Upstream has released PHP 5.4.16 and 5.3.26 on June 6:
http://php.net/archive/2013.php#id2013-06-06-2

This fixes a security issue, CVE-2013-2110, as well as other bugs. Mageia 2 and Mageia 3 are also affected.
Whiteboard: (none) => MGA3TOO, MGA2TOO
Fixed in mga2, mga3 updates_testing and in cauldron.
Thanks Oden!

Advisory:
========================

Updated php packages fix security vulnerability:

Heap based buffer overflow in quoted_printable_encode() in PHP before versions 5.3.26 and 5.4.16 (CVE-2013-2110).

This update provides PHP versions 5.3.26 for Mageia 2 and 5.4.16 for Mageia 3, which fix this as well as several other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110
http://www.php.net/ChangeLog-5.php
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.26-1.mga2
php-cli-5.3.26-1.mga2
php-cgi-5.3.26-1.mga2
php-fpm-5.3.26-1.mga2
apache-mod_php-5.3.26-1.mga2
libphp5_common5-5.3.26-1.mga2
php-devel-5.3.26-1.mga2
php-openssl-5.3.26-1.mga2
php-zlib-5.3.26-1.mga2
php-bcmath-5.3.26-1.mga2
php-bz2-5.3.26-1.mga2
php-calendar-5.3.26-1.mga2
php-ctype-5.3.26-1.mga2
php-curl-5.3.26-1.mga2
php-dba-5.3.26-1.mga2
php-dom-5.3.26-1.mga2
php-enchant-5.3.26-1.mga2
php-exif-5.3.26-1.mga2
php-fileinfo-5.3.26-1.mga2
php-filter-5.3.26-1.mga2
php-ftp-5.3.26-1.mga2
php-gd-5.3.26-1.mga2
php-gettext-5.3.26-1.mga2
php-gmp-5.3.26-1.mga2
php-hash-5.3.26-1.mga2
php-iconv-5.3.26-1.mga2
php-imap-5.3.26-1.mga2
php-intl-5.3.26-1.mga2
php-json-5.3.26-1.mga2
php-ldap-5.3.26-1.mga2
php-mbstring-5.3.26-1.mga2
php-mcrypt-5.3.26-1.mga2
php-mssql-5.3.26-1.mga2
php-mysql-5.3.26-1.mga2
php-mysqli-5.3.26-1.mga2
php-mysqlnd-5.3.26-1.mga2
php-odbc-5.3.26-1.mga2
php-pcntl-5.3.26-1.mga2
php-pdo-5.3.26-1.mga2
php-pdo_dblib-5.3.26-1.mga2
php-pdo_mysql-5.3.26-1.mga2
php-pdo_odbc-5.3.26-1.mga2
php-pdo_pgsql-5.3.26-1.mga2
php-pdo_sqlite-5.3.26-1.mga2
php-pgsql-5.3.26-1.mga2
php-phar-5.3.26-1.mga2
php-posix-5.3.26-1.mga2
php-readline-5.3.26-1.mga2
php-recode-5.3.26-1.mga2
php-session-5.3.26-1.mga2
php-shmop-5.3.26-1.mga2
php-snmp-5.3.26-1.mga2
php-soap-5.3.26-1.mga2
php-sockets-5.3.26-1.mga2
php-sqlite3-5.3.26-1.mga2
php-sqlite-5.3.26-1.mga2
php-sybase_ct-5.3.26-1.mga2
php-sysvmsg-5.3.26-1.mga2
php-sysvsem-5.3.26-1.mga2
php-sysvshm-5.3.26-1.mga2
php-tidy-5.3.26-1.mga2
php-tokenizer-5.3.26-1.mga2
php-xml-5.3.26-1.mga2
php-xmlreader-5.3.26-1.mga2
php-xmlrpc-5.3.26-1.mga2
php-xmlwriter-5.3.26-1.mga2
php-xsl-5.3.26-1.mga2
php-wddx-5.3.26-1.mga2
php-zip-5.3.26-1.mga2
php-apc-3.1.13-1.8.mga2
php-apc-admin-3.1.13-1.8.mga2
php-eaccelerator-0.9.6.1-10.10.mga2
php-eaccelerator-admin-0.9.6.1-10.10.mga2
php-gd-bundled-5.3.26-1.mga2
php-timezonedb-2013.3-1.mga2
php-firebird-5.3.26-1.mga2
php-pdo_firebird-5.3.26-1.mga2

php-ini-5.4.16-1.mga3
apache-mod_php-5.4.16-1.mga3
php-cli-5.4.16-1.mga3
php-cgi-5.4.16-1.mga3
libphp5_common5-5.4.16-1.mga3
php-devel-5.4.16-1.mga3
php-openssl-5.4.16-1.mga3
php-zlib-5.4.16-1.mga3
php-doc-5.4.16-1.mga3
php-bcmath-5.4.16-1.mga3
php-bz2-5.4.16-1.mga3
php-calendar-5.4.16-1.mga3
php-ctype-5.4.16-1.mga3
php-curl-5.4.16-1.mga3
php-dba-5.4.16-1.mga3
php-dom-5.4.16-1.mga3
php-enchant-5.4.16-1.mga3
php-exif-5.4.16-1.mga3
php-fileinfo-5.4.16-1.mga3
php-filter-5.4.16-1.mga3
php-ftp-5.4.16-1.mga3
php-gd-5.4.16-1.mga3
php-gettext-5.4.16-1.mga3
php-gmp-5.4.16-1.mga3
php-hash-5.4.16-1.mga3
php-iconv-5.4.16-1.mga3
php-imap-5.4.16-1.mga3
php-interbase-5.4.16-1.mga3
php-intl-5.4.16-1.mga3
php-json-5.4.16-1.mga3
php-ldap-5.4.16-1.mga3
php-mbstring-5.4.16-1.mga3
php-mcrypt-5.4.16-1.mga3
php-mssql-5.4.16-1.mga3
php-mysql-5.4.16-1.mga3
php-mysqli-5.4.16-1.mga3
php-mysqlnd-5.4.16-1.mga3
php-odbc-5.4.16-1.mga3
php-pcntl-5.4.16-1.mga3
php-pdo-5.4.16-1.mga3
php-pdo_dblib-5.4.16-1.mga3
php-pdo_firebird-5.4.16-1.mga3
php-pdo_mysql-5.4.16-1.mga3
php-pdo_odbc-5.4.16-1.mga3
php-pdo_pgsql-5.4.16-1.mga3
php-pdo_sqlite-5.4.16-1.mga3
php-pgsql-5.4.16-1.mga3
php-phar-5.4.16-1.mga3
php-posix-5.4.16-1.mga3
php-readline-5.4.16-1.mga3
php-recode-5.4.16-1.mga3
php-session-5.4.16-1.mga3
php-shmop-5.4.16-1.mga3
php-snmp-5.4.16-1.mga3
php-soap-5.4.16-1.mga3
php-sockets-5.4.16-1.mga3
php-sqlite3-5.4.16-1.mga3
php-sybase_ct-5.4.16-1.mga3
php-sysvmsg-5.4.16-1.mga3
php-sysvsem-5.4.16-1.mga3
php-sysvshm-5.4.16-1.mga3
php-tidy-5.4.16-1.mga3
php-tokenizer-5.4.16-1.mga3
php-xml-5.4.16-1.mga3
php-xmlreader-5.4.16-1.mga3
php-xmlrpc-5.4.16-1.mga3
php-xmlwriter-5.4.16-1.mga3
php-xsl-5.4.16-1.mga3
php-wddx-5.4.16-1.mga3
php-zip-5.4.16-1.mga3
php-fpm-5.4.16-1.mga3
php-apc-3.1.14-7.1.mga3
php-apc-admin-3.1.14-7.1.mga3
php-gd-bundled-5.4.16-1.mga3
php-timezonedb-2013.3-1.mga3

from SRPMS:
php-5.3.26-1.mga2.src.rpm
php-apc-3.1.13-1.8.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.10.mga2.src.rpm
php-gd-bundled-5.3.26-1.mga2.src.rpm
php-timezonedb-2013.3-1.mga2.src.rpm
php-firebird-5.3.26-1.mga2.src.rpm
php-pdo_firebird-5.3.26-1.mga2.src.rpm

php-5.4.16-1.mga3.src.rpm
php-apc-3.1.14-7.1.mga3.src.rpm
php-gd-bundled-5.4.16-1.mga3.src.rpm
php-timezonedb-2013.3-1.mga3.src.rpm
CC: (none) => oe
Version: Cauldron => 3
Assignee: oe => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Funny, I can't reproduce the CVE-2013-2110 flaw. No crash at least.

PoC from ext/standard/tests/strings/bug64879.phpt:

    <?php
    quoted_printable_encode(str_repeat("\xf4", 1000));
    quoted_printable_encode(str_repeat("\xf4", 100000));
    ?>

Additionally RH has some insights (NOTABUG) about this at:
https://bugzilla.redhat.com/show_bug.cgi?id=964969
My interpretation of what RH said is that they did issue updates to fix this in Fedora, but the vulnerability was introduced in a later version than what they shipped in RHEL, so they're not vulnerable there.
PoC: https://bugs.php.net/bug.php?id=64879

Changing some settings in /etc/php.ini so errors are displayed, tested using php-cli:

    display_startup_errors = On

Testing mga3 64

Before
------
    # php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
    Segmentation fault

After
-----
    # php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
    #

Tested with several webapps (phpmyadmin, php-apc, zoneminder) and some basic test scripts.
Tested also mga2 32 but it doesn't seem vulnerable so not sure the update is necessary.
mid-air collisions, sorry.
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok
I think the commit that introduced it has been identified; it'd be nice to know which PHP 5.3.x version first contained it. We'll have to look into it. If it turns out to really not be vulnerable, we could still do it as a bugfix update with a MGAA for mga2.
It doesn't seem to be vulnerable, playing with this a bit further..

Mga3 32

    # grep ^display_ /etc/php.ini
    display_errors = Off
    display_startup_errors = Off
    # php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
    Segmentation fault

Mga2 32

    # grep ^display_ /etc/php.ini
    display_errors = On
    display_startup_errors = On
    # php -r 'quoted_printable_encode(str_repeat("\xf4", 1000));'
    # php -r 'quoted_printable_encode(str_repeat("\xf4", 100000));'
    # php -r 'quoted_printable_encode(str_repeat("\xf4", 10000000));'
    # php -r 'quoted_printable_encode(str_repeat("\xf4", 100000000));'
    Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 312000003 bytes) in Command line code on line 1

I'll test mga3 32 so we're ready to go with that until a decision is made for mga2.
This affects 5.4.x only as the offending commit was not applied for 5.2.x.

http://git.php.net/?p=php-src.git;a=commitdiff;h=18bb426587d62f93c54c40bf8535eb8416603629
https://bugs.php.net/bug.php?id=62462

Additionally applying this for 5.2.x does not trigger the CVE-2013-2110 flaw.
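As an added illustration of the class of bug under discussion (this is example code, not PHP's source and not part of this bug report): a minimal quoted-printable encoder in C that emits the RFC 2045 soft line breaks the bug-62462 change added, together with two output-size bounds. The bound 3*len + 1 is enough for an encoder that never wraps; once "=\r\n" breaks are inserted it is too small, and a capacity check inside the encoder is what turns an undersized buffer into a clean failure rather than a heap overflow. The bound arithmetic is this example's own assumption, not PHP's formula; the 1000-byte run of 0xF4 mirrors the PoC quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 2045: an encoded line is at most 76 characters including the trailing
 * '=' of a soft line break, so at most 75 characters of payload per line. */
#define QP_MAXLINE 76

/* Bound for an encoder WITHOUT soft line breaks: every input byte may become
 * "=XX" (3 bytes), plus the NUL. This is the pre-wrapping assumption. */
size_t qp_bound_no_wrap(size_t len) {
    return 3 * len + 1;
}

/* Bound for an encoder WITH soft line breaks. A line may hold as few as
 * QP_MAXLINE - 3 payload characters (when a 3-byte escape no longer fits),
 * and every break costs 3 bytes ("=\r\n"). This formula is the example's
 * assumption, not PHP's own. */
size_t qp_bound_wrap(size_t len) {
    size_t payload = 3 * len;
    size_t breaks = payload / (QP_MAXLINE - 3) + 1;
    return payload + 3 * breaks + 1;
}

/* Encode len bytes of in into out (capacity cap), inserting "=\r\n" before a
 * character that would push the line past QP_MAXLINE - 1 payload characters.
 * Returns bytes written (excluding NUL), or (size_t)-1 if cap is too small.
 * Without that check an undersized buffer is simply overrun. Input CR/LF and
 * trailing whitespace are treated as ordinary bytes to keep the example short. */
size_t qp_encode(const unsigned char *in, size_t len, char *out, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0, col = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int literal = (c >= 33 && c <= 126 && c != '=') || c == ' ' || c == '\t';
        size_t need = literal ? 1 : 3;
        if (col + need > QP_MAXLINE - 1) {
            if (o + 3 > cap) return (size_t)-1;
            out[o++] = '='; out[o++] = '\r'; out[o++] = '\n';
            col = 0;
        }
        if (o + need > cap) return (size_t)-1;
        if (literal) {
            out[o++] = (char)c;
        } else {
            out[o++] = '='; out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0F];
        }
        col += need;
    }
    if (o + 1 > cap) return (size_t)-1;
    out[o] = '\0';
    return o;
}

/* Mirror the PoC shape: n bytes of 0xF4 (constructed input), output buffer
 * sized by the given bound. Returns bytes written, or (size_t)-1 when the
 * bound was too small for the wrapped output. */
size_t encode_poc_with_bound(size_t n, size_t (*bound)(size_t)) {
    unsigned char *in = malloc(n ? n : 1);
    size_t cap = bound(n);
    char *out = malloc(cap);
    size_t w = (size_t)-1;
    if (in && out) {
        memset(in, 0xF4, n);
        w = qp_encode(in, n, out, cap);
    }
    free(in);
    free(out);
    return w;
}

/* Encode a NUL-terminated string into a wrap-bound buffer and return the
 * output length; plain ASCII needs no escapes, '=' becomes "=3D". */
size_t encode_ascii_len(const char *s) {
    size_t len = strlen(s);
    size_t cap = qp_bound_wrap(len);
    char *out = malloc(cap);
    size_t w = out ? qp_encode((const unsigned char *)s, len, out, cap) : (size_t)-1;
    free(out);
    return w;
}

int main(void) {
    size_t bad = encode_poc_with_bound(1000, qp_bound_no_wrap);
    size_t good = encode_poc_with_bound(1000, qp_bound_wrap);
    printf("3*len+1 bound: %s\n", bad == (size_t)-1 ? "too small (would overflow)" : "ok");
    printf("wrap-aware bound: %zu bytes written\n", good);
    return 0;
}
```

With 1000 bytes of 0xF4 the wrapped output is 3000 payload bytes plus 39 soft breaks, 3117 bytes in all, which is well past the 3001-byte no-wrap bound; the 100000-byte variant of the PoC overruns by the same proportion.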
Testing complete mga3 32

Confirmed the CVE is closed and tested with owncloud, phpmyadmin, php-apc and a couple of basic test scripts.

Do you want to release an update for mga2? It is not vulnerable to the CVE so is not 'necessary' at this time. If not then this can be validated for mga3 now.
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok
Thanks Claire and Oden. Let's go ahead and validate this for Mageia 3 now.

For Mageia 2, we might as well do it too, as the work's been done, and we've issued bugfix updates for PHP in the past. I'll open a new bug for that to give more time for QA testing on it (which I may be able to help with when I have time).

Advisory:
========================

Updated php packages fix security vulnerability:

Heap based buffer overflow in quoted_printable_encode() in PHP before version 5.4.16 (CVE-2013-2110).

This update provides PHP version 5.4.16 which fixes this as well as several other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110
http://www.php.net/ChangeLog-5.php
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.16-1.mga3
apache-mod_php-5.4.16-1.mga3
php-cli-5.4.16-1.mga3
php-cgi-5.4.16-1.mga3
libphp5_common5-5.4.16-1.mga3
php-devel-5.4.16-1.mga3
php-openssl-5.4.16-1.mga3
php-zlib-5.4.16-1.mga3
php-doc-5.4.16-1.mga3
php-bcmath-5.4.16-1.mga3
php-bz2-5.4.16-1.mga3
php-calendar-5.4.16-1.mga3
php-ctype-5.4.16-1.mga3
php-curl-5.4.16-1.mga3
php-dba-5.4.16-1.mga3
php-dom-5.4.16-1.mga3
php-enchant-5.4.16-1.mga3
php-exif-5.4.16-1.mga3
php-fileinfo-5.4.16-1.mga3
php-filter-5.4.16-1.mga3
php-ftp-5.4.16-1.mga3
php-gd-5.4.16-1.mga3
php-gettext-5.4.16-1.mga3
php-gmp-5.4.16-1.mga3
php-hash-5.4.16-1.mga3
php-iconv-5.4.16-1.mga3
php-imap-5.4.16-1.mga3
php-interbase-5.4.16-1.mga3
php-intl-5.4.16-1.mga3
php-json-5.4.16-1.mga3
php-ldap-5.4.16-1.mga3
php-mbstring-5.4.16-1.mga3
php-mcrypt-5.4.16-1.mga3
php-mssql-5.4.16-1.mga3
php-mysql-5.4.16-1.mga3
php-mysqli-5.4.16-1.mga3
php-mysqlnd-5.4.16-1.mga3
php-odbc-5.4.16-1.mga3
php-pcntl-5.4.16-1.mga3
php-pdo-5.4.16-1.mga3
php-pdo_dblib-5.4.16-1.mga3
php-pdo_firebird-5.4.16-1.mga3
php-pdo_mysql-5.4.16-1.mga3
php-pdo_odbc-5.4.16-1.mga3
php-pdo_pgsql-5.4.16-1.mga3
php-pdo_sqlite-5.4.16-1.mga3
php-pgsql-5.4.16-1.mga3
php-phar-5.4.16-1.mga3
php-posix-5.4.16-1.mga3
php-readline-5.4.16-1.mga3
php-recode-5.4.16-1.mga3
php-session-5.4.16-1.mga3
php-shmop-5.4.16-1.mga3
php-snmp-5.4.16-1.mga3
php-soap-5.4.16-1.mga3
php-sockets-5.4.16-1.mga3
php-sqlite3-5.4.16-1.mga3
php-sybase_ct-5.4.16-1.mga3
php-sysvmsg-5.4.16-1.mga3
php-sysvsem-5.4.16-1.mga3
php-sysvshm-5.4.16-1.mga3
php-tidy-5.4.16-1.mga3
php-tokenizer-5.4.16-1.mga3
php-xml-5.4.16-1.mga3
php-xmlreader-5.4.16-1.mga3
php-xmlrpc-5.4.16-1.mga3
php-xmlwriter-5.4.16-1.mga3
php-xsl-5.4.16-1.mga3
php-wddx-5.4.16-1.mga3
php-zip-5.4.16-1.mga3
php-fpm-5.4.16-1.mga3
php-apc-3.1.14-7.1.mga3
php-apc-admin-3.1.14-7.1.mga3
php-gd-bundled-5.4.16-1.mga3
php-timezonedb-2013.3-1.mga3

from SRPMS:
php-5.4.16-1.mga3.src.rpm
php-apc-3.1.14-7.1.mga3.src.rpm
php-gd-bundled-5.4.16-1.mga3.src.rpm
php-timezonedb-2013.3-1.mga3.src.rpm
Bug 10492 filed for the Mageia 2 update.
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3-32-ok => has_procedure mga3-64-ok mga3-32-ok
Validating then, thanks.

Advisory & srpm in comment 12

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/553812/
http://advisories.mageia.org/MGASA-2013-0172.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
This update also fixes CVE-2013-4635:
http://lwn.net/Vulnerabilities/559055/
Advisory updated.
The advisory on the website hasn't updated, Sysadmin any ideas please?
http://advisories.mageia.org/MGASA-2013-0172.html
The advisory on the website looks updated to me.
CC: boklm => (none)