PHP 5.3.27 has been released today (July 11), fixing a security issue: http://openwall.com/lists/oss-security/2013/07/11/6
* Fixed bug #65236 (heap corruption in xml parser).

Additionally, the php-timezonedb package has been upgraded to the latest version (2013.4).

References:
http://www.php.net/ChangeLog-5.php#5.3.27
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6

Note: 5.3.27 is probably the last bugfix version; only security releases will be made from now on until the final EOL, which is unknown at this point. http://php.net/releases/5_3_20.php <- this was the previous EOL statement.
URL: (none) => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
All packages have been built now.
Assigning to QA.

Advisory:
========================

Updated php packages fix security vulnerability:

* Fixed bug #65236 (heap corruption in xml parser).

Additionally, the php-timezonedb package has been upgraded to the latest version (2013.4).

References:
http://www.php.net/ChangeLog-5.php#5.3.27
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.27-1.mga2
php-cli-5.3.27-1.mga2
php-cgi-5.3.27-1.mga2
php-fpm-5.3.27-1.mga2
apache-mod_php-5.3.27-1.mga2
libphp5_common5-5.3.27-1.mga2
php-devel-5.3.27-1.mga2
php-openssl-5.3.27-1.mga2
php-zlib-5.3.27-1.mga2
php-bcmath-5.3.27-1.mga2
php-bz2-5.3.27-1.mga2
php-calendar-5.3.27-1.mga2
php-ctype-5.3.27-1.mga2
php-curl-5.3.27-1.mga2
php-dba-5.3.27-1.mga2
php-dom-5.3.27-1.mga2
php-enchant-5.3.27-1.mga2
php-exif-5.3.27-1.mga2
php-fileinfo-5.3.27-1.mga2
php-filter-5.3.27-1.mga2
php-ftp-5.3.27-1.mga2
php-gd-5.3.27-1.mga2
php-gettext-5.3.27-1.mga2
php-gmp-5.3.27-1.mga2
php-hash-5.3.27-1.mga2
php-iconv-5.3.27-1.mga2
php-imap-5.3.27-1.mga2
php-intl-5.3.27-1.mga2
php-json-5.3.27-1.mga2
php-ldap-5.3.27-1.mga2
php-mbstring-5.3.27-1.mga2
php-mcrypt-5.3.27-1.mga2
php-mssql-5.3.27-1.mga2
php-mysql-5.3.27-1.mga2
php-mysqli-5.3.27-1.mga2
php-mysqlnd-5.3.27-1.mga2
php-odbc-5.3.27-1.mga2
php-pcntl-5.3.27-1.mga2
php-pdo-5.3.27-1.mga2
php-pdo_dblib-5.3.27-1.mga2
php-pdo_mysql-5.3.27-1.mga2
php-pdo_odbc-5.3.27-1.mga2
php-pdo_pgsql-5.3.27-1.mga2
php-pdo_sqlite-5.3.27-1.mga2
php-pgsql-5.3.27-1.mga2
php-phar-5.3.27-1.mga2
php-posix-5.3.27-1.mga2
php-readline-5.3.27-1.mga2
php-recode-5.3.27-1.mga2
php-session-5.3.27-1.mga2
php-shmop-5.3.27-1.mga2
php-snmp-5.3.27-1.mga2
php-soap-5.3.27-1.mga2
php-sockets-5.3.27-1.mga2
php-sqlite3-5.3.27-1.mga2
php-sqlite-5.3.27-1.mga2
php-sybase_ct-5.3.27-1.mga2
php-sysvmsg-5.3.27-1.mga2
php-sysvsem-5.3.27-1.mga2
php-sysvshm-5.3.27-1.mga2
php-tidy-5.3.27-1.mga2
php-tokenizer-5.3.27-1.mga2
php-xml-5.3.27-1.mga2
php-xmlreader-5.3.27-1.mga2
php-xmlrpc-5.3.27-1.mga2
php-xmlwriter-5.3.27-1.mga2
php-xsl-5.3.27-1.mga2
php-wddx-5.3.27-1.mga2
php-zip-5.3.27-1.mga2
php-apc-3.1.13-1.9.mga2
php-apc-admin-3.1.13-1.9.mga2
php-eaccelerator-0.9.6.1-10.11.mga2
php-eaccelerator-admin-0.9.6.1-10.11.mga2
php-firebird-5.3.27-1.mga2
php-gd-bundled-5.3.27-1.mga2
php-pdo_firebird-5.3.27-1.mga2
php-timezonedb-2013.4-1.mga2

from SRPMS:
php-5.3.27-1.mga2.src.rpm
php-apc-3.1.13-1.9.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.11.mga2.src.rpm
php-firebird-5.3.27-1.mga2.src.rpm
php-gd-bundled-5.3.27-1.mga2.src.rpm
php-pdo_firebird-5.3.27-1.mga2.src.rpm
php-timezonedb-2013.4-1.mga2.src.rpm
CC: (none) => oe
Assignee: oe => qa-bugs
It's been assigned CVE-2013-4113
http://www.openwall.com/lists/oss-security/2013/07/11/6

Testing mga2 32 with the PoC in https://bugs.php.net/bug.php?id=65236, gdb shows a segfault.

Before
------
$ gdb php
GNU gdb (GDB) 7.3.50.20110722-4.mga2 (Mageia release 2)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) run -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
Starting program: /usr/bin/php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i686/libthread_db.so.1".
[New Thread 0xb6c6eb70 (LWP 16292)]
[Thread 0xb6c6eb70 (LWP 16292) exited]

Program received signal SIGSEGV, Segmentation fault.
0xb7e40a08 in _zend_hash_index_update_or_next_insert () from /usr/lib/libphp5_common.so.5
(gdb) bt
#0  0xb7e40a08 in _zend_hash_index_update_or_next_insert () from /usr/lib/libphp5_common.so.5
#1  0xb6d81c99 in _xml_startElementHandler () from /usr/lib/php/extensions/xml.so
#2  0xb6d82679 in ?? () from /usr/lib/php/extensions/xml.so
#3  0xb78eb31a in ?? () from /usr/lib/libxml2.so.2
#4  0xb78f49f2 in ?? () from /usr/lib/libxml2.so.2
#5  0xb78f5e97 in xmlParseChunk () from /usr/lib/libxml2.so.2
#6  0xb6d832e3 in php_XML_Parse () from /usr/lib/php/extensions/xml.so
#7  0xb6d7e5a7 in zif_xml_parse_into_struct () from /usr/lib/php/extensions/xml.so
#8  0xb7ed2b5c in execute_internal () from /usr/lib/libphp5_common.so.5
#9  0xb6c816a9 in ?? () from /usr/lib/php/extensions/suhosin.so
#10 0xb7ec9b67 in ?? () from /usr/lib/libphp5_common.so.5
#11 0xb7e5fc06 in execute () from /usr/lib/libphp5_common.so.5
#12 0xb6c82821 in ?? () from /usr/lib/php/extensions/suhosin.so
#13 0xb7e24a18 in zend_eval_stringl () from /usr/lib/libphp5_common.so.5
#14 0xb7e24c04 in zend_eval_stringl_ex () from /usr/lib/libphp5_common.so.5
#15 0xb7e24cb2 in zend_eval_string_ex () from /usr/lib/libphp5_common.so.5
#16 0x0804b5d0 in main ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 16289] will be killed.

Quit anyway? (y or n) y

After
-----
$ gdb php
GNU gdb (GDB) 7.3.50.20110722-4.mga2 (Mageia release 2)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) run -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
Starting program: /usr/bin/php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i686/libthread_db.so.1".
[New Thread 0xb6c6eb70 (LWP 17853)]
[Thread 0xb6c6eb70 (LWP 17853) exited]
[Inferior 1 (process 17849) exited normally]
(gdb) quit

Tested with some webapps and simple test scripts and it appears OK.
Whiteboard: (none) => has_procedure mga2-32-ok
Whoops, sorry, I forgot the CVE in the advisory. Thanks Claire.

Advisory:
========================

Updated php packages fix security vulnerability:

* Fixed PHP bug #65236 (heap corruption in xml parser) (CVE-2013-4113).

Additionally, the php-timezonedb package has been upgraded to the latest version (2013.4).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
http://www.php.net/ChangeLog-5.php#5.3.27
https://bugs.php.net/bug.php?id=65236
http://www.openwall.com/lists/oss-security/2013/07/11/6
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.27-1.mga2
php-cli-5.3.27-1.mga2
php-cgi-5.3.27-1.mga2
php-fpm-5.3.27-1.mga2
apache-mod_php-5.3.27-1.mga2
libphp5_common5-5.3.27-1.mga2
php-devel-5.3.27-1.mga2
php-openssl-5.3.27-1.mga2
php-zlib-5.3.27-1.mga2
php-bcmath-5.3.27-1.mga2
php-bz2-5.3.27-1.mga2
php-calendar-5.3.27-1.mga2
php-ctype-5.3.27-1.mga2
php-curl-5.3.27-1.mga2
php-dba-5.3.27-1.mga2
php-dom-5.3.27-1.mga2
php-enchant-5.3.27-1.mga2
php-exif-5.3.27-1.mga2
php-fileinfo-5.3.27-1.mga2
php-filter-5.3.27-1.mga2
php-ftp-5.3.27-1.mga2
php-gd-5.3.27-1.mga2
php-gettext-5.3.27-1.mga2
php-gmp-5.3.27-1.mga2
php-hash-5.3.27-1.mga2
php-iconv-5.3.27-1.mga2
php-imap-5.3.27-1.mga2
php-intl-5.3.27-1.mga2
php-json-5.3.27-1.mga2
php-ldap-5.3.27-1.mga2
php-mbstring-5.3.27-1.mga2
php-mcrypt-5.3.27-1.mga2
php-mssql-5.3.27-1.mga2
php-mysql-5.3.27-1.mga2
php-mysqli-5.3.27-1.mga2
php-mysqlnd-5.3.27-1.mga2
php-odbc-5.3.27-1.mga2
php-pcntl-5.3.27-1.mga2
php-pdo-5.3.27-1.mga2
php-pdo_dblib-5.3.27-1.mga2
php-pdo_mysql-5.3.27-1.mga2
php-pdo_odbc-5.3.27-1.mga2
php-pdo_pgsql-5.3.27-1.mga2
php-pdo_sqlite-5.3.27-1.mga2
php-pgsql-5.3.27-1.mga2
php-phar-5.3.27-1.mga2
php-posix-5.3.27-1.mga2
php-readline-5.3.27-1.mga2
php-recode-5.3.27-1.mga2
php-session-5.3.27-1.mga2
php-shmop-5.3.27-1.mga2
php-snmp-5.3.27-1.mga2
php-soap-5.3.27-1.mga2
php-sockets-5.3.27-1.mga2
php-sqlite3-5.3.27-1.mga2
php-sqlite-5.3.27-1.mga2
php-sybase_ct-5.3.27-1.mga2
php-sysvmsg-5.3.27-1.mga2
php-sysvsem-5.3.27-1.mga2
php-sysvshm-5.3.27-1.mga2
php-tidy-5.3.27-1.mga2
php-tokenizer-5.3.27-1.mga2
php-xml-5.3.27-1.mga2
php-xmlreader-5.3.27-1.mga2
php-xmlrpc-5.3.27-1.mga2
php-xmlwriter-5.3.27-1.mga2
php-xsl-5.3.27-1.mga2
php-wddx-5.3.27-1.mga2
php-zip-5.3.27-1.mga2
php-apc-3.1.13-1.9.mga2
php-apc-admin-3.1.13-1.9.mga2
php-eaccelerator-0.9.6.1-10.11.mga2
php-eaccelerator-admin-0.9.6.1-10.11.mga2
php-firebird-5.3.27-1.mga2
php-gd-bundled-5.3.27-1.mga2
php-pdo_firebird-5.3.27-1.mga2
php-timezonedb-2013.4-1.mga2

from SRPMS:
php-5.3.27-1.mga2.src.rpm
php-apc-3.1.13-1.9.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.11.mga2.src.rpm
php-firebird-5.3.27-1.mga2.src.rpm
php-gd-bundled-5.3.27-1.mga2.src.rpm
php-pdo_firebird-5.3.27-1.mga2.src.rpm
php-timezonedb-2013.4-1.mga2.src.rpm
Mandriva has issued an advisory for this on July 12: http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:195/
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113 => http://lwn.net/Vulnerabilities/558918/
Note: 5.4.x is also affected.

PoC:
php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $b);'
======================================================
Name: CVE-2013-4113
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commit;h=7d163e8a0880ae8af2dd869071393e5dc07ef271
Reference: CONFIRM:http://php.net/ChangeLog-5.php
Reference: CONFIRM:http://php.net/archive/2013.php#id2013-07-11-1
Reference: CONFIRM:https://bugs.php.net/bug.php?id=65236
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=983689

ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.
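The thread verifies the fix in two ways: by package version and by running the PoC under gdb. The script below is an added example (not part of this bug report or of the PHP or Mageia projects) that automates both checks for a given php binary. It assumes only what the thread states: 5.3.x before 5.3.27 and 5.4.x before 5.4.17 are affected, and the PoC crashes a vulnerable interpreter with SIGSEGV. Other PHP branches are deliberately left unclassified, and a clean PoC run is not taken as proof of the fix, since heap corruption does not crash deterministically.

```python
"""Check a PHP install for CVE-2013-4113 (PHP bug #65236).

Two checks, mirroring the thread:
  1. version: is the branch/patch level below the first fixed release?
  2. behaviour: does the PoC from the bug report kill the interpreter?
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, as stated in the thread
# (5.3.27 from the ChangeLog, 5.4.17 from the mga3 build).  Assumption:
# branches not listed here are not classified by this script.
FIXED_IN = {(5, 3): (5, 3, 27), (5, 4): (5, 4, 17)}

# The reproducer posted in the bug report, verbatim.
POC = 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'

_VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)")


def parse_version(php_v_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the first line of `php -v`."""
    m = _VERSION_RE.match(php_v_output.strip())
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_by_version(v: Version) -> Optional[bool]:
    """True/False for the 5.3 and 5.4 branches, None for branches this
    script does not classify (no guess is made for them)."""
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def classify_poc(returncode: int) -> str:
    """A negative returncode from subprocess means the child died on a
    signal (-11 is SIGSEGV on Linux), i.e. the crash the gdb session in
    the thread shows.  'clean' means it exited on its own; because heap
    corruption need not crash, 'clean' alone does not prove the fix is
    present, so pair it with the version check."""
    return "crashed" if returncode < 0 else "clean"


def run_poc(php: str = "php", timeout: float = 30.0) -> Optional[str]:
    """Run the PoC under the given php binary; None if php is not found."""
    if shutil.which(php) is None:
        return None
    proc = subprocess.run([php, "-r", POC], capture_output=True, timeout=timeout)
    return classify_poc(proc.returncode)


def check(php: str = "php") -> dict:
    """Combine both checks into one report dict."""
    report = {"version": None, "vulnerable_by_version": None, "poc": None}
    if shutil.which(php) is None:
        return report
    out = subprocess.run([php, "-v"], capture_output=True, text=True).stdout
    v = parse_version(out)
    report["version"] = v
    if v is not None:
        report["vulnerable_by_version"] = is_vulnerable_by_version(v)
    report["poc"] = run_poc(php)
    return report


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1] if len(sys.argv) > 1 else "php"))
```

Run it as `python3 check_cve_2013_4113.py /usr/bin/php`. On the unpatched mga2 build from the thread you would expect `vulnerable_by_version: True` and `poc: 'crashed'`; on 5.3.27-1.mga2, `False` and `'clean'`. A mismatch between the two checks (old version, clean PoC) is the case the caveat above is about, and should be treated as vulnerable.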
php-5.4.17-1.1.mga3 is being built. NOTE: Fedora wrongly tagged this as CVE-2013-4013; CVE-2013-4113 is the correct one. Also, this patch includes a test case.
Testing complete mga2 64. This one is ready to be validated. Oden, could you create a new bug for the mga3 update please?
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
Validating. Advisory from comment 5 uploaded. Could sysadmin please push from 2 core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0216.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Source RPM: php-5.3.26-1.mga2.src.rpm => php-5.3.27-1.mga2.src.rpm
Depends on: (none) => 10797
As Oden pointed out on IRC, only the php SRPM was actually pushed to updates. The others are still in updates_testing and should be pushed:
php-apc-3.1.13-1.9.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.11.mga2.src.rpm
php-firebird-5.3.27-1.mga2.src.rpm
php-gd-bundled-5.3.27-1.mga2.src.rpm
php-pdo_firebird-5.3.27-1.mga2.src.rpm
php-timezonedb-2013.4-1.mga2.src.rpm
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
ok, me screwed up :/ fixed now.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED