CVE-2011-2202

Bug #813115 reported by Shaun Duncan
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
php5 (Ubuntu) | Fix Released | Medium | Unassigned |
Hardy | Fix Released | Medium | Steve Beattie |
Lucid | Fix Released | Medium | Steve Beattie |
Maverick | Fix Released | Medium | Steve Beattie |
Natty | Fix Released | Medium | Steve Beattie |
Oneiric | Fix Released | Medium | Unassigned |

Bug Description

Release 5.3.6-11ubuntu1 of php5 main/rfc1867.c requires the patch released at http://svn.php.net/viewvc?view=revision&revision=312103 that prevents a file path injection vulnerability.

visibility: private → public
Changed in php5 (Ubuntu Hardy):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Maverick):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Natty):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Oneiric):
importance: Undecided → Medium
status: New → Confirmed
Angel Abad (angelabad) wrote :

This patch is applied in the 5.3.6-13ubuntu1 upload

Changed in php5 (Ubuntu Oneiric):
status: Confirmed → Fix Released
Angel Abad (angelabad)
tags: removed: 5.3.6-11ubuntu1 cve-2011-2202 php5
Angel Abad (angelabad) wrote :

php5 (5.3.5-1ubuntu7.3) natty-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 15:41:14 +0200

Angel Abad (angelabad) wrote :

php5 (5.3.3-1ubuntu9.6) maverick-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 21:18:32 +0200

Changed in php5 (Ubuntu Lucid):
assignee: nobody → Angel Abad (angelabad)
status: Confirmed → In Progress
Changed in php5 (Ubuntu Hardy):
assignee: nobody → Angel Abad (angelabad)
status: Confirmed → In Progress
Angel Abad (angelabad) wrote :

php5 (5.3.2-1ubuntu4.10) lucid-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 22:17:07 +0200

Changed in php5 (Ubuntu Lucid):
assignee: Angel Abad (angelabad) → nobody
status: In Progress → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs. Subscribing ubuntu-security-sponsors.

Angel Abad (angelabad) wrote :

php5 (5.2.4-2ubuntu5.18) hardy-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 22:33:47 +0200

Angel Abad (angelabad) wrote :

Last debdiff...

Changed in php5 (Ubuntu Hardy):
assignee: Angel Abad (angelabad) → nobody
status: In Progress → Confirmed
Steve Beattie (sbeattie) wrote :

Angel,

Thanks, these debdiffs look good, I'll incorporate them as there are other open CVEs for php5 that need to be addressed (see http://people.canonical.com/~ubuntu-security/cve/pkg/php5.html ).

Assigning to myself.

Changed in php5 (Ubuntu Hardy):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Angel Abad (angelabad) wrote :

Thanks Steve, I'll take a look at these CVEs

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors since Steve is handling this as part of his update.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.5-1ubuntu7.3

---------------
php5 (5.3.5-1ubuntu7.3) natty-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202
  * SECURITY UPDATE: Fixed stack buffer overflow in socket_connect()
    (LP: #813110)
    - debian/patches/php5-CVE-2011-1938.patch:
    - CVE-2011-1938

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
    on invalid flags
    - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
    - CVE-2011-1657
  * SECURITY UPDATE: crypt_blowfish doesn't properly handle 8-bit
    (non-ascii) passwords leading to a smaller collision space
    - debian/patches/php5-CVE-2011-2483.patch: update crypt_blowfish
      to 1.2 to correct handling of passwords containing 8-bit
      (non-ascii) characters.
      CVE-2011-2483
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: DoS in errorlog() when passed NULL
    - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
      errorlog()
    - CVE-2011-3267
  * debian/patches/fix_crash_in__php_mssql_get_column_content_without_type.patch:
    refresh patch to make it cleanly apply.
 -- Steve Beattie <email address hidden> Thu, 13 Oct 2011 13:49:23 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu9.6

---------------
php5 (5.3.3-1ubuntu9.6) maverick-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202
  * SECURITY UPDATE: Fixed stack buffer overflow in socket_connect()
    (LP: #813110)
    - debian/patches/php5-CVE-2011-1938.patch:
    - CVE-2011-1938

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
    on invalid flags
    - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
    - CVE-2011-1657
  * SECURITY UPDATE: crypt_blowfish doesn't properly handle 8-bit
    (non-ascii) passwords leading to a smaller collision space
    - debian/patches/php5-CVE-2011-2483.patch: update crypt_blowfish
      to 1.2 to correct handling of passwords containing 8-bit
      (non-ascii) characters.
      CVE-2011-2483
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: DoS in errorlog() when passed NULL
    - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
      errorlog()
    - CVE-2011-3267
 -- Steve Beattie <email address hidden> Thu, 13 Oct 2011 13:56:23 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.10

---------------
php5 (5.3.2-1ubuntu4.10) lucid-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202
  * SECURITY UPDATE: Fixed stack buffer overflow in socket_connect()
    (LP: #813110)
    - debian/patches/php5-CVE-2011-1938.patch:
    - CVE-2011-1938

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
    on invalid flags
    - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
    - CVE-2011-1657
  * SECURITY UPDATE: crypt_blowfish doesn't properly handle 8-bit
    (non-ascii) passwords leading to a smaller collision space
    - debian/patches/php5-CVE-2011-2483.patch: update crypt_blowfish
      to 1.2 to correct handling of passwords containing 8-bit
      (non-ascii) characters.
      CVE-2011-2483
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: DoS in errorlog() when passed NULL
    - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
      errorlog()
    - CVE-2011-3267
  * SECURITY UPDATE: information leak via handler interrupt (LP: #852871)
    - debian/patches/php5-CVE-2010-1914.patch: grab references before
      calling zendi_convert_to_long()
    - CVE-2010-1914
 -- Steve Beattie <email address hidden> Fri, 14 Oct 2011 14:24:59 -0700

Changed in php5 (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.18

---------------
php5 (5.2.4-2ubuntu5.18) hardy-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: Information leak via strchr interrupt (LP: #852865)
    - debian/patches/php5-CVE-2010-2484.patch: grab references before
      converting to string
    - CVE-2010-2484
 -- Steve Beattie <email address hidden> Fri, 14 Oct 2011 20:10:17 -0700

Changed in php5 (Ubuntu Hardy):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.