SuSE has issued an advisory on June 5:
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html

Cauldron was affected, but I have fixed it there. Mageia 2 is affected, and I will file a duplicate bug to help QA.

Patched package for Mageia 1 uploaded.

Note to QA: The patch only affects the php-phar subpackage, so you can focus testing there if you can find a test case. Some of the documentation here may be helpful:
http://php.net/manual/en/book.phar.php

I believe there is also a PoC out there. See the references below.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to heap-based buffer overflow was found in the way Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386 https://bugzilla.redhat.com/show_bug.cgi?id=823594 http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html ======================== Updated packages in core/updates_testing: ======================== php-cli-5.3.13-1.1.mga1 php-cgi-5.3.13-1.1.mga1 php-fpm-5.3.13-1.1.mga1 apache-mod_php-5.3.13-1.1.mga1 libphp5_common5-5.3.13-1.1.mga1 php-devel-5.3.13-1.1.mga1 php-openssl-5.3.13-1.1.mga1 php-zlib-5.3.13-1.1.mga1 php-doc-5.3.13-1.1.mga1 php-bcmath-5.3.13-1.1.mga1 php-bz2-5.3.13-1.1.mga1 php-calendar-5.3.13-1.1.mga1 php-ctype-5.3.13-1.1.mga1 php-curl-5.3.13-1.1.mga1 php-dba-5.3.13-1.1.mga1 php-dom-5.3.13-1.1.mga1 php-enchant-5.3.13-1.1.mga1 php-exif-5.3.13-1.1.mga1 php-fileinfo-5.3.13-1.1.mga1 php-filter-5.3.13-1.1.mga1 php-ftp-5.3.13-1.1.mga1 php-gd-5.3.13-1.1.mga1 php-gettext-5.3.13-1.1.mga1 php-gmp-5.3.13-1.1.mga1 php-hash-5.3.13-1.1.mga1 php-iconv-5.3.13-1.1.mga1 php-imap-5.3.13-1.1.mga1 php-intl-5.3.13-1.1.mga1 php-json-5.3.13-1.1.mga1 php-ldap-5.3.13-1.1.mga1 php-mbstring-5.3.13-1.1.mga1 php-mcrypt-5.3.13-1.1.mga1 php-mssql-5.3.13-1.1.mga1 php-mysql-5.3.13-1.1.mga1 php-mysqli-5.3.13-1.1.mga1 php-mysqlnd-5.3.13-1.1.mga1 php-odbc-5.3.13-1.1.mga1 php-pcntl-5.3.13-1.1.mga1 php-pdo-5.3.13-1.1.mga1 php-pdo_dblib-5.3.13-1.1.mga1 php-pdo_mysql-5.3.13-1.1.mga1 php-pdo_odbc-5.3.13-1.1.mga1 php-pdo_pgsql-5.3.13-1.1.mga1 php-pdo_sqlite-5.3.13-1.1.mga1 php-pgsql-5.3.13-1.1.mga1 php-phar-5.3.13-1.1.mga1 php-posix-5.3.13-1.1.mga1 php-pspell-5.3.13-1.1.mga1 php-readline-5.3.13-1.1.mga1 php-recode-5.3.13-1.1.mga1 php-session-5.3.13-1.1.mga1 php-shmop-5.3.13-1.1.mga1 php-snmp-5.3.13-1.1.mga1 php-soap-5.3.13-1.1.mga1 php-sockets-5.3.13-1.1.mga1 php-sqlite3-5.3.13-1.1.mga1 php-sqlite-5.3.13-1.1.mga1 php-sybase_ct-5.3.13-1.1.mga1 php-sysvmsg-5.3.13-1.1.mga1 php-sysvsem-5.3.13-1.1.mga1 php-sysvshm-5.3.13-1.1.mga1 php-tidy-5.3.13-1.1.mga1 php-tokenizer-5.3.13-1.1.mga1 php-xml-5.3.13-1.1.mga1 
php-xmlreader-5.3.13-1.1.mga1 php-xmlrpc-5.3.13-1.1.mga1 php-xmlwriter-5.3.13-1.1.mga1 php-xsl-5.3.13-1.1.mga1 php-wddx-5.3.13-1.1.mga1 php-zip-5.3.13-1.1.mga1 from php-5.3.13-1.1.mga1.src.rpm
Depends on: (none) => 6354
Debian issued an advisory for this yesterday (June 10):
http://www.debian.org/security/2012/dsa-2492

Their update includes an additional patch (from upstream) to the php-phar tar handling code for a similar issue. I've included that patch and rebuilt this update.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to heap-based buffer overflow was found in the way Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
========================

Updated packages in core/updates_testing:
========================
php-cli-5.3.13-1.2.mga1 php-cgi-5.3.13-1.2.mga1 php-fpm-5.3.13-1.2.mga1 apache-mod_php-5.3.13-1.2.mga1 libphp5_common5-5.3.13-1.2.mga1 php-devel-5.3.13-1.2.mga1 php-openssl-5.3.13-1.2.mga1 php-zlib-5.3.13-1.2.mga1 php-doc-5.3.13-1.2.mga1 php-bcmath-5.3.13-1.2.mga1 php-bz2-5.3.13-1.2.mga1 php-calendar-5.3.13-1.2.mga1 php-ctype-5.3.13-1.2.mga1 php-curl-5.3.13-1.2.mga1 php-dba-5.3.13-1.2.mga1 php-dom-5.3.13-1.2.mga1 php-enchant-5.3.13-1.2.mga1 php-exif-5.3.13-1.2.mga1 php-fileinfo-5.3.13-1.2.mga1 php-filter-5.3.13-1.2.mga1 php-ftp-5.3.13-1.2.mga1 php-gd-5.3.13-1.2.mga1 php-gettext-5.3.13-1.2.mga1 php-gmp-5.3.13-1.2.mga1 php-hash-5.3.13-1.2.mga1 php-iconv-5.3.13-1.2.mga1 php-imap-5.3.13-1.2.mga1 php-intl-5.3.13-1.2.mga1 php-json-5.3.13-1.2.mga1 php-ldap-5.3.13-1.2.mga1 php-mbstring-5.3.13-1.2.mga1 php-mcrypt-5.3.13-1.2.mga1
php-mssql-5.3.13-1.2.mga1 php-mysql-5.3.13-1.2.mga1 php-mysqli-5.3.13-1.2.mga1 php-mysqlnd-5.3.13-1.2.mga1 php-odbc-5.3.13-1.2.mga1 php-pcntl-5.3.13-1.2.mga1 php-pdo-5.3.13-1.2.mga1 php-pdo_dblib-5.3.13-1.2.mga1 php-pdo_mysql-5.3.13-1.2.mga1 php-pdo_odbc-5.3.13-1.2.mga1 php-pdo_pgsql-5.3.13-1.2.mga1 php-pdo_sqlite-5.3.13-1.2.mga1 php-pgsql-5.3.13-1.2.mga1 php-phar-5.3.13-1.2.mga1 php-posix-5.3.13-1.2.mga1 php-pspell-5.3.13-1.2.mga1 php-readline-5.3.13-1.2.mga1 php-recode-5.3.13-1.2.mga1 php-session-5.3.13-1.2.mga1 php-shmop-5.3.13-1.2.mga1 php-snmp-5.3.13-1.2.mga1 php-soap-5.3.13-1.2.mga1 php-sockets-5.3.13-1.2.mga1 php-sqlite3-5.3.13-1.2.mga1 php-sqlite-5.3.13-1.2.mga1 php-sybase_ct-5.3.13-1.2.mga1 php-sysvmsg-5.3.13-1.2.mga1 php-sysvsem-5.3.13-1.2.mga1 php-sysvshm-5.3.13-1.2.mga1 php-tidy-5.3.13-1.2.mga1 php-tokenizer-5.3.13-1.2.mga1 php-xml-5.3.13-1.2.mga1 php-xmlreader-5.3.13-1.2.mga1 php-xmlrpc-5.3.13-1.2.mga1 php-xmlwriter-5.3.13-1.2.mga1 php-xsl-5.3.13-1.2.mga1 php-wddx-5.3.13-1.2.mga1 php-zip-5.3.13-1.2.mga1 from php-5.3.13-1.2.mga1.src.rpm
I was worried this might happen, but upstream has issued a new version, Mandriva has updated it (including for 2010.2), and another CVE has been fixed. So, I'll have to build a new update. Mandriva has issued an advisory today (June 15): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093 This updates to 5.3.14 and adds an additional CVE, CVE-2012-2143.
Summary: php new security issue CVE-2012-2386 => php new security issues CVE-2012-2386 and CVE-2012-2143
Updated packages uploaded. php-eaccelerator and php-gd-bundled were rebuilt.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt() in ext/standard/crypt_freesec.c when handling input which contains characters that can not be represented with 7-bit ASCII. When the input contains characters with only the most significant bit set (0x80), that character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in the way Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================

Updated packages in core/updates_testing:
========================
php-eaccelerator-0.9.6.1-6.6.mga1 php-gd-bundled-5.3.14-1.mga1 php-ini-5.3.14-1.mga1 php-cli-5.3.14-1.mga1 php-cgi-5.3.14-1.mga1 php-fpm-5.3.14-1.mga1 apache-mod_php-5.3.14-1.mga1 libphp5_common5-5.3.14-1.mga1 php-devel-5.3.14-1.mga1 php-openssl-5.3.14-1.mga1 php-zlib-5.3.14-1.mga1 php-doc-5.3.14-1.mga1 php-bcmath-5.3.14-1.mga1 php-bz2-5.3.14-1.mga1 php-calendar-5.3.14-1.mga1 php-ctype-5.3.14-1.mga1 php-curl-5.3.14-1.mga1 php-dba-5.3.14-1.mga1
php-dom-5.3.14-1.mga1 php-enchant-5.3.14-1.mga1 php-exif-5.3.14-1.mga1 php-fileinfo-5.3.14-1.mga1 php-filter-5.3.14-1.mga1 php-ftp-5.3.14-1.mga1 php-gd-5.3.14-1.mga1 php-gettext-5.3.14-1.mga1 php-gmp-5.3.14-1.mga1 php-hash-5.3.14-1.mga1 php-iconv-5.3.14-1.mga1 php-imap-5.3.14-1.mga1 php-intl-5.3.14-1.mga1 php-json-5.3.14-1.mga1 php-ldap-5.3.14-1.mga1 php-mbstring-5.3.14-1.mga1 php-mcrypt-5.3.14-1.mga1 php-mssql-5.3.14-1.mga1 php-mysql-5.3.14-1.mga1 php-mysqli-5.3.14-1.mga1 php-mysqlnd-5.3.14-1.mga1 php-odbc-5.3.14-1.mga1 php-pcntl-5.3.14-1.mga1 php-pdo-5.3.14-1.mga1 php-pdo_dblib-5.3.14-1.mga1 php-pdo_mysql-5.3.14-1.mga1 php-pdo_odbc-5.3.14-1.mga1 php-pdo_pgsql-5.3.14-1.mga1 php-pdo_sqlite-5.3.14-1.mga1 php-pgsql-5.3.14-1.mga1 php-phar-5.3.14-1.mga1 php-posix-5.3.14-1.mga1 php-pspell-5.3.14-1.mga1 php-readline-5.3.14-1.mga1 php-recode-5.3.14-1.mga1 php-session-5.3.14-1.mga1 php-shmop-5.3.14-1.mga1 php-snmp-5.3.14-1.mga1 php-soap-5.3.14-1.mga1 php-sockets-5.3.14-1.mga1 php-sqlite3-5.3.14-1.mga1 php-sqlite-5.3.14-1.mga1 php-sybase_ct-5.3.14-1.mga1 php-sysvmsg-5.3.14-1.mga1 php-sysvsem-5.3.14-1.mga1 php-sysvshm-5.3.14-1.mga1 php-tidy-5.3.14-1.mga1 php-tokenizer-5.3.14-1.mga1 php-xml-5.3.14-1.mga1 php-xmlreader-5.3.14-1.mga1 php-xmlrpc-5.3.14-1.mga1 php-xmlwriter-5.3.14-1.mga1 php-xsl-5.3.14-1.mga1 php-wddx-5.3.14-1.mga1 php-zip-5.3.14-1.mga1 from SRPMS: php-eaccelerator-0.9.6.1-6.6.mga1.src.rpm php-gd-bundled-5.3.14-1.mga1.src.rpm php-ini-5.3.14-1.mga1.src.rpm php-5.3.14-1.mga1.src.rpm
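
The truncation described for CVE-2012-2143, as an added illustration that is not part of this bug thread and not PHP's own source: a simplified model of a DES key-setup loop in which the shifted byte doubles as the end-of-string test, beside a corrected form. The function names and sample passwords are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define KEYLEN 8 /* traditional DES crypt() uses the first 8 password bytes */

typedef void (*prep_fn)(const char *, unsigned char[KEYLEN]);

/* Flawed model: the shifted byte is also used to detect the terminator.
 * 0x80 << 1 is 0x100, which truncates to 0 in an unsigned char, so a 0x80
 * byte looks like NUL, the pointer stops advancing and the rest pads as 0. */
static void prepare_key_flawed(const char *key, unsigned char out[KEYLEN])
{
    unsigned char *q = out;
    while (q - out < KEYLEN) {
        if ((*q++ = (unsigned char)((unsigned char)*key << 1)))
            key++;
    }
}

/* Corrected model: test the source byte, not the shifted result. */
static void prepare_key_fixed(const char *key, unsigned char out[KEYLEN])
{
    unsigned char *q = out;
    while (q - out < KEYLEN) {
        *q++ = (unsigned char)((unsigned char)*key << 1);
        if (*key)
            key++;
    }
}

/* Returns 1 when both passwords produce the same DES key bytes. */
static int keys_equal(prep_fn prep, const char *a, const char *b)
{
    unsigned char ka[KEYLEN], kb[KEYLEN];
    prep(a, ka);
    prep(b, kb);
    return memcmp(ka, kb, KEYLEN) == 0;
}

int main(void)
{
    /* Constructed passwords: same prefix, a 0x80 byte, different tails. */
    const char *p1 = "ab\x80" "cdef";
    const char *p2 = "ab\x80" "wxyz";
    printf("flawed: same key = %d\n", keys_equal(prepare_key_flawed, p1, p2));
    printf("fixed:  same key = %d\n", keys_equal(prepare_key_fixed, p1, p2));
    return 0;
}
```

With the flawed loop, every password sharing the prefix before the 0x80 byte hashes identically, which is why QA can check the update by comparing crypt() output for two such inputs before and after installing it.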
Repeated the same PoC tests for CVE-2012-2386 and CVE-2012-2143 on mga1 i586 and mga1 x86_64 as was done on bug #6354. No problems found.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt() in ext/standard/crypt_freesec.c when handling input which contains characters that can not be represented with 7-bit ASCII. When the input contains characters with only the most significant bit set (0x80), that character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in the way Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143 https://bugzilla.redhat.com/show_bug.cgi?id=823594 http://www.php.net/ChangeLog-5.php#5.3.14 http://secunia.com/advisories/44335 http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html http://www.debian.org/security/2012/dsa-2492 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093 ======================== Updated packages in core/updates_testing: ======================== php-eaccelerator-0.9.6.1-6.6.mga1 php-gd-bundled-5.3.14-1.mga1 php-ini-5.3.14-1.mga1 php-cli-5.3.14-1.mga1 php-cgi-5.3.14-1.mga1 php-fpm-5.3.14-1.mga1 apache-mod_php-5.3.14-1.mga1 libphp5_common5-5.3.14-1.mga1 php-devel-5.3.14-1.mga1 php-openssl-5.3.14-1.mga1 php-zlib-5.3.14-1.mga1 php-doc-5.3.14-1.mga1 php-bcmath-5.3.14-1.mga1 php-bz2-5.3.14-1.mga1 php-calendar-5.3.14-1.mga1 php-ctype-5.3.14-1.mga1 php-curl-5.3.14-1.mga1 php-dba-5.3.14-1.mga1 php-dom-5.3.14-1.mga1 php-enchant-5.3.14-1.mga1 php-exif-5.3.14-1.mga1 php-fileinfo-5.3.14-1.mga1 php-filter-5.3.14-1.mga1 php-ftp-5.3.14-1.mga1 php-gd-5.3.14-1.mga1 php-gettext-5.3.14-1.mga1 php-gmp-5.3.14-1.mga1 php-hash-5.3.14-1.mga1 php-iconv-5.3.14-1.mga1 php-imap-5.3.14-1.mga1 php-intl-5.3.14-1.mga1 php-json-5.3.14-1.mga1 php-ldap-5.3.14-1.mga1 php-mbstring-5.3.14-1.mga1 php-mcrypt-5.3.14-1.mga1 php-mssql-5.3.14-1.mga1 php-mysql-5.3.14-1.mga1 php-mysqli-5.3.14-1.mga1 php-mysqlnd-5.3.14-1.mga1 php-odbc-5.3.14-1.mga1 php-pcntl-5.3.14-1.mga1 php-pdo-5.3.14-1.mga1 php-pdo_dblib-5.3.14-1.mga1 php-pdo_mysql-5.3.14-1.mga1 php-pdo_odbc-5.3.14-1.mga1 php-pdo_pgsql-5.3.14-1.mga1 php-pdo_sqlite-5.3.14-1.mga1 php-pgsql-5.3.14-1.mga1 php-phar-5.3.14-1.mga1 php-posix-5.3.14-1.mga1 php-pspell-5.3.14-1.mga1 php-readline-5.3.14-1.mga1 php-recode-5.3.14-1.mga1 php-session-5.3.14-1.mga1 php-shmop-5.3.14-1.mga1 php-snmp-5.3.14-1.mga1 php-soap-5.3.14-1.mga1 php-sockets-5.3.14-1.mga1 
php-sqlite3-5.3.14-1.mga1 php-sqlite-5.3.14-1.mga1 php-sybase_ct-5.3.14-1.mga1 php-sysvmsg-5.3.14-1.mga1 php-sysvsem-5.3.14-1.mga1 php-sysvshm-5.3.14-1.mga1 php-tidy-5.3.14-1.mga1 php-tokenizer-5.3.14-1.mga1 php-xml-5.3.14-1.mga1 php-xmlreader-5.3.14-1.mga1 php-xmlrpc-5.3.14-1.mga1 php-xmlwriter-5.3.14-1.mga1 php-xsl-5.3.14-1.mga1 php-wddx-5.3.14-1.mga1 php-zip-5.3.14-1.mga1 from SRPMS: php-eaccelerator-0.9.6.1-6.6.mga1.src.rpm php-gd-bundled-5.3.14-1.mga1.src.rpm php-ini-5.3.14-1.mga1.src.rpm php-5.3.14-1.mga1.src.rpm ------------------------------------------- Could sysadmin please push from core/updates_testing to core/updates. Thank you! -------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => mga1-32-OK, mga1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0118
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED