Bug 13532 - php new security issue CVE-2014-4049
: php new security issue CVE-2014-4049
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/602548/
: MGA3TOO advisory MGA3-64-OK MGA3-32-O...
: validated_update
:
: 13021
  Show dependency treegraph
 
Reported: 2014-06-17 19:22 CEST by David Walser
Modified: 2014-07-09 19:30 CEST (History)
6 users (show)

See Also:
Source RPM: php-5.5.13-1.mga4.src.rpm
CVE:
Status comment:


Attachments
php files before and after update MGA3-32 (14.41 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-06-30 17:49 CEST, William Kenney
Details
php files before, after update then after a full system update MGA3-32 (14.49 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-07-01 00:49 CEST, William Kenney
Details
php files before, after update then after a full system update MGA3-64 (14.29 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-07-01 01:20 CEST, William Kenney
Details
php files before, after update then after a full system update MGA4-32 (14.85 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-07-01 01:53 CEST, William Kenney
Details
php files before, after update then after a full system update MGA4-64 (15.48 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-07-01 02:27 CEST, William Kenney
Details
retest, php files before, after update then after a full system update MGA4-32 (14.93 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-07-01 18:24 CEST, William Kenney
Details

Description David Walser 2014-06-17 19:22:55 CEST
Debian has issued an advisory on June 16:
https://www.debian.org/security/2014/dsa-2961

I previously posted about this here:
https://bugs.mageia.org/show_bug.cgi?id=13021#c6

There are also issues in the bundled libgd in Mageia 3 (which is fixed in SVN for Bug 13021) and issues in the bundled libmagic which don't have public CVEs yet that I posted about here:
https://bugs.mageia.org/show_bug.cgi?id=13021#c7

We'll fix all of these in our next PHP update when upstream releases new versions.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-06-27 17:38:22 CEST
PHP versions 5.4.30 and 5.5.14 have been released on June 26:
http://www.php.net/archive/2014.php#id2014-06-26-1
http://www.php.net/archive/2014.php#id2014-06-27-1
http://www.php.net/ChangeLog-5.php#5.4.30
http://www.php.net/ChangeLog-5.php#5.5.14

This update will fix:
- An issue in bundled libgd for Mageia 3 (Bug 13021, CVE-2014-2497)
- Issues in bundled libmagic (CVE-2014-0207, CVE-2014-3478, CVE-2014-3479,
  CVE-2014-3480, CVE-2014-3487, see Bug 13603 for the file package)
- A DNS issue, original subject of this bug (CVE-2014-4049)
- An issue with the unserialize() function (CVE-2014-3515)
- A /tmp-file issue in the configure script, only affects those building PHP
  (CVE-2014-3981)
Comment 2 David Walser 2014-06-27 18:27:36 CEST
Updated packages uploaded for Mageia 3 and Mageia 4.

It would be nice to have a better description for CVE-2014-3515, but this is all I can find for now.

I haven't listed CVE-2014-3981, due to it only affecting those building the package.

Note to QA: please note the PoC for the libgd issue in the Mageia 3 update in Bug 13021.

Advisory (Mageia 3):
========================

Updated php packages fix security vulnerabilities:

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types
(CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in
the DNS TXT record parsing. A malicious server or man-in-the-middle attacker
could possibly use this flaw to execute arbitrary code as the PHP interpreter
if a PHP application uses dns_get_record() to perform a DNS query
(CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files, where the mconvert() function did not correctly
compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from
Composite Document Files (CDF) files, due to insufficient boundary checks on
buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

PHP contains a bundled copy of the file utility's libmagic library, so it was
vulnerable to this issue. It has been updated to versions 5.4.30 and 5.5.14,
which fix this issue and several other bugs.

Also, PHP contains a bundled copy of the GD image library, and has been
patched to correct an issue in the imagecreatefromxpm function which allows
remote attackers to cause a denial of service (NULL pointer dereference and
application crash) via a crafted color table in an XPM file (CVE-2014-2497).

