Bug 6353

Summary: php new security issues CVE-2012-2386 and CVE-2012-2143
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/500330/
Whiteboard: mga1-32-OK, mga1-64-OK
Source RPM: php-5.3.13-1.mga1.src.rpm CVE:
Status comment:
Bug Depends on: 6354    
Bug Blocks:    

Description David Walser 2012-06-06 18:22:23 CEST 
SuSE has issued an advisory on June 5:
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html

Cauldron was affected, but I have fixed it there.

Mageia 2 is affected, and I will file a duplicate bug to help QA.

Patched package for Mageia 1 uploaded.

Note to QA: The patch only affects the php-phar subpackage, so you can focus testing there if you can find a test case.  Some of the documentation here may be helpful:
http://php.net/manual/en/book.phar.php

I believe there is also a PoC out there.  See the references below.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to heap-based buffer overflow was
found in the way Phar extension of the PHP scripting language
processed certain fields by manipulating TAR files. A remote
attacker could provide a specially-crafted TAR archive file,
which once processed in an PHP application using the Phar extension
could lead to denial of service (application crash), or,
potentially arbitary code execution with the privileges of the
user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
========================

Updated packages in core/updates_testing:
========================
php-cli-5.3.13-1.1.mga1
php-cgi-5.3.13-1.1.mga1
php-fpm-5.3.13-1.1.mga1
apache-mod_php-5.3.13-1.1.mga1
libphp5_common5-5.3.13-1.1.mga1
php-devel-5.3.13-1.1.mga1
php-openssl-5.3.13-1.1.mga1
php-zlib-5.3.13-1.1.mga1
php-doc-5.3.13-1.1.mga1
php-bcmath-5.3.13-1.1.mga1
php-bz2-5.3.13-1.1.mga1
php-calendar-5.3.13-1.1.mga1
php-ctype-5.3.13-1.1.mga1
php-curl-5.3.13-1.1.mga1
php-dba-5.3.13-1.1.mga1
php-dom-5.3.13-1.1.mga1
php-enchant-5.3.13-1.1.mga1
php-exif-5.3.13-1.1.mga1
php-fileinfo-5.3.13-1.1.mga1
php-filter-5.3.13-1.1.mga1
php-ftp-5.3.13-1.1.mga1
php-gd-5.3.13-1.1.mga1
php-gettext-5.3.13-1.1.mga1
php-gmp-5.3.13-1.1.mga1
php-hash-5.3.13-1.1.mga1
php-iconv-5.3.13-1.1.mga1
php-imap-5.3.13-1.1.mga1
php-intl-5.3.13-1.1.mga1
php-json-5.3.13-1.1.mga1
php-ldap-5.3.13-1.1.mga1
php-mbstring-5.3.13-1.1.mga1
php-mcrypt-5.3.13-1.1.mga1
php-mssql-5.3.13-1.1.mga1
php-mysql-5.3.13-1.1.mga1
php-mysqli-5.3.13-1.1.mga1
php-mysqlnd-5.3.13-1.1.mga1
php-odbc-5.3.13-1.1.mga1
php-pcntl-5.3.13-1.1.mga1
php-pdo-5.3.13-1.1.mga1
php-pdo_dblib-5.3.13-1.1.mga1
php-pdo_mysql-5.3.13-1.1.mga1
php-pdo_odbc-5.3.13-1.1.mga1
php-pdo_pgsql-5.3.13-1.1.mga1
php-pdo_sqlite-5.3.13-1.1.mga1
php-pgsql-5.3.13-1.1.mga1
php-phar-5.3.13-1.1.mga1
php-posix-5.3.13-1.1.mga1
php-pspell-5.3.13-1.1.mga1
php-readline-5.3.13-1.1.mga1
php-recode-5.3.13-1.1.mga1
php-session-5.3.13-1.1.mga1
php-shmop-5.3.13-1.1.mga1
php-snmp-5.3.13-1.1.mga1
php-soap-5.3.13-1.1.mga1
php-sockets-5.3.13-1.1.mga1
php-sqlite3-5.3.13-1.1.mga1
php-sqlite-5.3.13-1.1.mga1
php-sybase_ct-5.3.13-1.1.mga1
php-sysvmsg-5.3.13-1.1.mga1
php-sysvsem-5.3.13-1.1.mga1
php-sysvshm-5.3.13-1.1.mga1
php-tidy-5.3.13-1.1.mga1
php-tokenizer-5.3.13-1.1.mga1
php-xml-5.3.13-1.1.mga1
php-xmlreader-5.3.13-1.1.mga1
php-xmlrpc-5.3.13-1.1.mga1
php-xmlwriter-5.3.13-1.1.mga1
php-xsl-5.3.13-1.1.mga1
php-wddx-5.3.13-1.1.mga1
php-zip-5.3.13-1.1.mga1

from php-5.3.13-1.1.mga1.src.rpm
David Walser 2012-06-06 18:22:44 CEST

Depends on: (none) => 6354

Comment 1 David Walser 2012-06-11 22:36:03 CEST 
Debian issued an advisory for this yesterday (June 10):
http://www.debian.org/security/2012/dsa-2492

