Bug 10760 - php new security issue CVE-2013-4113
Summary: php new security issue CVE-2013-4113
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/558918/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update
Depends on: 10797
Blocks:
Reported: 2013-07-12 01:00 CEST by David Walser
Modified: 2013-08-05 12:22 CEST (History)

See Also:
Source RPM: php-5.3.27-1.mga2.src.rpm
CVE:
Status comment:



Description David Walser 2013-07-12 01:00:17 CEST
PHP 5.3.27 has been released today (July 11), fixing a security issue:
http://openwall.com/lists/oss-security/2013/07/11/6

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-07-12 10:35:10 CEST
* Fixed bug #65236 (heap corruption in xml parser).

Additionally the php-timezonedb package has been upgraded to the latest version (2013.4).

References:

http://www.php.net/ChangeLog-5.php#5.3.27
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6

Note: 5.3.27 is probably the last bugfix version, and only security releases will be made from now on until the final EOL, which is unknown at this point.

http://php.net/releases/5_3_20.php <- this was the previous EOL statement.

URL: (none) => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113

Comment 2 Oden Eriksson 2013-07-12 10:50:18 CEST
All packages have been built now.
Comment 3 David Walser 2013-07-12 12:56:15 CEST
Assigning to QA.

Advisory:
========================

Updated php packages fix security vulnerability:

* Fixed bug #65236 (heap corruption in xml parser).

Additionally the php-timezonedb package has been upgraded to the latest
version (2013.4).

References:
http://www.php.net/ChangeLog-5.php#5.3.27
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.27-1.mga2
php-cli-5.3.27-1.mga2
php-cgi-5.3.27-1.mga2
php-fpm-5.3.27-1.mga2
apache-mod_php-5.3.27-1.mga2
libphp5_common5-5.3.27-1.mga2
php-devel-5.3.27-1.mga2
php-openssl-5.3.27-1.mga2
php-zlib-5.3.27-1.mga2
php-bcmath-5.3.27-1.mga2
php-bz2-5.3.27-1.mga2
php-calendar-5.3.27-1.mga2
php-ctype-5.3.27-1.mga2
php-curl-5.3.27-1.mga2
php-dba-5.3.27-1.mga2
php-dom-5.3.27-1.mga2
php-enchant-5.3.27-1.mga2
php-exif-5.3.27-1.mga2
php-fileinfo-5.3.27-1.mga2
php-filter-5.3.27-1.mga2
php-ftp-5.3.27-1.mga2
php-gd-5.3.27-1.mga2
php-gettext-5.3.27-1.mga2
php-gmp-5.3.27-1.mga2
php-hash-5.3.27-1.mga2
php-iconv-5.3.27-1.mga2
php-imap-5.3.27-1.mga2
php-intl-5.3.27-1.mga2
php-json-5.3.27-1.mga2
php-ldap-5.3.27-1.mga2
php-mbstring-5.3.27-1.mga2
php-mcrypt-5.3.27-1.mga2
php-mssql-5.3.27-1.mga2
php-mysql-5.3.27-1.mga2
php-mysqli-5.3.27-1.mga2
php-mysqlnd-5.3.27-1.mga2
php-odbc-5.3.27-1.mga2
php-pcntl-5.3.27-1.mga2
php-pdo-5.3.27-1.mga2
php-pdo_dblib-5.3.27-1.mga2
php-pdo_mysql-5.3.27-1.mga2
php-pdo_odbc-5.3.27-1.mga2
php-pdo_pgsql-5.3.27-1.mga2
php-pdo_sqlite-5.3.27-1.mga2
php-pgsql-5.3.27-1.mga2
php-phar-5.3.27-1.mga2
php-posix-5.3.27-1.mga2
php-readline-5.3.27-1.mga2
php-recode-5.3.27-1.mga2
php-session-5.3.27-1.mga2
php-shmop-5.3.27-1.mga2
php-snmp-5.3.27-1.mga2
php-soap-5.3.27-1.mga2
php-sockets-5.3.27-1.mga2
php-sqlite3-5.3.27-1.mga2
php-sqlite-5.3.27-1.mga2
php-sybase_ct-5.3.27-1.mga2
php-sysvmsg-5.3.27-1.mga2
php-sysvsem-5.3.27-1.mga2
php-sysvshm-5.3.27-1.mga2
php-tidy-5.3.27-1.mga2
php-tokenizer-5.3.27-1.mga2
php-xml-5.3.27-1.mga2
php-xmlreader-5.3.27-1.mga2
php-xmlrpc-5.3.27-1.mga2
php-xmlwriter-5.3.27-1.mga2
php-xsl-5.3.27-1.mga2
php-wddx-5.3.27-1.mga2
php-zip-5.3.27-1.mga2
php-apc-3.1.13-1.9.mga2
php-apc-admin-3.1.13-1.9.mga2
php-eaccelerator-0.9.6.1-10.11.mga2
php-eaccelerator-admin-0.9.6.1-10.11.mga2
php-firebird-5.3.27-1.mga2
php-gd-bundled-5.3.27-1.mga2
php-pdo_firebird-5.3.27-1.mga2
php-timezonedb-2013.4-1.mga2

from SRPMS:
php-5.3.27-1.mga2.src.rpm
php-apc-3.1.13-1.9.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.11.mga2.src.rpm
php-firebird-5.3.27-1.mga2.src.rpm
php-gd-bundled-5.3.27-1.mga2.src.rpm
php-pdo_firebird-5.3.27-1.mga2.src.rpm
php-timezonedb-2013.4-1.mga2.src.rpm

CC: (none) => oe
Assignee: oe => qa-bugs

Comment 4 claire robinson 2013-07-12 16:10:57 CEST
It's been assigned CVE-2013-4113
http://www.openwall.com/lists/oss-security/2013/07/11/6

Testing mga2 32 with the PoC in https://bugs.php.net/bug.php?id=65236
gdb shows a segfault.


Before
------

$ gdb php
GNU gdb (GDB) 7.3.50.20110722-4.mga2 (Mageia release 2)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) run -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
Starting program: /usr/bin/php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i686/libthread_db.so.1".
[New Thread 0xb6c6eb70 (LWP 16292)]
[Thread 0xb6c6eb70 (LWP 16292) exited]

Program received signal SIGSEGV, Segmentation fault.
0xb7e40a08 in _zend_hash_index_update_or_next_insert () from /usr/lib/libphp5_common.so.5
(gdb) bt
#0  0xb7e40a08 in _zend_hash_index_update_or_next_insert () from /usr/lib/libphp5_common.so.5
#1  0xb6d81c99 in _xml_startElementHandler () from /usr/lib/php/extensions/xml.so
#2  0xb6d82679 in ?? () from /usr/lib/php/extensions/xml.so
#3  0xb78eb31a in ?? () from /usr/lib/libxml2.so.2
#4  0xb78f49f2 in ?? () from /usr/lib/libxml2.so.2
#5  0xb78f5e97 in xmlParseChunk () from /usr/lib/libxml2.so.2
#6  0xb6d832e3 in php_XML_Parse () from /usr/lib/php/extensions/xml.so
#7  0xb6d7e5a7 in zif_xml_parse_into_struct () from /usr/lib/php/extensions/xml.so
#8  0xb7ed2b5c in execute_internal () from /usr/lib/libphp5_common.so.5
#9  0xb6c816a9 in ?? () from /usr/lib/php/extensions/suhosin.so
#10 0xb7ec9b67 in ?? () from /usr/lib/libphp5_common.so.5
#11 0xb7e5fc06 in execute () from /usr/lib/libphp5_common.so.5
#12 0xb6c82821 in ?? () from /usr/lib/php/extensions/suhosin.so
#13 0xb7e24a18 in zend_eval_stringl () from /usr/lib/libphp5_common.so.5
#14 0xb7e24c04 in zend_eval_stringl_ex () from /usr/lib/libphp5_common.so.5
#15 0xb7e24cb2 in zend_eval_string_ex () from /usr/lib/libphp5_common.so.5
#16 0x0804b5d0 in main ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 16289] will be killed.

Quit anyway? (y or n) y



After
-----
$ gdb php
GNU gdb (GDB) 7.3.50.20110722-4.mga2 (Mageia release 2)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) run -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
Starting program: /usr/bin/php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i686/libthread_db.so.1".
[New Thread 0xb6c6eb70 (LWP 17853)]
[Thread 0xb6c6eb70 (LWP 17853) exited]
[Inferior 1 (process 17849) exited normally]
(gdb) quit

Tested with some webapps and simple test scripts and appears OK.

Whiteboard: (none) => has_procedure mga2-32-ok

Comment 5 David Walser 2013-07-12 16:17:08 CEST
Whoops, sorry, I forgot the CVE in the advisory.  Thanks Claire.

Advisory:
========================

Updated php packages fix security vulnerability:

* Fixed PHP bug #65236 (heap corruption in xml parser) (CVE-2013-4113).

Additionally the php-timezonedb package has been upgraded to the latest
version (2013.4).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
http://www.php.net/ChangeLog-5.php#5.3.27
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.27-1.mga2
php-cli-5.3.27-1.mga2
php-cgi-5.3.27-1.mga2
php-fpm-5.3.27-1.mga2
apache-mod_php-5.3.27-1.mga2
libphp5_common5-5.3.27-1.mga2
php-devel-5.3.27-1.mga2
php-openssl-5.3.27-1.mga2
php-zlib-5.3.27-1.mga2
php-bcmath-5.3.27-1.mga2
php-bz2-5.3.27-1.mga2
php-calendar-5.3.27-1.mga2
php-ctype-5.3.27-1.mga2
php-curl-5.3.27-1.mga2
php-dba-5.3.27-1.mga2
php-dom-5.3.27-1.mga2
php-enchant-5.3.27-1.mga2
php-exif-5.3.27-1.mga2
php-fileinfo-5.3.27-1.mga2
php-filter-5.3.27-1.mga2
php-ftp-5.3.27-1.mga2
php-gd-5.3.27-1.mga2
php-gettext-5.3.27-1.mga2
php-gmp-5.3.27-1.mga2
php-hash-5.3.27-1.mga2
php-iconv-5.3.27-1.mga2
php-imap-5.3.27-1.mga2
php-intl-5.3.27-1.mga2
php-json-5.3.27-1.mga2
php-ldap-5.3.27-1.mga2
php-mbstring-5.3.27-1.mga2
php-mcrypt-5.3.27-1.mga2
php-mssql-5.3.27-1.mga2
php-mysql-5.3.27-1.mga2
php-mysqli-5.3.27-1.mga2
php-mysqlnd-5.3.27-1.mga2
php-odbc-5.3.27-1.mga2
php-pcntl-5.3.27-1.mga2
php-pdo-5.3.27-1.mga2
php-pdo_dblib-5.3.27-1.mga2
php-pdo_mysql-5.3.27-1.mga2
php-pdo_odbc-5.3.27-1.mga2
php-pdo_pgsql-5.3.27-1.mga2
php-pdo_sqlite-5.3.27-1.mga2
php-pgsql-5.3.27-1.mga2
php-phar-5.3.27-1.mga2
php-posix-5.3.27-1.mga2
php-readline-5.3.27-1.mga2
php-recode-5.3.27-1.mga2
php-session-5.3.27-1.mga2
php-shmop-5.3.27-1.mga2
php-snmp-5.3.27-1.mga2
php-soap-5.3.27-1.mga2
php-sockets-5.3.27-1.mga2
php-sqlite3-5.3.27-1.mga2
php-sqlite-5.3.27-1.mga2
php-sybase_ct-5.3.27-1.mga2
php-sysvmsg-5.3.27-1.mga2
php-sysvsem-5.3.27-1.mga2
php-sysvshm-5.3.27-1.mga2
php-tidy-5.3.27-1.mga2
php-tokenizer-5.3.27-1.mga2
php-xml-5.3.27-1.mga2
php-xmlreader-5.3.27-1.mga2
php-xmlrpc-5.3.27-1.mga2
php-xmlwriter-5.3.27-1.mga2
php-xsl-5.3.27-1.mga2
php-wddx-5.3.27-1.mga2
php-zip-5.3.27-1.mga2
php-apc-3.1.13-1.9.mga2
php-apc-admin-3.1.13-1.9.mga2
php-eaccelerator-0.9.6.1-10.11.mga2
php-eaccelerator-admin-0.9.6.1-10.11.mga2
php-firebird-5.3.27-1.mga2
php-gd-bundled-5.3.27-1.mga2
php-pdo_firebird-5.3.27-1.mga2
php-timezonedb-2013.4-1.mga2

from SRPMS:
php-5.3.27-1.mga2.src.rpm
php-apc-3.1.13-1.9.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.11.mga2.src.rpm
php-firebird-5.3.27-1.mga2.src.rpm
php-gd-bundled-5.3.27-1.mga2.src.rpm
php-pdo_firebird-5.3.27-1.mga2.src.rpm
php-timezonedb-2013.4-1.mga2.src.rpm
Comment 6 David Walser 2013-07-15 23:03:01 CEST
Mandriva has issued an advisory for this on July 12:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:195/

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113 => http://lwn.net/Vulnerabilities/558918/

Comment 7 Oden Eriksson 2013-07-16 12:26:16 CEST
Note: 5.4.x is also affected. PoC:

php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $b);'
Comment 8 Oden Eriksson 2013-07-16 15:15:59 CEST
======================================================
Name: CVE-2013-4113
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commit;h=7d163e8a0880ae8af2dd869071393e5dc07ef271
Reference: CONFIRM:http://php.net/ChangeLog-5.php
Reference: CONFIRM:http://php.net/archive/2013.php#id2013-07-11-1
Reference: CONFIRM:https://bugs.php.net/bug.php?id=65236
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=983689

ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing
depth, which allows remote attackers to cause a denial of service
(heap memory corruption) or possibly have unspecified other impact via
a crafted document that is processed by the xml_parse_into_struct
function.
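The CVE text above names the bug class: a fixed-size array of per-level open-tag slots written at an index derived from the nesting depth, with no check that the depth is still inside the array, which is what the str_repeat("<blah>", 1000) PoC in comment 4 drives past its end. The C program below is an added illustration, not PHP's ext/xml/xml.c and not the upstream patch. It models that handler with an assumed small limit (MAXLEVEL 8 rather than PHP's real constant), counts how many start tags an unchecked handler would have written beyond the array for a given document, and shows the bounded handler that refuses to index past the limit, which is the shape of the upstream fix. The tag scanner is a constructed stand-in for libxml2 and only understands plain <name> and </name> tags.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling the CVE-2013-4113 bug class; not PHP's ext/xml/xml.c.
 * PHP's xml parser kept one open-tag slot per nesting level in a fixed-size
 * heap array and indexed it with the current depth. MAXLEVEL is an assumed
 * small limit so the effect is visible on tiny input. */
#define MAXLEVEL 8

struct tag_stack {
    int level;                    /* nesting depth, may exceed MAXLEVEL */
    int max_stored;               /* deepest level that actually got a slot */
    int refused;                  /* start tags turned away by the bound check */
    const char *ltags[MAXLEVEL];  /* open tag per level, slots 0..MAXLEVEL-1 */
};

/* Bounded start-element handler. The vulnerable handler did the equivalent of
 *   ltags[++level - 1] = name;
 * for every start tag, so nesting deeper than MAXLEVEL writes past the heap
 * array. Checking the depth before touching the array is the shape of the
 * upstream fix (PHP also emits a "Maximum depth exceeded" warning). Every
 * refused tag here is one out-of-bounds write the unchecked code would make. */
int start_element(struct tag_stack *s, const char *name)
{
    if (++s->level > MAXLEVEL) {
        s->refused++;
        return -1;
    }
    s->ltags[s->level - 1] = name;
    if (s->level > s->max_stored)
        s->max_stored = s->level;
    return 0;
}

/* Matching end handler: only levels that received a slot have one to clear. */
void end_element(struct tag_stack *s)
{
    if (s->level <= 0)
        return;
    if (s->level <= MAXLEVEL)
        s->ltags[s->level - 1] = NULL;
    s->level--;
}

/* Constructed stand-in for the libxml2 SAX driver: handles <name> and </name>
 * only, ignores attributes and text. Returns -1 on an unterminated tag. */
int scan_tags(const char *doc, struct tag_stack *s)
{
    const char *p = doc;
    while ((p = strchr(p, '<')) != NULL) {
        const char *close = strchr(p, '>');
        if (close == NULL)
            return -1;
        if (p[1] == '/')
            end_element(s);
        else
            start_element(s, p + 1);
        p = close + 1;
    }
    return 0;
}

/* Equivalent of PHP's str_repeat(tag, n); caller frees. */
char *repeat_tag(const char *tag, int n)
{
    size_t len = strlen(tag);
    char *buf = malloc(len * (size_t)n + 1);
    if (buf == NULL)
        return NULL;
    for (int i = 0; i < n; i++)
        memcpy(buf + (size_t)i * len, tag, len);
    buf[len * (size_t)n] = '\0';
    return buf;
}

/* Parse str_repeat(tag, n) with the bounded handler and return the final
 * state. ltags is cleared because the document is freed before returning. */
struct tag_stack parse_repeated(const char *tag, int n)
{
    struct tag_stack s;
    char *doc = repeat_tag(tag, n);
    memset(&s, 0, sizeof s);
    if (doc != NULL) {
        scan_tags(doc, &s);
        free(doc);
    }
    memset(s.ltags, 0, sizeof s.ltags);
    return s;
}

int main(void)
{
    struct tag_stack s = parse_repeated("<blah>", 1000);  /* PoC from bug #65236 */
    printf("unchecked handler would write %d slots past the %d-slot array\n",
           s.refused, MAXLEVEL);
    printf("bounded handler: deepest slot used %d, open depth %d\n",
           s.max_stored, s.level);
    return 0;
}
```

With the PoC document the bounded handler stops storing at slot 8 and reports 992 refused start tags; each of those would have been a write past the end of the array in the unchecked version, which is why a one-line input was enough to corrupt the heap and segfault the interpreter in the gdb session above. Real-world depth limits should be tested at the boundary as well (exactly MAXLEVEL open tags must still succeed, MAXLEVEL+1 must be refused).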
Comment 9 Oden Eriksson 2013-07-16 15:28:51 CEST
php-5.4.17-1.1.mga3 is being built. NOTE. Fedora wrongly tagged this as CVE-2013-4013, CVE-2013-4113 is the correct one.

Also, this patch has a test case as well.
Comment 10 claire robinson 2013-07-16 17:11:48 CEST
Testing complete mga2 64. This one is ready to be validated Oden, could you create a new bug for the mga3 update please.

Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok

Comment 11 claire robinson 2013-07-16 17:26:41 CEST
Validating. Advisory from comment 5 uploaded.

Could sysadmin please push from 2 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2013-07-18 09:12:17 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0216.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Source RPM: php-5.3.26-1.mga2.src.rpm => php-5.3.27-1.mga2.src.rpm

David Walser 2013-07-22 18:33:25 CEST

Depends on: (none) => 10797

Comment 13 David Walser 2013-08-05 11:22:48 CEST
As Oden pointed out on IRC, only the php SRPM was actually pushed to updates.

The others are still in updates_testing and should be pushed:
php-apc-3.1.13-1.9.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.11.mga2.src.rpm
php-firebird-5.3.27-1.mga2.src.rpm
php-gd-bundled-5.3.27-1.mga2.src.rpm
php-pdo_firebird-5.3.27-1.mga2.src.rpm
php-timezonedb-2013.4-1.mga2.src.rpm

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 14 Thomas Backlund 2013-08-05 12:22:18 CEST
ok, me screwed up :/

fixed now.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

