Bug 26491 - PHP 7.3.17 fixes some issues
Summary: PHP 7.3.17 fixes some issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-16 17:53 CEST by Marc Krämer
Modified: 2020-04-20 16:03 CEST

See Also:
Source RPM: php
CVE: CVE-2020-7067
Status comment:



Description Marc Krämer 2020-04-16 17:53:31 CEST
currently CVE-2020-7067 on handling bad chars
Marc Krämer 2020-04-16 17:54:11 CEST

CVE: (none) => CVE-2020-7067
QA Contact: (none) => security
Component: RPM Packages => Security

Comment 1 Marc Krämer 2020-04-16 17:58:54 CEST
Updated php packages fix security vulnerabilities:

- OOB Read in urldecode() [1]
- Integer Overflow in shmop_open()

Notable changes:
- Opcache chokes and uses 100% CPU on specific script
- curl_copy_handle() memory leak
- ZipArchive::open fails on empty file

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7067
https://www.php.net/ChangeLog-7.php#7.3.17
========================

Updated packages in core/updates_testing:
========================

php-ini-7.3.17-1.mga7
apache-mod_php-7.3.17-1.mga7
php-cli-7.3.17-1.mga7
php-cgi-7.3.17-1.mga7
libphp_common7-7.3.17-1.mga7
php-devel-7.3.17-1.mga7
php-openssl-7.3.17-1.mga7
php-zlib-7.3.17-1.mga7
php-doc-7.3.17-1.mga7
php-bcmath-7.3.17-1.mga7
php-bz2-7.3.17-1.mga7
php-calendar-7.3.17-1.mga7
php-ctype-7.3.17-1.mga7
php-curl-7.3.17-1.mga7
php-dba-7.3.17-1.mga7
php-dom-7.3.17-1.mga7
php-enchant-7.3.17-1.mga7
php-exif-7.3.17-1.mga7
php-fileinfo-7.3.17-1.mga7
php-filter-7.3.17-1.mga7
php-ftp-7.3.17-1.mga7
php-gd-7.3.17-1.mga7
php-gettext-7.3.17-1.mga7
php-gmp-7.3.17-1.mga7
php-hash-7.3.17-1.mga7
php-iconv-7.3.17-1.mga7
php-imap-7.3.17-1.mga7
php-interbase-7.3.17-1.mga7
php-intl-7.3.17-1.mga7
php-json-7.3.17-1.mga7
php-ldap-7.3.17-1.mga7
php-mbstring-7.3.17-1.mga7
php-mysqli-7.3.17-1.mga7
php-mysqlnd-7.3.17-1.mga7
php-odbc-7.3.17-1.mga7
php-opcache-7.3.17-1.mga7
php-pcntl-7.3.17-1.mga7
php-pdo-7.3.17-1.mga7
php-pdo_dblib-7.3.17-1.mga7
php-pdo_firebird-7.3.17-1.mga7
php-pdo_mysql-7.3.17-1.mga7
php-pdo_odbc-7.3.17-1.mga7
php-pdo_pgsql-7.3.17-1.mga7
php-pdo_sqlite-7.3.17-1.mga7
php-pgsql-7.3.17-1.mga7
php-phar-7.3.17-1.mga7
php-posix-7.3.17-1.mga7
php-readline-7.3.17-1.mga7
php-recode-7.3.17-1.mga7
php-session-7.3.17-1.mga7
php-shmop-7.3.17-1.mga7
php-snmp-7.3.17-1.mga7
php-soap-7.3.17-1.mga7
php-sockets-7.3.17-1.mga7
php-sodium-7.3.17-1.mga7
php-sqlite3-7.3.17-1.mga7
php-sysvmsg-7.3.17-1.mga7
php-sysvsem-7.3.17-1.mga7
php-sysvshm-7.3.17-1.mga7
php-tidy-7.3.17-1.mga7
php-tokenizer-7.3.17-1.mga7
php-xml-7.3.17-1.mga7
php-xmlreader-7.3.17-1.mga7
