Bug 25380 - php 7.3.9 fixes two CVEs
Summary: php 7.3.9 fixes two CVEs
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-29 15:44 CEST by Marc Krämer
Modified: 2019-09-06 23:11 CEST (History)
CC List: 3 users

See Also:
Source RPM: php
CVE:
Status comment:


Attachments

Description Marc Krämer 2019-08-29 15:44:27 CEST
Fixed CVE-2019-13224
Fixed CVE-2019-13225

And some more bugfixes like "Buffer overflow in zendparse"
Comment 1 Marc Krämer 2019-08-29 16:26:24 CEST
Updated php packages fix security vulnerabilities:

- mbstring: fixed null-pointer and use-after-free vulnerabilities. [1,2]
- zendparse: A buffer overflow is now fixed.
- FPM: Use-after-free in FPM master event handling
- MySQLnd: MariaDB server version incorrectly detected

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225
[3] https://www.php.net/ChangeLog-7.php#PHP_7_3_9
========================

Updated packages in core/updates_testing:
========================
php-ini-7.3.9-1.mga7
apache-mod_php-7.3.9-1.mga7
php-cli-7.3.9-1.mga7
php-cgi-7.3.9-1.mga7
lib64php_common7-7.3.9-1.mga7
php-devel-7.3.9-1.mga7
php-openssl-7.3.9-1.mga7
php-zlib-7.3.9-1.mga7
php-doc-7.3.9-1.mga7.noarch.rpm
php-bcmath-7.3.9-1.mga7
php-bz2-7.3.9-1.mga7
php-calendar-7.3.9-1.mga7
php-ctype-7.3.9-1.mga7
php-curl-7.3.9-1.mga7
php-dba-7.3.9-1.mga7
php-dom-7.3.9-1.mga7
php-enchant-7.3.9-1.mga7
php-exif-7.3.9-1.mga7
php-fileinfo-7.3.9-1.mga7
php-filter-7.3.9-1.mga7
php-ftp-7.3.9-1.mga7
php-gd-7.3.9-1.mga7
php-gettext-7.3.9-1.mga7
php-gmp-7.3.9-1.mga7
php-hash-7.3.9-1.mga7
php-iconv-7.3.9-1.mga7
php-imap-7.3.9-1.mga7
php-interbase-7.3.9-1.mga7
php-intl-7.3.9-1.mga7
php-json-7.3.9-1.mga7
php-ldap-7.3.9-1.mga7
php-mbstring-7.3.9-1.mga7
php-mysqli-7.3.9-1.mga7
php-mysqlnd-7.3.9-1.mga7
php-odbc-7.3.9-1.mga7
php-opcache-7.3.9-1.mga7
php-pcntl-7.3.9-1.mga7
php-pdo-7.3.9-1.mga7
php-pdo_dblib-7.3.9-1.mga7
php-pdo_firebird-7.3.9-1.mga7
php-pdo_mysql-7.3.9-1.mga7
php-pdo_odbc-7.3.9-1.mga7
php-pdo_pgsql-7.3.9-1.mga7
php-pdo_sqlite-7.3.9-1.mga7
php-pgsql-7.3.9-1.mga7
php-phar-7.3.9-1.mga7
php-posix-7.3.9-1.mga7
php-readline-7.3.9-1.mga7
php-recode-7.3.9-1.mga7
php-session-7.3.9-1.mga7
php-shmop-7.3.9-1.mga7
php-snmp-7.3.9-1.mga7
php-soap-7.3.9-1.mga7
php-sockets-7.3.9-1.mga7
php-sodium-7.3.9-1.mga7
php-sqlite3-7.3.9-1.mga7
php-sysvmsg-7.3.9-1.mga7
php-sysvsem-7.3.9-1.mga7
php-sysvshm-7.3.9-1.mga7
php-tidy-7.3.9-1.mga7
php-tokenizer-7.3.9-1.mga7
php-xml-7.3.9-1.mga7
php-xmlreader-7.3.9-1.mga7
php-xmlrpc-7.3.9-1.mga7
php-xmlwriter-7.3.9-1.mga7
php-xsl-7.3.9-1.mga7
php-wddx-7.3.9-1.mga7
php-zip-7.3.9-1.mga7
php-fpm-7.3.9-1.mga7
phpdbg-7.3.9-1.mga7
php-debugsource-7.3.9-1.mga7
php-debuginfo-7.3.9-1.mga7
apache-mod_php-debuginfo-7.3.9-1.mga7
php-cli-debuginfo-7.3.9-1.mga7
php-cgi-debuginfo-7.3.9-1.mga7
lib64php_common7-debuginfo-7.3.9-1.mga7
php-openssl-debuginfo-7.3.9-1.mga7
php-zlib-debuginfo-7.3.9-1.mga7
php-bcmath-debuginfo-7.3.9-1.mga7
php-bz2-debuginfo-7.3.9-1.mga7
php-calendar-debuginfo-7.3.9-1.mga7
php-ctype-debuginfo-7.3.9-1.mga7
php-curl-debuginfo-7.3.9-1.mga7
php-dba-debuginfo-7.3.9-1.mga7
php-dom-debuginfo-7.3.9-1.mga7
php-enchant-debuginfo-7.3.9-1.mga7
php-exif-debuginfo-7.3.9-1.mga7
php-fileinfo-debuginfo-7.3.9-1.mga7
php-filter-debuginfo-7.3.9-1.mga7
php-ftp-debuginfo-7.3.9-1.mga7
php-gd-debuginfo-7.3.9-1.mga7
php-gettext-debuginfo-7.3.9-1.mga7
php-gmp-debuginfo-7.3.9-1.mga7
php-hash-debuginfo-7.3.9-1.mga7
php-iconv-debuginfo-7.3.9-1.mga7
php-imap-debuginfo-7.3.9-1.mga7
php-interbase-debuginfo-7.3.9-1.mga7
php-intl-debuginfo-7.3.9-1.mga7
php-json-debuginfo-7.3.9-1.mga7
php-ldap-debuginfo-7.3.9-1.mga7
php-mbstring-debuginfo-7.3.9-1.mga7
php-mysqli-debuginfo-7.3.9-1.mga7
php-mysqlnd-debuginfo-7.3.9-1.mga7
php-odbc-debuginfo-7.3.9-1.mga7
php-opcache-debuginfo-7.3.9-1.mga7
php-pcntl-debuginfo-7.3.9-1.mga7
php-pdo-debuginfo-7.3.9-1.mga7
php-pdo_dblib-debuginfo-7.3.9-1.mga7
php-pdo_firebird-debuginfo-7.3.9-1.mga7
php-pdo_mysql-debuginfo-7.3.9-1.mga7
php-pdo_odbc-debuginfo-7.3.9-1.mga7
php-pdo_pgsql-debuginfo-7.3.9-1.mga7
php-pdo_sqlite-debuginfo-7.3.9-1.mga7
php-pgsql-debuginfo-7.3.9-1.mga7
php-phar-debuginfo-7.3.9-1.mga7
php-posix-debuginfo-7.3.9-1.mga7
php-readline-debuginfo-7.3.9-1.mga7
php-recode-debuginfo-7.3.9-1.mga7
php-session-debuginfo-7.3.9-1.mga7
php-shmop-debuginfo-7.3.9-1.mga7
php-snmp-debuginfo-7.3.9-1.mga7
php-soap-debuginfo-7.3.9-1.mga7
php-sockets-debuginfo-7.3.9-1.mga7
php-sodium-debuginfo-7.3.9-1.mga7
php-sqlite3-debuginfo-7.3.9-1.mga7
php-sysvmsg-debuginfo-7.3.9-1.mga7
php-sysvsem-debuginfo-7.3.9-1.mga7
php-sysvshm-debuginfo-7.3.9-1.mga7
php-tidy-debuginfo-7.3.9-1.mga7
php-tokenizer-debuginfo-7.3.9-1.mga7
php-xml-debuginfo-7.3.9-1.mga7
php-xmlreader-debuginfo-7.3.9-1.mga7
php-xmlrpc-debuginfo-7.3.9-1.mga7
php-xmlwriter-debuginfo-7.3.9-1.mga7
php-xsl-debuginfo-7.3.9-1.mga7
php-wddx-debuginfo-7.3.9-1.mga7
php-zip-debuginfo-7.3.9-1.mga7
php-fpm-debuginfo-7.3.9-1.mga7
phpdbg-debuginfo-7.3.9-1.mga7


Source RPMs: 
php-7.3.9-1.mga7.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Marc Krämer 2019-08-29 16:27:06 CEST
I assume, we will have 7.2.22 for backports tomorrow.
Comment 3 PC LX 2019-08-30 10:35:28 CEST
Installed and tested the PHP 7.3.9 without issues.

Tested with various large (e.g. phpmyadmin, wordpress, roundcubemail, drupal) and small scripts, using HTTP(S) and CLI.

Will wait for more tests before OKing.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ php --version
PHP 7.3.9 (cli) (built: Aug 29 2019 13:50:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.9, Copyright (c) 1998-2018 Zend Technologies
$ rpm -qa | grep 7.3.9 | sort -u
apache-mod_php-7.3.9-1.mga7
lib64php_common7-7.3.9-1.mga7
php-bz2-7.3.9-1.mga7
php-cli-7.3.9-1.mga7
php-ctype-7.3.9-1.mga7
php-dom-7.3.9-1.mga7
php-filter-7.3.9-1.mga7
php-ftp-7.3.9-1.mga7
php-gd-7.3.9-1.mga7
php-gettext-7.3.9-1.mga7
php-hash-7.3.9-1.mga7
php-ini-7.3.9-1.mga7
php-json-7.3.9-1.mga7
php-mbstring-7.3.9-1.mga7
php-mysqli-7.3.9-1.mga7
php-mysqlnd-7.3.9-1.mga7
php-openssl-7.3.9-1.mga7
php-pdo-7.3.9-1.mga7
php-pdo_mysql-7.3.9-1.mga7
php-pdo_sqlite-7.3.9-1.mga7
php-posix-7.3.9-1.mga7
php-session-7.3.9-1.mga7
php-sysvsem-7.3.9-1.mga7
php-sysvshm-7.3.9-1.mga7
php-tokenizer-7.3.9-1.mga7
php-xml-7.3.9-1.mga7
php-xmlreader-7.3.9-1.mga7
php-xmlwriter-7.3.9-1.mga7
php-zip-7.3.9-1.mga7
php-zlib-7.3.9-1.mga7

CC: (none) => mageia
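The check a QA tester would want after the test above, as an added example that is not part of the bug report or of Mageia's own tooling: given `rpm -qa` style output, list every php package that is still below the fixed build. The fixed version string 7.3.9-1.mga7 comes from the package list in comment 1; the sample listing is constructed for the demonstration, and the version comparison is a simplified rpmvercmp written here in awk rather than the rpm library's own.

```shell
#!/bin/sh
# Added example (not from the bug report): compare installed php packages
# against the fixed build announced in this update.
# On a real Mageia 7 host feed it real data, e.g.
#   rpm -qa 'php*' 'lib64php*' 'apache-mod_php*' | outdated_packages

FIXED_VERSION="7.3.9-1.mga7"

# Constructed sample of `rpm -qa` output: two packages lag behind the fix.
SAMPLE_RPM_QA='php-cli-7.3.9-1.mga7
php-mbstring-7.3.8-1.mga7
lib64php_common7-7.3.9-1.mga7
php-fpm-7.3.9-1.mga7
apache-mod_php-7.2.22-1.mga7
php-doc-7.3.9-1.mga7.noarch'

# Split a NEVR such as php-pdo_mysql-7.3.9-1.mga7 into name and
# version-release. Names may contain dashes (apache-mod_php), so the split
# is on the last "-<digit>" boundary that starts the version; a trailing
# architecture suffix is dropped from the version.
pkg_name()    { printf '%s\n' "$1" | sed -E 's/-[0-9][^-]*-[^-]*$//'; }
pkg_version() { printf '%s\n' "$1" | sed -E 's/^.*-([0-9][^-]*-[^-]*)$/\1/; s/\.(noarch|x86_64|i586)$//'; }

# Succeed (exit 0) when version $1 sorts before version $2.
# Simplified rpmvercmp: split on non-alphanumerics, compare numeric
# segments as numbers and everything else as strings; when one version is
# a prefix of the other, the shorter one sorts first.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^A-Za-z0-9]+/); nb = split(b, y, /[^A-Za-z0-9]+/)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] == y[i]) continue
            if (x[i] ~ /^[0-9]+$/ && y[i] ~ /^[0-9]+$/) exit !(x[i] + 0 < y[i] + 0)
            exit !(x[i] < y[i])
        }
        exit !(na < nb)
    }'
}

# Read rpm -qa style lines on stdin; print one line per package still below
# FIXED_VERSION and nothing when every package is current.
outdated_packages() {
    while IFS= read -r nevr; do
        [ -n "$nevr" ] || continue
        v=$(pkg_version "$nevr")
        if version_lt "$v" "$FIXED_VERSION"; then
            printf '%s %s (fixed in %s)\n' "$(pkg_name "$nevr")" "$v" "$FIXED_VERSION"
        fi
    done
}

# Number of outdated packages in a listing passed as one argument; handy as
# an exit-status style summary in a larger QA script.
count_outdated() { printf '%s\n' "$1" | outdated_packages | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_RPM_QA" | outdated_packages
```

Run against the constructed sample it reports php-mbstring (7.3.8) and apache-mod_php (7.2.22) as still unfixed; the php-doc noarch entry is recognised as current once its architecture suffix is stripped. Only the php packages actually installed matter, which is why the listing is taken from `rpm -qa` rather than from the full package list in comment 1.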

Comment 4 Marc Krämer 2019-08-30 10:46:18 CEST
php 7.2.22 released but according to their website the CVE's are not fixed (?)
Comment 5 PC LX 2019-09-06 11:05:41 CEST
A week has passed since my test and I haven't had any issues.

It would be better to have more tests, especially for the packages I'm not using and for 32 bits, but having security updates waiting is not good either so I'm OKing it. Feel free to remove the OK if appropriate.

Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-09-06 20:08:43 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 6 Mageia Robot 2019-09-06 23:11:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0253.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