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
http://www.php.net/archive/2014.php#id2014-06-26-1
http://www.php.net/ChangeLog-5.php#5.4.30
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.30-1.mga3
apache-mod_php-5.4.30-1.mga3
php-cli-5.4.30-1.mga3
php-cgi-5.4.30-1.mga3
libphp5_common5-5.4.30-1.mga3
php-devel-5.4.30-1.mga3
php-openssl-5.4.30-1.mga3
php-zlib-5.4.30-1.mga3
php-doc-5.4.30-1.mga3
php-bcmath-5.4.30-1.mga3
php-bz2-5.4.30-1.mga3
php-calendar-5.4.30-1.mga3
php-ctype-5.4.30-1.mga3
php-curl-5.4.30-1.mga3
php-dba-5.4.30-1.mga3
php-dom-5.4.30-1.mga3
php-enchant-5.4.30-1.mga3
php-exif-5.4.30-1.mga3
php-fileinfo-5.4.30-1.mga3
php-filter-5.4.30-1.mga3
php-ftp-5.4.30-1.mga3
php-gd-5.4.30-1.mga3
php-gettext-5.4.30-1.mga3
php-gmp-5.4.30-1.mga3
php-hash-5.4.30-1.mga3
php-iconv-5.4.30-1.mga3
php-imap-5.4.30-1.mga3
php-interbase-5.4.30-1.mga3
php-intl-5.4.30-1.mga3
php-json-5.4.30-1.mga3
php-ldap-5.4.30-1.mga3
php-mbstring-5.4.30-1.mga3
php-mcrypt-5.4.30-1.mga3
php-mssql-5.4.30-1.mga3
php-mysql-5.4.30-1.mga3
php-mysqli-5.4.30-1.mga3
php-mysqlnd-5.4.30-1.mga3
php-odbc-5.4.30-1.mga3
php-pcntl-5.4.30-1.mga3
php-pdo-5.4.30-1.mga3
php-pdo_dblib-5.4.30-1.mga3
php-pdo_firebird-5.4.30-1.mga3
php-pdo_mysql-5.4.30-1.mga3
php-pdo_odbc-5.4.30-1.mga3
php-pdo_pgsql-5.4.30-1.mga3
php-pdo_sqlite-5.4.30-1.mga3
php-pgsql-5.4.30-1.mga3
php-phar-5.4.30-1.mga3
php-posix-5.4.30-1.mga3
php-readline-5.4.30-1.mga3
php-recode-5.4.30-1.mga3
php-session-5.4.30-1.mga3
php-shmop-5.4.30-1.mga3
php-snmp-5.4.30-1.mga3
php-soap-5.4.30-1.mga3
php-sockets-5.4.30-1.mga3
php-sqlite3-5.4.30-1.mga3
php-sybase_ct-5.4.30-1.mga3
php-sysvmsg-5.4.30-1.mga3
php-sysvsem-5.4.30-1.mga3
php-sysvshm-5.4.30-1.mga3
php-tidy-5.4.30-1.mga3
php-tokenizer-5.4.30-1.mga3
php-xml-5.4.30-1.mga3
php-xmlreader-5.4.30-1.mga3
php-xmlrpc-5.4.30-1.mga3
php-xmlwriter-5.4.30-1.mga3
php-xsl-5.4.30-1.mga3
php-wddx-5.4.30-1.mga3
php-zip-5.4.30-1.mga3
php-fpm-5.4.30-1.mga3
php-apc-3.1.14-7.10.mga3
php-apc-admin-3.1.14-7.10.mga3
php-gd-bundled-5.4.30-1.mga3

from SRPMS:
php-5.4.30-1.mga3.src.rpm
php-apc-3.1.14-7.10.mga3.src.rpm
php-gd-bundled-5.4.30-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated php packages fix security vulnerabilities:

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types
(CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in
the DNS TXT record parsing. A malicious server or man-in-the-middle attacker
could possibly use this flaw to execute arbitrary code as the PHP interpreter
if a PHP application uses dns_get_record() to perform a DNS query
(CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files, where the mconvert() function did not correctly
compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from
Composite Document Files (CDF) files, due to insufficient boundary checks on
buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

PHP contains a bundled copy of the file utility's libmagic library, so it was
vulnerable to this issue. It has been updated to versions 5.4.30 and 5.5.14,
which fix this issue and several other bugs.

