Upstream has announced PHP 5.6.28 today:
http://php.net/archive/2016.php#id2016-11-10-3

It fixes several security issues:
http://www.php.net/ChangeLog-5.php#5.6.28

For the GD issues, it appears that the first few don't affect us with the system libgd, but CVE-2016-8670 does:
https://bugs.php.net/bug.php?id=73280

Then the last two are marked private.

The php#73280 one is fixed in libgd git upstream, but they haven't released 2.2.4 yet, but we should make sure to include that fix or update libgd if they make a release.

Freeze push requested for Cauldron for php.
PHP 5.6.28 built.

It looks like there are a handful of security fixes in libgd upstream, so if they're not going to make a release, we should pull a current git snapshot.

Updated packages in core/updates_testing:
========================
php-ini-5.6.28-1.mga5
apache-mod_php-5.6.28-1.mga5
php-cli-5.6.28-1.mga5
php-cgi-5.6.28-1.mga5
libphp5_common5-5.6.28-1.mga5
php-devel-5.6.28-1.mga5
php-openssl-5.6.28-1.mga5
php-zlib-5.6.28-1.mga5
php-doc-5.6.28-1.mga5
php-bcmath-5.6.28-1.mga5
php-bz2-5.6.28-1.mga5
php-calendar-5.6.28-1.mga5
php-ctype-5.6.28-1.mga5
php-curl-5.6.28-1.mga5
php-dba-5.6.28-1.mga5
php-dom-5.6.28-1.mga5
php-enchant-5.6.28-1.mga5
php-exif-5.6.28-1.mga5
php-fileinfo-5.6.28-1.mga5
php-filter-5.6.28-1.mga5
php-ftp-5.6.28-1.mga5
php-gd-5.6.28-1.mga5
php-gettext-5.6.28-1.mga5
php-gmp-5.6.28-1.mga5
php-hash-5.6.28-1.mga5
php-iconv-5.6.28-1.mga5
php-imap-5.6.28-1.mga5
php-interbase-5.6.28-1.mga5
php-intl-5.6.28-1.mga5
php-json-5.6.28-1.mga5
php-ldap-5.6.28-1.mga5
php-mbstring-5.6.28-1.mga5
php-mcrypt-5.6.28-1.mga5
php-mssql-5.6.28-1.mga5
php-mysql-5.6.28-1.mga5
php-mysqli-5.6.28-1.mga5
php-mysqlnd-5.6.28-1.mga5
php-odbc-5.6.28-1.mga5
php-opcache-5.6.28-1.mga5
php-pcntl-5.6.28-1.mga5
php-pdo-5.6.28-1.mga5
php-pdo_dblib-5.6.28-1.mga5
php-pdo_firebird-5.6.28-1.mga5
php-pdo_mysql-5.6.28-1.mga5
php-pdo_odbc-5.6.28-1.mga5
php-pdo_pgsql-5.6.28-1.mga5
php-pdo_sqlite-5.6.28-1.mga5
php-pgsql-5.6.28-1.mga5
php-phar-5.6.28-1.mga5
php-posix-5.6.28-1.mga5
php-readline-5.6.28-1.mga5
php-recode-5.6.28-1.mga5
php-session-5.6.28-1.mga5
php-shmop-5.6.28-1.mga5
php-snmp-5.6.28-1.mga5
php-soap-5.6.28-1.mga5
php-sockets-5.6.28-1.mga5
php-sqlite3-5.6.28-1.mga5
php-sybase_ct-5.6.28-1.mga5
php-sysvmsg-5.6.28-1.mga5
php-sysvsem-5.6.28-1.mga5
php-sysvshm-5.6.28-1.mga5
php-tidy-5.6.28-1.mga5
php-tokenizer-5.6.28-1.mga5
php-xml-5.6.28-1.mga5
php-xmlreader-5.6.28-1.mga5
php-xmlrpc-5.6.28-1.mga5
php-xmlwriter-5.6.28-1.mga5
php-xsl-5.6.28-1.mga5
php-wddx-5.6.28-1.mga5
php-zip-5.6.28-1.mga5
php-fpm-5.6.28-1.mga5
phpdbg-5.6.28-1.mga5

from php-5.6.28-1.mga5.src.rpm
CC: (none) => nicolas.salguero
Assigning to David Walser, since he already pushed the packages and will probably add the advisory and assign to QA team, soon
CC: (none) => marja11
Assignee: bugsquad => luigiwalser
CC: (none) => geiger.david68210
PHP 5.6.29 has been released on December 8:
http://php.net/archive/2016.php#id2016-12-08-2

It fixes more security issues.

CVE request (for 5.6.28 and 5.6.29):
http://openwall.com/lists/oss-security/2016/12/12/2

I can now confirm based on new information in PHP's bug system that the patches David added to our libgd package do in fact get us up to date with the security issues fixed in PHP's bundled libgd, so I will assign these to QA once this one is pushed.
Summary: PHP 5.6.28 => PHP 5.6.29
Advisory:
========================

Updated php packages fix security vulnerabilities:

NULL Pointer Dereference in WDDX Packet Deserialization with PDORow in PHP before 5.6.28 (CVE-2016-9934).

Invalid read when wddx decodes empty boolean element in PHP before 5.6.29 (CVE-2016-9935).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935
http://www.php.net/ChangeLog-5.php#5.6.29
http://openwall.com/lists/oss-security/2016/12/12/5
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.29-1.mga5
apache-mod_php-5.6.29-1.mga5
php-cli-5.6.29-1.mga5
php-cgi-5.6.29-1.mga5
libphp5_common5-5.6.29-1.mga5
php-devel-5.6.29-1.mga5
php-openssl-5.6.29-1.mga5
php-zlib-5.6.29-1.mga5
php-doc-5.6.29-1.mga5
php-bcmath-5.6.29-1.mga5
php-bz2-5.6.29-1.mga5
php-calendar-5.6.29-1.mga5
php-ctype-5.6.29-1.mga5
php-curl-5.6.29-1.mga5
php-dba-5.6.29-1.mga5
php-dom-5.6.29-1.mga5
php-enchant-5.6.29-1.mga5
php-exif-5.6.29-1.mga5
php-fileinfo-5.6.29-1.mga5
php-filter-5.6.29-1.mga5
php-ftp-5.6.29-1.mga5
php-gd-5.6.29-1.mga5
php-gettext-5.6.29-1.mga5
php-gmp-5.6.29-1.mga5
php-hash-5.6.29-1.mga5
php-iconv-5.6.29-1.mga5
php-imap-5.6.29-1.mga5
php-interbase-5.6.29-1.mga5
php-intl-5.6.29-1.mga5
php-json-5.6.29-1.mga5
php-ldap-5.6.29-1.mga5
php-mbstring-5.6.29-1.mga5
php-mcrypt-5.6.29-1.mga5
php-mssql-5.6.29-1.mga5
php-mysql-5.6.29-1.mga5
php-mysqli-5.6.29-1.mga5
php-mysqlnd-5.6.29-1.mga5
php-odbc-5.6.29-1.mga5
php-opcache-5.6.29-1.mga5
php-pcntl-5.6.29-1.mga5
php-pdo-5.6.29-1.mga5
php-pdo_dblib-5.6.29-1.mga5
php-pdo_firebird-5.6.29-1.mga5
php-pdo_mysql-5.6.29-1.mga5
php-pdo_odbc-5.6.29-1.mga5
php-pdo_pgsql-5.6.29-1.mga5
php-pdo_sqlite-5.6.29-1.mga5
php-pgsql-5.6.29-1.mga5
php-phar-5.6.29-1.mga5
php-posix-5.6.29-1.mga5
php-readline-5.6.29-1.mga5
php-recode-5.6.29-1.mga5
php-session-5.6.29-1.mga5
php-shmop-5.6.29-1.mga5
php-snmp-5.6.29-1.mga5
php-soap-5.6.29-1.mga5
php-sockets-5.6.29-1.mga5
php-sqlite3-5.6.29-1.mga5
php-sybase_ct-5.6.29-1.mga5
php-sysvmsg-5.6.29-1.mga5
php-sysvsem-5.6.29-1.mga5
php-sysvshm-5.6.29-1.mga5
php-tidy-5.6.29-1.mga5
php-tokenizer-5.6.29-1.mga5
php-xml-5.6.29-1.mga5
php-xmlreader-5.6.29-1.mga5
php-xmlrpc-5.6.29-1.mga5
php-xmlwriter-5.6.29-1.mga5
php-xsl-5.6.29-1.mga5
php-wddx-5.6.29-1.mga5
php-zip-5.6.29-1.mga5
php-fpm-5.6.29-1.mga5
phpdbg-5.6.29-1.mga5

from php-5.6.29-1.mga5.src.rpm
Assignee: luigiwalser => qa-bugs
LWN reference for CVE-2016-9935: https://lwn.net/Vulnerabilities/709010/
URL: (none) => https://lwn.net/Vulnerabilities/708993/
CC: (none) => brtians1
Whiteboard: (none) => feedback
Whiteboard: feedback => (none)
MGA5-32 and MGA5-64

Not sure how to test PHP for the security issue, but I updated PHP from 5.6.27-1 to 5.6.29-1. The upgrade process runs well.

I created a local web server using apache and PHP to manage a little database (just a little file with few data to check if it's working).

I didn't notice problems while managing db and tweaking some PHP files but not sure about the CVE though.
CC: (none) => youpburden
[brian@localhost ~]$ uname -a
Linux localhost 4.4.36-desktop-2.mga5 #1 SMP Tue Dec 6 17:31:54 UTC 2016 i686 i686 i686 GNU/Linux

The following 118 packages are going to be installed:

- apache-2.4.10-16.4.mga5.i586
- autoconf-2.69-6.mga5.noarch
- automake-1.14.1-3.mga5.noarch
- bison-3.0.4-1.mga5.i586
- byacc-20141128-1.mga5.i586
- chrpath-0.16-3.mga5.i586
- dos2unix-6.0.6-3.mga5.i586
- flex-2.5.39-3.1.mga5.i586
- glibc-devel-2.20-23.mga5.i586
- kernel-userspace-headers-4.4.39-1.mga5.i586
- libapr-util1_0-1.5.4-4.mga5.i586
- libapr1_0-1.5.1-3.mga5.i586
- libaudit-devel-2.4.4-1.mga5.i586
- libc-client0-2007f-6.mga5.i586
- libfbclient2-2.5.3.26778-4.mga5.i586
- libfreetds0-0.91-8.mga5.i586
- libgcrypt-devel-1.5.4-5.3.mga5.i586
- libgpg-error-devel-1.13-3.mga5.i586
- liblzma-devel-5.2.0-1.mga5.i586
- libmbfl1-1.2.0-12.mga5.i586
- libmcrypt-2.5.8-18.mga5.i586
- libmcrypt4-2.5.8-18.mga5.i586
- libonig2-5.9.5-3.mga5.i586
- libopenssl-devel-1.0.2j-1.mga5.i586
- libpam-devel-1.1.8-10.1.mga5.i586
- libpcre-devel-8.38-1.mga5.i586
- libpcre16_0-8.38-1.mga5.i586
- libpcre32_0-8.38-1.mga5.i586
- libphp5_common5-5.6.29-1.mga5.i586
- libpq5-9.4.9-1.mga5.i586
- libstdc++5-3.3.6-11.mga5.i586
- libstdc++5-devel-3.3.6-11.mga5.i586
- libt1lib5-5.1.2-18.mga5.i586
- libtidy0.99_0-20090904-9.mga5.i586
- libtool-2.4.2-13.mga5.i586
- libtool-base-2.4.2-13.mga5.i586
- libxml2-devel-2.9.4-1.1.mga5.i586
- libxmlrpc-epi0-0.54.2-5.1.mga5.i586
- libxslt-devel-1.1.29-1.1.mga5.i586
- libzip2-0.11.2-4.mga5.i586
- libzlib-devel-1.2.8-7.1.mga5.i586
- m4-1.4.17-4.mga5.i586
- net-snmp-mibs-5.7.2-23.mga5.i586
- php-bcmath-5.6.29-1.mga5.i586
- php-bz2-5.6.29-1.mga5.i586
- php-calendar-5.6.29-1.mga5.i586
- php-cli-5.6.29-1.mga5.i586
- php-ctype-5.6.29-1.mga5.i586
- php-curl-5.6.29-1.mga5.i586
- php-dba-5.6.29-1.mga5.i586
- php-devel-5.6.29-1.mga5.i586
- php-doc-5.6.29-1.mga5.noarch
- php-dom-5.6.29-1.mga5.i586
- php-enchant-5.6.29-1.mga5.i586
- php-exif-5.6.29-1.mga5.i586
- php-fileinfo-5.6.29-1.mga5.i586
- php-filter-5.6.29-1.mga5.i586
- php-fpm-5.6.29-1.mga5.i586
- php-ftp-5.6.29-1.mga5.i586
- php-gd-5.6.29-1.mga5.i586
- php-gettext-5.6.29-1.mga5.i586
- php-gmp-5.6.29-1.mga5.i586
- php-hash-5.6.29-1.mga5.i586
- php-iconv-5.6.29-1.mga5.i586
- php-imap-5.6.29-1.mga5.i586
- php-ini-5.6.29-1.mga5.i586
- php-interbase-5.6.29-1.mga5.i586
- php-intl-5.6.29-1.mga5.i586
- php-json-5.6.29-1.mga5.i586
- php-ldap-5.6.29-1.mga5.i586
- php-mbstring-5.6.29-1.mga5.i586
- php-mcrypt-5.6.29-1.mga5.i586
- php-mssql-5.6.29-1.mga5.i586
- php-mysql-5.6.29-1.mga5.i586
- php-mysqli-5.6.29-1.mga5.i586
- php-mysqlnd-5.6.29-1.mga5.i586
- php-odbc-5.6.29-1.mga5.i586
- php-opcache-5.6.29-1.mga5.i586
- php-openssl-5.6.29-1.mga5.i586
- php-pcntl-5.6.29-1.mga5.i586
- php-pdo-5.6.29-1.mga5.i586
- php-pdo_dblib-5.6.29-1.mga5.i586
- php-pdo_firebird-5.6.29-1.mga5.i586
- php-pdo_mysql-5.6.29-1.mga5.i586
- php-pdo_odbc-5.6.29-1.mga5.i586
- php-pdo_pgsql-5.6.29-1.mga5.i586
- php-pdo_sqlite-5.6.29-1.mga5.i586
- php-pgsql-5.6.29-1.mga5.i586
- php-phar-5.6.29-1.mga5.i586
- php-posix-5.6.29-1.mga5.i586
- php-readline-5.6.29-1.mga5.i586
- php-recode-5.6.29-1.mga5.i586
- php-session-5.6.29-1.mga5.i586
- php-shmop-5.6.29-1.mga5.i586
- php-snmp-5.6.29-1.mga5.i586
- php-soap-5.6.29-1.mga5.i586
- php-sockets-5.6.29-1.mga5.i586
- php-sqlite3-5.6.29-1.mga5.i586
- php-suhosin-0.9.37.1-1.mga5.i586
- php-sybase_ct-5.6.29-1.mga5.i586
- php-sysvmsg-5.6.29-1.mga5.i586
- php-sysvsem-5.6.29-1.mga5.i586
- php-sysvshm-5.6.29-1.mga5.i586
- php-tidy-5.6.29-1.mga5.i586
- php-timezonedb-2016.6-1.mga5.i586
- php-tokenizer-5.6.29-1.mga5.i586
- php-wddx-5.6.29-1.mga5.i586
- php-xml-5.6.29-1.mga5.i586
- php-xmlreader-5.6.29-1.mga5.i586
- php-xmlrpc-5.6.29-1.mga5.i586
- php-xmlwriter-5.6.29-1.mga5.i586
- php-xsl-5.6.29-1.mga5.i586
- php-zip-5.6.29-1.mga5.i586
- php-zlib-5.6.29-1.mga5.i586
- phpdbg-5.6.29-1.mga5.i586
- re2c-0.13.6-3.mga5.i586
- t1lib-config-5.1.2-18.mga5.i586
- webserver-base-2.0-8.mga5.i586

164MB of additional disk space will be used.
33MB of packages will be retrieved.
Is it ok to continue?

[brian@localhost ~]$ php -v
PHP 5.6.29 (cli) (built: Dec 12 2016 18:23:09)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

I ran my usual battery of tests, they seem to work as designed.

Also ran the following script

Test script:
---------------
<?php
$xml = <<<EOF
<?xml version="1.0" ?>
<wddxPacket version="1.0">
<number>2261634.5098039215</number>
<binary><boolean/></binary>
</wddxPacket>
EOF;
$wddx = wddx_deserialize($xml);
var_dump($wddx);
?>

It did not segfault and in fact returned the value.

[brian@localhost sf_vmshare]$ php php529_test.php
float(2261634.5098039)

works as designed.
Whiteboard: (none) => mga5-32-ok
On my 64-bit box running an older php version I get this.

$ php php529_test.php
Segmentation fault

$ php -v
PHP 5.6.27 (cli) (built: Oct 18 2016 19:00:10)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

updated

$ php -v
PHP 5.6.29 (cli) (built: Dec 12 2016 18:23:25)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

[brian@localhost vmshare]$ php php529_test.php
float(2261634.5098039)

Note the real change was done in wddx module
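The before/after check done by hand in the two QA comments above can be scripted; this is an added example, not part of the original thread. The function names are hypothetical, and FIXED_VERSION is taken from the advisory text (both WDDX fixes are present from 5.6.29).

```shell
#!/bin/sh
# Added example: classify how a regression command ended and relate it
# to the PHP version under test. A shell reports a child killed by
# signal N as exit status 128+N, so a segfault (SIGSEGV, 11) is 139.

FIXED_VERSION="5.6.29"   # from the advisory: both WDDX fixes are in by 5.6.29

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ "$a" = "$fa" ] && a= || a=${a#*.}
        [ "$b" = "$fb" ] && b= || b=${b#*.}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
    done
    return 0
}

# classify_run CMD...: run CMD quietly; print PASS, CRASH signal N or FAIL exit N.
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "PASS"
    elif [ "$status" -gt 128 ]; then
        echo "CRASH signal $((status - 128))"
    else
        echo "FAIL exit $status"
    fi
}

# verdict VERSION CMD...: a crash is only acceptable on a pre-update build.
verdict() {
    version=$1; shift
    result=$(classify_run "$@")
    if version_ge "$version" "$FIXED_VERSION"; then
        case $result in
            PASS) echo "OK: $version handles the packet" ;;
            *)    echo "NOT FIXED: $version -> $result" ;;
        esac
    else
        echo "PRE-UPDATE: $version -> $result"
    fi
}

# Typical call on the test box (php529_test.php is the tester's script above):
#   verdict "$(php -r 'echo PHP_VERSION;')" php php529_test.php
```
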
Keywords: (none) => validated_update
Whiteboard: mga5-32-ok => mga5-32-ok mga5-64-ok
CC: (none) => sysadmin-bugs
CC: (none) => lewyssmith
Whiteboard: mga5-32-ok mga5-64-ok => mga5-32-ok mga5-64-ok advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0422.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This also fixed CVE-2015-8994: https://lists.opensuse.org/opensuse-updates/2017-03/msg00107.html