| Summary: | php new security issue CVE-2023-3247 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | php-8.0.28-1.mga8.src.rpm | CVE: | CVE-2023-3247 |
| Status comment: | Fixed upstream in 8.0.29 | ||
|
Description
David Walser
2023-07-05 23:11:37 CEST
David Walser
2023-07-05 23:11:47 CEST
Status comment:
(none) =>
Fixed upstream in 8.0.29

I guess I've forgotten to write a report. Now I don't get the file list from build system :(

apache-mod_php-8.0.29-1.mga8
php-bcmath-8.0.29-1.mga8
php-bz2-8.0.29-1.mga8
php-calendar-8.0.29-1.mga8
php-cgi-8.0.29-1.mga8
php-cli-8.0.29-1.mga8
php-ctype-8.0.29-1.mga8
php-curl-8.0.29-1.mga8
php-dba-8.0.29-1.mga8
phpdbg-8.0.29-1.mga8
php-devel-8.0.29-1.mga8
php-doc-8.0.29-1.mga8
php-dom-8.0.29-1.mga8
php-enchant-8.0.29-1.mga8
php-exif-8.0.29-1.mga8
php-fileinfo-8.0.29-1.mga8
php-filter-8.0.29-1.mga8
php-fpm-8.0.29-1.mga8
php-fpm-apache-8.0.29-1.mga8
php-fpm-nginx-8.0.29-1.mga8
php-ftp-8.0.29-1.mga8
php-gd-8.0.29-1.mga8
php-gettext-8.0.29-1.mga8
php-gmp-8.0.29-1.mga8
php-iconv-8.0.29-1.mga8
php-imap-8.0.29-1.mga8
php-ini-8.0.29-1.mga8
php-intl-8.0.29-1.mga8
php-ldap-8.0.29-1.mga8
php-mbstring-8.0.29-1.mga8
php-mysqli-8.0.29-1.mga8
php-mysqlnd-8.0.29-1.mga8
php-odbc-8.0.29-1.mga8
php-opcache-8.0.29-1.mga8
php-openssl-8.0.29-1.mga8
php-pcntl-8.0.29-1.mga8
php-pdo-8.0.29-1.mga8
php-pdo_dblib-8.0.29-1.mga8
php-pdo_firebird-8.0.29-1.mga8
php-pdo_mysql-8.0.29-1.mga8
php-pdo_odbc-8.0.29-1.mga8
php-pdo_pgsql-8.0.29-1.mga8
php-pdo_sqlite-8.0.29-1.mga8
php-pgsql-8.0.29-1.mga8
php-phar-8.0.29-1.mga8
php-posix-8.0.29-1.mga8
php-readline-8.0.29-1.mga8
php-session-8.0.29-1.mga8
php-shmop-8.0.29-1.mga8
php-snmp-8.0.29-1.mga8
php-soap-8.0.29-1.mga8
php-sockets-8.0.29-1.mga8
php-sodium-8.0.29-1.mga8
php-sqlite3-8.0.29-1.mga8
php-sysvmsg-8.0.29-1.mga8
php-sysvsem-8.0.29-1.mga8
php-sysvshm-8.0.29-1.mga8
php-tidy-8.0.29-1.mga8
php-tokenizer-8.0.29-1.mga8
php-xmlreader-8.0.29-1.mga8
php-xmlwriter-8.0.29-1.mga8
php-xsl-8.0.29-1.mga8
php-zip-8.0.29-1.mga8
php-zlib-8.0.29-1.mga8

CC:
(none) =>
davidwhodgins

Updated php to fix a security vulnerability:

Soap - Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)

References:
https://www.php.net/ChangeLog-8.php#8.0.29
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3247
https://ubuntu.com/security/notices/USN-6199-1

========================
Updated packages in core/updates_testing:
========================
apache-mod_php-8.0.29-1.mga8
php-bcmath-8.0.29-1.mga8
php-bz2-8.0.29-1.mga8
php-calendar-8.0.29-1.mga8
php-cgi-8.0.29-1.mga8
php-cli-8.0.29-1.mga8
php-ctype-8.0.29-1.mga8
php-curl-8.0.29-1.mga8
php-dba-8.0.29-1.mga8
phpdbg-8.0.29-1.mga8
php-devel-8.0.29-1.mga8
php-doc-8.0.29-1.mga8
php-dom-8.0.29-1.mga8
php-enchant-8.0.29-1.mga8
php-exif-8.0.29-1.mga8
php-fileinfo-8.0.29-1.mga8
php-filter-8.0.29-1.mga8
php-fpm-8.0.29-1.mga8
php-fpm-apache-8.0.29-1.mga8
php-fpm-nginx-8.0.29-1.mga8
php-ftp-8.0.29-1.mga8
php-gd-8.0.29-1.mga8
php-gettext-8.0.29-1.mga8
php-gmp-8.0.29-1.mga8
php-iconv-8.0.29-1.mga8
php-imap-8.0.29-1.mga8
php-ini-8.0.29-1.mga8
php-intl-8.0.29-1.mga8
php-ldap-8.0.29-1.mga8
php-mbstring-8.0.29-1.mga8
php-mysqli-8.0.29-1.mga8
php-mysqlnd-8.0.29-1.mga8
php-odbc-8.0.29-1.mga8
php-opcache-8.0.29-1.mga8
php-openssl-8.0.29-1.mga8
php-pcntl-8.0.29-1.mga8
php-pdo-8.0.29-1.mga8
php-pdo_dblib-8.0.29-1.mga8
php-pdo_firebird-8.0.29-1.mga8
php-pdo_mysql-8.0.29-1.mga8
php-pdo_odbc-8.0.29-1.mga8
php-pdo_pgsql-8.0.29-1.mga8
php-pdo_sqlite-8.0.29-1.mga8
php-pgsql-8.0.29-1.mga8
php-phar-8.0.29-1.mga8
php-posix-8.0.29-1.mga8
php-readline-8.0.29-1.mga8
php-session-8.0.29-1.mga8
php-shmop-8.0.29-1.mga8
php-snmp-8.0.29-1.mga8
php-soap-8.0.29-1.mga8
php-sockets-8.0.29-1.mga8
php-sodium-8.0.29-1.mga8
php-sqlite3-8.0.29-1.mga8
php-sysvmsg-8.0.29-1.mga8
php-sysvsem-8.0.29-1.mga8
php-sysvshm-8.0.29-1.mga8
php-tidy-8.0.29-1.mga8
php-tokenizer-8.0.29-1.mga8
php-xmlreader-8.0.29-1.mga8
php-xmlwriter-8.0.29-1.mga8
php-xsl-8.0.29-1.mga8
php-zip-8.0.29-1.mga8
php-zlib-8.0.29-1.mga8

SRPM
php-8.0.29-1.mga8.src.rpm

Assignee:
mageia =>
qa-bugs

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Refer to bug 31180 for testing:

$ php -S localhost:8000 -t php
[Tue Jul 11 10:13:55 2023] PHP 8.0.29 Development Server (http://localhost:8000) started
[Tue Jul 11 10:14:39 2023] [::1]:50968 Accepted

Then pointing firefox to http://localhost:8000/create-png.php and http://localhost:8000/sample.php displays correct image and text message.
Works OK and get feedback at the CLI:

[Tue Jul 11 10:14:39 2023] [::1]:50968 Accepted
[Tue Jul 11 10:14:40 2023] [::1]:50968 [200]: GET /create-png.php
[Tue Jul 11 10:14:40 2023] [::1]:50968 Closing
[Tue Jul 11 10:14:41 2023] [::1]:50970 Accepted
[Tue Jul 11 10:14:41 2023] [::1]:50970 [404]: GET /favicon.ico - No such file or directory
[Tue Jul 11 10:14:41 2023] [::1]:50970 Closing
[Tue Jul 11 10:15:11 2023] [::1]:57364 Accepted
[Tue Jul 11 10:15:11 2023] [::1]:57364 [200]: GET /sample.php
[Tue Jul 11 10:15:11 2023] [::1]:57364 Closing
[Tue Jul 11 10:15:55 2023] [::1]:56950 Accepted
[Tue Jul 11 10:15:55 2023] [::1]:56950 [200]: GET /sample.php
[Tue Jul 11 10:15:55 2023] [::1]:56950 Closing

Make sure httpd and mysqld are running, then start phpmyadmin, login, create a new database testphp8029 and create a new table with PK and unique key and timestamp and insert some values.
All works OK, good to go.

CC:
(none) =>
herman.viaene
Herman Viaene
2023-07-11 10:18:30 CEST
Whiteboard:
(none) =>
MGA8-64-OK

Validating. Advisory in comment 3.

Keywords:
(none) =>
validated_update
Dave Hodgins
2023-07-13 19:50:58 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0234.html

Resolution:
(none) =>
FIXED |
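
One way to confirm the update reached a host, as an added example that is not part of the bug report: the function below lists packages built from the php source RPM that are still older than the fixed build 8.0.29-1.mga8 named above. The function names, the `sort -V` comparison (an approximation of rpm's own ordering) and the sample inventory are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the bug report.
# Fixed build, taken from the advisory's package list.
FIXED="8.0.29-1.mga8"

# ver_lt A B: true when A sorts strictly before B under `sort -V`.
# Assumption: this approximates rpm's ordering closely enough for
# x.y.z-r.mgaN strings; it is not a full rpmvercmp implementation.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_php: reads "NAME VERSION-RELEASE SOURCERPM" lines on stdin and
# prints every package built from the php source RPM that is below FIXED.
# Filtering on the source RPM keeps phpmyadmin and other php-named
# packages, which carry their own version numbers, out of the result.
outdated_php() {
    while read -r name evr srpm; do
        case "$srpm" in
            php-[0-9]*.src.rpm) ;;
            *) continue ;;
        esac
        if ver_lt "$evr" "$FIXED"; then
            printf '%s %s\n' "$name" "$evr"
        fi
    done
}

# Constructed sample inventory (not real host data), in the shape of:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'
sample_inventory() {
    cat <<'EOF'
php-cli 8.0.29-1.mga8 php-8.0.29-1.mga8.src.rpm
php-soap 8.0.28-1.mga8 php-8.0.28-1.mga8.src.rpm
apache-mod_php 8.0.28-1.mga8 php-8.0.28-1.mga8.src.rpm
phpmyadmin 5.2.1-1.mga8 phpmyadmin-5.2.1-1.mga8.src.rpm
EOF
}

sample_inventory | outdated_php
```

On a real system, pipe the `rpm -qa` query shown in the comment into `outdated_php`; empty output means no package from the php source RPM is below the fixed build.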