Bug 15943

Summary: PHP 5.5.25
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/645054/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: php-5.5.24-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-05-15 14:34:06 CEST 
PHP 5.6.9 and 5.5.25 have been released on May 14:
http://php.net/ChangeLog-5.php#5.5.25
http://php.net/ChangeLog-5.php#5.6.9

There are several apparent security issues fixed, but no CVEs posted yet.

Updates checked into Mageia 4 and Cauldron SVN.  Freeze push requested for Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-05-15 14:34:42 CEST 
For Mageia 4, I can also include an updated php-timezonedb with this update.

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 2 David Walser 2015-05-15 15:27:17 CEST 
As there currently appear to be no CVE assignments, for now this will be the advisory and package list.

Advisory:
========================

Updated php packages fix security vulnerabilities:

PHP has been updated to version 5.5.24, which fixes multiple bugs and
potential security issues.  Please see the upstream ChangeLog for details.

References:
http://php.net/ChangeLog-5.php#5.5.25
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.25-1.mga4
apache-mod_php-5.5.25-1.mga4
php-cli-5.5.25-1.mga4
php-cgi-5.5.25-1.mga4
libphp5_common5-5.5.25-1.mga4
php-devel-5.5.25-1.mga4
php-openssl-5.5.25-1.mga4
php-zlib-5.5.25-1.mga4
php-doc-5.5.25-1.mga4
php-bcmath-5.5.25-1.mga4
php-bz2-5.5.25-1.mga4
php-calendar-5.5.25-1.mga4
php-ctype-5.5.25-1.mga4
php-curl-5.5.25-1.mga4
php-dba-5.5.25-1.mga4
php-dom-5.5.25-1.mga4
php-enchant-5.5.25-1.mga4
php-exif-5.5.25-1.mga4
php-fileinfo-5.5.25-1.mga4
php-filter-5.5.25-1.mga4
php-ftp-5.5.25-1.mga4
php-gd-5.5.25-1.mga4
php-gettext-5.5.25-1.mga4
php-gmp-5.5.25-1.mga4
php-hash-5.5.25-1.mga4
php-iconv-5.5.25-1.mga4
php-imap-5.5.25-1.mga4
php-interbase-5.5.25-1.mga4
php-intl-5.5.25-1.mga4
php-json-5.5.25-1.mga4
php-ldap-5.5.25-1.mga4
php-mbstring-5.5.25-1.mga4
php-mcrypt-5.5.25-1.mga4
php-mssql-5.5.25-1.mga4
php-mysql-5.5.25-1.mga4
php-mysqli-5.5.25-1.mga4
php-mysqlnd-5.5.25-1.mga4
php-odbc-5.5.25-1.mga4
php-opcache-5.5.25-1.mga4
php-pcntl-5.5.25-1.mga4
php-pdo-5.5.25-1.mga4
php-pdo_dblib-5.5.25-1.mga4
php-pdo_firebird-5.5.25-1.mga4
php-pdo_mysql-5.5.25-1.mga4
php-pdo_odbc-5.5.25-1.mga4
php-pdo_pgsql-5.5.25-1.mga4
php-pdo_sqlite-5.5.25-1.mga4
php-pgsql-5.5.25-1.mga4
php-phar-5.5.25-1.mga4
php-posix-5.5.25-1.mga4
php-readline-5.5.25-1.mga4
php-recode-5.5.25-1.mga4
php-session-5.5.25-1.mga4
php-shmop-5.5.25-1.mga4
php-snmp-5.5.25-1.mga4
php-soap-5.5.25-1.mga4
php-sockets-5.5.25-1.mga4
php-sqlite3-5.5.25-1.mga4
php-sybase_ct-5.5.25-1.mga4
php-sysvmsg-5.5.25-1.mga4
php-sysvsem-5.5.25-1.mga4
php-sysvshm-5.5.25-1.mga4
php-tidy-5.5.25-1.mga4
php-tokenizer-5.5.25-1.mga4
php-xml-5.5.25-1.mga4
php-xmlreader-5.5.25-1.mga4
php-xmlrpc-5.5.25-1.mga4
php-xmlwriter-5.5.25-1.mga4
php-xsl-5.5.25-1.mga4
php-wddx-5.5.25-1.mga4
php-zip-5.5.25-1.mga4
php-fpm-5.5.25-1.mga4
php-apc-3.1.15-4.15.mga4
php-apc-admin-3.1.15-4.15.mga4
php-timezonedb-2015.4-1.mga4

from SRPMS:
php-5.5.25-1.mga4.src.rpm
php-apc-3.1.15-4.15.mga4.src.rpm
php-timezonedb-2015.4-1.mga4.src.rpm
Comment 3 David Walser 2015-05-15 16:26:21 CEST 
Updated packages uploaded for Mageia 4 and Cauldron.

See Comment 2 for the advisory (for now) and the package list.

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 claire robinson 2015-05-18 10:52:00 CEST 
Testing complete mga4 32

Tested with phpmyadmin, php-apc & wordpress

Whiteboard: (none) => has_procedure mga4-32-ok

Comment 6 claire robinson 2015-05-18 16:40:31 CEST 
Testing complete mga4 64

Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2015-05-18 16:43:56 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-18 21:09:01 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0231.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-19 19:11:41 CEST

URL: (none) => http://lwn.net/Vulnerabilities/645054/

Comment 9 David Walser 2015-05-20 17:26:53 CEST 
CVE assignments were made public.  Here's the real advisory.  Can someone update it in SVN?

Advisory:
========================

Updated php packages fix security vulnerabilities:

Memory Corruption in phar_parse_tarfile when entry filename starts with null
(CVE-2015-4021).

Integer overflow in ftp_genlist() resulting in heap overflow, potentially
exploitable by a hostile FTP server (CVE-2015-4022).

PHP Multipart/form-data parsing remote DoS Vulnerability (CVE-2015-4024).

Various functions allow \0 in paths where they shouldn't. In theory, that
could lead to security failure for path-based access controls if the user
injects a string with \0 in it. These functions include set_include_path(),
tempnam(), rmdir(), and readlink() (CVE-2015-4025), as well as pcntl_exec()
(CVE-2015-4026).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026
http://php.net/ChangeLog-5.php#5.5.25
http://openwall.com/lists/oss-security/2015/05/20/3
Comment 10 claire robinson 2015-05-20 17:39:28 CEST 
Updated in SVN.