Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
Updated php packages fix security vulnerabilities:

Two buffer overflows in string and mbstring handling have been found and fixed [2],[3].

Some more security fixes have been applied:
- Session: Fixed bug #79091 (heap use-after-free in session_create_id()).
- Date: Fixed bug #79015 (undefined-behavior in php_date.c).

References:
[1] https://www.php.net/ChangeLog-7.php#7.3.14
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7059
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7060
========================
Updated packages in core/updates_testing:
========================
php-ini-7.3.14-1.mga7
apache-mod_php-7.3.14-1.mga7
php-cli-7.3.14-1.mga7
php-cgi-7.3.14-1.mga7
libphp_common7-7.3.14-1.mga7
php-devel-7.3.14-1.mga7
php-openssl-7.3.14-1.mga7
php-zlib-7.3.14-1.mga7
php-doc-7.3.14-1.mga7.noarch
php-bcmath-7.3.14-1.mga7
php-bz2-7.3.14-1.mga7
php-calendar-7.3.14-1.mga7
php-ctype-7.3.14-1.mga7
php-curl-7.3.14-1.mga7
php-dba-7.3.14-1.mga7
php-dom-7.3.14-1.mga7
php-enchant-7.3.14-1.mga7
php-exif-7.3.14-1.mga7
php-fileinfo-7.3.14-1.mga7
php-filter-7.3.14-1.mga7
php-ftp-7.3.14-1.mga7
php-gd-7.3.14-1.mga7
php-gettext-7.3.14-1.mga7
php-gmp-7.3.14-1.mga7
php-hash-7.3.14-1.mga7
php-iconv-7.3.14-1.mga7
php-imap-7.3.14-1.mga7
php-interbase-7.3.14-1.mga7
php-intl-7.3.14-1.mga7
php-json-7.3.14-1.mga7
php-ldap-7.3.14-1.mga7
php-mbstring-7.3.14-1.mga7
php-mysqli-7.3.14-1.mga7
php-mysqlnd-7.3.14-1.mga7
php-odbc-7.3.14-1.mga7
php-opcache-7.3.14-1.mga7
php-pcntl-7.3.14-1.mga7
php-pdo-7.3.14-1.mga7
php-pdo_dblib-7.3.14-1.mga7
php-pdo_firebird-7.3.14-1.mga7
php-pdo_mysql-7.3.14-1.mga7
php-pdo_odbc-7.3.14-1.mga7
php-pdo_pgsql-7.3.14-1.mga7
php-pdo_sqlite-7.3.14-1.mga7
php-pgsql-7.3.14-1.mga7
php-phar-7.3.14-1.mga7
php-posix-7.3.14-1.mga7
php-readline-7.3.14-1.mga7
php-recode-7.3.14-1.mga7
php-session-7.3.14-1.mga7
php-shmop-7.3.14-1.mga7
php-snmp-7.3.14-1.mga7
php-soap-7.3.14-1.mga7
php-sockets-7.3.14-1.mga7
php-sodium-7.3.14-1.mga7
php-sqlite3-7.3.14-1.mga7
php-sysvmsg-7.3.14-1.mga7
php-sysvsem-7.3.14-1.mga7
php-sysvshm-7.3.14-1.mga7
php-tidy-7.3.14-1.mga7
php-tokenizer-7.3.14-1.mga7
php-xml-7.3.14-1.mga7
php-xmlreader-7.3.14-1.mga7
php-xmlrpc-7.3.14-1.mga7
php-xmlwriter-7.3.14-1.mga7
php-xsl-7.3.14-1.mga7
php-wddx-7.3.14-1.mga7
php-zip-7.3.14-1.mga7
php-fpm-7.3.14-1.mga7
phpdbg-7.3.14-1.mga7
php-debugsource-7.3.14-1.mga7
php-debuginfo-7.3.14-1.mga7
apache-mod_php-debuginfo-7.3.14-1.mga7
php-cli-debuginfo-7.3.14-1.mga7
php-cgi-debuginfo-7.3.14-1.mga7
libphp_common7-debuginfo-7.3.14-1.mga7
php-openssl-debuginfo-7.3.14-1.mga7
php-zlib-debuginfo-7.3.14-1.mga7
php-bcmath-debuginfo-7.3.14-1.mga7
php-bz2-debuginfo-7.3.14-1.mga7
php-calendar-debuginfo-7.3.14-1.mga7
php-ctype-debuginfo-7.3.14-1.mga7
php-curl-debuginfo-7.3.14-1.mga7
php-dba-debuginfo-7.3.14-1.mga7
php-dom-debuginfo-7.3.14-1.mga7
php-enchant-debuginfo-7.3.14-1.mga7
php-exif-debuginfo-7.3.14-1.mga7
php-fileinfo-debuginfo-7.3.14-1.mga7
php-filter-debuginfo-7.3.14-1.mga7
php-ftp-debuginfo-7.3.14-1.mga7
php-gd-debuginfo-7.3.14-1.mga7
php-gettext-debuginfo-7.3.14-1.mga7
php-gmp-debuginfo-7.3.14-1.mga7
php-hash-debuginfo-7.3.14-1.mga7
php-iconv-debuginfo-7.3.14-1.mga7
php-imap-debuginfo-7.3.14-1.mga7
php-interbase-debuginfo-7.3.14-1.mga7
php-intl-debuginfo-7.3.14-1.mga7
php-json-debuginfo-7.3.14-1.mga7
php-ldap-debuginfo-7.3.14-1.mga7
php-mbstring-debuginfo-7.3.14-1.mga7
php-mysqli-debuginfo-7.3.14-1.mga7
php-mysqlnd-debuginfo-7.3.14-1.mga7
php-odbc-debuginfo-7.3.14-1.mga7
php-opcache-debuginfo-7.3.14-1.mga7
php-pcntl-debuginfo-7.3.14-1.mga7
php-pdo-debuginfo-7.3.14-1.mga7
php-pdo_dblib-debuginfo-7.3.14-1.mga7
php-pdo_firebird-debuginfo-7.3.14-1.mga7
php-pdo_mysql-debuginfo-7.3.14-1.mga7
php-pdo_odbc-debuginfo-7.3.14-1.mga7
php-pdo_pgsql-debuginfo-7.3.14-1.mga7
php-pdo_sqlite-debuginfo-7.3.14-1.mga7
php-pgsql-debuginfo-7.3.14-1.mga7
php-phar-debuginfo-7.3.14-1.mga7
php-posix-debuginfo-7.3.14-1.mga7
php-readline-debuginfo-7.3.14-1.mga7
php-recode-debuginfo-7.3.14-1.mga7
php-session-debuginfo-7.3.14-1.mga7
php-shmop-debuginfo-7.3.14-1.mga7
php-snmp-debuginfo-7.3.14-1.mga7
php-soap-debuginfo-7.3.14-1.mga7
php-sockets-debuginfo-7.3.14-1.mga7
php-sodium-debuginfo-7.3.14-1.mga7
php-sqlite3-debuginfo-7.3.14-1.mga7
php-sysvmsg-debuginfo-7.3.14-1.mga7
php-sysvsem-debuginfo-7.3.14-1.mga7
php-sysvshm-debuginfo-7.3.14-1.mga7
php-tidy-debuginfo-7.3.14-1.mga7
php-tokenizer-debuginfo-7.3.14-1.mga7
php-xml-debuginfo-7.3.14-1.mga7
php-xmlreader-debuginfo-7.3.14-1.mga7
php-xmlrpc-debuginfo-7.3.14-1.mga7
php-xmlwriter-debuginfo-7.3.14-1.mga7
php-xsl-debuginfo-7.3.14-1.mga7
php-wddx-debuginfo-7.3.14-1.mga7
php-zip-debuginfo-7.3.14-1.mga7
php-fpm-debuginfo-7.3.14-1.mga7
phpdbg-debuginfo-7.3.14-1.mga7

Source RPMs:
php-7.3.14-1.mga7.src.rpm
Assignee: mageia => qa-bugs
Summary: php update fixes security vulnerabilities => php 7.3.14 fixes security vulnerabilities
QA Contact: (none) => security
Component: RPM Packages => Security
Mageia 7, x86_64

Installed any missing 7.3.13 packages, ignoring debuginfo. No POC posted.
Updated everything to 7.3.14 versions. Not confident in php beyond the
helloworld level. Installed task-lamp because it is listed in
`urpmq --whatrequires-recursive`. Restarted apache in deference to
apache-mod_php. Restarted firefox.

Proper tests of the library would involve applications like acme, cherokee,
dokuwiki, squirrelmail, roundcubemail, ZendFramework2 and zoneminder, none of
which are used here.

Basic tests:

$ php -r 'phpinfo();'
phpinfo()
PHP Version => 7.3.14
System => Linux difda 5.4.12-desktop-1.mga7 #1 SMP Tue Jan 14 21:14:55 UTC 2020 x86_64
Build Date => Jan 23 2020 09:18:35
Configure Command => './configure' '--with-apxs2=/usr/bin/apxs' '--with-pic' ' [...]
Loaded Configuration File => /etc/php.ini
Scan this dir for additional .ini files => /etc/php.d
Additional .ini files parsed => /etc/php.d/05_assertion.ini, /etc/php.d/05_date.ini, /etc/php.d/05_mail.ini, /etc/php.d/05_pcre.ini, [...]
Debug Build => no
Thread Safety => disabled
Zend Signal Handling => enabled
[...]
ldap
LDAP Support => enabled
Total Links => 0/unlimited
API Version => 3001
Vendor Name => OpenLDAP
.....

In a base directory containing php/<php scripts>

$ php -S localhost:8000 -t php
PHP 7.3.14 Development Server started at Sun Jan 26 19:17:45 2020
Listening on http://localhost:8000
Document root is /home/lcl/dev/php
Press Ctrl-C to quit.

Pointed browser to localhost:8000/ and tried out a few helloworld scripts:
blue.php - displays blue square on black
create-png.php - displays PNG image of text string
polygon.php - throws an error <something missing>
sample.php - text message
index.php - opens Github page where examples are listed

Server responses:
[Sun Jan 26 19:19:21 2020] 127.0.0.1:55598 [200]: /blue.php
[Sun Jan 26 19:19:21 2020] 127.0.0.1:55602 [404]: /favicon.ico - No such file or directory
[Sun Jan 26 19:23:37 2020] 127.0.0.1:55610 [200]: /create-png.php
[Sun Jan 26 19:25:30 2020] PHP Fatal error:  Uncaught Error: Class 'Imagick' not found in /home/lcl/dev/php/polygon.php:7
Stack trace:
#0 {main}
  thrown in /home/lcl/dev/php/polygon.php on line 7
[Sun Jan 26 19:25:30 2020] 127.0.0.1:55620 [500]: /polygon.php - Uncaught Error: Class 'Imagick' not found in /home/lcl/dev/php/polygon.php:7
Stack trace:
#0 {main}
  thrown in /home/lcl/dev/php/polygon.php on line 7
[Sun Jan 26 19:40:53 2020] 127.0.0.1:55650 [200]: /index.php
[Sun Jan 26 19:40:53 2020] 127.0.0.1:55656 [404]: /tecnickcom/TCPDF/contributors/master/examples/index.php - No such file or directory
[Sun Jan 26 19:41:18 2020] 127.0.0.1:55688 [200]: /orgs/tecnickcom/hovercard

Working anyway. The examples which work in the browser also work on the command line.

$ php create-png.php > sample.png
$ eom sample.png
$ php blue.php > blue.png
$ eom blue.png

Leaving this on hold in case more experienced testers show interest.
CC: (none) => tarazed25
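Added example, not part of the advisory or of either QA comment: a smoke check a tester can run in place of the PoC that was not posted. It assumes php is on PATH and that the two userland entry points map onto the functions named in the advisory (strip_tags() is implemented by php_strip_tags_ex; mb_convert_encoding() from BIG-5 runs the mbfl_filt_conv_big5_wchar filter). The FIXED_VERSION constant, the helper names and the two PHP snippets are constructed for this example; the snippets only drive malformed input through those code paths and are not reproducers for CVE-2020-7059 or CVE-2020-7060.

```shell
#!/bin/sh
# Added smoke check for the php 7.3.14 update. The PHP snippets are constructed
# inputs that exercise the two code paths named in the advisory; they are NOT
# reproducers for CVE-2020-7059 / CVE-2020-7060 (no PoC was posted in the bug).
#   strip_tags()                       -> php_strip_tags_ex         (CVE-2020-7059)
#   mb_convert_encoding(.., "BIG-5")   -> mbfl_filt_conv_big5_wchar (CVE-2020-7060)

FIXED_VERSION="7.3.14"   # first release carrying both fixes, per reference [1]

# version_ge A B: succeed when dotted numeric version A is >= B.
# A missing component counts as 0 ("7.3" < "7.3.14"); a non-digit suffix such
# as "RC1" is ignored so PHP_VERSION strings compare cleanly.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Run one PHP snippet in a child interpreter and classify the outcome:
# exit 0 = ran to completion; 1..127 = PHP-level error (e.g. mbstring missing,
# exit 255); >= 128 = interpreter killed by a signal, the kind of failure a
# memory-safety bug produces. Only the last case fails the check.
check_snippet() {
    label="$1"; code="$2"; rc=0
    php -r "$code" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -ge 128 ]; then
        printf 'FAIL %s: php killed by signal %d\n' "$label" $((rc - 128))
        return 1
    fi
    printf 'ok   %s (php exit status %d)\n' "$label" "$rc"
    return 0
}

# Constructed input: every prefix of a small HTML fragment, with and without an
# allowed-tags list and with a dangling '<' appended, so the tag state machine
# is driven into each truncated state.
STRIP_TAGS_CODE='
$doc = "<p class=\"x\">text <a href=\"/\">link</a> <br/> <!-- c --> <?php x ?> tail</p>";
for ($n = 0; $n <= strlen($doc); $n++) {
    $cut = substr($doc, 0, $n);
    strip_tags($cut);
    strip_tags($cut, "<a><p>");
    strip_tags($cut . "<", "<a>");
}
'

# Constructed input: every 1- and 2-byte sequence decoded as BIG-5, which walks
# the whole lead/trail byte space the big5->wchar filter indexes its tables with.
BIG5_CODE='
if (!extension_loaded("mbstring")) { exit(3); }
for ($lead = 0; $lead <= 0xFF; $lead++) {
    mb_convert_encoding(chr($lead), "UTF-8", "BIG-5");
    for ($trail = 0; $trail <= 0xFF; $trail++) {
        mb_convert_encoding(chr($lead) . chr($trail), "UTF-8", "BIG-5");
    }
}
'

main() {
    ver=$(php -r 'echo PHP_VERSION;') || { echo "cannot run php"; return 1; }
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "php $ver: at or above $FIXED_VERSION"
    else
        echo "php $ver: older than $FIXED_VERSION, fixes for CVE-2020-7059/-7060 absent"
        return 1
    fi
    check_snippet "strip_tags over truncated markup" "$STRIP_TAGS_CODE" || return 1
    check_snippet "BIG-5 decode of all 1- and 2-byte sequences" "$BIG5_CODE" || return 1
}

# Only exercise a real interpreter when one is on PATH; version_ge needs none.
if command -v php >/dev/null 2>&1; then
    main
else
    echo "php not on PATH: runtime checks skipped" >&2
fi
```

Run it as an unprivileged user after the update, alongside the `rpm -qa | grep php` listing the second report shows. A clean run only says that the installed interpreter is at least 7.3.14 and that these particular inputs did not crash it; the version check is the part that actually ties the result to the advisory, since a vulnerable build may also survive inputs that happen not to hit the bug.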
Installed and tested without issues. Tested with various large applications (e.g. wordpress, drupal, phpmyadmin, phppgAdmin, roundcubemail) using HTTP(S) and CLI.

System: Mageia 7, x86_64, Intel CPU.

$ rpm -qa | grep php.*7.3.14 | sort
apache-mod_php-7.3.14-1.mga7
lib64php_common7-7.3.14-1.mga7
php-bz2-7.3.14-1.mga7
php-cli-7.3.14-1.mga7
php-ctype-7.3.14-1.mga7
php-curl-7.3.14-1.mga7
php-dom-7.3.14-1.mga7
php-exif-7.3.14-1.mga7
php-fileinfo-7.3.14-1.mga7
php-filter-7.3.14-1.mga7
php-ftp-7.3.14-1.mga7
php-gd-7.3.14-1.mga7
php-gettext-7.3.14-1.mga7
php-hash-7.3.14-1.mga7
php-iconv-7.3.14-1.mga7
php-ini-7.3.14-1.mga7
php-intl-7.3.14-1.mga7
php-json-7.3.14-1.mga7
php-ldap-7.3.14-1.mga7
php-mbstring-7.3.14-1.mga7
php-mysqli-7.3.14-1.mga7
php-mysqlnd-7.3.14-1.mga7
php-openssl-7.3.14-1.mga7
php-pdo-7.3.14-1.mga7
php-pdo_mysql-7.3.14-1.mga7
php-pdo_sqlite-7.3.14-1.mga7
php-pgsql-7.3.14-1.mga7
php-posix-7.3.14-1.mga7
php-session-7.3.14-1.mga7
php-sockets-7.3.14-1.mga7
php-sysvsem-7.3.14-1.mga7
php-sysvshm-7.3.14-1.mga7
php-tokenizer-7.3.14-1.mga7
php-xml-7.3.14-1.mga7
php-xmlreader-7.3.14-1.mga7
php-xmlwriter-7.3.14-1.mga7
php-zip-7.3.14-1.mga7
php-zlib-7.3.14-1.mga7
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0066.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED