18545 – PHP 5.6.22

Bug 18545 - PHP 5.6.22

Summary: PHP 5.6.22

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/689260/
Whiteboard:	advisory MGA5-32-OK MGA5-64-OK
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2016-05-26 13:10 CEST by David Walser
Modified:	2016-06-02 23:41 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	php-5.6.21-1.mga5.src.rpm
CVE:
Status comment:

Attachments
fread sub-program for test (809 bytes, application/x-php) 2016-05-28 13:35 CEST, Brian Rockwell	Details
calling program to fread (128 bytes, application/x-php) 2016-05-28 13:35 CEST, Brian Rockwell	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-05-26 13:10:07 CEST

PHP 5.6.22 has been released either yesterday or today (May 26-27).  It has not yet been announced.  You can see the ChangeLog in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=ede10a8827695d41640e32b4a7e3939ba7608de1;hb=6e5958e37d9e04271216aa945168ee5bbf87a3f6

Some of the fixes are security related.  CVE request for them is here:
http://openwall.com/lists/oss-security/2016/05/25/3

The GD issue was fixed upstream in libgd in 2013, so it doesn't affect us.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.22, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.22
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.22-1.mga5
apache-mod_php-5.6.22-1.mga5
php-cli-5.6.22-1.mga5
php-cgi-5.6.22-1.mga5
libphp5_common5-5.6.22-1.mga5
php-devel-5.6.22-1.mga5
php-openssl-5.6.22-1.mga5
php-zlib-5.6.22-1.mga5
php-doc-5.6.22-1.mga5
php-bcmath-5.6.22-1.mga5
php-bz2-5.6.22-1.mga5
php-calendar-5.6.22-1.mga5
php-ctype-5.6.22-1.mga5
php-curl-5.6.22-1.mga5
php-dba-5.6.22-1.mga5
php-dom-5.6.22-1.mga5
php-enchant-5.6.22-1.mga5
php-exif-5.6.22-1.mga5
php-fileinfo-5.6.22-1.mga5
php-filter-5.6.22-1.mga5
php-ftp-5.6.22-1.mga5
php-gd-5.6.22-1.mga5
php-gettext-5.6.22-1.mga5
php-gmp-5.6.22-1.mga5
php-hash-5.6.22-1.mga5
php-iconv-5.6.22-1.mga5
php-imap-5.6.22-1.mga5
php-interbase-5.6.22-1.mga5
php-intl-5.6.22-1.mga5
php-json-5.6.22-1.mga5
php-ldap-5.6.22-1.mga5
php-mbstring-5.6.22-1.mga5
php-mcrypt-5.6.22-1.mga5
php-mssql-5.6.22-1.mga5
php-mysql-5.6.22-1.mga5
php-mysqli-5.6.22-1.mga5
php-mysqlnd-5.6.22-1.mga5
php-odbc-5.6.22-1.mga5
php-opcache-5.6.22-1.mga5
php-pcntl-5.6.22-1.mga5
php-pdo-5.6.22-1.mga5
php-pdo_dblib-5.6.22-1.mga5
php-pdo_firebird-5.6.22-1.mga5
php-pdo_mysql-5.6.22-1.mga5
php-pdo_odbc-5.6.22-1.mga5
php-pdo_pgsql-5.6.22-1.mga5
php-pdo_sqlite-5.6.22-1.mga5
php-pgsql-5.6.22-1.mga5
php-phar-5.6.22-1.mga5
php-posix-5.6.22-1.mga5
php-readline-5.6.22-1.mga5
php-recode-5.6.22-1.mga5
php-session-5.6.22-1.mga5
php-shmop-5.6.22-1.mga5
php-snmp-5.6.22-1.mga5
php-soap-5.6.22-1.mga5
php-sockets-5.6.22-1.mga5
php-sqlite3-5.6.22-1.mga5
php-sybase_ct-5.6.22-1.mga5
php-sysvmsg-5.6.22-1.mga5
php-sysvsem-5.6.22-1.mga5
php-sysvshm-5.6.22-1.mga5
php-tidy-5.6.22-1.mga5
php-tokenizer-5.6.22-1.mga5
php-xml-5.6.22-1.mga5
php-xmlreader-5.6.22-1.mga5
php-xmlrpc-5.6.22-1.mga5
php-xmlwriter-5.6.22-1.mga5
php-xsl-5.6.22-1.mga5
php-wddx-5.6.22-1.mga5
php-zip-5.6.22-1.mga5
php-fpm-5.6.22-1.mga5
phpdbg-5.6.22-1.mga5

from php-5.6.22-1.mga5.src.rpm

Comment 1 David Walser 2016-05-27 14:46:04 CEST

CVEs:
http://www.openwall.com/lists/oss-security/2016/05/26/3

They're also listed on the upstream ChangeLog.

