Let's use this bug for the PHP update.

Depends on: 13460 => (none)
Assignee: bugsquad => oe
Whiteboard: (none) => MGA3TOO

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated php packages fix security vulnerabilities:

A flaw was found in the way file's Composite Document Files (CDF) format
parser handle CDF files with many summary info entries.  The
cdf_unpack_summary_info() function unnecessarily repeatedly read the info
from the same offset.  This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount of
CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files.  A property entry with 0 elements triggers an
infinite loop (CVE-2014-0238).

PHP contains a bundled copy of the file utility's libmagic library, so it was
vulnerable to this issue. It has been updated to versions 5.4.29 and 5.5.13,
which fix this issue and several other bugs.

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
http://www.php.net/ChangeLog-5.php#5.4.29
http://www.php.net/ChangeLog-5.php#5.5.13
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0237
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0238
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.29-1.mga3
apache-mod_php-5.4.29-1.mga3
php-cli-5.4.29-1.mga3
php-cgi-5.4.29-1.mga3
libphp5_common5-5.4.29-1.mga3
php-devel-5.4.29-1.mga3
php-openssl-5.4.29-1.mga3
php-zlib-5.4.29-1.mga3
php-doc-5.4.29-1.mga3
php-bcmath-5.4.29-1.mga3
php-bz2-5.4.29-1.mga3
php-calendar-5.4.29-1.mga3
php-ctype-5.4.29-1.mga3
php-curl-5.4.29-1.mga3
php-dba-5.4.29-1.mga3
php-dom-5.4.29-1.mga3
php-enchant-5.4.29-1.mga3
php-exif-5.4.29-1.mga3
php-fileinfo-5.4.29-1.mga3
php-filter-5.4.29-1.mga3
php-ftp-5.4.29-1.mga3
php-gd-5.4.29-1.mga3
php-gettext-5.4.29-1.mga3
php-gmp-5.4.29-1.mga3
php-hash-5.4.29-1.mga3
php-iconv-5.4.29-1.mga3
php-imap-5.4.29-1.mga3
php-interbase-5.4.29-1.mga3
php-intl-5.4.29-1.mga3
php-json-5.4.29-1.mga3
php-ldap-5.4.29-1.mga3
php-mbstring-5.4.29-1.mga3
php-mcrypt-5.4.29-1.mga3
php-mssql-5.4.29-1.mga3
php-mysql-5.4.29-1.mga3
php-mysqli-5.4.29-1.mga3
php-mysqlnd-5.4.29-1.mga3
php-odbc-5.4.29-1.mga3
php-pcntl-5.4.29-1.mga3
php-pdo-5.4.29-1.mga3
php-pdo_dblib-5.4.29-1.mga3
php-pdo_firebird-5.4.29-1.mga3
php-pdo_mysql-5.4.29-1.mga3
php-pdo_odbc-5.4.29-1.mga3
php-pdo_pgsql-5.4.29-1.mga3
php-pdo_sqlite-5.4.29-1.mga3
php-pgsql-5.4.29-1.mga3
php-phar-5.4.29-1.mga3
php-posix-5.4.29-1.mga3
php-readline-5.4.29-1.mga3
php-recode-5.4.29-1.mga3
php-session-5.4.29-1.mga3
php-shmop-5.4.29-1.mga3
php-snmp-5.4.29-1.mga3
php-soap-5.4.29-1.mga3
php-sockets-5.4.29-1.mga3
php-sqlite3-5.4.29-1.mga3
php-sybase_ct-5.4.29-1.mga3
php-sysvmsg-5.4.29-1.mga3
php-sysvsem-5.4.29-1.mga3
php-sysvshm-5.4.29-1.mga3
php-tidy-5.4.29-1.mga3
php-tokenizer-5.4.29-1.mga3
php-xml-5.4.29-1.mga3
php-xmlreader-5.4.29-1.mga3
php-xmlrpc-5.4.29-1.mga3
php-xmlwriter-5.4.29-1.mga3
php-xsl-5.4.29-1.mga3
php-wddx-5.4.29-1.mga3
php-zip-5.4.29-1.mga3
php-fpm-5.4.29-1.mga3
php-apc-3.1.14-7.7.mga3
php-apc-admin-3.1.14-7.7.mga3
php-timezonedb-2014.2-1.mga3
php-gd-bundled-5.4.29-1.mga3
php-ini-5.5.13-1.mga4
apache-mod_php-5.5.13-1.mga4
php-cli-5.5.13-1.mga4
php-cgi-5.5.13-1.mga4
libphp5_common5-5.5.13-1.mga4
php-devel-5.5.13-1.mga4
php-openssl-5.5.13-1.mga4
php-zlib-5.5.13-1.mga4
php-doc-5.5.13-1.mga4
php-bcmath-5.5.13-1.mga4
php-bz2-5.5.13-1.mga4
php-calendar-5.5.13-1.mga4
php-ctype-5.5.13-1.mga4
php-curl-5.5.13-1.mga4
php-dba-5.5.13-1.mga4
php-dom-5.5.13-1.mga4
php-enchant-5.5.13-1.mga4
php-exif-5.5.13-1.mga4
php-fileinfo-5.5.13-1.mga4
php-filter-5.5.13-1.mga4
php-ftp-5.5.13-1.mga4
php-gd-5.5.13-1.mga4
php-gettext-5.5.13-1.mga4
php-gmp-5.5.13-1.mga4
php-hash-5.5.13-1.mga4
php-iconv-5.5.13-1.mga4
php-imap-5.5.13-1.mga4
php-interbase-5.5.13-1.mga4
php-intl-5.5.13-1.mga4
php-json-5.5.13-1.mga4
php-ldap-5.5.13-1.mga4
php-mbstring-5.5.13-1.mga4
php-mcrypt-5.5.13-1.mga4
php-mssql-5.5.13-1.mga4
php-mysql-5.5.13-1.mga4
php-mysqli-5.5.13-1.mga4
php-mysqlnd-5.5.13-1.mga4
php-odbc-5.5.13-1.mga4
php-opcache-5.5.13-1.mga4
php-pcntl-5.5.13-1.mga4
php-pdo-5.5.13-1.mga4
php-pdo_dblib-5.5.13-1.mga4
php-pdo_firebird-5.5.13-1.mga4
php-pdo_mysql-5.5.13-1.mga4
php-pdo_odbc-5.5.13-1.mga4
php-pdo_pgsql-5.5.13-1.mga4
php-pdo_sqlite-5.5.13-1.mga4
php-pgsql-5.5.13-1.mga4
php-phar-5.5.13-1.mga4
php-posix-5.5.13-1.mga4
php-readline-5.5.13-1.mga4
php-recode-5.5.13-1.mga4
php-session-5.5.13-1.mga4
php-shmop-5.5.13-1.mga4
php-snmp-5.5.13-1.mga4
php-soap-5.5.13-1.mga4
php-sockets-5.5.13-1.mga4
php-sqlite3-5.5.13-1.mga4
php-sybase_ct-5.5.13-1.mga4
php-sysvmsg-5.5.13-1.mga4
php-sysvsem-5.5.13-1.mga4
php-sysvshm-5.5.13-1.mga4
php-tidy-5.5.13-1.mga4
php-tokenizer-5.5.13-1.mga4
php-xml-5.5.13-1.mga4
php-xmlreader-5.5.13-1.mga4
php-xmlrpc-5.5.13-1.mga4
php-xmlwriter-5.5.13-1.mga4
php-xsl-5.5.13-1.mga4
php-wddx-5.5.13-1.mga4
php-zip-5.5.13-1.mga4
php-fpm-5.5.13-1.mga4
php-apc-3.1.15-4.2.mga4
php-apc-admin-3.1.15-4.2.mga4
php-timezonedb-2014.2-1.mga4

