Bugtraq mailing list archives

Re: @stake Advisory: PHP3/PHP4 Logging Format String Vulnerability (A 101200-1)


From: Jouko Pynnönen <jouko () SOLUTIONS FI>
Date: Fri, 13 Oct 2000 00:13:30 +0300

On Thu, 12 Oct 2000, @stake Advisories wrote:

> We contacted the PHP team on 10/3/2000 concerning this problem. We wanted
> to hold off releasing our advisory until a fix was available for PHP3
> since some users may not be able to easily upgrade to PHP4.  Fixes for
> PHP3 and PHP4 are now available. We are aware that Jouko Pynnönen
> <jouko () solutions fi> found this problem independently but chose to release
> before the PHP3 fix was available.

The fix for PHP 3 seems to have been released about the same time as the
PHP 4 fix, i.e. the day before my posting on this list:

 [   ]  php-3.0.17.tar.gz       11-Oct-2000 16:30   2.1M
 [   ]  php-4.0.3.tar.gz        11-Oct-2000 15:35   2.1M

I contacted the PHP team and vendor-sec list on 09/28/2000. The fix, by
the way, was first planned to be released as early as 10/05/2000. I didn't
mention the URL for the PHP 3 fix in my posting, which I should have done;
however, finding it in the /distributions/ directory shouldn't be
difficult.

IMHO after the first piece of information about a security flaw has been
released (such as the PHP security fix announcement), the sooner people
get to know the details and advice about solving the problem, the better;
pinpointing the exact bug is a matter of minutes for the "bad guys", by
using diff(1) on the sources if not otherwise.


--
Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
jouko () solutions fi                                 http://www.secmod.com

