| Summary: | php new security issue CVE-2013-4113 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | oe, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/558918/ | | |
| Whiteboard: | has_procedure mga3-64-ok mga3-32-ok | | |
| Source RPM: | php-5.4.16-1.mga3.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 10760 | | |

Description
David Walser
2013-07-18 16:06:52 CEST
David Walser
2013-07-18 16:07:22 CEST
Blocks:
(none) =>
10670

PHP 5.5.1 has been released upstream, fixing this flaw.
http://php.net/archive/2013.php#id2013-07-18-1

David Walser
2013-07-20 23:09:23 CEST
Version:
3 =>
Cauldron

Fixed in Cauldron in php-5.5.1-1.mga4.

Oden, are we waiting for a new upstream release of 5.4 before pushing the Mageia 3 update to QA?

Version:
Cauldron =>
3

(In reply to David Walser from comment #2)
> Fixed in Cauldron in php-5.5.1-1.mga4.
>
> Oden, are we waiting for a new upstream release of 5.4 before pushing the
> Mageia 3 update to QA?

No. There's a new issue though so we might see a fix for that in 5.4.18.

Everything OK.

David Walser
2013-07-22 18:33:25 CEST
Blocks:
10670 =>
10760

Thanks Oden. Assigning to QA.

Note to QA: there's a PoC here:
https://bugs.mageia.org/show_bug.cgi?id=10760#c7

Also note that we currently have php-timezonedb newer in Mageia 2 than Mageia 3 because of this (whoops!). That'll be fixed once this is pushed.

Advisory:
========================

Updated php packages fix security vulnerability:

* Fixed PHP bug #65236 (heap corruption in xml parser) (CVE-2013-4113).

Additionally the php-timezonedb package has been upgraded to the latest version (2013.4).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:195/
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.17-1.1.mga3
apache-mod_php-5.4.17-1.1.mga3
php-cli-5.4.17-1.1.mga3
php-cgi-5.4.17-1.1.mga3
libphp5_common5-5.4.17-1.1.mga3
php-devel-5.4.17-1.1.mga3
php-openssl-5.4.17-1.1.mga3
php-zlib-5.4.17-1.1.mga3
php-doc-5.4.17-1.1.mga3
php-bcmath-5.4.17-1.1.mga3
php-bz2-5.4.17-1.1.mga3
php-calendar-5.4.17-1.1.mga3
php-ctype-5.4.17-1.1.mga3
php-curl-5.4.17-1.1.mga3
php-dba-5.4.17-1.1.mga3
php-dom-5.4.17-1.1.mga3
php-enchant-5.4.17-1.1.mga3
php-exif-5.4.17-1.1.mga3
php-fileinfo-5.4.17-1.1.mga3
php-filter-5.4.17-1.1.mga3
php-ftp-5.4.17-1.1.mga3
php-gd-5.4.17-1.1.mga3
php-gettext-5.4.17-1.1.mga3
php-gmp-5.4.17-1.1.mga3
php-hash-5.4.17-1.1.mga3
php-iconv-5.4.17-1.1.mga3
php-imap-5.4.17-1.1.mga3
php-interbase-5.4.17-1.1.mga3
php-intl-5.4.17-1.1.mga3
php-json-5.4.17-1.1.mga3
php-ldap-5.4.17-1.1.mga3
php-mbstring-5.4.17-1.1.mga3
php-mcrypt-5.4.17-1.1.mga3
php-mssql-5.4.17-1.1.mga3
php-mysql-5.4.17-1.1.mga3
php-mysqli-5.4.17-1.1.mga3
php-mysqlnd-5.4.17-1.1.mga3
php-odbc-5.4.17-1.1.mga3
php-pcntl-5.4.17-1.1.mga3
php-pdo-5.4.17-1.1.mga3
php-pdo_dblib-5.4.17-1.1.mga3
php-pdo_firebird-5.4.17-1.1.mga3
php-pdo_mysql-5.4.17-1.1.mga3
php-pdo_odbc-5.4.17-1.1.mga3
php-pdo_pgsql-5.4.17-1.1.mga3
php-pdo_sqlite-5.4.17-1.1.mga3
php-pgsql-5.4.17-1.1.mga3
php-phar-5.4.17-1.1.mga3
php-posix-5.4.17-1.1.mga3
php-readline-5.4.17-1.1.mga3
php-recode-5.4.17-1.1.mga3
php-session-5.4.17-1.1.mga3
php-shmop-5.4.17-1.1.mga3
php-snmp-5.4.17-1.1.mga3
php-soap-5.4.17-1.1.mga3
php-sockets-5.4.17-1.1.mga3
php-sqlite3-5.4.17-1.1.mga3
php-sybase_ct-5.4.17-1.1.mga3
php-sysvmsg-5.4.17-1.1.mga3
php-sysvsem-5.4.17-1.1.mga3
php-sysvshm-5.4.17-1.1.mga3
php-tidy-5.4.17-1.1.mga3
php-tokenizer-5.4.17-1.1.mga3
php-xml-5.4.17-1.1.mga3
php-xmlreader-5.4.17-1.1.mga3
php-xmlrpc-5.4.17-1.1.mga3
php-xmlwriter-5.4.17-1.1.mga3
php-xsl-5.4.17-1.1.mga3
php-wddx-5.4.17-1.1.mga3
php-zip-5.4.17-1.1.mga3
php-fpm-5.4.17-1.1.mga3
php-timezonedb-2013.4-1.mga3

from SRPMS:
php-5.4.17-1.1.mga3.src.rpm
php-timezonedb-2013.4-1.mga3.src.rpm

CC:
(none) =>
oe

I forgot to submit php-apc-3.1.14-7.2.mga3 and php-gd-bundled-5.4.17-1.mga3 which I just did.

Testing mga3 64

There is also php-zlib-5.4.17-1.1.mga3 rpm as part of php srpm IINM.

Tested with the PoC under gdb.

Php tested with various webapps and php-apc tested by logging in at http://localhost/php-apc with the credentials from /etc/php-apc/config.php and watching the cache in action.

php-timezonedb is tested by adding your location in /etc/php.ini before you start.

# grep date.timezone /etc/php.ini
; http://php.net/date.timezone
date.timezone = Europe/London

You can also watch for errors in /var/log/httpd/error_log whilst using the webapps.

Testing complete mga3 64

Whiteboard:
(none) =>
has_procedure mga3-64-ok

Thanks Oden. Re-posting the advisory with the two new packages added.

Advisory:
========================

Updated php packages fix security vulnerability:

* Fixed PHP bug #65236 (heap corruption in xml parser) (CVE-2013-4113).

Additionally the php-timezonedb package has been upgraded to the latest version (2013.4).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:195/
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.17-1.1.mga3
apache-mod_php-5.4.17-1.1.mga3
php-cli-5.4.17-1.1.mga3
php-cgi-5.4.17-1.1.mga3
libphp5_common5-5.4.17-1.1.mga3
php-devel-5.4.17-1.1.mga3
php-openssl-5.4.17-1.1.mga3
php-zlib-5.4.17-1.1.mga3
php-doc-5.4.17-1.1.mga3
php-bcmath-5.4.17-1.1.mga3
php-bz2-5.4.17-1.1.mga3
php-calendar-5.4.17-1.1.mga3
php-ctype-5.4.17-1.1.mga3
php-curl-5.4.17-1.1.mga3
php-dba-5.4.17-1.1.mga3
php-dom-5.4.17-1.1.mga3
php-enchant-5.4.17-1.1.mga3
php-exif-5.4.17-1.1.mga3
php-fileinfo-5.4.17-1.1.mga3
php-filter-5.4.17-1.1.mga3
php-ftp-5.4.17-1.1.mga3
php-gd-5.4.17-1.1.mga3
php-gettext-5.4.17-1.1.mga3
php-gmp-5.4.17-1.1.mga3
php-hash-5.4.17-1.1.mga3
php-iconv-5.4.17-1.1.mga3
php-imap-5.4.17-1.1.mga3
php-interbase-5.4.17-1.1.mga3
php-intl-5.4.17-1.1.mga3
php-json-5.4.17-1.1.mga3
php-ldap-5.4.17-1.1.mga3
php-mbstring-5.4.17-1.1.mga3
php-mcrypt-5.4.17-1.1.mga3
php-mssql-5.4.17-1.1.mga3
php-mysql-5.4.17-1.1.mga3
php-mysqli-5.4.17-1.1.mga3
php-mysqlnd-5.4.17-1.1.mga3
php-odbc-5.4.17-1.1.mga3
php-pcntl-5.4.17-1.1.mga3
php-pdo-5.4.17-1.1.mga3
php-pdo_dblib-5.4.17-1.1.mga3
php-pdo_firebird-5.4.17-1.1.mga3
php-pdo_mysql-5.4.17-1.1.mga3
php-pdo_odbc-5.4.17-1.1.mga3
php-pdo_pgsql-5.4.17-1.1.mga3
php-pdo_sqlite-5.4.17-1.1.mga3
php-pgsql-5.4.17-1.1.mga3
php-phar-5.4.17-1.1.mga3
php-posix-5.4.17-1.1.mga3
php-readline-5.4.17-1.1.mga3
php-recode-5.4.17-1.1.mga3
php-session-5.4.17-1.1.mga3
php-shmop-5.4.17-1.1.mga3
php-snmp-5.4.17-1.1.mga3
php-soap-5.4.17-1.1.mga3
php-sockets-5.4.17-1.1.mga3
php-sqlite3-5.4.17-1.1.mga3
php-sybase_ct-5.4.17-1.1.mga3
php-sysvmsg-5.4.17-1.1.mga3
php-sysvsem-5.4.17-1.1.mga3
php-sysvshm-5.4.17-1.1.mga3
php-tidy-5.4.17-1.1.mga3
php-tokenizer-5.4.17-1.1.mga3
php-xml-5.4.17-1.1.mga3
php-xmlreader-5.4.17-1.1.mga3
php-xmlrpc-5.4.17-1.1.mga3
php-xmlwriter-5.4.17-1.1.mga3
php-xsl-5.4.17-1.1.mga3
php-wddx-5.4.17-1.1.mga3
php-zip-5.4.17-1.1.mga3
php-fpm-5.4.17-1.1.mga3
php-apc-3.1.14-7.2.mga3
php-apc-admin-3.1.14-7.2.mga3
php-gd-bundled-5.4.17-1.mga3
php-timezonedb-2013.4-1.mga3

from SRPMS:
php-5.4.17-1.1.mga3.src.rpm
php-apc-3.1.14-7.2.mga3.src.rpm
php-gd-bundled-5.4.17-1.mga3.src.rpm
php-timezonedb-2013.4-1.mga3.src.rpm

(In reply to claire robinson from comment #7)
> There is also php-zlib-5.4.17-1.1.mga3 rpm as part of php srpm IINM.

Oops, looks like I missed that one last time too (Bug 10456).

Strange :o(

Madb to the rescue :o)
http://mageia.madb.org/tools/listRpmsForQaBug/bugnum/10797%3F

Of course it hasn't picked up apc and gd-bundled yet, but should w/in a few hours.

Testing mga3 32

Before
------
$ php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $b);'
Segmentation fault
After
-----
$ php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $b);'
$
Possible problem with php-gd/php-gd-bundled, they can both be installed together and should maybe conflict.
eg.
$ php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $b);'
PHP Warning: Module 'gd' already loaded in Unknown on line 0
It's not new though, probably been that way forever so I'll create a new bug.
Testing complete mga3 32
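
The QA notes above suggest watching /var/log/httpd/error_log while exercising the web applications. The following shell script is an added example, not part of the bug report or of Mageia's QA tooling: it scans an error_log for httpd children killed by a segmentation fault and for PHP's "Module ... already loaded" warning. The function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: scan an Apache error_log for crashed httpd children and for
# PHP's duplicate-extension warning. All names and log lines are illustrative.

# Constructed sample log (not captured from a real host).
sample_log() {
cat <<'EOF'
[Fri Jul 26 12:00:01.100000 2013] [mpm_prefork:notice] [pid 2301] AH00163: Apache/2.4.x configured -- resuming normal operations
PHP Warning:  Module 'gd' already loaded in Unknown on line 0
[Fri Jul 26 12:03:17.200000 2013] [core:notice] [pid 2301] AH00052: child pid 2417 exit signal Segmentation fault (11)
[Fri Jul 26 12:03:19.300000 2013] [core:notice] [pid 2301] AH00052: child pid 2420 exit signal Segmentation fault (11)
[Fri Jul 26 12:05:00.400000 2013] [:error] [pid 2431] [client 127.0.0.1:51234] PHP Notice:  Undefined variable: x in /var/www/html/app/index.php on line 12
EOF
}

# Print the PID of every httpd child that died from SIGSEGV, one per line.
segv_children() {
    awk '/child pid [0-9]+ exit signal Segmentation fault/ {
        for (i = 1; i < NF; i++)
            if ($i == "child" && $(i + 1) == "pid") print $(i + 2)
    }' "$1"
}

# Print each extension PHP reports as loaded twice (the php-gd and
# php-gd-bundled case from this report), de-duplicated.
duplicate_modules() {
    sed -n "s/.*PHP Warning: *Module '\([^']*\)' already loaded.*/\1/p" "$1" | sort -u
}

# One-line summary; exit status 0 only when no child crashed.
check_log() {
    crashes=$(segv_children "$1" | wc -l | tr -d ' ')
    dups=$(duplicate_modules "$1" | paste -sd, -)
    echo "segfaulted children: $crashes; duplicate modules: ${dups:-none}"
    [ "$crashes" -eq 0 ]
}

# With no argument, run against the constructed sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp) && sample_log > "$log"
fi
check_log "$log" || echo "crashes logged: compare installed php packages with the advisory"
```
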
claire robinson
2013-07-26 13:07:28 CEST
Whiteboard:
has_procedure mga3-64-ok =>
has_procedure mga3-64-ok mga3-32-ok

Validating.

Advisory from comment 8 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!

Keywords:
(none) =>
validated_update

Bug 10847 created for php-gd-bundled/php-gd

Update pushed:
http://advisories.mageia.org/MGASA-2013-0233.html

Status:
NEW =>
RESOLVED