php-xmlrpc-7.3.17-1.mga7
php-xmlwriter-7.3.17-1.mga7
php-xsl-7.3.17-1.mga7
php-wddx-7.3.17-1.mga7
php-zip-7.3.17-1.mga7
php-fpm-7.3.17-1.mga7
phpdbg-7.3.17-1.mga7
php-debugsource-7.3.17-1.mga7
php-debuginfo-7.3.17-1.mga7
apache-mod_php-debuginfo-7.3.17-1.mga7
php-cli-debuginfo-7.3.17-1.mga7
php-cgi-debuginfo-7.3.17-1.mga7
libphp_common7-debuginfo-7.3.17-1.mga7
php-openssl-debuginfo-7.3.17-1.mga7
php-zlib-debuginfo-7.3.17-1.mga7
php-bcmath-debuginfo-7.3.17-1.mga7
php-bz2-debuginfo-7.3.17-1.mga7
php-calendar-debuginfo-7.3.17-1.mga7
php-ctype-debuginfo-7.3.17-1.mga7
php-curl-debuginfo-7.3.17-1.mga7
php-dba-debuginfo-7.3.17-1.mga7
php-dom-debuginfo-7.3.17-1.mga7
php-enchant-debuginfo-7.3.17-1.mga7
php-exif-debuginfo-7.3.17-1.mga7
php-fileinfo-debuginfo-7.3.17-1.mga7
php-filter-debuginfo-7.3.17-1.mga7
php-ftp-debuginfo-7.3.17-1.mga7
php-gd-debuginfo-7.3.17-1.mga7
php-gettext-debuginfo-7.3.17-1.mga7
php-gmp-debuginfo-7.3.17-1.mga7
php-hash-debuginfo-7.3.17-1.mga7
php-iconv-debuginfo-7.3.17-1.mga7
php-imap-debuginfo-7.3.17-1.mga7
php-interbase-debuginfo-7.3.17-1.mga7
php-intl-debuginfo-7.3.17-1.mga7
php-json-debuginfo-7.3.17-1.mga7
php-ldap-debuginfo-7.3.17-1.mga7
php-mbstring-debuginfo-7.3.17-1.mga7
php-mysqli-debuginfo-7.3.17-1.mga7
php-mysqlnd-debuginfo-7.3.17-1.mga7
php-odbc-debuginfo-7.3.17-1.mga7
php-opcache-debuginfo-7.3.17-1.mga7
php-pcntl-debuginfo-7.3.17-1.mga7
php-pdo-debuginfo-7.3.17-1.mga7
php-pdo_dblib-debuginfo-7.3.17-1.mga7
php-pdo_firebird-debuginfo-7.3.17-1.mga7
php-pdo_mysql-debuginfo-7.3.17-1.mga7
php-pdo_odbc-debuginfo-7.3.17-1.mga7
php-pdo_pgsql-debuginfo-7.3.17-1.mga7
php-pdo_sqlite-debuginfo-7.3.17-1.mga7
php-pgsql-debuginfo-7.3.17-1.mga7
php-phar-debuginfo-7.3.17-1.mga7
php-posix-debuginfo-7.3.17-1.mga7
php-readline-debuginfo-7.3.17-1.mga7
php-recode-debuginfo-7.3.17-1.mga7
php-session-debuginfo-7.3.17-1.mga7
php-shmop-debuginfo-7.3.17-1.mga7
php-snmp-debuginfo-7.3.17-1.mga7
php-soap-debuginfo-7.3.17-1.mga7
php-sockets-debuginfo-7.3.17-1.mga7
php-sodium-debuginfo-7.3.17-1.mga7
php-sqlite3-debuginfo-7.3.17-1.mga7
php-sysvmsg-debuginfo-7.3.17-1.mga7
php-sysvsem-debuginfo-7.3.17-1.mga7
php-sysvshm-debuginfo-7.3.17-1.mga7
php-tidy-debuginfo-7.3.17-1.mga7
php-tokenizer-debuginfo-7.3.17-1.mga7
php-xml-debuginfo-7.3.17-1.mga7
php-xmlreader-debuginfo-7.3.17-1.mga7
php-xmlrpc-debuginfo-7.3.17-1.mga7
php-xmlwriter-debuginfo-7.3.17-1.mga7
php-xsl-debuginfo-7.3.17-1.mga7
php-wddx-debuginfo-7.3.17-1.mga7
php-zip-debuginfo-7.3.17-1.mga7
php-fpm-debuginfo-7.3.17-1.mga7
phpdbg-debuginfo-7.3.17-1.mga7

