Bug 13017 - php new security issues CVE-2013-6712, CVE-2014-1943, and CVE-2014-2270
: php new security issues CVE-2013-6712, CVE-2014-1943, and CVE-2014-2270
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: has_procedure advisory mga3-32-ok mga...
: validated_update
: 12842
:
  Show dependency treegraph
 
Reported: 2014-03-14 09:01 CET by Oden Eriksson
Modified: 2014-04-04 14:09 CEST (History)
3 users (show)

See Also:
Source RPM: php
CVE:
Status comment:


Attachments

Description Oden Eriksson 2014-03-14 09:01:20 CET
MGA4:

Fixed source rpm packages:

php-5.5.10-1.mga4: 
http://www.php.net/ChangeLog-5.php#5.5.9
CVE-2013-7226

http://www.php.net/ChangeLog-5.php#5.5.10
CVE-2014-1943, CVE-2014-2270, CVE-2013-7327

jsonc-1.3.4:
http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.4

php-apc-3.1.15-4.1.mga4:
rebuild

php-timezonedb-2013.9-1.mga4:
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9

php-xdebug-2.2.4-1.mga4:
http://pecl.php.net/package-changelog.php?package=xdebug&release=2.2.4

----------------------------------------------------------------------------
MGA3:

Fixed source rpm packages:

php-5.4.26-1.mga3:
http://www.php.net/ChangeLog-5.php#5.4.24
CVE-2013-6712

http://www.php.net/ChangeLog-5.php#5.4.25

http://www.php.net/ChangeLog-5.php#5.4.26
CVE-2014-1943, CVE-2014-2270

php-timezonedb-2013.9-1.mga3:
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9

php-apc-3.1.14-7.6.mga3:
rebuild

php-gd-bundled-5.4.26-1.mga3: 
5.4.26


Reproducible: 

Steps to Reproduce:
Comment 2 David Walser 2014-03-14 11:44:37 CET
Thanks Oden!

Though not mentioned in the upstream changelog, I believe the CVE-2013-7328 and CVE-2014-2020 mentioned in the Ubuntu advisory I linked in Bug 12842 are relevant for the Mageia 4 update.

I guess we can use this bug for the Mageia 3 update and Bug 12842 for the Mageia 4 update.  I'll work on that later.
Comment 3 David Walser 2014-03-14 20:26:43 CET
Advisory (Mageia 3):
========================

Updated php packages fix security vulnerabilities:

It was discovered that the file utility contains a flaw in the handling of
"indirect" magic rules in the libmagic library, which leads to an infinite
recursion when trying to determine the file type of certain files
(CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable
Executable (PE) format files, the executable format used on Windows. A
malicious PE file could cause the file utility to crash or, potentially,
execute arbitrary code (CVE-2014-2270).

PHP contains a bundled copy of the file utility's libmagic library, so it was
vulnerable to these issues.  It has been updated to version 5.4.26, which
fixes these issues and several other bugs.

This update also fixes a heap buffer over-read in DateInterval, which was
fixed in PHP 5.4.24 (CVE-2013-6712).

Also, the timezonedb PHP PECL module has been updated to its newest version.

