Bug 13476 - php new security issues CVE-2014-0237 and CVE-2014-0238
Summary: php new security issues CVE-2014-0237 and CVE-2014-0238
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/601059/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-03 15:26 CEST by David Walser
Modified: 2014-06-06 20:02 CEST

See Also:
Source RPM: php-5.5.12-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-06-03 15:26:57 CEST
+++ This bug was initially created as a clone of Bug #13460 +++

Upstream has released versions 5.4.29 and 5.5.12 on May 29:
http://www.php.net/archive/2014.php#id2014-05-29-5
http://www.php.net/archive/2014.php#id2014-05-29-3

As with other recent PHP CVEs, these were issues in fileinfo, so the file package may also be affected.

Comment 1 David Walser 2014-06-03 15:27:31 CEST
Let's use this bug for the PHP update.

Depends on: 13460 => (none)
Assignee: bugsquad => oe
Whiteboard: (none) => MGA3TOO

Comment 2 David Walser 2014-06-03 18:39:31 CEST
Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated php packages fix security vulnerabilities:

A flaw was found in the way file's Composite Document Files (CDF) format
parser handles CDF files with many summary info entries.  The
cdf_unpack_summary_info() function unnecessarily repeatedly read the info
from the same offset.  This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount of
CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files.  A property entry with 0 elements triggers an
infinite loop (CVE-2014-0238).

PHP contains a bundled copy of the file utility's libmagic library, so it was
vulnerable to this issue. It has been updated to versions 5.4.29 and 5.5.13,
which fix this issue and several other bugs.

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
http://www.php.net/ChangeLog-5.php#5.4.29
http://www.php.net/ChangeLog-5.php#5.5.13
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0237
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0238
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.29-1.mga3
apache-mod_php-5.4.29-1.mga3
php-cli-5.4.29-1.mga3
php-cgi-5.4.29-1.mga3
libphp5_common5-5.4.29-1.mga3
php-devel-5.4.29-1.mga3
php-openssl-5.4.29-1.mga3
php-zlib-5.4.29-1.mga3
php-doc-5.4.29-1.mga3
php-bcmath-5.4.29-1.mga3
php-bz2-5.4.29-1.mga3
php-calendar-5.4.29-1.mga3
php-ctype-5.4.29-1.mga3
php-curl-5.4.29-1.mga3
php-dba-5.4.29-1.mga3
php-dom-5.4.29-1.mga3
php-enchant-5.4.29-1.mga3
php-exif-5.4.29-1.mga3
php-fileinfo-5.4.29-1.mga3
php-filter-5.4.29-1.mga3
php-ftp-5.4.29-1.mga3
php-gd-5.4.29-1.mga3
php-gettext-5.4.29-1.mga3
php-gmp-5.4.29-1.mga3
php-hash-5.4.29-1.mga3
php-iconv-5.4.29-1.mga3
php-imap-5.4.29-1.mga3
php-interbase-5.4.29-1.mga3
php-intl-5.4.29-1.mga3
php-json-5.4.29-1.mga3
php-ldap-5.4.29-1.mga3
php-mbstring-5.4.29-1.mga3
php-mcrypt-5.4.29-1.mga3
php-mssql-5.4.29-1.mga3
php-mysql-5.4.29-1.mga3
php-mysqli-5.4.29-1.mga3
php-mysqlnd-5.4.29-1.mga3
php-odbc-5.4.29-1.mga3
php-pcntl-5.4.29-1.mga3
php-pdo-5.4.29-1.mga3
php-pdo_dblib-5.4.29-1.mga3
php-pdo_firebird-5.4.29-1.mga3
php-pdo_mysql-5.4.29-1.mga3
php-pdo_odbc-5.4.29-1.mga3
php-pdo_pgsql-5.4.29-1.mga3
php-pdo_sqlite-5.4.29-1.mga3
php-pgsql-5.4.29-1.mga3
php-phar-5.4.29-1.mga3
php-posix-5.4.29-1.mga3
php-readline-5.4.29-1.mga3
php-recode-5.4.29-1.mga3
php-session-5.4.29-1.mga3
php-shmop-5.4.29-1.mga3
php-snmp-5.4.29-1.mga3
php-soap-5.4.29-1.mga3
php-sockets-5.4.29-1.mga3
php-sqlite3-5.4.29-1.mga3
php-sybase_ct-5.4.29-1.mga3
php-sysvmsg-5.4.29-1.mga3
php-sysvsem-5.4.29-1.mga3
php-sysvshm-5.4.29-1.mga3
php-tidy-5.4.29-1.mga3
php-tokenizer-5.4.29-1.mga3
php-xml-5.4.29-1.mga3
php-xmlreader-5.4.29-1.mga3
php-xmlrpc-5.4.29-1.mga3
php-xmlwriter-5.4.29-1.mga3
php-xsl-5.4.29-1.mga3
php-wddx-5.4.29-1.mga3
php-zip-5.4.29-1.mga3
php-fpm-5.4.29-1.mga3
php-apc-3.1.14-7.7.mga3
php-apc-admin-3.1.14-7.7.mga3
php-timezonedb-2014.2-1.mga3
php-gd-bundled-5.4.29-1.mga3
php-ini-5.5.13-1.mga4
apache-mod_php-5.5.13-1.mga4
php-cli-5.5.13-1.mga4
php-cgi-5.5.13-1.mga4
libphp5_common5-5.5.13-1.mga4
php-devel-5.5.13-1.mga4
php-openssl-5.5.13-1.mga4
php-zlib-5.5.13-1.mga4
php-doc-5.5.13-1.mga4
php-bcmath-5.5.13-1.mga4
php-bz2-5.5.13-1.mga4
php-calendar-5.5.13-1.mga4
php-ctype-5.5.13-1.mga4
php-curl-5.5.13-1.mga4
php-dba-5.5.13-1.mga4
php-dom-5.5.13-1.mga4
php-enchant-5.5.13-1.mga4
php-exif-5.5.13-1.mga4
php-fileinfo-5.5.13-1.mga4
php-filter-5.5.13-1.mga4
php-ftp-5.5.13-1.mga4
php-gd-5.5.13-1.mga4
php-gettext-5.5.13-1.mga4
php-gmp-5.5.13-1.mga4
php-hash-5.5.13-1.mga4
php-iconv-5.5.13-1.mga4
php-imap-5.5.13-1.mga4
php-interbase-5.5.13-1.mga4
php-intl-5.5.13-1.mga4
php-json-5.5.13-1.mga4
php-ldap-5.5.13-1.mga4
php-mbstring-5.5.13-1.mga4
php-mcrypt-5.5.13-1.mga4
php-mssql-5.5.13-1.mga4
php-mysql-5.5.13-1.mga4
php-mysqli-5.5.13-1.mga4
php-mysqlnd-5.5.13-1.mga4
php-odbc-5.5.13-1.mga4
php-opcache-5.5.13-1.mga4
php-pcntl-5.5.13-1.mga4
php-pdo-5.5.13-1.mga4
php-pdo_dblib-5.5.13-1.mga4
php-pdo_firebird-5.5.13-1.mga4
php-pdo_mysql-5.5.13-1.mga4
php-pdo_odbc-5.5.13-1.mga4
php-pdo_pgsql-5.5.13-1.mga4
php-pdo_sqlite-5.5.13-1.mga4
php-pgsql-5.5.13-1.mga4
php-phar-5.5.13-1.mga4
php-posix-5.5.13-1.mga4
php-readline-5.5.13-1.mga4
php-recode-5.5.13-1.mga4
php-session-5.5.13-1.mga4
php-shmop-5.5.13-1.mga4
php-snmp-5.5.13-1.mga4
php-soap-5.5.13-1.mga4
php-sockets-5.5.13-1.mga4
php-sqlite3-5.5.13-1.mga4
php-sybase_ct-5.5.13-1.mga4
php-sysvmsg-5.5.13-1.mga4
php-sysvsem-5.5.13-1.mga4
php-sysvshm-5.5.13-1.mga4
php-tidy-5.5.13-1.mga4
php-tokenizer-5.5.13-1.mga4
php-xml-5.5.13-1.mga4
php-xmlreader-5.5.13-1.mga4
php-xmlrpc-5.5.13-1.mga4
php-xmlwriter-5.5.13-1.mga4
php-xsl-5.5.13-1.mga4
php-wddx-5.5.13-1.mga4
php-zip-5.5.13-1.mga4
php-fpm-5.5.13-1.mga4
php-apc-3.1.15-4.2.mga4
php-apc-admin-3.1.15-4.2.mga4
php-timezonedb-2014.2-1.mga4

from SRPMS:
php-5.4.29-1.mga3.src.rpm
php-apc-3.1.14-7.9.mga3.src.rpm
php-gd-bundled-5.4.29-1.mga3.src.rpm
php-5.5.13-1.mga4.src.rpm
php-apc-3.1.15-4.4.mga4.src.rpm

CC: (none) => oe
Assignee: oe => qa-bugs
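
The zero-element stall described in the CVE-2014-0238 advisory text above, shown as an added illustration. It is not part of this bug report and is not libmagic's or PHP's code. It assumes a constructed toy layout rather than the real CDF format, and all function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy layout, NOT the real CDF format: table[i] is the element
 * count declared by the property that starts at slot i, and each element
 * occupies one slot. All names here are hypothetical. */
enum { PARSE_OK = 0, PARSE_STALLED = -1, PARSE_REJECTED = -2 };

static const unsigned char GOOD[] = { 2, 7, 1 };  /* constructed sample */
static const unsigned char ZERO[] = { 1, 0, 1 };  /* constructed: 2nd property has 0 elements */

/* Unfixed pattern: i advances once per element, then steps back one to
 * cancel the outer i++. With a count of 0 nothing advances, so the same
 * slot is parsed forever. The budget only lets the demo report the stall. */
int parse_unfixed(const unsigned char *table, size_t nslots, size_t budget)
{
    size_t steps = 0;
    for (size_t i = 0; i < nslots; i++) {
        if (++steps > budget)
            return PARSE_STALLED;
        unsigned nelements = table[i];
        for (unsigned j = 0; j < nelements && i < nslots; j++, i++)
            ;            /* store one element per slot */
        i--;             /* no net progress when nelements == 0 */
    }
    return PARSE_OK;
}

/* Hardened form: reject a zero or oversized count before looping, so every
 * iteration is guaranteed to move forward. */
int parse_fixed(const unsigned char *table, size_t nslots)
{
    size_t i = 0;
    while (i < nslots) {
        size_t nelements = table[i];
        if (nelements == 0 || nelements > nslots - i)
            return PARSE_REJECTED;
        i += nelements;
    }
    return PARSE_OK;
}

int main(void)
{
    printf("unfixed: good=%d zero=%d\n", parse_unfixed(GOOD, 3, 1000), parse_unfixed(ZERO, 3, 1000));
    printf("fixed:   good=%d zero=%d\n", parse_fixed(GOOD, 3), parse_fixed(ZERO, 3));
    return 0;
}
```
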

Comment 3 claire robinson 2014-06-05 11:29:40 CEST
Testing complete mga4 64

Testing with the new wordpress in updates testing, http://localhost/php-apc, owncloud and the snippet below (which uses the libmagic function built into php) saved to snippet.php and run with 'php snippet.php'

$ cat snippet.php

<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
foreach (glob("*") as $filename) {
    echo $filename . "    " . finfo_file($finfo, $filename) . "\n";
}
finfo_close($finfo);
?>

It should show file information for all files in the current directory.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 4 claire robinson 2014-06-05 11:52:00 CEST
Testing mga3 32

php-fileinfo doesn't appear to be working, or perhaps uses a different syntax in the older php version. I don't have time to debug it at the moment, I'm on my way out.

Tried restarting httpd and checked /etc/php.d/32_fileinfo.ini which has..
extension = fileinfo.so

# php -n snippet.php 

Fatal error: Call to undefined function finfo_open() in /root/snippet.php on line 2
Comment 5 claire robinson 2014-06-05 11:54:29 CEST
php -i | grep fileinfo shows..

fileinfo
fileinfo support => enabled

so may be different syntax, but I can't check until later.
Comment 6 claire robinson 2014-06-06 15:18:03 CEST
Testing complete mga3 32

This is working today for some reason. It showed no output yesterday but the machine has been rebooted since.

$ php snippet.php
song.mp3    audio/mpeg
picture.png    image/png
...etc

php -n snippet.php shows an error but checking what it actually does, now I have time, shows I was both rushing and acting on bad info. It tells php to use no php.ini file which is obviously a bad idea. I suspect I hadn't tried php without -n after restarting httpd but will confirm with mga3 64 next..

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 7 claire robinson 2014-06-06 15:54:06 CEST
Testing complete mga3 64

No issues.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 8 claire robinson 2014-06-06 16:36:07 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 9 claire robinson 2014-06-06 16:40:30 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-06-06 20:02:28 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0258.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

