| Summary: | php new security issues CVE-2015-2305 and CVE-2015-2331 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | ottoleipala1, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/637569/ | ||
| Whiteboard: | MGA4-64-OK MGA4-32-OK advisory | ||
| Source RPM: | php-5.6.6-3.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | PoC file for CVE-2015-2331; PoC PHP script using php-zip and php-cli for CVE-2015-2331 | ||
Description
David Walser 2015-03-18 17:30:15 CET

David Walser 2015-03-18 17:30:39 CET
Whiteboard: (none) => MGA5TOO, MGA4TOO

It sounds like libzip is affected by CVE-2015-2331:
http://openwall.com/lists/oss-security/2015/03/18/12

I've checked the CVE-2015-2305 patch into Mageia 4 and Cauldron SVN.

Upstream has announced versions 5.5.23 and 5.6.7 today (March 20):
http://php.net/archive/2015.php#id2015-03-20-1
http://php.net/archive/2015.php#id2015-03-20-2

It does indeed include fixes for CVE-2015-2305 and CVE-2015-2331. Strangely, it also lists CVE-2015-0231 as being fixed, even though they also listed that as having been fixed in 5.5.21 and 5.6.5. Now the reference for that CVE in the PHP ChangeLog uses a different PHP bug number (was php#68710 before, is php#68976 now), but the issue description is the same ("Use After Free Vulnerability in unserialize()"). It looks like they mistakenly re-used the same CVE for a similar issue? Or maybe it wasn't completely fixed last time? Either way, it should have received a new CVE. For now, we'll just have to list it again. (The Mageia PHP 5.5.21 update is in Bug 15121, for reference.)

The ChangeLog lists fixes for several other crashes/segfaults and memory safety violations, but lists no other CVEs:
http://php.net/ChangeLog-5.php#5.5.23
http://php.net/ChangeLog-5.php#5.6.7

For CVE-2015-2331, we'll have to patch that in libzip, as php-zip is linked to our system libzip. It looks like the patch is trivial to rediff from PHP to libzip.

Created attachment 6107 [details]
PoC file for CVE-2015-2331

Created attachment 6108 [details]
PoC PHP script using php-zip and php-cli for CVE-2015-2331

I attached a PoC script and zip file for CVE-2015-2331 in the above comments. I have confirmed locally that just updating to PHP 5.6.7 doesn't fix the issue, but that patching libzip does fix it. Before the libzip update, the PoC gives a segfault. After the update, it gives some output from the script and a PHP Warning on the close() call that it's an Invalid or uninitialized Zip object.

I have also tested PHP 5.6.7 locally in Cauldron with Moodle and even backed up and restored a course to test the php-zip extension. Everything works fine.

Saving the text for the Mageia 4 update advisory for later, below.

Advisory:
========================

Updated php and libzip packages fix security vulnerabilities:

Use after free vulnerability in unserialize() in PHP before 5.5.23 (php#68976, CVE-2015-0231).

Heap overflow vulnerability in regcomp.c in the ereg extension in PHP before 5.5.23 on 32-bit systems (CVE-2015-2305).

Integer overflow in zip extension in PHP before 5.5.23 leads to writing past heap boundary (CVE-2015-2331).

PHP has been updated to version 5.5.23, which fixes these issues and other bugs. The php zip extension uses the libzip library, so it has been patched to fix CVE-2015-2331.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://php.net/ChangeLog-5.php#5.5.23
https://www.debian.org/security/2015/dsa-3195

Everything is checked into SVN. Freeze push requested for Cauldron.

Here's the package list for the eventual Mageia 4 update.

Updated packages in core/updates_testing:
========================
php-ini-5.5.23-1.mga4
apache-mod_php-5.5.23-1.mga4
php-cli-5.5.23-1.mga4
php-cgi-5.5.23-1.mga4
libphp5_common5-5.5.23-1.mga4
php-devel-5.5.23-1.mga4
php-openssl-5.5.23-1.mga4
php-zlib-5.5.23-1.mga4
php-doc-5.5.23-1.mga4
php-bcmath-5.5.23-1.mga4
php-bz2-5.5.23-1.mga4
php-calendar-5.5.23-1.mga4
php-ctype-5.5.23-1.mga4
php-curl-5.5.23-1.mga4
php-dba-5.5.23-1.mga4
php-dom-5.5.23-1.mga4
php-enchant-5.5.23-1.mga4
php-exif-5.5.23-1.mga4
php-fileinfo-5.5.23-1.mga4
php-filter-5.5.23-1.mga4
php-ftp-5.5.23-1.mga4
php-gd-5.5.23-1.mga4
php-gettext-5.5.23-1.mga4
php-gmp-5.5.23-1.mga4
php-hash-5.5.23-1.mga4
php-iconv-5.5.23-1.mga4
php-imap-5.5.23-1.mga4
php-interbase-5.5.23-1.mga4
php-intl-5.5.23-1.mga4
php-json-5.5.23-1.mga4
php-ldap-5.5.23-1.mga4
php-mbstring-5.5.23-1.mga4
php-mcrypt-5.5.23-1.mga4
php-mssql-5.5.23-1.mga4
php-mysql-5.5.23-1.mga4
php-mysqli-5.5.23-1.mga4
php-mysqlnd-5.5.23-1.mga4
php-odbc-5.5.23-1.mga4
php-opcache-5.5.23-1.mga4
php-pcntl-5.5.23-1.mga4
php-pdo-5.5.23-1.mga4
php-pdo_dblib-5.5.23-1.mga4
php-pdo_firebird-5.5.23-1.mga4
php-pdo_mysql-5.5.23-1.mga4
php-pdo_odbc-5.5.23-1.mga4
php-pdo_pgsql-5.5.23-1.mga4
php-pdo_sqlite-5.5.23-1.mga4
php-pgsql-5.5.23-1.mga4
php-phar-5.5.23-1.mga4
php-posix-5.5.23-1.mga4
php-readline-5.5.23-1.mga4
php-recode-5.5.23-1.mga4
php-session-5.5.23-1.mga4
php-shmop-5.5.23-1.mga4
php-snmp-5.5.23-1.mga4
php-soap-5.5.23-1.mga4
php-sockets-5.5.23-1.mga4
php-sqlite3-5.5.23-1.mga4
php-sybase_ct-5.5.23-1.mga4
php-sysvmsg-5.5.23-1.mga4
php-sysvsem-5.5.23-1.mga4
php-sysvshm-5.5.23-1.mga4
php-tidy-5.5.23-1.mga4
php-tokenizer-5.5.23-1.mga4
php-xml-5.5.23-1.mga4
php-xmlreader-5.5.23-1.mga4
php-xmlrpc-5.5.23-1.mga4
php-xmlwriter-5.5.23-1.mga4
php-xsl-5.5.23-1.mga4
php-wddx-5.5.23-1.mga4
php-zip-5.5.23-1.mga4
php-fpm-5.5.23-1.mga4
php-apc-3.1.15-4.13.mga4
php-apc-admin-3.1.15-4.13.mga4
libzip-0.11.2-1.1.mga4
libzip2-0.11.2-1.1.mga4
libzip-devel-0.11.2-1.1.mga4

from SRPMS:
php-5.5.23-1.mga4.src.rpm
php-apc-3.1.15-4.13.mga4.src.rpm
libzip-0.11.2-1.1.mga4.src.rpm

Updated (php) and patched (libzip) packages uploaded for Mageia 4 and Cauldron. See the advisory in Comment 5, package list in Comment 6, and PoC for CVE-2015-2331 in Comment 3 and Comment 4.
Version: Cauldron => 4

CVE request for php#69085:
http://openwall.com/lists/oss-security/2015/03/20/14

Debian has issued an advisory for CVE-2015-2331 on March 20:
https://www.debian.org/security/2015/dsa-3198
URL: (none) => http://lwn.net/Vulnerabilities/637569/

(In reply to David Walser from comment #2)
> For CVE-2015-2331, we'll have to patch that in libzip, as php-zip is linked
> to our system libzip. It looks like the patch is trivial to rediff from PHP
> to libzip.

Upstream libzip added a similar commit upstream:
http://hg.nih.at/libzip/rev/9f11d54f692e

The duplicated CVE should have been CVE-2015-2787:
http://openwall.com/lists/oss-security/2015/03/30/15

Fixing the advisory.

Advisory:
========================

Updated php and libzip packages fix security vulnerabilities:

Heap overflow vulnerability in regcomp.c in the ereg extension in PHP before 5.5.23 on 32-bit systems (CVE-2015-2305).

Integer overflow in zip extension in PHP before 5.5.23 leads to writing past heap boundary (CVE-2015-2331).

Use after free vulnerability in unserialize() in PHP before 5.5.23 (CVE-2015-2787).

PHP has been updated to version 5.5.23, which fixes these issues and other bugs. The php zip extension uses the libzip library, so it has been patched to fix CVE-2015-2331.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2787
http://php.net/ChangeLog-5.php#5.5.23
https://www.debian.org/security/2015/dsa-3195

Testing finished on both arches, 64 and 32; no problems found, so the bugs are fixed. I tested mariadb today, so I got this done at the same time.
https://bugs.mageia.org/show_bug.cgi?id=15592

Validating update. Sysadmins, push to updates.
Keywords: (none) => validated_update

Advisory uploaded.
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0134.html
Status: NEW => RESOLVED

LWN entry for CVE-2015-2787:
http://lwn.net/Vulnerabilities/639240/

php#69207, fixed in this update, got CVE-2015-2348. LWN reference:
http://lwn.net/Vulnerabilities/639577/

(In reply to David Walser from comment #8)
> CVE request for php#69085:
> http://openwall.com/lists/oss-security/2015/03/20/14

This got CVE-2015-4147 and CVE-2015-4148:
http://openwall.com/lists/oss-security/2015/06/01/4

(In reply to David Walser from comment #17)
> (In reply to David Walser from comment #8)
> > CVE request for php#69085:
> > http://openwall.com/lists/oss-security/2015/03/20/14
>
> This got CVE-2015-4147 and CVE-2015-4148:
> http://openwall.com/lists/oss-security/2015/06/01/4

LWN reference for CVE-2015-4148:
http://lwn.net/Vulnerabilities/648192/

(In reply to David Walser from comment #17)
> (In reply to David Walser from comment #8)
> > CVE request for php#69085:
> > http://openwall.com/lists/oss-security/2015/03/20/14
>
> This got CVE-2015-4147 and CVE-2015-4148:
> http://openwall.com/lists/oss-security/2015/06/01/4

LWN reference for CVE-2015-4147 (and several other unrelated ones):
http://lwn.net/Vulnerabilities/649071/
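The advisory in this bug describes CVE-2015-2331 as an integer overflow in the zip extension that leads to a write past the heap boundary, and the comments note that the fix was applied in libzip because php-zip links against the system libzip. The block below is an added illustration of that bug class and its mitigation, written for this page; it is not code from libzip, PHP, or the Mageia packages, and it does not reproduce the actual vulnerable routine. The struct, the function names, and the constructed entry counts are all hypothetical. It contrasts the unsafe pattern (an allocation sized as count times entry size with no overflow check, so a hostile count wraps to a small buffer that a later fill loop would overrun) with two defensive checks: an overflow-safe multiplication and a plausibility bound derived from the size of the central directory that claims to hold the entries.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not libzip's or PHP's code. All names are hypothetical.
 * The bug class: an allocation sized from an untrusted entry count where
 * count * entry_size wraps in size_t, leaving a buffer far smaller than the
 * number of entries a later loop tries to write into it. */

/* Hypothetical in-memory central-directory entry. */
struct cd_entry {
    uint64_t offset;
    uint64_t size;
    uint16_t name_len;
};

/* A zip central directory file header is at least 46 bytes long. */
#define MIN_CD_HEADER_LEN 46u

/* A constructed hostile count: just past the largest count whose product
 * with sizeof(struct cd_entry) still fits in size_t. */
uint64_t hostile_entry_count(void)
{
    return (uint64_t)(SIZE_MAX / sizeof(struct cd_entry)) + 2;
}

/* The unsafe pattern: the product is computed in size_t with no check, so a
 * hostile count silently wraps to a small number of bytes. */
size_t unchecked_table_bytes(uint64_t nentry, size_t entry_size)
{
    return (size_t)nentry * entry_size;
}

/* The hardened pattern: refuse counts whose product cannot fit in size_t. */
bool checked_table_bytes(uint64_t nentry, size_t entry_size, size_t *out)
{
    if (entry_size == 0) {
        *out = 0;
        return true;
    }
    if (nentry > SIZE_MAX / entry_size)
        return false;            /* the multiplication would wrap */
    *out = (size_t)nentry * entry_size;
    return true;
}

/* Same check, returning 0 on overflow so callers can test it in one call. */
size_t checked_bytes_or_zero(uint64_t nentry, size_t entry_size)
{
    size_t bytes;
    return checked_table_bytes(nentry, entry_size, &bytes) ? bytes : 0;
}

/* Independent sanity bound: a directory of cd_size bytes cannot hold more
 * than cd_size / MIN_CD_HEADER_LEN headers, so an inflated count is rejected
 * before any allocation is attempted. */
bool entry_count_plausible(uint64_t nentry, uint64_t cd_size)
{
    return nentry <= cd_size / MIN_CD_HEADER_LEN;
}

/* Allocate the entry table only when both checks pass; NULL otherwise. */
struct cd_entry *alloc_cd_table(uint64_t nentry, uint64_t cd_size)
{
    size_t bytes;

    if (!entry_count_plausible(nentry, cd_size))
        return NULL;
    if (!checked_table_bytes(nentry, sizeof(struct cd_entry), &bytes))
        return NULL;
    return malloc(bytes);
}

/* Convenience wrapper: does the guarded allocation succeed? */
bool alloc_cd_table_ok(uint64_t nentry, uint64_t cd_size)
{
    struct cd_entry *t = alloc_cd_table(nentry, cd_size);
    bool ok = (t != NULL);
    free(t);
    return ok;
}

int main(void)
{
    uint64_t huge = hostile_entry_count();
    size_t bytes;

    printf("unchecked: %llu entries -> %zu bytes (wrapped)\n",
           (unsigned long long)huge,
           unchecked_table_bytes(huge, sizeof(struct cd_entry)));
    printf("checked:   %s\n",
           checked_table_bytes(huge, sizeof(struct cd_entry), &bytes)
               ? "accepted" : "rejected");
    printf("100 entries in a 4600-byte directory: %s\n",
           alloc_cd_table_ok(100, 4600) ? "allocated" : "rejected");
    printf("101 entries in a 4600-byte directory: %s\n",
           alloc_cd_table_ok(101, 4600) ? "allocated" : "rejected");
    return 0;
}
```

The plausibility bound is the cheaper of the two checks and catches the obviously impossible counts without depending on the width of size_t, which is why it is worth keeping even on a platform whose allocator already guards its own size arithmetic; the overflow check is what prevents the wrapped allocation itself.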