PHP 5.5.11 has been released today (April 3):
http://www.php.net/ChangeLog-5.php#5.5.11

It fixes the security issue I mentioned previously in the other bugs we currently have open for testing PHP updates for Mageia 3 and Mageia 4 for other security issues.

We could wait until those updates are pushed before fixing this, or do the updates and restart the testing in those bugs:
https://bugs.mageia.org/show_bug.cgi?id=13017
https://bugs.mageia.org/show_bug.cgi?id=12842

I'm not sure what upstream's plan is for addressing this in PHP 5.4.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Upstream also released PHP 5.4.27 yesterday to address this:
http://www.php.net/ChangeLog-5.php#5.4.27

The pending PHP updates from before should be pushed shortly, so we can address this with fresh updates to 5.4.27 and 5.5.11.
I've checked things in SVN, now they just need built.

php (Cauldron, mga4, mga3)
php-apc (Cauldron, mga4, mga3)
php-timezonedb (Cauldron, mga4, mga3)
php-gd-bundled (mga3)
We can use this for the advisory, assuming no further changes are made.

Note that this is the same CVE fixed in file in Bug 13105.

Advisory:
========================

Updated php packages fix security vulnerability:

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to this issue.

It has been updated to versions 5.4.27 and 5.5.11, which fix this issue and several other bugs.

Also, the timezonedb PHP PECL module has been updated to its newest version.

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://www.php.net/ChangeLog-5.php#5.4.27
http://www.php.net/ChangeLog-5.php#5.5.11
http://pecl.php.net/package-info.php?package=timezonedb&version=2014.2
http://advisories.mageia.org/MGASA-2014-0142.html
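The backtracking cost the advisory describes can be seen in a small model. This is an added example, not code from this bug report, PHP or libmagic: the pattern shape (whitespace run, "BEGIN", whitespace run, "{"), the toy matcher and the cap of 100 are assumptions chosen for illustration.

```python
# Added illustration: a toy backtracking search, not libmagic's regex engine.
# It searches, unanchored, for  WS* "BEGIN" WS* "{"  (constructed pattern).
from typing import Optional, Tuple

WS = " \t\r\n"

def count_steps(data: str, max_ws: Optional[int] = None) -> Tuple[bool, int]:
    """Return (matched, steps). max_ws=None models an unbounded WS*."""
    steps = 0

    def ws_run(pos: int) -> int:
        # Greedily consume whitespace from pos, honouring the cap if set.
        nonlocal steps
        end = pos
        while end < len(data) and (max_ws is None or end - pos < max_ws):
            steps += 1
            if data[end] not in WS:
                break
            end += 1
        return end

    def literal(pos: int, lit: str) -> bool:
        nonlocal steps
        for i, ch in enumerate(lit):
            steps += 1
            if pos + i >= len(data) or data[pos + i] != ch:
                return False
        return True

    for start in range(len(data) + 1):              # try every offset
        first_end = ws_run(start)
        for a in range(first_end, start - 1, -1):   # backtrack first WS*
            if not literal(a, "BEGIN"):
                continue
            second_end = ws_run(a + 5)
            for b in range(second_end, a + 4, -1):  # backtrack second WS*
                if literal(b, "{"):
                    return True, steps
    return False, steps

if __name__ == "__main__":
    for n in (400, 800):                            # constructed inputs
        data = "\n" * n
        print(n, count_steps(data)[1], count_steps(data, max_ws=100)[1])
```

Doubling the number of newlines roughly quadruples the step count with the unbounded repetition, while the capped variant grows linearly with input size.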
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Oden, I'll let you have a look at this before pushing to QA. ======================== Updated packages in core/updates_testing: ======================== php-ini-5.4.27-1.mga3 apache-mod_php-5.4.27-1.mga3 php-cli-5.4.27-1.mga3 php-cgi-5.4.27-1.mga3 libphp5_common5-5.4.27-1.mga3 php-devel-5.4.27-1.mga3 php-openssl-5.4.27-1.mga3 php-zlib-5.4.27-1.mga3 php-doc-5.4.27-1.mga3 php-bcmath-5.4.27-1.mga3 php-bz2-5.4.27-1.mga3 php-calendar-5.4.27-1.mga3 php-ctype-5.4.27-1.mga3 php-curl-5.4.27-1.mga3 php-dba-5.4.27-1.mga3 php-dom-5.4.27-1.mga3 php-enchant-5.4.27-1.mga3 php-exif-5.4.27-1.mga3 php-fileinfo-5.4.27-1.mga3 php-filter-5.4.27-1.mga3 php-ftp-5.4.27-1.mga3 php-gd-5.4.27-1.mga3 php-gettext-5.4.27-1.mga3 php-gmp-5.4.27-1.mga3 php-hash-5.4.27-1.mga3 php-iconv-5.4.27-1.mga3 php-imap-5.4.27-1.mga3 php-interbase-5.4.27-1.mga3 php-intl-5.4.27-1.mga3 php-json-5.4.27-1.mga3 php-ldap-5.4.27-1.mga3 php-mbstring-5.4.27-1.mga3 php-mcrypt-5.4.27-1.mga3 php-mssql-5.4.27-1.mga3 php-mysql-5.4.27-1.mga3 php-mysqli-5.4.27-1.mga3 php-mysqlnd-5.4.27-1.mga3 php-odbc-5.4.27-1.mga3 php-pcntl-5.4.27-1.mga3 php-pdo-5.4.27-1.mga3 php-pdo_dblib-5.4.27-1.mga3 php-pdo_firebird-5.4.27-1.mga3 php-pdo_mysql-5.4.27-1.mga3 php-pdo_odbc-5.4.27-1.mga3 php-pdo_pgsql-5.4.27-1.mga3 php-pdo_sqlite-5.4.27-1.mga3 php-pgsql-5.4.27-1.mga3 php-phar-5.4.27-1.mga3 php-posix-5.4.27-1.mga3 php-readline-5.4.27-1.mga3 php-recode-5.4.27-1.mga3 php-session-5.4.27-1.mga3 php-shmop-5.4.27-1.mga3 php-snmp-5.4.27-1.mga3 php-soap-5.4.27-1.mga3 php-sockets-5.4.27-1.mga3 php-sqlite3-5.4.27-1.mga3 php-sybase_ct-5.4.27-1.mga3 php-sysvmsg-5.4.27-1.mga3 php-sysvsem-5.4.27-1.mga3 php-sysvshm-5.4.27-1.mga3 php-tidy-5.4.27-1.mga3 php-tokenizer-5.4.27-1.mga3 php-xml-5.4.27-1.mga3 php-xmlreader-5.4.27-1.mga3 php-xmlrpc-5.4.27-1.mga3 php-xmlwriter-5.4.27-1.mga3 php-xsl-5.4.27-1.mga3 php-wddx-5.4.27-1.mga3 php-zip-5.4.27-1.mga3 php-fpm-5.4.27-1.mga3 php-apc-3.1.14-7.7.mga3 
php-apc-admin-3.1.14-7.7.mga3 php-timezonedb-2014.2-1.mga3 php-gd-bundled-5.4.27-1.mga3 php-ini-5.5.11-1.mga4 apache-mod_php-5.5.11-1.mga4 php-cli-5.5.11-1.mga4 php-cgi-5.5.11-1.mga4 libphp5_common5-5.5.11-1.mga4 php-devel-5.5.11-1.mga4 php-openssl-5.5.11-1.mga4 php-zlib-5.5.11-1.mga4 php-doc-5.5.11-1.mga4 php-bcmath-5.5.11-1.mga4 php-bz2-5.5.11-1.mga4 php-calendar-5.5.11-1.mga4 php-ctype-5.5.11-1.mga4 php-curl-5.5.11-1.mga4 php-dba-5.5.11-1.mga4 php-dom-5.5.11-1.mga4 php-enchant-5.5.11-1.mga4 php-exif-5.5.11-1.mga4 php-fileinfo-5.5.11-1.mga4 php-filter-5.5.11-1.mga4 php-ftp-5.5.11-1.mga4 php-gd-5.5.11-1.mga4 php-gettext-5.5.11-1.mga4 php-gmp-5.5.11-1.mga4 php-hash-5.5.11-1.mga4 php-iconv-5.5.11-1.mga4 php-imap-5.5.11-1.mga4 php-interbase-5.5.11-1.mga4 php-intl-5.5.11-1.mga4 php-json-5.5.11-1.mga4 php-ldap-5.5.11-1.mga4 php-mbstring-5.5.11-1.mga4 php-mcrypt-5.5.11-1.mga4 php-mssql-5.5.11-1.mga4 php-mysql-5.5.11-1.mga4 php-mysqli-5.5.11-1.mga4 php-mysqlnd-5.5.11-1.mga4 php-odbc-5.5.11-1.mga4 php-opcache-5.5.11-1.mga4 php-pcntl-5.5.11-1.mga4 php-pdo-5.5.11-1.mga4 php-pdo_dblib-5.5.11-1.mga4 php-pdo_firebird-5.5.11-1.mga4 php-pdo_mysql-5.5.11-1.mga4 php-pdo_odbc-5.5.11-1.mga4 php-pdo_pgsql-5.5.11-1.mga4 php-pdo_sqlite-5.5.11-1.mga4 php-pgsql-5.5.11-1.mga4 php-phar-5.5.11-1.mga4 php-posix-5.5.11-1.mga4 php-readline-5.5.11-1.mga4 php-recode-5.5.11-1.mga4 php-session-5.5.11-1.mga4 php-shmop-5.5.11-1.mga4 php-snmp-5.5.11-1.mga4 php-soap-5.5.11-1.mga4 php-sockets-5.5.11-1.mga4 php-sqlite3-5.5.11-1.mga4 php-sybase_ct-5.5.11-1.mga4 php-sysvmsg-5.5.11-1.mga4 php-sysvsem-5.5.11-1.mga4 php-sysvshm-5.5.11-1.mga4 php-tidy-5.5.11-1.mga4 php-tokenizer-5.5.11-1.mga4 php-xml-5.5.11-1.mga4 php-xmlreader-5.5.11-1.mga4 php-xmlrpc-5.5.11-1.mga4 php-xmlwriter-5.5.11-1.mga4 php-xsl-5.5.11-1.mga4 php-wddx-5.5.11-1.mga4 php-zip-5.5.11-1.mga4 php-fpm-5.5.11-1.mga4 php-apc-3.1.15-4.2.mga4 php-apc-admin-3.1.15-4.2.mga4 php-timezonedb-2014.2-1.mga4 from SRPMS: php-5.4.27-1.mga3.src.rpm 
php-apc-3.1.14-7.7.mga3.src.rpm php-timezonedb-2014.2-1.mga3.src.rpm php-gd-bundled-5.4.27-1.mga3.src.rpm php-5.5.11-1.mga4.src.rpm php-apc-3.1.15-4.2.mga4.src.rpm php-timezonedb-2014.2-1.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
$ time php -n -d extension=fileinfo.so poc.php
string(10) "ASCII text"

real 0m36.310s
user 0m36.038s
sys 0m0.090s

rpm -Uvh --nodeps ftp://ftp.acc.umu.se/mirror/mageia/distrib/4/x86_64/media/core/updates_testing/php-fileinfo-5.5.11-1.mga4.x86_64.rpm

$ time php -n -d extension=fileinfo.so poc.php
string(10) "ASCII text"

real 0m0.543s
user 0m0.536s
sys 0m0.006s
PoC as of https://bugs.php.net/bug.php?id=66946
Thanks Oden. If everything looks good to you as far as the update, let me know and I'll assign to QA.
Same results on mga3 64 bit.
Since Oden has already pushed this update to MBS, I assume it's good to go:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:075/

Assigning to QA.

Advisory in Comment 3. Package list in Comment 4. PoC information in Comment 5 and Comment 6.

Note that Oden has already tested it on Mageia 3 and Mageia 4 x86_64 (Comment 5 and Comment 7), so since he's not the packager, it can be marked OK there already, but I'll let another QA team member do the honors.
CC: (none) => oe
Assignee: oe => qa-bugs
PoC in comment 5

Script:
<?php
$fd = __DIR__.'/data';
$a = str_repeat("\n", 1000000);
file_put_contents($fd, $a);
$fi = finfo_open(FILEINFO_NONE);
var_dump(finfo_file($fi, $fd));
finfo_close($fi);

Adding OK from Oden's test in comment 8
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-64-ok
PoC (Proof-of-concept) is fixed on mga4-64-ok in a VBox VM.
CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
MGA4-32-OK in a VBox VM.
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok
Confirmed MGA3-32-OK in a VBox VM.
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok mga3-32-ok
Thanks Shlomi, you're on fire today :)

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok mga3-32-ok => MGA3TOO has_procedure advisory mga3-64-ok mga4-64-ok mga4-32-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0178.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED