MDVSA-2008:127

Package name

php

Date

2008-07-03

Advisory ID

MDVSA-2008:127

Affected versions

2008.0 i586 , 2008.0 x86_64

Problem description

A number of vulnerabilities have been found and corrected in PHP:

The htmlentities() and htmlspecialchars() functions in PHP prior to
5.2.5 accepted partial multibyte sequences, which has unknown impact
and attack vectors (CVE-2007-5898).

The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites
local forms in which the ACTION attribute references a non-local URL,
which could allow a remote attacker to obtain potentially sensitive
information by reading the requests for this URL (CVE-2007-5899).

php-cgi in PHP prior to 5.2.6 does not properly calculate the length
of PATH_TRANSLATED, which has unknown impact and attack vectors
(CVE-2008-0599).

The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown
impact and context-dependent attack vectors related to incomplete
multibyte characters (CVE-2008-2051).

Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5
were discovered that could produce a zero seed in rare circumstances on
32bit systems and generations a portion of zero bits during conversion
due to insufficient precision on 64bit systems (CVE-2008-2107,
CVE-2008-2108).

The IMAP module in PHP uses obsolete API calls that allow
context-dependent attackers to cause a denial of service (crash)
via a long IMAP request (CVE-2008-2829).

In addition, this update also corrects an issue with some float to
string conversions.

The updated packages have been patched to correct these issues.

