Bug 26126 - php 7.3.14 fixes security vulnerabilities
Summary: php 7.3.14 fixes security vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-23 23:06 CET by Marc Krämer
Modified: 2020-01-28 12:34 CET

See Also:
Source RPM: php
CVE:
Status comment:


Description Marc Krämer 2020-01-23 23:06:05 CET
Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
Comment 1 Marc Krämer 2020-01-24 00:17:34 CET
Updated php packages fix security vulnerabilities:

Two buffer overflows in string and mbstring handling have been found and fixed [2],[3].

Some more security fixes have been applied:
- Session: Fixed bug #79091 (heap use-after-free in session_create_id()).
- Date: Fixed bug #79015 (undefined-behavior in php_date.c).
References:
[1] https://www.php.net/ChangeLog-7.php#7.3.14
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7059
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7060
========================

Updated packages in core/updates_testing:
========================
php-ini-7.3.14-1.mga7
apache-mod_php-7.3.14-1.mga7
php-cli-7.3.14-1.mga7
php-cgi-7.3.14-1.mga7
libphp_common7-7.3.14-1.mga7
php-devel-7.3.14-1.mga7
php-openssl-7.3.14-1.mga7
php-zlib-7.3.14-1.mga7
php-doc-7.3.14-1.mga7.noarch
php-bcmath-7.3.14-1.mga7
php-bz2-7.3.14-1.mga7
php-calendar-7.3.14-1.mga7
php-ctype-7.3.14-1.mga7
php-curl-7.3.14-1.mga7
php-dba-7.3.14-1.mga7
php-dom-7.3.14-1.mga7
php-enchant-7.3.14-1.mga7
php-exif-7.3.14-1.mga7
php-fileinfo-7.3.14-1.mga7
php-filter-7.3.14-1.mga7
php-ftp-7.3.14-1.mga7
php-gd-7.3.14-1.mga7
php-gettext-7.3.14-1.mga7
php-gmp-7.3.14-1.mga7
php-hash-7.3.14-1.mga7
php-iconv-7.3.14-1.mga7
php-imap-7.3.14-1.mga7
php-interbase-7.3.14-1.mga7
php-intl-7.3.14-1.mga7
php-json-7.3.14-1.mga7
php-ldap-7.3.14-1.mga7
php-mbstring-7.3.14-1.mga7
php-mysqli-7.3.14-1.mga7
php-mysqlnd-7.3.14-1.mga7
php-odbc-7.3.14-1.mga7
php-opcache-7.3.14-1.mga7
php-pcntl-7.3.14-1.mga7
php-pdo-7.3.14-1.mga7
php-pdo_dblib-7.3.14-1.mga7
php-pdo_firebird-7.3.14-1.mga7
php-pdo_mysql-7.3.14-1.mga7
php-pdo_odbc-7.3.14-1.mga7
php-pdo_pgsql-7.3.14-1.mga7
php-pdo_sqlite-7.3.14-1.mga7
php-pgsql-7.3.14-1.mga7
php-phar-7.3.14-1.mga7
php-posix-7.3.14-1.mga7
php-readline-7.3.14-1.mga7
php-recode-7.3.14-1.mga7
php-session-7.3.14-1.mga7
php-shmop-7.3.14-1.mga7
php-snmp-7.3.14-1.mga7
php-soap-7.3.14-1.mga7
php-sockets-7.3.14-1.mga7
php-sodium-7.3.14-1.mga7
php-sqlite3-7.3.14-1.mga7
php-sysvmsg-7.3.14-1.mga7
php-sysvsem-7.3.14-1.mga7
php-sysvshm-7.3.14-1.mga7
php-tidy-7.3.14-1.mga7
php-tokenizer-7.3.14-1.mga7
php-xml-7.3.14-1.mga7
php-xmlreader-7.3.14-1.mga7
php-xmlrpc-7.3.14-1.mga7
php-xmlwriter-7.3.14-1.mga7
php-xsl-7.3.14-1.mga7
php-wddx-7.3.14-1.mga7
php-zip-7.3.14-1.mga7
php-fpm-7.3.14-1.mga7
phpdbg-7.3.14-1.mga7
php-debugsource-7.3.14-1.mga7
php-debuginfo-7.3.14-1.mga7
apache-mod_php-debuginfo-7.3.14-1.mga7
php-cli-debuginfo-7.3.14-1.mga7
php-cgi-debuginfo-7.3.14-1.mga7
libphp_common7-debuginfo-7.3.14-1.mga7
php-openssl-debuginfo-7.3.14-1.mga7
php-zlib-debuginfo-7.3.14-1.mga7
php-bcmath-debuginfo-7.3.14-1.mga7
php-bz2-debuginfo-7.3.14-1.mga7
php-calendar-debuginfo-7.3.14-1.mga7
php-ctype-debuginfo-7.3.14-1.mga7
php-curl-debuginfo-7.3.14-1.mga7
php-dba-debuginfo-7.3.14-1.mga7
php-dom-debuginfo-7.3.14-1.mga7
php-enchant-debuginfo-7.3.14-1.mga7
php-exif-debuginfo-7.3.14-1.mga7
php-fileinfo-debuginfo-7.3.14-1.mga7
php-filter-debuginfo-7.3.14-1.mga7
php-ftp-debuginfo-7.3.14-1.mga7
php-gd-debuginfo-7.3.14-1.mga7
php-gettext-debuginfo-7.3.14-1.mga7
php-gmp-debuginfo-7.3.14-1.mga7
php-hash-debuginfo-7.3.14-1.mga7
php-iconv-debuginfo-7.3.14-1.mga7
php-imap-debuginfo-7.3.14-1.mga7
php-interbase-debuginfo-7.3.14-1.mga7
php-intl-debuginfo-7.3.14-1.mga7
php-json-debuginfo-7.3.14-1.mga7
php-ldap-debuginfo-7.3.14-1.mga7
php-mbstring-debuginfo-7.3.14-1.mga7
php-mysqli-debuginfo-7.3.14-1.mga7
php-mysqlnd-debuginfo-7.3.14-1.mga7
php-odbc-debuginfo-7.3.14-1.mga7
php-opcache-debuginfo-7.3.14-1.mga7
php-pcntl-debuginfo-7.3.14-1.mga7
php-pdo-debuginfo-7.3.14-1.mga7
php-pdo_dblib-debuginfo-7.3.14-1.mga7
php-pdo_firebird-debuginfo-7.3.14-1.mga7
php-pdo_mysql-debuginfo-7.3.14-1.mga7
php-pdo_odbc-debuginfo-7.3.14-1.mga7
php-pdo_pgsql-debuginfo-7.3.14-1.mga7
php-pdo_sqlite-debuginfo-7.3.14-1.mga7
php-pgsql-debuginfo-7.3.14-1.mga7
php-phar-debuginfo-7.3.14-1.mga7
php-posix-debuginfo-7.3.14-1.mga7
php-readline-debuginfo-7.3.14-1.mga7
php-recode-debuginfo-7.3.14-1.mga7
php-session-debuginfo-7.3.14-1.mga7
php-shmop-debuginfo-7.3.14-1.mga7
php-snmp-debuginfo-7.3.14-1.mga7
php-soap-debuginfo-7.3.14-1.mga7
php-sockets-debuginfo-7.3.14-1.mga7
php-sodium-debuginfo-7.3.14-1.mga7
php-sqlite3-debuginfo-7.3.14-1.mga7
php-sysvmsg-debuginfo-7.3.14-1.mga7
php-sysvsem-debuginfo-7.3.14-1.mga7
php-sysvshm-debuginfo-7.3.14-1.mga7
php-tidy-debuginfo-7.3.14-1.mga7
php-tokenizer-debuginfo-7.3.14-1.mga7
php-xml-debuginfo-7.3.14-1.mga7
php-xmlreader-debuginfo-7.3.14-1.mga7
php-xmlrpc-debuginfo-7.3.14-1.mga7
php-xmlwriter-debuginfo-7.3.14-1.mga7
php-xsl-debuginfo-7.3.14-1.mga7
php-wddx-debuginfo-7.3.14-1.mga7
php-zip-debuginfo-7.3.14-1.mga7
php-fpm-debuginfo-7.3.14-1.mga7
phpdbg-debuginfo-7.3.14-1.mga7

Source RPMs:
php-7.3.14-1.mga7.src.rpm

Assignee: mageia => qa-bugs

David Walser 2020-01-24 12:58:50 CET

Summary: php update fixes security vulnerabilities => php 7.3.14 fixes security vulnerabilities
QA Contact: (none) => security
Component: RPM Packages => Security

Comment 2 Len Lawrence 2020-01-26 21:14:11 CET
Mageia7, x86_64

Installed any missing 7.3.13 packages, ignoring debuginfo.
No POC posted.
Updated everything to 7.3.14 versions.

Not confident in php beyond the helloworld level.
Installed task-lamp because it is listed in `urpmq --whatrequires-recursive`.
Restarted apache in deference to apache-mod_php. Restarted firefox.
Proper tests of the library would involve applications like acme, cherokee, dokuwiki, squirrelmail, roundcubemail, ZendFramework2 and zoneminder, none of which are used here.

Basic tests:
$ php -r 'phpinfo();'
phpinfo()
PHP Version => 7.3.14
System => Linux difda 5.4.12-desktop-1.mga7 #1 SMP Tue Jan 14 21:14:55 UTC 2020 x86_64
Build Date => Jan 23 2020 09:18:35
Configure Command =>  './configure'  '--with-apxs2=/usr/bin/apxs' '--with-pic' '
[...]
Loaded Configuration File => /etc/php.ini
Scan this dir for additional .ini files => /etc/php.d
Additional .ini files parsed => /etc/php.d/05_assertion.ini,
/etc/php.d/05_date.ini,
/etc/php.d/05_mail.ini,
/etc/php.d/05_pcre.ini,
[...]
Debug Build => no
Thread Safety => disabled
Zend Signal Handling => enabled
[...]
ldap
LDAP Support => enabled
Total Links => 0/unlimited
API Version => 3001
Vendor Name => OpenLDAP
.....

In a base directory containing php/<php scripts>

$ php -S localhost:8000 -t php
PHP 7.3.14 Development Server started at Sun Jan 26 19:17:45 2020
Listening on http://localhost:8000
Document root is /home/lcl/dev/php
Press Ctrl-C to quit.

Pointed browser to localhost:8000/ and tried out a few helloworld scripts:
blue.php - displays blue square on black
create-png.php - displays PNG image of text string
polygon.php - throws an error <something missing>
sample.php - text message
index.php - opens Github page where examples are listed

Server responses:
[Sun Jan 26 19:19:21 2020] 127.0.0.1:55598 [200]: /blue.php
[Sun Jan 26 19:19:21 2020] 127.0.0.1:55602 [404]: /favicon.ico - No such file or directory
[Sun Jan 26 19:23:37 2020] 127.0.0.1:55610 [200]: /create-png.php
[Sun Jan 26 19:25:30 2020] PHP Fatal error:  Uncaught Error: Class 'Imagick' not found in /home/lcl/dev/php/polygon.php:7
Stack trace:
#0 {main}
  thrown in /home/lcl/dev/php/polygon.php on line 7
[Sun Jan 26 19:25:30 2020] 127.0.0.1:55620 [500]: /polygon.php - Uncaught Error: Class 'Imagick' not found in /home/lcl/dev/php/polygon.php:7
Stack trace:
#0 {main}
  thrown in /home/lcl/dev/php/polygon.php on line 7
[Sun Jan 26 19:40:53 2020] 127.0.0.1:55650 [200]: /index.php
[Sun Jan 26 19:40:53 2020] 127.0.0.1:55656 [404]: /tecnickcom/TCPDF/contributors/master/examples/index.php - No such file or directory
[Sun Jan 26 19:41:18 2020] 127.0.0.1:55688 [200]: /orgs/tecnickcom/hovercard

Working anyway.

The examples which work in the browser also work on the command line.
$ php create-png.php > sample.png
$ eom sample.png
$ php blue.php > blue.png
$ eom blue.png

Leaving this on hold in case more experienced testers show interest.

CC: (none) => tarazed25
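
A post-update smoke test, added here as an example and not part of the QA comments or of Mageia's packaging: it checks that the running interpreter reports the fixed release and exercises the userland entry points of the four changelog items (strip_tags(), Big5 decoding in mbstring, session_create_id(), date parsing) on ordinary inputs. The PHP functions are real APIs; the inputs and expected outputs are constructed.

```php
<?php
// Added smoke test (not Mageia QA's own script). Exit status 1 on any failure,
// so it can be dropped into a QA checklist. Inputs/expected values are constructed.
declare(strict_types=1);

$failures = [];
$check = function (string $name, bool $ok) use (&$failures): void {
    echo ($ok ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
    if (!$ok) { $failures[] = $name; }
};

// 1. Interpreter version: the remaining checks say nothing on an older build.
$check('PHP_VERSION >= 7.3.14', version_compare(PHP_VERSION, '7.3.14', '>='));

// 2. strip_tags() is the userland entry to php_strip_tags_ex (bug #79099).
$check('strip_tags basic', strip_tags('<b>bold</b> text') === 'bold text');
$check('strip_tags allow list',
       strip_tags('<p>a</p><script>x</script>', '<p>') === '<p>a</p>x');
$check('strip_tags unterminated tag', strip_tags('abc<b') === 'abc');

// 3. Big5 decoding goes through mbfl_filt_conv_big5_wchar (bug #79037).
if (function_exists('mb_convert_encoding')) {
    $big5 = mb_convert_encoding('中文', 'BIG-5', 'UTF-8');
    $check('big5 round trip', mb_convert_encoding($big5, 'UTF-8', 'BIG-5') === '中文');
    // A lone lead byte must be substituted, not read past the end of the buffer.
    $check('big5 truncated input',
           is_string(mb_convert_encoding("\xA4", 'UTF-8', 'BIG-5')));
} else {
    echo 'skip mbstring checks (php-mbstring not installed)' . PHP_EOL;
}

// 4. session_create_id() (bug #79091); without an active session only the
//    collision check is skipped, so it still exercises the id generator.
if (function_exists('session_create_id')) {
    $id = session_create_id('qa-');
    $check('session_create_id', is_string($id) && strpos($id, 'qa-') === 0);
} else {
    echo 'skip session check (php-session not installed)' . PHP_EOL;
}

// 5. Date parsing/formatting in php_date.c (bug #79015).
$dt = new DateTime('2020-01-23 23:06:05', new DateTimeZone('UTC'));
$check('date round trip', $dt->format('Y-m-d H:i:s') === '2020-01-23 23:06:05');

exit($failures ? 1 : 0);
```

Run it with `php smoke.php` under the updated php-cli; a non-zero exit means either an older interpreter is still on the PATH or one of the patched code paths misbehaves.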

Comment 3 PC LX 2020-01-26 23:30:50 CET
Installed and tested without issues.

Tested with various large applications (e.g. wordpress, drupal, phpmyadmin, phppgAdmin, roundcubemail) using HTTP(S) and CLI.

System: Mageia 7, x86_64, Intel CPU.

$ rpm -qa | grep 'php.*7.3.14' | sort
apache-mod_php-7.3.14-1.mga7
lib64php_common7-7.3.14-1.mga7
php-bz2-7.3.14-1.mga7
php-cli-7.3.14-1.mga7
php-ctype-7.3.14-1.mga7
php-curl-7.3.14-1.mga7
php-dom-7.3.14-1.mga7
php-exif-7.3.14-1.mga7
php-fileinfo-7.3.14-1.mga7
php-filter-7.3.14-1.mga7
php-ftp-7.3.14-1.mga7
php-gd-7.3.14-1.mga7
php-gettext-7.3.14-1.mga7
php-hash-7.3.14-1.mga7
php-iconv-7.3.14-1.mga7
php-ini-7.3.14-1.mga7
php-intl-7.3.14-1.mga7
php-json-7.3.14-1.mga7
php-ldap-7.3.14-1.mga7
php-mbstring-7.3.14-1.mga7
php-mysqli-7.3.14-1.mga7
php-mysqlnd-7.3.14-1.mga7
php-openssl-7.3.14-1.mga7
php-pdo-7.3.14-1.mga7
php-pdo_mysql-7.3.14-1.mga7
php-pdo_sqlite-7.3.14-1.mga7
php-pgsql-7.3.14-1.mga7
php-posix-7.3.14-1.mga7
php-session-7.3.14-1.mga7
php-sockets-7.3.14-1.mga7
php-sysvsem-7.3.14-1.mga7
php-sysvshm-7.3.14-1.mga7
php-tokenizer-7.3.14-1.mga7
php-xml-7.3.14-1.mga7
php-xmlreader-7.3.14-1.mga7
php-xmlwriter-7.3.14-1.mga7
php-zip-7.3.14-1.mga7
php-zlib-7.3.14-1.mga7

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-01-27 18:42:26 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-28 12:00:02 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-01-28 12:34:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0066.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
