Bug 25044 - Update php 7.3.8 fixes two CVE's
Summary: Update php 7.3.8 fixes two CVE's
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-07-04 18:49 CEST by Marc Krämer
Modified: 2019-08-10 02:14 CEST (History)
5 users (show)

See Also:
Source RPM: php
CVE:
Status comment:


Attachments
create png (249 bytes, application/x-php)
2019-07-21 12:11 CEST, Herman Viaene
Details
sample text (108 bytes, application/x-php)
2019-07-21 12:12 CEST, Herman Viaene
Details

Description Marc Krämer 2019-07-04 18:49:18 CEST
new version fixes a number of segfault (core, mysqli, mysqlnd, sodium)
Comment 1 Marc Krämer 2019-07-04 19:13:16 CEST
Suggested advisory:
========================

Updated php packages to the latest version, fixing some segfaults and crashes:
- Core:
    Fixed bug #76980 (Interface gets skipped if autoloader throws an exception).
- DOM:
    Fixed bug #78025 (segfault when accessing properties of DOMDocumentType).
MySQLi:
    Fixed bug #77956 (When mysqli.allow_local_infile = Off, use a meaningful error message).
    Fixed bug #38546 (bindParam incorrect processing of bool types).
- MySQLnd:
    Fixed bug #77955 (Random segmentation fault in mysqlnd from php-fpm).
- Opcache:
    Fixed bug #78015 (Incorrect evaluation of expressions involving partials arrays in SCCP).
    Fixed bug #78106 (Path resolution fails if opcache disabled during request).
- OpenSSL:
    Fixed bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c).
- phpdbg:
    Fixed bug #78050 (SegFault phpdbg + opcache on include file twice).
- Sockets:
    Fixed bug #78038 (Socket_select fails when resource array contains references).
- Sodium:
    Fixed bug #78114 (segfault when calling sodium_* functions from eval).
- Standard:
    Fixed bug #77135 (Extract with EXTR_SKIP should skip $this).
    Fixed bug #77937 (preg_match failed).
- Zip:
    Fixed bug #76345 (zip.h not found).

