| Summary: | PHP 5.5.27 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/652175/ | ||
| Whiteboard: | MGA4-64-OK advisory | ||
| Source RPM: | php-5.5.26-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-07-12 02:37:00 CEST
In VirtualBox, M4, KDE, 32-bit

Install and setup mariadb
In root terminal:
systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm owncloud drupal phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.26-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.26-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed

localhost/owncloud opens and runs
localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "test"

install package from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.27-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.27-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed

localhost/owncloud opens and runs
localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "testagain"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC:
(none) =>
wilcal.int

In VirtualBox, M4, KDE, 64-bit

Install and setup mariadb
In root terminal:
systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm drupal phpmyadmin

default install of php-ini php-fpm drupal phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.26-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.26-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "test"

install package from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.27-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.27-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "testagain"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CVE-2015-5589 and CVE-2015-5590 have been assigned to the phar issues fixed here:
http://openwall.com/lists/oss-security/2015/07/18/1

Testing MGA4 x64

Updated all applicable PHP modules in Updates Testing to 5.5.27-1.
Played with:
- phpmyadmin
- phppgadmin
- Drupal
- Moodle
- MediaWiki
- Cacti [relevant ?]

Nothing untoward noticed. OK as far as I am concerned; but needs more tests by others to formalise this.

CC:
(none) =>
lewyssmith

I played with various PHP webapps myself while testing apache, mga 4 64 too but I consider it enough to validate the update (and hasn't PHP a testsuite included?)

Keywords:
(none) =>
validated_update

(In reply to Samuel VERSCHELDE from comment #5)
> I played with various PHP webapps myself while testing apache, mga 4 64 too
> but I consider it enough to validate the update (and hasn't PHP a testsuite
> included?)

It does indeed have an extensive build-time test suite, which we do run. I don't know if we've ever rejected a PHP update because it broke something. The only issue I can remember running into are PoCs that weren't fully fixed.

Here's an advisory for now. An inquiry was made about the CVE that should be used for php-mysqlnd's version of the BACKRONYM flaw, but it hasn't been answered yet.

Advisory:
========================

Updated php packages fix security vulnerabilities:

Segfault in Phar::convertToData on invalid file (CVE-2015-5589).

Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590).

The php package has been updated to version 5.5.27, which fixes these issues, as well as other possible bugs and security issues, including the BACKRONYM flaw, which allows php-mysqlnd client connections that were supposed to use SSL/TLS to be downgraded to not use it.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590
http://php.net/ChangeLog-5.php#5.5.27
http://openwall.com/lists/oss-security/2015/07/18/1

Dave Hodgins
2015-07-23 03:42:42 CEST
CC:
(none) =>
davidwhodgins
Samuel Verschelde
2015-07-23 09:43:37 CEST
Assignee:
qa-bugs =>
sysadmin-bugs
Samuel Verschelde
2015-07-23 09:44:13 CEST
Assignee:
sysadmin-bugs =>
qa-bugs

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0276.html

Status:
NEW =>
RESOLVED
David Walser
2015-07-23 16:28:53 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/652175/