Pierluigi Paganini September 14, 2014

Ubuntu has issued a security notice to inform users about flaws in php5 exploitable to crash or run programs if it received specially crafted network traffic.

According to the recent Ubuntu Security Notice php5 could be made to crash or run arbitrary code if it received specially crafted network traffic.

“Summary -php5 could be made to crash or run programs if it received specially crafted network traffic.” states the advisory.

The Security Notice was issued by for the first time by the vendor on 9th September, 2014 and it was coded as USN-2344-1.

According to Ubuntu, the security flaw affects the following releases and its derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

According to security notice, the Fileinfo component in php5 contains is affected by an integer overflow that could be exploited by a bad actor to cause a denial of service or to execute arbitrary code via a crafted CDF file. (CVE-2014-3587). The advisory also reports that the php_parserr function contains multiple buffer overflows that could be exploited by an attacker to cause a denial of service or to execute arbitrary code via crafted DNS records. (CVE-2014-3597)

The vulnerabilities have been already fixed and it correct the problem is it necessary to update user’s system to the following package version:

Ubuntu 14.04 LTS:

php5 5.5.9+dfsg-1ubuntu4.4

libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.4

php5-fpm 5.5.9+dfsg-1ubuntu4.4

php5-cgi 5.5.9+dfsg-1ubuntu4.4

Ubuntu 12.04 LTS:

php5 5.3.10-1ubuntu3.14

libapache2-mod-php5 5.3.10-1ubuntu3.14

php5-fpm 5.3.10-1ubuntu3.14

php5-cgi 5.3.10-1ubuntu3.14

Ubuntu 10.04 LTS:

php5 5.3.2-1ubuntu4.27

libapache2-mod-php5 5.3.2-1ubuntu4.27

php5-cgi 5.3.2-1ubuntu4.27

Be aware, once updated the system it is necessary to restart Apache or php5-fpm to make effective the changes.

Pierluigi Paganini

(Security Affairs – Ubuntu, php)