J-Security Center

Title: PHP Zip_Entry_Read() Integer Overflow Vulnerability

Severity: HIGH

Description:

PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun.

Specifically, the vulnerability resides in the 'zip_read_entry()' function that is used to read file contents inside ZIP archives. The affected function fails to properly check and validate the length parameter. An attacker may exploit this issue by supplying a length value of '0xffffffff', causing a memory block of size zero to be allocated while allowing up to 4GB of data to be copied into this space. This will cause memory to be overwritten and corrupted. The wraparound occurs because '1' is added to the '0xffffffff' value to create room for a trailing NULL byte prior to the memory allocation.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects versions prior to PHP 4.4.5.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Compaq Compaq Secure Web Server PHP 1.0.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux ecommerce
  • Conectiva Linux graficas
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 IA-32
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • EnGarde Secure Linux 1.0.1
  • Gentoo Linux
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0 _rc1
  • Guardian Digital Engarde Secure Linux 1.0.1
  • HP Secure OS software for Linux 1.0.0
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Corporate Server 4.0
  • MandrakeSoft Corporate Server 4.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Multi Network Firewall 2.0.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • OpenPKG OpenPKG 1.1.0
  • OpenPKG OpenPKG Current
  • PHP PHP 3.0.0.10
  • PHP PHP 3.0.0.11
  • PHP PHP 3.0.0.12
  • PHP PHP 3.0.0.13
  • PHP PHP 3.0.0.16
  • PHP PHP 3.0.00
  • PHP PHP 3.0.1
  • PHP PHP 3.0.10
  • PHP PHP 3.0.11
  • PHP PHP 3.0.12
  • PHP PHP 3.0.13
  • PHP PHP 3.0.14
  • PHP PHP 3.0.15
  • PHP PHP 3.0.16
  • PHP PHP 3.0.17
  • PHP PHP 3.0.18
  • PHP PHP 3.0.2
  • PHP PHP 3.0.3
  • PHP PHP 3.0.4
  • PHP PHP 3.0.5
  • PHP PHP 3.0.6
  • PHP PHP 3.0.7
  • PHP PHP 3.0.8
  • PHP PHP 3.0.9
  • PHP PHP 4.0.0 0
  • PHP PHP 4.0.1
  • PHP PHP 4.0.1 pl1
  • PHP PHP 4.0.1 pl2
  • PHP PHP 4.0.2
  • PHP PHP 4.0.3
  • PHP PHP 4.0.3 pl1
  • PHP PHP 4.0.4
  • PHP PHP 4.0.5
  • PHP PHP 4.0.6
  • PHP PHP 4.0.7
  • PHP PHP 4.0.7 RC1
  • PHP PHP 4.0.7 RC2
  • PHP PHP 4.0.7 RC3
  • PHP PHP 4.1.0 .0
  • PHP PHP 4.1.1
  • PHP PHP 4.1.2
  • PHP PHP 4.2.0 -dev
  • PHP PHP 4.2.0 .0
  • PHP PHP 4.2.1
  • PHP PHP 4.2.2
  • PHP PHP 4.2.3
  • PHP PHP 4.3.0
  • PHP PHP 4.3.1
  • PHP PHP 4.3.10
  • PHP PHP 4.3.11
  • PHP PHP 4.3.2
  • PHP PHP 4.3.3
  • PHP PHP 4.3.4
  • PHP PHP 4.3.5
  • PHP PHP 4.3.6
  • PHP PHP 4.3.7
  • PHP PHP 4.3.8
  • PHP PHP 4.3.9
  • PHP PHP 4.4.0 .0
  • PHP PHP 4.4.1
  • PHP PHP 4.4.2
  • PHP PHP 4.4.3
  • PHP PHP 4.4.4
  • RedHat Fedora Core3
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 i386
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.1.0 alpha
  • S.u.S.E. Linux 7.1.0 ppc
  • S.u.S.E. Linux 7.1.0 sparc
  • S.u.S.E. Linux 7.1.0 x86
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.2.0 i386
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.0.0 i386
  • S.u.S.E. Linux 8.1.0
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.2.0
  • Slackware Linux 8.1.0
  • Sun 2800 Workgroup NTT/KOBE 2800WGJ-KOBE 0.0.0
  • Sun Cobalt Control Station 4100CS
  • Sun Cobalt Qube3 4000WG
  • Sun Cobalt Qube3 Japanese 4000WGJ
  • Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
  • Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
  • Sun Cobalt Qube3 w/ Caching and RAID 4100WG
  • Sun Cobalt Qube3 w/Caching 4010WG
  • Sun Cobalt RaQ 550
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ XTR Japanese 3500R-ja
  • Sun Cobalt RaQ4 3001R
  • Sun Cobalt RaQ4 Japanese RAID 3100R-ja
  • Sun Cobalt RaQ4 RAID 3100R
  • Sun LX50
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 1.1.0
  • Trustix Secure Linux 1.2.0
  • Trustix Secure Linux 1.5.0
  • Trustix Secure Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Trustix Secure Linux 2.2.0
  • Turbolinux Appliance Server 1.0.0 Hosting Edition
  • Turbolinux Appliance Server 1.0.0 Workgroup Edition
  • Turbolinux Appliance Server 2.0
  • Turbolinux Appliance Server 3.0
  • Turbolinux Appliance Server 3.0 x64
  • Turbolinux Appliance Server Hosting Edition 1.0.0
  • Turbolinux Appliance Server Workgroup Edition 1.0.0
  • Turbolinux Home
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 10.0.0 x64
  • Turbolinux Turbolinux Server 11
  • Turbolinux Turbolinux Server 11 x64
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.