Bug 1971

Summary:	Additional php vulnerabilities
Product:	Mageia	Reporter:	Stew Benedict <stewbintn>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	normal
Priority:	Normal	CC:	davidwhodgins, dmorganec, eeeemail, guillomovitch, lists.jjorge, pterjan, stormi-mageia, sysadmin-bugs
Version:	1	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
Whiteboard:
Source RPM:	php-5.3.6-2.mga1.src.rpm	CVE:
Status comment:

Description Stew Benedict 2011-06-30 13:54:40 CEST

Description of problem:

Debian just released PHP updates. I find 3 in their list that I don't see an indication of being fixed in our package:

CVE-2011-1466

   An integer overflow was discovered in the Calendar module.

CVE-2011-1471

   The Zip module was prone to denial of service through malformed
   archives.

CVE-2011-2202

   Path names in form based file uploads (RFC 1867) were incorrectly 
   validated.

Debian sid package is here (for patches):
http://packages.debian.org/sid/php5

Version-Release number of selected component (if applicable):

php-5.3.6-2.mga1.src.rpm

How reproducible:

NA

Update text:

Several issues have been identified in PHP:

An integer overflow was discovered in the Calendar module. (CVE-2011-1466)
The Zip module was prone to denial of service through malformed archives. (CVE-2011-1471)
Path names in form based file uploads (RFC 1867) were incorrectly validated. (CVE-2011-2202)

These issues have been corrected in updated packages.

Manuel Hiebel 2011-08-30 09:59:23 CEST

CC: (none) => dmorganec, fundawang, guillomovitch, pterjan

Comment 1 Pascal Terjan 2011-09-13 00:14:18 CEST

CVE-2011-1466 Was already fixed in 5.3.6

Comment 2 Pascal Terjan 2011-09-13 00:15:37 CEST

CVE-2011-1471 was also fixed in 5.3.6

Comment 3 Pascal Terjan 2011-09-13 00:17:22 CEST

Patch for CVE-2011-2202 
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/rfc1867.c?r1=312103&r2=312102&pathrev=312103

Assignee: bugsquad => pterjan

Comment 4 Pascal Terjan 2011-09-13 00:26:59 CEST

I added the patch to svn and sent package to updates_testing but it is actually low impact given that only CVE-2011-2202 is present in our package.

CVE-2011-2202 is only exploitable if php runs on a webserver as a user allowed to write to /. In such case a user could create a file in / (not in a subdirectory) but I don't think anyone would setup their webserver to run as root.

Comment 5 Manuel Hiebel 2011-09-13 01:30:32 CEST

ok to go on QA ?

Comment 6 Pascal Terjan 2011-09-13 08:59:15 CEST

I am not sure what QA can do about it except running a webserver as root to test
But it may not be worth the effort to push an update for this one, it could wait until next php update

Comment 7 José Jorge 2011-09-13 11:11:46 CEST

Well QA can ensure it still runs at least. For the CVE fix, yes as it isn't the default Mageia configuration, we can skip this update.

But I think anything in updates_testing should have a bug in QA : I've just updated PHP and tested it (not the CVE fix, only that it still runs), then it was hard to report the test ;-)

REPORT : Tested on x86_64, runs OK. But the CVE CVE-2011-2202 was not tested.

CC: (none) => lists.jjorge

Funda Wang 2011-09-13 11:16:35 CEST

CC: fundawang => (none)

Comment 8 Manuel Hiebel 2011-09-13 11:37:04 CEST

Yes I (In reply to comment #7)
> But I think anything in updates_testing should have a bug in QA
Yes sure, I ask because some update was not ready for the QA (or we was to fast) :)

Assignee: pterjan => qa-bugs

Comment 9 claire robinson 2011-09-13 12:44:22 CEST

There is an exploit available for CVE-2011-2202 at

http://downloads.securityfocus.com/vulnerabilities/exploits/48259.php

Did you decide this was ready for testing or are you still working on it?

CC: (none) => eeeemail

Comment 10 claire robinson 2011-09-13 12:46:37 CEST

Looking at it though Im not sure what to do with it..

Comment 11 Pascal Terjan 2011-09-13 12:47:50 CEST

Getting an exploit is easy (this gives a good basis) but for it to work you need either php to run as root or / being writable by the web user

Comment 12 claire robinson 2011-09-13 12:52:23 CEST

Personally, I'm going to need a testing procedure for this one please.

Comment 13 Samuel Verschelde 2011-09-13 12:57:40 CEST

(In reply to comment #12)
> Personally, I'm going to need a testing procedure for this one please.

I don't think we need to check the exploit for this one, as it is of low severity. Making sure php works will be enough, and I can test myself that I see no regression as I use it on a daily basis at work. José Jorge already reported that it's ok for x86_64.

CC: (none) => stormi

Comment 14 Dave Hodgins 2011-09-16 04:51:51 CEST

I've confirmed that http://127.0.0.1/phpmyadmin works on my i586 system.

Is that enough though?

CC: (none) => davidwhodgins

Comment 15 claire robinson 2011-09-16 10:48:51 CEST

Also confirmed working OK i586 with phpmyadmin.

Update validated. Ready for pushing.


Advisory:

---------------------

Several issues have been identified in PHP including:

An integer overflow was discovered in the Calendar module. (CVE-2011-1466)
The Zip module was prone to denial of service through malformed archives.
(CVE-2011-1471)
Path names in form based file uploads (RFC 1867) were incorrectly validated.
(CVE-2011-2202)

These issues have been corrected in updated packages.

----------------------

SRPM: php-5.3.6-2.1.mga1.src.rpm

Is php-smarty2-2.6.26-1.1.mga1.src.rpm also part of this update?

Manuel Hiebel 2011-09-16 12:20:17 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 claire robinson 2011-09-16 13:33:47 CEST

php-smarty2-2.6.26-1.1.mga1.src.rpm is NOT part of this update.

Sysadmin - Please push php-5.3.6-2.1.mga1.src.rpm from core/updates_testing to core/updates.

Thankyou!

Comment 17 D Morgan 2011-09-18 01:57:36 CEST

update pushed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED