PHP ecalloc() integer overflow

php-ecalloc-integer-overflow (29362)

High Risk

Description:

PHP is vulnerable to an integer overflow in the ecalloc() function of the zend_alloc.c module and in the unserialize() function. A remote attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash by sending a specially-crafted request to a vulnerable PHP script.

Platforms Affected:

• Canonical, Ubuntu 5.04
• Canonical, Ubuntu 5.10
• Canonical, Ubuntu 6.06 LTS
• Gentoo, Linux
• IBM, AIX
• Novell, Linux POS 9
• Novell, Open Enterprise Server
• Novell, Open Enterprise Server
• Novell, UnitedLinux 1.0
• OpenPKG, OpenPKG 2-STABLE
• OpenPKG, OpenPKG CURRENT
• OpenPKG, OpenPKG Enterprise E1.0-SOLID
• PHP, PHP 5.0.0
• RedHat, Application Stack v1 for EL AS 4
• RedHat, Application Stack v1 for EL ES 4
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SuSE, SLE SDK 10
• SuSE, SuSE Linux 10.0
• SuSE, SuSE Linux 10.1
• SuSE, SuSE Linux 9.2
• SuSE, SuSE Linux 9.3
• SuSE, SuSE Linux Enterprise Server 8.0
• SuSE, SuSE Linux OpenExchange Server 4
• SuSE, SuSE Linux Retail Solution 8
• SuSE, SuSE Linux School Server
• SuSE, SuSE Linux Standard Server 8
• SuSE, SuSE SLES 10
• SuSE, SuSE SLES 9

Remedy:

Upgrade to the latest CVS release of PHP, available from The PHP Group Web site. See References.

For Red Hat Linux 2.1:
Refer to RHSA-2006:0710-7 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200610-14 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:059 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• Full-Disclosure Mailing List, Mon Oct 09 2006 - 01:51:07 CDT, Advisory 09/2006: PHP unserialize() Array Creation Integer Overflow at http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0135.html.
• The PHP Group Web site, PHP: Downloads at http://www.php.net/downloads.php#v5.
• ASA-2006-223: php security update (RHSA-2006-0688)
• ASA-2006-234: php security update (RHSA-2006-0708)
• BID-20349: PHP ZendEngine ECalloc Integer Overflow Vulnerability
• CVE-2006-4812: Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c).
• GLSA-200610-14: PHP: Integer overflow
• OpenPKG-SA-2006.023: PHP
• RHSA-2006-0688: php security update
• RHSA-2006-0708: php security update
• SA22280: PHP "_ecalloc" Integer Overflow Vulnerability
• SA22533: Avaya Products PHP "_ecalloc" Integer Overflow Vulnerability
• SA22538: Avaya Products PHP Multiple Vulnerabilites
• SECTRACK ID: 1016984: PHP Heap Overflows and Other Bugs Let Users Execute Arbitrary Code or Cause Denial of Service Conditions
• SUSE-SA:2006:059: PHP security problems
• USN-362-1: PHP vulnerabilities
• VUPEN/ADV-2006-3922: PHP ecalloc() Function Data Handling Remote Integer Overflow Vulnerability

Reported:

Oct 05, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page