Bug 10456 - php new security issue CVE-2013-2110
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/553812/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update

Reported: 2013-06-07 21:01 CEST by David Walser
Modified: 2014-05-08 18:07 CEST

Source RPM: php

Description David Walser 2013-06-07 21:01:01 CEST
Upstream has released PHP 5.4.16 and 5.3.26 on June 6:
http://php.net/archive/2013.php#id2013-06-06-2

This fixes a security issue CVE-2013-2110, as well as other bugs.

Mageia 2 and Mageia 3 are also affected.

Comment 1 Oden Eriksson 2013-06-09 10:08:15 CEST
Fixed in mga2, mga3 updates_testing and in cauldron.
Comment 2 David Walser 2013-06-09 23:11:32 CEST
Thanks Oden!

Advisory:
========================

Updated php packages fix security vulnerability:

Heap based buffer overflow in quoted_printable_encode() in PHP before versions
5.3.26 and 5.4.16 (CVE-2013-2110).

This update provides PHP versions 5.3.26 for Mageia 2 and 5.4.16 for Mageia 3,
which fix this as well as several other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110
http://www.php.net/ChangeLog-5.php
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.26-1.mga2
php-cli-5.3.26-1.mga2
php-cgi-5.3.26-1.mga2
php-fpm-5.3.26-1.mga2
apache-mod_php-5.3.26-1.mga2
libphp5_common5-5.3.26-1.mga2
php-devel-5.3.26-1.mga2
php-openssl-5.3.26-1.mga2
php-zlib-5.3.26-1.mga2
php-bcmath-5.3.26-1.mga2
php-bz2-5.3.26-1.mga2
php-calendar-5.3.26-1.mga2
php-ctype-5.3.26-1.mga2
php-curl-5.3.26-1.mga2
php-dba-5.3.26-1.mga2
php-dom-5.3.26-1.mga2
php-enchant-5.3.26-1.mga2
php-exif-5.3.26-1.mga2
php-fileinfo-5.3.26-1.mga2
php-filter-5.3.26-1.mga2
php-ftp-5.3.26-1.mga2
php-gd-5.3.26-1.mga2
php-gettext-5.3.26-1.mga2
php-gmp-5.3.26-1.mga2
php-hash-5.3.26-1.mga2
php-iconv-5.3.26-1.mga2
php-imap-5.3.26-1.mga2
php-intl-5.3.26-1.mga2
php-json-5.3.26-1.mga2
php-ldap-5.3.26-1.mga2
php-mbstring-5.3.26-1.mga2
php-mcrypt-5.3.26-1.mga2
php-mssql-5.3.26-1.mga2
php-mysql-5.3.26-1.mga2
php-mysqli-5.3.26-1.mga2
php-mysqlnd-5.3.26-1.mga2
php-odbc-5.3.26-1.mga2
php-pcntl-5.3.26-1.mga2
php-pdo-5.3.26-1.mga2
php-pdo_dblib-5.3.26-1.mga2
php-pdo_mysql-5.3.26-1.mga2
php-pdo_odbc-5.3.26-1.mga2
php-pdo_pgsql-5.3.26-1.mga2
php-pdo_sqlite-5.3.26-1.mga2
php-pgsql-5.3.26-1.mga2
php-phar-5.3.26-1.mga2
php-posix-5.3.26-1.mga2
php-readline-5.3.26-1.mga2
php-recode-5.3.26-1.mga2
php-session-5.3.26-1.mga2
php-shmop-5.3.26-1.mga2
php-snmp-5.3.26-1.mga2
php-soap-5.3.26-1.mga2
php-sockets-5.3.26-1.mga2
php-sqlite3-5.3.26-1.mga2
php-sqlite-5.3.26-1.mga2
php-sybase_ct-5.3.26-1.mga2
php-sysvmsg-5.3.26-1.mga2
php-sysvsem-5.3.26-1.mga2
php-sysvshm-5.3.26-1.mga2
php-tidy-5.3.26-1.mga2
php-tokenizer-5.3.26-1.mga2
php-xml-5.3.26-1.mga2
php-xmlreader-5.3.26-1.mga2
php-xmlrpc-5.3.26-1.mga2
php-xmlwriter-5.3.26-1.mga2
php-xsl-5.3.26-1.mga2
php-wddx-5.3.26-1.mga2
php-zip-5.3.26-1.mga2
php-apc-3.1.13-1.8.mga2
php-apc-admin-3.1.13-1.8.mga2
php-eaccelerator-0.9.6.1-10.10.mga2
php-eaccelerator-admin-0.9.6.1-10.10.mga2
php-gd-bundled-5.3.26-1.mga2
php-timezonedb-2013.3-1.mga2
php-firebird-5.3.26-1.mga2
php-pdo_firebird-5.3.26-1.mga2
php-ini-5.4.16-1.mga3
apache-mod_php-5.4.16-1.mga3
php-cli-5.4.16-1.mga3
php-cgi-5.4.16-1.mga3
libphp5_common5-5.4.16-1.mga3
php-devel-5.4.16-1.mga3
php-openssl-5.4.16-1.mga3
php-zlib-5.4.16-1.mga3
php-doc-5.4.16-1.mga3
php-bcmath-5.4.16-1.mga3
php-bz2-5.4.16-1.mga3
php-calendar-5.4.16-1.mga3
php-ctype-5.4.16-1.mga3
php-curl-5.4.16-1.mga3
php-dba-5.4.16-1.mga3
php-dom-5.4.16-1.mga3
php-enchant-5.4.16-1.mga3
php-exif-5.4.16-1.mga3
php-fileinfo-5.4.16-1.mga3
php-filter-5.4.16-1.mga3
php-ftp-5.4.16-1.mga3
php-gd-5.4.16-1.mga3
php-gettext-5.4.16-1.mga3
php-gmp-5.4.16-1.mga3
php-hash-5.4.16-1.mga3
php-iconv-5.4.16-1.mga3
php-imap-5.4.16-1.mga3
php-interbase-5.4.16-1.mga3
php-intl-5.4.16-1.mga3
php-json-5.4.16-1.mga3
php-ldap-5.4.16-1.mga3
php-mbstring-5.4.16-1.mga3
php-mcrypt-5.4.16-1.mga3
php-mssql-5.4.16-1.mga3
php-mysql-5.4.16-1.mga3
php-mysqli-5.4.16-1.mga3
php-mysqlnd-5.4.16-1.mga3
php-odbc-5.4.16-1.mga3
php-pcntl-5.4.16-1.mga3
php-pdo-5.4.16-1.mga3
php-pdo_dblib-5.4.16-1.mga3
php-pdo_firebird-5.4.16-1.mga3
php-pdo_mysql-5.4.16-1.mga3
php-pdo_odbc-5.4.16-1.mga3
php-pdo_pgsql-5.4.16-1.mga3
php-pdo_sqlite-5.4.16-1.mga3
php-pgsql-5.4.16-1.mga3
php-phar-5.4.16-1.mga3
php-posix-5.4.16-1.mga3
php-readline-5.4.16-1.mga3
php-recode-5.4.16-1.mga3
php-session-5.4.16-1.mga3
php-shmop-5.4.16-1.mga3
php-snmp-5.4.16-1.mga3
php-soap-5.4.16-1.mga3
php-sockets-5.4.16-1.mga3
php-sqlite3-5.4.16-1.mga3
php-sybase_ct-5.4.16-1.mga3
php-sysvmsg-5.4.16-1.mga3
php-sysvsem-5.4.16-1.mga3
php-sysvshm-5.4.16-1.mga3
php-tidy-5.4.16-1.mga3
php-tokenizer-5.4.16-1.mga3
php-xml-5.4.16-1.mga3
php-xmlreader-5.4.16-1.mga3
php-xmlrpc-5.4.16-1.mga3
php-xmlwriter-5.4.16-1.mga3
php-xsl-5.4.16-1.mga3
php-wddx-5.4.16-1.mga3
php-zip-5.4.16-1.mga3
php-fpm-5.4.16-1.mga3
php-apc-3.1.14-7.1.mga3
php-apc-admin-3.1.14-7.1.mga3
php-gd-bundled-5.4.16-1.mga3
php-timezonedb-2013.3-1.mga3

from SRPMS:
php-5.3.26-1.mga2.src.rpm
php-apc-3.1.13-1.8.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.10.mga2.src.rpm
php-gd-bundled-5.3.26-1.mga2.src.rpm
php-timezonedb-2013.3-1.mga2.src.rpm
php-firebird-5.3.26-1.mga2.src.rpm
php-pdo_firebird-5.3.26-1.mga2.src.rpm
php-5.4.16-1.mga3.src.rpm
php-apc-3.1.14-7.1.mga3.src.rpm
php-gd-bundled-5.4.16-1.mga3.src.rpm
php-timezonedb-2013.3-1.mga3.src.rpm
Comment 3 Oden Eriksson 2013-06-10 14:27:35 CEST
Funny, I can't reproduce the CVE-2013-2110 flaw. No crash at least.

PoC from ext/standard/tests/strings/bug64879.phpt

<?php
// Every 0xF4 byte is not printable ASCII, so quoted-printable encodes it as
// the three-character sequence =F4; a long run of such bytes makes the
// encoder's output several times larger than its input.
quoted_printable_encode(str_repeat("\xf4", 1000));
quoted_printable_encode(str_repeat("\xf4", 100000));
?>

Additionally RH has some insights (NOTABUG) about this at:

https://bugzilla.redhat.com/show_bug.cgi?id=964969
Comment 4 David Walser 2013-06-10 15:22:30 CEST
My interpretation of what RH said is that they did issue updates to fix this in Fedora, but the vulnerability was introduced in a later version than what they shipped in RHEL, so they're not vulnerable there.
Comment 5 claire robinson 2013-06-10 16:27:34 CEST
PoC: https://bugs.php.net/bug.php?id=64879

Changing some settings in /etc/php.ini so errors are displayed, tested using php-cli.

display_startup_errors = On


Testing mga3 64

Before
------
# php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
Segmentation fault

After
-----
# php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
#

Tested with several webapps (phpmyadmin, php-apc, zoneminder) and some basic test scripts.
Comment 6 claire robinson 2013-06-10 16:28:56 CEST
Tested also mga2 32 but it doesn't seem vulnerable so not sure the update is necessary.
Comment 7 claire robinson 2013-06-10 16:29:17 CEST
mid-air collisions, sorry.
Comment 8 David Walser 2013-06-10 17:15:16 CEST
I think the commit that introduced it has been identified; it'd be nice to know which PHP 5.3.x version first contained it.  We'll have to look into it.  If it turns out to really not be vulnerable, we could still do it as a bugfix update with a MGAA for mga2.
Comment 9 claire robinson 2013-06-11 14:14:41 CEST
It doesn't seem to be vulnerable, playing with this a bit further..

Mga3 32
# grep ^display_ /etc/php.ini
display_errors = Off
display_startup_errors = Off

# php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
Segmentation fault

Mga2 32
# grep ^display_ /etc/php.ini
display_errors = On
display_startup_errors = On

# php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
# php -r 'quoted_printable_encode(str_repeat("\xf4", 100000));'
# php -r 'quoted_printable_encode(str_repeat("\xf4", 10000000));'
# php -r 'quoted_printable_encode(str_repeat("\xf4", 100000000));'

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 312000003 bytes) in Command line code on line 1


I'll test mga3 32 so we're ready to go with that until a decision is made for mga2.
Comment 10 Oden Eriksson 2013-06-11 15:05:37 CEST
This affects 5.4.x only as the offending commit was not applied for 5.2.x.

http://git.php.net/?p=php-src.git;a=commitdiff;h=18bb426587d62f93c54c40bf8535eb8416603629
https://bugs.php.net/bug.php?id=62462

Additionally applying this for 5.2.x does not trigger the CVE-2013-2110 flaw.
Comment 11 claire robinson 2013-06-11 15:56:17 CEST
Testing complete mga3 32

Confirmed the cve is closed and tested with owncloud, phpmyadmin, php-apc and a couple of basic test scripts.

Do you want to release an update for mga2? It is not vulnerable to the CVE so is not 'necessary' at this time.

If not then this can be validated for mga3 now.
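The two checks used in this bug, the version range from the advisory and the upstream PoC run under php-cli as in comments 5 and 9, collected into one script. This is an added example, not part of the Mageia bug, the Mageia packages or PHP upstream. It assumes, following comments 10 and 12, that only 5.4.x builds before 5.4.16 are in the affected range (5.3.x is treated as not affected, matching what comment 9 observed on Mageia 2), and that a crashing PoC is reported by a POSIX shell as exit status 139 (128 + SIGSEGV), which is the "Segmentation fault" seen in comment 5. The function names and the version-string handling are this example's own.

```shell
#!/bin/sh
# Added example: checker for CVE-2013-2110 built from the checks in this bug.
# Not from the Mageia bug or from PHP upstream.
#
# Assumptions (from comments 10 and 12):
#   - affected range is 5.4.0 .. 5.4.15; 5.3.x is treated as not affected;
#   - a PoC crash shows up as exit status 139 (128 + SIGSEGV).

# php_version_affected VERSION
# Succeeds (exit 0) when VERSION is in 5.4.0 .. 5.4.15. A package suffix
# such as "-1.mga3" and a pre-release tag such as "RC1" are ignored.
php_version_affected() {
    ver=${1%%-*}                 # "5.4.16-1.mga3" -> "5.4.16"
    old_ifs=$IFS
    IFS=.
    set -- $ver                  # split on "." into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}
    minor=${2:-0}
    patch=${3:-0}
    patch=${patch%%[!0-9]*}      # "16RC1" -> "16"
    if [ "$major" = 5 ] && [ "$minor" = 4 ] && [ "${patch:-0}" -lt 16 ]; then
        return 0
    fi
    return 1
}

# poc_verdict EXIT_STATUS
# Map the exit status of the PoC run to a verdict.
poc_verdict() {
    case "$1" in
        0)   echo fixed ;;
        139) echo vulnerable ;;                 # 128 + SIGSEGV(11)
        *)   echo "inconclusive (exit $1)" ;;
    esac
}

# run_poc [PHP_BINARY]
# Run the first line of the bug64879.phpt PoC under php-cli, as in comment 5,
# and print the verdict. Prints "no-php" when no php binary is found.
run_poc() {
    php_bin=${1:-php}
    if ! command -v "$php_bin" >/dev/null 2>&1; then
        echo "no-php"
        return 0
    fi
    status=0
    "$php_bin" -r 'quoted_printable_encode(str_repeat("\xf4", 1000));' \
        >/dev/null 2>&1 || status=$?
    poc_verdict "$status"
}

# Stand-alone run: version strings taken from this bug, then the php in PATH.
for v in 5.4.15 5.4.16-1.mga3 5.3.26-1.mga2; do
    if php_version_affected "$v"; then
        echo "$v: in the affected range"
    else
        echo "$v: not in the affected range"
    fi
done
echo "PoC run: $(run_poc)"
```

A clean PoC run only shows that this particular build does not crash on that input; the 5.3.x question in this bug was settled by checking whether the commit that introduced the bug was present in the branch (comment 10), not by the PoC alone. The exit status mapping assumes php is invoked directly; a wrapper script between the shell and the php binary may report a crash differently.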
Comment 12 David Walser 2013-06-11 18:51:41 CEST
Thanks Claire and Oden.

Let's go ahead and validate this for Mageia 3 now.

For Mageia 2, we might as well do it too, as the work's been done, and we've issued bugfix updates for PHP in the past.  I'll open a new bug for that to give more time for QA testing on it (which I may be able to help with when I have time).

Advisory:
========================

Updated php packages fix security vulnerability:

Heap based buffer overflow in quoted_printable_encode() in PHP before version
5.4.16 (CVE-2013-2110).

This update provides PHP version 5.4.16 which fixes this as well as several
other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110
http://www.php.net/ChangeLog-5.php
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.16-1.mga3
apache-mod_php-5.4.16-1.mga3
php-cli-5.4.16-1.mga3
php-cgi-5.4.16-1.mga3
libphp5_common5-5.4.16-1.mga3
php-devel-5.4.16-1.mga3
php-openssl-5.4.16-1.mga3
php-zlib-5.4.16-1.mga3
php-doc-5.4.16-1.mga3
php-bcmath-5.4.16-1.mga3
php-bz2-5.4.16-1.mga3
php-calendar-5.4.16-1.mga3
php-ctype-5.4.16-1.mga3
php-curl-5.4.16-1.mga3
php-dba-5.4.16-1.mga3
php-dom-5.4.16-1.mga3
php-enchant-5.4.16-1.mga3
php-exif-5.4.16-1.mga3
php-fileinfo-5.4.16-1.mga3
php-filter-5.4.16-1.mga3
php-ftp-5.4.16-1.mga3
php-gd-5.4.16-1.mga3
php-gettext-5.4.16-1.mga3
php-gmp-5.4.16-1.mga3
php-hash-5.4.16-1.mga3
php-iconv-5.4.16-1.mga3
php-imap-5.4.16-1.mga3
php-interbase-5.4.16-1.mga3
php-intl-5.4.16-1.mga3
php-json-5.4.16-1.mga3
php-ldap-5.4.16-1.mga3
php-mbstring-5.4.16-1.mga3
php-mcrypt-5.4.16-1.mga3
php-mssql-5.4.16-1.mga3
php-mysql-5.4.16-1.mga3
php-mysqli-5.4.16-1.mga3
php-mysqlnd-5.4.16-1.mga3
php-odbc-5.4.16-1.mga3
php-pcntl-5.4.16-1.mga3
php-pdo-5.4.16-1.mga3
php-pdo_dblib-5.4.16-1.mga3
php-pdo_firebird-5.4.16-1.mga3
php-pdo_mysql-5.4.16-1.mga3
php-pdo_odbc-5.4.16-1.mga3
php-pdo_pgsql-5.4.16-1.mga3
php-pdo_sqlite-5.4.16-1.mga3
php-pgsql-5.4.16-1.mga3
php-phar-5.4.16-1.mga3
php-posix-5.4.16-1.mga3
php-readline-5.4.16-1.mga3
php-recode-5.4.16-1.mga3
php-session-5.4.16-1.mga3
php-shmop-5.4.16-1.mga3
php-snmp-5.4.16-1.mga3
php-soap-5.4.16-1.mga3
php-sockets-5.4.16-1.mga3
php-sqlite3-5.4.16-1.mga3
php-sybase_ct-5.4.16-1.mga3
php-sysvmsg-5.4.16-1.mga3
php-sysvsem-5.4.16-1.mga3
php-sysvshm-5.4.16-1.mga3
php-tidy-5.4.16-1.mga3
php-tokenizer-5.4.16-1.mga3
php-xml-5.4.16-1.mga3
php-xmlreader-5.4.16-1.mga3
php-xmlrpc-5.4.16-1.mga3
php-xmlwriter-5.4.16-1.mga3
php-xsl-5.4.16-1.mga3
php-wddx-5.4.16-1.mga3
php-zip-5.4.16-1.mga3
php-fpm-5.4.16-1.mga3
php-apc-3.1.14-7.1.mga3
php-apc-admin-3.1.14-7.1.mga3
php-gd-bundled-5.4.16-1.mga3
php-timezonedb-2013.3-1.mga3

from SRPMS:
php-5.4.16-1.mga3.src.rpm
php-apc-3.1.14-7.1.mga3.src.rpm
php-gd-bundled-5.4.16-1.mga3.src.rpm
php-timezonedb-2013.3-1.mga3.src.rpm
Comment 13 David Walser 2013-06-11 18:52:20 CEST
Bug 10492 filed for the Mageia 2 update.
Comment 14 claire robinson 2013-06-11 19:32:50 CEST
Validating then, thanks.

Advisory & srpm in comment 12

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!
Comment 15 Nicolas Vigier 2013-06-18 17:13:27 CEST
http://advisories.mageia.org/MGASA-2013-0172.html
Comment 16 David Walser 2013-07-16 19:34:51 CEST
This update also fixes CVE-2013-4635:
http://lwn.net/Vulnerabilities/559055/
Comment 17 claire robinson 2013-07-16 20:15:08 CEST
Advisory updated.
Comment 18 claire robinson 2013-07-16 21:04:04 CEST
The advisory on the website hasn't updated, Sysadmin any ideas please?

http://advisories.mageia.org/MGASA-2013-0172.html
Comment 19 David Walser 2013-07-16 21:32:34 CEST
The advisory on the website looks updated to me.