Updated packages

2008.0 i586

 4964496fdee7d2fff5f4b1fa8c14532b  2008.0/i586/libphp5_common5-5.2.4-3.2mdv2008.0.i586.rpm
 39937c9c935ad96fb6cf346018b81d57  2008.0/i586/php-bcmath-5.2.4-3.2mdv2008.0.i586.rpm
 112de70d3898dea5b99248eff489a78d  2008.0/i586/php-bz2-5.2.4-3.2mdv2008.0.i586.rpm
 3f4804e2a62bcafa66c1ca7a181537fd  2008.0/i586/php-calendar-5.2.4-3.2mdv2008.0.i586.rpm
 14377775243a1d5d3f3eed5f1b01261c  2008.0/i586/php-cgi-5.2.4-3.2mdv2008.0.i586.rpm
 6dbade915c57c8d2b87352f8fe6e0450  2008.0/i586/php-cli-5.2.4-3.2mdv2008.0.i586.rpm
 7a0cd01543c1e9f032018b5ce05f664a  2008.0/i586/php-ctype-5.2.4-3.2mdv2008.0.i586.rpm
 22f4036085ae339b6fe8248b4e316850  2008.0/i586/php-curl-5.2.4-3.2mdv2008.0.i586.rpm
 84a3f3752567dbbe12a4942da80a5b30  2008.0/i586/php-dba-5.2.4-3.2mdv2008.0.i586.rpm
 65916c79bd3716748f2115542402f9e1  2008.0/i586/php-dbase-5.2.4-3.2mdv2008.0.i586.rpm
 4ed4fbfc2322ab332de781b078f5fbf6  2008.0/i586/php-devel-5.2.4-3.2mdv2008.0.i586.rpm
 8de4887cda8cb1ca0527a7ddac80da34  2008.0/i586/php-dom-5.2.4-3.2mdv2008.0.i586.rpm
 c1c3eeb952c1492e65bafa53cc98dda7  2008.0/i586/php-exif-5.2.4-3.2mdv2008.0.i586.rpm
 5f4cb00ef6a273b03be7749d8181c873  2008.0/i586/php-fcgi-5.2.4-3.2mdv2008.0.i586.rpm
 38d62f9676137e7f4267ec488d029e12  2008.0/i586/php-filter-5.2.4-3.2mdv2008.0.i586.rpm
 f72252bd88ec2e34a7821aa5a70c37c1  2008.0/i586/php-ftp-5.2.4-3.2mdv2008.0.i586.rpm
 63b43f95c94e3f121a49c2c6016995bd  2008.0/i586/php-gd-5.2.4-3.2mdv2008.0.i586.rpm
 8cd73b8ca8370954c7e8c3f92b17cf26  2008.0/i586/php-gettext-5.2.4-3.2mdv2008.0.i586.rpm
 43702222ddbc3e9e8674d893174eab02  2008.0/i586/php-gmp-5.2.4-3.2mdv2008.0.i586.rpm
 3db9582768562fb6edca7d37504ac555  2008.0/i586/php-hash-5.2.4-3.2mdv2008.0.i586.rpm
 0494c0f6d0d1526d308ed8d131fe8771  2008.0/i586/php-iconv-5.2.4-3.2mdv2008.0.i586.rpm
 74e84b579bd1fafa55b3792795b32a2a  2008.0/i586/php-imap-5.2.4-3.2mdv2008.0.i586.rpm
 c25acebf5ab78b503ce889f9d434eb9d  2008.0/i586/php-json-5.2.4-3.2mdv2008.0.i586.rpm
 75c0858eebc00515193a8525e6abc52f  2008.0/i586/php-ldap-5.2.4-3.2mdv2008.0.i586.rpm
 ad813ea774c87cc21dfc03e1737e9992  2008.0/i586/php-mbstring-5.2.4-3.2mdv2008.0.i586.rpm
 cd672d701608dbc6285e83805b0caed6  2008.0/i586/php-mcrypt-5.2.4-3.2mdv2008.0.i586.rpm
 daff2f108122f193b1cdb7c53a63b439  2008.0/i586/php-mhash-5.2.4-3.2mdv2008.0.i586.rpm
 41713242ffef20ec2d201f47cf1394ad  2008.0/i586/php-mime_magic-5.2.4-3.2mdv2008.0.i586.rpm
 c532358f85d2dc2c29ca328a9b2bdc3d  2008.0/i586/php-ming-5.2.4-3.2mdv2008.0.i586.rpm
 f1ebed79be33a3a04ec75e6fc300b5d1  2008.0/i586/php-mssql-5.2.4-3.2mdv2008.0.i586.rpm
 116cb44f5b7092d2dbd4a0e2f861350f  2008.0/i586/php-mysql-5.2.4-3.2mdv2008.0.i586.rpm
 856c66c7136d7ca94fdf22b873664b75  2008.0/i586/php-mysqli-5.2.4-3.2mdv2008.0.i586.rpm
 731889df3739bb8413bf81287ba40459  2008.0/i586/php-ncurses-5.2.4-3.2mdv2008.0.i586.rpm
 9d100f8050649a4601ee2eecbaf9db22  2008.0/i586/php-odbc-5.2.4-3.2mdv2008.0.i586.rpm
