CVEs have been assigned for two security issues that affect PHP:
http://openwall.com/lists/oss-security/2015/03/16/5
http://openwall.com/lists/oss-security/2015/03/18/3

The first, CVE-2015-2305, comes from code that apparently is bundled in a *lot* of packages. Fortunately it's a minor issue, and it also only affects 32-bit systems. More info on that:
https://security-tracker.debian.org/tracker/CVE-2015-2305

I don't know if PHP upstream has addressed it yet. Debian fixed it in their php package in this commit:
http://anonscm.debian.org/cgit/pkg-php/php.git/commit/?id=a57d8616e445fced92a44241e4e4971f2b3119b2

That corresponds to this advisory from today (March 18):
https://lists.debian.org/debian-security-announce/2015/msg00080.html
which will be posted here:
https://www.debian.org/security/2015/dsa-3195
from http://lwn.net/Vulnerabilities/637136/

The second CVE is fixed in upstream git and the fix will be included in the next upstream PHP releases. That issue affects php-zip, so Debian said that libzip needs to be checked to see if it's affected:
https://security-tracker.debian.org/tracker/CVE-2015-2331

Debian has also identified a few more security issues that will be fixed in the next PHP releases (no CVEs yet):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780713
Whiteboard: (none) => MGA5TOO, MGA4TOO
It sounds like libzip is affected by CVE-2015-2331:
http://openwall.com/lists/oss-security/2015/03/18/12

I've checked the CVE-2015-2305 patch into Mageia 4 and Cauldron SVN.
Upstream has announced version 5.5.23 and 5.6.7 today (March 20):
http://php.net/archive/2015.php#id2015-03-20-1
http://php.net/archive/2015.php#id2015-03-20-2

It does indeed include fixes for CVE-2015-2305 and CVE-2015-2331.

Strangely, it also lists CVE-2015-0231 as being fixed, even though they also listed that as having been fixed in 5.5.21 and 5.6.5. Now the reference for that CVE in the PHP ChangeLog uses a different PHP bug number (was php#68710 before, is php#68976 now), but the issue description is the same ("Use After Free Vulnerability in unserialize()"). It looks like they mistakenly re-used the same CVE for a similar issue? Or maybe it wasn't completely fixed last time? Either way, it should have received a new CVE. For now, we'll just have to list it again. (The Mageia PHP 5.5.21 update is in Bug 15121, for reference).

The ChangeLog lists fixes for several other crashes/segfaults and memory safety violations, but lists no other CVEs:
http://php.net/ChangeLog-5.php#5.5.23
http://php.net/ChangeLog-5.php#5.6.7

For CVE-2015-2331, we'll have to patch that in libzip, as php-zip is linked to our system libzip. It looks like the patch is trivial to rediff from PHP to libzip.
Created attachment 6107: PoC file for CVE-2015-2331
Created attachment 6108: PoC PHP script using php-zip and php-cli for CVE-2015-2331
I attached a PoC script and zip file for CVE-2015-2331 in the above comments. I have confirmed locally that just updating to PHP 5.6.7 doesn't fix the issue, but that patching libzip does fix it. Before the libzip update, the PoC gives a segfault. After the update, it gives some output from the script and a PHP Warning on the close() call that it's an Invalid or uninitialized Zip object.

I have also tested PHP 5.6.7 locally in Cauldron with Moodle and even backed up and restored a course to test the php-zip extension. Everything works fine.

Saving the text for the Mageia 4 update advisory for later, below.

Advisory:
========================

Updated php and libzip packages fix security vulnerabilities:

Use after free vulnerability in unserialize() in PHP before 5.5.23 (php#68976, CVE-2015-0231).

Heap overflow vulnerability in regcomp.c in the ereg extension in PHP before 5.5.23 on 32-bit systems (CVE-2015-2305).

Integer overflow in zip extension in PHP before 5.5.23 leads to writing past heap boundary (CVE-2015-2331).

PHP has been updated to version 5.5.23, which fixes these issues and other bugs. The php zip extension uses the libzip library, so it has been patched to fix CVE-2015-2331.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://php.net/ChangeLog-5.php#5.5.23
https://www.debian.org/security/2015/dsa-3195
Everything is checked into SVN. Freeze push requested for Cauldron. Here's the package list for the eventual Mageia 4 update.