Advisory:
========================

Updated php packages fix security vulnerabilities:

In php-intl, get_icu_value_internal out-of-bounds read (CVE-2016-5093).

Integer Overflow in php_html_entities (CVE-2016-5094).

Integer underflow / arbitrary null write in fread/gzread (CVE-2016-5096).

The php package has been updated to version 5.6.22, which fixes these
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5096
http://www.php.net/ChangeLog-5.php#5.6.22

Comment 2 Brian Rockwell 2016-05-28 13:33:21 CEST

mg5-64

Installed the following

The following 78 packages are going to be installed:

- apache-mod_php-5.6.22-1.mga5.x86_64
- lib64fbclient2-2.5.3.26778-4.mga5.x86_64
- lib64php5_common5-5.6.22-1.mga5.x86_64
- lib64t1lib5-5.1.2-18.mga5.x86_64
- lib64tidy0.99_0-20090904-9.mga5.x86_64
- lib64xmlrpc-epi0-0.54.2-5.mga5.x86_64
- net-snmp-mibs-5.7.2-23.mga5.x86_64
- php-bcmath-5.6.22-1.mga5.x86_64
- php-bz2-5.6.22-1.mga5.x86_64
- php-calendar-5.6.22-1.mga5.x86_64
- php-cgi-5.6.22-1.mga5.x86_64
- php-cli-5.6.22-1.mga5.x86_64
- php-ctype-5.6.22-1.mga5.x86_64
- php-curl-5.6.22-1.mga5.x86_64
- php-dba-5.6.22-1.mga5.x86_64
- php-devel-5.6.22-1.mga5.x86_64
- php-doc-5.6.22-1.mga5.noarch
- php-dom-5.6.22-1.mga5.x86_64
- php-enchant-5.6.22-1.mga5.x86_64
- php-exif-5.6.22-1.mga5.x86_64
- php-fileinfo-5.6.22-1.mga5.x86_64
- php-filter-5.6.22-1.mga5.x86_64
- php-fpm-5.6.22-1.mga5.x86_64
- php-ftp-5.6.22-1.mga5.x86_64
- php-gd-5.6.22-1.mga5.x86_64
- php-gettext-5.6.22-1.mga5.x86_64
- php-gmp-5.6.22-1.mga5.x86_64
- php-hash-5.6.22-1.mga5.x86_64
- php-iconv-5.6.22-1.mga5.x86_64
- php-imap-5.6.22-1.mga5.x86_64
- php-ini-5.6.22-1.mga5.x86_64
- php-interbase-5.6.22-1.mga5.x86_64
- php-intl-5.6.22-1.mga5.x86_64
- php-json-5.6.22-1.mga5.x86_64
- php-ldap-5.6.22-1.mga5.x86_64
- php-mbstring-5.6.22-1.mga5.x86_64
- php-mcrypt-5.6.22-1.mga5.x86_64
- php-mssql-5.6.22-1.mga5.x86_64
- php-mysql-5.6.22-1.mga5.x86_64
- php-mysqli-5.6.22-1.mga5.x86_64
- php-mysqlnd-5.6.22-1.mga5.x86_64
- php-odbc-5.6.22-1.mga5.x86_64
- php-opcache-5.6.22-1.mga5.x86_64
- php-openssl-5.6.22-1.mga5.x86_64
- php-pcntl-5.6.22-1.mga5.x86_64
- php-pdo-5.6.22-1.mga5.x86_64
- php-pdo_dblib-5.6.22-1.mga5.x86_64
- php-pdo_firebird-5.6.22-1.mga5.x86_64
- php-pdo_mysql-5.6.22-1.mga5.x86_64
- php-pdo_odbc-5.6.22-1.mga5.x86_64
- php-pdo_pgsql-5.6.22-1.mga5.x86_64
- php-pdo_sqlite-5.6.22-1.mga5.x86_64
- php-pgsql-5.6.22-1.mga5.x86_64
- php-phar-5.6.22-1.mga5.x86_64
- php-posix-5.6.22-1.mga5.x86_64
- php-recode-5.6.22-1.mga5.x86_64
- php-session-5.6.22-1.mga5.x86_64
- php-shmop-5.6.22-1.mga5.x86_64
- php-snmp-5.6.22-1.mga5.x86_64
- php-soap-5.6.22-1.mga5.x86_64
- php-sockets-5.6.22-1.mga5.x86_64
- php-sqlite3-5.6.22-1.mga5.x86_64
- php-sybase_ct-5.6.22-1.mga5.x86_64
- php-sysvmsg-5.6.22-1.mga5.x86_64
- php-sysvsem-5.6.22-1.mga5.x86_64
- php-sysvshm-5.6.22-1.mga5.x86_64
- php-tidy-5.6.22-1.mga5.x86_64
- php-tokenizer-5.6.22-1.mga5.x86_64
- php-wddx-5.6.22-1.mga5.x86_64
- php-xml-5.6.22-1.mga5.x86_64
- php-xmlreader-5.6.22-1.mga5.x86_64
- php-xmlrpc-5.6.22-1.mga5.x86_64
- php-xmlwriter-5.6.22-1.mga5.x86_64
- php-xsl-5.6.22-1.mga5.x86_64
- php-zip-5.6.22-1.mga5.x86_64
- php-zlib-5.6.22-1.mga5.x86_64
- phpdbg-5.6.22-1.mga5.x86_64
- t1lib-config-5.1.2-18.mga5.x86_64

