Below is the full disclosure timeline, up until now:
Jan 17, 2012: Eindbazen informs <email address hidden> about the vulnerability
Jan 20, 2012: Eindbazen informs Ubuntu about the vulnerability
Feb 1, 2012: Eindbazen again informs <email address hidden> about the vulnerability and provides a workaround
Feb 1, 2012: PHP confirms the issue and states that it does not know how to patch
Feb 6, 2012: Eindbazen again provides suggested workaround
Feb 19, 2012: Eindbazen informs CERT/CC about the vulnerability because of lack of action from PHP
Aforementioned workaround has been attached to this comment. As upstream stated on Feb 1st, command arguments to php-cgi can originate from various sources (e.g. fcgi config, a script's shebang or an HTTP request), which makes the issue difficult to fix.
As such, supplied workaround resolves the issue, but as a result breaks e.g. arguments originating from shebangs. We too are unsure how to properly fix this issue.
For reference, the commit which introduced the vulnerability: http://svn.php.net/viewvc?view=revision&revision=152585