Their update includes an additional patch (from upstream) to the php-phar tar handling code for a similar issue.  I've included that patch and rebuilt this update.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to heap-based buffer overflow was
found in the way Phar extension of the PHP scripting language
processed certain fields by manipulating TAR files. A remote
attacker could provide a specially-crafted TAR archive file,
which once processed in an PHP application using the Phar extension
could lead to denial of service (application crash), or,
potentially arbitary code execution with the privileges of the
user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
========================

Updated packages in core/updates_testing:
========================
php-cli-5.3.13-1.2.mga1
php-cgi-5.3.13-1.2.mga1
php-fpm-5.3.13-1.2.mga1
apache-mod_php-5.3.13-1.2.mga1
libphp5_common5-5.3.13-1.2.mga1
php-devel-5.3.13-1.2.mga1
php-openssl-5.3.13-1.2.mga1
php-zlib-5.3.13-1.2.mga1
php-doc-5.3.13-1.2.mga1
php-bcmath-5.3.13-1.2.mga1
php-bz2-5.3.13-1.2.mga1
php-calendar-5.3.13-1.2.mga1
php-ctype-5.3.13-1.2.mga1
php-curl-5.3.13-1.2.mga1
php-dba-5.3.13-1.2.mga1
php-dom-5.3.13-1.2.mga1
php-enchant-5.3.13-1.2.mga1
php-exif-5.3.13-1.2.mga1
php-fileinfo-5.3.13-1.2.mga1
php-filter-5.3.13-1.2.mga1
php-ftp-5.3.13-1.2.mga1
php-gd-5.3.13-1.2.mga1
php-gettext-5.3.13-1.2.mga1
php-gmp-5.3.13-1.2.mga1
php-hash-5.3.13-1.2.mga1
php-iconv-5.3.13-1.2.mga1
php-imap-5.3.13-1.2.mga1
php-intl-5.3.13-1.2.mga1
php-json-5.3.13-1.2.mga1
php-ldap-5.3.13-1.2.mga1
php-mbstring-5.3.13-1.2.mga1
php-mcrypt-5.3.13-1.2.mga1
php-mssql-5.3.13-1.2.mga1
php-mysql-5.3.13-1.2.mga1
php-mysqli-5.3.13-1.2.mga1
php-mysqlnd-5.3.13-1.2.mga1
php-odbc-5.3.13-1.2.mga1
php-pcntl-5.3.13-1.2.mga1
php-pdo-5.3.13-1.2.mga1
php-pdo_dblib-5.3.13-1.2.mga1
php-pdo_mysql-5.3.13-1.2.mga1
php-pdo_odbc-5.3.13-1.2.mga1
php-pdo_pgsql-5.3.13-1.2.mga1
php-pdo_sqlite-5.3.13-1.2.mga1
php-pgsql-5.3.13-1.2.mga1
php-phar-5.3.13-1.2.mga1
php-posix-5.3.13-1.2.mga1
php-pspell-5.3.13-1.2.mga1
php-readline-5.3.13-1.2.mga1
php-recode-5.3.13-1.2.mga1
php-session-5.3.13-1.2.mga1
php-shmop-5.3.13-1.2.mga1
php-snmp-5.3.13-1.2.mga1
php-soap-5.3.13-1.2.mga1
php-sockets-5.3.13-1.2.mga1
php-sqlite3-5.3.13-1.2.mga1
php-sqlite-5.3.13-1.2.mga1
php-sybase_ct-5.3.13-1.2.mga1
php-sysvmsg-5.3.13-1.2.mga1
php-sysvsem-5.3.13-1.2.mga1
php-sysvshm-5.3.13-1.2.mga1
php-tidy-5.3.13-1.2.mga1
php-tokenizer-5.3.13-1.2.mga1
php-xml-5.3.13-1.2.mga1
php-xmlreader-5.3.13-1.2.mga1
php-xmlrpc-5.3.13-1.2.mga1
php-xmlwriter-5.3.13-1.2.mga1
php-xsl-5.3.13-1.2.mga1
php-wddx-5.3.13-1.2.mga1
php-zip-5.3.13-1.2.mga1

from php-5.3.13-1.2.mga1.src.rpm
Comment 2 David Walser 2012-06-15 15:27:46 CEST 
I was worried this might happen, but upstream has issued a new version, Mandriva has updated it (including for 2010.2), and another CVE has been fixed.  So, I'll have to build a new update.

