Vulnerabilities > CVE-2006-4486 - Numeric Errors vulnerability in PHP

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
php
CWE-189
nessus

Summary

Integer overflow in memory allocation routines in PHP before 5.1.6, when running on a 64-bit system, allows context-dependent attackers to bypass the memory_limit restriction.

Vulnerable Configurations

Part Description Count
Application
Php
5

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-122.NASL
    descriptionMultiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. One instance in gd_io_dp.c does not appear to be corrected in the embedded copy of GD used in php to build the php-gd package. (CVE-2004-0941) Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2004-0990) The c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x, when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions. (CVE-2006-1017) Integer overflow in the wordwrap function in string.c in might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update for this issue did not resolve the issue on 64bit platforms. The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing nul characters. (CVE-2006-2563) Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename. (CVE-2006-2660) The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote attackers to cause a denial of service (CPU consumption) via malformed GIF data that causes an infinite loop. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2006-2906) The error_log function in PHP allows local users to bypass safe mode and open_basedir restrictions via a
    last seen2020-06-01
    modified2020-06-02
    plugin id22053
    published2006-07-17
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22053
    titleMandrake Linux Security Advisory : php (MDKSA-2006:122)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:122. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22053);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2004-0941", "CVE-2004-0990", "CVE-2006-1017", "CVE-2006-1990", "CVE-2006-1991", "CVE-2006-2563", "CVE-2006-2660", "CVE-2006-2906", "CVE-2006-3011", "CVE-2006-3016", "CVE-2006-3017", "CVE-2006-3018", "CVE-2006-4482", "CVE-2006-4483", "CVE-2006-4486");
      script_bugtraq_id(11523);
      script_xref(name:"MDKSA", value:"2006:122");
    
      script_name(english:"Mandrake Linux Security Advisory : php (MDKSA-2006:122)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple buffer overflows in the gd graphics library (libgd) 2.0.21
    and earlier may allow remote attackers to execute arbitrary code via
    malformed image files that trigger the overflows due to improper calls
    to the gdMalloc function. One instance in gd_io_dp.c does not appear
    to be corrected in the embedded copy of GD used in php to build the
    php-gd package. (CVE-2004-0941)
    
    Integer overflows were reported in the GD Graphics Library (libgd)
    2.0.28, and possibly other versions. These overflows allow remote
    attackers to cause a denial of service and possibly execute arbitrary
    code via PNG image files with large image rows values that lead to a
    heap-based buffer overflow in the gdImageCreateFromPngCtx() function.
    PHP, as packaged in Mandriva Linux, contains an embedded copy of the
    GD library, used to build the php-gd package. (CVE-2004-0990)
    
    The c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x,
    when used in applications that accept user-controlled input for the
    mailbox argument to the imap_open function, allow remote attackers to
    obtain access to an IMAP stream data structure and conduct
    unauthorized IMAP actions. (CVE-2006-1017)
    
    Integer overflow in the wordwrap function in string.c in might allow
    context-dependent attackers to execute arbitrary code via certain long
    arguments that cause a small buffer to be allocated, which triggers a
    heap-based buffer overflow in a memcpy function call, a different
    vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update
    for this issue did not resolve the issue on 64bit platforms.
    
    The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to
    bypass safe mode and read files via a file:// request containing nul
    characters. (CVE-2006-2563)
    
    Buffer consumption vulnerability in the tempnam function in PHP 5.1.4
    and 4.x before 4.4.3 allows local users to bypass restrictions and
    create PHP files with fixed names in other directories via a pathname
    argument longer than MAXPATHLEN, which prevents a unique string from
    being appended to the filename. (CVE-2006-2660)
    
    The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas
    Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote
    attackers to cause a denial of service (CPU consumption) via malformed
    GIF data that causes an infinite loop. PHP, as packaged in Mandriva
    Linux, contains an embedded copy of the GD library, used to build the
    php-gd package. (CVE-2006-2906)
    
    The error_log function in PHP allows local users to bypass safe mode
    and open_basedir restrictions via a 'php://' or other scheme in the
    third argument, which disables safe mode. (CVE-2006-3011)
    
    An unspecified vulnerability in session.c in PHP before 5.1.3 has
    unknown impact and attack vectors, related to 'certain characters in
    session names', including special characters that are frequently
    associated with CRLF injection, SQL injection, and cross-site
    scripting (XSS) vulnerabilities. NOTE: while the nature of the
    vulnerability is unspecified, it is likely that this is related to a
    violation of an expectation by PHP applications that the session name
    is alphanumeric, as implied in the PHP manual for session_name().
    (CVE-2006-3016)
    
    An unspecified vulnerability in PHP before 5.1.3 can prevent a
    variable from being unset even when the unset function is called,
    which might cause the variable's value to be used in security-relevant
    operations. (CVE-2006-3017)
    
