Bug 16874

Summary: PHP 5.6.14
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: brtians1, davidwhodgins, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/660425/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: php-5.6.13-mga5.src.rpm
CVE:
Status comment:
Attachments: php test I ran for first note

Description David Walser 2015-10-01 20:22:55 CEST
PHP 5.6.14 has been released today (October 1).  The website hasn't posted the announcement or changelog for it yet, but you can see what the changelog is in the NEWS file in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=6b95607aef2aa0aa1ea9584ec731ba20f93eb234;hb=refs/heads/PHP-5.6

It should show up here soon:
http://php.net/ChangeLog-5.php

It fixes two security issues in php-phar and fixes several other bugs.

I will be updating php-timezonedb with this update as well.

In the process of building this update, advisory and package list will be as follows.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.14, which fixes two security
issues in phar and several other bugs.  See the upstream ChangeLog for more
details.

References:
http://www.php.net/ChangeLog-5.php#5.6.14

Updated packages in core/updates_testing:
========================
php-ini-5.6.14-1.mga5
apache-mod_php-5.6.14-1.mga5
php-cli-5.6.14-1.mga5
php-cgi-5.6.14-1.mga5
libphp5_common5-5.6.14-1.mga5
php-devel-5.6.14-1.mga5
php-openssl-5.6.14-1.mga5
php-zlib-5.6.14-1.mga5
php-doc-5.6.14-1.mga5
php-bcmath-5.6.14-1.mga5
php-bz2-5.6.14-1.mga5
php-calendar-5.6.14-1.mga5
php-ctype-5.6.14-1.mga5
php-curl-5.6.14-1.mga5
php-dba-5.6.14-1.mga5
php-dom-5.6.14-1.mga5
php-enchant-5.6.14-1.mga5
php-exif-5.6.14-1.mga5
php-fileinfo-5.6.14-1.mga5
php-filter-5.6.14-1.mga5
php-ftp-5.6.14-1.mga5
php-gd-5.6.14-1.mga5
php-gettext-5.6.14-1.mga5
php-gmp-5.6.14-1.mga5
php-hash-5.6.14-1.mga5
php-iconv-5.6.14-1.mga5
php-imap-5.6.14-1.mga5
php-interbase-5.6.14-1.mga5
php-intl-5.6.14-1.mga5
php-json-5.6.14-1.mga5
php-ldap-5.6.14-1.mga5
php-mbstring-5.6.14-1.mga5
php-mcrypt-5.6.14-1.mga5
php-mssql-5.6.14-1.mga5
php-mysql-5.6.14-1.mga5
php-mysqli-5.6.14-1.mga5
php-mysqlnd-5.6.14-1.mga5
php-odbc-5.6.14-1.mga5
php-opcache-5.6.14-1.mga5
php-pcntl-5.6.14-1.mga5
php-pdo-5.6.14-1.mga5
php-pdo_dblib-5.6.14-1.mga5
php-pdo_firebird-5.6.14-1.mga5
php-pdo_mysql-5.6.14-1.mga5
php-pdo_odbc-5.6.14-1.mga5
php-pdo_pgsql-5.6.14-1.mga5
php-pdo_sqlite-5.6.14-1.mga5
php-pgsql-5.6.14-1.mga5
php-phar-5.6.14-1.mga5
php-posix-5.6.14-1.mga5
php-readline-5.6.14-1.mga5
php-recode-5.6.14-1.mga5
php-session-5.6.14-1.mga5
php-shmop-5.6.14-1.mga5
php-snmp-5.6.14-1.mga5
php-soap-5.6.14-1.mga5
php-sockets-5.6.14-1.mga5
php-sqlite3-5.6.14-1.mga5
php-sybase_ct-5.6.14-1.mga5
php-sysvmsg-5.6.14-1.mga5
php-sysvsem-5.6.14-1.mga5
php-sysvshm-5.6.14-1.mga5
php-tidy-5.6.14-1.mga5
php-tokenizer-5.6.14-1.mga5
php-xml-5.6.14-1.mga5
php-xmlreader-5.6.14-1.mga5
php-xmlrpc-5.6.14-1.mga5
php-xmlwriter-5.6.14-1.mga5
php-xsl-5.6.14-1.mga5
php-wddx-5.6.14-1.mga5
php-zip-5.6.14-1.mga5
php-fpm-5.6.14-1.mga5
phpdbg-5.6.14-1.mga5
php-timezonedb-2015.6.1-1.mga5

from SRPMS:
php-5.6.14-mga5.src.rpm
php-timezonedb-2015.6.1-1.mga5.src.rpm

Comment 1 David Walser 2015-10-01 22:57:52 CEST
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory and package list in Comment 0.

Assignee: bugsquad => qa-bugs

Comment 2 claire robinson 2015-10-02 23:37:13 CEST
Test php with various webapps and for php-timezonedb see..
https://bugs.mageia.org/show_bug.cgi?id=11559#c1

Whiteboard: (none) => has_procedure

Comment 3 David Walser 2015-10-05 22:54:12 CEST
CVE request:
http://openwall.com/lists/oss-security/2015/10/05/8
Comment 4 Brian Rockwell 2015-10-06 15:53:15 CEST
I'd guess installing the update and running owncloud would test it.  I'll try it later tonight if I get some time.

CC: (none) => brtians1

Comment 5 Brian Rockwell 2015-10-07 02:42:44 CEST
I tested one of the diagnostics (without compile) - worked the same, but nothing bad there.

before

Current PHP version: 5.6.13
PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'internal corruption of phar "/home/brian/php_tests/fuzz-test.zip" (truncated entry)' in /home/brian/php_tests/php14.php:3
Stack trace:
#0 /home/brian/php_tests/php14.php(3): PharData->__construct('fuzz-test.zip')
#1 {main}
  thrown in /home/brian/php_tests/php14.php on line 3

after

Current PHP version: 5.6.14
PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'internal corruption of phar "/home/brian/php_tests/fuzz-test.zip" (truncated entry)' in /home/brian/php_tests/php14.php:3
Stack trace:
#0 /home/brian/php_tests/php14.php(3): PharData->__construct('fuzz-test.zip')
#1 {main}
  thrown in /home/brian/php_tests/php14.php on line 3
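The check described in this comment, written out as a self-contained script. This is an added example, not the attachment from this bug and not PHP's own test suite: it builds a valid zip with ext/zip, reads it back through PharData, then derives a truncated copy and verifies that PharData rejects the corrupt archive with a clean UnexpectedValueException rather than misbehaving. The file names, the archive content and the truncation point are constructed for the example; the exact exception message (Brian's run shows "truncated entry") depends on where the cut lands.

```php
<?php
// Added example (not attachment 7103 from this bug): regression check for
// ext/phar's handling of a corrupt zip archive.  Requires php-phar and
// php-zip, both in the package list above.  File names and contents are
// constructed for this test.

if (!extension_loaded('phar') || !class_exists('ZipArchive')) {
    fwrite(STDERR, "php-phar and php-zip are required\n");
    exit(2);
}

echo "Current PHP version: " . PHP_VERSION . "\n";

$dir     = sys_get_temp_dir() . '/phar-test-' . getmypid();
$good    = $dir . '/good.zip';
$corrupt = $dir . '/corrupt.zip';
$payload = str_repeat("hello from the archive\n", 200);   // constructed content
mkdir($dir, 0700);

// 1. Build a known-good archive with ext/zip.
$zip = new ZipArchive();
if ($zip->open($good, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
    throw new RuntimeException("cannot create $good");
}
$zip->addFromString('hello.txt', $payload);
$zip->close();

// 2. Reading it through PharData must round-trip the content.
$phar = new PharData($good);
$seen = $phar['hello.txt']->getContent();
if ($seen !== $payload) {
    throw new RuntimeException('round-trip through PharData failed');
}
echo "valid archive: OK (" . strlen($seen) . " bytes read back)\n";
unset($phar);

// 3. Derive a corrupt copy: keep only the first half of the file, which
//    cuts into the entry data and drops the central directory.  A second
//    file name is used because ext/phar caches parsed archives by path.
$bytes = file_get_contents($good);
file_put_contents($corrupt, substr($bytes, 0, (int) (strlen($bytes) / 2)));

// 4. Expected behaviour is a clean UnexpectedValueException; the message
//    ("truncated entry", "not a zip-based phar", ...) depends on the cut.
$status = 1;
try {
    new PharData($corrupt);
    echo "corrupt archive: FAIL (no exception raised)\n";
} catch (UnexpectedValueException $e) {
    echo "corrupt archive: OK (" . $e->getMessage() . ")\n";
    $status = 0;
}

unlink($good);
unlink($corrupt);
rmdir($dir);
exit($status);
```

Run it with `php-cli` before and after installing the update; a zero exit status means both archives were handled as intended, and any other outcome (a segfault, an uncaught non-phar error, or no exception at all on the corrupt file) is what this QA step is meant to catch.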
Comment 6 Brian Rockwell 2015-10-07 02:46:09 CEST
Tested owncloud it is working fine in 32-bit

Linux localhost 4.1.8-desktop-1.mga5 #1 SMP Sun Sep 20 12:33:42 UTC 2015 i686 i686 i686 GNU/Linux
Comment 7 Brian Rockwell 2015-10-07 02:47:04 CEST
Created attachment 7103 [details]
php test I ran for first note
Brian Rockwell 2015-10-07 02:47:41 CEST

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Dave Hodgins 2015-10-09 00:24:43 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory

Dave Hodgins 2015-10-09 00:31:59 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-10-09 20:49:02 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0395.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-10-12 20:34:21 CEST

URL: (none) => http://lwn.net/Vulnerabilities/660425/

Comment 9 David Walser 2015-10-12 20:38:53 CEST
CVE-2015-7803 and CVE-2015-7804 have been assigned for this:
http://openwall.com/lists/oss-security/2015/10/10/4