Bug 29586 - PHP 8.0.12 update fixes issues
Summary: PHP 8.0.12 update fixes issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29594
Reported: 2021-10-24 17:59 CEST by Marc Krämer
Modified: 2022-08-23 09:34 CEST

See Also:
Source RPM: php
CVE: CVE-2021-21703
Status comment:


Description Marc Krämer 2021-10-24 17:59:22 CEST
New version 8.0.12 fixes issues


CVE-2021-21703
https://www.php.net/ChangeLog-8.php#8.0.12
Marc Krämer 2021-10-24 17:59:28 CEST

CVE: (none) => CVE-2021-21703

Comment 1 David Walser 2021-10-24 19:13:08 CEST
The fileinfo issue needs to be fixed in the file package (fixed in 5.40, Mageia 8 has 5.39).
Comment 2 Marc Krämer 2021-10-24 22:37:47 CEST
@David: sure - but I would not call this "critical". How do we handle this? Do we file a bug against fileinfo?
Comment 3 David Walser 2021-10-24 23:48:09 CEST
Whether it's critical or not doesn't matter, but we can fix it in this bug or another one, but they should be fixed together.  It probably won't be too difficult to identify the file commit that fixed it, given the information in the PHP bug.

CC: (none) => luigiwalser

Comment 4 Marc Krämer 2021-10-26 09:21:58 CEST
I would prefer just to update the file package. This can just improve things. For this specific bug, I don't see a reason to fix it. It does not affect any other packages and it is already fixed in php. It just uses too much mem.
Comment 5 David Walser 2021-10-26 15:09:01 CEST
You have to be careful updating file because it sometimes can cause regressions with one of the automated scripts run at the end of rpmbuild.  We do need to fix it because our php won't use its own fixed code.
Comment 6 Marc Krämer 2021-10-26 19:28:49 CEST
Sorry, I don't get it... build_libmagic is not defined, so we don't link against system file-package.
Comment 7 David Walser 2021-10-26 22:21:40 CEST
Why did that change?  If so it can be in its own bug then, but we should still fix it.  PHP fixes are probably the main way we find out about security bugs in file and libzip at least.
Comment 8 Marc Krämer 2021-10-26 23:57:39 CEST
I haven't changed that. It has been that way since I took over that package (for php 7).

And I don't have the background that php is the main source for those bugs. But if it is preferred, I can try to enable file package again for the next build. (currently php does not build in cauldron anymore - looks like some compiler setting has changed)
Comment 9 Marc Krämer 2021-10-26 23:58:05 CEST
Updated PHP packages fix a security vulnerability:

- Possible privilege escalation in PHP-FPM [1]
- more bug fixes for php as a regular release [2]

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21703
[2] https://www.php.net/ChangeLog-8.php#8.0.12
========================