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
http://www.php.net/archive/2014.php#id2014-06-27-1
http://www.php.net/ChangeLog-5.php#5.5.14
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.14-1.mga4
apache-mod_php-5.5.14-1.mga4
php-cli-5.5.14-1.mga4
php-cgi-5.5.14-1.mga4
libphp5_common5-5.5.14-1.mga4
php-devel-5.5.14-1.mga4
php-openssl-5.5.14-1.mga4
php-zlib-5.5.14-1.mga4
php-doc-5.5.14-1.mga4
php-bcmath-5.5.14-1.mga4
php-bz2-5.5.14-1.mga4
php-calendar-5.5.14-1.mga4
php-ctype-5.5.14-1.mga4
php-curl-5.5.14-1.mga4
php-dba-5.5.14-1.mga4
php-dom-5.5.14-1.mga4
php-enchant-5.5.14-1.mga4
php-exif-5.5.14-1.mga4
php-fileinfo-5.5.14-1.mga4
php-filter-5.5.14-1.mga4
php-ftp-5.5.14-1.mga4
php-gd-5.5.14-1.mga4
php-gettext-5.5.14-1.mga4
php-gmp-5.5.14-1.mga4
php-hash-5.5.14-1.mga4
php-iconv-5.5.14-1.mga4
php-imap-5.5.14-1.mga4
php-interbase-5.5.14-1.mga4
php-intl-5.5.14-1.mga4
php-json-5.5.14-1.mga4
php-ldap-5.5.14-1.mga4
php-mbstring-5.5.14-1.mga4
php-mcrypt-5.5.14-1.mga4
php-mssql-5.5.14-1.mga4
php-mysql-5.5.14-1.mga4
php-mysqli-5.5.14-1.mga4
php-mysqlnd-5.5.14-1.mga4
php-odbc-5.5.14-1.mga4
php-opcache-5.5.14-1.mga4
php-pcntl-5.5.14-1.mga4
php-pdo-5.5.14-1.mga4
php-pdo_dblib-5.5.14-1.mga4
php-pdo_firebird-5.5.14-1.mga4
php-pdo_mysql-5.5.14-1.mga4
php-pdo_odbc-5.5.14-1.mga4
php-pdo_pgsql-5.5.14-1.mga4
php-pdo_sqlite-5.5.14-1.mga4
php-pgsql-5.5.14-1.mga4
php-phar-5.5.14-1.mga4
php-posix-5.5.14-1.mga4
php-readline-5.5.14-1.mga4
php-recode-5.5.14-1.mga4
php-session-5.5.14-1.mga4
php-shmop-5.5.14-1.mga4
php-snmp-5.5.14-1.mga4
php-soap-5.5.14-1.mga4
php-sockets-5.5.14-1.mga4
php-sqlite3-5.5.14-1.mga4
php-sybase_ct-5.5.14-1.mga4
php-sysvmsg-5.5.14-1.mga4
php-sysvsem-5.5.14-1.mga4
php-sysvshm-5.5.14-1.mga4
php-tidy-5.5.14-1.mga4
php-tokenizer-5.5.14-1.mga4
php-xml-5.5.14-1.mga4
php-xmlreader-5.5.14-1.mga4
php-xmlrpc-5.5.14-1.mga4
php-xmlwriter-5.5.14-1.mga4
php-xsl-5.5.14-1.mga4
php-wddx-5.5.14-1.mga4
php-zip-5.5.14-1.mga4
php-fpm-5.5.14-1.mga4
php-apc-3.1.15-4.5.mga4
php-apc-admin-3.1.15-4.5.mga4

