Bug 12842 - php: infinite recursion and OOB parsing PE files (CVE-2014-1943, CVE-2014-2270)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/586789/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on: 12807
Blocks: 13017

Reported: 2014-02-21 17:17 CET by David Walser
Modified: 2014-04-04 19:34 CEST (History)

Source RPM: php

Description David Walser 2014-02-21 17:17:29 CET
+++ This bug was initially created as a clone of Bug #12807 +++

https://bugzilla.redhat.com/show_bug.cgi?id=1065836

" Murray McAllister 2014-02-17 00:58:09 EST

A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

Original report:
http://mx.gw.com/pipermail/file/2014/001327.html"

http://www.debian.org/security/2014/dsa-2861
Comment 1 David Walser 2014-02-21 17:18:39 CET
Here is the upstream PHP commit to fix this:
http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d
Comment 2 David Walser 2014-02-21 17:32:06 CET
PHP also made an additional commit to supposedly fix a memory leak:
http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007

This would also apply to the file package, and Oden has committed it there in Cauldron.  It doesn't appear to have been submitted upstream there yet.
Comment 3 David Walser 2014-03-04 14:49:32 CET
Debian has issued an advisory for this on March 2:
http://www.debian.org/security/2014/dsa-2868
Comment 4 David Walser 2014-03-04 14:52:27 CET
Ubuntu has issued an advisory for this on March 3:
http://www.ubuntu.com/usn/usn-2126-1/

Their advisory also lists some other CVEs that appear to only affect PHP 5.5.x.

They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.
Comment 5 David Walser 2014-03-04 18:39:41 CET
Oden fixed CVE-2013-7226 in MBS but said Mageia didn't need an update for it (not sure why).  LWN reference for the other new CVEs:
http://lwn.net/Vulnerabilities/589252/
Comment 6 David Walser 2014-03-05 01:18:41 CET
Oden also pointed this out to me:
https://bugzilla.redhat.com/show_bug.cgi?id=1072220

As is linked in that bug, PHP has already made a commit to fix it.  A CVE request has not been responded to yet.  file's upstream commit (kind of like the memory leak fix) to fix this may be incomplete.  Once it's sorted out for file, we may need to do another update for that package.
Comment 7 David Walser 2014-03-05 18:16:25 CET
(In reply to David Walser from comment #2)
> PHP also made an additional commit to supposedly fix a memory leak:
> http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007
> 
> This would also apply to the file package, and Oden has committed it there
> in Cauldron.  It doesn't appear to have been submitted upstream there yet.

https://github.com/file/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9

That's the commit to file for this.  There is some discussion on it, but no more commits have been made to address anything there.

(In reply to David Walser from comment #6)
> Oden also pointed this out to me:
> https://bugzilla.redhat.com/show_bug.cgi?id=1072220
> 
> As is linked in that bug, PHP has already made a commit to fix it.  A CVE
> request has not been responded to yet.  file's upstream commit (kind of like
> the memory leak fix) to fix this may be incomplete.  Once it's sorted out
> for file, we may need to do another update for that package.

This got CVE-2014-2270:
http://openwall.com/lists/oss-security/2014/03/05/7

As you can see in the RH bug, there is an additional commit to complete the fix.

Time for another file update :o)
Comment 8 David Walser 2014-03-06 14:20:17 CET
(In reply to David Walser from comment #4)
> Ubuntu has issued an advisory for this on March 3:
> http://www.ubuntu.com/usn/usn-2126-1/
> 
> Their advisory also lists some other CVEs that appear to only affect PHP
> 5.5.x.
> 
> They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.

All of these are issues that affect gd.c in PHP 5.5.x.  They were fixed upstream in 5.5.9.  We shipped 5.5.8 in Mageia 4.  Oden, you previously told me when you updated MBS for this that we didn't need to update Mageia 4.  Why was that?

Also, Ubuntu says CVE-2013-7327 was fixed with the others in 5.5.9, but the upstream changelog says that one was fixed in 5.5.10, and doesn't even mention the last two.

As far as the CVEs in the bug title (CVE-2014-1943, CVE-2014-2270), they are both fixed in 5.5.10.  I believe PHP 5.4.x (Mageia 3) would also be affected for those issues.
Comment 9 Oden Eriksson 2014-03-14 12:17:30 CET
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #4)
> > Ubuntu has issued an advisory for this on March 3:
> > http://www.ubuntu.com/usn/usn-2126-1/
> > 
> > Their advisory also lists some other CVEs that appear to only affect PHP
> > 5.5.x.
> > 
> > They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.
> 
> All of these are issues that affect gd.c in PHP 5.5.x.  They were fixed
> upstream in 5.5.9.  We shipped 5.5.8 in Mageia 4.  Oden, you previously told
> me when you updated MBS for this that we didn't need to update Mageia 4. 
> Why was that?

It concerned the bundled gd lib, not the system one, and php-gd in mg4+ links against system gd.
Comment 10 David Walser 2014-03-14 12:25:24 CET
(In reply to Oden Eriksson from comment #9)
> (In reply to David Walser from comment #8)
> > (In reply to David Walser from comment #4)
> > > Ubuntu has issued an advisory for this on March 3:
> > > http://www.ubuntu.com/usn/usn-2126-1/
> > > 
> > > Their advisory also lists some other CVEs that appear to only affect PHP
> > > 5.5.x.
> > > 
> > > They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.
> > 
> > All of these are issues that affect gd.c in PHP 5.5.x.  They were fixed
> > upstream in 5.5.9.  We shipped 5.5.8 in Mageia 4.  Oden, you previously told
> > me when you updated MBS for this that we didn't need to update Mageia 4. 
> > Why was that?
> 
> It concerned the bundled gd lib, not the system one, and php-gd in mg4+ links
> against system gd.

Ahh, thanks.  So wouldn't that mean that CVE-2013-7327 isn't relevant for us either?
Comment 11 Oden Eriksson 2014-03-14 12:28:25 CET
Frankly, I lost track of this whole mess.
Comment 12 David Walser 2014-03-14 20:26:31 CET
Advisory (Mageia 4):
========================

Updated php packages fix security vulnerabilities:

It was discovered that the file utility contains a flaw in the handling of
"indirect" magic rules in the libmagic library, which leads to an infinite
recursion when trying to determine the file type of certain files
(CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable
Executable (PE) format files, the executable format used on Windows. A
malicious PE file could cause the file utility to crash or, potentially,
execute arbitrary code (CVE-2014-2270).

PHP contains a bundled copy of the file utility's libmagic library, so it was
vulnerable to these issues.  It has been updated to version 5.5.10, which
fixes these issues and several other bugs.

Also, the jsonc, xdebug, and timezonedb PHP PECL modules have been updated to
their newest versions.

Additionally, php-apc has been rebuilt against the updated php package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
http://www.php.net/ChangeLog-5.php#5.5.9
http://www.php.net/ChangeLog-5.php#5.5.10
http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.4
http://pecl.php.net/package-changelog.php?package=xdebug&release=2.2.4
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9
http://advisories.mageia.org/MGASA-2014-0092.html
http://advisories.mageia.org/MGASA-2014-0123.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.10-1.mga4
apache-mod_php-5.5.10-1.mga4
php-cli-5.5.10-1.mga4
php-cgi-5.5.10-1.mga4
libphp5_common5-5.5.10-1.mga4
php-devel-5.5.10-1.mga4
php-openssl-5.5.10-1.mga4
php-zlib-5.5.10-1.mga4
php-doc-5.5.10-1.mga4
php-bcmath-5.5.10-1.mga4
php-bz2-5.5.10-1.mga4
php-calendar-5.5.10-1.mga4
php-ctype-5.5.10-1.mga4
php-curl-5.5.10-1.mga4
php-dba-5.5.10-1.mga4
php-dom-5.5.10-1.mga4
php-enchant-5.5.10-1.mga4
php-exif-5.5.10-1.mga4
php-fileinfo-5.5.10-1.mga4
php-filter-5.5.10-1.mga4
php-ftp-5.5.10-1.mga4
php-gd-5.5.10-1.mga4
php-gettext-5.5.10-1.mga4
php-gmp-5.5.10-1.mga4
php-hash-5.5.10-1.mga4
php-iconv-5.5.10-1.mga4
php-imap-5.5.10-1.mga4
php-interbase-5.5.10-1.mga4
php-intl-5.5.10-1.mga4
php-json-5.5.10-1.mga4
php-ldap-5.5.10-1.mga4
php-mbstring-5.5.10-1.mga4
php-mcrypt-5.5.10-1.mga4
php-mssql-5.5.10-1.mga4
php-mysql-5.5.10-1.mga4
php-mysqli-5.5.10-1.mga4
php-mysqlnd-5.5.10-1.mga4
php-odbc-5.5.10-1.mga4
php-opcache-5.5.10-1.mga4
php-pcntl-5.5.10-1.mga4
php-pdo-5.5.10-1.mga4
php-pdo_dblib-5.5.10-1.mga4
php-pdo_firebird-5.5.10-1.mga4
php-pdo_mysql-5.5.10-1.mga4
php-pdo_odbc-5.5.10-1.mga4
php-pdo_pgsql-5.5.10-1.mga4
php-pdo_sqlite-5.5.10-1.mga4
php-pgsql-5.5.10-1.mga4
php-phar-5.5.10-1.mga4
php-posix-5.5.10-1.mga4
php-readline-5.5.10-1.mga4
php-recode-5.5.10-1.mga4
php-session-5.5.10-1.mga4
php-shmop-5.5.10-1.mga4
php-snmp-5.5.10-1.mga4
php-soap-5.5.10-1.mga4
php-sockets-5.5.10-1.mga4
php-sqlite3-5.5.10-1.mga4
php-sybase_ct-5.5.10-1.mga4
php-sysvmsg-5.5.10-1.mga4
php-sysvsem-5.5.10-1.mga4
php-sysvshm-5.5.10-1.mga4
php-tidy-5.5.10-1.mga4
php-tokenizer-5.5.10-1.mga4
php-xml-5.5.10-1.mga4
php-xmlreader-5.5.10-1.mga4
php-xmlrpc-5.5.10-1.mga4
php-xmlwriter-5.5.10-1.mga4
php-xsl-5.5.10-1.mga4
php-wddx-5.5.10-1.mga4
php-zip-5.5.10-1.mga4
php-fpm-5.5.10-1.mga4
php-apc-3.1.15-4.1.mga4
php-apc-admin-3.1.15-4.1.mga4
php-timezonedb-2013.9-1.mga4
php-xdebug-2.2.4-1.mga4

from SRPMS:
php-5.5.10-1.mga4.src.rpm
php-apc-3.1.15-4.1.mga4.src.rpm
php-timezonedb-2013.9-1.mga4.src.rpm
php-xdebug-2.2.4-1.mga4.src.rpm
Comment 13 David Walser 2014-03-19 12:37:00 CET
timezonedb has been updated to php-timezonedb-2014.1-1.mga4 by Oden.
Comment 14 David Walser 2014-03-27 18:33:11 CET
Oden, is CVE-2013-7345 relevant to our PHP version in Mageia 4?
http://lwn.net/Vulnerabilities/592275/

RedHat has a link to the PHP commit in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1079846
Comment 15 claire robinson 2014-03-31 16:14:41 CEST
There is a PoC for the file issue CVE-2014-1943 using the testcase attached to bug 12807 saved as 'test' and the php script below saved as fileinfo.php.

<?php
$finfo = new finfo();
$fileinfo = $finfo->file('test', FILEINFO_MIME);
?>

$ php fileinfo.php
Segmentation fault
Comment 16 claire robinson 2014-03-31 18:13:50 CEST
Testing complete mga4 64

After the update, php fileinfo.php shows no output but doesn't segfault or take excess cpu/time.

Tested with phpmyadmin & zoneminder

Browsed to http://localhost/php-apc and logged in with the password which I set in /etc/php-apc/config.php

Checked php-xdebug left debug info in /var/log/httpd/error_log when using the various webapps.

Checked php-timezonedb with:

# php -r 'echo date("l, F d, Y h:i:s A" ,time()). "\n";'
Monday, March 31, 2014 04:13:36 PM
Comment 17 David Walser 2014-04-04 17:16:53 CEST
Installed php-cli and php-fileinfo from before and reproduced the segfault in Comment 15.  Installed the updated packages and no more segfault.  php-timezonedb seems fine with the example from Comment 16.  Currently running these updated packages on my Mageia 4 i586 Moodle server, which seems to be working fine.  I think this can be validated.
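The reproduce-then-verify procedure in comments 15 to 17 (segfault before the update, clean exit with no runaway CPU after it) can be scripted so that the same check runs identically on both architectures. The POSIX shell harness below is an added example and is not part of this bug, the Mageia packages or the PHP/file projects. It assumes GNU coreutils `timeout` is installed and, for the usage line in the trailing comment, that the `test` sample and fileinfo.php from comment 15 sit in the current directory; the probe command and time limit are arbitrary.

```shell
#!/bin/sh
# Added regression harness (not part of the Mageia bug or of PHP/file):
# runs a probe command under a wall-clock limit and classifies the outcome
# the way the QA comments do by hand. A segfault means the vulnerable
# libmagic is still in use (CVE-2014-2270 style crash), a timeout stands in
# for the infinite-recursion / 100% CPU case (CVE-2014-1943), and a clean
# exit is what the fixed packages should produce. Requires GNU `timeout`.

# classify_exit STATUS -> prints one of: ok | timeout | segfault | error
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        124) echo timeout ;;   # GNU timeout's own exit code for an expired limit
        139) echo segfault ;;  # 128 + SIGSEGV (11), as the shell reports it
        *)   echo error ;;     # any other non-zero exit (missing file, php error, ...)
    esac
}

# run_probe SECONDS CMD [ARGS...] -> prints the classification;
# returns 0 only when the probe exited cleanly within the limit.
run_probe() {
    limit="$1"; shift
    status=0
    # The `|| status=$?` keeps a failing probe from aborting a `set -e` caller.
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    result=$(classify_exit "$status")
    echo "$result"
    [ "$result" = ok ]
}

# Usage against the PoC from comment 15 ('test' and fileinfo.php in the
# current directory, as described there; 10 seconds is an arbitrary limit):
#   run_probe 10 php fileinfo.php
# With the pre-update php-fileinfo this prints "segfault"; with the
# 5.5.10 packages it prints "ok".
```

The classification is deliberately coarse: any non-zero exit other than the two signatures the bug is about is reported as "error" so that a missing sample file is not mistaken for a fixed package.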
Comment 18 claire robinson 2014-04-04 17:46:34 CEST
Yep, tested 32bit here too.
Comment 19 claire robinson 2014-04-04 17:53:39 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 4 updates

Thanks
Comment 20 Damien Lallement 2014-04-04 19:34:03 CEST
http://advisories.mageia.org/MGASA-2014-0163.html
