Bug 16115

Summary: PHP 5.5.26
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/650306/
Whiteboard: MGA4-32-OK advisory
Source RPM: php-5.5.25-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-06-13 20:57:36 CEST 
PHP 5.6.9 and 5.5.25 have been released on June 11:
http://php.net/ChangeLog-5.php#5.5.26
http://php.net/ChangeLog-5.php#5.6.10

There are several apparent security issues fixed, but no CVEs posted yet.

The pcre and sqlite3 CVEs mentioned were fixed by previous updates for those.

Updated packages uploaded for Mageia 4 and Cauldron.

Generic advisory for now as there are no CVEs for the PHP bugs.

The most likely candidate for a CVE is the php#69545 improved fix (an apparently incomplete fix was in PHP 5.5.25, this was CVE-2015-4022).

Advisory:
========================

Updated php packages fix security vulnerabilities:

PHP has been updated to version 5.5.26, which fixes multiple bugs and
potential security issues.  Please see the upstream ChangeLog for details.

References:
http://php.net/ChangeLog-5.php#5.5.26
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.26-1.mga4
apache-mod_php-5.5.26-1.mga4
php-cli-5.5.26-1.mga4
php-cgi-5.5.26-1.mga4
libphp5_common5-5.5.26-1.mga4
php-devel-5.5.26-1.mga4
php-openssl-5.5.26-1.mga4
php-zlib-5.5.26-1.mga4
php-doc-5.5.26-1.mga4
php-bcmath-5.5.26-1.mga4
php-bz2-5.5.26-1.mga4
php-calendar-5.5.26-1.mga4
php-ctype-5.5.26-1.mga4
php-curl-5.5.26-1.mga4
php-dba-5.5.26-1.mga4
php-dom-5.5.26-1.mga4
php-enchant-5.5.26-1.mga4
php-exif-5.5.26-1.mga4
php-fileinfo-5.5.26-1.mga4
php-filter-5.5.26-1.mga4
php-ftp-5.5.26-1.mga4
php-gd-5.5.26-1.mga4
php-gettext-5.5.26-1.mga4
php-gmp-5.5.26-1.mga4
php-hash-5.5.26-1.mga4
php-iconv-5.5.26-1.mga4
php-imap-5.5.26-1.mga4
php-interbase-5.5.26-1.mga4
php-intl-5.5.26-1.mga4
php-json-5.5.26-1.mga4
php-ldap-5.5.26-1.mga4
php-mbstring-5.5.26-1.mga4
php-mcrypt-5.5.26-1.mga4
php-mssql-5.5.26-1.mga4
php-mysql-5.5.26-1.mga4
php-mysqli-5.5.26-1.mga4
php-mysqlnd-5.5.26-1.mga4
php-odbc-5.5.26-1.mga4
php-opcache-5.5.26-1.mga4
php-pcntl-5.5.26-1.mga4
php-pdo-5.5.26-1.mga4
php-pdo_dblib-5.5.26-1.mga4
php-pdo_firebird-5.5.26-1.mga4
php-pdo_mysql-5.5.26-1.mga4
php-pdo_odbc-5.5.26-1.mga4
php-pdo_pgsql-5.5.26-1.mga4
php-pdo_sqlite-5.5.26-1.mga4
php-pgsql-5.5.26-1.mga4
php-phar-5.5.26-1.mga4
php-posix-5.5.26-1.mga4
php-readline-5.5.26-1.mga4
php-recode-5.5.26-1.mga4
php-session-5.5.26-1.mga4
php-shmop-5.5.26-1.mga4
php-snmp-5.5.26-1.mga4
php-soap-5.5.26-1.mga4
php-sockets-5.5.26-1.mga4
php-sqlite3-5.5.26-1.mga4
php-sybase_ct-5.5.26-1.mga4
php-sysvmsg-5.5.26-1.mga4
php-sysvsem-5.5.26-1.mga4
php-sysvshm-5.5.26-1.mga4
php-tidy-5.5.26-1.mga4
php-tokenizer-5.5.26-1.mga4
php-xml-5.5.26-1.mga4
php-xmlreader-5.5.26-1.mga4
php-xmlrpc-5.5.26-1.mga4
php-xmlwriter-5.5.26-1.mga4
php-xsl-5.5.26-1.mga4
php-wddx-5.5.26-1.mga4
php-zip-5.5.26-1.mga4
php-fpm-5.5.26-1.mga4
php-apc-3.1.15-4.15.mga4
php-apc-admin-3.1.15-4.15.mga4
php-timezonedb-2015.4-1.mga4

from SRPMS:
php-5.5.26-1.mga4.src.rpm
php-apc-3.1.15-4.16.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-06-16 20:02:48 CEST 
Several CVEs have been assigned, mostly for issues fixed in older versions of PHP:
http://openwall.com/lists/oss-security/2015/06/16/12

CVE-2015-4598 applies to php#69719 fixed in this update:
Incorrect handling of paths with NULs
Comment 2 David Walser 2015-06-18 13:54:33 CEST 
CVE request for other fixes in this update:
http://openwall.com/lists/oss-security/2015/06/18/3
Comment 3 David Walser 2015-06-18 15:48:20 CEST 
CVE assignment:
http://openwall.com/lists/oss-security/2015/06/18/6

Advisory:
========================

Updated php packages fix security vulnerabilities:

Incorrect handling of paths with NULs (CVE-2015-4598).

OS command injection vulnerability in escapeshellarg (CVE-2015-4642).

Integer overflow in ftp_genlist() resulting in heap overflow (CVE-2015-4643).

Segfault in php_pgsql_meta_data (CVE-2015-4644).

PHP has been updated to version 5.5.26, which fixes multiple bugs and
potential security issues.  Please see the upstream ChangeLog for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644
http://php.net/ChangeLog-5.php#5.5.26
http://openwall.com/lists/oss-security/2015/06/16/12
http://openwall.com/lists/oss-security/2015/06/18/6
Comment 4 David Walser 2015-06-23 21:00:57 CEST 
LWN reference for CVE-2015-4598 (and several unrelated ones):
http://lwn.net/Vulnerabilities/649071/
Comment 5 David Walser 2015-07-04 17:53:25 CEST 
Tested Mageia 4 i586 with my old php-gd, php-dba, php-cgi, apache-mod_userdir, apache-mod_suexec test case from https://bugs.mageia.org/show_bug.cgi?id=3895#c35

Whiteboard: (none) => MGA4-32-OK

Comment 6 Dave Hodgins 2015-07-04 19:08:38 CEST 
Advisory committed to svn.

Someone from the sysadmin team please push 16115.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => MGA4-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2015-07-05 19:23:23 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0258.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-07-06 20:26:41 CEST

URL: (none) => http://lwn.net/Vulnerabilities/650306/