from SRPMS:
php-5.5.14-1.mga4.src.rpm
php-apc-3.1.15-4.5.mga4.src.rpm
Comment 3 William Kenney 2014-06-30 17:48:06 CEST
Package(s) under test:
drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.29-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.29-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.30-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.30-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 4 William Kenney 2014-06-30 17:49:06 CEST
Created attachment 5224 [details]
php files before and after update MGA3-32
Comment 5 David Walser 2014-06-30 23:14:59 CEST
LWN reference for the /tmp-file, libmagic, and unserialize issues:
http://lwn.net/Vulnerabilities/603974/
Comment 6 David Walser 2014-06-30 23:15:33 CEST
(In reply to William Kenney from comment #4)
> Created attachment 5224 [details]
> php files before and after update MGA3-32

Your "After update" column lists several php packages that you haven't yet updated to the 5.4.30 testing versions.
Comment 7 William Kenney 2014-06-30 23:27:29 CEST
(In reply to David Walser from comment #6)

> Your "After update" column lists several php packages that you haven't yet
> updated to the 5.4.30 testing versions.

Yep, ran out of time. Next time I bring this up I'm gonna
let the entire Vbox client update, reboot, and run the
listing again. Hopefully things will be ok. If that all
works I'll run the same process on the other three clients.
Comment 8 William Kenney 2014-07-01 00:49:38 CEST
Created attachment 5226 [details]
php files before, after update then after a full system update  MGA3-32
Comment 9 William Kenney 2014-07-01 01:19:36 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.29-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.29-1.mga3.x86_64 is already installed
Marking php-ini as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.30-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.30-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 10 William Kenney 2014-07-01 01:20:58 CEST
Created attachment 5227 [details]
php files before, after update then after a full system update  MGA3-64
Comment 11 William Kenney 2014-07-01 01:50:16 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 12 William Kenney 2014-07-01 01:53:57 CEST
Created attachment 5228 [details]
php files before, after update then after a full system update  MGA4-32
Comment 13 David Walser 2014-07-01 02:01:54 CEST
(In reply to William Kenney from comment #12)
> Created attachment 5228 [details]
> php files before, after update then after a full system update  MGA4-32

Also shows several php packages not updated to 5.5.14.
Comment 14 William Kenney 2014-07-01 02:13:24 CEST
(In reply to David Walser from comment #13)

> Also shows several php packages not updated to 5.5.14.

Almost through M4 64-bit. Once I'm finished lets think about this.
I'm see'n some wrinkles in M4.
Comment 15 William Kenney 2014-07-01 02:25:21 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.13-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.13-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.14-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.14-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud no longer opens or runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 16 William Kenney 2014-07-01 02:27:04 CEST
Created attachment 5229 [details]
php files before, after update then after a full system update  MGA4-64
Comment 17 William Kenney 2014-07-01 02:29:47 CEST
There were no available updates between the update_testing of php-ini
and a full system update for either M4-32bit or M4-64bit. Also notice
that owncloud didn't work after the update_testing on M4-64bit.
Comment 18 David Walser 2014-07-01 02:49:14 CEST
(In reply to William Kenney from comment #17)
> There were no available updates between the update_testing of php-ini
> and a full system update for either M4-32bit or M4-64bit. Also notice
> that owncloud didn't work after the update_testing on M4-64bit.

In both of your Mageia 4 tests, you didn't update all of the php packages before testing.  Please pay attention to the package lists and install all relevant packages.
Comment 19 William Kenney 2014-07-01 02:59:34 CEST
(In reply to David Walser from comment #18)

> In both of your Mageia 4 tests, you didn't update all of the php packages
> before testing.  Please pay attention to the package lists and install all
> relevant packages.

