Fedora 10: 2009-3768 Critical: PHP 5.2.9 Buffer Overflow
fedora
May 29, 2009
Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's
mbstring extension
Summary
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.
The php package contains the module which adds support for the PHP
language to Apache HTTP Server.
Update Information:
Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portion...
Topics Covered
Change Log
* Fri Apr 17 2009 Joe Orton
References
[ 1 ] Bug #478425 - CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure
https://bugzilla.redhat.com/show_bug.cgi?id=478425
[ 2 ] Bug #494530 - CVE-2009-1271 php: crash on malformed input in json_decode()
https://bugzilla.redhat.com/show_bug.cgi?id=494530
[ 3 ] Bug #459529 - CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension
https://bugzilla.redhat.com/show_bug.cgi?id=459529
[ 4 ] Bug #459572 - CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension
https://bugzilla.redhat.com/show_bug.cgi?id=459572
[ 5 ] Bug #452808 - CVE-2008-2829 php: ext/imap legacy routine buffer overflow
https://bugzilla.redhat.com/show_bug.cgi?id=452808
[ 6 ] Bug #474824 - CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=474824
[ 7 ] Bug #478848 - CVE-2008-5557 php: Heap-based buffer overflow in the mbs...
Update Instructions
This update can be installed with the "yum" update program. Use su -c 'yum update php' at the command line. For more information, refer to "Managing Software with yum", available at .
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Name: php
Product: Fedora 10
Version: 5.2.9
Release: 2.fc10
URL: https://www.php.net/
Summary: PHP scripting language for creating dynamic web sites
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!