Updated packages in core/updates_testing:
========================
php-ini-5.5.23-1.mga4
apache-mod_php-5.5.23-1.mga4
php-cli-5.5.23-1.mga4
php-cgi-5.5.23-1.mga4
libphp5_common5-5.5.23-1.mga4
php-devel-5.5.23-1.mga4
php-openssl-5.5.23-1.mga4
php-zlib-5.5.23-1.mga4
php-doc-5.5.23-1.mga4
php-bcmath-5.5.23-1.mga4
php-bz2-5.5.23-1.mga4
php-calendar-5.5.23-1.mga4
php-ctype-5.5.23-1.mga4
php-curl-5.5.23-1.mga4
php-dba-5.5.23-1.mga4
php-dom-5.5.23-1.mga4
php-enchant-5.5.23-1.mga4
php-exif-5.5.23-1.mga4
php-fileinfo-5.5.23-1.mga4
php-filter-5.5.23-1.mga4
php-ftp-5.5.23-1.mga4
php-gd-5.5.23-1.mga4
php-gettext-5.5.23-1.mga4
php-gmp-5.5.23-1.mga4
php-hash-5.5.23-1.mga4
php-iconv-5.5.23-1.mga4
php-imap-5.5.23-1.mga4
php-interbase-5.5.23-1.mga4
php-intl-5.5.23-1.mga4
php-json-5.5.23-1.mga4
php-ldap-5.5.23-1.mga4
php-mbstring-5.5.23-1.mga4
php-mcrypt-5.5.23-1.mga4
php-mssql-5.5.23-1.mga4
php-mysql-5.5.23-1.mga4
php-mysqli-5.5.23-1.mga4
php-mysqlnd-5.5.23-1.mga4
php-odbc-5.5.23-1.mga4
php-opcache-5.5.23-1.mga4
php-pcntl-5.5.23-1.mga4
php-pdo-5.5.23-1.mga4
php-pdo_dblib-5.5.23-1.mga4
php-pdo_firebird-5.5.23-1.mga4
php-pdo_mysql-5.5.23-1.mga4
php-pdo_odbc-5.5.23-1.mga4
php-pdo_pgsql-5.5.23-1.mga4
php-pdo_sqlite-5.5.23-1.mga4
php-pgsql-5.5.23-1.mga4
php-phar-5.5.23-1.mga4
php-posix-5.5.23-1.mga4
php-readline-5.5.23-1.mga4
php-recode-5.5.23-1.mga4
php-session-5.5.23-1.mga4
php-shmop-5.5.23-1.mga4
php-snmp-5.5.23-1.mga4
php-soap-5.5.23-1.mga4
php-sockets-5.5.23-1.mga4
php-sqlite3-5.5.23-1.mga4
php-sybase_ct-5.5.23-1.mga4
php-sysvmsg-5.5.23-1.mga4
php-sysvsem-5.5.23-1.mga4
php-sysvshm-5.5.23-1.mga4
php-tidy-5.5.23-1.mga4
php-tokenizer-5.5.23-1.mga4
php-xml-5.5.23-1.mga4
php-xmlreader-5.5.23-1.mga4
php-xmlrpc-5.5.23-1.mga4
php-xmlwriter-5.5.23-1.mga4
php-xsl-5.5.23-1.mga4
php-wddx-5.5.23-1.mga4
php-zip-5.5.23-1.mga4
php-fpm-5.5.23-1.mga4
php-apc-3.1.15-4.13.mga4
php-apc-admin-3.1.15-4.13.mga4
libzip-0.11.2-1.1.mga4
libzip2-0.11.2-1.1.mga4
libzip-devel-0.11.2-1.1.mga4

from SRPMS:
php-5.5.23-1.mga4.src.rpm
php-apc-3.1.15-4.13.mga4.src.rpm
libzip-0.11.2-1.1.mga4.src.rpm
Updated (php) and patched (libzip) packages uploaded for Mageia 4 and Cauldron. See the advisory in Comment 5, package list in Comment 6, and PoC for CVE-2015-2331 in Comment 3 and Comment 4.
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
CVE request for php#69085: http://openwall.com/lists/oss-security/2015/03/20/14
Debian has issued an advisory for CVE-2015-2331 on March 20: https://www.debian.org/security/2015/dsa-3198
URL: (none) => http://lwn.net/Vulnerabilities/637569/
(In reply to David Walser from comment #2)
> For CVE-2015-2331, we'll have to patch that in libzip, as php-zip is linked
> to our system libzip. It looks like the patch is trivial to rediff from PHP
> to libzip.

Upstream libzip added a similar commit upstream:
http://hg.nih.at/libzip/rev/9f11d54f692e
The duplicated CVE should have been CVE-2015-2787:
http://openwall.com/lists/oss-security/2015/03/30/15

Fixing the advisory.

Advisory:
========================

Updated php and libzip packages fix security vulnerabilities:

Heap overflow vulnerability in regcomp.c in the ereg extension in PHP before 5.5.23 on 32-bit systems (CVE-2015-2305).

Integer overflow in zip extension in PHP before 5.5.23 leads to writing past heap boundary (CVE-2015-2331).

Use after free vulnerability in unserialize() in PHP before 5.5.23 (CVE-2015-2787).

PHP has been updated to version 5.5.23, which fixes these issues and other bugs. The php zip extension uses the libzip library, so it has been patched to fix CVE-2015-2331.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2787
http://php.net/ChangeLog-5.php#5.5.23
https://www.debian.org/security/2015/dsa-3195
Testing finished on both arches (64 & 32); no problems found, so the bugs are fixed. I tested mariadb today, so I got this done at the same time.
https://bugs.mageia.org/show_bug.cgi?id=15592

Validating update. Sysadmins please push to updates.
Keywords: (none) => validated_update
CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: (none) => MGA4-64-OK MGA4-32-OK
Advisory uploaded.
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0134.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN entry for CVE-2015-2787: http://lwn.net/Vulnerabilities/639240/
php#69207 fixed in this update got CVE-2015-2348. LWN reference:
http://lwn.net/Vulnerabilities/639577/
(In reply to David Walser from comment #8)
> CVE request for php#69085:
> http://openwall.com/lists/oss-security/2015/03/20/14

This got CVE-2015-4147 and CVE-2015-4148:
http://openwall.com/lists/oss-security/2015/06/01/4
(In reply to David Walser from comment #17)
> (In reply to David Walser from comment #8)
> > CVE request for php#69085:
> > http://openwall.com/lists/oss-security/2015/03/20/14
>
> This got CVE-2015-4147 and CVE-2015-4148:
> http://openwall.com/lists/oss-security/2015/06/01/4

LWN reference for CVE-2015-4148:
http://lwn.net/Vulnerabilities/648192/
(In reply to David Walser from comment #17)
> (In reply to David Walser from comment #8)
> > CVE request for php#69085:
> > http://openwall.com/lists/oss-security/2015/03/20/14
>
> This got CVE-2015-4147 and CVE-2015-4148:
> http://openwall.com/lists/oss-security/2015/06/01/4

LWN reference for CVE-2015-4147 (and several other unrelated ones):
http://lwn.net/Vulnerabilities/649071/