7.2MB of additional disk space will be used.

17MB of packages will be retrieved.

------------

From browser ran some of my old tests.

//error class begin 5.6.22
Outer try
Middle try
Middle finally
Inner try
Inner finally
Outer catch
Outer finally

//error test end 

---that worked properly

------------------
next I reviewed https://bugs.php.net/bug.php?id=72114 and tried the test in there.  It worked.

[brian@localhost pp]$ php gzread.php
PHP Warning:  gzread(): Length parameter must be no more than 2147483647 in /home/brian/pp/gzread.php on line 7
[brian@localhost pp]$ ls -ltr
total 8
-rw-rw-r-- 1 brian brian 809 May 28 06:25 fread.php
-rw-rw-r-- 1 brian brian 128 May 28 06:31 gzread.php
[brian@localhost pp]$

CC: (none) => brtians1
Whiteboard: (none) => MGA5-64-OK

Comment 3 Brian Rockwell 2016-05-28 13:35:05 CEST

Created attachment 7872 [details]
fread sub-program for test

This file is called by the next I'll upload.

Comment 4 Brian Rockwell 2016-05-28 13:35:31 CEST

Created attachment 7873 [details]
calling program to fread

Comment 5 Lewis Smith 2016-05-30 14:51:51 CEST

Trying M5 x64, updated 45 installed PHP pkgs:

apache-mod_php-5.6.22-1.mga5
lib64php5_common5-5.6.22-1.mga5
php-bcmath-5.6.22-1.mga5
php-bz2-5.6.22-1.mga5
php-cli-5.6.22-1.mga5
php-ctype-5.6.22-1.mga5
php-curl-5.6.22-1.mga5
php-dom-5.6.22-1.mga5
php-fileinfo-5.6.22-1.mga5
php-filter-5.6.22-1.mga5
php-ftp-5.6.22-1.mga5
php-gd-5.6.22-1.mga5
php-gettext-5.6.22-1.mga5
php-hash-5.6.22-1.mga5
php-iconv-5.6.22-1.mga5
php-ini-5.6.22-1.mga5
php-intl-5.6.22-1.mga5
php-json-5.6.22-1.mga5
php-ldap-5.6.22-1.mga5
php-mbstring-5.6.22-1.mga5
php-mcrypt-5.6.22-1.mga5
php-mysql-5.6.22-1.mga5
php-mysqli-5.6.22-1.mga5
php-mysqlnd-5.6.22-1.mga5
php-openssl-5.6.22-1.mga5
php-pdo-5.6.22-1.mga5
php-pdo_pgsql-5.6.22-1.mga5
php-pdo_sqlite-5.6.22-1.mga5
php-pgsql-5.6.22-1.mga5
php-posix-5.6.22-1.mga5
php-session-5.6.22-1.mga5
php-snmp-5.6.22-1.mga5
php-soap-5.6.22-1.mga5
php-sockets-5.6.22-1.mga5
php-sqlite3-5.6.22-1.mga5
php-sysvsem-5.6.22-1.mga5
php-sysvshm-5.6.22-1.mga5
php-tidy-5.6.22-1.mga5
php-tokenizer-5.6.22-1.mga5
php-xml-5.6.22-1.mga5
php-xmlreader-5.6.22-1.mga5
php-xmlrpc-5.6.22-1.mga5
php-xmlwriter-5.6.22-1.mga5
php-zip-5.6.22-1.mga5
php-zlib-5.6.22-1.mga5