First go through I only deal with updates listed in the MCC with:

drupal glpi owncloud php-fpm php-ini phpmyadmin

If they're not listed there they ain't updated. 2nd time through
I do a complete update of the system and in both of those trys
with M4 there were no updates to update. I'll run the M4 testing
again tomorrow from scratch.

My local repo updates at 04:02AM everyday so I'm dealing with a
static repo.
Comment 20 David Walser 2014-07-01 03:45:46 CEST
William, I'm not sure what procedure that you're using to install the updates, but we have documented on the wiki a procedure that works pretty well.  See #2 "Installing the Update Candidate" here:
https://wiki.mageia.org/en/QA_process_for_validating_updates#Test_the_update_candidate

Basically the idea is that you temporarily enable the testing repository, run MageiaUpdate and it will propose all packages that you have installed that have updated versions available, and then you go through and check all of the packages listed there that are also listed in the bug report as being a part of that particular update.  Then you disable the testing repository.
Comment 21 William Kenney 2014-07-01 04:09:01 CEST
(In reply to David Walser from comment #20)

> Basically the idea is that you temporarily enable the testing repository,
> run MageiaUpdate and it will propose all packages that you have installed
> that have updated versions available,

Ya, that's pretty much what I'm do'n here. M3 worked fine, M4 seems to
have issues. I'll rerun the M4 thing all over again tomorrow ( Tues ) when
I have clear head. Thanks for the help.
Comment 22 William Kenney 2014-07-01 18:23:42 CEST
Retest

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 23 William Kenney 2014-07-01 18:24:19 CEST
Created attachment 5231 [details]
retest, php files before, after update then after a full system update  MGA4-32
Comment 24 David Walser 2014-07-01 18:46:06 CEST
(In reply to William Kenney from comment #23)
> Created attachment 5231 [details]
> retest, php files before, after update then after a full system update 
> MGA4-32

From a quick glance I noticed that apache-mod_php still wasn't updated.
Comment 25 William Kenney 2014-07-01 19:26:21 CEST
(In reply to David Walser from comment #24)

> From a quick glance I noticed that apache-mod_php still wasn't updated.

Well clearly, IMO, we need a better way to test this.
php-ini is not updating all the php files on the system.
There appears to be over 80 php related files that need
to be updated and having to go through them one by one
to make sure they are updated is not a good way to update
and test. Throw in the database issue and it becomes overly
complex.

I'm also running into an M4-64bit owncloud issue. Before the
update I can log in using the system root and PW. After that
that don't work anymore. M3-32/64bit and M4-32bit that works fine.
Comment 26 David Walser 2014-07-01 19:30:52 CEST
(In reply to William Kenney from comment #25)
> Well clearly, IMO, we need a better way to test this.

There are a lot of subpackages and yes it tedious (and possibly error-prone) clicking all of them, but that's the procedure currently.  It would be great if we had a better tool for handling this than MageiaUpdate, but currently we don't.  We need to find developers interested in developing one :o)

My idea is that we have a simplified update tool that lists packages by their Source RPM rather than individual RPMs.  Listing the individual RPMs I think is TMI for most users, and I think the use case of allowing users to only update some subpackages but not others from the same SRPM is very limited and not something we should really be supporting anyway.

Anyway, that's an aside, but in the meantime, when testing updates you just have to be careful and pay attention to the package lists.
Comment 27 claire robinson 2014-07-01 19:33:37 CEST
It can be helpful to sort the packages in MageiaUpdate according to version.

It doesn't always help as some with lots of packages are also lots of versions.
Comment 28 David Walser 2014-07-01 19:37:17 CEST
(In reply to claire robinson from comment #27)
> It can be helpful to sort the packages in MageiaUpdate according to version.
> 
> It doesn't always help as some with lots of packages are also lots of
> versions.

