Bug 24185 - php-pear-HTML_QuickForm new security issue (eval injection) CVE-2018-1999022
Summary: php-pear-HTML_QuickForm new security issue (eval injection) CVE-2018-1999022
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-15 11:28 CET by Marc Krämer
Modified: 2019-01-23 16:51 CET (History)
3 users

See Also:
Source RPM: php-pear-HTML_QuickForm-3.2.14-5.mga6.src.rpm
CVE: CVE-2018-1999022
Status comment:


Attachments
Script to use php-pear-HTML_QuickForm (820 bytes, application/x-php)
2019-01-19 20:58 CET, Lewis Smith

Description Marc Krämer 2019-01-15 11:28:03 CET
A vulnerability in the HTML_QuickForm package has been found which potentially allows remote code execution.
Marc Krämer 2019-01-15 11:28:15 CET

Assignee: php => mageia

Comment 1 Marc Krämer 2019-01-15 11:36:22 CET
Updated php-pear-HTML_QuickForm packages fix security vulnerabilities:

A vulnerability in the HTML_QuickForm package has been found which potentially allows remote code execution.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999022
========================

Updated packages in core/updates_testing:
========================
php-pear-HTML_QuickForm-3.2.15-1.mga6.noarch.rpm

Source RPMs: 
php-pear-HTML_QuickForm-3.2.15-1.mga6.src.rpm

Component: RPM Packages => Security
CVE: (none) => CVE-2018-1999022
QA Contact: (none) => security
Assignee: mageia => qa-bugs

David Walser 2019-01-15 16:04:46 CET

Summary: Security issue injection issue => php-pear-HTML_QuickForm new security issue (eval injection) CVE-2018-1999022

Comment 2 Herman Viaene 2019-01-16 09:40:37 CET
MGA6-32 MATE on IBM Thinkpad R50e
At installation selecting this package draws in 20+ php7 packages, but after agreeing on this I still get:
Sorry, het volgende pakket is niet selecteerbaar: (package cannot be selected)

- php-pear-HTML_QuickForm-3.2.15-1.mga6.noarch (vanwege onvoldane pear(HTML/QuickForm/utils.php)) (unfulfilled pear(HTML/QuickForm/utils.php))

CC: (none) => herman.viaene

Comment 3 Marc Krämer 2019-01-16 11:59:58 CET
Thanks Herman, you're right. Pushed new release.
Comment 4 Lewis Smith 2019-01-18 21:26:29 CET
Testing M6/64

BEFORE update, installing the package added a couple of others:
  php-pear-HTML_Common           1.2.5        8.mga6        noarch  
* php-pear-HTML_QuickForm        3.2.14       5.mga6        noarch  *
  php-pear-HTML_Template_IT      1.3.0        8.mga6        noarch  

No useful info from the CVE. No previous update for this pkg. This looks good:
 https://pear.php.net/manual/en/package.html.html-quickform.tutorial.php
Running the script:
 $ php ./pearHTML.php
outputs to STDOUT a chunk of HTML which will need wrapping in outer HTML to try in a browser. No time now.

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2019-01-19 20:47:22 CET
Testing M6/64

BEFORE update: php-pear-HTML_QuickForm-3.2.14-5.mga6

Ran the script
 $ php ./pearHTML.php > pre1.htm
and saved that O/P for reference.
Edited this (to a *different* file) to enclose the whole in <HTML>...</HTML>, the script part in <HEAD>...</HEAD>  and the HTML part in <BODY>...</BODY>.
Opening that file in a browser showed a correct form, submitting a blank name field popped an error, it works. But this is more for interest.

DURING update, I got the error:
"Yn anffodus, nid oes modd dewis y pecyn canlynol:
- php-pear-HTML_QuickForm-3.2.15-2.mga6.noarch (pear(HTML/QuickForm/Renderer/ITDynamic.php) heb ei foddloni)"
= Cannot select pkg 'php-pear-HTML_QuickForm-3.2.15-2.mga6.noarch' because 'pear(HTML/QuickForm/Renderer/ITDynamic.php' cannot be satisfied.

Before:
 $ urpmq --requires php-pear-HTML_QuickForm | grep ITDynamic
 $
After:
 $ urpmq --media 'updates testing' --requires php-pear-HTML_QuickForm | grep ITDynamic
 php-pear-HTML_QuickForm: pear(HTML/QuickForm/Renderer/ITDynamic.php)
 $
which shows that the update requires the new thingy, not required by its predecessor.
-----------
$ php -v
PHP 5.6.40 (cli) (built: Jan 11 2019 09:50:49)

Keywords: (none) => feedback

Comment 6 Lewis Smith 2019-01-19 20:58:16 CET
Created attachment 10683
Script to use php-pear-HTML_QuickForm

To use the script (e.g. from its own directory):
 $ php ./pearHTML.php > <output file>
The O/P file is JavaScript + HTML. Keep it for reference re updates.

Suggest editing this to a *different* file as a complete HTML page: enclose the whole in <HTML>...</HTML>, the script part in <HEAD>...</HEAD>  and the HTML part in <BODY>...</BODY>.
Open that file in a browser, it should show a valid form.
Comment 7 Marc Krämer 2019-01-20 21:27:21 CET
My apologies, the new package requires things it provides itself. I have to recheck why this happens - it should not! It is one of those automagic things :(
Comment 8 Marc Krämer 2019-01-21 22:01:56 CET
Strange - I've checked the cauldron package, which is identical; here the automagic discovered different things. Using the provides from cauldron, this package is installable now, with subrelease 3.

Keywords: feedback => (none)
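As an added example (not from the bug report, the attached script or the Mageia package), a POSIX shell helper that compares a package's pear(...) requires with a provides list, which is the check that would have flagged the unsatisfied pear(HTML/QuickForm/Renderer/ITDynamic.php) requirement of 3.2.15-2 before it reached updates_testing. The `rpm -qp --requires` / `rpm -qp --provides` invocations are the assumed way to produce real inputs; the sample lists inside demo() are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the Mageia package.
# Comments 5 and 7 describe an update whose auto-generated requires named
# pear(HTML/QuickForm/Renderer/ITDynamic.php), which no provides satisfied,
# so urpmi refused to select the package. These helpers compare a package's
# pear(...) requires with a provides list before pushing to updates_testing.
# Real inputs: the output of `rpm -qp --requires pkg.rpm` and
# `rpm -qp --provides pkg.rpm` (add dependency packages' provides to the
# second file for repository-wide coverage). The sample data is constructed.

# pear_unsatisfied REQUIRES_FILE PROVIDES_FILE
#   Print each pear(...) requirement with no exact match in the provides.
#   Only the first field is compared, so version constraints are ignored.
pear_unsatisfied() {
    awk 'FILENAME == ARGV[1] { prov[$1] = 1; next }
         /^pear\(/ && !($1 in prov) && !seen[$1]++ { print $1 }' "$2" "$1"
}

# pear_self_provided REQUIRES_FILE PROVIDES_FILE
#   Print pear(...) requirements the same package provides itself (harmless,
#   but the symptom described in comment 7).
pear_self_provided() {
    awk 'FILENAME == ARGV[1] { prov[$1] = 1; next }
         /^pear\(/ && ($1 in prov) && !seen[$1]++ { print $1 }' "$2" "$1"
}

# demo: constructed requires/provides mimicking the 3.2.15-2 situation.
# Prints the unsatisfied list, a '--' separator, then the self-provided list.
demo() {
    req=$(mktemp) && prov=$(mktemp) || return 1
    cat > "$req" <<'EOF'
pear(HTML/Common.php)
pear(HTML/QuickForm/Renderer/ITDynamic.php)
pear(HTML/QuickForm/utils.php)
php(language) >= 5.3
EOF
    cat > "$prov" <<'EOF'
php-pear-HTML_QuickForm = 3.2.15-2.mga6
pear(HTML/QuickForm.php)
pear(HTML/QuickForm/utils.php)
EOF
    pear_unsatisfied "$req" "$prov"
    echo '--'
    pear_self_provided "$req" "$prov"
    rm -f "$req" "$prov"
}

demo
```

In the demo output pear(HTML/Common.php) is expected, since php-pear-HTML_Common provides it; appending that package's provides to the second file leaves only the ITDynamic.php entry, the one that actually blocked the update.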

Comment 9 Lewis Smith 2019-01-23 10:40:33 CET
Re-trying M6/64
See comment 5 for previous attempt.
Before trying the update, I tested it empirically:
 $ urpmq --media 'updates testing' --requires php-pear-HTML_QuickForm | grep ITDynamic
 php-pear-HTML_QuickForm: pear(HTML/QuickForm/Renderer/ITDynamic.php)
 php-pear-HTML_QuickForm: pear(HTML/QuickForm/Renderer/ITDynamic.php)
Do not know what to make of that, but the pkg could be selected & updated:
- php-pear-HTML_QuickForm-3.2.15-3.mga6.noarch

AFTER update
 $ php ./pearHTML.php > post1.htm
PHP Warning:  require_once(HTML/QuickForm.php): failed to open stream: No such file or directory in /home/lewis/tmp/pearHTML.php on line 3
PHP Fatal error:  require_once(): Failed opening required 'HTML/QuickForm.php' (include_path='.:/usr/lib64/php/:/usr/share/pear/:/usr/share/php/') in /home/lewis/tmp/pearHTML.php on line 3

Remember this worked before.
 $ head pearHTML.php 
<?php
// Load the main class
require_once 'HTML/QuickForm.php';

Await a comment from Marc. @Herman: do you want to try again?
Comment 10 Marc Krämer 2019-01-23 11:21:15 CET
This one is a beast. There was a silent fail switch added, so I didn't see the error.
Released subrel 4
Comment 11 Lewis Smith 2019-01-23 13:51:52 CET
(In reply to Marc Krämer from comment #10)
> this one is a beast.
And has been from the beginning. You can cheer up now!

Tested OK M6/64

I first reverted to the version in the field:
 # urpmi --downgrade php-pear-HTML_QuickForm
and re-ran this check:
 $ urpmq --media 'updates testing' --requires php-pear-HTML_QuickForm | grep ITDynamic
 php-pear-HTML_QuickForm: pear(HTML/QuickForm/Renderer/ITDynamic.php)
which shows that entity as now being required (not a package, I think: I did not have anything like it, nor was it pulled in during the update).

BEFORE update: php-pear-HTML_QuickForm-3.2.14-5.mga6
Having preserved the O/P files from c5 test, no need to rerun that.

AFTER trouble-free update: php-pear-HTML_QuickForm-3.2.15-4.mga6
 $ php ./pearHTML.php > post1.htm
 $                                [So that now works again]
 $ cmp pre1.htm post1.htm 
 $                        [So the test O/Ps are identical].
And copying/editing this O/P into bare HTML wrappers as per c6, in a browser
 file:///home/lewis/tmp/post.htm
again showed the correct form page. The update looks good.

Advisory from comment 1, but version 3.2.15-4.mga6

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2019-01-23 16:51:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0049.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