References:
https://www.php.net/ChangeLog-7.php#7.3.7
========================

Updated packages in core/updates_testing:
========================
php-ini-7.3.7-1
apache-mod_php-7.3.7-1
php-cli-7.3.7-1
php-cgi-7.3.7-1
lib64php_common7-7.3.7-1
php-devel-7.3.7-1
php-openssl-7.3.7-1
php-zlib-7.3.7-1
php-doc-7.3.7-1
php-bcmath-7.3.7-1
php-bz2-7.3.7-1
php-calendar-7.3.7-1
php-ctype-7.3.7-1
php-curl-7.3.7-1
php-dba-7.3.7-1
php-dom-7.3.7-1
php-enchant-7.3.7-1
php-exif-7.3.7-1
php-fileinfo-7.3.7-1
php-filter-7.3.7-1
php-ftp-7.3.7-1
php-gd-7.3.7-1
php-gettext-7.3.7-1
php-gmp-7.3.7-1
php-hash-7.3.7-1
php-iconv-7.3.7-1
php-imap-7.3.7-1
php-interbase-7.3.7-1
php-intl-7.3.7-1
php-json-7.3.7-1
php-ldap-7.3.7-1
php-mbstring-7.3.7-1
php-mysqli-7.3.7-1
php-mysqlnd-7.3.7-1
php-odbc-7.3.7-1
php-opcache-7.3.7-1
php-pcntl-7.3.7-1
php-pdo-7.3.7-1
php-pdo_dblib-7.3.7-1
php-pdo_firebird-7.3.7-1
php-pdo_mysql-7.3.7-1
php-pdo_odbc-7.3.7-1
php-pdo_pgsql-7.3.7-1
php-pdo_sqlite-7.3.7-1
php-pgsql-7.3.7-1
php-phar-7.3.7-1
php-posix-7.3.7-1
php-readline-7.3.7-1
php-recode-7.3.7-1
php-session-7.3.7-1
php-shmop-7.3.7-1
php-snmp-7.3.7-1
php-soap-7.3.7-1
php-sockets-7.3.7-1
php-sodium-7.3.7-1
php-sqlite3-7.3.7-1
php-sysvmsg-7.3.7-1
php-sysvsem-7.3.7-1
php-sysvshm-7.3.7-1
php-tidy-7.3.7-1
php-tokenizer-7.3.7-1
php-xml-7.3.7-1
php-xmlreader-7.3.7-1
php-xmlrpc-7.3.7-1
php-xmlwriter-7.3.7-1
php-xsl-7.3.7-1
php-wddx-7.3.7-1
php-zip-7.3.7-1
php-fpm-7.3.7-1
phpdbg-7.3.7-1
php-debugsource-7.3.7-1
php-debuginfo-7.3.7-1
apache-mod_php-debuginfo-7.3.7-1
php-cli-debuginfo-7.3.7-1
php-cgi-debuginfo-7.3.7-1
lib64php_common7-debuginfo-7.3.7-1
php-openssl-debuginfo-7.3.7-1
php-zlib-debuginfo-7.3.7-1
php-bcmath-debuginfo-7.3.7-1
php-bz2-debuginfo-7.3.7-1
php-calendar-debuginfo-7.3.7-1
php-ctype-debuginfo-7.3.7-1
php-curl-debuginfo-7.3.7-1
php-dba-debuginfo-7.3.7-1
php-dom-debuginfo-7.3.7-1
php-enchant-debuginfo-7.3.7-1
php-exif-debuginfo-7.3.7-1
php-fileinfo-debuginfo-7.3.7-1
php-filter-debuginfo-7.3.7-1
php-ftp-debuginfo-7.3.7-1
php-gd-debuginfo-7.3.7-1
php-gettext-debuginfo-7.3.7-1
php-gmp-debuginfo-7.3.7-1
php-hash-debuginfo-7.3.7-1
php-iconv-debuginfo-7.3.7-1
php-imap-debuginfo-7.3.7-1
php-interbase-debuginfo-7.3.7-1
php-intl-debuginfo-7.3.7-1
php-json-debuginfo-7.3.7-1
php-ldap-debuginfo-7.3.7-1
php-mbstring-debuginfo-7.3.7-1
php-mysqli-debuginfo-7.3.7-1
php-mysqlnd-debuginfo-7.3.7-1
php-odbc-debuginfo-7.3.7-1
php-opcache-debuginfo-7.3.7-1
php-pcntl-debuginfo-7.3.7-1
php-pdo-debuginfo-7.3.7-1
php-pdo_dblib-debuginfo-7.3.7-1
php-pdo_firebird-debuginfo-7.3.7-1
php-pdo_mysql-debuginfo-7.3.7-1
php-pdo_odbc-debuginfo-7.3.7-1
php-pdo_pgsql-debuginfo-7.3.7-1
php-pdo_sqlite-debuginfo-7.3.7-1
php-pgsql-debuginfo-7.3.7-1
php-phar-debuginfo-7.3.7-1
php-posix-debuginfo-7.3.7-1
php-readline-debuginfo-7.3.7-1
php-recode-debuginfo-7.3.7-1
php-session-debuginfo-7.3.7-1
php-shmop-debuginfo-7.3.7-1
php-snmp-debuginfo-7.3.7-1
php-soap-debuginfo-7.3.7-1
php-sockets-debuginfo-7.3.7-1
php-sodium-debuginfo-7.3.7-1
php-sqlite3-debuginfo-7.3.7-1
php-sysvmsg-debuginfo-7.3.7-1
php-sysvsem-debuginfo-7.3.7-1
php-sysvshm-debuginfo-7.3.7-1
php-tidy-debuginfo-7.3.7-1
php-tokenizer-debuginfo-7.3.7-1
php-xml-debuginfo-7.3.7-1
php-xmlreader-debuginfo-7.3.7-1
php-xmlrpc-debuginfo-7.3.7-1
php-xmlwriter-debuginfo-7.3.7-1
php-xsl-debuginfo-7.3.7-1
php-wddx-debuginfo-7.3.7-1
php-zip-debuginfo-7.3.7-1
php-fpm-debuginfo-7.3.7-1
phpdbg-debuginfo-7.3.7-1

SRPM:
php-7.3.7-1.mga7.src.rpm
Marc Krämer 2019-07-04 19:13:30 CEST

Assignee: mageia => qa-bugs

Manuel Hiebel 2019-07-04 19:41:38 CEST

Version: 6 => 7

Comment 2 Herman Viaene 2019-07-21 12:10:57 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 25045 for tests

Created the phpfiles as described (I will attach these).
In browser: http://localhost:8000/sample.php
shows
Now hear this. This is you captain speaking.All hands on deck. Abandon ship.

and
http://localhost:8000/create-png.php
shows
The picture cannot be displayed because it contains errors.
but the file one.png created, displays OK in gwenview, and inthr browser as well when entered as http://localhost:8000/one.png.
Asking Len to look at the php file if I made some mistake in copying.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2019-07-21 12:11:40 CEST
Created attachment 11206 [details]
create png
Comment 4 Herman Viaene 2019-07-21 12:12:15 CEST
Created attachment 11207 [details]
sample text
Comment 5 Len Lawrence 2019-07-21 19:50:37 CEST
@herman in reply to comment 2.
Nothing wrong with the text that I can see.  The only difference between your and my files is the extra space before the opening "<" but would not expect that to be significant.  The test fails here as well because the imagecreate function cannot be found.  Checking the php function list online shows that it does exist but does not say anything about how to make it available.  The similar test script from there also fails - no imagecreate.

