Bug 28293 - PHP 7.3.27 (fixes CVE-2021-21702)
Summary: PHP 7.3.27 (fixes CVE-2021-21702)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 28297
  Show dependency treegraph
 
Reported: 2021-02-04 22:56 CET by Marc Krämer
Modified: 2021-02-08 18:59 CET (History)
6 users (show)

See Also:
Source RPM: php
CVE: CVE-2021-21702
Status comment:


Attachments
rpmdrake screen shot showing backport issue. (213.20 KB, image/png)
2021-02-05 17:10 CET, PC LX
Details

Description Marc Krämer 2021-02-04 22:56:05 CET
Update to 7.3.27 fixes CVE-2021-21702
Comment 1 Marc Krämer 2021-02-04 23:01:42 CET
Updated php fixes security issue:

SOAP: Fixed bug #80672 (Null Dereference in SoapClient)

References:
[1] https://www.php.net/ChangeLog-7.php#7.3.27
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21702

Updated packages in core/updates_testing:
========================
php-ini-7.3.27-1.mga7
apache-mod_php-7.3.27-1.mga7
php-cli-7.3.27-1.mga7
php-cgi-7.3.27-1.mga7
lib64php_common7-7.3.27-1.mga7
php-devel-7.3.27-1.mga7
php-openssl-7.3.27-1.mga7
php-zlib-7.3.27-1.mga7
php-doc-7.3.27-1.mga7
php-bcmath-7.3.27-1.mga7
php-bz2-7.3.27-1.mga7
php-calendar-7.3.27-1.mga7
php-ctype-7.3.27-1.mga7
php-curl-7.3.27-1.mga7
php-dba-7.3.27-1.mga7
php-dom-7.3.27-1.mga7
php-enchant-7.3.27-1.mga7
php-exif-7.3.27-1.mga7
php-fileinfo-7.3.27-1.mga7
php-filter-7.3.27-1.mga7
php-ftp-7.3.27-1.mga7
php-gd-7.3.27-1.mga7
php-gettext-7.3.27-1.mga7
php-gmp-7.3.27-1.mga7
php-iconv-7.3.27-1.mga7
php-imap-7.3.27-1.mga7
php-interbase-7.3.27-1.mga7
php-intl-7.3.27-1.mga7
php-json-7.3.27-1.mga7
php-ldap-7.3.27-1.mga7
php-mbstring-7.3.27-1.mga7
php-mysqli-7.3.27-1.mga7
php-mysqlnd-7.3.27-1.mga7
php-odbc-7.3.27-1.mga7
php-opcache-7.3.27-1.mga7
php-pcntl-7.3.27-1.mga7
php-pdo-7.3.27-1.mga7
php-pdo_dblib-7.3.27-1.mga7
php-pdo_firebird-7.3.27-1.mga7
php-pdo_mysql-7.3.27-1.mga7
php-pdo_odbc-7.3.27-1.mga7
php-pdo_pgsql-7.3.27-1.mga7
php-pdo_sqlite-7.3.27-1.mga7
php-pgsql-7.3.27-1.mga7
php-phar-7.3.27-1.mga7
php-posix-7.3.27-1.mga7
php-readline-7.3.27-1.mga7
php-recode-7.3.27-1.mga7
php-session-7.3.27-1.mga7
php-shmop-7.3.27-1.mga7
php-snmp-7.3.27-1.mga7
php-soap-7.3.27-1.mga7
php-sockets-7.3.27-1.mga7
php-sodium-7.3.27-1.mga7
php-sqlite3-7.3.27-1.mga7
php-sysvmsg-7.3.27-1.mga7
php-sysvsem-7.3.27-1.mga7
php-sysvshm-7.3.27-1.mga7
php-tidy-7.3.27-1.mga7
php-tokenizer-7.3.27-1.mga7
php-xml-7.3.27-1.mga7
php-xmlreader-7.3.27-1.mga7
php-xmlrpc-7.3.27-1.mga7
php-xmlwriter-7.3.27-1.mga7
php-xsl-7.3.27-1.mga7
php-wddx-7.3.27-1.mga7
php-zip-7.3.27-1.mga7
php-fpm-7.3.27-1.mga7
php-fpm-apache-7.3.27-1.mga7
phpdbg-7.3.27-1.mga7
php-debugsource-7.3.27-1.mga7
php-debuginfo-7.3.27-1.mga7
apache-mod_php-debuginfo-7.3.27-1.mga7
php-cli-debuginfo-7.3.27-1.mga7
