Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141536.html

The RedHat bug has links to upstream commits in file and PHP to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=1155071
For PHP, we could either wait for the next PHP release, or patch and fix it now. For Mageia 3, we may not have time to wait due to the upcoming EOL.
Version: 4 => Cauldron
Depends on: 14411 => (none)
Assignee: bugsquad => oe
Source RPM: file-5.16-1.6.mga4.src.rpm => php-5.5.18-1.1.mga4.src.rpm
Whiteboard: (none) => MGA4TOO, MGA3TOO
Ubuntu and RedHat have patched this in their PHP update. Here's RedHat's advisory from October 30:
https://rhn.redhat.com/errata/RHSA-2014-1767.html
Here are the upstream commits.
PHP 5.4: http://git.php.net/?p=php-src.git;a=commitdiff;h=1803228597e82218a8c105e67975bc50e6f5bf0d
PHP 5.5/5.6: http://git.php.net/?p=php-src.git;a=commitdiff;h=5b295bf19161b14d6c81151fd89c2f17bd50525c
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. I have a php-timezonedb update in SVN that I'll add to this later if it gets pushed in Cauldron soon enough. The security update is the important thing for now.

Advisory:
========================

Updated php packages fix security vulnerability:

An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of an ELF file. This could possibly lead to file executable crash (CVE-2014-3710).

PHP uses an embedded copy of file's libmagic library, and was therefore affected. It has been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
https://rhn.redhat.com/errata/RHSA-2014-1767.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.34-1.1.mga3
apache-mod_php-5.4.34-1.1.mga3
php-cli-5.4.34-1.1.mga3
php-cgi-5.4.34-1.1.mga3
libphp5_common5-5.4.34-1.1.mga3
php-devel-5.4.34-1.1.mga3
php-openssl-5.4.34-1.1.mga3
php-zlib-5.4.34-1.1.mga3
php-doc-5.4.34-1.1.mga3
php-bcmath-5.4.34-1.1.mga3
php-bz2-5.4.34-1.1.mga3
php-calendar-5.4.34-1.1.mga3
php-ctype-5.4.34-1.1.mga3
php-curl-5.4.34-1.1.mga3
php-dba-5.4.34-1.1.mga3
php-dom-5.4.34-1.1.mga3
php-enchant-5.4.34-1.1.mga3
php-exif-5.4.34-1.1.mga3
php-fileinfo-5.4.34-1.1.mga3
php-filter-5.4.34-1.1.mga3
php-ftp-5.4.34-1.1.mga3
php-gd-5.4.34-1.1.mga3
php-gettext-5.4.34-1.1.mga3
php-gmp-5.4.34-1.1.mga3
php-hash-5.4.34-1.1.mga3
php-iconv-5.4.34-1.1.mga3
php-imap-5.4.34-1.1.mga3
php-interbase-5.4.34-1.1.mga3
php-intl-5.4.34-1.1.mga3
php-json-5.4.34-1.1.mga3
php-ldap-5.4.34-1.1.mga3
php-mbstring-5.4.34-1.1.mga3
php-mcrypt-5.4.34-1.1.mga3
php-mssql-5.4.34-1.1.mga3
php-mysql-5.4.34-1.1.mga3
php-mysqli-5.4.34-1.1.mga3
php-mysqlnd-5.4.34-1.1.mga3
php-odbc-5.4.34-1.1.mga3
php-pcntl-5.4.34-1.1.mga3
php-pdo-5.4.34-1.1.mga3
php-pdo_dblib-5.4.34-1.1.mga3
php-pdo_firebird-5.4.34-1.1.mga3
php-pdo_mysql-5.4.34-1.1.mga3
php-pdo_odbc-5.4.34-1.1.mga3
php-pdo_pgsql-5.4.34-1.1.mga3
php-pdo_sqlite-5.4.34-1.1.mga3
php-pgsql-5.4.34-1.1.mga3
php-phar-5.4.34-1.1.mga3
php-posix-5.4.34-1.1.mga3
php-readline-5.4.34-1.1.mga3
php-recode-5.4.34-1.1.mga3
php-session-5.4.34-1.1.mga3
php-shmop-5.4.34-1.1.mga3
php-snmp-5.4.34-1.1.mga3
php-soap-5.4.34-1.1.mga3
php-sockets-5.4.34-1.1.mga3
php-sqlite3-5.4.34-1.1.mga3
php-sybase_ct-5.4.34-1.1.mga3
php-sysvmsg-5.4.34-1.1.mga3
php-sysvsem-5.4.34-1.1.mga3
php-sysvshm-5.4.34-1.1.mga3
php-tidy-5.4.34-1.1.mga3
php-tokenizer-5.4.34-1.1.mga3
php-xml-5.4.34-1.1.mga3
php-xmlreader-5.4.34-1.1.mga3
php-xmlrpc-5.4.34-1.1.mga3
php-xmlwriter-5.4.34-1.1.mga3
php-xsl-5.4.34-1.1.mga3
php-wddx-5.4.34-1.1.mga3
php-zip-5.4.34-1.1.mga3
php-fpm-5.4.34-1.1.mga3

php-ini-5.5.18-1.2.mga4
apache-mod_php-5.5.18-1.2.mga4
php-cli-5.5.18-1.2.mga4
php-cgi-5.5.18-1.2.mga4
libphp5_common5-5.5.18-1.2.mga4
php-devel-5.5.18-1.2.mga4
php-openssl-5.5.18-1.2.mga4
php-zlib-5.5.18-1.2.mga4
php-doc-5.5.18-1.2.mga4
php-bcmath-5.5.18-1.2.mga4
php-bz2-5.5.18-1.2.mga4
php-calendar-5.5.18-1.2.mga4
php-ctype-5.5.18-1.2.mga4
php-curl-5.5.18-1.2.mga4
php-dba-5.5.18-1.2.mga4
php-dom-5.5.18-1.2.mga4
php-enchant-5.5.18-1.2.mga4
php-exif-5.5.18-1.2.mga4
php-fileinfo-5.5.18-1.2.mga4
php-filter-5.5.18-1.2.mga4
php-ftp-5.5.18-1.2.mga4
php-gd-5.5.18-1.2.mga4
php-gettext-5.5.18-1.2.mga4
php-gmp-5.5.18-1.2.mga4
php-hash-5.5.18-1.2.mga4
php-iconv-5.5.18-1.2.mga4
php-imap-5.5.18-1.2.mga4
php-interbase-5.5.18-1.2.mga4
php-intl-5.5.18-1.2.mga4
php-json-5.5.18-1.2.mga4
php-ldap-5.5.18-1.2.mga4
php-mbstring-5.5.18-1.2.mga4
php-mcrypt-5.5.18-1.2.mga4
php-mssql-5.5.18-1.2.mga4
php-mysql-5.5.18-1.2.mga4
php-mysqli-5.5.18-1.2.mga4
php-mysqlnd-5.5.18-1.2.mga4
php-odbc-5.5.18-1.2.mga4
php-opcache-5.5.18-1.2.mga4
php-pcntl-5.5.18-1.2.mga4
php-pdo-5.5.18-1.2.mga4
php-pdo_dblib-5.5.18-1.2.mga4
php-pdo_firebird-5.5.18-1.2.mga4
php-pdo_mysql-5.5.18-1.2.mga4
php-pdo_odbc-5.5.18-1.2.mga4
php-pdo_pgsql-5.5.18-1.2.mga4
php-pdo_sqlite-5.5.18-1.2.mga4
php-pgsql-5.5.18-1.2.mga4
php-phar-5.5.18-1.2.mga4
php-posix-5.5.18-1.2.mga4
php-readline-5.5.18-1.2.mga4
php-recode-5.5.18-1.2.mga4
php-session-5.5.18-1.2.mga4
php-shmop-5.5.18-1.2.mga4
php-snmp-5.5.18-1.2.mga4
php-soap-5.5.18-1.2.mga4
php-sockets-5.5.18-1.2.mga4
php-sqlite3-5.5.18-1.2.mga4
php-sybase_ct-5.5.18-1.2.mga4
php-sysvmsg-5.5.18-1.2.mga4
php-sysvsem-5.5.18-1.2.mga4
php-sysvshm-5.5.18-1.2.mga4
php-tidy-5.5.18-1.2.mga4
php-tokenizer-5.5.18-1.2.mga4
php-xml-5.5.18-1.2.mga4
php-xmlreader-5.5.18-1.2.mga4
php-xmlrpc-5.5.18-1.2.mga4
php-xmlwriter-5.5.18-1.2.mga4
php-xsl-5.5.18-1.2.mga4
php-wddx-5.5.18-1.2.mga4
php-zip-5.5.18-1.2.mga4
php-fpm-5.5.18-1.2.mga4

from SRPMS:
php-5.4.34-1.1.mga3.src.rpm
php-5.5.18-1.2.mga4.src.rpm
CC: (none) => oe
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
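The advisory above describes an out-of-bounds read while file's donote() reads the note headers of an ELF file. As an added illustration of the check such a reader needs (this is neither file(1)'s donote() nor the upstream patch), the following C code reads ELF note entries and refuses any whose declared name or descriptor size would run past the end of the buffer; it assumes host byte order and uses two constructed sample notes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked reader for ELF note entries (namesz, descsz, type, then
 * name and desc, each padded to 4 bytes). Added to illustrate the check a
 * note reader needs; not file(1)'s donote() or the upstream patch.
 * Assumes host byte order (a real reader honours e_ident[EI_DATA]). */
#define NOTE_HDR_LEN 12u
static uint64_t align4(uint64_t v) { return (v + 3u) & ~(uint64_t)3u; }

/* Size in bytes of the note at buf[off], or 0 when the header, the name
 * or the descriptor would lie outside buf[0..len). */
uint64_t note_size(const unsigned char *buf, size_t len, size_t off,
                   uint32_t *type_out)
{
    uint32_t namesz, descsz, type;
    if (off > len || (uint64_t)(len - off) < NOTE_HDR_LEN)
        return 0;                          /* header itself does not fit */
    memcpy(&namesz, buf + off, 4);         /* memcpy: no unaligned loads */
    memcpy(&descsz, buf + off + 4, 4);
    memcpy(&type, buf + off + 8, 4);
    uint64_t total = NOTE_HDR_LEN + align4(namesz) + align4(descsz);
    if (total > (uint64_t)(len - off))
        return 0;                          /* name/desc would overrun buf */
    if (type_out) *type_out = type;
    return total;
}

/* Number of well-formed notes in buf; stops at the first truncated one. */
int count_notes(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    for (uint64_t sz; off < len && (sz = note_size(buf, len, off, NULL)); n++)
        off += (size_t)sz;
    return n;
}

/* Constructed samples: a valid note ("GNU\0" name, 16-byte desc) and one
 * whose header claims a 4096-byte descriptor the buffer does not hold. */
const unsigned char good_note[32] = { 4,0,0,0, 16,0,0,0, 1,0,0,0, 'G','N','U',0,
                                      0,0,0,0, 3,0,0,0, 2,0,0,0, 0,0,0,0 };
const unsigned char bad_note[16] = { 4,0,0,0, 0,16,0,0, 1,0,0,0, 'G','N','U',0 };

int main(void)
{
    printf("good: %d note(s), bad: %d note(s)\n",   /* good: 1 note(s), bad: 0 note(s) */
           count_notes(good_note, sizeof good_note), count_notes(bad_note, sizeof bad_note));
    return 0;
}
```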
The php-timezonedb package has been updated to the newest version.
php-timezonedb-2014.9-1.mga3
php-timezonedb-2014.9-1.mga4
Tested OK: apache-mod_php-5.5.18-1.2.mga4.x86_64.rpm
I made a simple test to use php after update of the module.
CC: (none) => olivier
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.1.mga4.x86_64 is already installed
Marking php-ini as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.18-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.18-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga4.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Quoting Stormi:

Procedure https://bugs.mageia.org/show_bug.cgi?id=13796#c8 and following comments.

Basically: choose a list of PHP webapps and test that they still work.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
(In reply to Rémi Verschelde from comment #9)
> Procedure https://bugs.mageia.org/show_bug.cgi?id=13796#c8 and following
> comments.

Ya I like that too but I like to make sure that I can do that locally.
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.i586 is already installed
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.mga3.x86_64 is already installed
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

http://www.avsforum.com/ works just fine ( loaded with php )
localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

install php-ini php-fpm drupal glpi owncloud phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.34-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.34-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.32-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.6-1.mga3.noarch is already installed

http://www.avsforum.com/ works just fine ( loaded with php )
localhost/drupal opens
localhost/glpi opens
localhost/owncloud opens and runs
localhost/phpmyadmin opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
If no one else has any issues, let's push this one Monday, 10 Nov.
Why the delay?
(In reply to Rémi Verschelde from comment #14)
> Why the delay?

Lots of busy things going on right now. php gets used in so many ways, 2 more days won't hurt. Unless David Walser thinks this is critical enough to push it now.
It's a denial of service. That can be serious, but I don't know if there are any known exploits for this particular issue. So, the priority is unclear. The impact is minor though, just a small patch on the embedded libmagic, so no reason to wait if it has been tested. We're just looking for obvious regressions here.
It's outta here. For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push this to updates? Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Seems that someone updated PHP in mga4 updates testing before this was pushed :(

Sorry, but I can't move it now because of that, and the older versions of the packages do not seem to be preserved anywhere for easy restoration (that I can see).

We can either:
1) Kill php-5.5.18-1.2.mga4 and resubmit the older version (not looked at svn to see if that would need reverting too tho')
2) Update the advisory and this bug so it only applies to MGA3 and push it there only, with a view to pushing php-5.5 to MGA4 in a fairly short timeframe.
3) ??

I look forward to the day when we ditch updates_testing and have private repos for individual updates, which would avoid this problem! :s (probably creates others of course :D)
CC: (none) => mageia
Hmm, actually, I think I maybe just misread... php-5.5.18 IS the update for MGA4... it's just the advisory that's wrong :) That makes life easier :D
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0441.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED