CVE-2005-1042
CVSS7.5
发布时间 :2005-05-02 00:00:00
修订时间 :2010-08-21 00:27:31
NMCOS    

[原文]Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code via an IFD tag that leads to a negative byte count.


[CNNVD]PHP4 EXIF模块exif_process_IFD_TAG()整数溢出漏洞(CNNVD-200505-256)

        PHP是服务器端脚本语言,设计成内嵌于HTML文件的形式,可以运行于Windows,Linux和许多Unix操作系统。
        PHP4 EXIF模块的exif_process_IFD_TAG()函数中存在整数溢出漏洞。有特制IFD标签的EXIF标签可能导致攻击者以PHP4 server的权限执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:php:php:4.3.3PHP PHP 4.3.3
cpe:/a:php:php:4.3.7PHP PHP 4.3.7
cpe:/a:php:php:4.3.4PHP PHP 4.3.4
cpe:/a:php:php:4.3.8PHP PHP 4.3.8
cpe:/a:php:php:4.3.9PHP PHP 4.3.9
cpe:/a:php:php:4.3.6PHP PHP 4.3.6
cpe:/a:php:php:4.3.5PHP PHP 4.3.5
cpe:/a:php:php:4.3
cpe:/a:php:php:4.3.2PHP PHP 4.3.2
cpe:/a:php:php:4.3.10PHP PHP 4.3.10
cpe:/a:php:php:4.3.1PHP PHP 4.3.1

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:10822Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code vi...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1042
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1042
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-256
(官方数据源) CNNVD

- 其它链接及资源

http://www.gentoo.org/security/en/glsa/glsa-200504-15.xml
(PATCH)  GENTOO  GLSA-200504-15
http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.33&r2=1.118.2.34&ty=u
(PATCH)  CONFIRM  http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.33&r2=1.118.2.34&ty=u
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154021
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154021
http://www.ubuntulinux.org/support/documentation/usn/usn-112-1
(VENDOR_ADVISORY)  UBUNTU  USN-112-1
http://www.redhat.com/support/errata/RHSA-2005-406.html
(UNKNOWN)  REDHAT  RHSA-2005:406
http://www.redhat.com/support/errata/RHSA-2005-405.html
(UNKNOWN)  REDHAT  RHSA-2005:405
http://lists.apple.com/archives/security-announce/2005/Jun/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-06-08
http://www.mandriva.com/security/advisories?name=MDKSA-2005:072
(UNKNOWN)  MANDRAKE  MDKSA-2005:072

- 漏洞信息

PHP4 EXIF模块exif_process_IFD_TAG()整数溢出漏洞
高危 缓冲区溢出
2005-05-02 00:00:00 2005-10-20 00:00:00
远程  
        PHP是服务器端脚本语言,设计成内嵌于HTML文件的形式,可以运行于Windows,Linux和许多Unix操作系统。
        PHP4 EXIF模块的exif_process_IFD_TAG()函数中存在整数溢出漏洞。有特制IFD标签的EXIF标签可能导致攻击者以PHP4 server的权限执行任意代码。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.php.net/downloads.php" target="_blank"

- 漏洞信息

15629
PHP exif.c exif_process_IFD_TAG Function IDF Tag Handling Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- 漏洞描述

PHP contains a flaw that may allow a remote attacker to gain elevated privileges. The issue is due to the exif_process_IFD_TAG function in exif.c not properly sanitizing user-supplied input. By supplying a crafted IFD tag, an attacker can trigger an overflow and execute arbitrary code.

- 时间线

2005-04-06 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

PHP Group Exif Module IFD Tag Integer Overflow Vulnerability
Boundary Condition Error 13163
Yes No
2005-04-12 12:00:00 2009-07-12 12:56:00
This issue was announced by the PHP Group.