Mandriva has issued an advisory today (June 15):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093

This updates to 5.3.14 and adds an additional CVE, CVE-2012-2143.
David Walser 2012-06-15 15:28:05 CEST

Summary: php new security issue CVE-2012-2386 => php new security issues CVE-2012-2386 and CVE-2012-2143

Comment 3 David Walser 2012-06-15 22:29:39 CEST 
Updated packages uploaded.  php-eaccelerator and php-gd-bundled were rebuilt.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt()
in ext/standard/crypt_freesec.c when handling input which contains
characters that can not be represented with 7-bit ASCII. When the input
contains characters with only the most significant bit set (0x80), that
character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in
the way Phar extension of the PHP scripting language processed certain
fields by manipulating TAR files. A remote attacker could provide a
specially-crafted TAR archive file, which once processed in an PHP
application using the Phar extension could lead to denial of service
(application crash), or, potentially arbitary code execution with
the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================

Updated packages in core/updates_testing:
========================
php-eaccelerator-0.9.6.1-6.6.mga1
php-gd-bundled-5.3.14-1.mga1
php-ini-5.3.14-1.mga1
php-cli-5.3.14-1.mga1
php-cgi-5.3.14-1.mga1
php-fpm-5.3.14-1.mga1
apache-mod_php-5.3.14-1.mga1
libphp5_common5-5.3.14-1.mga1
php-devel-5.3.14-1.mga1
php-openssl-5.3.14-1.mga1
php-zlib-5.3.14-1.mga1
php-doc-5.3.14-1.mga1
php-bcmath-5.3.14-1.mga1
php-bz2-5.3.14-1.mga1
php-calendar-5.3.14-1.mga1
php-ctype-5.3.14-1.mga1
php-curl-5.3.14-1.mga1
php-dba-5.3.14-1.mga1
php-dom-5.3.14-1.mga1
php-enchant-5.3.14-1.mga1
php-exif-5.3.14-1.mga1
php-fileinfo-5.3.14-1.mga1
php-filter-5.3.14-1.mga1
php-ftp-5.3.14-1.mga1
php-gd-5.3.14-1.mga1
php-gettext-5.3.14-1.mga1
php-gmp-5.3.14-1.mga1
php-hash-5.3.14-1.mga1
php-iconv-5.3.14-1.mga1
php-imap-5.3.14-1.mga1
php-intl-5.3.14-1.mga1
php-json-5.3.14-1.mga1
php-ldap-5.3.14-1.mga1
php-mbstring-5.3.14-1.mga1
php-mcrypt-5.3.14-1.mga1
php-mssql-5.3.14-1.mga1
php-mysql-5.3.14-1.mga1
php-mysqli-5.3.14-1.mga1
php-mysqlnd-5.3.14-1.mga1
php-odbc-5.3.14-1.mga1
php-pcntl-5.3.14-1.mga1
php-pdo-5.3.14-1.mga1
php-pdo_dblib-5.3.14-1.mga1
php-pdo_mysql-5.3.14-1.mga1
php-pdo_odbc-5.3.14-1.mga1
php-pdo_pgsql-5.3.14-1.mga1
php-pdo_sqlite-5.3.14-1.mga1
php-pgsql-5.3.14-1.mga1
php-phar-5.3.14-1.mga1
php-posix-5.3.14-1.mga1
php-pspell-5.3.14-1.mga1
php-readline-5.3.14-1.mga1
php-recode-5.3.14-1.mga1
php-session-5.3.14-1.mga1
php-shmop-5.3.14-1.mga1
php-snmp-5.3.14-1.mga1
php-soap-5.3.14-1.mga1
php-sockets-5.3.14-1.mga1
php-sqlite3-5.3.14-1.mga1
php-sqlite-5.3.14-1.mga1
php-sybase_ct-5.3.14-1.mga1
php-sysvmsg-5.3.14-1.mga1
php-sysvsem-5.3.14-1.mga1
php-sysvshm-5.3.14-1.mga1
php-tidy-5.3.14-1.mga1
php-tokenizer-5.3.14-1.mga1
php-xml-5.3.14-1.mga1
php-xmlreader-5.3.14-1.mga1
php-xmlrpc-5.3.14-1.mga1
php-xmlwriter-5.3.14-1.mga1
php-xsl-5.3.14-1.mga1
php-wddx-5.3.14-1.mga1
php-zip-5.3.14-1.mga1

