Upstream has released new versions on January 22:
http://php.net/archive/2015.php#id2015-01-22-1
http://php.net/archive/2015.php#id2015-01-22-2

Several security issues are fixed, including:
CVE-2014-9425 (php#68676)
CVE-2014-9427 (php#68618)
CVE-2015-0231 (php#68710)
CVE-2015-0232 (php#68799)

There's also:
"Mcrypt: Fixed possible read after end of buffer and use after free."
which has no CVE or PHP bug link, but could be a security issue.

There's also:
"GD: Fixed (php#68601) (buffer read overflow in gd_gif_in.c)."
which sounds like a security issue, but the bug is private, and may affect our libgd package as well.

There's also:
"Fileinfo: Fixed (php#68671) (incorrect expression in libmagic). Fixed (php#68735) (fileinfo out-of-bounds memory access). Removed readelf.c and related code from libmagic sources"

Removing readelf.c should effectively fix CVE-2014-811[67] and CVE-2014-962[01], which we fixed in the file package in Bug 14818 and Bug 15064. The (php#68671) issue does not appear to affect file, looking at the code. I already fixed the (php#68735) issue in file, referenced here:
https://bugs.mageia.org/show_bug.cgi?id=14818#c3
It did not receive a CVE.

Oden, is there any additional info on the mcrypt and gd issues that you can share?

Reproducible:

Steps to Reproduce:
(In reply to David Walser from comment #0)
> There's also:
> "GD: Fixed (php#68601) (buffer read overflow in gd_gif_in.c)."

I found this upstream in libgd, fixed in these commits:
https://bitbucket.org/libgd/gd-libgd/diff/src/gd_gif_in.c?diff2=47eb44b2e90c&at=master
https://bitbucket.org/libgd/gd-libgd/diff/src/gd_gif_in.c?diff2=81e9a993f289&at=master

There doesn't appear to be a CVE for it.

I've checked a patch for that into libgd SVN for Mageia 4 and Cauldron, and checked PHP 5.5.20 and 5.6.5 into SVN. I've requested a freeze push for Cauldron.
Summary: PHP 5.5.20 => php new security issues fixed upstream in 5.5.21
Updated packages uploaded for Mageia 4 and Cauldron.

Details are in Comment 0, formal advisory to come later.

Updated packages in core/updates_testing:
========================
php-ini-5.5.21-1.mga4
apache-mod_php-5.5.21-1.mga4
php-cli-5.5.21-1.mga4
php-cgi-5.5.21-1.mga4
libphp5_common5-5.5.21-1.mga4
php-devel-5.5.21-1.mga4
php-openssl-5.5.21-1.mga4
php-zlib-5.5.21-1.mga4
php-doc-5.5.21-1.mga4
php-bcmath-5.5.21-1.mga4
php-bz2-5.5.21-1.mga4
php-calendar-5.5.21-1.mga4
php-ctype-5.5.21-1.mga4
php-curl-5.5.21-1.mga4
php-dba-5.5.21-1.mga4
php-dom-5.5.21-1.mga4
php-enchant-5.5.21-1.mga4
php-exif-5.5.21-1.mga4
php-fileinfo-5.5.21-1.mga4
php-filter-5.5.21-1.mga4
php-ftp-5.5.21-1.mga4
php-gd-5.5.21-1.mga4
php-gettext-5.5.21-1.mga4
php-gmp-5.5.21-1.mga4
php-hash-5.5.21-1.mga4
php-iconv-5.5.21-1.mga4
php-imap-5.5.21-1.mga4
php-interbase-5.5.21-1.mga4
php-intl-5.5.21-1.mga4
php-json-5.5.21-1.mga4
php-ldap-5.5.21-1.mga4
php-mbstring-5.5.21-1.mga4
php-mcrypt-5.5.21-1.mga4
php-mssql-5.5.21-1.mga4
php-mysql-5.5.21-1.mga4
php-mysqli-5.5.21-1.mga4
php-mysqlnd-5.5.21-1.mga4
php-odbc-5.5.21-1.mga4
php-opcache-5.5.21-1.mga4
php-pcntl-5.5.21-1.mga4
php-pdo-5.5.21-1.mga4
php-pdo_dblib-5.5.21-1.mga4
php-pdo_firebird-5.5.21-1.mga4
php-pdo_mysql-5.5.21-1.mga4
php-pdo_odbc-5.5.21-1.mga4
php-pdo_pgsql-5.5.21-1.mga4
php-pdo_sqlite-5.5.21-1.mga4
php-pgsql-5.5.21-1.mga4
php-phar-5.5.21-1.mga4
php-posix-5.5.21-1.mga4
php-readline-5.5.21-1.mga4
php-recode-5.5.21-1.mga4
php-session-5.5.21-1.mga4
php-shmop-5.5.21-1.mga4
php-snmp-5.5.21-1.mga4
php-soap-5.5.21-1.mga4
php-sockets-5.5.21-1.mga4
php-sqlite3-5.5.21-1.mga4
php-sybase_ct-5.5.21-1.mga4
php-sysvmsg-5.5.21-1.mga4
php-sysvsem-5.5.21-1.mga4
php-sysvshm-5.5.21-1.mga4
php-tidy-5.5.21-1.mga4
php-tokenizer-5.5.21-1.mga4
php-xml-5.5.21-1.mga4
php-xmlreader-5.5.21-1.mga4
php-xmlrpc-5.5.21-1.mga4
php-xmlwriter-5.5.21-1.mga4
php-xsl-5.5.21-1.mga4
php-wddx-5.5.21-1.mga4
php-zip-5.5.21-1.mga4
php-fpm-5.5.21-1.mga4
php-apc-3.1.15-4.11.mga4
php-apc-admin-3.1.15-4.11.mga4
libgd3-2.1.0-3.2.mga4
libgd-devel-2.1.0-3.2.mga4
libgd-static-devel-2.1.0-3.2.mga4
gd-utils-2.1.0-3.2.mga4

from SRPMS:
php-5.5.21-1.mga4.src.rpm
php-apc-3.1.15-4.11.mga4.src.rpm
libgd-2.1.0-3.2.mga4.src.rpm
CC: (none) => oe
Assignee: oe => qa-bugs
Testing on mageia4x32 real hardware

From current packages :
---------------------
php-ini-5.5.20-1.mga4 and so on.

# nano /var/www/html/testphp.php
<?php phpinfo(); ?>

http://localhost/testphp.php which showed information on my php current install :
PHP Version 5.5.20
System Linux localhost 3.14.27-server-1.mga4 #1 SMP Sun Dec 21 23:00:20 UTC 2014 i686
Build Date Dec 18 2014 23:08:59
(...)

Could run phpmyadmin to create wordpress database and user and delete them after running a wordpress installation

To updated testing packages :
---------------------------
- apache-mod_php-5.5.21-1.mga4.i586
- gd-utils-2.1.0-3.2.mga4.i586
- libgd3-2.1.0-3.2.mga4.i586
- libphp5_common5-5.5.21-1.mga4.i586
- php-bcmath-5.5.21-1.mga4.i586
- php-bz2-5.5.21-1.mga4.i586
- php-cgi-5.5.21-1.mga4.i586
- php-cli-5.5.21-1.mga4.i586
- php-ctype-5.5.21-1.mga4.i586
- php-dom-5.5.21-1.mga4.i586
- php-filter-5.5.21-1.mga4.i586
- php-ftp-5.5.21-1.mga4.i586
- php-gd-5.5.21-1.mga4.i586
- php-gettext-5.5.21-1.mga4.i586
- php-hash-5.5.21-1.mga4.i586
- php-imap-5.5.21-1.mga4.i586
- php-ini-5.5.21-1.mga4.i586
- php-json-5.5.21-1.mga4.i586
- php-mbstring-5.5.21-1.mga4.i586
- php-mcrypt-5.5.21-1.mga4.i586
- php-mysql-5.5.21-1.mga4.i586
- php-mysqli-5.5.21-1.mga4.i586
- php-mysqlnd-5.5.21-1.mga4.i586
- php-openssl-5.5.21-1.mga4.i586
- php-pdo-5.5.21-1.mga4.i586
- php-pdo_pgsql-5.5.21-1.mga4.i586
- php-pgsql-5.5.21-1.mga4.i586
- php-posix-5.5.21-1.mga4.i586
- php-session-5.5.21-1.mga4.i586
- php-sqlite3-5.5.21-1.mga4.i586
- php-sysvsem-5.5.21-1.mga4.i586
- php-sysvshm-5.5.21-1.mga4.i586
- php-tokenizer-5.5.21-1.mga4.i586
- php-xml-5.5.21-1.mga4.i586
- php-xmlreader-5.5.21-1.mga4.i586
- php-xmlwriter-5.5.21-1.mga4.i586
- php-zip-5.5.21-1.mga4.i586
- php-zlib-5.5.21-1.mga4.i586

No issue during upgrade.

# systemctl restart httpd
# systemctl restart mysqld

http://localhost/testphp.php
PHP Version 5.5.21
System Linux localhost 3.14.27-server-1.mga4 #1 SMP Sun Dec 21 23:00:20 UTC 2014 i686
Build Date Jan 23 2015 20:05:07
(...)
gd
GD Support enabled
GD Version 2.1.0-alpha
(...)
mcrypt
mcrypt support enabled
mcrypt_filter support enabled
Version 2.5.8

Opened phpmyadmin which showed :
Serveur web Apache/2.4.7 (Mageia) PHP/5.5.21 mod_perl/2.0.8-dev Perl/v5.18.1
Version du client de base de données : libmysql - mysqlnd 5.0.11-dev - 20120503 - $Id: bf9ad53b11c9a57efdb1057292d73b928b8c5c77 $
Extension PHP : mysqli Documentation

In phpmyadmin, created database and user for wordpress.
Browsed to http://localhost/wordpress
Could create a new wordpress installation test.
Could delete database and user with phpmyadmin.

Conclusion : installation upgrade OK, GD and Mcrypt enabled, no regression found while testing with phpmyadmin.

Anything else to test on these packages ?
CC: (none) => olchal
Unless there is a PoC we generally test a few php webapps and http://localhost/php-apc
Following Comment 4 from Claire, created a drupal installation with postgresql, browsed to http://localhost/drupal and went to report/status which showed somewhere in the page :
PHP 5.5.21 (more information) OK
PHP extensions Enabled OK
PHP memory limit 128M OK
PHP register globals Disabled OK
Unicode library PHP Mbstring Extension

Browsed to http://localhost/php-apc/
General Cache Information
APC Version 3.1.15-dev
PHP Version 5.5.21
APC Host localhost (localhost) (127.0.0.1)
Server Software Apache/2.4.7 (Mageia) PHP/5.5.21 mod_perl/2.0.8-dev Perl/v5.18.1

Could find only one PoC : Bug #68618
# cd /usr/bin
# printf "#" >crashme.php
# ./php-cgi crashme.php
X-Powered-By: PHP/5.5.21
Content-type: text/html

No segmentation fault here, but too late to tell if that occurred in php 5.5.20
Whiteboard: (none) => has_procedure mga4-32-ok
Testing complete mga4 64

Tested with phpmyadmin, zoneminder and wordpress.
http://localhost/php-apc/

Was getting an error initially when loading pages, "PHP Fatal error: php-gtk: Could not open display in Unknown on line 0" which turned out to be due to php-gtk2 being installed as a dependency of phoronix-test-suite. Removed both.

# php --ri gd

gd

GD Support => enabled
GD Version => 2.1.0-alpha
FreeType Support => enabled
FreeType Linkage => with freetype
FreeType Version => 2.5.0
T1Lib Support => enabled
GIF Read Support => enabled
GIF Create Support => enabled
JPEG Support => enabled
libJPEG Version => 8
PNG Support => enabled
libPNG Version => 1.6.16
WBMP Support => enabled
XPM Support => enabled
libXpm Version => 30411
XBM Support => enabled
WebP Support => enabled

Directive => Local Value => Master Value
gd.jpeg_ignore_warning => 0 => 0
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-32-ok
Validating. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
s/32/64/ in whiteboard
Whiteboard: has_procedure mga4-32-ok mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok
I guess we need an advisory...

Advisory:
========================

Updated php and libgd packages fix security vulnerabilities:

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425).

sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427).

Use after free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231).

Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232).

The readelf.c source file has been removed from PHP's bundled copy of file's libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP's fileinfo module.

A buffer read overflow in gd_gif_in.c in the php#68601 bug referenced in the PHP 5.5.21 ChangeLog has been fixed in the libgd package.

The php package has been updated to version 5.5.21 to fix these issues and other bugs. Please see the upstream ChangeLog for more information.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232
http://php.net/ChangeLog-5.php#5.5.21
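The CVE-2014-9427 entry in the advisory above turns on a scan that ignores the mapped length of a .php file that begins with "#" and has no newline. As an added illustration, not Mageia's, PHP's or the upstream patch's code, the bounded scan below shows the check that keeps such a scan inside the mapping; the mmap harness (`mapped_skip_offset`) is hypothetical and constructed for this example:

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Offset of the first byte after a leading "#..." line, or `len` when that
 * line never ends inside the buffer. The scan is bounded by `len` (memchr,
 * not strchr), so a one-byte file holding only "#" and no newline, the case
 * the CVE-2014-9427 description names, cannot carry the scan past the end
 * of the mapping. */
size_t skip_hash_line(const char *buf, size_t len)
{
    if (len == 0 || buf[0] != '#')
        return 0;                       /* not a "#" line: nothing to skip */
    const char *nl = memchr(buf, '\n', len);
    return nl ? (size_t)(nl - buf) + 1 : len;
}

/* Hypothetical harness (constructed for this example): write `data` to an
 * unlinked temp file, mmap it read-only the way a CGI front end maps a
 * script, run skip_hash_line over exactly the mapped length, and return the
 * offset, or (size_t)-1 on a system error. A mapping carries no NUL
 * terminator, which is why the length, not a terminator, must bound the scan. */
size_t mapped_skip_offset(const char *data, size_t len)
{
    char path[] = "/tmp/cgi-map-XXXXXX";
    size_t off = (size_t)-1;
    if (len == 0)
        return off;                     /* mmap() rejects a zero-length map */
    int fd = mkstemp(path);
    if (fd < 0)
        return off;
    unlink(path);                       /* the fd keeps the file alive */
    if (write(fd, data, len) == (ssize_t)len) {
        void *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
        if (map != MAP_FAILED) {
            off = skip_hash_line((const char *)map, len);
            munmap(map, len);
        }
    }
    close(fd);
    return off;
}
```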
Advisory above uploaded with srpms from comment 2.
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0040.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/630951/
CVE request for the php#68735 issue:
http://openwall.com/lists/oss-security/2015/02/04/12
(In reply to David Walser from comment #12)
> CVE request for the php#68735 issue:
> http://openwall.com/lists/oss-security/2015/02/04/12

This is now CVE-2014-9652:
http://openwall.com/lists/oss-security/2015/02/05/12
(In reply to David Walser from comment #13)
> (In reply to David Walser from comment #12)
> > CVE request for the php#68735 issue:
> > http://openwall.com/lists/oss-security/2015/02/04/12
>
> This is now CVE-2014-9652:
> http://openwall.com/lists/oss-security/2015/02/05/12

LWN reference: http://lwn.net/Vulnerabilities/633839/
(In reply to David Walser from comment #1)
> (In reply to David Walser from comment #0)
> > There's also:
> > "GD: Fixed (php#68601) (buffer read overflow in gd_gif_in.c)."
>
> I found this upstream in libgd, fixed in these commits:
> https://bitbucket.org/libgd/gd-libgd/diff/src/gd_gif_in.
> c?diff2=47eb44b2e90c&at=master
> https://bitbucket.org/libgd/gd-libgd/diff/src/gd_gif_in.
> c?diff2=81e9a993f289&at=master
>
> There doesn't appear to be a CVE for it.
>
> I've checked a patch for that into libgd SVN for Mageia 4 and Cauldron, and
> checked PHP 5.5.20 and 5.6.5 into SVN. I've requested a freeze push for
> Cauldron.

CVE request for the libgd php#68601 issue:
http://openwall.com/lists/oss-security/2015/03/23/13
(In reply to David Walser from comment #15)
> (In reply to David Walser from comment #1)
> > (In reply to David Walser from comment #0)
> > > There's also:
> > > "GD: Fixed (php#68601) (buffer read overflow in gd_gif_in.c)."
> >
> > I found this upstream in libgd, fixed in these commits:
> > https://bitbucket.org/libgd/gd-libgd/diff/src/gd_gif_in.
> > c?diff2=47eb44b2e90c&at=master
> > https://bitbucket.org/libgd/gd-libgd/diff/src/gd_gif_in.
> > c?diff2=81e9a993f289&at=master
> >
> > There doesn't appear to be a CVE for it.
> >
> > I've checked a patch for that into libgd SVN for Mageia 4 and Cauldron, and
> > checked PHP 5.5.20 and 5.6.5 into SVN. I've requested a freeze push for
> > Cauldron.
>
> CVE request for the libgd php#68601 issue:
> http://openwall.com/lists/oss-security/2015/03/23/13

CVE-2014-9709 has been assigned:
http://openwall.com/lists/oss-security/2015/03/23/18
LWN reference for CVE-2014-9709: http://lwn.net/Vulnerabilities/638611/