from SRPMS:
php-5.4.29-1.mga3.src.rpm
php-apc-3.1.14-7.9.mga3.src.rpm
php-gd-bundled-5.4.29-1.mga3.src.rpm
php-5.5.13-1.mga4.src.rpm
php-apc-3.1.15-4.4.mga4.src.rpm

CC: (none) => oe
Assignee: oe => qa-bugs

Testing complete mga4 64

Testing with the new wordpress in updates testing, http://localhost/php-apc, owncloud and the snippet below (which uses the libmagic function built into php) saved to snippet.php and run with 'php snippet.php'

$ cat snippet.php

<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
foreach (glob("*") as $filename) {
    echo $filename . "    " . finfo_file($finfo, $filename) . "\n";
}
finfo_close($finfo);
?>

It should show file information for all files in the current directory.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Testing mga3 32

php-fileinfo doesn't appear to be working, or perhaps uses a different syntax in the older php version. I don't have time to debug it at the moment, I'm on my way out.

Tried restarting httpd and checked /etc/php.d/32_fileinfo.ini which has..
extension = fileinfo.so

# php -n snippet.php 

Fatal error: Call to undefined function finfo_open() in /root/snippet.php on line 2

php -i | grep fileinfo shows..

fileinfo
fileinfo support => enabled

so may be different syntax, but I can't check until later.

Testing complete mga3 32

This is working today for some reason. It showed no output yesterday but the machine has been rebooted since.

$ php snippet.php
song.mp3    audio/mpeg
picture.png    image/png
...etc

php -n snippet.php shows an error but checking what it actually does, now I have time, shows I was both rushing and acting on bad info. It tells php to use no php.ini file which is obviously a bad idea. I suspect I hadn't tried php without -n after restarting httpd but will confirm with mga3 64 next..

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Testing complete mga3 64

No issues.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Update pushed:
http://advisories.mageia.org/MGASA-2014-0258.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED