CVE-2005-0525
CVSS 5.0
Published: 2005-05-02 00:00:00
Revised: 2011-03-07 21:20:11

[Original] The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.


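[CNNVD] PHP Group PHP Remote JPEG File Format Remote Denial of Service Vulnerability (CNNVD-200505-540)

The php_next_marker function in image.c in PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, which can be called by the getimagesize PHP function, allows remote attackers, via a JPEG image with an invalid marker value, to cause php_stream_seek to receive a negative length value, resulting in a denial of service (infinite loop).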

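- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may reduce performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]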

- CPE (Affected Platforms and Products)

cpe:/a:php:php:4.2.2   PHP PHP 4.2.2
cpe:/a:php:php:4.3.9   PHP PHP 4.3.9
cpe:/a:php:php:4.3.10  PHP PHP 4.3.10
cpe:/a:php:php:5.0.3   PHP PHP 5.0.3

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:11703  The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0525
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0525
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-540
(Official data source) CNNVD

- Other Links and Resources

http://www.debian.org/security/2005/dsa-708
(PATCH)  DEBIAN  DSA-708
http://secunia.com/advisories/14792
(PATCH)  SECUNIA  14792
http://www.vupen.com/english/advisories/2005/0305
(UNKNOWN)  VUPEN  ADV-2005-0305
http://www.securityfocus.com/archive/1/394797
(VENDOR_ADVISORY)  IDEFENSE  20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilities
http://www.redhat.com/support/errata/RHSA-2005-406.html
(UNKNOWN)  REDHAT  RHSA-2005:406
http://www.redhat.com/support/errata/RHSA-2005-405.html
(UNKNOWN)  REDHAT  RHSA-2005:405
http://www.gentoo.org/security/en/glsa/glsa-200504-15.xml
(UNKNOWN)  GENTOO  GLSA-200504-15
http://www.debian.org/security/2005/dsa-729
(UNKNOWN)  DEBIAN  DSA-729
http://securitytracker.com/id?1013619
(UNKNOWN)  SECTRACK  1013619
http://lists.apple.com/archives/security-announce/2005/Jun/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-06-08
http://www.osvdb.org/15184
(UNKNOWN)  OSVDB  15184
http://www.mandriva.com/security/advisories?name=MDKSA-2005:072
(UNKNOWN)  MANDRAKE  MDKSA-2005:072

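- Vulnerability Information

PHP Group PHP Remote JPEG File Format Remote Denial of Service Vulnerability
Medium risk  Other
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
The php_next_marker function in image.c in PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, which can be called by the getimagesize PHP function, allows remote attackers, via a JPEG image with an invalid marker value, to cause php_stream_seek to receive a negative length value, resulting in a denial of service (infinite loop).

- Advisories and Patches

No data available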

- Vulnerability Information (F36935)

iDEFENSE Security Advisory 2005-03-31.t (PacketStormID:F36935)
2005-04-14 00:00:00
iDefense Labs  idefense.com
advisory,remote,denial of service,php,vulnerability
CVE-2005-0524,CVE-2005-0525

iDEFENSE Security Advisory 03.31.05 - Remote exploitation of multiple denial of service vulnerabilities in the PHP Group's PHP scripting language allows attackers to consume CPU resources. The vulnerable routines, php_handle_iff() and php_handle_jpeg(), are reachable from the PHP function getimagesize(). iDEFENSE has confirmed the existence of these vulnerabilities in PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3.

PHP getimagesize() Multiple Denial of Service Vulnerabilities

iDEFENSE Security Advisory 03.31.05
www.idefense.com/application/poi/display?id=222&type=vulnerabilities
March 31, 2005

I. BACKGROUND

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
More information is available at:

   http://www.php.net

II. DESCRIPTION

Remote exploitation of multiple denial of service vulnerabilities in 
the PHP Group's PHP scripting language allows attackers to consume CPU 
resources. The vulnerable routines, php_handle_iff() and 
php_handle_jpeg(), are reachable from the PHP function getimagesize(), 
which is defined as follows:

    array getimagesize ( string filename [, array &imageinfo] )

The getimagesize() routine is used to determine the size and dimensions
of multiple image formats, including GIF, JPG, PNG, TIFF, etc.

ISSUE 1 - php_handle_iff() Denial of Service

Remote exploitation of a denial of service (DoS) condition in the PHP
Group's PHP scripting language allows attackers to consume CPU
resources.

The problem specifically exists within the function php_handle_iff()
defined in ext/standard/image.c. The vulnerability is demonstrated in
the following excerpt:

    static struct gfxinfo *php_handle_iff(php_stream * stream TSRMLS_DC)
    {
    ...
            /* loop chunks to find BMHD chunk */
            do {
    [1]             if (php_stream_read(stream, a, 8) != 8) {
                            efree(result);
                            return NULL;
                    }
                    chunkId = php_ifd_get32s(a+0, 1);
    [2]             size    = php_ifd_get32s(a+4, 1);
                    if ((size & 1) == 1) {
                            size++;
                    }
                if (chunkId == 0x424d4844) { /* BMHD chunk */
                        ...
                ...
            } else {
    [3]                 if (php_stream_seek(stream, size, SEEK_CUR)) {
                                efree(result);
                                return NULL;
                        }
                    }
            } while (1);
    }

In the excerpt above, at line [1], 8 bytes are read from the user-
supplied file stream. At line [2], the variables 'chunkId' and 'size'
are set to user-supplied values from the file stream. If the variable
'size' is set to -8, then on line [3] the current position within the
file stream is moved back 8 bytes, resulting in an infinite loop. 

ISSUE 2 - php_handle_jpeg() Denial of Service 

Local exploitation of an input validation vulnerability in The PHP 
Group's PHP embedded scripting language allows attackers to consume CPU 
resources. The vulnerability specifically exists due to insufficient 
validation of JPEG image file headers in the php_handle_jpeg() 
function. The JPEG file header contains a file length field which may 
be manipulated to cause an infinite loop in the copying of file data to 
memory as shown below from ext/standard/image.c:

    static struct gfxinfo *
    php_handle_jpeg (php_stream * stream, pval *info TSRMLS_DC)
    {
        struct gfxinfo *result = NULL;
        unsigned int marker = M_PSEUDO;
        unsigned short length, ff_read=1;
    
        for (;;) {
    [1]     marker = php_next_marker(stream, marker, 1, ff_read TSRMLS_CC);
            ff_read = 0;
            switch (marker) {
                ...
                default:
    [2]             php_skip_variable(stream TSRMLS_CC); 
                                    break;
            }
        }
    
        return result; /* perhaps image broken -> no info but size */
    }
    
    static void php_skip_variable(php_stream * stream TSRMLS_DC)
    {
    [3] off_t length = ((unsigned int)php_read2(stream TSRMLS_CC));
    
        length = length-2;
        if (length)
        {
    [4]     php_stream_seek(stream, (long)length, SEEK_CUR);
        }
    }

The php_next_marker() call [1] reads the next byte in the stream to 
determine handling of the associated data. If given an invalid marker 
value, the case statement executes the default block which calls the 
php_skip_variable() function [2]. The php_read2() call [3] will return 
0 bytes if the file stream has reached its end, so the pointer math 
causes a length value of -2 in the php_stream_seek() call [4]. This 
results in an infinite loop as the stream now points to the last two 
bytes of the file when the pointer is returned to the for loop in 
php_handle_jpeg().

III. ANALYSIS

Exploitation of either vulnerability could allow unauthenticated remote 
attackers to consume 100% CPU resources on vulnerable systems. 
Exploitation requires that an attacker supply a malicious image to the 
getimagesize() PHP routine. The getimagesize() routine is frequently 
used when handling user-supplied image uploads, which increases the 
feasibility of remote exploitation.

IV. DETECTION

iDEFENSE has confirmed the existence of these vulnerabilities in PHP
versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3.

V. WORKAROUND

iDEFENSE is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

These vulnerabilities are addressed in PHP 5.0.4 which is available for
download at:

   www.php.net/distributions/php-5.0.4.tar.gz
   www.php.net/distributions/php-5.0.4.tar.bz2

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:

CAN-2005-0524 - php_handle_iff()
CAN-2005-0525 - php_handle_jpeg()

These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/23/2005      Initial vendor notification
02/23/2005      Initial vendor response
03/31/2005      Coordinated public disclosure

IX. CREDIT

The discoverer of these issues wishes to remain anonymous.


X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
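
The seek loop described under ISSUE 1 above, reproduced as an added C example that is not part of the iDEFENSE advisory or of PHP's source: the same chunk walk is run once trusting the signed size field and once rejecting a negative size before the seek. The mem_stream type, the helper names, the MAX_ITER cap and both byte arrays are constructed for illustration, and the size check is one possible hardening, not the fix shipped by PHP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory stand-in for php_stream (hypothetical, for this example only). */
struct mem_stream { const uint8_t *buf; size_t len; size_t pos; };

enum walk_result { WALK_FOUND, WALK_EOF, WALK_REJECTED, WALK_NO_PROGRESS };

#define BMHD_ID  0x424d4844  /* chunk id compared against in the excerpt */
#define MAX_ITER 1000        /* cap so the unvalidated walk terminates here */

static size_t ms_read(struct mem_stream *s, uint8_t *out, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return n;
}

/* Relative seek (SEEK_CUR semantics); negative offsets are allowed. */
static int ms_seek_cur(struct mem_stream *s, int64_t off) {
    int64_t target = (int64_t)s->pos + off;
    if (target < 0 || target > (int64_t)s->len) return -1;
    s->pos = (size_t)target;
    return 0;
}

/* Signed 32-bit big-endian read, the byte order IFF uses. */
static int32_t get32s_be(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Chunk walk shaped like the excerpt. validate=0 trusts the size field;
 * validate=1 rejects a negative size before it reaches the seek. */
static enum walk_result walk_chunks(const uint8_t *buf, size_t len, int validate) {
    struct mem_stream s = { buf, len, 0 };
    uint8_t a[8];
    for (int i = 0; i < MAX_ITER; i++) {
        if (ms_read(&s, a, 8) != 8) return WALK_EOF;
        int32_t id = get32s_be(a);
        int64_t size = get32s_be(a + 4);
        if (validate && size < 0) return WALK_REJECTED;
        if (size & 1) size++;               /* chunks are padded to even length */
        if (id == BMHD_ID) return WALK_FOUND;
        if (ms_seek_cur(&s, size) != 0) return WALK_EOF;
    }
    return WALK_NO_PROGRESS;  /* same header re-read until the cap was hit */
}

/* Constructed sample: a 3-byte NAME chunk (padded), then a BMHD header. */
static const uint8_t good_chunks[] = {
    'N','A','M','E', 0,0,0,3, 'a','b','c',0,
    'B','M','H','D', 0,0,0,20 };

/* Constructed sample: second chunk declares size -8 (0xFFFFFFF8). */
static const uint8_t bad_chunks[] = {
    'N','A','M','E', 0,0,0,4, 'd','e','m','o',
    'J','U','N','K', 0xFF,0xFF,0xFF,0xF8 };

int main(void) {
    printf("good, unvalidated: %d\n", walk_chunks(good_chunks, sizeof good_chunks, 0));
    printf("bad,  unvalidated: %d\n", walk_chunks(bad_chunks, sizeof bad_chunks, 0));
    printf("bad,  validated:   %d\n", walk_chunks(bad_chunks, sizeof bad_chunks, 1));
    return 0;
}
```

The same forward-progress rule applies to ISSUE 2: a skip length computed from a short read at end of stream should be rejected rather than passed to the seek.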
    

- Vulnerability Information

15184
PHP image.c php_next_marker Function JPEG Processing DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Vendor Verified

- Vulnerability Description

PHP contains a flaw that may allow a remote attacker to cause a denial of service. The issue is due to the php_next_marker function in image.c, as reachable by the getimagesize PHP function, not properly sanitizing user-supplied input. By supplying a negative length value to the php_stream_seek, an attacker can cause an infinite loop and exhaust system resources.

- Timeline

2005-03-31 2005-02-23
Unknown Unknown

- Solution

Upgrade to version 4.3.11, 5.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

- Vulnerability Information

PHP Group PHP Remote JPEG File Format Remote Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 12963
Yes No
2005-04-01 12:00:00 2009-07-12 11:56:00
The discoverer of these issues wishes to remain anonymous; iDEFENSE is responsible for their disclosure.

- Affected Software Versions

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI ProPack 3.0
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
Red Hat Fedora Core2
Red Hat Fedora Core1
PHP PHP 5.0.3
+ Trustix Secure Linux 2.2
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.3.10
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
PHP PHP 4.3.9
PHP PHP 4.3.8
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG Current
+ S.u.S.E. Linux Personal 8.2
PHP PHP 4.3
PHP PHP 4.2.3
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
PHP PHP 4.2.2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
PHP PHP 4.1.1
+ Conectiva Linux 7.0
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ HP Secure OS software for Linux 1.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Sun Cobalt RaQ 550
+ Sun LX50
+ Trustix Secure Linux 1.5
PHP PHP 4.0.5
PHP PHP 4.0.4
+ Compaq Compaq Secure Web Server PHP 1.0
+ Conectiva Linux 6.0
+ Guardian Digital Engarde Secure Linux 1.0.1
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
PHP PHP 3.0.18
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Red Hat Linux 6.2
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.16
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
+ Sun 2800 Workgroup NTT/KOBE 2800WGJ-KOBE
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0 0
Peachtree Linux release 1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Converged Communications Server 2.0
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
PHP PHP 5.0.4
PHP PHP 4.3.11

- Unaffected Software Versions

PHP PHP 5.0.4
PHP PHP 4.3.11

- Vulnerability Discussion

A remote denial of service vulnerability affects PHP Group PHP. This issue is due to a failure of the application to properly handle maliciously crafted JPEG image files.

It should be noted that this vulnerability can only be exploited remotely if a Web based PHP application is implemented that allows user-supplied images to be processed by the 'getimagesize()' function. The 'getimagesize()' is commonly implemented in PHP Web applications that allow for the display of images.

An attacker may leverage this issue to cause the affected script interpreter to consume excessive processing resources on an affected computer, leading to a denial of service condition.

- Exploit

An exploit is not required to leverage this issue.

- Solution

The vendor has released an upgrade dealing with this issue.

Avaya has released an advisory (ASA-2005-136) that acknowledges this vulnerability for Avaya products. Please see the referenced Avaya advisory for further details.

Turbolinux has released advisory TLSA-2005-50 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

Peachtree Linux has released an advisory (PLSN-0001) including updated packages to address this issue. Please see the referenced advisory for more information.

Ubuntu advisory USN-105-1 is available to address this issue. Please see the referenced advisory for more information.

Debian GNU/Linux has released advisory DSA 708-1 to address this issue. Please see the referenced advisory for further information.

SuSE has released advisory SUSE-SA:2005:023 to address this issue. Please see the referenced advisory for further information.

Gentoo Linux has released advisory GLSA 200504-15 dealing with this issue. Gentoo advises that all users upgrade their packages by executing the following commands with superuser privileges:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-4.3.11"

All mod_php users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/mod_php-4.3.11"

All php-cgi users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-cgi-4.3.11"

For more information, please see the referenced Gentoo Linux advisory.

Mandriva has released advisory MDKSA-2005:072 to address these issues. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat released advisory RHSA-2005:405-06 as well as fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisories for additional information.

SGI has released an advisory 20050501-01-U including updated SGI ProPack 3
Service Pack 5 packages to address this BID and other issues. Please see
the referenced advisory for more information.

Debian has released advisory DSA 729-1 to address these issues. Please see the attached advisory for details on obtaining and applying fixes.

Apple has released security advisory APPLE-SA-2005-06-08 along with fixes dealing with this issue for Mac OS X 10.4.1 and Mac OS X 10.3.9. Please see the referenced advisory for more information.

RedHat Fedora has released Fedora Legacy security advisory FLSA:155505 addressing this issue. Please see the referenced advisory for further information.


Apple Mac OS X Server 10.3.9

PHP PHP 3.0.18

- Related References
