Upstream has released PHP 5.6.33 on Jan 4th:
http://php.net/archive/2018.php#id2018-01-04-4

It fixes a few security issues:
http://php.net/ChangeLog-5.php#5.6.33

Advisory:
========================

Updated php packages fix security vulnerabilities:

Potential infinite loop in gdImageCreateFromGifCtx (php#75571)
Reflected XSS in .phar 404 page (php#74782)

References:
http://php.net/ChangeLog-5.php#5.6.33
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.33-1.mga6
apache-mod_php-5.6.33-1.mga6
php-cli-5.6.33-1.mga6
php-cgi-5.6.33-1.mga6
lib64php5_common5-5.6.33-1.mga6
php-devel-5.6.33-1.mga6
php-openssl-5.6.33-1.mga6
php-zlib-5.6.33-1.mga6
php-doc-5.6.33-1.mga6
php-bcmath-5.6.33-1.mga6
php-bz2-5.6.33-1.mga6
php-calendar-5.6.33-1.mga6
php-ctype-5.6.33-1.mga6
php-curl-5.6.33-1.mga6
php-dba-5.6.33-1.mga6
php-dom-5.6.33-1.mga6
php-enchant-5.6.33-1.mga6
php-exif-5.6.33-1.mga6
php-fileinfo-5.6.33-1.mga6
php-filter-5.6.33-1.mga6
php-ftp-5.6.33-1.mga6
php-gd-5.6.33-1.mga6
php-gettext-5.6.33-1.mga6
php-gmp-5.6.33-1.mga6
php-hash-5.6.33-1.mga6
php-iconv-5.6.33-1.mga6
php-imap-5.6.33-1.mga6
php-interbase-5.6.33-1.mga6
php-intl-5.6.33-1.mga6
php-json-5.6.33-1.mga6
php-ldap-5.6.33-1.mga6
php-mbstring-5.6.33-1.mga6
php-mcrypt-5.6.33-1.mga6
php-mssql-5.6.33-1.mga6
php-mysql-5.6.33-1.mga6
php-mysqli-5.6.33-1.mga6
php-mysqlnd-5.6.33-1.mga6
php-odbc-5.6.33-1.mga6
php-opcache-5.6.33-1.mga6
php-pcntl-5.6.33-1.mga6
php-pdo-5.6.33-1.mga6
php-pdo_dblib-5.6.33-1.mga6
php-pdo_firebird-5.6.33-1.mga6
php-pdo_mysql-5.6.33-1.mga6
php-pdo_odbc-5.6.33-1.mga6
php-pdo_pgsql-5.6.33-1.mga6
php-pdo_sqlite-5.6.33-1.mga6
php-pgsql-5.6.33-1.mga6
php-phar-5.6.33-1.mga6
php-posix-5.6.33-1.mga6
php-readline-5.6.33-1.mga6
php-recode-5.6.33-1.mga6
php-session-5.6.33-1.mga6
php-shmop-5.6.33-1.mga6
php-snmp-5.6.33-1.mga6
php-soap-5.6.33-1.mga6
php-sockets-5.6.33-1.mga6
php-sqlite3-5.6.33-1.mga6
php-sybase_ct-5.6.33-1.mga6
php-sysvmsg-5.6.33-1.mga6
php-sysvsem-5.6.33-1.mga6
php-sysvshm-5.6.33-1.mga6
php-tidy-5.6.33-1.mga6
php-tokenizer-5.6.33-1.mga6
php-xml-5.6.33-1.mga6
php-xmlreader-5.6.33-1.mga6
php-xmlrpc-5.6.33-1.mga6
php-xmlwriter-5.6.33-1.mga6
php-xsl-5.6.33-1.mga6
php-wddx-5.6.33-1.mga6
php-zip-5.6.33-1.mga6
php-fpm-5.6.33-1.mga6
phpdbg-5.6.33-1.mga6
php-debuginfo-5.6.33-1.mga6

from SRPMS:
php-5.6.33-1.mga6.src.rpm
QA Contact: (none) => security
Component: RPM Packages => Security
We will need to patch libgd to fix the GD issue: http://www.php.net/ChangeLog-5.php#5.6.33
Keywords: (none) => feedback
CC: (none) => luigiwalser
Assignee: qa-bugs => mageia
@David: thanks, you're right. Sorry I missed this. The current version of gd is not patched yet. I've added a patch. Should I file another bug for this?

libgd has built:
lib64gd3-2.2.5-2.mga6
lib64gd-devel-2.2.5-2.mga6
lib64gd-static-devel-2.2.5-2.mga6
gd-utils-2.2.5-2.mga6
libgd-debuginfo-2.2.5-2.mga6

SRPM:
libgd-2.2.5-2.mga6.src.rpm
Nope, it will be part of this update. Thanks!!
Keywords: feedback => (none)
Assignee: mageia => qa-bugs
For clarification please. Should the pkgs cited in comment 2 effectively be added to those in comment 0? I wonder in case we should expect a revised pkg list & advisory, or whether we can take the two comments combined as they are. (No problem for doing the advisory including both).
CC: (none) => lewyssmith
Please combine both, sorry for the mess. php#75571 is fixed in libgd, whereas php#74782 is fixed in php release.
*** Bug 22358 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
Is there still anything missing?
No, it's good.
Before testing. I cannot find our previous updates for libgd which showed how to use it via lib-utils, so re-iterate the available commands:

/usr/bin/annotate
/usr/bin/bdftogd
/usr/bin/gd2copypal
/usr/bin/gd2togif
/usr/bin/gd2topng
/usr/bin/gdcmpgif
/usr/bin/gdparttopng
/usr/bin/gdtopng
/usr/bin/giftogd2
/usr/bin/pngtogd
/usr/bin/pngtogd2
/usr/bin/webpng

because I doubt that playing with PHP will prove much. GD2 is a weird image format if I remember correctly.

$ urpmq --whatrequires lib64gd3 | uniq | grep -v ^lib
amule
apcupsd
fceux
fswebcam
gd-utils
glibc-utils
gnuplot
gnuplot-nox
gnuplot-qt
graphviz
links-hacked
m17n-lib
mldonkey
mscgen
nagios-www
navit
nginx
nut-cgi
pcb
perl-GD
php-gd
python-gd
tcl-graphviz
texlive
vnstat

To come back to.
You can use php-gd to generate images in PNG and other standard formats; that's the best way to test it. I've previously posted a PHP CGI script in our Bugzilla that uses it.
Installed and tested without issues. Tests included a variety of scripts, large and small, including wordpress, drupal and several custom scripts.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ journalctl -b0 | egrep -o install.*success | sort -u
install apache-mod_php-3:5.6.33-1.mga6.x86_64: success
install lib64php5_common5-3:5.6.33-1.mga6.x86_64: success
install php-cli-3:5.6.33-1.mga6.x86_64: success
install php-ctype-3:5.6.33-1.mga6.x86_64: success
install php-curl-3:5.6.33-1.mga6.x86_64: success
install php-dom-3:5.6.33-1.mga6.x86_64: success
install php-filter-3:5.6.33-1.mga6.x86_64: success
install php-ftp-3:5.6.33-1.mga6.x86_64: success
install php-gd-3:5.6.33-1.mga6.x86_64: success
install php-gettext-3:5.6.33-1.mga6.x86_64: success
install php-hash-3:5.6.33-1.mga6.x86_64: success
install php-ini-3:5.6.33-1.mga6.x86_64: success
install php-intl-3:5.6.33-1.mga6.x86_64: success
install php-json-3:5.6.33-1.mga6.x86_64: success
install php-mbstring-3:5.6.33-1.mga6.x86_64: success
install php-mysqli-3:5.6.33-1.mga6.x86_64: success
install php-mysqlnd-3:5.6.33-1.mga6.x86_64: success
install php-openssl-3:5.6.33-1.mga6.x86_64: success
install php-pdo-3:5.6.33-1.mga6.x86_64: success
install php-pdo_mysql-3:5.6.33-1.mga6.x86_64: success
install php-posix-3:5.6.33-1.mga6.x86_64: success
install php-session-3:5.6.33-1.mga6.x86_64: success
install php-sysvsem-3:5.6.33-1.mga6.x86_64: success
install php-sysvshm-3:5.6.33-1.mga6.x86_64: success
install php-tokenizer-3:5.6.33-1.mga6.x86_64: success
install php-xml-3:5.6.33-1.mga6.x86_64: success
install php-xmlreader-3:5.6.33-1.mga6.x86_64: success
install php-xmlwriter-3:5.6.33-1.mga6.x86_64: success
install php-zlib-3:5.6.33-1.mga6.x86_64: success
CC: (none) => mageia
Updated the whole list of packages apart from php-debuginfo.

In the light of comment 10 found a "php tutorial for kids" online and created this snippet to test image creation. I have never been able to figure out, or remember how to run PHP in a browser so reverted to the command line. The script works fine and an strace shows that the gd libraries are used.

<?php
// Content type for browser use; it has no visible effect on the command line.
header('Content-type: image/png');
// 150x150 palette image; the first allocated colour becomes the background.
$png_image = imagecreate(150, 150);
imagecolorallocate($png_image, 15, 142, 210);
// Write the PNG to standard output.
imagepng($png_image);
// Write the same PNG to a file in the current directory.
$path_image = 'one.png';
imagepng($png_image, $path_image);
imagedestroy($png_image);
?>

$ strace php create-png.php 2> trace
[binary PNG data printed to the terminal]
$

one.png displays a 150x150 blue square.

$ grep gd trace
stat("/etc/php.d/23_gd.ini", {st_mode=S_IFREG|0644, st_size=18, ...}) = 0
open("/etc/php.d/23_gd.ini", O_RDONLY) = 3
open("/usr/lib64/libgdbm.so.4", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/php/extensions/gd.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgd.so.3", O_RDONLY|O_CLOEXEC) = 3

The tutorial by the way suggests going to <website>/<path to file>, so
http://localhost/qa/php/create-png.php -> error 404
Even with the full path apache cannot find it.
http://localhost/home/lcl/qa/php/create-png.php -> error 404

It seemed likely that apache would look in /var/www so I copied the file there but no luck. So, does apache need to be restarted? Tried that but still not able to see php files.

Apart from that this tops up the tests by PC LX so we should give it an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
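An added example, not part of the original thread or of Mageia's own test material: a PHP CLI smoke test that extends the comment 12 script to write a GIF and read it back, because the libgd half of this update touches the GIF reader rather than PNG output. The temporary file prefix and the 10-second limit are assumptions; the image size and colour are taken from the script above.

```php
<?php
// Added example: GD smoke test for QA of a php-gd / libgd update.
// Writes a well-formed GIF and reads it back, so the GIF reader
// (gdImageCreateFromGifCtx is the function named for php#75571)
// is exercised with benign input.

if (!extension_loaded('gd')) {
    fwrite(STDERR, "FAIL: gd extension not loaded\n");
    exit(1);
}

// Stop a decoder that spins instead of letting the test hang (assumed limit).
set_time_limit(10);

$info = gd_info();
echo "GD version: ", $info['GD Version'], "\n";

// Same 150x150 single-colour image as the script in comment 12.
$src = imagecreate(150, 150);
imagecolorallocate($src, 15, 142, 210);   // first allocation = background

$path = tempnam(sys_get_temp_dir(), 'gdqa');   // assumed temp file prefix
if (!imagegif($src, $path)) {
    fwrite(STDERR, "FAIL: imagegif could not write $path\n");
    exit(1);
}
imagedestroy($src);

// Decode the file that was just written, then clean up.
$dst = @imagecreatefromgif($path);
unlink($path);
if ($dst === false) {
    fwrite(STDERR, "FAIL: imagecreatefromgif rejected a valid GIF\n");
    exit(1);
}

// Compare size and the colour of the top-left pixel with what was written.
$rgb = imagecolorsforindex($dst, imagecolorat($dst, 0, 0));
$ok = imagesx($dst) === 150 && imagesy($dst) === 150
   && $rgb['red'] === 15 && $rgb['green'] === 142 && $rgb['blue'] === 210;
imagedestroy($dst);

echo $ok ? "PASS: GIF round trip\n" : "FAIL: decoded image differs\n";
exit($ok ? 0 : 1);
```

Run it with the php CLI before and after installing the update; the exit status is 0 on a pass, so it can be chained with the strace check from comment 12.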
Marc, for future reference, when you're patching something in a stable release, you should add a subrel (or increment it if it's already there), rather than incrementing the release tag. Make sure to define the subrel immediately above where mkrel is called.
Blocks: (none) => 22384
MGA6-64 on Lenovo B50 Plasma
No installation issues, updating both php and gd stuff
Confirm test as in Comment 12 with php create-png.php works OK.
CC: (none) => herman.viaene
Three 64-bit tests. Still feeling a bit queasy about following through without 32-bit tests. Anyway, here goes, validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory done from comments 0 & 2.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0081.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
php#75571 has been assigned CVE-2018-5711: https://lists.opensuse.org/opensuse-updates/2018-01/msg00114.html