Three small test scripts:
 https://bugs.mageia.org/show_bug.cgi?id=18562#c1
yielded errors that were also apparent *before* this PHP update:
 $ php foo.php 
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/extensions/gd.so' - /usr/lib64/php/extensions/gd.so: undefined symbol: gdImageCreateFromWebp in Unknown on line 0
PHP Fatal error:  Call to undefined function imagecreatetruecolor() in /home/lewis/tmp/foo.php on line 2
 $ php gdtest.php 
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/extensions/gd.so' - /usr/lib64/php/extensions/gd.so: undefined symbol: gdImageCreateFromWebp in Unknown on line 0
PHP Fatal error:  Call to undefined function imagecreatetruecolor() in /home/lewis/tmp/gdtest.php on line 2
 $ php phpfread.php 
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/extensions/gd.so' - /usr/lib64/php/extensions/gd.so: undefined symbol: gdImageCreateFromWebp in Unknown on line 0

I will play with some PHP applications, but prefer to clear up this problem because it effects Bug 18562 also.

CC: (none) => lewyssmith

Comment 6 David Walser 2016-05-30 15:30:43 CEST

Sorry, should be fixed with libgd-2.2.1-1.1.mga5.

Comment 7 Lewis Smith 2016-05-30 17:54:46 CEST

Re-trying M5 x64 with
 gd-utils-2.2.1-1.1.mga5
 lib64gd3-2.2.1-1.1.mga5

Alas, without re-logging in or re-booting, same results as Comment 5.

Comment 8 David Walser 2016-05-30 18:24:19 CEST

Should be fixed for real with libgd-2.2.1-1.2.mga5.

Comment 9 Lewis Smith 2016-05-30 20:29:57 CEST

Testing M5 x64, with:
 gd-utils-2.2.1-1.2.mga5   lib64gd3-2.2.1-1.2.mga5
Thanks David for fixing these so quickly.

The two miniscripts shown in https://bugs.mageia.org/show_bug.cgi?id=18562#c1 now work correctly:
 $ php foo.php 
 $ php gdtest.php
and the test scripts from Brian (thanks for collecting same) in Comments 2,3,4  here give the expected result:
 $ php gzread.php 
 PHP Warning:  gzread(): Length parameter must be no more than 2147483647 in /home/lewis/tmp/gzread.php on line 7

In addition I have tested PHP with several major applications: Cacti, Drupal, MediaWiki, Moodle, PHPmyadmin, PHPpgadmin; no new problem noted.
So I second Brian's x64 OK.

Comment 10 David Walser 2016-05-31 02:05:43 CEST

My usual php cgi test cases work fine, Mageia 5 i586.

Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK

Comment 11 Lewis Smith 2016-05-31 10:34:08 CEST

(In reply to David Walser from comment #10)
> My usual php cgi test cases work fine, Mageia 5 i586.
Thanks for that, David. Validating this update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2016-06-01 13:22:29 CEST

LWN reference for CVE-2016-5094:
http://lwn.net/Vulnerabilities/689280/

URL: (none) => http://lwn.net/Vulnerabilities/689260/

Comment 13 claire robinson 2016-06-02 22:45:31 CEST

Advisory added with..

     - php-5.6.22-1.mga5
     - libgd-2.2.1-1.2.mga5

Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK

Comment 14 David Walser 2016-06-02 22:47:04 CEST

(In reply to claire robinson from comment #13)
> Advisory added with..
> 
>      - php-5.6.22-1.mga5
>      - libgd-2.2.1-1.2.mga5

libgd should be in the advisory for Bug 18562 actually, not this bug.

Comment 15 claire robinson 2016-06-02 22:48:38 CEST

noticed just after i commented. Corrected now.

Comment 16 Mageia Robot 2016-06-02 23:41:06 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0213.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.