Bug 22321 - PHP 5.6.33
Summary: PHP 5.6.33
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Duplicates: 22358
Depends on:
Blocks: 22384
Reported: 2018-01-05 15:24 CET by Marc Krämer
Modified: 2018-02-01 21:31 CET

See Also:
Source RPM: php-5.6.32-1.mga6.src.rpm
CVE:
Status comment:



Description Marc Krämer 2018-01-05 15:24:30 CET
Upstream has released PHP 5.6.33 on Jan 4th:
http://php.net/archive/2018.php#id2018-01-04-4

It fixes a few security issues:
http://php.net/ChangeLog-5.php#5.6.33

Advisory:
========================

Updated php packages fix security vulnerabilities:

Potential infinite loop in gdImageCreateFromGifCtx (php#75571)
Reflected XSS in .phar 404 page (php#74782)

References:
http://php.net/ChangeLog-5.php#5.6.33
========================

Updated packages in core/updates_testing:
========================

php-ini-5.6.33-1.mga6
apache-mod_php-5.6.33-1.mga6
php-cli-5.6.33-1.mga6
php-cgi-5.6.33-1.mga6
lib64php5_common5-5.6.33-1.mga6
php-devel-5.6.33-1.mga6
php-openssl-5.6.33-1.mga6
php-zlib-5.6.33-1.mga6
php-doc-5.6.33-1.mga6
php-bcmath-5.6.33-1.mga6
php-bz2-5.6.33-1.mga6
php-calendar-5.6.33-1.mga6
php-ctype-5.6.33-1.mga6
php-curl-5.6.33-1.mga6
php-dba-5.6.33-1.mga6
php-dom-5.6.33-1.mga6
php-enchant-5.6.33-1.mga6
php-exif-5.6.33-1.mga6
php-fileinfo-5.6.33-1.mga6
php-filter-5.6.33-1.mga6
php-ftp-5.6.33-1.mga6
php-gd-5.6.33-1.mga6
php-gettext-5.6.33-1.mga6
php-gmp-5.6.33-1.mga6
php-hash-5.6.33-1.mga6
php-iconv-5.6.33-1.mga6
php-imap-5.6.33-1.mga6
php-interbase-5.6.33-1.mga6
php-intl-5.6.33-1.mga6
php-json-5.6.33-1.mga6
php-ldap-5.6.33-1.mga6
php-mbstring-5.6.33-1.mga6
php-mcrypt-5.6.33-1.mga6
php-mssql-5.6.33-1.mga6
php-mysql-5.6.33-1.mga6
php-mysqli-5.6.33-1.mga6
php-mysqlnd-5.6.33-1.mga6
php-odbc-5.6.33-1.mga6
php-opcache-5.6.33-1.mga6
php-pcntl-5.6.33-1.mga6
php-pdo-5.6.33-1.mga6
php-pdo_dblib-5.6.33-1.mga6
php-pdo_firebird-5.6.33-1.mga6
php-pdo_mysql-5.6.33-1.mga6
php-pdo_odbc-5.6.33-1.mga6
php-pdo_pgsql-5.6.33-1.mga6
php-pdo_sqlite-5.6.33-1.mga6
php-pgsql-5.6.33-1.mga6
php-phar-5.6.33-1.mga6
php-posix-5.6.33-1.mga6
php-readline-5.6.33-1.mga6
php-recode-5.6.33-1.mga6
php-session-5.6.33-1.mga6
php-shmop-5.6.33-1.mga6
php-snmp-5.6.33-1.mga6
php-soap-5.6.33-1.mga6
php-sockets-5.6.33-1.mga6
php-sqlite3-5.6.33-1.mga6
php-sybase_ct-5.6.33-1.mga6
php-sysvmsg-5.6.33-1.mga6
php-sysvsem-5.6.33-1.mga6
php-sysvshm-5.6.33-1.mga6
php-tidy-5.6.33-1.mga6
php-tokenizer-5.6.33-1.mga6
php-xml-5.6.33-1.mga6
php-xmlreader-5.6.33-1.mga6
php-xmlrpc-5.6.33-1.mga6
php-xmlwriter-5.6.33-1.mga6
php-xsl-5.6.33-1.mga6
php-wddx-5.6.33-1.mga6
php-zip-5.6.33-1.mga6
php-fpm-5.6.33-1.mga6
phpdbg-5.6.33-1.mga6
php-debuginfo-5.6.33-1.mga6

from SRPMS:
php-5.6.33-1.mga6.src.rpm
Marc Krämer 2018-01-05 15:31:17 CET

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 1 David Walser 2018-01-05 16:07:40 CET
We will need to patch libgd to fix the GD issue:
http://www.php.net/ChangeLog-5.php#5.6.33

Keywords: (none) => feedback
CC: (none) => luigiwalser

Marc Krämer 2018-01-05 16:51:13 CET

Assignee: qa-bugs => mageia

Comment 2 Marc Krämer 2018-01-05 17:29:30 CET
@David: thanks, you're right. Sorry I missed this.
The current version of gd is not patched yet.

I've added a patch. Should I file another bug for this?

libgd has built:
lib64gd3-2.2.5-2.mga6
lib64gd-devel-2.2.5-2.mga6
lib64gd-static-devel-2.2.5-2.mga6
gd-utils-2.2.5-2.mga6
libgd-debuginfo-2.2.5-2.mga6

SRPM:
libgd-2.2.5-2.mga6.src.rpm
Comment 3 David Walser 2018-01-05 18:08:06 CET
Nope, it will be part of this update.  Thanks!!

Keywords: feedback => (none)

Marc Krämer 2018-01-05 18:15:05 CET

Assignee: mageia => qa-bugs

Comment 4 Lewis Smith 2018-01-07 15:49:14 CET
For clarification please.
Should the pkgs cited in comment 2 effectively be added to those in comment 0?
I wonder in case we should expect a revised pkg list & advisory, or whether we can take the two comments combined as they are. (No problem for doing the advisory including both).

CC: (none) => lewyssmith

Comment 5 Marc Krämer 2018-01-07 18:17:36 CET
Please combine both, sorry for the mess. php#75571 is fixed in libgd, whereas php#74782 is fixed in php release.
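
Added example, not part of the original thread: because the two fixes ship in different source packages (php#74782 in php, php#75571 in libgd), a host is only fully patched when both are at the builds listed in comments 0 and 2. The function names and the sort -V comparison are assumptions of this sketch; the package versions come from this report.

```sh
#!/bin/sh
# Minimum fixed builds, taken from comments 0 and 2 of this bug report.
# Format: package  minimum version-release  upstream issue
FIXED='php-phar 5.6.33-1.mga6 php#74782
lib64gd3 2.2.5-2.mga6 php#75571'

# ver_ge HAVE MIN: true when HAVE sorts at or after MIN.
# Assumption: GNU "sort -V" ordering is close enough to rpm's version
# comparison for these simple version-release strings (no epoch).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# audit_fixes: reads "name version-release" lines on stdin, prints one
# status line per tracked package, returns 1 if an installed one is older.
audit_fixes() {
    inventory=$(cat)
    rc=0
    while read -r pkg min issue; do
        have=$(printf '%s\n' "$inventory" |
               awk -v p="$pkg" '$1 == p { print $2; exit }')
        if [ -z "$have" ]; then
            echo "$pkg: not installed"
        elif ver_ge "$have" "$min"; then
            echo "$pkg $have: includes fix for $issue"
        else
            echo "$pkg $have: VULNERABLE to $issue, needs >= $min"
            rc=1
        fi
    done <<EOF
$FIXED
EOF
    return $rc
}

# On a live Mageia host the inventory would come from rpm:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_fixes
```

A host where only the php packages were updated fails this check on lib64gd3, which is the case the combined advisory is meant to prevent.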
Comment 6 Thomas Backlund 2018-01-09 11:35:15 CET
*** Bug 22358 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 7 Marc Krämer 2018-01-10 19:04:16 CET
Is there still anything missing?
Comment 8 David Walser 2018-01-10 19:36:06 CET
No, it's good.
Comment 9 Lewis Smith 2018-01-10 21:40:48 CET
Before testing. I cannot find our previous updates for libgd which showed how to use it via lib-utils, so re-iterate the available commands:
 /usr/bin/annotate
 /usr/bin/bdftogd
 /usr/bin/gd2copypal
 /usr/bin/gd2togif
 /usr/bin/gd2topng
 /usr/bin/gdcmpgif
 /usr/bin/gdparttopng
 /usr/bin/gdtopng
 /usr/bin/giftogd2
 /usr/bin/pngtogd
 /usr/bin/pngtogd2
 /usr/bin/webpng
because I doubt that playing with PHP will prove much. GD2 is a weird image format if I remember correctly.
 $ urpmq --whatrequires lib64gd3 | uniq | grep -v ^lib
amule
apcupsd
fceux
fswebcam
gd-utils
glibc-utils
gnuplot
gnuplot-nox
gnuplot-qt
graphviz
links-hacked
m17n-lib
mldonkey
mscgen
nagios-www
navit
nginx
nut-cgi
pcb
perl-GD
php-gd
python-gd
tcl-graphviz
texlive
vnstat
To come back to.
Comment 10 David Walser 2018-01-10 22:12:55 CET
You can use php-gd to generate images in PNG and other standard formats; that's the best way to test it.  I've previously posted a PHP CGI script in our Bugzilla that uses it.
Comment 11 PC LX 2018-01-12 02:52:08 CET
Installed and tested without issues.

Tests included a variety of scripts, large and small, including wordpress, drupal and several custom scripts.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ journalctl -b0 | egrep -o install.*success | sort -u
install apache-mod_php-3:5.6.33-1.mga6.x86_64: success
install lib64php5_common5-3:5.6.33-1.mga6.x86_64: success
install php-cli-3:5.6.33-1.mga6.x86_64: success
install php-ctype-3:5.6.33-1.mga6.x86_64: success
install php-curl-3:5.6.33-1.mga6.x86_64: success
install php-dom-3:5.6.33-1.mga6.x86_64: success
install php-filter-3:5.6.33-1.mga6.x86_64: success
install php-ftp-3:5.6.33-1.mga6.x86_64: success
install php-gd-3:5.6.33-1.mga6.x86_64: success
install php-gettext-3:5.6.33-1.mga6.x86_64: success
install php-hash-3:5.6.33-1.mga6.x86_64: success
install php-ini-3:5.6.33-1.mga6.x86_64: success
install php-intl-3:5.6.33-1.mga6.x86_64: success
install php-json-3:5.6.33-1.mga6.x86_64: success
install php-mbstring-3:5.6.33-1.mga6.x86_64: success
install php-mysqli-3:5.6.33-1.mga6.x86_64: success
install php-mysqlnd-3:5.6.33-1.mga6.x86_64: success
install php-openssl-3:5.6.33-1.mga6.x86_64: success
install php-pdo-3:5.6.33-1.mga6.x86_64: success
install php-pdo_mysql-3:5.6.33-1.mga6.x86_64: success
install php-posix-3:5.6.33-1.mga6.x86_64: success
install php-session-3:5.6.33-1.mga6.x86_64: success
install php-sysvsem-3:5.6.33-1.mga6.x86_64: success
install php-sysvshm-3:5.6.33-1.mga6.x86_64: success
install php-tokenizer-3:5.6.33-1.mga6.x86_64: success
install php-xml-3:5.6.33-1.mga6.x86_64: success
install php-xmlreader-3:5.6.33-1.mga6.x86_64: success
install php-xmlwriter-3:5.6.33-1.mga6.x86_64: success
install php-zlib-3:5.6.33-1.mga6.x86_64: success

CC: (none) => mageia

Comment 12 Len Lawrence 2018-01-12 18:24:42 CET
Updated the whole list of packages apart from php-debuginfo.

In the light of comment 10 found a "php tutorial for kids" online and created this snippet to test image creation.  I have never been able to figure out, or remember how to run PHP in a browser so reverted to the command line.  The script works fine and an strace shows that the gd libraries are used.

<?php
  header('Content-type: image/png');
  $png_image = imagecreate(150, 150);
  imagecolorallocate($png_image, 15, 142, 210);
  imagepng($png_image);
  $path_image = 'one.png';
  imagepng($png_image, $path_image);
  imagedestroy($png_image);
?>

$ strace php create-png.php 2> trace
$

one.png displays a 150x150 blue square.
$ grep gd trace
stat("/etc/php.d/23_gd.ini", {st_mode=S_IFREG|0644, st_size=18, ...}) = 0
open("/etc/php.d/23_gd.ini", O_RDONLY)  = 3
open("/usr/lib64/libgdbm.so.4", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/php/extensions/gd.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgd.so.3", O_RDONLY|O_CLOEXEC) = 3

The tutorial by the way suggests going to <website>/<path to file>, so
http://localhost/qa/php/create-png.php -> error 404
Even with the full path apache cannot find it.
http://localhost/home/lcl/qa/php/create-png.php -> error 404

It seemed likely that apache would look in /var/www so I copied the file there but no luck.  So, does apache need to be restarted?  Tried that but still not able to see php files.

Apart from that this tops up the tests by PC LX so we should give it an OK.

CC: (none) => tarazed25

Len Lawrence 2018-01-12 18:38:26 CET

Whiteboard: (none) => MGA6-64-OK

Comment 13 David Walser 2018-01-13 06:09:22 CET
Marc, for future reference, when you're patching something in a stable release, you should add a subrel (or increment it if it's already there), rather than incrementing the release tag.  Make sure to define the subrel immediately above where mkrel is called.
David Walser 2018-01-13 06:16:21 CET

Blocks: (none) => 22384

Comment 14 Herman Viaene 2018-01-13 13:57:13 CET
MGA6-64 on Lenovo B50 Plasma
No installation issues, updating both php and gd stuff
Confirm test as in Comment 12 with  php create-png.php works OK.

CC: (none) => herman.viaene

Comment 15 Len Lawrence 2018-01-13 18:49:39 CET
Three 64-bit tests.  Still feeling a bit queasy about following through without 32-bit tests.  Anyway, here goes, validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Lewis Smith 2018-01-14 16:48:06 CET
Advisory done from comments 0 & 2.

Keywords: (none) => advisory

Comment 17 Mageia Robot 2018-01-14 17:55:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0081.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 18 David Walser 2018-02-01 21:31:12 CET
php#75571 has been assigned CVE-2018-5711:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00114.html