- 受影响的程序版本

SGI ProPack 3.0
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
S.u.S.E. Linux 7.3 sparc
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3
S.u.S.E. Linux 7.2 i386
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.1 x86
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 i386
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 6.4 i386
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.1 alpha
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.0
S.u.S.E. Linux 5.3
S.u.S.E. Linux 5.2
S.u.S.E. Linux 5.1
S.u.S.E. Linux 5.0
S.u.S.E. Linux 4.4.1
S.u.S.E. Linux 4.4
S.u.S.E. Linux 4.3
S.u.S.E. Linux 4.2
S.u.S.E. Linux 4.0
S.u.S.E. Linux 3.0
S.u.S.E. Linux 2.0
S.u.S.E. Linux 1.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
Red Hat Fedora Core2
Red Hat Fedora Core1
PHP PHP 4.3.10
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG Current
+ S.u.S.E. Linux Personal 8.2
PHP PHP 4.3
Peachtree Linux release 1
Conectiva Linux 10.0
Conectiva Linux 9.0
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Converged Communications Server 2.0
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
PHP PHP 4.3.11

- 不受影响的程序版本

PHP PHP 4.3.11

- 漏洞讨论

PHP is prone to an integer overflow vulnerability in the EXIF module. This issue is exposed when malformed IFD (Image File Directory) tags are processed.

This issue could manifest itself in Web applications that allow users to upload images. Any other application that processes untrusted EXIF image data could also be exposed to attacks. Successful exploitation may allow for execution of arbitrary code.

This vulnerability may be one of the issues described in BID 13143 "PHP Group PHP Multiple Unspecified Vulnerabilities".

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 解决方案

Avaya has released an advisory (ASA-2005-136) that acknowledges this vulnerability for Avaya products. Please see the referenced Avaya advisory for further details.

Conectiva has released an advisory (CLSA-2005:955) and fixes to address this and other issues. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.

Turbolinux has released advisory TLSA-2005-50 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

Peachtree Linux has released an advisory (PLSN-0001) including updated packages to address this issue. Please see the referenced advisory for more information.

Ubuntu has released advisory USN-112-1 to provide fixes for this issue. Please see the attached advisory for further information on obtaining and applying fixes.

This issue has been addressed in PHP 4.3.11.

Gentoo Linux has released advisory GLSA 200504-15 dealing with this issue. Gentoo advises that all users upgrade their packages by executing the following commands with superuser privileges:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-4.3.11"

All mod_php users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/mod_php-4.3.11"

All php-cgi users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-cgi-4.3.11"

For more information, please see the referenced Gentoo Linux advisory.

RedHat Fedora has released advisory FEDORA-2005-315 for their Core 3 product. Please see the referenced advisory for more information.

Mandriva has released advisory MDKSA-2005:072 to address these issues. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat released advisory RHSA-2005:405-06 as well as fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisories for additional information.

SuSE has released advisory SUSE-SR:2005:012 and fixes for this issue. Fixes can be obtained through the SuSE FTP server or by using the YaST Online Update.

SGI has released an advisory 20050501-01-U including updated SGI ProPack 3
Service Pack 5 packages to address this BID and other issues. Please see
the referenced advisory for more information.

Apple has released security advisory APPLE-SA-2005-06-08 along with fixes dealing with this issue for Mac OS X 10.4.1 and Mac OS X 10.3.9. Please see the referenced advisory for more information.

RedHat Fedora has released Fedora Legacy security advisory FLSA:155505 addressing this issue. Please see the referenced advisory for further information.


Apple Mac OS X Server 10.3.9

Apple Mac OS X 10.3.9

Apple Mac OS X Server 10.4.1

Apple Mac OS X 10.4.1

PHP PHP 4.3

PHP PHP 4.3.1

PHP PHP 4.3.10

PHP PHP 4.3.2

PHP PHP 4.3.3

PHP PHP 4.3.4

PHP PHP 4.3.5

PHP PHP 4.3.6

PHP PHP 4.3.7

PHP PHP 4.3.8

PHP PHP 4.3.9

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站