from SRPMS:
php-eaccelerator-0.9.6.1-6.6.mga1.src.rpm
php-gd-bundled-5.3.14-1.mga1.src.rpm
php-ini-5.3.14-1.mga1.src.rpm
php-5.3.14-1.mga1.src.rpm
Comment 4 William Murphy 2012-06-18 13:11:18 CEST 
Repeated the same PoC tests for CVE-2012-2386 and CVE-2012-2143 on mga1 i586 and mga1 x86_64 as was done on bug #6354. No problems found.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt()
in ext/standard/crypt_freesec.c when handling input which contains
characters that can not be represented with 7-bit ASCII. When the input
contains characters with only the most significant bit set (0x80), that
character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in
the way Phar extension of the PHP scripting language processed certain
fields by manipulating TAR files. A remote attacker could provide a
specially-crafted TAR archive file, which once processed in an PHP
application using the Phar extension could lead to denial of service
(application crash), or, potentially arbitary code execution with
the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================

Updated packages in core/updates_testing:
========================
php-eaccelerator-0.9.6.1-6.6.mga1
php-gd-bundled-5.3.14-1.mga1
php-ini-5.3.14-1.mga1
php-cli-5.3.14-1.mga1
php-cgi-5.3.14-1.mga1
php-fpm-5.3.14-1.mga1
apache-mod_php-5.3.14-1.mga1
libphp5_common5-5.3.14-1.mga1
php-devel-5.3.14-1.mga1
php-openssl-5.3.14-1.mga1
php-zlib-5.3.14-1.mga1
php-doc-5.3.14-1.mga1
php-bcmath-5.3.14-1.mga1
php-bz2-5.3.14-1.mga1
php-calendar-5.3.14-1.mga1
php-ctype-5.3.14-1.mga1
php-curl-5.3.14-1.mga1
php-dba-5.3.14-1.mga1
php-dom-5.3.14-1.mga1
php-enchant-5.3.14-1.mga1
php-exif-5.3.14-1.mga1
php-fileinfo-5.3.14-1.mga1
php-filter-5.3.14-1.mga1
php-ftp-5.3.14-1.mga1
php-gd-5.3.14-1.mga1
php-gettext-5.3.14-1.mga1
php-gmp-5.3.14-1.mga1
php-hash-5.3.14-1.mga1
php-iconv-5.3.14-1.mga1
php-imap-5.3.14-1.mga1
php-intl-5.3.14-1.mga1
php-json-5.3.14-1.mga1
php-ldap-5.3.14-1.mga1
php-mbstring-5.3.14-1.mga1
php-mcrypt-5.3.14-1.mga1
php-mssql-5.3.14-1.mga1
php-mysql-5.3.14-1.mga1
php-mysqli-5.3.14-1.mga1
php-mysqlnd-5.3.14-1.mga1
php-odbc-5.3.14-1.mga1
php-pcntl-5.3.14-1.mga1
php-pdo-5.3.14-1.mga1
php-pdo_dblib-5.3.14-1.mga1
php-pdo_mysql-5.3.14-1.mga1
php-pdo_odbc-5.3.14-1.mga1
php-pdo_pgsql-5.3.14-1.mga1
php-pdo_sqlite-5.3.14-1.mga1
php-pgsql-5.3.14-1.mga1
php-phar-5.3.14-1.mga1
php-posix-5.3.14-1.mga1
php-pspell-5.3.14-1.mga1
php-readline-5.3.14-1.mga1
php-recode-5.3.14-1.mga1
php-session-5.3.14-1.mga1
php-shmop-5.3.14-1.mga1
php-snmp-5.3.14-1.mga1
php-soap-5.3.14-1.mga1
php-sockets-5.3.14-1.mga1
php-sqlite3-5.3.14-1.mga1
php-sqlite-5.3.14-1.mga1
php-sybase_ct-5.3.14-1.mga1
php-sysvmsg-5.3.14-1.mga1
php-sysvsem-5.3.14-1.mga1
php-sysvshm-5.3.14-1.mga1
php-tidy-5.3.14-1.mga1
php-tokenizer-5.3.14-1.mga1
php-xml-5.3.14-1.mga1
php-xmlreader-5.3.14-1.mga1
php-xmlrpc-5.3.14-1.mga1
php-xmlwriter-5.3.14-1.mga1
php-xsl-5.3.14-1.mga1
php-wddx-5.3.14-1.mga1
php-zip-5.3.14-1.mga1

from SRPMS:
php-eaccelerator-0.9.6.1-6.6.mga1.src.rpm
php-gd-bundled-5.3.14-1.mga1.src.rpm
php-ini-5.3.14-1.mga1.src.rpm
php-5.3.14-1.mga1.src.rpm

-------------------------------------------

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
-------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => mga1-32-OK, mga1-64-OK

Comment 5 Thomas Backlund 2012-06-19 19:39:44 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0118

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED