Bug 14412 - php new security issue CVE-2014-3710
Summary: php new security issue CVE-2014-3710
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/618453/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-29 18:35 CET by David Walser
Modified: 2014-11-12 10:57 CET

See Also:
Source RPM: php-5.5.18-1.1.mga4.src.rpm

Description David Walser 2014-10-29 18:35:50 CET
Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141536.html

The RedHat bug has links to upstream commits in file and PHP to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=1155071

Comment 1 David Walser 2014-10-29 18:36:52 CET
For PHP, we could either wait for the next PHP release, or patch and fix it now.

For Mageia 3, we may not have time to wait due to the upcoming EOL.

Version: 4 => Cauldron
Depends on: 14411 => (none)
Assignee: bugsquad => oe
Source RPM: file-5.16-1.6.mga4.src.rpm => php-5.5.18-1.1.mga4.src.rpm
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 2 David Walser 2014-10-31 15:39:49 CET
Ubuntu and RedHat have patched this in their PHP update.

Here's RedHat's advisory from October 30:
https://rhn.redhat.com/errata/RHSA-2014-1767.html

Comment 4 David Walser 2014-10-31 19:09:02 CET
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I have a php-timezonedb update in SVN that I'll add to this later if it gets pushed in Cauldron soon enough.  The security update is the important thing for now.

Advisory:
========================

Updated php packages fix security vulnerability:

An out-of-bounds read flaw was found in file's donote() function in the way
the file utility determined the note headers of an ELF file. This could
possibly lead to file executable crash (CVE-2014-3710).

PHP uses an embedded copy of file's libmagic library, and was therefore
affected.  It has been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
https://rhn.redhat.com/errata/RHSA-2014-1767.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.34-1.1.mga3
apache-mod_php-5.4.34-1.1.mga3
php-cli-5.4.34-1.1.mga3
php-cgi-5.4.34-1.1.mga3
libphp5_common5-5.4.34-1.1.mga3
php-devel-5.4.34-1.1.mga3
php-openssl-5.4.34-1.1.mga3
php-zlib-5.4.34-1.1.mga3
php-doc-5.4.34-1.1.mga3
php-bcmath-5.4.34-1.1.mga3
php-bz2-5.4.34-1.1.mga3
php-calendar-5.4.34-1.1.mga3
php-ctype-5.4.34-1.1.mga3
php-curl-5.4.34-1.1.mga3
php-dba-5.4.34-1.1.mga3
php-dom-5.4.34-1.1.mga3
php-enchant-5.4.34-1.1.mga3
php-exif-5.4.34-1.1.mga3
php-fileinfo-5.4.34-1.1.mga3
php-filter-5.4.34-1.1.mga3
php-ftp-5.4.34-1.1.mga3
php-gd-5.4.34-1.1.mga3
php-gettext-5.4.34-1.1.mga3
php-gmp-5.4.34-1.1.mga3
php-hash-5.4.34-1.1.mga3
php-iconv-5.4.34-1.1.mga3
php-imap-5.4.34-1.1.mga3
php-interbase-5.4.34-1.1.mga3
php-intl-5.4.34-1.1.mga3
php-json-5.4.34-1.1.mga3
php-ldap-5.4.34-1.1.mga3
php-mbstring-5.4.34-1.1.mga3
php-mcrypt-5.4.34-1.1.mga3
php-mssql-5.4.34-1.1.mga3
php-mysql-5.4.34-1.1.mga3
php-mysqli-5.4.34-1.1.mga3
php-mysqlnd-5.4.34-1.1.mga3
php-odbc-5.4.34-1.1.mga3
php-pcntl-5.4.34-1.1.mga3
php-pdo-5.4.34-1.1.mga3
php-pdo_dblib-5.4.34-1.1.mga3
php-pdo_firebird-5.4.34-1.1.mga3
php-pdo_mysql-5.4.34-1.1.mga3
php-pdo_odbc-5.4.34-1.1.mga3
php-pdo_pgsql-5.4.34-1.1.mga3
php-pdo_sqlite-5.4.34-1.1.mga3
php-pgsql-5.4.34-1.1.mga3
php-phar-5.4.34-1.1.mga3
php-posix-5.4.34-1.1.mga3
php-readline-5.4.34-1.1.mga3
php-recode-5.4.34-1.1.mga3
php-session-5.4.34-1.1.mga3
php-shmop-5.4.34-1.1.mga3
php-snmp-5.4.34-1.1.mga3
php-soap-5.4.34-1.1.mga3
php-sockets-5.4.34-1.1.mga3
php-sqlite3-5.4.34-1.1.mga3
php-sybase_ct-5.4.34-1.1.mga3
php-sysvmsg-5.4.34-1.1.mga3
php-sysvsem-5.4.34-1.1.mga3
php-sysvshm-5.4.34-1.1.mga3
php-tidy-5.4.34-1.1.mga3
php-tokenizer-5.4.34-1.1.mga3
php-xml-5.4.34-1.1.mga3
php-xmlreader-5.4.34-1.1.mga3
php-xmlrpc-5.4.34-1.1.mga3
php-xmlwriter-5.4.34-1.1.mga3
php-xsl-5.4.34-1.1.mga3
php-wddx-5.4.34-1.1.mga3
php-zip-5.4.34-1.1.mga3
php-fpm-5.4.34-1.1.mga3
php-ini-5.5.18-1.2.mga4
apache-mod_php-5.5.18-1.2.mga4
php-cli-5.5.18-1.2.mga4
php-cgi-5.5.18-1.2.mga4
libphp5_common5-5.5.18-1.2.mga4
php-devel-5.5.18-1.2.mga4
php-openssl-5.5.18-1.2.mga4
php-zlib-5.5.18-1.2.mga4
php-doc-5.5.18-1.2.mga4
php-bcmath-5.5.18-1.2.mga4
php-bz2-5.5.18-1.2.mga4
php-calendar-5.5.18-1.2.mga4
php-ctype-5.5.18-1.2.mga4
php-curl-5.5.18-1.2.mga4
php-dba-5.5.18-1.2.mga4
php-dom-5.5.18-1.2.mga4
php-enchant-5.5.18-1.2.mga4
php-exif-5.5.18-1.2.mga4
php-fileinfo-5.5.18-1.2.mga4
php-filter-5.5.18-1.2.mga4
php-ftp-5.5.18-1.2.mga4
php-gd-5.5.18-1.2.mga4
php-gettext-5.5.18-1.2.mga4
php-gmp-5.5.18-1.2.mga4
php-hash-5.5.18-1.2.mga4
php-iconv-5.5.18-1.2.mga4
php-imap-5.5.18-1.2.mga4
php-interbase-5.5.18-1.2.mga4
php-intl-5.5.18-1.2.mga4
php-json-5.5.18-1.2.mga4
php-ldap-5.5.18-1.2.mga4
php-mbstring-5.5.18-1.2.mga4
php-mcrypt-5.5.18-1.2.mga4
php-mssql-5.5.18-1.2.mga4
php-mysql-5.5.18-1.2.mga4
php-mysqli-5.5.18-1.2.mga4
php-mysqlnd-5.5.18-1.2.mga4
php-odbc-5.5.18-1.2.mga4
php-opcache-5.5.18-1.2.mga4
php-pcntl-5.5.18-1.2.mga4
php-pdo-5.5.18-1.2.mga4
php-pdo_dblib-5.5.18-1.2.mga4
php-pdo_firebird-5.5.18-1.2.mga4
php-pdo_mysql-5.5.18-1.2.mga4
php-pdo_odbc-5.5.18-1.2.mga4
php-pdo_pgsql-5.5.18-1.2.mga4
php-pdo_sqlite-5.5.18-1.2.mga4
php-pgsql-5.5.18-1.2.mga4
php-phar-5.5.18-1.2.mga4
php-posix-5.5.18-1.2.mga4
php-readline-5.5.18-1.2.mga4
php-recode-5.5.18-1.2.mga4
php-session-5.5.18-1.2.mga4
php-shmop-5.5.18-1.2.mga4
php-snmp-5.5.18-1.2.mga4
php-soap-5.5.18-1.2.mga4
php-sockets-5.5.18-1.2.mga4
php-sqlite3-5.5.18-1.2.mga4
php-sybase_ct-5.5.18-1.2.mga4
php-sysvmsg-5.5.18-1.2.mga4
php-sysvsem-5.5.18-1.2.mga4
php-sysvshm-5.5.18-1.2.mga4
php-tidy-5.5.18-1.2.mga4
php-tokenizer-5.5.18-1.2.mga4
php-xml-5.5.18-1.2.mga4
php-xmlreader-5.5.18-1.2.mga4
php-xmlrpc-5.5.18-1.2.mga4
php-xmlwriter-5.5.18-1.2.mga4
php-xsl-5.5.18-1.2.mga4
php-wddx-5.5.18-1.2.mga4
php-zip-5.5.18-1.2.mga4
php-fpm-5.5.18-1.2.mga4

from SRPMS:
php-5.4.34-1.1.mga3.src.rpm
php-5.5.18-1.2.mga4.src.rpm

CC: (none) => oe
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
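
The advisory in comment 4 attributes CVE-2014-3710 to an out-of-bounds read while parsing ELF note headers. As an added illustration (not the upstream patch, and not code from file, PHP or this bug report), the C code below walks a note segment with every length field checked against the bytes actually available. The names `next_note`, `count_notes` and `demo` are hypothetical, and the notes are assumed to use the host's byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ELF note header: three 32-bit words, followed by the name and the
 * descriptor, each padded to a 4-byte boundary. */
typedef struct { uint32_t namesz, descsz, type; } note_hdr;

#define ALIGN4(x) (((size_t)(x) + 3u) & ~(size_t)3u)

/* Hypothetical helper: validate the note at buf[off..size) and return the
 * offset of the next note, or 0 if the note does not fit in the buffer.
 * Assumption: notes are stored in the host's byte order. */
size_t next_note(const uint8_t *buf, size_t size, size_t off, note_hdr *h)
{
    if (off > size || size - off < sizeof *h)   /* header itself must fit */
        return 0;
    memcpy(h, buf + off, sizeof *h);            /* avoids an unaligned read */
    off += sizeof *h;

    size_t left = size - off, pad;
    if (h->namesz > left)                       /* size field is untrusted */
        return 0;
    pad = ALIGN4(h->namesz);
    if (pad > left) pad = left;                 /* trailing padding cut off */
    off += pad; left -= pad;

    if (h->descsz > left)                       /* same check for descriptor */
        return 0;
    pad = ALIGN4(h->descsz);
    if (pad > left) pad = left;
    return off + pad;
}

/* Walk a whole note segment: number of notes, or -1 if any is malformed. */
int count_notes(const uint8_t *buf, size_t size)
{
    size_t off = 0; int n = 0; note_hdr h;
    while (off < size) {
        if ((off = next_note(buf, size, off, &h)) == 0) return -1;
        n++;
    }
    return n;
}

/* Constructed sample: one note, name "GNU\0", 4-byte descriptor, type 1.
 * claimed_descsz is what the header says; size is how much is parsed. */
int demo(uint32_t claimed_descsz, size_t size)
{
    uint8_t buf[20] = {0};
    note_hdr h = { 4, claimed_descsz, 1 };
    if (size > sizeof buf) return -1;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + 12, "GNU", 4);
    return count_notes(buf, size);
}

int main(void) { return (demo(4, 20) == 1 && demo(0x1000, 20) == -1) ? 0 : 1; }
```

A header that claims more name or descriptor bytes than remain in the buffer is rejected before any of those bytes are touched, which is the property a note parser needs when the file is untrusted.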

Comment 5 David Walser 2014-11-02 22:33:57 CET
The php-timezonedb package has been updated to the newest version.

php-timezonedb-2014.9-1.mga3
php-timezonedb-2014.9-1.mga4

Comment 6 Olivier FAURAX 2014-11-04 23:12:45 CET
Tested OK: apache-mod_php-5.5.18-1.2.mga4.x86_64.rpm
I made a simple test to use php after update of the module.

CC: (none) => olivier

Comment 7 William Kenney 2014-11-07 16:12:47 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 8 William Kenney 2014-11-07 16:29:54 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.x86_64 is already installed
Marking php-ini as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 9 Rémi Verschelde 2014-11-07 16:42:30 CET
Quoting Stormi:

Procedure https://bugs.mageia.org/show_bug.cgi?id=13796#c8 and following comments.

Basically: choose a list of PHP webapps and test that they still work.

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 10 William Kenney 2014-11-07 16:46:05 CET
(In reply to Rémi Verschelde from comment #9)

> Procedure https://bugs.mageia.org/show_bug.cgi?id=13796#c8 and following
> comments.

Ya I like that too but I like to make sure that I can do that locally.

Comment 11 William Kenney 2014-11-07 16:47:13 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.i586 is already installed
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 12 William Kenney 2014-11-07 17:12:12 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.x86_64 is already installed
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed
http://www.avsforum.com/ works just fine ( loaded with php )

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed
http://www.avsforum.com/ works just fine ( loaded with php )

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 13 William Kenney 2014-11-07 17:36:32 CET
If no one else has any issues let's push this one Monday, 10 Nov

Comment 14 Rémi Verschelde 2014-11-07 17:40:11 CET
Why the delay?

Comment 15 William Kenney 2014-11-07 17:43:25 CET
(In reply to Rémi Verschelde from comment #14)

> Why the delay?

Lots of busy things going on right now. php gets
used in so many ways 2 more days won't hurt.
Unless David Walser thinks this is critical
enough to push it now.

Comment 16 David Walser 2014-11-07 18:18:42 CET
It's a denial of service.  That can be serious, but I don't know if there are any known exploits for this particular issue.  So, the priority is unclear.  The impact is minor though, just a small patch on the embedded libmagic, so no reason to wait if it has been tested.  We're just looking for obvious regressions here.

Comment 17 William Kenney 2014-11-07 21:06:43 CET
It's outta here.
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 18 Rémi Verschelde 2014-11-08 13:01:57 CET
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 19 Colin Guthrie 2014-11-12 10:36:36 CET
Seems that someone updated PHP in mga4 updates testing before this was pushed :(

Sorry, but I can't move it now because of that and the older versions of the packages do not seem to be preserved anywhere for easy restoration (that I can see).

We can either:

1) Kill php-5.5.18-1.2.mga4 and resubmit the older version (not looked at svn to see if that would need reverting too tho')
2) Update the advisory and this bug so it only applies to MGA3 and push it there only with a view to pushing php-5.5 to MGA4 in a fairly short timeframe.
3) ??

I look forward to the day when we ditch updates_testing and have private repos for individual updates which would avoid this problem! :s (probably creates others of course :D)

CC: (none) => mageia

Comment 20 Colin Guthrie 2014-11-12 10:37:55 CET
Hmm, actually, I think I maybe just misread... php-5.5.18 IS the update for MGA4... it's just the advisory that's wrong :) That makes life easier :D

Comment 21 Mageia Robot 2014-11-12 10:57:27 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0441.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