    An unspecified vulnerability in the session extension functionality in
    PHP before 5.1.3 has unkown impact and attack vectors related to heap
    corruption. (CVE-2006-3018)
    
    Multiple heap-based buffer overflows in the (1) str_repeat and (2)
    wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when
    used on a 64-bit system, have unspecified impact and attack vectors, a
    different vulnerability than CVE-2006-1990. (CVE-2006-4482)
    
    The cURL extension files (1) ext/curl/interface.c and (2)
    ext/curl/streams.c in PHP before 5.1.5 permit the
    CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is
    enabled, which allows attackers to perform unauthorized actions,
    possibly related to the realpath cache. (CVE-2006-4483)
    
    Unspecified vulnerability in PHP before 5.1.6, when running on a
    64-bit system, has unknown impact and attack vectors related to the
    memory_limit restriction. (CVE-2006-4486)
    
    The GD related issues (CVE-2004-0941, CVE-2004-0990, CVE-2006-2906)
    affect only Corporate 3 and Mandrake Network Firewall 2.
    
    The php-curl issues (CVE-2006-2563, CVE-2006-4483) affect only
    Mandriva 2006.0.
    
    Updated packages have been patched to address all these issues. Once
    these packages have been installed, you will need to restart Apache
    (service httpd restart) in order for the changes to take effect."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php5_common5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php_common432");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp5_common5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common432");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-fcgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php432-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64php_common432-4.3.10-7.14.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libphp_common432-4.3.10-7.14.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"php-cgi-4.3.10-7.14.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"php-cli-4.3.10-7.14.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"php-imap-4.3.10-6.3.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"php432-devel-4.3.10-7.14.102mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64php5_common5-5.0.4-9.12.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libphp5_common5-5.0.4-9.12.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"php-cgi-5.0.4-9.12.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"php-cli-5.0.4-9.12.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"php-curl-5.0.4-1.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"php-devel-5.0.4-9.12.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"php-fcgi-5.0.4-9.12.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"php-imap-5.0.4-2.3.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0669.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id22423
    published2006-09-22
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22423
    titleCentOS 3 / 4 : php (CESA-2006:0669)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0682.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered found in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id22444
    published2006-09-22
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22444
    titleRHEL 2.1 : php (RHSA-2006:0682)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_EA09C5DF436211DB81E1000E0C2E438A.NASL
    descriptionThe PHP development team reports : - Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions. - Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems. - Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache. - Fixed overflow in GD extension on invalid GIF images. - Fixed a buffer overflow inside sscanf() function. - Fixed an out of bounds read inside stripos() function. - Fixed memory_limit restriction on 64 bit system.
    last seen2020-06-01
    modified2020-06-02
    plugin id22343
    published2006-09-14
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22343
    titleFreeBSD : php -- multiple vulnerabilities (ea09c5df-4362-11db-81e1-000e0c2e438a)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1331.NASL
    descriptionSeveral remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-0207 Stefan Esser discovered HTTP response splitting vulnerabilities in the session extension. This only affects Debian 3.1 (Sarge). - CVE-2006-4486 Stefan Esser discovered that an integer overflow in memory allocation routines allows the bypass of memory limit restrictions. This only affects Debian 3.1 (Sarge) on 64 bit architectures. - CVE-2007-1864 It was discovered that a buffer overflow in the xmlrpc extension allows the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id25678
    published2007-07-10
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25678
    titleDebian DSA-1331-1 : php4 - several vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-362-1.NASL
    descriptionThe stripos() function did not check for invalidly long or empty haystack strings. In an application that uses this function on arbitrary untrusted data this could be exploited to crash the PHP interpreter. (CVE-2006-4485) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the
    last seen2020-06-01
    modified2020-06-02
    plugin id27942
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27942
    titleUbuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-362-1)
  • NASL familyCGI abuses
    NASL idPHP_5_2_0.NASL
    descriptionAccording to its banner, the version of PHP 5.x installed on the remote host is older than 5.2. Such versions may be affected by several buffer overflows. To exploit these issues, an attacker would need the ability to upload an arbitrary PHP script on the remote server or to manipulate several variables processed by some PHP functions such as
    last seen2020-06-01
    modified2020-06-02
    plugin id31649
    published2008-03-25
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31649
    titlePHP 5.x < 5.2 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-1024.NASL
    descriptionThis update includes the latest upstream release of PHP 5.1, version 5.1.6, fixing a number of security vulnerabilities, and other bugs. An integer overflow was discovered in the PHP memory handling routines. If a script can cause memory allocation based on untrusted user data, a remote attacker sending a carefully crafted request could execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id24032
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24032
    titleFedora Core 5 : php-5.1.6-1.1 (2006-1024)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2006-0730.NASL
    descriptionUpdated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption. From Red Hat Security Advisory 2006:0730 : The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id67421
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/67421
    titleOracle Linux 4 : php (ELSA-2006-0730 / ELSA-2006-0669)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0669.NASL
    descriptionUpdated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id22443
    published2006-09-22
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22443
    titleRHEL 3 / 4 : php (RHSA-2006:0669)