All I can do now is check the current package list against one from the earlier bug to see if there are any clues.  It may have something to do with php-gd.

@Marc: Have you any idea what the trouble might be?

CC: (none) => tarazed25

Comment 6 Marc Krämer 2019-07-21 22:32:00 CEST
the opening space will lead to an invalid image, since the space is in the output stream ahead of the created image.

If the "function list" tells you the function is there, it is available. What is the exact output of your call, where it tells you it is "not available"?

running both scripts on command line, works as expected. Both are very very basic tests :)
Comment 7 Len Lawrence 2019-07-22 02:27:52 CEST
Yes, very basic, like my knowledge of php.  I cannot remember the exact wording of the error report but it did say that imagecreate is not a valid function.  It always worked in the past which might mean that something is missing at my end.
Comment 8 Len Lawrence 2019-07-22 02:34:58 CEST
@Marc.  I am on mga6 just now but shall try to get back to it on mga7 later today.
Comment 9 Herman Viaene 2019-07-22 10:56:41 CEST
@ Len
I removed the extra space before the opening "<" and now the http://localhost:8000/create-png.php
shws the blue square without problems, so OK for me. If yoou have no further problems, this can be OK'ed as far as I am conccerned.
Comment 10 Herman Viaene 2019-07-22 10:58:52 CEST
I didn't bother to test the previous php version from bug 25024, I don't see the point in it, so that one may be OK'ed as well.
Comment 11 Len Lawrence 2019-07-22 11:02:52 CEST
OK.  Back to this.
@Marc:  I am not testing this - just following up Herman's request for assistance.
Installing things properly removed the 'imagecreate' problem.

@herman: 
I started from the beginning.  Installed all the packages on the manifest from release.
Enabled updates and performed a clean update of all the packages.
Restarted httpd.
Started the local development server on port 8000.
Ran the hello-world scripts in a browser and they worked fine.  They also worked at the cli and a leading space before the opening chevron did not make any difference.  It was swallowed transparently.
Comment 12 Marc Krämer 2019-07-22 12:45:17 CEST
ok. all as expected :)
Herman Viaene 2019-07-22 13:24:10 CEST

Whiteboard: (none) => MGA7-64-OK

Marc Krämer 2019-08-01 11:38:37 CEST

Summary: Update php 7.3.7 => Update php 7.3.8

Comment 13 Marc Krämer 2019-08-01 11:40:19 CEST
updated to new version 7.3.8

Whiteboard: MGA7-64-OK => (none)
Summary: Update php 7.3.8 => Update php 7.3.8 fixes two CVE's

Comment 14 Marc Krämer 2019-08-01 11:44:51 CEST
Suggested advisory:
========================

Updated php packages to the latest version, fixing some segfaults and crashes.
Additionally two heap overflows were fixed.

References:
https://www.php.net/ChangeLog-7.php#7.3.7
https://www.php.net/ChangeLog-7.php#7.3.8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11041

