Description of problem:
Debian just released PHP updates. I find 3 in their list that I don't see an indication of being fixed in our package:
CVE-2011-1466 An integer overflow was discovered in the Calendar module.
CVE-2011-1471 The Zip module was prone to denial of service through malformed archives.
CVE-2011-2202 Path names in form based file uploads (RFC 1867) were incorrectly validated.
Debian sid package is here (for patches): http://packages.debian.org/sid/php5
Version-Release number of selected component (if applicable): php-5.3.6-2.mga1.src.rpm
How reproducible: NA
Update text:
Several issues have been identified in PHP:
An integer overflow was discovered in the Calendar module. (CVE-2011-1466)
The Zip module was prone to denial of service through malformed archives. (CVE-2011-1471)
Path names in form based file uploads (RFC 1867) were incorrectly validated. (CVE-2011-2202)
These issues have been corrected in updated packages.
CC: (none) => dmorganec, fundawang, guillomovitch, pterjan
CVE-2011-1466 was already fixed in 5.3.6
CVE-2011-1471 was also fixed in 5.3.6
Patch for CVE-2011-2202 http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/rfc1867.c?r1=312103&r2=312102&pathrev=312103
Assignee: bugsquad => pterjan
I added the patch to svn and sent the package to updates_testing, but it is actually low impact given that only CVE-2011-2202 is present in our package. CVE-2011-2202 is only exploitable if php runs on a webserver as a user allowed to write to /. In such a case a user could create a file in / (not in a subdirectory), but I don't think anyone would set up their webserver to run as root.
OK to go on QA?
I am not sure what QA can do about it except running a webserver as root to test. But it may not be worth the effort to push an update for this one; it could wait until the next php update.
Well QA can ensure it still runs at least. For the CVE fix, yes as it isn't the default Mageia configuration, we can skip this update. But I think anything in updates_testing should have a bug in QA: I've just updated PHP and tested it (not the CVE fix, only that it still runs), then it was hard to report the test ;-)
REPORT: Tested on x86_64, runs OK. But the CVE CVE-2011-2202 was not tested.
CC: (none) => lists.jjorge
CC: fundawang => (none)
Yes I
(In reply to comment #7)
> But I think anything in updates_testing should have a bug in QA
Yes sure, I ask because some update was not ready for the QA (or we were too fast) :)
Assignee: pterjan => qa-bugs
There is an exploit available for CVE-2011-2202 at http://downloads.securityfocus.com/vulnerabilities/exploits/48259.php Did you decide this was ready for testing or are you still working on it?
CC: (none) => eeeemail
Looking at it though, I'm not sure what to do with it...
Getting an exploit is easy (this gives a good basis) but for it to work you need either php to run as root or / being writable by the web user
Personally, I'm going to need a testing procedure for this one please.
(In reply to comment #12)
> Personally, I'm going to need a testing procedure for this one please.
I don't think we need to check the exploit for this one, as it is of low severity. Making sure php works will be enough, and I can test myself that I see no regression as I use it on a daily basis at work. José Jorge already reported that it's ok for x86_64.
CC: (none) => stormi
I've confirmed that http://127.0.0.1/phpmyadmin works on my i586 system. Is that enough though?
CC: (none) => davidwhodgins
Also confirmed working OK i586 with phpmyadmin. Update validated. Ready for pushing.
Advisory:
---------------------
Several issues have been identified in PHP including:
An integer overflow was discovered in the Calendar module. (CVE-2011-1466)
The Zip module was prone to denial of service through malformed archives. (CVE-2011-1471)
Path names in form based file uploads (RFC 1867) were incorrectly validated. (CVE-2011-2202)
These issues have been corrected in updated packages.
----------------------
SRPM: php-5.3.6-2.1.mga1.src.rpm
Is php-smarty2-2.6.26-1.1.mga1.src.rpm also part of this update?
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
php-smarty2-2.6.26-1.1.mga1.src.rpm is NOT part of this update.
Sysadmin - Please push php-5.3.6-2.1.mga1.src.rpm from core/updates_testing to core/updates.
Thank you!
update pushed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED