Bug 13017 - php new security issues CVE-2013-6712, CVE-2014-1943, and CVE-2014-2270
Summary: php new security issues CVE-2013-6712, CVE-2014-1943, and CVE-2014-2270
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
Depends on: 12842
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-14 09:01 CET by Oden Eriksson
Modified: 2014-04-04 14:09 CEST (History)
3 users (show)

See Also:
Source RPM: php
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Oden Eriksson 2014-03-14 09:01:20 CET 
MGA4:

Fixed source rpm packages:

php-5.5.10-1.mga4: 
http://www.php.net/ChangeLog-5.php#5.5.9
CVE-2013-7226

http://www.php.net/ChangeLog-5.php#5.5.10
CVE-2014-1943, CVE-2014-2270, CVE-2013-7327

jsonc-1.3.4:
http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.4

php-apc-3.1.15-4.1.mga4:
rebuild

php-timezonedb-2013.9-1.mga4:
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9

php-xdebug-2.2.4-1.mga4:
http://pecl.php.net/package-changelog.php?package=xdebug&release=2.2.4

----------------------------------------------------------------------------
MGA3:

Fixed source rpm packages:

php-5.4.26-1.mga3:
http://www.php.net/ChangeLog-5.php#5.4.24
CVE-2013-6712

http://www.php.net/ChangeLog-5.php#5.4.25

http://www.php.net/ChangeLog-5.php#5.4.26
CVE-2014-1943, CVE-2014-2270

php-timezonedb-2013.9-1.mga3:
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9

php-apc-3.1.14-7.6.mga3:
rebuild

php-gd-bundled-5.4.26-1.mga3: 
5.4.26


Reproducible: 

Steps to Reproduce:
Oden Eriksson 2014-03-14 09:02:32 CET

Summary: multiple vulnerabilities in php (CVE-2013-6712, CVE-2013-7226, CVE-2014-1943, CVE-2014-2270, CVE-2013-7327 => multiple vulnerabilities in php (CVE-2013-6712, CVE-2013-7226, CVE-2014-1943, CVE-2014-2270, CVE-2013-7327)

Comment 2 David Walser 2014-03-14 11:44:37 CET 
Thanks Oden!

Though not mentioned in the upstream changelog, I believe the CVE-2013-7328 and CVE-2014-2020 mentioned in the Ubuntu advisory I linked in Bug 12842 are relevant for the Mageia 4 update.

I guess we can use this bug for the Mageia 3 update and Bug 12842 for the Mageia 4 update.  I'll work on that later.

CC: (none) => luigiwalser
Depends on: (none) => 12842

Comment 3 David Walser 2014-03-14 20:26:43 CET 
Advisory (Mageia 3):
========================

Updated php packages fix security vulnerabilities:

It was discovered that the file utility contains a flaw in the handling of
"indirect" magic rules in the libmagic library, which leads to an infinite
recursion when trying to determine the file type of certain files
(CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable
Executable (PE) format files, the executable format used on Windows. A
malicious PE file could cause the file utility to crash or, potentially,
execute arbitrary code (CVE-2014-2270).

PHP contains a bundled copy of the file utility's libmagic library, so it was
vulnerable to these issues.  It has been updated to version 5.4.26, which
fixes these issues and several other bugs.

This update also fixes a heap buffer over-read in DateInterval, which was
fixed in PHP 5.4.24 (CVE-2013-6712).

Also, the timezonedb PHP PECL module has been updated to its newest version.