 3333c9d55426bfdf7b14a4f3bfc0280b  2008.0/i586/php-openssl-5.2.4-3.2mdv2008.0.i586.rpm
 0faf70d76ad40914abb2b07235db0fe0  2008.0/i586/php-pcntl-5.2.4-3.2mdv2008.0.i586.rpm
 420c8170c11b5bcbf858e897a625a568  2008.0/i586/php-pdo-5.2.4-3.2mdv2008.0.i586.rpm
 33fa19cf7c0ec490aaa4150f4d1dc68e  2008.0/i586/php-pdo_dblib-5.2.4-3.2mdv2008.0.i586.rpm
 89245d8ab6d05972005ac5fb963d9021  2008.0/i586/php-pdo_mysql-5.2.4-3.2mdv2008.0.i586.rpm
 d7b8841964b26212fca668441102bb02  2008.0/i586/php-pdo_odbc-5.2.4-3.2mdv2008.0.i586.rpm
 a68b90f68d6627772b0b5fcda4352616  2008.0/i586/php-pdo_pgsql-5.2.4-3.2mdv2008.0.i586.rpm
 7de4ce0b46f67f2b5e86bac05bcdee1b  2008.0/i586/php-pdo_sqlite-5.2.4-3.2mdv2008.0.i586.rpm
 c2600185c76439cdf4485308d96f677b  2008.0/i586/php-pgsql-5.2.4-3.2mdv2008.0.i586.rpm
 36067daf02d684c247a0198478a9eca9  2008.0/i586/php-posix-5.2.4-3.2mdv2008.0.i586.rpm
 ca12377f3130587ed0e291219298ea85  2008.0/i586/php-pspell-5.2.4-3.2mdv2008.0.i586.rpm
 7bb0a857e8d68a167d2619896aa9138d  2008.0/i586/php-readline-5.2.4-3.2mdv2008.0.i586.rpm
 3d84362d34a97213908a060a011b761b  2008.0/i586/php-recode-5.2.4-3.2mdv2008.0.i586.rpm
 b3be6e8921d1400699bf5dd8d01534b8  2008.0/i586/php-session-5.2.4-3.2mdv2008.0.i586.rpm
 de73d4de81f7ff00ed7043fdaeb92c2b  2008.0/i586/php-shmop-5.2.4-3.2mdv2008.0.i586.rpm
 4e90e4c3bbf351c3e25d719803dbbbcd  2008.0/i586/php-simplexml-5.2.4-3.2mdv2008.0.i586.rpm
 0ba85b7cd04ae54c1be0212a3651abe7  2008.0/i586/php-snmp-5.2.4-3.2mdv2008.0.i586.rpm
 1edddb67795d167f199d08ad7c8544f7  2008.0/i586/php-soap-5.2.4-3.2mdv2008.0.i586.rpm
 447a4d2ce60d61385f655800582b255f  2008.0/i586/php-sockets-5.2.4-3.2mdv2008.0.i586.rpm
 7d1da4760885e4a93085a3251522c359  2008.0/i586/php-sqlite-5.2.4-3.2mdv2008.0.i586.rpm
 8ed94bd708eaa97d8274c3247f431a09  2008.0/i586/php-sysvmsg-5.2.4-3.2mdv2008.0.i586.rpm
 d1a8c118166c26bdd9a51a6539c2170d  2008.0/i586/php-sysvsem-5.2.4-3.2mdv2008.0.i586.rpm
 8fcb4e6ff9be40125d31dfa72c91304a  2008.0/i586/php-sysvshm-5.2.4-3.2mdv2008.0.i586.rpm
 e41ed56b79a47764bd2569c4807ef6c5  2008.0/i586/php-tidy-5.2.4-3.2mdv2008.0.i586.rpm
 d004aa350d12aa97d9e38facb7384923  2008.0/i586/php-tokenizer-5.2.4-3.2mdv2008.0.i586.rpm
 9b530981f55d4c13a135e9795ae26e80  2008.0/i586/php-wddx-5.2.4-3.2mdv2008.0.i586.rpm
 1d69762dc0ab2230eaa1b89649aa321d  2008.0/i586/php-xml-5.2.4-3.2mdv2008.0.i586.rpm
 79c68e71802c054e7f6a3fff96c135de  2008.0/i586/php-xmlreader-5.2.4-3.2mdv2008.0.i586.rpm
 efe5041757651f3b5e699031f6cdf69f  2008.0/i586/php-xmlrpc-5.2.4-3.2mdv2008.0.i586.rpm
 21ffedc32409617c2aa4e433818e349a  2008.0/i586/php-xmlwriter-5.2.4-3.2mdv2008.0.i586.rpm
 a9317dbd662e0c0a9d718ed37c2b2bad  2008.0/i586/php-xsl-5.2.4-3.2mdv2008.0.i586.rpm
 5c4ed89d027aea291d01d535a0b9b404  2008.0/i586/php-zlib-5.2.4-3.2mdv2008.0.i586.rpm 
 2c717855b2ed804e20c05da11f958e6b  2008.0/SRPMS/php-5.2.4-3.2mdv2008.0.src.rpm