php-cgi-debuginfo-7.3.27-1.mga7
lib64php_common7-debuginfo-7.3.27-1.mga7
php-openssl-debuginfo-7.3.27-1.mga7
php-zlib-debuginfo-7.3.27-1.mga7
php-bcmath-debuginfo-7.3.27-1.mga7
php-bz2-debuginfo-7.3.27-1.mga7
php-calendar-debuginfo-7.3.27-1.mga7
php-ctype-debuginfo-7.3.27-1.mga7
php-curl-debuginfo-7.3.27-1.mga7
php-dba-debuginfo-7.3.27-1.mga7
php-dom-debuginfo-7.3.27-1.mga7
php-enchant-debuginfo-7.3.27-1.mga7
php-exif-debuginfo-7.3.27-1.mga7
php-fileinfo-debuginfo-7.3.27-1.mga7
php-filter-debuginfo-7.3.27-1.mga7
php-ftp-debuginfo-7.3.27-1.mga7
php-gd-debuginfo-7.3.27-1.mga7
php-gettext-debuginfo-7.3.27-1.mga7
php-gmp-debuginfo-7.3.27-1.mga7
php-iconv-debuginfo-7.3.27-1.mga7
php-imap-debuginfo-7.3.27-1.mga7
php-interbase-debuginfo-7.3.27-1.mga7
php-intl-debuginfo-7.3.27-1.mga7
php-json-debuginfo-7.3.27-1.mga7
php-ldap-debuginfo-7.3.27-1.mga7
php-mbstring-debuginfo-7.3.27-1.mga7
php-mysqli-debuginfo-7.3.27-1.mga7
php-mysqlnd-debuginfo-7.3.27-1.mga7
php-odbc-debuginfo-7.3.27-1.mga7
php-opcache-debuginfo-7.3.27-1.mga7
php-pcntl-debuginfo-7.3.27-1.mga7
php-pdo-debuginfo-7.3.27-1.mga7
php-pdo_dblib-debuginfo-7.3.27-1.mga7
php-pdo_firebird-debuginfo-7.3.27-1.mga7
php-pdo_mysql-debuginfo-7.3.27-1.mga7
php-pdo_odbc-debuginfo-7.3.27-1.mga7
php-pdo_pgsql-debuginfo-7.3.27-1.mga7
php-pdo_sqlite-debuginfo-7.3.27-1.mga7
php-pgsql-debuginfo-7.3.27-1.mga7
php-phar-debuginfo-7.3.27-1.mga7
php-posix-debuginfo-7.3.27-1.mga7
php-readline-debuginfo-7.3.27-1.mga7
php-recode-debuginfo-7.3.27-1.mga7
php-session-debuginfo-7.3.27-1.mga7
php-shmop-debuginfo-7.3.27-1.mga7
php-snmp-debuginfo-7.3.27-1.mga7
php-soap-debuginfo-7.3.27-1.mga7
php-sockets-debuginfo-7.3.27-1.mga7
php-sodium-debuginfo-7.3.27-1.mga7
php-sqlite3-debuginfo-7.3.27-1.mga7
php-sysvmsg-debuginfo-7.3.27-1.mga7
php-sysvsem-debuginfo-7.3.27-1.mga7
php-sysvshm-debuginfo-7.3.27-1.mga7
php-tidy-debuginfo-7.3.27-1.mga7
php-tokenizer-debuginfo-7.3.27-1.mga7
php-xml-debuginfo-7.3.27-1.mga7
php-xmlreader-debuginfo-7.3.27-1.mga7
php-xmlrpc-debuginfo-7.3.27-1.mga7
php-xmlwriter-debuginfo-7.3.27-1.mga7
php-xsl-debuginfo-7.3.27-1.mga7
php-wddx-debuginfo-7.3.27-1.mga7
php-zip-debuginfo-7.3.27-1.mga7
php-fpm-debuginfo-7.3.27-1.mga7
phpdbg-debuginfo-7.3.27-1.mga7


SRPM:
php-7.3.27-1.mga7.src.rpm

Assignee: mageia => qa-bugs
CVE: (none) => CVE-2021-21702

Comment 2 Marc Krämer 2021-02-04 23:02:19 CET
please validate php-7.4.15-1.mga7.src.rpm from backports_testing too!
David Walser 2021-02-05 00:29:12 CET

Summary: PHP: new security vulunaribility => PHP 7.3.27 (fixes CVE-2021-21702)

Comment 3 David Walser 2021-02-05 00:30:16 CET
(In reply to Marc Krämer from comment #2)
> please validate php-7.4.15-1.mga7.src.rpm from backports_testing too!