Updated packages in core/updates_testing:
========================
php-fpm-8.0.12-1.mga8
phpdbg-8.0.12-1.mga8
php-cli-8.0.12-1.mga8
php-cgi-8.0.12-1.mga8
php-cli-debuginfo-8.0.12-1.mga8
phpdbg-debuginfo-8.0.12-1.mga8
apache-mod_php-debuginfo-8.0.12-1.mga8
php-cgi-debuginfo-8.0.12-1.mga8
php-fpm-debuginfo-8.0.12-1.mga8
php-soap-debuginfo-8.0.12-1.mga8
php-intl-debuginfo-8.0.12-1.mga8
php-opcache-8.0.12-1.mga8
php-mbstring-8.0.12-1.mga8
php-mbstring-debuginfo-8.0.12-1.mga8
php-debuginfo-8.0.12-1.mga8
php-opcache-debuginfo-8.0.12-1.mga8
php-phar-debuginfo-8.0.12-1.mga8
php-mysqlnd-debuginfo-8.0.12-1.mga8
php-openssl-debuginfo-8.0.12-1.mga8
php-dom-debuginfo-8.0.12-1.mga8
php-pgsql-debuginfo-8.0.12-1.mga8
php-intl-8.0.12-1.mga8
php-fileinfo-debuginfo-8.0.12-1.mga8
php-mysqli-debuginfo-8.0.12-1.mga8
apache-mod_php-8.0.12-1.mga8
php-curl-debuginfo-8.0.12-1.mga8
php-pdo-debuginfo-8.0.12-1.mga8
php-ini-8.0.12-1.mga8
php-soap-8.0.12-1.mga8
php-sockets-debuginfo-8.0.12-1.mga8
php-session-debuginfo-8.0.12-1.mga8
php-phar-8.0.12-1.mga8
php-mysqlnd-8.0.12-1.mga8
php-gmp-debuginfo-8.0.12-1.mga8
php-imap-debuginfo-8.0.12-1.mga8
php-gd-debuginfo-8.0.12-1.mga8
php-ldap-debuginfo-8.0.12-1.mga8
php-exif-debuginfo-8.0.12-1.mga8
php-zip-debuginfo-8.0.12-1.mga8
php-ftp-debuginfo-8.0.12-1.mga8
php-snmp-debuginfo-8.0.12-1.mga8
php-dba-debuginfo-8.0.12-1.mga8
php-sodium-debuginfo-8.0.12-1.mga8
php-openssl-8.0.12-1.mga8
php-tidy-debuginfo-8.0.12-1.mga8
php-dom-8.0.12-1.mga8
php-doc-8.0.12-1.mga8
php-filter-debuginfo-8.0.12-1.mga8
php-bcmath-debuginfo-8.0.12-1.mga8
php-sqlite3-debuginfo-8.0.12-1.mga8
php-iconv-debuginfo-8.0.12-1.mga8
php-pgsql-8.0.12-1.mga8
php-mysqli-8.0.12-1.mga8
php-odbc-debuginfo-8.0.12-1.mga8
php-posix-debuginfo-8.0.12-1.mga8
php-zlib-debuginfo-8.0.12-1.mga8
php-pdo-8.0.12-1.mga8
php-session-8.0.12-1.mga8
php-pdo_pgsql-debuginfo-8.0.12-1.mga8
php-pdo_mysql-debuginfo-8.0.12-1.mga8
php-curl-8.0.12-1.mga8
php-gd-8.0.12-1.mga8
php-pdo_firebird-debuginfo-8.0.12-1.mga8
php-sockets-8.0.12-1.mga8
php-xsl-debuginfo-8.0.12-1.mga8
php-imap-8.0.12-1.mga8
php-tokenizer-debuginfo-8.0.12-1.mga8
php-xmlwriter-debuginfo-8.0.12-1.mga8
php-pdo_sqlite-debuginfo-8.0.12-1.mga8
php-sodium-8.0.12-1.mga8
php-xmlreader-debuginfo-8.0.12-1.mga8
php-pdo_dblib-debuginfo-8.0.12-1.mga8
php-calendar-debuginfo-8.0.12-1.mga8
php-readline-debuginfo-8.0.12-1.mga8
php-exif-8.0.12-1.mga8
php-pcntl-debuginfo-8.0.12-1.mga8
php-ldap-8.0.12-1.mga8
php-zip-8.0.12-1.mga8
php-gmp-8.0.12-1.mga8
php-fileinfo-8.0.12-1.mga8
php-ftp-8.0.12-1.mga8
php-pdo_odbc-debuginfo-8.0.12-1.mga8
php-dba-8.0.12-1.mga8
php-odbc-8.0.12-1.mga8
php-sqlite3-8.0.12-1.mga8
php-bz2-debuginfo-8.0.12-1.mga8
php-zlib-8.0.12-1.mga8
php-tidy-8.0.12-1.mga8
php-snmp-8.0.12-1.mga8
php-iconv-8.0.12-1.mga8
php-enchant-debuginfo-8.0.12-1.mga8
php-bcmath-8.0.12-1.mga8
php-pdo_pgsql-8.0.12-1.mga8
php-xmlwriter-8.0.12-1.mga8
php-gettext-debuginfo-8.0.12-1.mga8
php-ctype-debuginfo-8.0.12-1.mga8
php-filter-8.0.12-1.mga8
php-pdo_sqlite-8.0.12-1.mga8
php-pcntl-8.0.12-1.mga8
php-pdo_firebird-8.0.12-1.mga8
php-posix-8.0.12-1.mga8
php-sysvmsg-debuginfo-8.0.12-1.mga8
php-xmlreader-8.0.12-1.mga8
php-pdo_dblib-8.0.12-1.mga8
php-xsl-8.0.12-1.mga8
php-readline-8.0.12-1.mga8
php-calendar-8.0.12-1.mga8
php-pdo_mysql-8.0.12-1.mga8
php-sysvshm-debuginfo-8.0.12-1.mga8
php-bz2-8.0.12-1.mga8
php-tokenizer-8.0.12-1.mga8
php-enchant-8.0.12-1.mga8
php-shmop-debuginfo-8.0.12-1.mga8
php-sysvsem-debuginfo-8.0.12-1.mga8
php-pdo_odbc-8.0.12-1.mga8
php-shmop-8.0.12-1.mga8
php-gettext-8.0.12-1.mga8
php-sysvshm-8.0.12-1.mga8
php-sysvmsg-8.0.12-1.mga8
php-sysvsem-8.0.12-1.mga8
php-fpm-apache-8.0.12-1.mga8
php-fpm-nginx-8.0.12-1.mga8
php-ctype-8.0.12-1.mga8
php-debugsource-8.0.12-1.mga8
php-devel-8.0.12-1.mga8


