| Summary: | php new security issues CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | oe, rverschelde, stormi-mageia, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/617781/ | ||
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok MGA4-64-OK advisory | ||
| Source RPM: | php-5.5.18-1.1.mga4.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 13820 | ||
|
Description
David Walser
2014-10-18 17:18:47 CEST
Packages built so far:

php-ini-5.4.34-1.mga3 apache-mod_php-5.4.34-1.mga3 php-cli-5.4.34-1.mga3 php-cgi-5.4.34-1.mga3 libphp5_common5-5.4.34-1.mga3 php-devel-5.4.34-1.mga3 php-openssl-5.4.34-1.mga3 php-zlib-5.4.34-1.mga3 php-doc-5.4.34-1.mga3 php-bcmath-5.4.34-1.mga3 php-bz2-5.4.34-1.mga3 php-calendar-5.4.34-1.mga3 php-ctype-5.4.34-1.mga3 php-curl-5.4.34-1.mga3 php-dba-5.4.34-1.mga3 php-dom-5.4.34-1.mga3 php-enchant-5.4.34-1.mga3 php-exif-5.4.34-1.mga3 php-fileinfo-5.4.34-1.mga3 php-filter-5.4.34-1.mga3 php-ftp-5.4.34-1.mga3 php-gd-5.4.34-1.mga3 php-gettext-5.4.34-1.mga3 php-gmp-5.4.34-1.mga3 php-hash-5.4.34-1.mga3 php-iconv-5.4.34-1.mga3 php-imap-5.4.34-1.mga3 php-interbase-5.4.34-1.mga3 php-intl-5.4.34-1.mga3 php-json-5.4.34-1.mga3 php-ldap-5.4.34-1.mga3 php-mbstring-5.4.34-1.mga3 php-mcrypt-5.4.34-1.mga3 php-mssql-5.4.34-1.mga3 php-mysql-5.4.34-1.mga3 php-mysqli-5.4.34-1.mga3 php-mysqlnd-5.4.34-1.mga3 php-odbc-5.4.34-1.mga3 php-pcntl-5.4.34-1.mga3 php-pdo-5.4.34-1.mga3 php-pdo_dblib-5.4.34-1.mga3 php-pdo_firebird-5.4.34-1.mga3 php-pdo_mysql-5.4.34-1.mga3 php-pdo_odbc-5.4.34-1.mga3 php-pdo_pgsql-5.4.34-1.mga3 php-pdo_sqlite-5.4.34-1.mga3 php-pgsql-5.4.34-1.mga3 php-phar-5.4.34-1.mga3 php-posix-5.4.34-1.mga3 php-readline-5.4.34-1.mga3 php-recode-5.4.34-1.mga3 php-session-5.4.34-1.mga3 php-shmop-5.4.34-1.mga3 php-snmp-5.4.34-1.mga3 php-soap-5.4.34-1.mga3 php-sockets-5.4.34-1.mga3 php-sqlite3-5.4.34-1.mga3 php-sybase_ct-5.4.34-1.mga3 php-sysvmsg-5.4.34-1.mga3 php-sysvsem-5.4.34-1.mga3 php-sysvshm-5.4.34-1.mga3 php-tidy-5.4.34-1.mga3 php-tokenizer-5.4.34-1.mga3 php-xml-5.4.34-1.mga3 php-xmlreader-5.4.34-1.mga3 php-xmlrpc-5.4.34-1.mga3 php-xmlwriter-5.4.34-1.mga3 php-xsl-5.4.34-1.mga3 php-wddx-5.4.34-1.mga3 php-zip-5.4.34-1.mga3 php-fpm-5.4.34-1.mga3

php-ini-5.5.18-1.mga4 apache-mod_php-5.5.18-1.mga4 php-cli-5.5.18-1.mga4 php-cgi-5.5.18-1.mga4 libphp5_common5-5.5.18-1.mga4 php-devel-5.5.18-1.mga4 php-openssl-5.5.18-1.mga4 php-zlib-5.5.18-1.mga4 php-doc-5.5.18-1.mga4 php-bcmath-5.5.18-1.mga4 php-bz2-5.5.18-1.mga4 php-calendar-5.5.18-1.mga4 php-ctype-5.5.18-1.mga4 php-curl-5.5.18-1.mga4 php-dba-5.5.18-1.mga4 php-dom-5.5.18-1.mga4 php-enchant-5.5.18-1.mga4 php-exif-5.5.18-1.mga4 php-fileinfo-5.5.18-1.mga4 php-filter-5.5.18-1.mga4 php-ftp-5.5.18-1.mga4 php-gd-5.5.18-1.mga4 php-gettext-5.5.18-1.mga4 php-gmp-5.5.18-1.mga4 php-hash-5.5.18-1.mga4 php-iconv-5.5.18-1.mga4 php-imap-5.5.18-1.mga4 php-interbase-5.5.18-1.mga4 php-intl-5.5.18-1.mga4 php-json-5.5.18-1.mga4 php-ldap-5.5.18-1.mga4 php-mbstring-5.5.18-1.mga4 php-mcrypt-5.5.18-1.mga4 php-mssql-5.5.18-1.mga4 php-mysql-5.5.18-1.mga4 php-mysqli-5.5.18-1.mga4 php-mysqlnd-5.5.18-1.mga4 php-odbc-5.5.18-1.mga4 php-opcache-5.5.18-1.mga4 php-pcntl-5.5.18-1.mga4 php-pdo-5.5.18-1.mga4 php-pdo_dblib-5.5.18-1.mga4 php-pdo_firebird-5.5.18-1.mga4 php-pdo_mysql-5.5.18-1.mga4 php-pdo_odbc-5.5.18-1.mga4 php-pdo_pgsql-5.5.18-1.mga4 php-pdo_sqlite-5.5.18-1.mga4 php-pgsql-5.5.18-1.mga4 php-phar-5.5.18-1.mga4 php-posix-5.5.18-1.mga4 php-readline-5.5.18-1.mga4 php-recode-5.5.18-1.mga4 php-session-5.5.18-1.mga4 php-shmop-5.5.18-1.mga4 php-snmp-5.5.18-1.mga4 php-soap-5.5.18-1.mga4 php-sockets-5.5.18-1.mga4 php-sqlite3-5.5.18-1.mga4 php-sybase_ct-5.5.18-1.mga4 php-sysvmsg-5.5.18-1.mga4 php-sysvsem-5.5.18-1.mga4 php-sysvshm-5.5.18-1.mga4 php-tidy-5.5.18-1.mga4 php-tokenizer-5.5.18-1.mga4 php-xml-5.5.18-1.mga4 php-xmlreader-5.5.18-1.mga4 php-xmlrpc-5.5.18-1.mga4 php-xmlwriter-5.5.18-1.mga4 php-xsl-5.5.18-1.mga4 php-wddx-5.5.18-1.mga4 php-zip-5.5.18-1.mga4 php-fpm-5.5.18-1.mga4

from SRPMS:
php-5.4.34-1.mga3.src.rpm
php-5.5.18-1.mga4.src.rpm

Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Freeze push requested for Cauldron.

Remaining needed packages uploaded for Mageia 3 and Mageia 4.

php-apc-3.1.14-7.13.mga3
php-apc-admin-3.1.14-7.13.mga3
php-gd-bundled-5.4.34-1.mga3
php-apc-3.1.15-4.8.mga4
php-apc-admin-3.1.15-4.8.mga4

from SRPMS:
php-apc-3.1.14-7.13.mga3.src.rpm
php-gd-bundled-5.4.34-1.mga3.src.rpm
php-apc-3.1.15-4.8.mga4.src.rpm

Assigning to QA. Package lists in Comment 1 and Comment 2.

Advisory to come later. For now, see the references in Comment 0.

Assignee:
oe =>
qa-bugs

Note: We don't seem to be affected by CVE-2014-3668 as this affects the bundled xmlrpc-epi-0.51 and we use the system xmlrpc-epi-0.54.2 for php-xmlrpc. However chunk two in:

http://git.php.net/?p=php-src.git;a=blobdiff_plain;f=ext/xmlrpc/libxmlrpc/xmlrpc.c;h=b766a5495a41b3ecd5eecdcfae901c9068937da0;hp=ce70c2afd909b748f3ddc4560a1c3f882a498014;hb=886b8efbee605b6e5caa2e8d52475077757175fc;hpb=af88793d6dd28c207264fa0440ba5744d1fdc36f

does apply but seems to have no effect.

According to the media, the cURL null byte injection flaw is the other security issue fixed in 5.5.18:
http://www.internetnews.com/blog/skerner/php-5.6.2-and-5.4.34-update-for-critical-security-flaws.html

RedHat has classified CVE-2014-3669 and CVE-2014-3670 as high severity.

Severity:
normal =>
critical

The CVEs have test cases in PHP's test suite, so they're already known to be fixed by the update.

CVE-2014-3669 only affects 32-bit systems.

Here's a preliminary advisory.

Advisory:
========================

Updated php packages fix security vulnerabilities:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4, which fix these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://www.php.net/ChangeLog-5.php#5.5.18
http://www.php.net/ChangeLog-5.php#5.4.34
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3669
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3670
https://bugs.php.net/bug.php?id=68089

The Mageia 4 update is being rebuilt to potentially fix an issue in php-zip.

php-5.5.18-1.1.mga4.src.rpm

Blocks:
(none) =>
13820
Oden Eriksson
2014-10-21 15:59:54 CEST
Blocks:
13820 =>
(none)
David Walser
2014-10-21 16:12:28 CEST
Blocks:
(none) =>
13820

Procedure https://bugs.mageia.org/show_bug.cgi?id=13796#c8 and following comments.

Basically: choose a list of PHP webapps and test that they still work.

CC:
(none) =>
stormi
Samuel Verschelde
2014-10-22 10:13:59 CEST
Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure
Samuel Verschelde
2014-10-22 10:15:23 CEST
Source RPM:
php =>
php-5.5.18-1.1.mga4.src.rpm

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.32-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.32-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga3.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC:
(none) =>
wilcal.int

In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.32-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.32-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga3.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.16-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.16-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga4.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.16-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.16-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga4.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

```
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed
```

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

I'm gonna validate this thing in 24-hours unless someone else wants to do some additional testing.

Thanks William.
We also need to test that Bug 13820 is fixed. There's a sample script to test it with here:
https://bugs.mageia.org/show_bug.cgi?id=13820#c0

I also need to add a note about that to the advisory.

(In reply to David Walser from comment #13)
> Thanks William. We also need to test that Bug 13820 is fixed. There's a
> sample script to test it with here:
> https://bugs.mageia.org/show_bug.cgi?id=13820#c0
>
> I also need to add a note about that to the advisory.

I've still got all 4 Vbox clients so I'll give'em a go later today or tomorrow. Create a webpage with the code in it and then open the webpage I guess.

Mageia 4, x86_64.

I put the script from bug 13820 in a file named test.php, that I ran with "php" (from "php-cli") before installing the update candidate:

```
$ php test.php
OPEN OK
Segmentation fault
```

After the update, it runs fine:

```
$ php test.php
OPEN OK
ADDFILE OK
```

Based on William's tests, I consider it MGA4-64-OK.

CC:
(none) =>
remi

Fedora and Mandriva have issued advisories for this:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141349.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A202/

Mandriva's advisory doesn't include CVE-2014-3669 because it's a 32-bit only issue and their package is 64-bit only.

Advisory:
========================

Updated php packages fix security vulnerabilities:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4, which fix these issues and other bugs.

Additionally, a bug in the php zip extension that could cause a crash on Mageia 4 has been fixed (mga#13820).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://www.php.net/ChangeLog-5.php#5.5.18
http://www.php.net/ChangeLog-5.php#5.4.34
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3669
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3670
https://bugs.php.net/bug.php?id=68089
https://bugs.mageia.org/show_bug.cgi?id=13820
https://bugs.mageia.org/show_bug.cgi?id=14326

Advisory uploaded.

Whiteboard:
MGA3TOO has_procedure MGA4-64-OK =>
MGA3TOO has_procedure MGA4-64-OK advisory
David Walser
2014-10-23 18:15:30 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/617781/

This update is just waiting on the PoC for Bug 13820 being tested on Mageia 3 (i586 and x86_64) and Mageia 4 i586.

I had forgotten that I wanted to include php-suhosin (0.9.36 already built in updates_testing) in this update. If someone tests that before this is validated, it can be included, otherwise we'll save it for the next one.

PoC still causes apache to segfault mga4 64

Confirmed ok after manually restarting httpd. Also confirmed with php-cli.

mga3 doesn't suffer the zip segfault but no regression with the update. Both tested with suhosin.
claire robinson
2014-10-27 16:40:59 CET
Whiteboard:
MGA3TOO has_procedure MGA4-64-OK advisory =>
MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords:
(none) =>
validated_update

Thanks Claire. Since you tested with the updated suhosin, we'll include that in this update. However, since it didn't fix Bug 13820, that needs to be removed from the advisory.

Source RPMS:
php-5.4.34-1.mga3.src.rpm
php-apc-3.1.14-7.13.mga3.src.rpm
php-gd-bundled-5.4.34-1.mga3.src.rpm
php-suhosin-0.9.36-1.mga3.src.rpm
php-5.5.18-1.mga4.src.rpm
php-apc-3.1.15-4.8.mga4.src.rpm
php-suhosin-0.9.36-1.mga4.src.rpm

Advisory:
========================

Updated php packages fix security vulnerabilities:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4, which fix these issues and other bugs.

Additionally, the suhosin PHP extension has been updated to version 0.9.36.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://www.php.net/ChangeLog-5.php#5.5.18
http://www.php.net/ChangeLog-5.php#5.4.34
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3669
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3670
https://bugs.php.net/bug.php?id=68089

Blocks:
13820 =>
(none)

We can include it in the advisory. Sorry for the confusion. It does fix bug 13820. httpd needs a manual restart, rather than the automated reload as we've found for various other issues.

Mga3 appears not susceptible to the zip problem, at least not causing a segfault.

Advisory updated to..

Additionally, the suhosin PHP extension has been updated to version 0.9.36 and a bug in the php zip extension that could cause a crash on Mageia 4 has been fixed (mga#13820)

(In reply to claire robinson from comment #20)
> PoC still causes apache to segfault mga4 64

Works here.

```
[oden@localhost BUILD]$ cat 13820.php
<?php
$za = new ZipArchive();
$flags = ZIPARCHIVE::CREATE;
if ($za->open('/tmp/test1.zip', $flags) === TRUE) {
    echo "OPEN OK\n";
    @unlink('/tmp/newfile.txt');
    fopen('/tmp/newfile.txt', 'x+');
    if ($za->addFile('/tmp/newfile.txt', 'newfile.txt') === TRUE) {
        echo "ADDFILE OK\n";
    }
}
$za->addEmptyDir('tot/');
$za->addFromString('emptydir/newfile','mycontent');
$za->close();
?>
[oden@localhost BUILD]$ php 13820.php
OPEN OK
ADDFILE OK
```

Same file opened under apache:

OPEN OK ADDFILE OK

Yep, addressed in comment 25. Thanks for testing though.

Ready for a push
Rémi Verschelde
2014-10-27 18:36:06 CET
Whiteboard:
MGA3TOO has_procedure mga3-32-ok MGA4-64-OK =>
MGA3TOO has_procedure mga3-32-ok MGA4-64-OK advisory
David Walser
2014-10-27 19:47:54 CET
Blocks:
(none) =>
13820

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0430.html

Status:
NEW =>
RESOLVED |
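
The version check the QA reports above perform by hand, as an added example that is not part of the original bug thread: it reads an installed-package listing and flags packages built from the php source RPM that are below the fixed versions the advisory names. The input format, the function names and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): report which installed packages
# built from the php source RPM are still below the fixed versions named in
# the advisory: 5.4.34 on Mageia 3, 5.5.18 on Mageia 4.
# Assumed input, one package per line, as printed by:
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{SOURCERPM}\n'

# ver_ge A B: true when version A >= version B (relies on GNU sort -V).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# fixed_version RELEASE: minimum fixed PHP version for the distro tag in the
# release string; prints nothing for releases the advisory does not cover.
fixed_version() {
    case "$1" in
        *.mga3|*.mga3.*) echo 5.4.34 ;;
        *.mga4|*.mga4.*) echo 5.5.18 ;;
    esac
}

# audit_php: read package lines on stdin and print one verdict per package
# whose source RPM is php or php-gd-bundled (both carry the PHP version).
# Everything else (php-apc, php-suhosin, web apps) is skipped because its
# version number is not a PHP version.
audit_php() {
    while read -r name version release srpm; do
        case "$srpm" in
            php-[0-9]*.src.rpm|php-gd-bundled-[0-9]*.src.rpm) ;;
            *) continue ;;
        esac
        min=$(fixed_version "$release")
        if [ -z "$min" ]; then
            echo "UNKNOWN $name $version-$release"
        elif ver_ge "$version" "$min"; then
            echo "FIXED $name $version-$release"
        else
            echo "VULNERABLE $name $version-$release (needs >= $min)"
        fi
    done
}

# Constructed sample input; the version numbers are ones quoted in the thread.
sample_packages() {
    cat <<'EOF'
php-cli 5.4.32 1.mga3 php-5.4.32-1.mga3.src.rpm
php-fpm 5.4.34 1.mga3 php-5.4.34-1.mga3.src.rpm
php-gd-bundled 5.4.34 1.mga3 php-gd-bundled-5.4.34-1.mga3.src.rpm
php-curl 5.5.16 1.mga4 php-5.5.16-1.mga4.src.rpm
php-zip 5.5.18 1.1.mga4 php-5.5.18-1.1.mga4.src.rpm
php-apc 3.1.15 4.8.mga4 php-apc-3.1.15-4.8.mga4.src.rpm
drupal 7.32 1.mga4 drupal-7.32-1.mga4.src.rpm
EOF
}

sample_packages | audit_php
```

A FIXED verdict covers only the package database: as the thread found, a running httpd kept crashing on the zip PoC until it was restarted manually.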