They can't unless you file a bug for it.
Marc Krämer 2021-02-05 12:04:45 CET

Blocks: (none) => 28297

Comment 4 Marc Krämer 2021-02-05 12:05:17 CET
@David: it is a bit annoying to file 2 bugs. Having backports with regular updates often hangs until the next one is ready :(
Comment 5 PC LX 2021-02-05 14:29:54 CET
Installed and tested without issues.

Using php-fpm instead of mod_php.


Tested several scripts (phpmyadmin, wordpress, drupal, roundcubemail, mediawiki). Tested HTTP 1.1, HTTP 2, TLS and CLI.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php.*7.3 | sort
apache-mod_php-7.3.27-1.mga7
lib64php_common7-7.3.27-1.mga7
php-bz2-7.3.27-1.mga7
php-cli-7.3.27-1.mga7
php-ctype-7.3.27-1.mga7
php-curl-7.3.27-1.mga7
php-dom-7.3.27-1.mga7
php-exif-7.3.27-1.mga7
php-fileinfo-7.3.27-1.mga7
php-filter-7.3.27-1.mga7
php-fpm-7.3.27-1.mga7
php-ftp-7.3.27-1.mga7
php-gd-7.3.27-1.mga7
php-gettext-7.3.27-1.mga7
php-iconv-7.3.27-1.mga7
php-ini-7.3.27-1.mga7
php-intl-7.3.27-1.mga7
php-json-7.3.27-1.mga7
php-ldap-7.3.27-1.mga7
php-mbstring-7.3.27-1.mga7
php-mysqli-7.3.27-1.mga7
php-mysqlnd-7.3.27-1.mga7
php-openssl-7.3.27-1.mga7
php-pdo-7.3.27-1.mga7
php-pdo_mysql-7.3.27-1.mga7
php-pdo_sqlite-7.3.27-1.mga7
php-pear-PHPUnit-3.7.34-4.mga7
php-posix-7.3.27-1.mga7
php-session-7.3.27-1.mga7
php-sockets-7.3.27-1.mga7
php-sysvsem-7.3.27-1.mga7
php-sysvshm-7.3.27-1.mga7
php-tokenizer-7.3.27-1.mga7
php-xml-7.3.27-1.mga7
php-xmlreader-7.3.27-1.mga7
php-xmlwriter-7.3.27-1.mga7
php-zip-7.3.27-1.mga7
php-zlib-7.3.27-1.mga7
$ systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-02-05 10:37:19 WET; 2h 33min ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4668)
   Memory: 8.0K
   CGroup: /system.slice/httpd.socket

fev 05 10:37:19 marte systemd[1]: Listening on httpd server activation socket.

● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-02-05 11:45:56 WET; 1h 24min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

fev 05 10:37:19 marte systemd[1]: Listening on php-fpm Server Socket.
fev 05 11:45:56 marte systemd[1]: php-fpm.socket: Succeeded.
fev 05 11:45:56 marte systemd[1]: Closed php-fpm Server Socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-02-05 11:24:21 WET; 1h 46min ago
 Main PID: 20538 (httpd)
   Status: "Total requests: 837; Idle/Busy workers 100/0;Requests/sec: 0.131; Bytes served/sec: 1.6KB/sec"
    Tasks: 66 (limit: 4668)
   Memory: 38.5M
   CGroup: /system.slice/httpd.service
           ├─20538 /usr/sbin/httpd -DFOREGROUND
           ├─20540 /usr/sbin/httpd -DFOREGROUND
           └─20541 /usr/sbin/httpd -DFOREGROUND

fev 05 11:24:21 marte systemd[1]: Starting The Apache HTTP Server...
fev 05 11:24:21 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-02-05 11:45:56 WET; 1h 24min ago
 Main PID: 22363 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 115, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4668)
   Memory: 90.5M
   CGroup: /system.slice/php-fpm.service
           ├─12992 php-fpm: pool www
           ├─13001 php-fpm: pool www
           └─22363 php-fpm: master process (/etc/php-fpm.conf)

fev 05 11:45:56 marte systemd[1]: Starting The PHP FastCGI Process Manager...
fev 05 11:45:56 marte php-fpm[22363]: [NOTICE] fpm is running, pid 22363
fev 05 11:45:56 marte php-fpm[22363]: [NOTICE] ready to handle connections
fev 05 11:45:56 marte php-fpm[22363]: [NOTICE] systemd monitor interval set to 10000ms
fev 05 11:45:56 marte systemd[1]: Started The PHP FastCGI Process Manager.