SRPM:
php-8.0.12-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Marc Krämer 2021-10-27 00:03:00 CEST

Blocks: (none) => 29594

Comment 10 Herman Viaene 2021-10-27 11:28:25 CEST
MGA8-64 Plasma on Lenovo B50
Omitted all debug stuff, installation had no issues.
Ref bug 25045 for testing.
Made sure httpd is running, then with php folder and its test files under myhome folder Documenten.
$  php -S localhost:8000 -t php
[Wed Oct 27 11:18:12 2021] PHP 8.0.12 Development Server (http://localhost:8000) started
then pointing browser to https://localhost:8000/create-png.php
displays image OK and
http://localhost:8000/sample.php displays the captain's message OK

AFAICS good enough.

CC: (none) => herman.viaene

Comment 11 David Walser 2021-10-27 18:38:55 CEST
More info on the php-fpm security fix:
https://www.openwall.com/lists/oss-security/2021/10/26/7
Comment 12 Marc Krämer 2021-10-28 18:26:20 CEST
Puh. Who has time to read this? Maybe it is interesting what was the problem - but this article is way too long.
Comment 13 David Walser 2021-10-28 18:30:40 CEST
LOL, well it's more information than we need right now, but it's there if anyone is interested.  I'm just sharing the reference.
Comment 14 Marc Krämer 2021-10-29 14:46:27 CEST
can we push it?
Comment 15 Herman Viaene 2021-10-30 09:14:30 CEST
I'm not a php programmer, but as far as the test goes, and as in previous updates, I'll OK it.

Whiteboard: (none) => MGA8-64-OK

Comment 16 PC LX 2021-10-30 12:08:57 CEST
Installed and tested without issues.

Using php-fpm instead of mod_php.


Tested several scripts (e.g. phpmyadmin, roundcubemail, wordpress, drupal, several custom). Tested HTTP 1.1, HTTP 2, TLS and CLI.