Oval

accepted2013-04-29T04:11:23.846-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionInteger overflow in memory allocation routines in PHP before 5.1.6, when running on a 64-bit system, allows context-dependent attackers to bypass the memory_limit restriction.
familyunix
idoval:org.mitre.oval:def:11086
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleInteger overflow in memory allocation routines in PHP before 5.1.6, when running on a 64-bit system, allows context-dependent attackers to bypass the memory_limit restriction.
version26

Redhat

advisories
  • bugzilla
    id206959
    titleCVE-2006-3016 PHP session ID validation
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentphp-snmp is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669001
          • commentphp-snmp is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276014
        • AND
          • commentphp-ncurses is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669003
          • commentphp-ncurses is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276016
        • AND
          • commentphp-pear is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669005
          • commentphp-pear is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276018
        • AND
          • commentphp-mbstring is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669007
          • commentphp-mbstring is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276020
        • AND
          • commentphp-domxml is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669009
          • commentphp-domxml is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276022
        • AND
          • commentphp-ldap is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669011
          • commentphp-ldap is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276024
        • AND
          • commentphp-devel is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669013
          • commentphp-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276028
        • AND
          • commentphp-gd is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669015
          • commentphp-gd is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276026
        • AND
          • commentphp-imap is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669017
          • commentphp-imap is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276002
        • AND
          • commentphp-pgsql is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669019
          • commentphp-pgsql is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276004
        • AND
          • commentphp-xmlrpc is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669021
          • commentphp-xmlrpc is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276006
        • AND
          • commentphp-odbc is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669023
          • commentphp-odbc is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276008
        • AND
          • commentphp is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669025
          • commentphp is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276012
        • AND
          • commentphp-mysql is earlier than 0:4.3.9-3.18
            ovaloval:com.redhat.rhsa:tst:20060669027
          • commentphp-mysql is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060276010
    rhsa
    idRHSA-2006:0669
    released2006-09-21
    severityModerate
    titleRHSA-2006:0669: php security update (Moderate)
  • rhsa
    idRHSA-2006:0682
  • rhsa
    idRHSA-2006:0688
rpms
  • php-0:4.3.2-36.ent
  • php-0:4.3.9-3.18
  • php-debuginfo-0:4.3.2-36.ent
  • php-debuginfo-0:4.3.9-3.18
  • php-devel-0:4.3.2-36.ent
  • php-devel-0:4.3.9-3.18
  • php-domxml-0:4.3.9-3.18
  • php-gd-0:4.3.9-3.18
  • php-imap-0:4.3.2-36.ent
  • php-imap-0:4.3.9-3.18
  • php-ldap-0:4.3.2-36.ent
  • php-ldap-0:4.3.9-3.18
  • php-mbstring-0:4.3.9-3.18
  • php-mysql-0:4.3.2-36.ent
  • php-mysql-0:4.3.9-3.18
  • php-ncurses-0:4.3.9-3.18
  • php-odbc-0:4.3.2-36.ent
  • php-odbc-0:4.3.9-3.18
  • php-pear-0:4.3.9-3.18
  • php-pgsql-0:4.3.2-36.ent
  • php-pgsql-0:4.3.9-3.18
  • php-snmp-0:4.3.9-3.18
  • php-xmlrpc-0:4.3.9-3.18
  • php-0:5.1.4-1.el4s1.4
  • php-bcmath-0:5.1.4-1.el4s1.4
  • php-dba-0:5.1.4-1.el4s1.4
  • php-debuginfo-0:5.1.4-1.el4s1.4
  • php-devel-0:5.1.4-1.el4s1.4
  • php-gd-0:5.1.4-1.el4s1.4
  • php-imap-0:5.1.4-1.el4s1.4
  • php-ldap-0:5.1.4-1.el4s1.4
  • php-mbstring-0:5.1.4-1.el4s1.4
  • php-mysql-0:5.1.4-1.el4s1.4
  • php-ncurses-0:5.1.4-1.el4s1.4
  • php-odbc-0:5.1.4-1.el4s1.4
  • php-pdo-0:5.1.4-1.el4s1.4
  • php-pgsql-0:5.1.4-1.el4s1.4
  • php-snmp-0:5.1.4-1.el4s1.4
  • php-soap-0:5.1.4-1.el4s1.4
  • php-xml-0:5.1.4-1.el4s1.4
  • php-xmlrpc-0:5.1.4-1.el4s1.4

References