| Summary: | php new security issue CVE-2013-7345 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | oe, shlomif, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/592275/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory mga3-64-ok mga4-64-ok mga4-32-ok mga3-32-ok | | |
| Source RPM: | php | CVE: | |

Description
David Walser
2014-04-03 16:36:56 CEST

David Walser
2014-04-03 16:37:02 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

Upstream also released PHP 5.4.27 yesterday to address this:
http://www.php.net/ChangeLog-5.php#5.4.27

The pending PHP updates from before should be pushed shortly, so we can address this with fresh updates to 5.4.27 and 5.5.11.

I've checked things in SVN, now they just need built.

php (Cauldron, mga4, mga3)
php-apc (Cauldron, mga4, mga3)
php-timezonedb (Cauldron, mga4, mga3)
php-gd-bundled (mga3)

We can use this for the advisory, assuming no further changes are made.

Note that this is the same CVE fixed in file in Bug 13105.

Advisory:
========================

Updated php packages fix security vulnerability:

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to this issue. It has been updated to versions 5.4.27 and 5.5.11, which fix this issue and several other bugs.

Also, the timezonedb PHP PECL module has been updated to its newest version.

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://www.php.net/ChangeLog-5.php#5.4.27
http://www.php.net/ChangeLog-5.php#5.5.11
http://pecl.php.net/package-info.php?package=timezonedb&version=2014.2
http://advisories.mageia.org/MGASA-2014-0142.html

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Oden, I'll let you have a look at this before pushing to QA.

========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.27-1.mga3
apache-mod_php-5.4.27-1.mga3
php-cli-5.4.27-1.mga3
php-cgi-5.4.27-1.mga3
libphp5_common5-5.4.27-1.mga3
php-devel-5.4.27-1.mga3
php-openssl-5.4.27-1.mga3
php-zlib-5.4.27-1.mga3
php-doc-5.4.27-1.mga3
php-bcmath-5.4.27-1.mga3
php-bz2-5.4.27-1.mga3
php-calendar-5.4.27-1.mga3
php-ctype-5.4.27-1.mga3
php-curl-5.4.27-1.mga3
php-dba-5.4.27-1.mga3
php-dom-5.4.27-1.mga3
php-enchant-5.4.27-1.mga3
php-exif-5.4.27-1.mga3
php-fileinfo-5.4.27-1.mga3
php-filter-5.4.27-1.mga3
php-ftp-5.4.27-1.mga3
php-gd-5.4.27-1.mga3
php-gettext-5.4.27-1.mga3
php-gmp-5.4.27-1.mga3
php-hash-5.4.27-1.mga3
php-iconv-5.4.27-1.mga3
php-imap-5.4.27-1.mga3
php-interbase-5.4.27-1.mga3
php-intl-5.4.27-1.mga3
php-json-5.4.27-1.mga3
php-ldap-5.4.27-1.mga3
php-mbstring-5.4.27-1.mga3
php-mcrypt-5.4.27-1.mga3
php-mssql-5.4.27-1.mga3
php-mysql-5.4.27-1.mga3
php-mysqli-5.4.27-1.mga3
php-mysqlnd-5.4.27-1.mga3
php-odbc-5.4.27-1.mga3
php-pcntl-5.4.27-1.mga3
php-pdo-5.4.27-1.mga3
php-pdo_dblib-5.4.27-1.mga3
php-pdo_firebird-5.4.27-1.mga3
php-pdo_mysql-5.4.27-1.mga3
php-pdo_odbc-5.4.27-1.mga3
php-pdo_pgsql-5.4.27-1.mga3
php-pdo_sqlite-5.4.27-1.mga3
php-pgsql-5.4.27-1.mga3
php-phar-5.4.27-1.mga3
php-posix-5.4.27-1.mga3
php-readline-5.4.27-1.mga3
php-recode-5.4.27-1.mga3
php-session-5.4.27-1.mga3
php-shmop-5.4.27-1.mga3
php-snmp-5.4.27-1.mga3
php-soap-5.4.27-1.mga3
php-sockets-5.4.27-1.mga3
php-sqlite3-5.4.27-1.mga3
php-sybase_ct-5.4.27-1.mga3
php-sysvmsg-5.4.27-1.mga3
php-sysvsem-5.4.27-1.mga3
php-sysvshm-5.4.27-1.mga3
php-tidy-5.4.27-1.mga3
php-tokenizer-5.4.27-1.mga3
php-xml-5.4.27-1.mga3
php-xmlreader-5.4.27-1.mga3
php-xmlrpc-5.4.27-1.mga3
php-xmlwriter-5.4.27-1.mga3
php-xsl-5.4.27-1.mga3
php-wddx-5.4.27-1.mga3
php-zip-5.4.27-1.mga3
php-fpm-5.4.27-1.mga3
php-apc-3.1.14-7.7.mga3
php-apc-admin-3.1.14-7.7.mga3
php-timezonedb-2014.2-1.mga3
php-gd-bundled-5.4.27-1.mga3
php-ini-5.5.11-1.mga4
apache-mod_php-5.5.11-1.mga4
php-cli-5.5.11-1.mga4
php-cgi-5.5.11-1.mga4
libphp5_common5-5.5.11-1.mga4
php-devel-5.5.11-1.mga4
php-openssl-5.5.11-1.mga4
php-zlib-5.5.11-1.mga4
php-doc-5.5.11-1.mga4
php-bcmath-5.5.11-1.mga4
php-bz2-5.5.11-1.mga4
php-calendar-5.5.11-1.mga4
php-ctype-5.5.11-1.mga4
php-curl-5.5.11-1.mga4
php-dba-5.5.11-1.mga4
php-dom-5.5.11-1.mga4
php-enchant-5.5.11-1.mga4
php-exif-5.5.11-1.mga4
php-fileinfo-5.5.11-1.mga4
php-filter-5.5.11-1.mga4
php-ftp-5.5.11-1.mga4
php-gd-5.5.11-1.mga4
php-gettext-5.5.11-1.mga4
php-gmp-5.5.11-1.mga4
php-hash-5.5.11-1.mga4
php-iconv-5.5.11-1.mga4
php-imap-5.5.11-1.mga4
php-interbase-5.5.11-1.mga4
php-intl-5.5.11-1.mga4
php-json-5.5.11-1.mga4
php-ldap-5.5.11-1.mga4
php-mbstring-5.5.11-1.mga4
php-mcrypt-5.5.11-1.mga4
php-mssql-5.5.11-1.mga4
php-mysql-5.5.11-1.mga4
php-mysqli-5.5.11-1.mga4
php-mysqlnd-5.5.11-1.mga4
php-odbc-5.5.11-1.mga4
php-opcache-5.5.11-1.mga4
php-pcntl-5.5.11-1.mga4
php-pdo-5.5.11-1.mga4
php-pdo_dblib-5.5.11-1.mga4
php-pdo_firebird-5.5.11-1.mga4
php-pdo_mysql-5.5.11-1.mga4
php-pdo_odbc-5.5.11-1.mga4
php-pdo_pgsql-5.5.11-1.mga4
php-pdo_sqlite-5.5.11-1.mga4
php-pgsql-5.5.11-1.mga4
php-phar-5.5.11-1.mga4
php-posix-5.5.11-1.mga4
php-readline-5.5.11-1.mga4
php-recode-5.5.11-1.mga4
php-session-5.5.11-1.mga4
php-shmop-5.5.11-1.mga4
php-snmp-5.5.11-1.mga4
php-soap-5.5.11-1.mga4
php-sockets-5.5.11-1.mga4
php-sqlite3-5.5.11-1.mga4
php-sybase_ct-5.5.11-1.mga4
php-sysvmsg-5.5.11-1.mga4
php-sysvsem-5.5.11-1.mga4
php-sysvshm-5.5.11-1.mga4
php-tidy-5.5.11-1.mga4
php-tokenizer-5.5.11-1.mga4
php-xml-5.5.11-1.mga4
php-xmlreader-5.5.11-1.mga4
php-xmlrpc-5.5.11-1.mga4
php-xmlwriter-5.5.11-1.mga4
php-xsl-5.5.11-1.mga4
php-wddx-5.5.11-1.mga4
php-zip-5.5.11-1.mga4
php-fpm-5.5.11-1.mga4
php-apc-3.1.15-4.2.mga4
php-apc-admin-3.1.15-4.2.mga4
php-timezonedb-2014.2-1.mga4

from SRPMS:
php-5.4.27-1.mga3.src.rpm
php-apc-3.1.14-7.7.mga3.src.rpm
php-timezonedb-2014.2-1.mga3.src.rpm
php-gd-bundled-5.4.27-1.mga3.src.rpm
php-5.5.11-1.mga4.src.rpm
php-apc-3.1.15-4.2.mga4.src.rpm
php-timezonedb-2014.2-1.mga4.src.rpm

Version:
Cauldron => 4

```
$ time php -n -d extension=fileinfo.so poc.php
string(10) "ASCII text"

real    0m36.310s
user    0m36.038s
sys     0m0.090s

rpm -Uvh --nodeps ftp://ftp.acc.umu.se/mirror/mageia/distrib/4/x86_64/media/core/updates_testing/php-fileinfo-5.5.11-1.mga4.x86_64.rpm

$ time php -n -d extension=fileinfo.so poc.php
string(10) "ASCII text"

real    0m0.543s
user    0m0.536s
sys     0m0.006s
```

PoC as of https://bugs.php.net/bug.php?id=66946

Thanks Oden. If everything looks good to you as far as the update, let me know and I'll assign to QA.

Same results on mga3 64 bit.

Since Oden has already pushed this update to MBS, I assume it's good to go:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:075/

Assigning to QA.

Advisory in Comment 3. Package list in Comment 4. PoC information in Comment 5 and Comment 6.

Note that Oden has already tested it on Mageia 3 and Mageia 4 x86_64 (Comment 5 and Comment 7), so since he's not the packager, it can be marked OK there already, but I'll let another QA team member do the honors.

CC: (none) => oe

PoC in comment 5

Script:

```php
<?php
$fd = __DIR__.'/data';
$a = str_repeat("\n", 1000000);
file_put_contents($fd, $a);
$fi = finfo_open(FILEINFO_NONE);
var_dump(finfo_file($fi, $fd));
finfo_close($fi);
```

Adding OK from Oden's test in comment 8

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-64-ok

PoC (Proof-of-concept) is fixed on mga4-64-ok in a VBox VM.

CC: (none) => shlomif

MGA4-32-OK in a VBox VM.

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok

Confirmed MGA3-32-OK in a VBox VM.

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok mga3-32-ok

Thanks Shlomi, you're on fire today :)

Advisory uploaded.

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update

Update pushed:
http://advisories.mageia.org/MGASA-2014-0178.html

Status: NEW => RESOLVED
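
The backtracking cost that the advisory text in this report describes can be seen in a small step-count model. This is an added example, not code from the bug report, PHP or file: the pattern shape, the repetition cap of 100 and all function names are assumptions chosen for illustration, and the input is constructed.

```python
# Added illustration: step-count model of a backtracking regex search.
# Assumed pattern shape (not copied from magic/Magdir/commands):
#   <whitespace run> "BEGIN" <whitespace run> "{", tried at every input offset.
LITERAL = "BEGIN"


def _match_tail(data, pos, max_rep):
    """Match 'BEGIN', a whitespace run, then '{' at pos; return (ok, comparisons)."""
    used = 0
    for ch in LITERAL:
        used += 1
        if pos >= len(data) or data[pos] != ch:
            return False, used
        pos += 1
    run = 0
    while pos < len(data) and data[pos].isspace() and (max_rep is None or run < max_rep):
        pos, run, used = pos + 1, run + 1, used + 1
    # '{' is not whitespace, so giving characters back here cannot help; not modelled.
    return (pos < len(data) and data[pos] == "{"), used + 1


def search_steps(data, max_rep=None):
    """Return (matched, steps). max_rep=None models an unbounded repetition,
    an integer models a repetition capped at that many characters."""
    steps, n = 0, len(data)
    for start in range(n + 1):
        run = 0  # greedy whitespace run beginning at this offset
        while start + run < n and data[start + run].isspace() and (max_rep is None or run < max_rep):
            run += 1
            steps += 1
        # Backtracking: give back one character at a time and retry the literal.
        for keep in range(run, -1, -1):
            ok, used = _match_tail(data, start + keep, max_rep)
            steps += used
            if ok:
                return True, steps
    return False, steps


def newline_cost(n, max_rep=None):
    """Steps spent rejecting a constructed input of n newline characters."""
    return search_steps("\n" * n, max_rep)[1]


if __name__ == "__main__":
    for n in (500, 1000, 2000):
        print(n, newline_cost(n), newline_cost(n, max_rep=100))
```

In this model, doubling the newline-only input roughly quadruples the work for the unbounded form and roughly doubles it for the capped form, which is the kind of gap the before and after timings in this report show.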