SRPM:
php-7.3.17-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 PC LX 2020-04-17 13:13:57 CEST
Installed and tested without issues.

Tested with various large scripts (wordpress, phpmyadmin, roundcubemail, drupal and others) using HTTP(S) and CLI.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.5.15-desktop-3.mga7 #1 SMP Sat Apr 4 19:06:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php.*7.3.17 | sort
apache-mod_php-7.3.17-1.mga7
lib64php_common7-7.3.17-1.mga7
php-bz2-7.3.17-1.mga7
php-cli-7.3.17-1.mga7
php-ctype-7.3.17-1.mga7
php-curl-7.3.17-1.mga7
php-dom-7.3.17-1.mga7
php-exif-7.3.17-1.mga7
php-fileinfo-7.3.17-1.mga7
php-filter-7.3.17-1.mga7
php-fpm-7.3.17-1.mga7
php-ftp-7.3.17-1.mga7
php-gd-7.3.17-1.mga7
php-gettext-7.3.17-1.mga7
php-hash-7.3.17-1.mga7
php-iconv-7.3.17-1.mga7
php-ini-7.3.17-1.mga7
php-intl-7.3.17-1.mga7
php-json-7.3.17-1.mga7
php-ldap-7.3.17-1.mga7
php-mbstring-7.3.17-1.mga7
php-mysqli-7.3.17-1.mga7
php-mysqlnd-7.3.17-1.mga7
php-openssl-7.3.17-1.mga7
php-pdo-7.3.17-1.mga7
php-pdo_mysql-7.3.17-1.mga7
php-pdo_sqlite-7.3.17-1.mga7
php-pgsql-7.3.17-1.mga7
php-posix-7.3.17-1.mga7
php-session-7.3.17-1.mga7
php-sockets-7.3.17-1.mga7
php-sysvsem-7.3.17-1.mga7
php-sysvshm-7.3.17-1.mga7
php-tokenizer-7.3.17-1.mga7
php-xml-7.3.17-1.mga7
php-xmlreader-7.3.17-1.mga7
php-xmlwriter-7.3.17-1.mga7
php-zip-7.3.17-1.mga7
php-zlib-7.3.17-1.mga7

CC: (none) => mageia

Comment 3 Herman Viaene 2020-04-17 14:50:59 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 26365 for testing.
$ php -r 'phpinfo();' | more
phpinfo()
PHP Version => 7.3.17

System => Linux mach5.hviaene.thuis 5.5.15-desktop-2.mga7 #1 SMP Sat Apr 4 00:09:11 UTC 2020 x86_64
Build Date => Apr 16 2020 10:26:47
Configure Command =>  './configure'  '--with-apxs2=/usr/bin/apxs' '--with-pic' '--
and loads more ......
Fooled around with phpmyadmin: all seems to work OK

CC: (none) => herman.viaene

José Jorge 2020-04-19 14:47:59 CEST

Whiteboard: (none) => MGA7-64-OK
CC: (none) => lists.jjorge

Comment 4 Thomas Andrews 2020-04-20 00:26:07 CEST
Thanks for the tests, guys, and for the OK, Jose.

Validating. Advisory information in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2020-04-20 01:36:11 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2020-04-20 16:03:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0178.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