CC: (none) => mageia

Comment 6 Herman Viaene 2021-02-05 16:15:58 CET
Selecting a 7.3.27 package calls for dependencies of 7.4.12 ????

CC: (none) => herman.viaene

Comment 7 David Walser 2021-02-05 16:24:12 CET
Disable backports Herman.
Comment 8 Herman Viaene 2021-02-05 16:34:40 CET
I cannt't see any backports enabled.
Comment 9 PC LX 2021-02-05 17:10:08 CET
(In reply to Herman Viaene from comment #8)
> I cannt't see any backports enabled.

I'm seeing the same issue but only when using rpmdrake GUI. When using urpmi CLI the issue is not present.

The following are the repositories I have enabled. No backports are enabled.

$ LANGUAGE=C urpmi.update -a
medium "Core Release" is up-to-date
medium "Core Updates" is up-to-date
medium "Core Updates Testing" is up-to-date
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
medium "Nonfree Updates Testing" is up-to-date
medium "Tainted Release" is up-to-date
medium "Tainted Updates" is up-to-date
medium "Tainted Updates Testing" is up-to-date
medium "Core 32bit Release" is up-to-date
medium "Core 32bit Updates" is up-to-date
medium "Core 32bit Updates Testing" is up-to-date
medium "Nonfree 32bit Release" is up-to-date
medium "Nonfree 32bit Updates" is up-to-date
medium "Nonfree 32bit Updates Testing" is up-to-date
medium "Tainted 32bit Release" is up-to-date
medium "Tainted 32bit Updates" is up-to-date
medium "Tainted 32bit Updates Testing" is up-to-date

But in rpmdrake the backport packages are shown for update (see attached screen shot).

Any way, I'm planing to post a bug report for this.

For now, using urpmi CLI works around this issue and the php 7.3.* can be updated and tested.
Comment 10 PC LX 2021-02-05 17:10:47 CET
Created attachment 12311 [details]
rpmdrake screen shot showing backport issue.
Comment 11 Morgan Leijström 2021-02-06 12:51:02 CET
Bug 27436 - rpmdrake selects backports rpms although only updates_testing is selected

CC: (none) => fri

Comment 12 Thomas Andrews 2021-02-07 17:56:05 CET
So can we send this one on, or does bug 27436 have to be addressed first?

If this one can go, it might solve the issue Brian ran into in Bug 27905.

CC: (none) => andrewsfarm

Comment 13 David Walser 2021-02-07 18:08:02 CET
This one should be pushed ASAP.
Comment 14 Thomas Backlund 2021-02-07 18:17:32 CET
(In reply to Marc Krämer from comment #4)
> @David: it is a bit annoying to file 2 bugs. Having backports with regular
> updates often hangs until the next one is ready :(

Well, backports have lower priority than updates.
It's the simple fact of limited resources...
Comment 15 Thomas Andrews 2021-02-07 18:41:26 CET
Herman, PC LX, is it possible that you installed the backported php 7.4.12 in an earlier test? I took a look on one of my test installs where I had done that, and I see that drakrpm shows the 7.4.12 packages, even though backports is disabled. 

If you removed them, perhaps you didn't get them all, or all of their dependencies, so 7.4.12 packages are being called up now as dependencies because of it. How about a leftover orphan?
Comment 16 Thomas Andrews 2021-02-07 19:05:58 CET
Sending it on. Validating. Closest thing I see to an advisory is in Comment 1.

Now, if someone could check out the backport in Bug 28297?

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 17 PC LX 2021-02-07 20:00:44 CET
(In reply to Thomas Andrews from comment #15)
> Herman, PC LX, is it possible that you installed the backported php 7.4.12
> in an earlier test? I took a look on one of my test installs where I had
> done that, and I see that drakrpm shows the 7.4.12 packages, even though
> backports is disabled. 
> 
> If you removed them, perhaps you didn't get them all, or all of their
> dependencies, so 7.4.12 packages are being called up now as dependencies
> because of it. How about a leftover orphan?

This system has been following 7.3.* and never had any 7.4.* on it.
Comment 18 Aurelien Oudelet 2021-02-08 15:38:13 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 19 Mageia Robot 2021-02-08 18:59:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0076.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.