Bug 31041 - PHP: update to 8.0.25
Summary: PHP: update to 8.0.25
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-28 16:20 CEST by Marc Krämer
Modified: 2022-11-02 00:00 CET (History)
CC: 4 users

See Also:
Source RPM: php
CVE: CVE-2022-37454, CVE-2022-31630
Status comment:



Description Marc Krämer 2022-10-28 16:20:15 CEST
security update of php:
https://www.php.net/ChangeLog-8.php#8.0.25
Comment 1 Marc Krämer 2022-10-28 16:24:39 CEST
Updated php packages fix security vulnerabilities:

A new update has been released [1]

GD:
- Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). [2]

Hash:
- Fixed bug #81738: buffer overflow in hash_update() on long parameter. [3]

Session:
- Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).

Streams:
- Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set).

References:
[1] https://www.php.net/ChangeLog-8.php#8.0.25
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31630
========================

Updated packages in core/updates_testing:
========================
php-dom-debuginfo-8.0.25-1.mga8
php-openssl-debuginfo-8.0.25-1.mga8
php-debuginfo-8.0.25-1.mga8
php-phar-debuginfo-8.0.25-1.mga8
php-mysqlnd-debuginfo-8.0.25-1.mga8
php-mbstring-8.0.25-1.mga8
php-mbstring-debuginfo-8.0.25-1.mga8
php-pgsql-debuginfo-8.0.25-1.mga8
php-opcache-8.0.25-1.mga8
php-fileinfo-debuginfo-8.0.25-1.mga8
php-pdo-debuginfo-8.0.25-1.mga8
php-intl-8.0.25-1.mga8
php-curl-debuginfo-8.0.25-1.mga8
php-mysqli-debuginfo-8.0.25-1.mga8
php-ini-8.0.25-1.mga8
php-sockets-debuginfo-8.0.25-1.mga8
php-intl-debuginfo-8.0.25-1.mga8
php-soap-debuginfo-8.0.25-1.mga8
php-session-debuginfo-8.0.25-1.mga8
php-phar-8.0.25-1.mga8
php-mysqlnd-8.0.25-1.mga8
php-gmp-debuginfo-8.0.25-1.mga8
php-imap-debuginfo-8.0.25-1.mga8
php-soap-8.0.25-1.mga8
php-gd-debuginfo-8.0.25-1.mga8
php-ldap-debuginfo-8.0.25-1.mga8
php-zip-debuginfo-8.0.25-1.mga8
php-exif-debuginfo-8.0.25-1.mga8
php-doc-8.0.25-1.mga8
php-dba-debuginfo-8.0.25-1.mga8
php-ftp-debuginfo-8.0.25-1.mga8
php-snmp-debuginfo-8.0.25-1.mga8
php-openssl-8.0.25-1.mga8
php-tidy-debuginfo-8.0.25-1.mga8
php-sodium-debuginfo-8.0.25-1.mga8
php-dom-8.0.25-1.mga8
php-pgsql-8.0.25-1.mga8
php-bcmath-debuginfo-8.0.25-1.mga8
php-filter-debuginfo-8.0.25-1.mga8
php-zlib-debuginfo-8.0.25-1.mga8
php-mysqli-8.0.25-1.mga8
php-odbc-debuginfo-8.0.25-1.mga8
php-iconv-debuginfo-8.0.25-1.mga8
php-sqlite3-debuginfo-8.0.25-1.mga8
php-posix-debuginfo-8.0.25-1.mga8
php-pdo_pgsql-debuginfo-8.0.25-1.mga8
php-pdo-8.0.25-1.mga8
php-curl-8.0.25-1.mga8
php-gd-8.0.25-1.mga8
php-pdo_sqlite-debuginfo-8.0.25-1.mga8
php-xsl-debuginfo-8.0.25-1.mga8
php-session-8.0.25-1.mga8
php-pdo_firebird-debuginfo-8.0.25-1.mga8
php-sockets-8.0.25-1.mga8
php-pdo_mysql-debuginfo-8.0.25-1.mga8
php-imap-8.0.25-1.mga8
php-exif-8.0.25-1.mga8
php-ldap-8.0.25-1.mga8
php-sodium-8.0.25-1.mga8
php-calendar-debuginfo-8.0.25-1.mga8
php-pdo_dblib-debuginfo-8.0.25-1.mga8
php-xmlreader-debuginfo-8.0.25-1.mga8
php-readline-debuginfo-8.0.25-1.mga8
php-xmlwriter-debuginfo-8.0.25-1.mga8
php-tokenizer-debuginfo-8.0.25-1.mga8
php-gmp-8.0.25-1.mga8
php-tidy-8.0.25-1.mga8
php-dba-8.0.25-1.mga8
php-odbc-8.0.25-1.mga8
php-pdo_odbc-debuginfo-8.0.25-1.mga8
php-sqlite3-8.0.25-1.mga8
php-ftp-8.0.25-1.mga8
php-bz2-debuginfo-8.0.25-1.mga8
php-pcntl-debuginfo-8.0.25-1.mga8
php-zip-8.0.25-1.mga8
php-snmp-8.0.25-1.mga8
php-iconv-8.0.25-1.mga8
php-bcmath-8.0.25-1.mga8
php-filter-8.0.25-1.mga8
php-pdo_pgsql-8.0.25-1.mga8
php-zlib-8.0.25-1.mga8
php-gettext-debuginfo-8.0.25-1.mga8
php-xmlwriter-8.0.25-1.mga8
php-enchant-debuginfo-8.0.25-1.mga8
php-ctype-debuginfo-8.0.25-1.mga8
php-sysvmsg-debuginfo-8.0.25-1.mga8
php-posix-8.0.25-1.mga8
php-xsl-8.0.25-1.mga8
php-sysvshm-debuginfo-8.0.25-1.mga8
php-readline-8.0.25-1.mga8
php-xmlreader-8.0.25-1.mga8
php-calendar-8.0.25-1.mga8
php-pdo_firebird-8.0.25-1.mga8
php-pcntl-8.0.25-1.mga8
php-pdo_sqlite-8.0.25-1.mga8
php-pdo_mysql-8.0.25-1.mga8
php-sysvshm-8.0.25-1.mga8
php-sysvmsg-8.0.25-1.mga8
php-bz2-8.0.25-1.mga8
php-pdo_odbc-8.0.25-1.mga8
php-pdo_dblib-8.0.25-1.mga8
php-enchant-8.0.25-1.mga8
php-shmop-debuginfo-8.0.25-1.mga8
php-tokenizer-8.0.25-1.mga8
php-sysvsem-debuginfo-8.0.25-1.mga8
php-shmop-8.0.25-1.mga8
php-fpm-nginx-8.0.25-1.mga8
php-fpm-apache-8.0.25-1.mga8
php-ctype-8.0.25-1.mga8
php-sysvsem-8.0.25-1.mga8
php-gettext-8.0.25-1.mga8
php-cgi-8.0.25-1.mga8
phpdbg-8.0.25-1.mga8
php-cli-8.0.25-1.mga8
php-fpm-8.0.25-1.mga8
apache-mod_php-8.0.25-1.mga8
php-opcache-debuginfo-8.0.25-1.mga8
php-fileinfo-8.0.25-1.mga8
apache-mod_php-debuginfo-8.0.25-1.mga8
php-cgi-debuginfo-8.0.25-1.mga8
php-fpm-debuginfo-8.0.25-1.mga8
phpdbg-debuginfo-8.0.25-1.mga8
php-cli-debuginfo-8.0.25-1.mga8
php-debugsource-8.0.25-1.mga8
php-devel-8.0.25-1.mga8

SRPM:
php-8.0.25-1.mga8.src.rpm

CVE: (none) => CVE-2022-37454, CVE-2022-31630
Assignee: mageia => qa-bugs

Comment 2 David Walser 2022-10-29 00:28:55 CEST
Make sure to include the CVEs in the advisory.  If CVE-2022-31630 also affects libgd, we need to fix it there.
Comment 3 Brian Rockwell 2022-10-29 00:56:23 CEST
Hi Marc,
I'm getting bad links when I pick an 8.0.25 php object.  The system has 8.0.24 installed currently.

I pick one 8.0.25 object and the following appears.

To satisfy dependencies, the following package(s) also need to be installed:

- apache-mod_php-8.1.11-1.mga8.x86_64
- php-apcu-5.1.21-4.mga8.x86_64
- php-bcmath-8.1.11-1.mga8.x86_64
- php-bz2-8.1.11-1.mga8.x86_64
- php-cgi-8.1.11-1.mga8.x86_64
- php-cli-8.1.11-1.mga8.x86_64
- php-ctype-8.1.11-1.mga8.x86_64
- php-curl-8.1.11-1.mga8.x86_64
- php-dom-8.1.11-1.mga8.x86_64
- php-exif-8.1.11-1.mga8.x86_64
- php-fileinfo-8.1.11-1.mga8.x86_64
- php-filter-8.1.11-1.mga8.x86_64
- php-gd-8.1.11-1.mga8.x86_64
- php-gmp-8.1.11-1.mga8.x86_64
- php-iconv-8.1.11-1.mga8.x86_64
- php-imagick-3.6.0-0.3.mga8.x86_64
- php-ini-8.1.11-1.mga8.x86_64
- php-intl-8.1.11-1.mga8.x86_64
- php-ldap-8.1.11-1.mga8.x86_64
- php-mbstring-8.1.11-1.mga8.x86_64
- php-mysqlnd-8.1.11-1.mga8.x86_64
- php-opcache-8.1.11-1.mga8.x86_64
- php-openssl-8.1.11-1.mga8.x86_64
- php-pcntl-8.1.11-1.mga8.x86_64
- php-pdo-8.1.11-1.mga8.x86_64
- php-pdo_mysql-8.1.11-1.mga8.x86_64
- php-posix-8.1.11-1.mga8.x86_64
- php-session-8.1.11-1.mga8.x86_64
- php-sodium-8.1.11-1.mga8.x86_64
- php-sysvsem-8.1.11-1.mga8.x86_64
- php-sysvshm-8.1.11-1.mga8.x86_64
- php-tokenizer-8.1.11-1.mga8.x86_64
- php-xmlreader-8.1.11-1.mga8.x86_64
- php-xmlwriter-8.1.11-1.mga8.x86_64
- php-zip-8.1.11-1.mga8.x86_64
- php-zlib-8.1.11-1.mga8.x86_64


Is this a bad link or something wonky on my side?

CC: (none) => brtians1

Comment 4 Marc Krämer 2022-10-29 12:13:50 CEST
This looks like the backports "bug" in urpmi.
Once backports is enabled, urpmi tries to get updates from there. I think the solution was to remove the backports repo before updating?
@David: do you remember?
For gd: no, this is in the handling of fonts loaded by php; this is not in the library.
Comment 5 Dave Hodgins 2022-10-29 23:05:38 CEST
(In reply to Brian Rockwell from comment #3)
> Hi Marc,
> I'm getting bad links when I pick an 8.0.25 php object.  The system has
> 8.0.24 installed currently.
> 
> I pick one 8.0.25 object and the following appears.
> 
> To satisfy dependencies, the following package(s) also need to be installed:
> 
> - apache-mod_php-8.1.11-1.mga8.x86_64
<snip list>
> Is this a bad link or something wonky on my side?

http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/backports/apache-mod_php-8.1.11-1.mga8.x86_64.rpm

It's the backports bug.

The workaround is to run "urpmi.removemedia -y Back". Delete and re-add all media
any time you want to test backports.

CC: (none) => davidwhodgins

Comment 6 Brian Rockwell 2022-10-30 16:06:43 CET
Thanks Marc and Dave,
Yup, wonky on my end. Removing Backports worked.

MGA8-64, Xfce, AMD A4 APU

# uname -a
Linux localhost 5.15.74-server-1.mga8 #1 SMP Sat Oct 15 19:40:42 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

This is a test Nextcloud server.

The following 34 packages are going to be installed:

- apache-mod_php-8.0.25-1.mga8.x86_64
- php-bcmath-8.0.25-1.mga8.x86_64
- php-bz2-8.0.25-1.mga8.x86_64
- php-cgi-8.0.25-1.mga8.x86_64
- php-cli-8.0.25-1.mga8.x86_64
- php-ctype-8.0.25-1.mga8.x86_64
- php-curl-8.0.25-1.mga8.x86_64
- php-dom-8.0.25-1.mga8.x86_64
- php-exif-8.0.25-1.mga8.x86_64
- php-fileinfo-8.0.25-1.mga8.x86_64
- php-filter-8.0.25-1.mga8.x86_64
- php-gd-8.0.25-1.mga8.x86_64
- php-gmp-8.0.25-1.mga8.x86_64
- php-iconv-8.0.25-1.mga8.x86_64
- php-ini-8.0.25-1.mga8.x86_64
- php-intl-8.0.25-1.mga8.x86_64
- php-ldap-8.0.25-1.mga8.x86_64
- php-mbstring-8.0.25-1.mga8.x86_64
- php-mysqlnd-8.0.25-1.mga8.x86_64
- php-opcache-8.0.25-1.mga8.x86_64
- php-openssl-8.0.25-1.mga8.x86_64
- php-pcntl-8.0.25-1.mga8.x86_64
- php-pdo-8.0.25-1.mga8.x86_64
- php-pdo_mysql-8.0.25-1.mga8.x86_64
- php-posix-8.0.25-1.mga8.x86_64
- php-session-8.0.25-1.mga8.x86_64
- php-sodium-8.0.25-1.mga8.x86_64
- php-sysvsem-8.0.25-1.mga8.x86_64
- php-sysvshm-8.0.25-1.mga8.x86_64
- php-tokenizer-8.0.25-1.mga8.x86_64
- php-xmlreader-8.0.25-1.mga8.x86_64
- php-xmlwriter-8.0.25-1.mga8.x86_64
- php-zip-8.0.25-1.mga8.x86_64
- php-zlib-8.0.25-1.mga8.x86_64

664B of additional disk space will be used.

7.4MB of packages will be retrieved.

Is it ok to continue?


-- restarted machine


Nextcloud working as expected.

Whiteboard: (none) => MGA8-64-OK
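
A check for the failure mode seen in comments 3 and 6, where urpmi resolved the 8.0.25 update against the backports media and offered 8.1.11 packages instead: added example code, not from the bug report or from Mageia's tooling. The package lines are constructed from the lists quoted above, and the `parse_nvra`, `audit` and `is_clean` names are this example's own.

```python
"""Cross-check a urpmi transaction list against the advisory's expected
version-release, flagging advisory packages that would arrive at a different
version (the backports pull) while merely noting packages from other SRPMs."""
import re

# RPM name-version-release.arch: the name may contain dashes (apache-mod_php),
# version and release may not, and the arch follows the last dot.
_NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

# Version-release every package of the php SRPM in this advisory must carry.
ADVISORY_VR = "8.0.25-1.mga8"
# Subset of the advisory's package names (constructed from comment 1).
ADVISORY_NAMES = {"apache-mod_php", "php-cli", "php-gd", "php-mbstring", "php-pdo_mysql"}

# Constructed urpmi output, trimmed from comment 3 (backports media enabled).
BAD_RUN = """\
To satisfy dependencies, the following package(s) also need to be installed:

- apache-mod_php-8.1.11-1.mga8.x86_64
- php-apcu-5.1.21-4.mga8.x86_64
- php-cli-8.1.11-1.mga8.x86_64
- php-gd-8.1.11-1.mga8.x86_64
"""
# Constructed urpmi output, trimmed from comment 6 (backports media removed).
GOOD_RUN = """\
The following 3 packages are going to be installed:

- apache-mod_php-8.0.25-1.mga8.x86_64
- php-cli-8.0.25-1.mga8.x86_64
- php-gd-8.0.25-1.mga8.x86_64
"""

def parse_nvra(pkg):
    """Split 'php-pdo_mysql-8.1.11-1.mga8.x86_64' into (name, ver, rel, arch)."""
    m = _NVRA.match(pkg.strip())
    if not m:
        raise ValueError(f"not an RPM NVRA: {pkg!r}")
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")

def audit(urpmi_text, advisory_names=ADVISORY_NAMES, expected_vr=ADVISORY_VR):
    """Return (wrong, extra): advisory packages at the wrong version-release,
    and names outside the advisory (plain dependencies such as php-apcu)."""
    wrong, extra = [], []
    for line in urpmi_text.splitlines():
        line = line.strip()
        if not line.startswith("- "):      # skip urpmi's prose lines
            continue
        name, ver, rel, _arch = parse_nvra(line[2:])
        if name not in advisory_names:
            extra.append(name)
        elif f"{ver}-{rel}" != expected_vr:
            wrong.append(f"{name}-{ver}-{rel}")
    return wrong, extra

def is_clean(urpmi_text):
    """True when no advisory package would be installed at a foreign version."""
    return not audit(urpmi_text)[0]
```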

Comment 7 Thomas Andrews 2022-10-31 12:48:01 CET
Waiting less and less patiently for that backports bug to get fixed.

But I wander off-topic...

Validating. Advisory in Comment 1, with more information in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-11-01 22:52:15 CET

Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-11-02 00:00:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0406.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