Additionally, php-apc has been rebuilt against the updated php package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
http://www.php.net/ChangeLog-5.php#5.4.24
http://www.php.net/ChangeLog-5.php#5.4.25
http://www.php.net/ChangeLog-5.php#5.4.26
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9
http://advisories.mageia.org/MGASA-2014-0092.html
http://advisories.mageia.org/MGASA-2014-0123.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.26-1.mga3
apache-mod_php-5.4.26-1.mga3
php-cli-5.4.26-1.mga3
php-cgi-5.4.26-1.mga3
libphp5_common5-5.4.26-1.mga3
php-devel-5.4.26-1.mga3
php-openssl-5.4.26-1.mga3
php-zlib-5.4.26-1.mga3
php-doc-5.4.26-1.mga3
php-bcmath-5.4.26-1.mga3
php-bz2-5.4.26-1.mga3
php-calendar-5.4.26-1.mga3
php-ctype-5.4.26-1.mga3
php-curl-5.4.26-1.mga3
php-dba-5.4.26-1.mga3
php-dom-5.4.26-1.mga3
php-enchant-5.4.26-1.mga3
php-exif-5.4.26-1.mga3
php-fileinfo-5.4.26-1.mga3
php-filter-5.4.26-1.mga3
php-ftp-5.4.26-1.mga3
php-gd-5.4.26-1.mga3
php-gettext-5.4.26-1.mga3
php-gmp-5.4.26-1.mga3
php-hash-5.4.26-1.mga3
php-iconv-5.4.26-1.mga3
php-imap-5.4.26-1.mga3
php-interbase-5.4.26-1.mga3
php-intl-5.4.26-1.mga3
php-json-5.4.26-1.mga3
php-ldap-5.4.26-1.mga3
php-mbstring-5.4.26-1.mga3
php-mcrypt-5.4.26-1.mga3
php-mssql-5.4.26-1.mga3
php-mysql-5.4.26-1.mga3
php-mysqli-5.4.26-1.mga3
php-mysqlnd-5.4.26-1.mga3
php-odbc-5.4.26-1.mga3
php-pcntl-5.4.26-1.mga3
php-pdo-5.4.26-1.mga3
php-pdo_dblib-5.4.26-1.mga3
php-pdo_firebird-5.4.26-1.mga3
php-pdo_mysql-5.4.26-1.mga3
php-pdo_odbc-5.4.26-1.mga3
php-pdo_pgsql-5.4.26-1.mga3
php-pdo_sqlite-5.4.26-1.mga3
php-pgsql-5.4.26-1.mga3
php-phar-5.4.26-1.mga3
php-posix-5.4.26-1.mga3
php-readline-5.4.26-1.mga3
php-recode-5.4.26-1.mga3
php-session-5.4.26-1.mga3
php-shmop-5.4.26-1.mga3
php-snmp-5.4.26-1.mga3
php-soap-5.4.26-1.mga3
php-sockets-5.4.26-1.mga3
php-sqlite3-5.4.26-1.mga3
php-sybase_ct-5.4.26-1.mga3
php-sysvmsg-5.4.26-1.mga3
php-sysvsem-5.4.26-1.mga3
php-sysvshm-5.4.26-1.mga3
php-tidy-5.4.26-1.mga3
php-tokenizer-5.4.26-1.mga3
php-xml-5.4.26-1.mga3
php-xmlreader-5.4.26-1.mga3
php-xmlrpc-5.4.26-1.mga3
php-xmlwriter-5.4.26-1.mga3
php-xsl-5.4.26-1.mga3
php-wddx-5.4.26-1.mga3
php-zip-5.4.26-1.mga3
php-fpm-5.4.26-1.mga3
php-gd-bundled-5.4.26-1.mga3
php-apc-3.1.14-7.6.mga3
php-apc-admin-3.1.14-7.6.mga3
php-timezonedb-2013.9-1.mga3

from SRPMS:
php-5.4.26-1.mga3.src.rpm
php-gd-bundled-5.4.26-1.mga3.src.rpm
php-apc-3.1.14-7.6.mga3.src.rpm
php-timezonedb-2013.9-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs
Summary: multiple vulnerabilities in php (CVE-2013-6712, CVE-2013-7226, CVE-2014-1943, CVE-2014-2270, CVE-2013-7327) => php new security issues CVE-2013-6712, CVE-2014-1943, and CVE-2014-2270

Comment 4 Oden Eriksson 2014-03-19 11:11:16 CET 
php-timezonedb-2014.1-1.mga3, php-timezonedb-2014.1-1.mga4 & php-timezonedb-2014.1-1.mga5 was just submitted.
Comment 5 David Walser 2014-03-27 18:33:07 CET 
Oden, is CVE-2013-7345 relevant to our PHP version in Mageia 3?
http://lwn.net/Vulnerabilities/592275/

RedHat has a link to the PHP commit in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1079846
Comment 6 claire robinson 2014-04-01 16:17:20 CEST 
Testing complete mga3 64

Whiteboard: (none) => mga3-64-ok

Comment 7 claire robinson 2014-04-04 13:31:06 CEST 
Testing complete mga3 32

Procedure: https://bugs.mageia.org/show_bug.cgi?id=12842#c16

Also checked 'php -i | less' for any obvious errors

Whiteboard: mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok

Comment 8 claire robinson 2014-04-04 13:52:51 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Damien Lallement 2014-04-04 14:09:18 CEST 
Advisory updated with the good release of php-timezonedb.

http://advisories.mageia.org/MGASA-2014-0162.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.