Updated packages in core/updates_testing:
========================
php-ini-7.3.8-1.mga7
apache-mod_php-7.3.8-1.mga7
php-cli-7.3.8-1.mga7
php-cgi-7.3.8-1.mga7
libphp_common7-7.3.8-1.mga7
php-devel-7.3.8-1.mga7
php-openssl-7.3.8-1.mga7
php-zlib-7.3.8-1.mga7
php-doc-7.3.8-1.mga7.noarch
php-bcmath-7.3.8-1.mga7
php-bz2-7.3.8-1.mga7
php-calendar-7.3.8-1.mga7
php-ctype-7.3.8-1.mga7
php-curl-7.3.8-1.mga7
php-dba-7.3.8-1.mga7
php-dom-7.3.8-1.mga7
php-enchant-7.3.8-1.mga7
php-exif-7.3.8-1.mga7
php-fileinfo-7.3.8-1.mga7
php-filter-7.3.8-1.mga7
php-ftp-7.3.8-1.mga7
php-gd-7.3.8-1.mga7
php-gettext-7.3.8-1.mga7
php-gmp-7.3.8-1.mga7
php-hash-7.3.8-1.mga7
php-iconv-7.3.8-1.mga7
php-imap-7.3.8-1.mga7
php-interbase-7.3.8-1.mga7
php-intl-7.3.8-1.mga7
php-json-7.3.8-1.mga7
php-ldap-7.3.8-1.mga7
php-mbstring-7.3.8-1.mga7
php-mysqli-7.3.8-1.mga7
php-mysqlnd-7.3.8-1.mga7
php-odbc-7.3.8-1.mga7
php-opcache-7.3.8-1.mga7
php-pcntl-7.3.8-1.mga7
php-pdo-7.3.8-1.mga7
php-pdo_dblib-7.3.8-1.mga7
php-pdo_firebird-7.3.8-1.mga7
php-pdo_mysql-7.3.8-1.mga7
php-pdo_odbc-7.3.8-1.mga7
php-pdo_pgsql-7.3.8-1.mga7
php-pdo_sqlite-7.3.8-1.mga7
php-pgsql-7.3.8-1.mga7
php-phar-7.3.8-1.mga7
php-posix-7.3.8-1.mga7
php-readline-7.3.8-1.mga7
php-recode-7.3.8-1.mga7
php-session-7.3.8-1.mga7
php-shmop-7.3.8-1.mga7
php-snmp-7.3.8-1.mga7
php-soap-7.3.8-1.mga7
php-sockets-7.3.8-1.mga7
php-sodium-7.3.8-1.mga7
php-sqlite3-7.3.8-1.mga7
php-sysvmsg-7.3.8-1.mga7
php-sysvsem-7.3.8-1.mga7
php-sysvshm-7.3.8-1.mga7
php-tidy-7.3.8-1.mga7
php-tokenizer-7.3.8-1.mga7
php-xml-7.3.8-1.mga7
php-xmlreader-7.3.8-1.mga7
php-xmlrpc-7.3.8-1.mga7
php-xmlwriter-7.3.8-1.mga7
php-xsl-7.3.8-1.mga7
php-wddx-7.3.8-1.mga7
php-zip-7.3.8-1.mga7
php-fpm-7.3.8-1.mga7
phpdbg-7.3.8-1.mga7
php-debugsource-7.3.8-1.mga7
php-debuginfo-7.3.8-1.mga7
apache-mod_php-debuginfo-7.3.8-1.mga7
php-cli-debuginfo-7.3.8-1.mga7
php-cgi-debuginfo-7.3.8-1.mga7
libphp_common7-debuginfo-7.3.8-1.mga7
php-openssl-debuginfo-7.3.8-1.mga7
php-zlib-debuginfo-7.3.8-1.mga7
php-bcmath-debuginfo-7.3.8-1.mga7
php-bz2-debuginfo-7.3.8-1.mga7
php-calendar-debuginfo-7.3.8-1.mga7
php-ctype-debuginfo-7.3.8-1.mga7
php-curl-debuginfo-7.3.8-1.mga7
php-dba-debuginfo-7.3.8-1.mga7
php-dom-debuginfo-7.3.8-1.mga7
php-enchant-debuginfo-7.3.8-1.mga7
php-exif-debuginfo-7.3.8-1.mga7
php-fileinfo-debuginfo-7.3.8-1.mga7
php-filter-debuginfo-7.3.8-1.mga7
php-ftp-debuginfo-7.3.8-1.mga7
php-gd-debuginfo-7.3.8-1.mga7
php-gettext-debuginfo-7.3.8-1.mga7
php-gmp-debuginfo-7.3.8-1.mga7
php-hash-debuginfo-7.3.8-1.mga7
php-iconv-debuginfo-7.3.8-1.mga7
php-imap-debuginfo-7.3.8-1.mga7
php-interbase-debuginfo-7.3.8-1.mga7
php-intl-debuginfo-7.3.8-1.mga7
php-json-debuginfo-7.3.8-1.mga7
php-ldap-debuginfo-7.3.8-1.mga7
php-mbstring-debuginfo-7.3.8-1.mga7
php-mysqli-debuginfo-7.3.8-1.mga7
php-mysqlnd-debuginfo-7.3.8-1.mga7
php-odbc-debuginfo-7.3.8-1.mga7
php-opcache-debuginfo-7.3.8-1.mga7
php-pcntl-debuginfo-7.3.8-1.mga7
php-pdo-debuginfo-7.3.8-1.mga7
php-pdo_dblib-debuginfo-7.3.8-1.mga7
php-pdo_firebird-debuginfo-7.3.8-1.mga7
php-pdo_mysql-debuginfo-7.3.8-1.mga7
php-pdo_odbc-debuginfo-7.3.8-1.mga7
php-pdo_pgsql-debuginfo-7.3.8-1.mga7
php-pdo_sqlite-debuginfo-7.3.8-1.mga7
php-pgsql-debuginfo-7.3.8-1.mga7
php-phar-debuginfo-7.3.8-1.mga7
php-posix-debuginfo-7.3.8-1.mga7
php-readline-debuginfo-7.3.8-1.mga7
php-recode-debuginfo-7.3.8-1.mga7
php-session-debuginfo-7.3.8-1.mga7
php-shmop-debuginfo-7.3.8-1.mga7
php-snmp-debuginfo-7.3.8-1.mga7
php-soap-debuginfo-7.3.8-1.mga7
php-sockets-debuginfo-7.3.8-1.mga7
php-sodium-debuginfo-7.3.8-1.mga7
php-sqlite3-debuginfo-7.3.8-1.mga7
php-sysvmsg-debuginfo-7.3.8-1.mga7
php-sysvsem-debuginfo-7.3.8-1.mga7
php-sysvshm-debuginfo-7.3.8-1.mga7
php-tidy-debuginfo-7.3.8-1.mga7
php-tokenizer-debuginfo-7.3.8-1.mga7
php-xml-debuginfo-7.3.8-1.mga7
php-xmlreader-debuginfo-7.3.8-1.mga7
php-xmlrpc-debuginfo-7.3.8-1.mga7
php-xmlwriter-debuginfo-7.3.8-1.mga7
php-xsl-debuginfo-7.3.8-1.mga7
php-wddx-debuginfo-7.3.8-1.mga7
php-zip-debuginfo-7.3.8-1.mga7
php-fpm-debuginfo-7.3.8-1.mga7
phpdbg-debuginfo-7.3.8-1.mga7



