MDKSA-2004:068
- Package name: php
- Date: 2004-07-14
- Advisory ID: MDKSA-2004:068
- Affected versions: 9.2 amd64, CS2.1 x86_64, 10.0 amd64, CS2.1 i586, 10.0 i586, 9.2 i586, 9.1 i586, MNF8.2 i586, 9.1 i586
Problem description
Stefan Esser discovered a remotely exploitable vulnerability in PHP where a remote attacker could trigger a memory_limit request termination in places where an interruption is unsafe. This could be used to execute arbitrary code.

Stefan Esser also found a vulnerability in the handling of allowed tags within PHP's strip_tags() function. This could lead to a number of XSS issues on sites that rely on strip_tags(); however, this only seems to affect the Internet Explorer and Safari browsers.

The updated packages have been patched to correct these problems and all users are encouraged to upgrade immediately.
Updated packages
9.2 amd64
- 7440678e5a938931b88953232c5c2a46 amd64/9.2/RPMS/lib64php_common432-4.3.3-2.1.92mdk.amd64.rpm
- 4375a9c46be6b1ef103959253b469035 amd64/9.2/RPMS/php-cgi-4.3.3-2.1.92mdk.amd64.rpm
- 3cd4c385732e3b31b9f20fa93b6a7ee5 amd64/9.2/RPMS/php-cli-4.3.3-2.1.92mdk.amd64.rpm
- dbf7471c02799c02a32e46a727ee87f3 amd64/9.2/RPMS/php432-devel-4.3.3-2.1.92mdk.amd64.rpm
- 8495c4332df4f8262d3f0b9b2b781739 amd64/9.2/SRPMS/php-4.3.3-2.1.92mdk.src.rpm
CS2.1 x86_64
- da53a0003ad75379dd473ca297c9b4f0 x86_64/corporate/2.1/RPMS/php-4.2.3-4.2.C21mdk.x86_64.rpm
- 190da4dbf19fd83c3e8b2db3ebe7e186 x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.2.C21mdk.x86_64.rpm
- 7c32a33ced47f7feaf47f801718b6d8d x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.2.C21mdk.x86_64.rpm
- 0a747e5e17d82642f77cdfee44afe201 x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.2.C21mdk.x86_64.rpm
- 06a1c08156a866f9b78e1949df881425 x86_64/corporate/2.1/SRPMS/php-4.2.3-4.2.C21mdk.src.rpm
10.0 amd64
- 8f7909d54dca79d0778754a78447c378 amd64/10.0/RPMS/lib64php_common432-4.3.4-4.1.100mdk.amd64.rpm
- 378466839541330d72df496acc9cd9da amd64/10.0/RPMS/php-cgi-4.3.4-4.1.100mdk.amd64.rpm
- 3e6b698ba65fd6acb035d97f7c872c79 amd64/10.0/RPMS/php-cli-4.3.4-4.1.100mdk.amd64.rpm
- 62693eda687695449ff61aee7af8b844 amd64/10.0/RPMS/php432-devel-4.3.4-4.1.100mdk.amd64.rpm
- 805c5ba7b90fd4e53fc09b46d2e4c00c amd64/10.0/SRPMS/php-4.3.4-4.1.100mdk.src.rpm
CS2.1 i586
- e1326fedc5957661efd6eec69c4e66cf corporate/2.1/RPMS/php-4.2.3-4.2.C21mdk.i586.rpm
- 31337953ddfec7c379c8bcad70e97f7f corporate/2.1/RPMS/php-common-4.2.3-4.2.C21mdk.i586.rpm
- 346f004bb741c5d3a279d495eadc61c5 corporate/2.1/RPMS/php-devel-4.2.3-4.2.C21mdk.i586.rpm
- 91ef39ceeb256c72f449ebd2f73fdc3a corporate/2.1/RPMS/php-pear-4.2.3-4.2.C21mdk.i586.rpm
- 06a1c08156a866f9b78e1949df881425 corporate/2.1/SRPMS/php-4.2.3-4.2.C21mdk.src.rpm
10.0 i586
- 62cdddfba4a6efda574d9a7fbade926a 10.0/RPMS/libphp_common432-4.3.4-4.1.100mdk.i586.rpm
- c71dc50bc4db1eef210dcdb17bfefb84 10.0/RPMS/php-cgi-4.3.4-4.1.100mdk.i586.rpm
- 41ec866b7f9017e5e9697f758d96b7dd 10.0/RPMS/php-cli-4.3.4-4.1.100mdk.i586.rpm
- 6cf53b4acfaf964f2ad27c26c7522850 10.0/RPMS/php432-devel-4.3.4-4.1.100mdk.i586.rpm
- 805c5ba7b90fd4e53fc09b46d2e4c00c 10.0/SRPMS/php-4.3.4-4.1.100mdk.src.rpm
9.2 i586
- f731f578cdb9d458c4880a48f20c0027 9.2/RPMS/libphp_common432-4.3.3-2.1.92mdk.i586.rpm
- 732ba08087b14490c057a9454c6b706d 9.2/RPMS/php-cgi-4.3.3-2.1.92mdk.i586.rpm
- d7aeca9053611e06ddeeb374ebc38fd5 9.2/RPMS/php-cli-4.3.3-2.1.92mdk.i586.rpm
- dfdbda0df15baea7861646b4c42eb1d2 9.2/RPMS/php432-devel-4.3.3-2.1.92mdk.i586.rpm
- 8495c4332df4f8262d3f0b9b2b781739 9.2/SRPMS/php-4.3.3-2.1.92mdk.src.rpm
9.1 i586
- 53e9be87d1e87c11384c78e656fb045b 9.1/RPMS/libphp_common430-430-11.2.91mdk.i586.rpm
- d726c6e61503ace236d41e96dd2aacc4 9.1/RPMS/php-cgi-4.3.1-11.2.91mdk.i586.rpm
- c0f0638a6977b0747b9cef6421f0baa2 9.1/RPMS/php-cli-4.3.1-11.2.91mdk.i586.rpm
- 846433aa57319fcf5ab760bb784c7f60 9.1/RPMS/php430-devel-430-11.2.91mdk.i586.rpm
- 68d0872d095bdb4976541debcdaa11d7 9.1/SRPMS/php-4.3.1-11.2.91mdk.src.rpm
MNF8.2 i586
- f91aac5bc43fa5c79317b8dd2d6fbfb2 mnf8.2/RPMS/php-common-4.1.2-1.3.M82mdk.i586.rpm
- 9805edbc685f9418c54e9ea20f968b15 mnf8.2/SRPMS/php-4.1.2-1.3.M82mdk.src.rpm
9.1 i586
- 929514cf49ddeb4ac321b20ffa6fdb49 ppc/9.1/RPMS/libphp_common430-430-11.2.91mdk.ppc.rpm
- 429cafb67ce1e36012eabad5c46d0a26 ppc/9.1/RPMS/php-cgi-4.3.1-11.2.91mdk.ppc.rpm
- 0bab7923e30ccaf668a04b41925adc0b ppc/9.1/RPMS/php-cli-4.3.1-11.2.91mdk.ppc.rpm
- af5f2be485dad26cb88103f3373a8188 ppc/9.1/RPMS/php430-devel-430-11.2.91mdk.ppc.rpm
- 68d0872d095bdb4976541debcdaa11d7 ppc/9.1/SRPMS/php-4.3.1-11.2.91mdk.src.rpm
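
Checking downloaded packages against the list above, as an added example that is not part of the original advisory: this Python script parses the advisory's `md5 path` pairs and reports each package in a download directory as ok, mismatch or missing. The function names and the download directory are assumptions; the sample entry is the MNF8.2 line from this page.

```python
import hashlib
import re
from pathlib import Path

# The MNF8.2 entry as listed in this advisory: "md5 path" pairs separated by whitespace.
ADVISORY_MNF82 = (
    "f91aac5bc43fa5c79317b8dd2d6fbfb2 mnf8.2/RPMS/php-common-4.1.2-1.3.M82mdk.i586.rpm "
    "9805edbc685f9418c54e9ea20f968b15 mnf8.2/SRPMS/php-4.1.2-1.3.M82mdk.src.rpm"
)

# A 32-hex-digit MD5 followed by a path ending in .rpm.
PAIR = re.compile(r"\b([0-9a-f]{32})\s+(\S+\.rpm)\b")


def parse_checksums(text):
    """Return {rpm file name: md5} from advisory text, keyed by basename."""
    sums = {}
    for digest, path in PAIR.findall(text):
        name = path.rsplit("/", 1)[-1]
        # The same SRPM is listed under several platforms; its digests must agree.
        if sums.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting checksums for {name}")
    return sums


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(text, directory):
    """Map each advisory package name to 'ok', 'mismatch' or 'missing'."""
    result = {}
    for name, expected in parse_checksums(text).items():
        candidate = Path(directory) / name  # hypothetical local download location
        if not candidate.is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if md5_of(candidate) == expected else "mismatch"
    return result


if __name__ == "__main__":
    for name, status in verify_downloads(ADVISORY_MNF82, ".").items():
        print(f"{status:9} {name}")
```

A matching MD5 shows only that the file matches the advisory listing; MD5 is not collision resistant, so the package signature remains the check that establishes who built it.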
