Bug 14848 - php new security issue CVE-2014-8142
Summary: php new security issue CVE-2014-8142
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627332/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-18 22:51 CET by David Walser
Modified: 2014-12-22 20:25 CET

See Also:
Source RPM: php-5.5.19-1.mga4.src.rpm
CVE:
Status comment:


Attachments
php-5.5.20 test files (900 bytes, application/x-gzip)
2014-12-19 21:49 CET, olivier charles

Description David Walser 2014-12-18 22:51:38 CET
Upstream has released version 5.5.20 today (December 18):
http://php.net/archive/2014.php#id2014-12-18-1
http://php.net/ChangeLog-5.php#5.5.20

It fixes a CVE in unserialize(), as well as some other bugs that may be security relevant.

Version 5.6.4 was also released today, likely fixing the same issues, although the announcement and changelog are not available as of this moment.

I've checked 5.5.20 and 5.6.4 updates in Mageia 4 and Cauldron SVN.

Freeze push requested for Cauldron.

Comment 1 David Walser 2014-12-19 00:38:58 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated php packages fix security vulnerability:

A use-after-free flaw was found in PHP unserialize().  An untrusted input
could cause PHP interpreter to crash or, possibly, execute arbitrary code
when processed using unserialize() (CVE-2014-8412).

PHP has been updated to version 5.5.20, which fixes these issues and other
bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
http://www.php.net/ChangeLog-5.php#5.5.20
https://bugzilla.redhat.com/show_bug.cgi?id=1175718
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.20-1.mga4
apache-mod_php-5.5.20-1.mga4
php-cli-5.5.20-1.mga4
php-cgi-5.5.20-1.mga4
libphp5_common5-5.5.20-1.mga4
php-devel-5.5.20-1.mga4
php-openssl-5.5.20-1.mga4
php-zlib-5.5.20-1.mga4
php-doc-5.5.20-1.mga4
php-bcmath-5.5.20-1.mga4
php-bz2-5.5.20-1.mga4
php-calendar-5.5.20-1.mga4
php-ctype-5.5.20-1.mga4
php-curl-5.5.20-1.mga4
php-dba-5.5.20-1.mga4
php-dom-5.5.20-1.mga4
php-enchant-5.5.20-1.mga4
php-exif-5.5.20-1.mga4
php-fileinfo-5.5.20-1.mga4
php-filter-5.5.20-1.mga4
php-ftp-5.5.20-1.mga4
php-gd-5.5.20-1.mga4
php-gettext-5.5.20-1.mga4
php-gmp-5.5.20-1.mga4
php-hash-5.5.20-1.mga4
php-iconv-5.5.20-1.mga4
php-imap-5.5.20-1.mga4
php-interbase-5.5.20-1.mga4
php-intl-5.5.20-1.mga4
php-json-5.5.20-1.mga4
php-ldap-5.5.20-1.mga4
php-mbstring-5.5.20-1.mga4
php-mcrypt-5.5.20-1.mga4
php-mssql-5.5.20-1.mga4
php-mysql-5.5.20-1.mga4
php-mysqli-5.5.20-1.mga4
php-mysqlnd-5.5.20-1.mga4
php-odbc-5.5.20-1.mga4
php-opcache-5.5.20-1.mga4
php-pcntl-5.5.20-1.mga4
php-pdo-5.5.20-1.mga4
php-pdo_dblib-5.5.20-1.mga4
php-pdo_firebird-5.5.20-1.mga4
php-pdo_mysql-5.5.20-1.mga4
php-pdo_odbc-5.5.20-1.mga4
php-pdo_pgsql-5.5.20-1.mga4
php-pdo_sqlite-5.5.20-1.mga4
php-pgsql-5.5.20-1.mga4
php-phar-5.5.20-1.mga4
php-posix-5.5.20-1.mga4
php-readline-5.5.20-1.mga4
php-recode-5.5.20-1.mga4
php-session-5.5.20-1.mga4
php-shmop-5.5.20-1.mga4
php-snmp-5.5.20-1.mga4
php-soap-5.5.20-1.mga4
php-sockets-5.5.20-1.mga4
php-sqlite3-5.5.20-1.mga4
php-sybase_ct-5.5.20-1.mga4
php-sysvmsg-5.5.20-1.mga4
php-sysvsem-5.5.20-1.mga4
php-sysvshm-5.5.20-1.mga4
php-tidy-5.5.20-1.mga4
php-tokenizer-5.5.20-1.mga4
php-xml-5.5.20-1.mga4
php-xmlreader-5.5.20-1.mga4
php-xmlrpc-5.5.20-1.mga4
php-xmlwriter-5.5.20-1.mga4
php-xsl-5.5.20-1.mga4
php-wddx-5.5.20-1.mga4
php-zip-5.5.20-1.mga4
php-fpm-5.5.20-1.mga4
php-apc-3.1.15-4.10.mga4
php-apc-admin-3.1.15-4.10.mga4

from SRPMS:
php-5.5.20-1.mga4.src.rpm
php-apc-3.1.15-4.10.mga4.src.rpm

Severity: normal => major
Assignee: bugsquad => qa-bugs

Comment 2 olivier charles 2014-12-19 21:49:03 CET
Created attachment 5737 [details]
php-5.5.20 test files


The link provided by David in the Description:
http://php.net/ChangeLog-5.php#5.5.20

gives several scripts which can be used as PoCs.

In the attached tarball, I've put those concerning core PHP.

CC: (none) => olchal

Comment 3 olivier charles 2014-12-20 15:01:18 CET
Testing on Mageia4x64 real hardware

From current package :
--------------------
php-ini-5.5.19-1.mga4
apache-mod_php-5.5.19-1.mga4
php-mysql-5.5.19-1.mga4
php-sqlite3-5.5.19-1.mga4
php-pgsql-5.5.19-1.mga4

Could use phpmyadmin, connect and use wordpress.

Tried the four PoCs in the attachment.

3 produced a segmentation fault, could not reproduce bug 68185


To updated testing packages :
---------------------------
php-ini-5.5.20-1.mga4
apache-mod_php-5.5.20-1.mga4
php-mysql-5.5.20-1.mga4
php-sqlite3-5.5.20-1.mga4
php-pgsql-5.5.20-1.mga4
+ all php modules used updated

rebooted

phpmyadmin, wordpress OK
Set up drupal installations using mysql, sqlite3 and pgsql. all OK

Tried the four PoCs
No segmentation fault found anymore but still an error with bug 68545.
$ php testbug68545.php 
PHP Notice:  unserialize(): Error at offset 310 of 310 bytes in /home/zitounu/qa/php/testbug68545.php on line 2
(https://bugs.php.net/bug.php?id=68545)

Comment 4 William Kenney 2014-12-20 19:33:59 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.19-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.19-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.20-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.20-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK

Comment 5 William Kenney 2014-12-20 20:01:44 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.19-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.19-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.20-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.20-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

William Kenney 2014-12-20 20:02:18 CET

Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 6 William Kenney 2014-12-20 20:04:17 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
I'll validate this update in 24 hours unless
someone else, olivier, wants to do some additional
testing or validate it themselves. Enjoy.

Comment 7 claire robinson 2014-12-21 17:18:28 CET
Validating. Advisory uploaded.

Could sysadmin please push to updates

Thanks

CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2014-12-21 21:47:58 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0542.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2014-12-22 20:17:53 CET
The CVE was mistyped as 8412 instead of 8142.  Sorry!

I've corrected it in the advisory in SVN.  Could sysadmins make sure whatever processing gets run that needs to update this:
http://advisories.mageia.org/MGASA-2014-0542.html

I wish that there was a way to send out a corrected advisory e-mail.

David Walser 2014-12-22 20:25:50 CET

URL: (none) => http://lwn.net/Vulnerabilities/627332/
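
The mix-up reported in Comment 9, where the advisory description cites CVE-2014-8412 while its References section cites CVE-2014-8142, is the kind of error a pre-publication lint can catch. The Python check below is an added example, not part of this bug thread or of Mageia's tooling; the function names and the split at the "References:" line are assumptions, and the sample advisory is constructed from the text in Comment 1.

```python
import re

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")

# Constructed sample shaped like the advisory in Comment 1: the description
# cites one ID and the References section cites another.
SAMPLE_ADVISORY = """\
Updated php packages fix security vulnerability:

A use-after-free flaw was found in PHP unserialize() (CVE-2014-8412).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
http://www.php.net/ChangeLog-5.php#5.5.20
"""


def split_advisory(text):
    """Return (description, references), split at the 'References:' line."""
    head, sep, tail = text.partition("\nReferences:")
    return head, (tail if sep else "")


def cve_ids(text):
    """Collect every CVE identifier that appears in the text."""
    return {m.group(0) for m in CVE_RE.finditer(text)}


def is_digit_shuffle(a, b):
    """True when two IDs share a year and their sequence digits are anagrams."""
    year_a, seq_a = CVE_RE.fullmatch(a).groups()
    year_b, seq_b = CVE_RE.fullmatch(b).groups()
    return a != b and year_a == year_b and sorted(seq_a) == sorted(seq_b)


def lint_advisory(text):
    """Report CVE IDs that appear on only one side of the advisory."""
    desc, refs = split_advisory(text)
    in_desc, in_refs = cve_ids(desc), cve_ids(refs)
    findings = []
    for cve in sorted(in_desc - in_refs):
        likely = [r for r in sorted(in_refs - in_desc) if is_digit_shuffle(cve, r)]
        findings.append({"id": cve, "issue": "not in references", "likely_typo_of": likely})
    for cve in sorted(in_refs - in_desc):
        findings.append({"id": cve, "issue": "not in description", "likely_typo_of": []})
    return findings


if __name__ == "__main__":
    for finding in lint_advisory(SAMPLE_ADVISORY):
        print(finding)
```

Running the lint before the advisory e-mail goes out matters here because, as Comment 9 notes, the web copy can be corrected afterwards but the e-mail cannot.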