Additionally, php-apc has been rebuilt against the updated php package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
http://www.php.net/ChangeLog-5.php#5.4.24
http://www.php.net/ChangeLog-5.php#5.4.25
http://www.php.net/ChangeLog-5.php#5.4.26
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9
http://advisories.mageia.org/MGASA-2014-0092.html
http://advisories.mageia.org/MGASA-2014-0123.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.26-1.mga3
apache-mod_php-5.4.26-1.mga3
php-cli-5.4.26-1.mga3
php-cgi-5.4.26-1.mga3
libphp5_common5-5.4.26-1.mga3
php-devel-5.4.26-1.mga3
php-openssl-5.4.26-1.mga3
php-zlib-5.4.26-1.mga3
php-doc-5.4.26-1.mga3
php-bcmath-5.4.26-1.mga3
php-bz2-5.4.26-1.mga3
php-calendar-5.4.26-1.mga3
php-ctype-5.4.26-1.mga3
php-curl-5.4.26-1.mga3
php-dba-5.4.26-1.mga3
php-dom-5.4.26-1.mga3
php-enchant-5.4.26-1.mga3
php-exif-5.4.26-1.mga3
php-fileinfo-5.4.26-1.mga3
php-filter-5.4.26-1.mga3
php-ftp-5.4.26-1.mga3
php-gd-5.4.26-1.mga3
php-gettext-5.4.26-1.mga3
php-gmp-5.4.26-1.mga3
php-hash-5.4.26-1.mga3
php-iconv-5.4.26-1.mga3
php-imap-5.4.26-1.mga3
php-interbase-5.4.26-1.mga3
php-intl-5.4.26-1.mga3
php-json-5.4.26-1.mga3
php-ldap-5.4.26-1.mga3
php-mbstring-5.4.26-1.mga3
php-mcrypt-5.4.26-1.mga3
php-mssql-5.4.26-1.mga3
php-mysql-5.4.26-1.mga3
php-mysqli-5.4.26-1.mga3
php-mysqlnd-5.4.26-1.mga3
php-odbc-5.4.26-1.mga3
php-pcntl-5.4.26-1.mga3
php-pdo-5.4.26-1.mga3
php-pdo_dblib-5.4.26-1.mga3
php-pdo_firebird-5.4.26-1.mga3
php-pdo_mysql-5.4.26-1.mga3
php-pdo_odbc-5.4.26-1.mga3
php-pdo_pgsql-5.4.26-1.mga3
php-pdo_sqlite-5.4.26-1.mga3
php-pgsql-5.4.26-1.mga3
php-phar-5.4.26-1.mga3
php-posix-5.4.26-1.mga3
php-readline-5.4.26-1.mga3
php-recode-5.4.26-1.mga3
php-session-5.4.26-1.mga3
php-shmop-5.4.26-1.mga3
php-snmp-5.4.26-1.mga3
php-soap-5.4.26-1.mga3
php-sockets-5.4.26-1.mga3
php-sqlite3-5.4.26-1.mga3
php-sybase_ct-5.4.26-1.mga3
php-sysvmsg-5.4.26-1.mga3
php-sysvsem-5.4.26-1.mga3
php-sysvshm-5.4.26-1.mga3
php-tidy-5.4.26-1.mga3
php-tokenizer-5.4.26-1.mga3
php-xml-5.4.26-1.mga3
php-xmlreader-5.4.26-1.mga3
php-xmlrpc-5.4.26-1.mga3
php-xmlwriter-5.4.26-1.mga3
php-xsl-5.4.26-1.mga3
php-wddx-5.4.26-1.mga3
php-zip-5.4.26-1.mga3
php-fpm-5.4.26-1.mga3
php-gd-bundled-5.4.26-1.mga3
php-apc-3.1.14-7.6.mga3
php-apc-admin-3.1.14-7.6.mga3
php-timezonedb-2013.9-1.mga3

from SRPMS:
php-5.4.26-1.mga3.src.rpm
php-gd-bundled-5.4.26-1.mga3.src.rpm
php-apc-3.1.14-7.6.mga3.src.rpm
php-timezonedb-2013.9-1.mga3.src.rpm
Comment 4 Oden Eriksson 2014-03-19 11:11:16 CET
php-timezonedb-2014.1-1.mga3, php-timezonedb-2014.1-1.mga4 & php-timezonedb-2014.1-1.mga5 was just submitted.
Comment 5 David Walser 2014-03-27 18:33:07 CET
Oden, is CVE-2013-7345 relevant to our PHP version in Mageia 3?
http://lwn.net/Vulnerabilities/592275/

RedHat has a link to the PHP commit in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1079846
Comment 6 claire robinson 2014-04-01 16:17:20 CEST
Testing complete mga3 64
Comment 7 claire robinson 2014-04-04 13:31:06 CEST
Testing complete mga3 32

Procedure: https://bugs.mageia.org/show_bug.cgi?id=12842#c16

Also checked 'php -i | less' for any obvious errors
Comment 8 claire robinson 2014-04-04 13:52:51 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 updates

Thanks
Comment 9 Damien Lallement 2014-04-04 14:09:18 CEST
Advisory updated with the good release of php-timezonedb.

http://advisories.mageia.org/MGASA-2014-0162.html

Note You need to log in before you can comment on or make changes to this bug.