2008.0 x86_64

 7c6ec0a220b884b70591d817b018854e  2008.0/x86_64/lib64php5_common5-5.2.4-3.2mdv2008.0.x86_64.rpm
 f82a02bf5481d88a10fd4a9435da20f1  2008.0/x86_64/php-bcmath-5.2.4-3.2mdv2008.0.x86_64.rpm
 c07ecb49cc0c56f85c2240c77d55e604  2008.0/x86_64/php-bz2-5.2.4-3.2mdv2008.0.x86_64.rpm
 55f39affa7ae19880ba553909c6f22fd  2008.0/x86_64/php-calendar-5.2.4-3.2mdv2008.0.x86_64.rpm
 84419c18107b9c0a1b0babbd97dc60b2  2008.0/x86_64/php-cgi-5.2.4-3.2mdv2008.0.x86_64.rpm
 76cd079e91c6c4e295769fe37b7bbb87  2008.0/x86_64/php-cli-5.2.4-3.2mdv2008.0.x86_64.rpm
 7fc9beea712fd5078c89c34af19a9946  2008.0/x86_64/php-ctype-5.2.4-3.2mdv2008.0.x86_64.rpm
 d284562916df646f74a804f91fcd659a  2008.0/x86_64/php-curl-5.2.4-3.2mdv2008.0.x86_64.rpm
 faa6f7d38a59cfa81e931e9537f6381d  2008.0/x86_64/php-dba-5.2.4-3.2mdv2008.0.x86_64.rpm
 0403c3c1073a5e4887dd978ba4c0b14a  2008.0/x86_64/php-dbase-5.2.4-3.2mdv2008.0.x86_64.rpm
 2571b773d626d0c2b14fca3be0dbcdd5  2008.0/x86_64/php-devel-5.2.4-3.2mdv2008.0.x86_64.rpm
 c0beeee29f9d5306162b59593f4b6590  2008.0/x86_64/php-dom-5.2.4-3.2mdv2008.0.x86_64.rpm
 c391c5b836ad63f1599333a823f9785b  2008.0/x86_64/php-exif-5.2.4-3.2mdv2008.0.x86_64.rpm
 c5af8ee7d5938468ea36424adddb42cb  2008.0/x86_64/php-fcgi-5.2.4-3.2mdv2008.0.x86_64.rpm
 a1e2e7e3c5d96ba24a205f0c6f799755  2008.0/x86_64/php-filter-5.2.4-3.2mdv2008.0.x86_64.rpm
 5d0f0db6c857986a8e0bed8ce1b2f274  2008.0/x86_64/php-ftp-5.2.4-3.2mdv2008.0.x86_64.rpm
 f29b00bc367ec0c17fca44a0eca1d2ee  2008.0/x86_64/php-gd-5.2.4-3.2mdv2008.0.x86_64.rpm
 9f36fac78f0615052cb1459981796eb5  2008.0/x86_64/php-gettext-5.2.4-3.2mdv2008.0.x86_64.rpm
 8b02cd2bfc64dafe36221ab2a84f1e1e  2008.0/x86_64/php-gmp-5.2.4-3.2mdv2008.0.x86_64.rpm
 6b8b3e930cad66d85c1e7c3798082696  2008.0/x86_64/php-hash-5.2.4-3.2mdv2008.0.x86_64.rpm
 a7f7d7e45415de6e8806ec8cd24fab15  2008.0/x86_64/php-iconv-5.2.4-3.2mdv2008.0.x86_64.rpm
 e71c04769901527f75bb32900d19138e  2008.0/x86_64/php-imap-5.2.4-3.2mdv2008.0.x86_64.rpm
 ea23fc2159c3fe956eef9a55335b87f4  2008.0/x86_64/php-json-5.2.4-3.2mdv2008.0.x86_64.rpm
 6ff77a39d3998b24650dc91eb09e902e  2008.0/x86_64/php-ldap-5.2.4-3.2mdv2008.0.x86_64.rpm
 441208300d91f0849ca6e0b8e26b9b19  2008.0/x86_64/php-mbstring-5.2.4-3.2mdv2008.0.x86_64.rpm
 a95bec26dfd5e2a8773a5edcca612c9b  2008.0/x86_64/php-mcrypt-5.2.4-3.2mdv2008.0.x86_64.rpm
 167bc322f2204d4c643ce499e8f303a2  2008.0/x86_64/php-mhash-5.2.4-3.2mdv2008.0.x86_64.rpm
 34b6a244a5361ea596b78e31e152087d  2008.0/x86_64/php-mime_magic-5.2.4-3.2mdv2008.0.x86_64.rpm
 07c137c89962d1bf9f02eb76d590fc9b  2008.0/x86_64/php-ming-5.2.4-3.2mdv2008.0.x86_64.rpm
 a4a23328014899da202ca3585202fb14  2008.0/x86_64/php-mssql-5.2.4-3.2mdv2008.0.x86_64.rpm
 fc523fd93e5ed4f8b5b2bdebfbb084c1  2008.0/x86_64/php-mysql-5.2.4-3.2mdv2008.0.x86_64.rpm
 d0c36a5ec8f31317ef18d4f86ab0d0e8  2008.0/x86_64/php-mysqli-5.2.4-3.2mdv2008.0.x86_64.rpm
 5548d0c4b41141ef095cef2b10e48e65  2008.0/x86_64/php-ncurses-5.2.4-3.2mdv2008.0.x86_64.rpm
 4afea2b1f843ab580288c7d2e2970885  2008.0/x86_64/php-odbc-5.2.4-3.2mdv2008.0.x86_64.rpm