Even still, that's a really good suggestion.  It didn't occur to me that you could do that :o)
Comment 29 William Kenney 2014-07-01 19:55:36 CEST
I'd kinda like to get this php behind us before we really
launch into M5 isos. This thing can be a time burner.
Anyway, I'm gonna take a break from it and try again.
Many thanks to David for the help. This is probably
a subject for the qa-meeting on Thurs.
Comment 30 Lewis Smith 2014-07-02 22:02:10 CEST
Just to say that I shall be trying MGA4 64-bit.
Comment 31 William Kenney 2014-07-03 19:26:20 CEST
I brute forced it this morning. Installed every file listed in
Comment #2 ( 74 files ) using the MCC, that installed over 150 files.
There was one conflict before install. rpm -qa | grep php- comes
up with a list of 85 files. Most match but about a dozen don't.
This may be a Mission Impossible. We'll talk about it at the
QA meeting.
Comment 32 William Murphy 2014-07-05 21:29:10 CEST
Tested on Mageia 3 & 4 for both i586 & x86_64 archs

Steps taken:
1: Updated each system without testing repos enabled.

2: Installed all packages listed above and webmin (for testing purposes). Mediawiki already installed. For conflicting packages, installed one, tested then replaced with conflicting package before and after updating. Verified that all packages do install correctly. 
   Conflicting packages found:
     Mageia 3: php-gd conflicts with php-gd-bundled.
     Mageia 4: php-opcache conflicts with php-apc, php-apc-admin.

3: Turned on php debugging to syslog in /etc/php.ini and set it to E_ALL.

4: Ran tests. Searched around, but found only one, the gd library's xpm bug.

   Tried running from command line (PoC: https://bugs.php.net/bug.php?id=66901):
     php -r 'var_dump(imagecreatefromxpm("foo.xpm"));'
   Results: 
   	    Mageia 3 & 4, i586 & x86_64: segfault

   Checked mediawiki and webmin to make sure they were working correclty. They were.

5: Enabled testing repositories and updated php-*, apache-mod_php and libphp5 (or lib64php5).

6: Ran tests again. 
   The PoC for the php-gd bug now reports 'bool(false)' and posts a warning to logs. 

   Mediawiki and webmin still function correctly after update and logs show no obvious errors.

   No segfaults reported in logs after restarting apache with php-opcache installed and enabled in php.ini (Bug #12995). Could be blind luck.

   Note for Mageia 4: libgd3 (or lib64gd3) needs to be upgraded from mageia 4 testing repositories as well or php-gd still segfaults after updating.

All packages install correctly. The two php intensive packages tested still functioned without complaint. 


Testing complete.

------------------------------------------
Update validated.
Thanks.

Advisories:
See comment #2

SRPMS: 
php-5.4.30-1.mga3.src.rpm
php-apc-3.1.14-7.10.mga3.src.rpm
php-gd-bundled-5.4.30-1.mga3.src.rpm
php-5.5.14-1.mga4.src.rpm
php-apc-3.1.15-4.5.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------
Comment 33 claire robinson 2014-07-07 15:03:51 CEST
Separate advisories uploaded 13532.mga3.adv & 13532.mga4.adv
Comment 34 David Walser 2014-07-07 20:59:10 CEST
A CVE has been assigned for another one of the bugs fixed in these updates:
http://openwall.com/lists/oss-security/2014/07/06/6

Could someone please add the following stanza and reference to the advisories?

The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion
issue that can cause it to leak arbitrary process memory (CVE-2014-4721).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721
Comment 35 claire robinson 2014-07-08 16:48:50 CEST
13532.mga3.adv & 13532.mga4.adv updated.
Comment 37 David Walser 2014-07-09 19:30:30 CEST
LWN reference for CVE-2014-4721:
http://lwn.net/Vulnerabilities/604856/

Note You need to log in before you can comment on or make changes to this bug.