+++ This bug was initially created as a clone of Bug #12807 +++

https://bugzilla.redhat.com/show_bug.cgi?id=1065836

" Murray McAllister 2014-02-17 00:58:09 EST

A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

Original report:
http://mx.gw.com/pipermail/file/2014/001327.html "

http://www.debian.org/security/2014/dsa-2861
Here is the upstream PHP commit to fix this: http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d
Assignee: bugsquad => oe
Whiteboard: (none) => MGA3TOO
Source RPM: file, php => php
PHP also made an additional commit to supposedly fix a memory leak:
http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007

This would also apply to the file package, and Oden has committed it there in Cauldron. It doesn't appear to have been submitted upstream there yet.
Debian has issued an advisory for this on March 2: http://www.debian.org/security/2014/dsa-2868
Ubuntu has issued an advisory for this on March 3:
http://www.ubuntu.com/usn/usn-2126-1/

Their advisory also lists some other CVEs that, it appears, only affect PHP 5.5.x.

They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.
Oden fixed CVE-2013-7226 in MBS but said Mageia didn't need an update for it (not sure why).

LWN reference for the other new CVEs:
http://lwn.net/Vulnerabilities/589252/
Oden also pointed this out to me:
https://bugzilla.redhat.com/show_bug.cgi?id=1072220

As is linked in that bug, PHP has already made a commit to fix it. A CVE request has not been responded to yet. file's upstream commit (kind of like the memory leak fix) to fix this may be incomplete. Once it's sorted out for file, we may need to do another update for that package.
(In reply to David Walser from comment #2)
> PHP also made an additional commit to supposedly fix a memory leak:
> http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007
>
> This would also apply to the file package, and Oden has committed it there
> in Cauldron. It doesn't appear to have been submitted upstream there yet.

https://github.com/file/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9

That's the commit to file for this. There is some discussion on it, but no more commits have been made to address anything there.

(In reply to David Walser from comment #6)
> Oden also pointed this out to me:
> https://bugzilla.redhat.com/show_bug.cgi?id=1072220
>
> As is linked in that bug, PHP has already made a commit to fix it. A CVE
> request has not been responded to yet. file's upstream commit (kind of like
> the memory leak fix) to fix this may be incomplete. Once it's sorted out
> for file, we may need to do another update for that package.

This got CVE-2014-2270:
http://openwall.com/lists/oss-security/2014/03/05/7

As you can see in the RH bug, there is an additional commit to complete the fix. Time for another file update :o)
Summary: php: infinite recursion (CVE-2014-1943) => php: infinite recursion and OOB parsing PE files (CVE-2014-1943, CVE-2014-2270)
(In reply to David Walser from comment #4)
> Ubuntu has issued an advisory for this on March 3:
> http://www.ubuntu.com/usn/usn-2126-1/
>
> Their advisory also lists some other CVEs that, it appears, only affect PHP
> 5.5.x.
>
> They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.

All of these are issues that affect gd.c in PHP 5.5.x. They were fixed upstream in 5.5.9. We shipped 5.5.8 in Mageia 4. Oden, you previously told me when you updated MBS for this that we didn't need to update Mageia 4. Why was that?

Also, Ubuntu says CVE-2013-7327 was fixed with the others in 5.5.9, but the upstream changelog says that one was fixed in 5.5.10, and doesn't even mention the last two.

As far as the CVEs in the bug title (CVE-2014-1943, CVE-2014-2270), they are both fixed in 5.5.10. I believe PHP 5.4.x (Mageia 3) would also be affected for those issues.
Blocks: (none) => 13017
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #4)
> > Ubuntu has issued an advisory for this on March 3:
> > http://www.ubuntu.com/usn/usn-2126-1/
> >
> > Their advisory also lists some other CVEs that, it appears, only affect PHP
> > 5.5.x.
> >
> > They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.
>
> All of these are issues that affect gd.c in PHP 5.5.x. They were fixed
> upstream in 5.5.9. We shipped 5.5.8 in Mageia 4. Oden, you previously told
> me when you updated MBS for this that we didn't need to update Mageia 4.
> Why was that?

It concerned the bundled gd lib, not the system one, and php-gd in mga4+ links against system gd.
(In reply to Oden Eriksson from comment #9)
> (In reply to David Walser from comment #8)
> > (In reply to David Walser from comment #4)
> > > Ubuntu has issued an advisory for this on March 3:
> > > http://www.ubuntu.com/usn/usn-2126-1/
> > >
> > > Their advisory also lists some other CVEs that, it appears, only affect PHP
> > > 5.5.x.
> > >
> > > They are CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, and CVE-2014-2020.
> >
> > All of these are issues that affect gd.c in PHP 5.5.x. They were fixed
> > upstream in 5.5.9. We shipped 5.5.8 in Mageia 4. Oden, you previously told
> > me when you updated MBS for this that we didn't need to update Mageia 4.
> > Why was that?
>
> It concerned the bundled gd lib, not the system one, and php-gd in mga4+ links
> against system gd.

Ahh, thanks. So wouldn't that mean that CVE-2013-7327 isn't relevant for us either?
Frankly, I lost track of this whole mess.
Advisory (Mageia 4):
========================

Updated php packages fix security vulnerabilities:

It was discovered that the file utility contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to these issues. It has been updated to version 5.5.10, which fixes these issues and several other bugs.

Also, the jsonc, xdebug, and timezonedb PHP PECL modules have been updated to their newest versions.

Additionally, php-apc has been rebuilt against the updated php package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
http://www.php.net/ChangeLog-5.php#5.5.9
http://www.php.net/ChangeLog-5.php#5.5.10
http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.4
http://pecl.php.net/package-changelog.php?package=xdebug&release=2.2.4
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9
http://advisories.mageia.org/MGASA-2014-0092.html
http://advisories.mageia.org/MGASA-2014-0123.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.10-1.mga4
apache-mod_php-5.5.10-1.mga4
php-cli-5.5.10-1.mga4
php-cgi-5.5.10-1.mga4
libphp5_common5-5.5.10-1.mga4
php-devel-5.5.10-1.mga4
php-openssl-5.5.10-1.mga4
php-zlib-5.5.10-1.mga4
php-doc-5.5.10-1.mga4
php-bcmath-5.5.10-1.mga4
php-bz2-5.5.10-1.mga4
php-calendar-5.5.10-1.mga4
php-ctype-5.5.10-1.mga4
php-curl-5.5.10-1.mga4
php-dba-5.5.10-1.mga4
php-dom-5.5.10-1.mga4
php-enchant-5.5.10-1.mga4
php-exif-5.5.10-1.mga4
php-fileinfo-5.5.10-1.mga4
php-filter-5.5.10-1.mga4
php-ftp-5.5.10-1.mga4
php-gd-5.5.10-1.mga4
php-gettext-5.5.10-1.mga4
php-gmp-5.5.10-1.mga4
php-hash-5.5.10-1.mga4
php-iconv-5.5.10-1.mga4
php-imap-5.5.10-1.mga4
php-interbase-5.5.10-1.mga4
php-intl-5.5.10-1.mga4
php-json-5.5.10-1.mga4
php-ldap-5.5.10-1.mga4
php-mbstring-5.5.10-1.mga4
php-mcrypt-5.5.10-1.mga4
php-mssql-5.5.10-1.mga4
php-mysql-5.5.10-1.mga4
php-mysqli-5.5.10-1.mga4
php-mysqlnd-5.5.10-1.mga4
php-odbc-5.5.10-1.mga4
php-opcache-5.5.10-1.mga4
php-pcntl-5.5.10-1.mga4
php-pdo-5.5.10-1.mga4
php-pdo_dblib-5.5.10-1.mga4
php-pdo_firebird-5.5.10-1.mga4
php-pdo_mysql-5.5.10-1.mga4
php-pdo_odbc-5.5.10-1.mga4
php-pdo_pgsql-5.5.10-1.mga4
php-pdo_sqlite-5.5.10-1.mga4
php-pgsql-5.5.10-1.mga4
php-phar-5.5.10-1.mga4
php-posix-5.5.10-1.mga4
php-readline-5.5.10-1.mga4
php-recode-5.5.10-1.mga4
php-session-5.5.10-1.mga4
php-shmop-5.5.10-1.mga4
php-snmp-5.5.10-1.mga4
php-soap-5.5.10-1.mga4
php-sockets-5.5.10-1.mga4
php-sqlite3-5.5.10-1.mga4
php-sybase_ct-5.5.10-1.mga4
php-sysvmsg-5.5.10-1.mga4
php-sysvsem-5.5.10-1.mga4
php-sysvshm-5.5.10-1.mga4
php-tidy-5.5.10-1.mga4
php-tokenizer-5.5.10-1.mga4
php-xml-5.5.10-1.mga4
php-xmlreader-5.5.10-1.mga4
php-xmlrpc-5.5.10-1.mga4
php-xmlwriter-5.5.10-1.mga4
php-xsl-5.5.10-1.mga4
php-wddx-5.5.10-1.mga4
php-zip-5.5.10-1.mga4
php-fpm-5.5.10-1.mga4
php-apc-3.1.15-4.1.mga4
php-apc-admin-3.1.15-4.1.mga4
php-timezonedb-2013.9-1.mga4
php-xdebug-2.2.4-1.mga4

from SRPMS:
php-5.5.10-1.mga4.src.rpm
php-apc-3.1.15-4.1.mga4.src.rpm
php-timezonedb-2013.9-1.mga4.src.rpm
php-xdebug-2.2.4-1.mga4.src.rpm
Assignee: oe => qa-bugs
Whiteboard: MGA3TOO => (none)
timezonedb has been updated to php-timezonedb-2014.1-1.mga4 by Oden.
Oden, is CVE-2013-7345 relevant to our PHP version in Mageia 4?
http://lwn.net/Vulnerabilities/592275/

Red Hat has a link to the PHP commit in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1079846
There is a PoC for the file issue CVE-2014-1943 using the testcase attached to bug 12807 saved as 'test' and the php script below saved as fileinfo.php.

<?php
$finfo = new finfo();
$fileinfo = $finfo->file('test', FILEINFO_MIME);
?>

$ php fileinfo.php
Segmentation fault
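A small harness for running that reproducer safely, added here as an example and not part of the bug report or of the Mageia packages: because a still-vulnerable libmagic can spin at 100% CPU instead of crashing, it runs fileinfo.php under a wall-clock and CPU-seconds limit and classifies the exit status so a QA tester gets a verdict rather than a hung terminal. It assumes the 'test' file and 'fileinfo.php' from the comment above are in the current directory and that GNU timeout(1) and php are on PATH.

```sh
#!/bin/sh
# check_cve_2014_1943.sh (added example, not from the bug report)
# Runs the finfo reproducer with a time limit and reports what happened.
# Assumes: ./test (attachment from bug 12807), ./fileinfo.php, GNU timeout, php.

# classify_rc: map a shell exit status to a human-readable verdict.
# A process killed by a signal exits with 128 + signal number.
classify_rc() {
  case "$1" in
    0)   echo "ok (no crash)" ;;
    124) echo "timeout (hang / excess CPU)" ;;      # GNU timeout(1) status
    134) echo "abort (SIGABRT)" ;;                   # 128 + 6
    139) echo "segfault (SIGSEGV)" ;;                # 128 + 11
    152) echo "cpu limit exceeded (SIGXCPU)" ;;      # 128 + 24, from ulimit -t
    *)   echo "exit status $1" ;;
  esac
}

# run_repro: execute the PoC in a subshell with a CPU-seconds cap (ulimit -t)
# and a wall-clock cap (timeout); both default to 10 seconds.
run_repro() {
  script="${1:-fileinfo.php}"
  limit="${2:-10}"
  ( ulimit -t "$limit" 2>/dev/null; timeout "$limit" php "$script" ) >/dev/null 2>&1
  classify_rc "$?"
}

# Only run the reproducer when asked to, so the file can also be sourced.
if [ "${RUN_REPRO:-0}" = "1" ]; then
  run_repro "$@"
fi
```

Run it with RUN_REPRO=1 before and after installing the updated php-fileinfo package; a fixed build should report "ok (no crash)", while the vulnerable one reports a segfault or a timeout.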
Testing complete mga4 64

After update php fileinfo.php shows no output but doesn't segfault or take excess cpu/time.

Tested with phpmyadmin & zoneminder

Browsed to http://localhost/php-apc and logged in with the password which I set in /etc/php-apc/config.php

Checked php-xdebug left debug info in /var/log/httpd/error_log when using the various webapps.

Checked php-timezonedb with..
# php -r 'echo date("l, F d, Y h:i:s A" ,time()). "\n";'
Monday, March 31, 2014 04:13:36 PM
Whiteboard: (none) => has_procedure mga4-64-ok
Installed php-cli and php-fileinfo from before and reproduced the segfault in Comment 15. Installed the updated packages and no more segfault. php-timezonedb seems fine with the example from Comment 16. Currently running these updated packages on my Mageia 4 i586 Moodle server, which seems to be working fine. I think this can be validated.
Yep, tested 32bit here too.
Whiteboard: has_procedure mga4-64-ok => has_procedure mga3-32-ok mga4-64-ok
Whiteboard: has_procedure mga3-32-ok mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Advisory uploaded. Validating.

Could sysadmin please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0163.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED