Upstream has released versions 5.4.34, 5.5.18, and 5.6.2 on October 16:
http://php.net/archive/2014.php
http://php.net/ChangeLog-5.php

The announcements say that 4 CVEs were fixed in 5.5.18 and 6 security issues were fixed in 5.4.34, but only 3 CVEs are listed.

PHP 5.6.2 is checked into SVN in Cauldron (by Oden) and needs a freeze push.

PHP 5.4.34 and 5.5.18 are checked into Mageia 3 and Mageia 4 SVN and have been built, so this update is in progress pending php-apc rebuilds, and also php-gd-bundled for Mageia 3.
Packages built so far: php-ini-5.4.34-1.mga3 apache-mod_php-5.4.34-1.mga3 php-cli-5.4.34-1.mga3 php-cgi-5.4.34-1.mga3 libphp5_common5-5.4.34-1.mga3 php-devel-5.4.34-1.mga3 php-openssl-5.4.34-1.mga3 php-zlib-5.4.34-1.mga3 php-doc-5.4.34-1.mga3 php-bcmath-5.4.34-1.mga3 php-bz2-5.4.34-1.mga3 php-calendar-5.4.34-1.mga3 php-ctype-5.4.34-1.mga3 php-curl-5.4.34-1.mga3 php-dba-5.4.34-1.mga3 php-dom-5.4.34-1.mga3 php-enchant-5.4.34-1.mga3 php-exif-5.4.34-1.mga3 php-fileinfo-5.4.34-1.mga3 php-filter-5.4.34-1.mga3 php-ftp-5.4.34-1.mga3 php-gd-5.4.34-1.mga3 php-gettext-5.4.34-1.mga3 php-gmp-5.4.34-1.mga3 php-hash-5.4.34-1.mga3 php-iconv-5.4.34-1.mga3 php-imap-5.4.34-1.mga3 php-interbase-5.4.34-1.mga3 php-intl-5.4.34-1.mga3 php-json-5.4.34-1.mga3 php-ldap-5.4.34-1.mga3 php-mbstring-5.4.34-1.mga3 php-mcrypt-5.4.34-1.mga3 php-mssql-5.4.34-1.mga3 php-mysql-5.4.34-1.mga3 php-mysqli-5.4.34-1.mga3 php-mysqlnd-5.4.34-1.mga3 php-odbc-5.4.34-1.mga3 php-pcntl-5.4.34-1.mga3 php-pdo-5.4.34-1.mga3 php-pdo_dblib-5.4.34-1.mga3 php-pdo_firebird-5.4.34-1.mga3 php-pdo_mysql-5.4.34-1.mga3 php-pdo_odbc-5.4.34-1.mga3 php-pdo_pgsql-5.4.34-1.mga3 php-pdo_sqlite-5.4.34-1.mga3 php-pgsql-5.4.34-1.mga3 php-phar-5.4.34-1.mga3 php-posix-5.4.34-1.mga3 php-readline-5.4.34-1.mga3 php-recode-5.4.34-1.mga3 php-session-5.4.34-1.mga3 php-shmop-5.4.34-1.mga3 php-snmp-5.4.34-1.mga3 php-soap-5.4.34-1.mga3 php-sockets-5.4.34-1.mga3 php-sqlite3-5.4.34-1.mga3 php-sybase_ct-5.4.34-1.mga3 php-sysvmsg-5.4.34-1.mga3 php-sysvsem-5.4.34-1.mga3 php-sysvshm-5.4.34-1.mga3 php-tidy-5.4.34-1.mga3 php-tokenizer-5.4.34-1.mga3 php-xml-5.4.34-1.mga3 php-xmlreader-5.4.34-1.mga3 php-xmlrpc-5.4.34-1.mga3 php-xmlwriter-5.4.34-1.mga3 php-xsl-5.4.34-1.mga3 php-wddx-5.4.34-1.mga3 php-zip-5.4.34-1.mga3 php-fpm-5.4.34-1.mga3 php-ini-5.5.18-1.mga4 apache-mod_php-5.5.18-1.mga4 php-cli-5.5.18-1.mga4 php-cgi-5.5.18-1.mga4 libphp5_common5-5.5.18-1.mga4 php-devel-5.5.18-1.mga4 php-openssl-5.5.18-1.mga4 php-zlib-5.5.18-1.mga4 php-doc-5.5.18-1.mga4 
php-bcmath-5.5.18-1.mga4 php-bz2-5.5.18-1.mga4 php-calendar-5.5.18-1.mga4 php-ctype-5.5.18-1.mga4 php-curl-5.5.18-1.mga4 php-dba-5.5.18-1.mga4 php-dom-5.5.18-1.mga4 php-enchant-5.5.18-1.mga4 php-exif-5.5.18-1.mga4 php-fileinfo-5.5.18-1.mga4 php-filter-5.5.18-1.mga4 php-ftp-5.5.18-1.mga4 php-gd-5.5.18-1.mga4 php-gettext-5.5.18-1.mga4 php-gmp-5.5.18-1.mga4 php-hash-5.5.18-1.mga4 php-iconv-5.5.18-1.mga4 php-imap-5.5.18-1.mga4 php-interbase-5.5.18-1.mga4 php-intl-5.5.18-1.mga4 php-json-5.5.18-1.mga4 php-ldap-5.5.18-1.mga4 php-mbstring-5.5.18-1.mga4 php-mcrypt-5.5.18-1.mga4 php-mssql-5.5.18-1.mga4 php-mysql-5.5.18-1.mga4 php-mysqli-5.5.18-1.mga4 php-mysqlnd-5.5.18-1.mga4 php-odbc-5.5.18-1.mga4 php-opcache-5.5.18-1.mga4 php-pcntl-5.5.18-1.mga4 php-pdo-5.5.18-1.mga4 php-pdo_dblib-5.5.18-1.mga4 php-pdo_firebird-5.5.18-1.mga4 php-pdo_mysql-5.5.18-1.mga4 php-pdo_odbc-5.5.18-1.mga4 php-pdo_pgsql-5.5.18-1.mga4 php-pdo_sqlite-5.5.18-1.mga4 php-pgsql-5.5.18-1.mga4 php-phar-5.5.18-1.mga4 php-posix-5.5.18-1.mga4 php-readline-5.5.18-1.mga4 php-recode-5.5.18-1.mga4 php-session-5.5.18-1.mga4 php-shmop-5.5.18-1.mga4 php-snmp-5.5.18-1.mga4 php-soap-5.5.18-1.mga4 php-sockets-5.5.18-1.mga4 php-sqlite3-5.5.18-1.mga4 php-sybase_ct-5.5.18-1.mga4 php-sysvmsg-5.5.18-1.mga4 php-sysvsem-5.5.18-1.mga4 php-sysvshm-5.5.18-1.mga4 php-tidy-5.5.18-1.mga4 php-tokenizer-5.5.18-1.mga4 php-xml-5.5.18-1.mga4 php-xmlreader-5.5.18-1.mga4 php-xmlrpc-5.5.18-1.mga4 php-xmlwriter-5.5.18-1.mga4 php-xsl-5.5.18-1.mga4 php-wddx-5.5.18-1.mga4 php-zip-5.5.18-1.mga4 php-fpm-5.5.18-1.mga4 from SRPMS: php-5.4.34-1.mga3.src.rpm php-5.5.18-1.mga4.src.rpm
Whiteboard: (none) => MGA4TOO, MGA3TOO
Freeze push requested for Cauldron.

Remaining needed packages uploaded for Mageia 3 and Mageia 4.

php-apc-3.1.14-7.13.mga3
php-apc-admin-3.1.14-7.13.mga3
php-gd-bundled-5.4.34-1.mga3
php-apc-3.1.15-4.8.mga4
php-apc-admin-3.1.15-4.8.mga4

from SRPMS:
php-apc-3.1.14-7.13.mga3.src.rpm
php-gd-bundled-5.4.34-1.mga3.src.rpm
php-apc-3.1.15-4.8.mga4.src.rpm

Assigning to QA. Package lists in Comment 1 and Comment 2. Advisory to come later. For now, see the references in Comment 0.
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
CC: (none) => oe
Version: Cauldron => 4
Note: We don't seem to be affected by CVE-2014-3668 as this affects the bundled xmlrpc-epi-0.51 and we use the system xmlrpc-epi-0.54.2 for php-xmlrpc. However chunk two in: http://git.php.net/?p=php-src.git;a=blobdiff_plain;f=ext/xmlrpc/libxmlrpc/xmlrpc.c;h=b766a5495a41b3ecd5eecdcfae901c9068937da0;hp=ce70c2afd909b748f3ddc4560a1c3f882a498014;hb=886b8efbee605b6e5caa2e8d52475077757175fc;hpb=af88793d6dd28c207264fa0440ba5744d1fdc36f does apply but seems to have no effect.
According to the media, the cURL null byte injection flaw is the other security issue fixed in 5.5.18: http://www.internetnews.com/blog/skerner/php-5.6.2-and-5.4.34-update-for-critical-security-flaws.html RedHat has classified CVE-2014-3669 and CVE-2014-3670 as high severity.
Severity: normal => critical
The CVEs have test cases in PHP's test suite, so they're already known to be fixed by the update. CVE-2014-3669 only affects 32-bit systems.

Here's a preliminary advisory.

Advisory:
========================

Updated php packages fix security vulnerabilities:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4, which fix these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://www.php.net/ChangeLog-5.php#5.5.18
http://www.php.net/ChangeLog-5.php#5.4.34
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3669
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3670
https://bugs.php.net/bug.php?id=68089
The Mageia 4 update is being rebuilt to potentially fix an issue in php-zip. php-5.5.18-1.1.mga4.src.rpm
Blocks: (none) => 13820
Blocks: 13820 => (none)
Procedure https://bugs.mageia.org/show_bug.cgi?id=13796#c8 and following comments. Basically: choose a list of PHP webapps and test that they still work.
CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Source RPM: php => php-5.5.18-1.1.mga4.src.rpm
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.32-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.32-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.32-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.32-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.16-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.16-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.16-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.16-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.31-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.5-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
I'm gonna validate this thing in 24-hours unless someone else wants to do some additional testing.
Thanks William. We also need to test that Bug 13820 is fixed. There's a sample script to test it with here: https://bugs.mageia.org/show_bug.cgi?id=13820#c0 I also need to add a note about that to the advisory.
(In reply to David Walser from comment #13)
> Thanks William. We also need to test that Bug 13820 is fixed. There's a
> sample script to test it with here:
> https://bugs.mageia.org/show_bug.cgi?id=13820#c0
>
> I also need to add a note about that to the advisory.

I've still got all 4 Vbox clients so I'll give 'em a go later today or tomorrow. Create a webpage with the code in it and then open the webpage I guess.
Mageia 4, x86_64.

I put the script from bug 13820 in a file named test.php, that I ran with "php" (from "php-cli") before installing the update candidate:

$ php test.php
OPEN OK
Segmentation fault

After the update, it runs fine:

$ php test.php
OPEN OK
ADDFILE OK

Based on William's tests, I consider it MGA4-64-OK.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Fedora and Mandriva have issued advisories for this: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141349.html http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A202/ Mandriva's advisory doesn't include CVE-2014-3669 because it's a 32-bit only issue and their package is 64-bit only.
Advisory:
========================

Updated php packages fix security vulnerabilities:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4, which fix these issues and other bugs.

Additionally, a bug in the php zip extension that could cause a crash on Mageia 4 has been fixed (mga#13820).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://www.php.net/ChangeLog-5.php#5.5.18
http://www.php.net/ChangeLog-5.php#5.4.34
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3669
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3670
https://bugs.php.net/bug.php?id=68089
https://bugs.mageia.org/show_bug.cgi?id=13820
https://bugs.mageia.org/show_bug.cgi?id=14326
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK advisory
URL: (none) => http://lwn.net/Vulnerabilities/617781/
This update is just waiting on the PoC for Bug 13820 being tested on Mageia 3 (i586 and x86_64) and Mageia 4 i586. I had forgotten that I wanted to include php-suhosin (0.9.36 already built in updates_testing) in this update. If someone tests that before this is validated, it can be included, otherwise we'll save it for the next one.
PoC still causes apache to segfault mga4 64
Confirmed ok after manually restarting httpd. Also confirmed with php-cli.
mga3 doesn't suffer the zip segfault but no regression with the update. Both tested with suhosin.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK advisory => MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK
Validating. Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Thanks Claire. Since you tested with the updated suhosin, we'll include that in this update. However, since it didn't fix Bug 13820, that needs to be removed from the advisory.

Source RPMS:
php-5.4.34-1.mga3.src.rpm
php-apc-3.1.14-7.13.mga3.src.rpm
php-gd-bundled-5.4.34-1.mga3.src.rpm
php-suhosin-0.9.36-1.mga3.src.rpm
php-5.5.18-1.mga4.src.rpm
php-apc-3.1.15-4.8.mga4.src.rpm
php-suhosin-0.9.36-1.mga4.src.rpm

Advisory:
========================

Updated php packages fix security vulnerabilities:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4, which fix these issues and other bugs.

Additionally, the suhosin PHP extension has been updated to version 0.9.36.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://www.php.net/ChangeLog-5.php#5.5.18
http://www.php.net/ChangeLog-5.php#5.4.34
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3669
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3670
https://bugs.php.net/bug.php?id=68089
Blocks: 13820 => (none)
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK
We can include it in the advisory. Sorry for the confusion. It does fix bug 13820. httpd needs a manual restart, rather than the automated reload as we've found for various other issues. Mga3 appears not susceptible to the zip problem, at least not causing a segfault.
Advisory updated to..

Additionally, the suhosin PHP extension has been updated to version 0.9.36 and a bug in the php zip extension that could cause a crash on Mageia 4 has been fixed (mga#13820)
(In reply to claire robinson from comment #20)
> PoC still causes apache to segfault mga4 64

Works here.

[oden@localhost BUILD]$ cat 13820.php
<?php
$za = new ZipArchive();
$flags = ZIPARCHIVE::CREATE;
if ($za->open('/tmp/test1.zip', $flags) === TRUE) {
    echo "OPEN OK\n";
    @unlink('/tmp/newfile.txt');
    fopen('/tmp/newfile.txt', 'x+');
    if ($za->addFile('/tmp/newfile.txt', 'newfile.txt') === TRUE) {
        echo "ADDFILE OK\n";
    }
}
$za->addEmptyDir('tot/');
$za->addFromString('emptydir/newfile','mycontent');
$za->close();
?>

[oden@localhost BUILD]$ php 13820.php
OPEN OK
ADDFILE OK
Same file opened under apache: OPEN OK ADDFILE OK
Yep, addressed in comment 25. Thanks for testing though. Ready for a push
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0430.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
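
A version check for the fix levels named in the advisory, as an added example that is not part of the bug thread: it reads `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{SOURCERPM}\n'` output and flags packages built from the php source RPM that are below 5.4.34 (Mageia 3) or 5.5.18 (Mageia 4). The function names and the sample lines are constructed for illustration, and `sort -V` is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical.

# Fixed upstream PHP version per dist tag, as stated in the advisory.
fixed_version_for() {
    case "$1" in
        mga3) echo 5.4.34 ;;
        mga4) echo 5.5.18 ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeed when dotted version A >= B (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_php: read "NAME VERSION RELEASE SOURCERPM" lines on stdin and print
# "NAME VERSION STATUS" for every package built from the php source RPM.
# Returns 1 if any such package is older than the fixed version.
audit_php() {
    rc=0
    while read -r name version release srpm; do
        case "$srpm" in
            php-[0-9]*) ;;      # php-<version>-<release>.src.rpm
            *) continue ;;      # php-apc, web apps etc. carry their own versions
        esac
        dist=${release##*.}     # "1.1.mga4" -> "mga4"
        if ! fixed=$(fixed_version_for "$dist"); then
            echo "$name $version unknown-dist"
        elif version_ge "$version" "$fixed"; then
            echo "$name $version patched"
        else
            echo "$name $version vulnerable"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a Mageia 3 host before the update.
sample_mga3_before() {
cat <<'EOF'
php-ini 5.4.32 1.mga3 php-5.4.32-1.mga3.src.rpm
php-fpm 5.4.32 1.mga3 php-5.4.32-1.mga3.src.rpm
php-apc 3.1.14 7.13.mga3 php-apc-3.1.14-7.13.mga3.src.rpm
drupal 7.31 1.mga3 drupal-7.31-1.mga3.src.rpm
EOF
}

# Constructed sample: a Mageia 4 host after the update.
sample_mga4_after() {
cat <<'EOF'
php-ini 5.5.18 1.1.mga4 php-5.5.18-1.1.mga4.src.rpm
php-fpm 5.5.18 1.1.mga4 php-5.5.18-1.1.mga4.src.rpm
phpmyadmin 4.1.14.6 1.mga4 phpmyadmin-4.1.14.6-1.mga4.src.rpm
EOF
}

# Demo on the constructed samples; on a real host pipe the rpm query in instead.
sample_mga3_before | audit_php || echo "Mageia 3 sample: update needed"
sample_mga4_after | audit_php && echo "Mageia 4 sample: at fixed level"
```

The check compares the upstream version only, so it does not distinguish the 5.5.18-1.mga4 build from the 5.5.18-1.1.mga4 rebuild mentioned in the thread.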