Upstream has released version 5.5.20 today (December 18):
http://php.net/archive/2014.php#id2014-12-18-1
http://php.net/ChangeLog-5.php#5.5.20

It fixes a CVE in unserialize(), as well as some other bugs that may be security relevant.

Version 5.6.4 was also released today, likely fixing the same issues, although the announcement and changelog are not available as of this moment.

I've checked 5.5.20 and 5.6.4 updates in Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated php packages fix security vulnerability:

A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8412).

PHP has been updated to version 5.5.20, which fixes these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
http://www.php.net/ChangeLog-5.php#5.5.20
https://bugzilla.redhat.com/show_bug.cgi?id=1175718
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.20-1.mga4
apache-mod_php-5.5.20-1.mga4
php-cli-5.5.20-1.mga4
php-cgi-5.5.20-1.mga4
libphp5_common5-5.5.20-1.mga4
php-devel-5.5.20-1.mga4
php-openssl-5.5.20-1.mga4
php-zlib-5.5.20-1.mga4
php-doc-5.5.20-1.mga4
php-bcmath-5.5.20-1.mga4
php-bz2-5.5.20-1.mga4
php-calendar-5.5.20-1.mga4
php-ctype-5.5.20-1.mga4
php-curl-5.5.20-1.mga4
php-dba-5.5.20-1.mga4
php-dom-5.5.20-1.mga4
php-enchant-5.5.20-1.mga4
php-exif-5.5.20-1.mga4
php-fileinfo-5.5.20-1.mga4
php-filter-5.5.20-1.mga4
php-ftp-5.5.20-1.mga4
php-gd-5.5.20-1.mga4
php-gettext-5.5.20-1.mga4
php-gmp-5.5.20-1.mga4
php-hash-5.5.20-1.mga4
php-iconv-5.5.20-1.mga4
php-imap-5.5.20-1.mga4
php-interbase-5.5.20-1.mga4
php-intl-5.5.20-1.mga4
php-json-5.5.20-1.mga4
php-ldap-5.5.20-1.mga4
php-mbstring-5.5.20-1.mga4
php-mcrypt-5.5.20-1.mga4
php-mssql-5.5.20-1.mga4
php-mysql-5.5.20-1.mga4
php-mysqli-5.5.20-1.mga4
php-mysqlnd-5.5.20-1.mga4
php-odbc-5.5.20-1.mga4
php-opcache-5.5.20-1.mga4
php-pcntl-5.5.20-1.mga4
php-pdo-5.5.20-1.mga4
php-pdo_dblib-5.5.20-1.mga4
php-pdo_firebird-5.5.20-1.mga4
php-pdo_mysql-5.5.20-1.mga4
php-pdo_odbc-5.5.20-1.mga4
php-pdo_pgsql-5.5.20-1.mga4
php-pdo_sqlite-5.5.20-1.mga4
php-pgsql-5.5.20-1.mga4
php-phar-5.5.20-1.mga4
php-posix-5.5.20-1.mga4
php-readline-5.5.20-1.mga4
php-recode-5.5.20-1.mga4
php-session-5.5.20-1.mga4
php-shmop-5.5.20-1.mga4
php-snmp-5.5.20-1.mga4
php-soap-5.5.20-1.mga4
php-sockets-5.5.20-1.mga4
php-sqlite3-5.5.20-1.mga4
php-sybase_ct-5.5.20-1.mga4
php-sysvmsg-5.5.20-1.mga4
php-sysvsem-5.5.20-1.mga4
php-sysvshm-5.5.20-1.mga4
php-tidy-5.5.20-1.mga4
php-tokenizer-5.5.20-1.mga4
php-xml-5.5.20-1.mga4
php-xmlreader-5.5.20-1.mga4
php-xmlrpc-5.5.20-1.mga4
php-xmlwriter-5.5.20-1.mga4
php-xsl-5.5.20-1.mga4
php-wddx-5.5.20-1.mga4
php-zip-5.5.20-1.mga4
php-fpm-5.5.20-1.mga4
php-apc-3.1.15-4.10.mga4
php-apc-admin-3.1.15-4.10.mga4

from SRPMS:
php-5.5.20-1.mga4.src.rpm
php-apc-3.1.15-4.10.mga4.src.rpm
Severity: normal => major
Assignee: bugsquad => qa-bugs
Created attachment 5737
php-5.5.20 test files

The link provided by David in the Description, http://php.net/ChangeLog-5.php#5.5.20, gives several scripts which can be used as PoCs. In the attached tarball, I've put those concerning core php.
CC: (none) => olchal
Testing on Mageia4x64 real hardware

From current package:
--------------------
php-ini-5.5.19-1.mga4
apache-mod_php-5.5.19-1.mga4
php-mysql-5.5.19-1.mga4
php-sqlite3-5.5.19-1.mga4
php-pgsql-5.5.19-1.mga4

Could use phpmyadmin, connect and use wordpress.
Tried the four PoC in attachment.
3 produced a segmentation fault, could not reproduce bug 68185

To updated testing packages:
---------------------------
php-ini-5.5.20-1.mga4
apache-mod_php-5.5.20-1.mga4
php-mysql-5.5.20-1.mga4
php-sqlite3-5.5.20-1.mga4
php-pgsql-5.5.20-1.mga4
+ all php modules used updated

rebooted
phpmyadmin, wordpress OK
Set up drupal installations using mysql, sqlite3 and pgsql. all OK
Tried the four PoCs
No segmentation fault found anymore but still an error with bug 68545.

$ php testbug68545.php
PHP Notice: unserialize(): Error at offset 310 of 310 bytes in /home/zitounu/qa/php/testbug68545.php on line 2
(https://bugs.php.net/bug.php?id=68545)
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.19-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.19-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.20-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.20-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.19-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.19-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.20-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.20-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
This update works fine.
Testing complete for mga4 32-bit & 64-bit.

I'll validate this update in 24 hours unless someone else, Olivier, wants to do some additional testing or validate it themselves. Enjoy.
Validating. Advisory uploaded.

Could sysadmin please push to updates?

Thanks
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0542.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
The CVE was mistyped as 8412 instead of 8142. Sorry! I've corrected it in the advisory in SVN.

Could sysadmins make sure whatever processing gets run that needs to update this:
http://advisories.mageia.org/MGASA-2014-0542.html

I wish that there was a way to send out a corrected advisory e-mail.
URL: (none) => http://lwn.net/Vulnerabilities/627332/