 46ba4fa02760007576378428bb80feb5  2008.0/x86_64/php-openssl-5.2.4-3.2mdv2008.0.x86_64.rpm
 79ff2c4c60b58c950db9336e1ba2e5ec  2008.0/x86_64/php-pcntl-5.2.4-3.2mdv2008.0.x86_64.rpm
 30a0c1a42dee0e63df8edf4a03705583  2008.0/x86_64/php-pdo-5.2.4-3.2mdv2008.0.x86_64.rpm
 4934e452fdddfea4bd049319256e5c0b  2008.0/x86_64/php-pdo_dblib-5.2.4-3.2mdv2008.0.x86_64.rpm
 2aac1840cceb12487440906758b302d9  2008.0/x86_64/php-pdo_mysql-5.2.4-3.2mdv2008.0.x86_64.rpm
 e2f8ff3183b0aa2502f6f0f8b9c25dbf  2008.0/x86_64/php-pdo_odbc-5.2.4-3.2mdv2008.0.x86_64.rpm
 8f6d42248dbb2733ea961832bf1c8002  2008.0/x86_64/php-pdo_pgsql-5.2.4-3.2mdv2008.0.x86_64.rpm
 12fa367e082312b6ca239c48aa60d532  2008.0/x86_64/php-pdo_sqlite-5.2.4-3.2mdv2008.0.x86_64.rpm
 80cef4fd4f1bd43aafd329f5d3dd0746  2008.0/x86_64/php-pgsql-5.2.4-3.2mdv2008.0.x86_64.rpm
 ffe606c87612f73ce2aa346e2f6ef88a  2008.0/x86_64/php-posix-5.2.4-3.2mdv2008.0.x86_64.rpm
 e5a43918a92e042abb8744462c11450d  2008.0/x86_64/php-pspell-5.2.4-3.2mdv2008.0.x86_64.rpm
 3489f296995bbd4c39060a4dcef708a8  2008.0/x86_64/php-readline-5.2.4-3.2mdv2008.0.x86_64.rpm
 056f4802270d25466956722a084c0630  2008.0/x86_64/php-recode-5.2.4-3.2mdv2008.0.x86_64.rpm
 de836669d4705ce2876002be7c0ac0f5  2008.0/x86_64/php-session-5.2.4-3.2mdv2008.0.x86_64.rpm
 a6911b797b25eaecd320da289c8a6032  2008.0/x86_64/php-shmop-5.2.4-3.2mdv2008.0.x86_64.rpm
 b477a40948286c534204d1d4f22f9ab0  2008.0/x86_64/php-simplexml-5.2.4-3.2mdv2008.0.x86_64.rpm
 80f3d118ca6cf804d4ae1f9239ca443b  2008.0/x86_64/php-snmp-5.2.4-3.2mdv2008.0.x86_64.rpm
 b84262ac2963a40a1b2cead035c73a66  2008.0/x86_64/php-soap-5.2.4-3.2mdv2008.0.x86_64.rpm
 06c54cc25362d9402c57975c0c1fdb6c  2008.0/x86_64/php-sockets-5.2.4-3.2mdv2008.0.x86_64.rpm
 979551b073fb7a07dac96b7590e75eab  2008.0/x86_64/php-sqlite-5.2.4-3.2mdv2008.0.x86_64.rpm
 76a11ff08c0e8b10b54996ddc4d24f33  2008.0/x86_64/php-sysvmsg-5.2.4-3.2mdv2008.0.x86_64.rpm
 899c3c8cf2604a34c95c1f2777f7faca  2008.0/x86_64/php-sysvsem-5.2.4-3.2mdv2008.0.x86_64.rpm
 0e9dca07c599f6ab0fe7cd678bfd4056  2008.0/x86_64/php-sysvshm-5.2.4-3.2mdv2008.0.x86_64.rpm
 23554f0d3e453e262d8cf06004570db2  2008.0/x86_64/php-tidy-5.2.4-3.2mdv2008.0.x86_64.rpm
 a9775d8aa17c056b6ecf33493f460af6  2008.0/x86_64/php-tokenizer-5.2.4-3.2mdv2008.0.x86_64.rpm
 0de28245d48636781d26186a3f7aa3bf  2008.0/x86_64/php-wddx-5.2.4-3.2mdv2008.0.x86_64.rpm
 c68b945348738daedffaffc2c7116921  2008.0/x86_64/php-xml-5.2.4-3.2mdv2008.0.x86_64.rpm
 11a1d8dfe53bc833def78382853ec2bd  2008.0/x86_64/php-xmlreader-5.2.4-3.2mdv2008.0.x86_64.rpm
 8695d6aa557f9947b1c85c9b1f0ff794  2008.0/x86_64/php-xmlrpc-5.2.4-3.2mdv2008.0.x86_64.rpm
 30921f94417b1c0a36d91097319ccb69  2008.0/x86_64/php-xmlwriter-5.2.4-3.2mdv2008.0.x86_64.rpm
 fc8bd211ec721efe34e79b9c37c50be4  2008.0/x86_64/php-xsl-5.2.4-3.2mdv2008.0.x86_64.rpm
 20f1b68969555b6d16ee4862f9dbf401  2008.0/x86_64/php-zlib-5.2.4-3.2mdv2008.0.x86_64.rpm 
 2c717855b2ed804e20c05da11f958e6b  2008.0/SRPMS/php-5.2.4-3.2mdv2008.0.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829