Ubuntu has issued an advisory on February 17:
http://www.ubuntu.com/usn/usn-2501-1/

These CVE assignments were made here:
http://openwall.com/lists/oss-security/2015/01/24/9

I would imagine these fixes will be included in the next upstream updates.

CVE-2014-9652 was already fixed in Bug 15121.
Whiteboard: (none) => MGA4TOO
PHP 5.5.22 has been released today:
http://php.net/archive/2015.php#id2015-02-19-1

It actually does not include the fixes for CVE-2015-135[12], but I was able to rediff the patches for 5.6.6 and 5.5.22 (actually only the first one required rediffing) and add those as well. The updates are committed in SVN, waiting for a freeze push in Cauldron.

The updated versions also fix php#68942 (Use after free vulnerability in unserialize() with DateTimeZone, CVE-2015-0273) and have a GHOST mitigation.

The ChangeLog is here:
http://php.net/ChangeLog-5.php#5.5.22
Summary: php new security issues CVE-2015-1351 and CVE-2015-1352 => php new security issues CVE-2015-1351, CVE-2015-1352, and CVE-2015-0273
Also fixed in 5.5.22 that may be security relevant:
php#68552 (heap buffer overflow in enchant_broker_request_dict()).
php#68901 (use after free in phar_object.c).
Advisory:
========================

Updated php packages fix security vulnerabilities:

It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351).

It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352).

Use after free vulnerability in unserialize() with DateTimeZone in PHP before 5.5.22 (CVE-2015-0273).

PHP has been updated to version 5.5.22, which fixes these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352
http://php.net/ChangeLog-5.php#5.5.22
http://www.ubuntu.com/usn/usn-2501-1/
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.22-1.mga4
apache-mod_php-5.5.22-1.mga4
php-cli-5.5.22-1.mga4
php-cgi-5.5.22-1.mga4
libphp5_common5-5.5.22-1.mga4
php-devel-5.5.22-1.mga4
php-openssl-5.5.22-1.mga4
php-zlib-5.5.22-1.mga4
php-doc-5.5.22-1.mga4
php-bcmath-5.5.22-1.mga4
php-bz2-5.5.22-1.mga4
php-calendar-5.5.22-1.mga4
php-ctype-5.5.22-1.mga4
php-curl-5.5.22-1.mga4
php-dba-5.5.22-1.mga4
php-dom-5.5.22-1.mga4
php-enchant-5.5.22-1.mga4
php-exif-5.5.22-1.mga4
php-fileinfo-5.5.22-1.mga4
php-filter-5.5.22-1.mga4
php-ftp-5.5.22-1.mga4
php-gd-5.5.22-1.mga4
php-gettext-5.5.22-1.mga4
php-gmp-5.5.22-1.mga4
php-hash-5.5.22-1.mga4
php-iconv-5.5.22-1.mga4
php-imap-5.5.22-1.mga4
php-interbase-5.5.22-1.mga4
php-intl-5.5.22-1.mga4
php-json-5.5.22-1.mga4
php-ldap-5.5.22-1.mga4
php-mbstring-5.5.22-1.mga4
php-mcrypt-5.5.22-1.mga4
php-mssql-5.5.22-1.mga4
php-mysql-5.5.22-1.mga4
php-mysqli-5.5.22-1.mga4
php-mysqlnd-5.5.22-1.mga4
php-odbc-5.5.22-1.mga4
php-opcache-5.5.22-1.mga4
php-pcntl-5.5.22-1.mga4
php-pdo-5.5.22-1.mga4
php-pdo_dblib-5.5.22-1.mga4
php-pdo_firebird-5.5.22-1.mga4
php-pdo_mysql-5.5.22-1.mga4
php-pdo_odbc-5.5.22-1.mga4
php-pdo_pgsql-5.5.22-1.mga4
php-pdo_sqlite-5.5.22-1.mga4
php-pgsql-5.5.22-1.mga4
php-phar-5.5.22-1.mga4
php-posix-5.5.22-1.mga4
php-readline-5.5.22-1.mga4
php-recode-5.5.22-1.mga4
php-session-5.5.22-1.mga4
php-shmop-5.5.22-1.mga4
php-snmp-5.5.22-1.mga4
php-soap-5.5.22-1.mga4
php-sockets-5.5.22-1.mga4
php-sqlite3-5.5.22-1.mga4
php-sybase_ct-5.5.22-1.mga4
php-sysvmsg-5.5.22-1.mga4
php-sysvsem-5.5.22-1.mga4
php-sysvshm-5.5.22-1.mga4
php-tidy-5.5.22-1.mga4
php-tokenizer-5.5.22-1.mga4
php-xml-5.5.22-1.mga4
php-xmlreader-5.5.22-1.mga4
php-xmlrpc-5.5.22-1.mga4
php-xmlwriter-5.5.22-1.mga4
php-xsl-5.5.22-1.mga4
php-wddx-5.5.22-1.mga4
php-zip-5.5.22-1.mga4
php-fpm-5.5.22-1.mga4
php-apc-3.1.15-4.12.mga4
php-apc-admin-3.1.15-4.12.mga4

from SRPMS:
php-5.5.22-1.mga4.src.rpm
php-apc-3.1.15-4.12.mga4.src.rpm
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => (none)
Severity: normal => major
Please use 5.5.22-1.1.mga4 which has jsonc-1.3.7:
http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.7
CC: (none) => oe
php-ini-5.5.22-1.1.mga4
apache-mod_php-5.5.22-1.1.mga4
php-cli-5.5.22-1.1.mga4
php-cgi-5.5.22-1.1.mga4
libphp5_common5-5.5.22-1.1.mga4
php-devel-5.5.22-1.1.mga4
php-openssl-5.5.22-1.1.mga4
php-zlib-5.5.22-1.1.mga4
php-doc-5.5.22-1.1.mga4
php-bcmath-5.5.22-1.1.mga4
php-bz2-5.5.22-1.1.mga4
php-calendar-5.5.22-1.1.mga4
php-ctype-5.5.22-1.1.mga4
php-curl-5.5.22-1.1.mga4
php-dba-5.5.22-1.1.mga4
php-dom-5.5.22-1.1.mga4
php-enchant-5.5.22-1.1.mga4
php-exif-5.5.22-1.1.mga4
php-fileinfo-5.5.22-1.1.mga4
php-filter-5.5.22-1.1.mga4
php-ftp-5.5.22-1.1.mga4
php-gd-5.5.22-1.1.mga4
php-gettext-5.5.22-1.1.mga4
php-gmp-5.5.22-1.1.mga4
php-hash-5.5.22-1.1.mga4
php-iconv-5.5.22-1.1.mga4
php-imap-5.5.22-1.1.mga4
php-interbase-5.5.22-1.1.mga4
php-intl-5.5.22-1.1.mga4
php-json-5.5.22-1.1.mga4
php-ldap-5.5.22-1.1.mga4
php-mbstring-5.5.22-1.1.mga4
php-mcrypt-5.5.22-1.1.mga4
php-mssql-5.5.22-1.1.mga4
php-mysql-5.5.22-1.1.mga4
php-mysqli-5.5.22-1.1.mga4
php-mysqlnd-5.5.22-1.1.mga4
php-odbc-5.5.22-1.1.mga4
php-opcache-5.5.22-1.1.mga4
php-pcntl-5.5.22-1.1.mga4
php-pdo-5.5.22-1.1.mga4
php-pdo_dblib-5.5.22-1.1.mga4
php-pdo_firebird-5.5.22-1.1.mga4
php-pdo_mysql-5.5.22-1.1.mga4
php-pdo_odbc-5.5.22-1.1.mga4
php-pdo_pgsql-5.5.22-1.1.mga4
php-pdo_sqlite-5.5.22-1.1.mga4
php-pgsql-5.5.22-1.1.mga4
php-phar-5.5.22-1.1.mga4
php-posix-5.5.22-1.1.mga4
php-readline-5.5.22-1.1.mga4
php-recode-5.5.22-1.1.mga4
php-session-5.5.22-1.1.mga4
php-shmop-5.5.22-1.1.mga4
php-snmp-5.5.22-1.1.mga4
php-soap-5.5.22-1.1.mga4
php-sockets-5.5.22-1.1.mga4
php-sqlite3-5.5.22-1.1.mga4
php-sybase_ct-5.5.22-1.1.mga4
php-sysvmsg-5.5.22-1.1.mga4
php-sysvsem-5.5.22-1.1.mga4
php-sysvshm-5.5.22-1.1.mga4
php-tidy-5.5.22-1.1.mga4
php-tokenizer-5.5.22-1.1.mga4
php-xml-5.5.22-1.1.mga4
php-xmlreader-5.5.22-1.1.mga4
php-xmlrpc-5.5.22-1.1.mga4
php-xmlwriter-5.5.22-1.1.mga4
php-xsl-5.5.22-1.1.mga4
php-wddx-5.5.22-1.1.mga4
php-zip-5.5.22-1.1.mga4
php-fpm-5.5.22-1.1.mga4
php-apc-3.1.15-4.12.mga4
php-apc-admin-3.1.15-4.12.mga4

from SRPMS:
php-5.5.22-1.1.mga4.src.rpm
php-apc-3.1.15-4.12.mga4.src.rpm
Testing on Mageia 4x32 real hardware

From current packages:
---------------------
PHP Version 5.5.21 already installed from previous test (https://bugs.mageia.org/show_bug.cgi?id=15121)

To updated testing packages:
---------------------------
All php-5.5.22-1.1.mga4 packages except php-opcache, and php-apc-3.1.15-4.12.mga4

Browsed to http://localhost/wordpress where I found the wordpress test blog made during previous php testing. Logged in, created a new page...
Used phpmyadmin: ok
Browsed to http://localhost/php-apc/: ok

As I had seen in Comment 3 there was an issue with PHP PostgreSQL:
Created a drupal site using postgresql 9.3: ok

In Comment 3, an issue about opcache is mentioned, so:
Installed php-opcache-5.5.22-1.1.mga4.i586, which uninstalled php-apc and php-apc-admin.

To configure php-opcache, # nano /etc/php.ini

; Determines if Zend OPCache is enabled
opcache.enable=1
; The OPcache shared memory storage size.
opcache.memory_consumption=128
; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 100000 are allowed.
opcache.max_accelerated_files=4000
; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=60

Created a php script (opcachecp.php) in /var/www/html from the script found here, in order to have an opcache control panel:
https://gist.github.com/ck-on/4959032/?ocp.php

Browsed to http://opcachecp.php which showed me php-opcache was functional.

OK
CC: (none) => olchal
Whiteboard: (none) => MGA4-32-OK
Testing on Mageia 4x64 real hardware

From current packages:
---------------------
php-5.5.21-1.mga4 packages and php-apc-3.1.15-4.11.mga4 packages
phpmyadmin OK
wordpress installation and usage OK
http://localhost/php-apc/

To updated testing packages:
---------------------------
php-5.5.22-1.1.mga4 packages and php-apc-3.1.15-4.12.mga4 packages
phpmyadmin OK
wordpress OK (previous installation)
Installing and using drupal with postgresql OK
http://localhost/php-apc/ OK

So far so good. BUT
---
Reading in comment 1 that:
The updated versions also fix php#68942 (Use after free vulnerability in unserialize() with DateTimeZone, CVE-2015-0273)

I used the 2 PoCs found at:
https://bugs.php.net/bug.php?id=68942

With current packages:
---------------------
1st PoC (which I called fakezval.php) results in a leak:

$ php fakezval.php
array(2) {
  [0]=>
  object(DateTimeZone)#1 (2) {
    ["timezone_type"]=>
    int(2)
    ["timezone"]=>
    string(1) "A"
  }
  [1]=>
  string(17) "3"
}

2nd PoC (zstrval.php) gives a segmentation fault:

$ php zstrval.php
Erreur de segmentation (Segmentation fault)

To updated testing packages:
---------------------------
$ php fakezval.php
PHP Fatal error:  DateTimeZone::__wakeup(): Timezone initialization failed in /home/zitounu/qa/fakezval.php on line 11

It now returns an error instead of leaking. That sounds OK.

$ php zstrval.php
Erreur de segmentation (Segmentation fault)

Still a segmentation fault here.

So bug #68942 is not entirely solved by this testing package from what I see.
-----------------------------------------------------------------------------
Created attachment 5944 [details] PoCs used in previous comment
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: php-ini php-fpm drupal glpi owncloud phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.21-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.21-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.2.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
set up phpmyadmin config file
localhost/phpmyadmin opens and runs

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.22-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.22-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.34-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.2.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.4-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.8-1.mga4.noarch is already installed

localhost/drupal opens and runs
localhost/glpi opens and runs
localhost/owncloud opens and runs
localhost/phpmyadmin opens and runs

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
LWN reference for CVE-2015-0273:
http://lwn.net/Vulnerabilities/634614/
OK, I see, this was at the bottom of the original report:

II. Type confusion vulnerability

Z_STRVAL_PP leads to various problems. The following code should crash PHP:

<?php
$data = unserialize('O:12:"DateTimeZone":2:{s:13:"timezone_type";i:1;s:8:"timezone";i:1;}');
?>

and that wasn't fixed. Only the two examples that it said should leak memory (part I of the original report and a later comment) were fixed, as those correspond to the two test cases added upstream. I don't know if they just missed part II of the original report, or if they considered it a different issue.

I added a comment about it on the upstream bug report and asked:
https://bugs.php.net/bug.php?id=68942
(In reply to David Walser from comment #11)
> I added a comment about it on the upstream bug report and asked:
> https://bugs.php.net/bug.php?id=68942

The original reporter says it's a security issue, but a separate one, so it won't hold up this update unless a new patch for it appears very soon.
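As an added illustration for the discussion above (this is not code from this bug report, from the PoCs in attachment 5944, or from php-src): the php#68942 payloads only do damage because unserialize() instantiates a DateTimeZone and runs its __wakeup() on attacker-chosen property types. PHP 5.5 has no allowed_classes option for unserialize() (that arrived in PHP 7.0), so the 5.x-era hardening for untrusted serialized input is to refuse anything that would create an object before the data reaches unserialize() at all. The checker below walks the serialization grammar instead of grepping for "O:", so a string value that merely contains that text is still accepted. The function names (is_safe_to_unserialize, safe_unserialize, walk_value) and all sample payloads except the DateTimeZone one quoted from the upstream report are my own.

```php
<?php
// Added example, not code from this bug or from php-src. Rejects any
// serialized input that would instantiate an object (O: or C: tokens) so that
// untrusted data never reaches __wakeup()/__destruct()/Serializable::unserialize().
// Works on PHP 5.5, which has no allowed_classes option. Function names are
// hypothetical.

function expect_literal($data, &$pos, $literal)
{
    // Consume $literal at $pos or fail.
    if (substr($data, $pos, strlen($literal)) !== $literal) {
        throw new RuntimeException("expected '$literal' at offset $pos");
    }
    $pos += strlen($literal);
}

function read_length($data, &$pos)
{
    // Consume "<type>:<digits>:" (the prefix of s:, a:, O: and C:) and
    // return the decimal length/count.
    if (!preg_match('/\G.:(\d+):/', $data, $m, 0, $pos)) {
        throw new RuntimeException("bad length field at offset $pos");
    }
    $pos += strlen($m[0]);
    return (int) $m[1];
}

function walk_value($data, &$pos)
{
    // Returns true if an object token is found anywhere under this value.
    // Throws RuntimeException on malformed input.
    if ($pos >= strlen($data)) {
        throw new RuntimeException('truncated input');
    }
    switch ($data[$pos]) {
        case 'N': // null: N;
            expect_literal($data, $pos, 'N;');
            return false;
        case 'b': // b:1;
        case 'i': // i:42;
        case 'd': // d:0.5;
            $end = strpos($data, ';', $pos);
            if ($end === false) {
                throw new RuntimeException("unterminated scalar at offset $pos");
            }
            $pos = $end + 1;
            return false;
        case 's': // s:<len>:"<bytes>";  skip the bytes by length, so an "O:"
                  // inside a string is not mistaken for an object token
            $n = read_length($data, $pos);
            expect_literal($data, $pos, '"');
            $pos += $n;
            expect_literal($data, $pos, '";');
            return false;
        case 'a': // a:<count>:{ key value key value ... }
            $n = read_length($data, $pos);
            expect_literal($data, $pos, '{');
            for ($i = 0; $i < $n; $i++) {
                if (walk_value($data, $pos) || walk_value($data, $pos)) {
                    return true;
                }
            }
            expect_literal($data, $pos, '}');
            return false;
        case 'O': // O:<len>:"Class":<n>:{...}   -> __wakeup()/__destruct() would run
        case 'C': // C:<len>:"Class":<len>:{...} -> Serializable::unserialize() would run
            return true;
        default:
            throw new RuntimeException("unknown type '{$data[$pos]}' at offset $pos");
    }
}

function is_safe_to_unserialize($data)
{
    // True only for well-formed data made of scalars and arrays with no
    // trailing bytes. Objects, malformed and truncated input are all rejected,
    // the conservative choice for untrusted input.
    $pos = 0;
    try {
        if (walk_value($data, $pos)) {
            return false;
        }
    } catch (RuntimeException $e) {
        return false;
    }
    return $pos === strlen($data);
}

function safe_unserialize($data)
{
    return is_safe_to_unserialize($data) ? unserialize($data) : false;
}

// Constructed inputs for the demo (payload => expected verdict).
$samples = array(
    // The php#68942 shape quoted in this bug: DateTimeZone with an int "timezone".
    'O:12:"DateTimeZone":2:{s:13:"timezone_type";i:1;s:8:"timezone";i:1;}' => false,
    // The same object hidden inside an array.
    'a:1:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";i:1;s:8:"timezone";i:1;}}' => false,
    // A string that merely contains "O:" text: legal, must not be rejected.
    's:16:"O:1:"X":0:{}junk";' => true,
    // Ordinary session-like data.
    'a:2:{s:4:"user";s:5:"alice";s:5:"roles";a:1:{i:0;s:5:"admin";}}' => true,
);
foreach ($samples as $payload => $expected) {
    $verdict = is_safe_to_unserialize($payload);
    printf("%s %s\n", $verdict === $expected ? 'PASS' : 'FAIL', $payload);
}
```

Run it with the php CLI; each sample prints PASS. On PHP 7.0 and later the same object rejection is built in as unserialize($data, array('allowed_classes' => false)), and for data that never legitimately needs objects json_encode()/json_decode() avoids the whole class of __wakeup() problems; the walker above is only the equivalent for a 5.x tree like the one under test here.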
a fix has been committed now by the looks of it David.
http://git.php.net/?p=php-src.git;a=commit;h=e441d71baae89bdc5dc6f75407b4a8f5e42b8fa9
I've added the patch locally and now believe I get the intended results for the 4 PoCs:

$ php fakezval.php
PHP Fatal error:  DateTimeZone::__wakeup(): Timezone initialization failed in /tmp/fakezval.php on line 12
$ php zstrval.php
PHP Fatal error:  DateTimeZone::__wakeup(): Timezone initialization failed in /tmp/zstrval.php on line 4
$ php fakezval2.php
PHP Fatal error:  Invalid serialization data for DateTime object in /tmp/fakezval2.php on line 13
$ php infoleak.php
PHP Notice:  unserialize(): Error at offset 63 of 76 bytes in /tmp/infoleak.php on line 4

I'll ask for a push in Cauldron first.
OK, the patched version for the other issue in php#68942 has been uploaded in Cauldron and is building now in Mageia 4. Please re-test when it's available.

php-ini-5.5.22-1.2.mga4
apache-mod_php-5.5.22-1.2.mga4
php-cli-5.5.22-1.2.mga4
php-cgi-5.5.22-1.2.mga4
libphp5_common5-5.5.22-1.2.mga4
php-devel-5.5.22-1.2.mga4
php-openssl-5.5.22-1.2.mga4
php-zlib-5.5.22-1.2.mga4
php-doc-5.5.22-1.2.mga4
php-bcmath-5.5.22-1.2.mga4
php-bz2-5.5.22-1.2.mga4
php-calendar-5.5.22-1.2.mga4
php-ctype-5.5.22-1.2.mga4
php-curl-5.5.22-1.2.mga4
php-dba-5.5.22-1.2.mga4
php-dom-5.5.22-1.2.mga4
php-enchant-5.5.22-1.2.mga4
php-exif-5.5.22-1.2.mga4
php-fileinfo-5.5.22-1.2.mga4
php-filter-5.5.22-1.2.mga4
php-ftp-5.5.22-1.2.mga4
php-gd-5.5.22-1.2.mga4
php-gettext-5.5.22-1.2.mga4
php-gmp-5.5.22-1.2.mga4
php-hash-5.5.22-1.2.mga4
php-iconv-5.5.22-1.2.mga4
php-imap-5.5.22-1.2.mga4
php-interbase-5.5.22-1.2.mga4
php-intl-5.5.22-1.2.mga4
php-json-5.5.22-1.2.mga4
php-ldap-5.5.22-1.2.mga4
php-mbstring-5.5.22-1.2.mga4
php-mcrypt-5.5.22-1.2.mga4
php-mssql-5.5.22-1.2.mga4
php-mysql-5.5.22-1.2.mga4
php-mysqli-5.5.22-1.2.mga4
php-mysqlnd-5.5.22-1.2.mga4
php-odbc-5.5.22-1.2.mga4
php-opcache-5.5.22-1.2.mga4
php-pcntl-5.5.22-1.2.mga4
php-pdo-5.5.22-1.2.mga4
php-pdo_dblib-5.5.22-1.2.mga4
php-pdo_firebird-5.5.22-1.2.mga4
php-pdo_mysql-5.5.22-1.2.mga4
php-pdo_odbc-5.5.22-1.2.mga4
php-pdo_pgsql-5.5.22-1.2.mga4
php-pdo_sqlite-5.5.22-1.2.mga4
php-pgsql-5.5.22-1.2.mga4
php-phar-5.5.22-1.2.mga4
php-posix-5.5.22-1.2.mga4
php-readline-5.5.22-1.2.mga4
php-recode-5.5.22-1.2.mga4
php-session-5.5.22-1.2.mga4
php-shmop-5.5.22-1.2.mga4
php-snmp-5.5.22-1.2.mga4
php-soap-5.5.22-1.2.mga4
php-sockets-5.5.22-1.2.mga4
php-sqlite3-5.5.22-1.2.mga4
php-sybase_ct-5.5.22-1.2.mga4
php-sysvmsg-5.5.22-1.2.mga4
php-sysvsem-5.5.22-1.2.mga4
php-sysvshm-5.5.22-1.2.mga4
php-tidy-5.5.22-1.2.mga4
php-tokenizer-5.5.22-1.2.mga4
php-xml-5.5.22-1.2.mga4
php-xmlreader-5.5.22-1.2.mga4
php-xmlrpc-5.5.22-1.2.mga4
php-xmlwriter-5.5.22-1.2.mga4
php-xsl-5.5.22-1.2.mga4
php-wddx-5.5.22-1.2.mga4
php-zip-5.5.22-1.2.mga4
php-fpm-5.5.22-1.2.mga4
php-apc-3.1.15-4.12.mga4
php-apc-admin-3.1.15-4.12.mga4

from SRPMS:
php-5.5.22-1.2.mga4.src.rpm
php-apc-3.1.15-4.12.mga4.src.rpm
Whiteboard: MGA4-32-OK => (none)
Testing on Mageia 4x64 real hardware

php-apc-3.1.15-4.11.mga4.x86_64 and all php-5.5.22-1.2.mga4 packages except php-opcache

Logged in to the previous wordpress installation and made some changes: OK
/localhost/php-apc: OK
Drupal creation with postgresql and usage: OK
Phpmyadmin: OK

Installed php-opcache-5.5.21-1.mga4.x86_64 (which uninstalled php-apc packages) and tested it as in comment 6: OK

Retried the 2 PoCs from attachment 5944 [details]

# php fakezval.php
PHP Fatal error:  DateTimeZone::__wakeup(): Timezone initialization failed in /home/zitounu/qa/fakezval.php on line 11
# php zstrval.php
PHP Fatal error:  DateTimeZone::__wakeup(): Timezone initialization failed in /home/zitounu/qa/zstrval.php on line 3

Both of them now result in a PHP Fatal error: no more memory leakage or segmentation fault.

All OK on Mageia4x64.
Whiteboard: (none) => MGA4-64-OK
Sorry, error in the previous comment: that was the update under test:

# rpm -q php-apc
php-apc-3.1.15-4.12.mga4

and not php-apc-3.1.15-4.11.mga4.x86_64 as I wrote in comment 17 (which is the current version).
Testing on Mageia 4x32, real hardware, using the same procedure as in comment 17

# rpm -q php-ini php-apc
php-ini-5.5.22-1.2.mga4
php-apc-3.1.15-4.12.mga4

Drupal installation with postgresql and usage: OK
localhost/php-apc: OK
phpmyadmin: OK

Installed php-opcache and uninstalled php-apc
# rpm -q php-opcache
php-opcache-5.5.22-1.2.mga4
opcache php file test: OK
PoC test files: OK

All OK for Mageia 4x32
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Well done Olivier. This was good testing. Validating.

Advisory uploaded. Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0090.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Two of the other issues fixed in 5.5.22 that I mentioned earlier have been assigned CVEs:
http://openwall.com/lists/oss-security/2015/03/15/6

(In reply to David Walser from comment #2)
> Also fixed in 5.5.22 that may be security relevant:
> php#68552 (heap buffer overflow in enchant_broker_request_dict()).

This is now CVE-2014-9705.

> php#68901 (use after free in phar_object.c).

This is now CVE-2015-2301.
LWN reference for CVE-2015-2301:
http://lwn.net/Vulnerabilities/637140/

LWN reference for CVE-2014-9705:
http://lwn.net/Vulnerabilities/637136/

That entry also lists CVE-2015-2305, a minor issue that we'll have to address in a future update.