Advisories | Mandriva

Package name	php4
Date	July 3rd, 2008
Advisory ID	MDVSA-2008:130
Affected versions	CS4.0

Problem Description

An integer overflow in the zip_read_entry() function in PHP prior
to 4.4.5 allowed remote attackers to execute arbitrary code via a
ZIP archive containing a certain type of entry that triggered a heap
overflow (CVE-2007-1777).

Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5
were discovered that could produce a zero seed in rare circumstances on
32bit systems and generations a portion of zero bits during conversion
due to insufficient precision on 64bit systems (CVE-2008-2107,
CVE-2008-2108).

The updated packages have been patched to correct these issues.

Updated Packages

Corporate Server 4.0

 070c4d4f7403e8a88cebf04ec8332d9c  corporate/4.0/i586/libphp4_common4-4.4.4-1.8.20060mlcs4.i586.rpm
 d4a5b569f487d6d0cd9c32e6c57973e2  corporate/4.0/i586/php4-cgi-4.4.4-1.8.20060mlcs4.i586.rpm
 cc39060ca799894fd2e0e31bdc588d93  corporate/4.0/i586/php4-cli-4.4.4-1.8.20060mlcs4.i586.rpm
 b9445da53d60e15b815d702bb0639b2c  corporate/4.0/i586/php4-devel-4.4.4-1.8.20060mlcs4.i586.rpm
 89578a93f8389f1c18a9ec2bb2976c3d  corporate/4.0/i586/php4-zip-4.4.4-1.1.20060mlcs4.i586.rpm 
 1bd1828056a9485094c3f8dcad359868  corporate/4.0/SRPMS/php4-4.4.4-1.8.20060mlcs4.src.rpm
 1c44162aa2dd129612450a61427e94f4  corporate/4.0/SRPMS/php4-zip-4.4.4-1.1.20060mlcs4.src.rpm

Corporate Server 4.0/X86_64

 fbc3b649e7429a3dc6e53e367eaf0eb4  corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.8.20060mlcs4.x86_64.rpm
 62ec98b2fdf5656e84afa1423f5e757b  corporate/4.0/x86_64/php4-cgi-4.4.4-1.8.20060mlcs4.x86_64.rpm
 6cfc64f13467e939995d00f5b9293701  corporate/4.0/x86_64/php4-cli-4.4.4-1.8.20060mlcs4.x86_64.rpm
 a158811bab4ffcc278660fc6bb0b8eb3  corporate/4.0/x86_64/php4-devel-4.4.4-1.8.20060mlcs4.x86_64.rpm
 e5eec77b3270124b1a68689aa0b3362b  corporate/4.0/x86_64/php4-zip-4.4.4-1.1.20060mlcs4.x86_64.rpm 
 1bd1828056a9485094c3f8dcad359868  corporate/4.0/SRPMS/php4-4.4.4-1.8.20060mlcs4.src.rpm
 1c44162aa2dd129612450a61427e94f4  corporate/4.0/SRPMS/php4-zip-4.4.4-1.1.20060mlcs4.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

		rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.