System: Mageia 8, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.75-desktop-1.mga8 #1 SMP Wed Oct 20 10:23:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php.*8\\.0 | sort
apache-mod_php-8.0.12-1.mga8
php-bz2-8.0.12-1.mga8
php-cli-8.0.12-1.mga8
php-ctype-8.0.12-1.mga8
php-curl-8.0.12-1.mga8
php-dom-8.0.12-1.mga8
php-exif-8.0.12-1.mga8
php-fileinfo-8.0.12-1.mga8
php-filter-8.0.12-1.mga8
php-fpm-8.0.12-1.mga8
php-ftp-8.0.12-1.mga8
php-gd-8.0.12-1.mga8
php-gettext-8.0.12-1.mga8
php-iconv-8.0.12-1.mga8
php-imap-8.0.12-1.mga8
php-ini-8.0.12-1.mga8
php-intl-8.0.12-1.mga8
php-ldap-8.0.12-1.mga8
php-mbstring-8.0.12-1.mga8
php-mysqli-8.0.12-1.mga8
php-mysqlnd-8.0.12-1.mga8
php-openssl-8.0.12-1.mga8
php-pdo-8.0.12-1.mga8
php-pdo_mysql-8.0.12-1.mga8
php-pdo_sqlite-8.0.12-1.mga8
php-posix-8.0.12-1.mga8
php-session-8.0.12-1.mga8
php-sockets-8.0.12-1.mga8
php-sysvsem-8.0.12-1.mga8
php-sysvshm-8.0.12-1.mga8
php-tokenizer-8.0.12-1.mga8
php-xmlreader-8.0.12-1.mga8
php-xmlwriter-8.0.12-1.mga8
php-zip-8.0.12-1.mga8
php-zlib-8.0.12-1.mga8
$ systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2021-10-30 11:02:33 WEST; 4min 7s ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 4691)
     Memory: 12.0K
        CPU: 2ms
     CGroup: /system.slice/httpd.socket

out 30 11:02:33 marte systemd[1]: Listening on httpd server activation socket.

● php-fpm.socket - php-fpm Server Socket
     Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
     Active: inactive (dead) since Sat 2021-10-30 11:03:11 WEST; 3min 30s ago
   Triggers: ● php-fpm.service
     Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

out 30 11:02:33 marte systemd[1]: Listening on php-fpm Server Socket.
out 30 11:03:11 marte systemd[1]: php-fpm.socket: Succeeded.
out 30 11:03:11 marte systemd[1]: Closed php-fpm Server Socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2021-10-30 11:03:11 WEST; 3min 31s ago
TriggeredBy: ● httpd.socket
   Main PID: 2442 (httpd)
     Status: "Total requests: 3; Idle/Busy workers 100/0;Requests/sec: 0.0144; Bytes served/sec: 501 B/sec"
      Tasks: 54 (limit: 4691)
     Memory: 34.0M
        CPU: 135ms
     CGroup: /system.slice/httpd.service
             ├─2442 /usr/sbin/httpd -DFOREGROUND
             ├─2443 /usr/sbin/httpd -DFOREGROUND
             └─2444 /usr/sbin/httpd -DFOREGROUND

out 30 11:03:11 marte systemd[1]: Starting The Apache HTTP Server...
out 30 11:03:11 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2021-10-30 11:03:12 WEST; 3min 30s ago
TriggeredBy: ● php-fpm.socket
   Main PID: 2497 (php-fpm)
     Status: "Processes active: 0, idle: 2, Requests: 1, slow: 0, Traffic: 0req/sec"
      Tasks: 3 (limit: 4691)
     Memory: 50.1M
        CPU: 184ms
     CGroup: /system.slice/php-fpm.service
             ├─2497 php-fpm: master process (/etc/php-fpm.conf)
             ├─2503 php-fpm: pool www
             └─2518 php-fpm: pool www

CC: (none) => mageia

Comment 17 Thomas Andrews 2021-10-30 19:04:58 CEST
Validating. Looks like the advisory is in Comment 9.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-10-31 11:35:15 CET

Keywords: (none) => advisory

Comment 18 Mageia Robot 2021-10-31 12:13:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0501.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