SRPM:
========================
php-7.3.8-1.mga7.src.rpm
Comment 15 PC LX 2019-08-03 10:10:25 CEST
Installed and tested without issues.

Tests:
- small and large scripts (e.g. wordpress, phpmyadmin);
- apache plus mod_php;
- php's built-in web server;
- php CLI;
- attached php files (no crushes or other issues noticed).

WARNING: The attached create_png.php file has a space at the start of the file that needs to be removed for it to work.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.1.20-desktop-2.mga7 #1 SMP Fri Jul 26 23:04:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-7.3.8-1.mga7
lib64php_common7-7.3.8-1.mga7
php-bz2-7.3.8-1.mga7
php-channel-phpunit-1.3-16.mga7
php-cli-7.3.8-1.mga7
php-ctype-7.3.8-1.mga7
php-dom-7.3.8-1.mga7
php-filter-7.3.8-1.mga7
php-ftp-7.3.8-1.mga7
php-gd-7.3.8-1.mga7
php-gettext-7.3.8-1.mga7
php-hash-7.3.8-1.mga7
php-ini-7.3.8-1.mga7
php-json-7.3.8-1.mga7
php-mbstring-7.3.8-1.mga7
phpmyadmin-4.9.0.1-1.mga7
php-mysqli-7.3.8-1.mga7
php-mysqlnd-7.3.8-1.mga7
php-openssl-7.3.8-1.mga7
php-pdo-7.3.8-1.mga7
php-pdo_mysql-7.3.8-1.mga7
php-pdo_sqlite-7.3.8-1.mga7
php-pear-1.10.9-1.mga7
php-pear-File_Iterator-1.3.4-6.mga7
php-posix-7.3.8-1.mga7
php-session-7.3.8-1.mga7
php-sysvsem-7.3.8-1.mga7
php-sysvshm-7.3.8-1.mga7
php-tokenizer-7.3.8-1.mga7
php-xml-7.3.8-1.mga7
php-xmlreader-7.3.8-1.mga7
php-xmlwriter-7.3.8-1.mga7
php-zip-7.3.8-1.mga7
php-zlib-7.3.8-1.mga7



$ php -S 127.0.0.1:8080 create-png.php 
PHP 7.3.8 Development Server started at Sat Aug  3 08:48:49 2019
Listening on http://127.0.0.1:8080
Document root is /tmp/
Press Ctrl-C to quit.

$ php -S 127.0.0.1:8080 sample.php 
PHP 7.3.8 Development Server started at Sat Aug  3 08:50:50 2019
Listening on http://127.0.0.1:8080
Document root is /tmp/
Press Ctrl-C to quit.

CC: (none) => mageia

Comment 16 Len Lawrence 2019-08-05 16:26:31 CEST
On the basis of the tests reported in comment 15 this looks good for release.  Adding the 64bit OK.  Thanks PC_LX.

Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-08-09 23:30:15 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 17 Mageia Robot 2019-08-10 02:14:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0218.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.