SuSE has issued an advisory on June 5:
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html

Cauldron was affected, but I have fixed it there. Mageia 1 is affected, and I filed a separate bug for that to help QA.

Patched package for Mageia 2 uploaded.

Note to QA: The patch only affects the php-phar subpackage, so you can focus testing there if you can find a test case. Some of the documentation here may be helpful:
http://php.net/manual/en/book.phar.php

I believe there is also a PoC out there. See the references below.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to a heap-based buffer overflow, was found in the way the Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm
Blocks: (none) => 6353
Debian issued an advisory for this yesterday (June 10):
http://www.debian.org/security/2012/dsa-2492

Their update includes an additional patch (from upstream) to the php-phar tar handling code for a similar issue. I've included that patch and rebuilt this update.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to a heap-based buffer overflow, was found in the way the Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm
Testing on mga2 x86_64.

A PoC testcase for CVE-2012-2386 is at:
http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

Using the files in php_phar.zip, loading phar.php (which uses poc.phar.tar) before updating from testing recorded a segfault in the httpd error log:

[Thu Jun 14 12:12:18 2012] [notice] child pid 28849 exit signal Segmentation fault (11), possible coredump in /tmp

After updating from Updates Testing and reloading phar.php, php caught the error:

[Thu Jun 14 12:51:16 2012] [error] [client 192.168.0.1] PHP Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "/pub/sites/phar/poc.phar.tar" is a corrupted tar file (invalid entry size)' in /pub/sites/phar/phar.php:3\nStack trace:\n#0 /pub/sites/phar/phar.php(3): Phar->__construct('/pub/sites/phar...')\n#1 {main}\n thrown in /pub/sites/phar/phar.php on line 3

The php-phar patch tests Ok. 2 packages failed to update:

- php-pgsql-5.3.13-1.2.mga2.x86_64 (due to unsatisfied libpq.so.5()(64bit))
- php-pdo_pgsql-5.3.13-1.2.mga2.x86_64 (due to conflicts with libpq9.1_5-9.1.4-1.mga2.i586, trying to promote libpq.so.5()(64bit))

libpq.so.5 is in lib64pq9.1_5, which is installed. Seems like a version conflict. There is an upgrade available for postgresql i586, but not for x86_64.
Do these modules expect an upgraded postgresql?
CC: (none) => fcs
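The advisory above describes the flaw as an integer overflow in how Phar handled tar header fields, and the tester's result after the update shows the patched code rejecting the test archive with "corrupted tar file (invalid entry size)". The following is an added example, not PHP's Phar code and not anything from this bug or the Mageia packages, showing what that kind of size validation looks like in Python: it walks ustar headers, decodes the octal size field, and refuses any entry whose declared size would overflow a 32-bit size-plus-header computation or run past the end of the archive. The 32-bit bound (`SIZE_LIMIT`) and the in-memory sample archives are assumptions constructed for the demonstration.

```python
"""Validate tar entry size fields before trusting them (constructed example).

This is not PHP's Phar implementation; it models the class of check a tar
reader needs so that a declared entry size cannot overflow size arithmetic
or exceed the bytes actually present in the archive.
"""
import io
import tarfile

BLOCK = 512
# Assumed platform bound: size + one header block must fit in an unsigned 32-bit int.
SIZE_LIMIT = 2**32 - 1 - BLOCK

VERDICT_OK = "ok"
VERDICT_BAD_FIELD = "invalid entry size (size field is not octal)"
VERDICT_OVERFLOW = "invalid entry size (size + header would overflow 32 bits)"
VERDICT_TRUNCATED = "invalid entry size (entry runs past end of archive)"


def parse_octal(field: bytes) -> int:
    """Decode a ustar numeric field: NUL- or space-terminated octal ASCII."""
    text = field.split(b"\0", 1)[0].strip(b" ")
    if not text:
        return 0
    if any(c not in b"01234567" for c in text):
        raise ValueError("non-octal size field")
    return int(text, 8)


def check_tar(data: bytes) -> list:
    """Walk the archive header by header.

    Returns a list of (name, declared_size, verdict). Walking stops at the
    first bad entry, since nothing after a bogus size can be located reliably.
    """
    results = []
    pos = 0
    total = len(data)
    while pos + BLOCK <= total:
        hdr = data[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:  # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("ascii", "replace")
        try:
            size = parse_octal(hdr[124:136])
        except ValueError:
            results.append((name, None, VERDICT_BAD_FIELD))
            break
        if size > SIZE_LIMIT:  # check the bound BEFORE doing size + BLOCK arithmetic
            results.append((name, size, VERDICT_OVERFLOW))
            break
        padded = (size + BLOCK - 1) // BLOCK * BLOCK
        if pos + BLOCK + padded > total:  # declared data not actually present
            results.append((name, size, VERDICT_TRUNCATED))
            break
        results.append((name, size, VERDICT_OK))
        pos += BLOCK + padded
    return results


def make_archive(entries) -> bytes:
    """Build a well-formed ustar archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def corrupt_size_field(archive: bytes, octal_text: bytes) -> bytes:
    """Overwrite the first header's 12-byte size field with arbitrary text.

    Constructed negative input for the validator: the archive body is
    unchanged, only the declared size lies.
    """
    hdr = bytearray(archive[:BLOCK])
    hdr[124:136] = octal_text.ljust(12, b"\0")[:12]
    return bytes(hdr) + archive[BLOCK:]


if __name__ == "__main__":
    good = make_archive([("a.txt", b"hello"), ("b.txt", b"x" * 600)])
    for label, sample in [
        ("well-formed", good),
        ("size beyond 32-bit bound", corrupt_size_field(good, b"77777777777")),
        ("size beyond archive length", corrupt_size_field(good, b"1000000")),
        ("non-octal size field", corrupt_size_field(good, b"12ab")),
    ]:
        print(label)
        for name, size, verdict in check_tar(sample):
            print("  %-8s size=%-12s %s" % (name, size, verdict))
```

The order of the checks is the point: the bound on `size` is tested before `size + BLOCK` is ever computed, so the overflow the advisory describes cannot occur in the reader's own arithmetic, and the truncation check then guarantees that any buffer sized from the header is backed by real archive bytes.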
Created attachment 2458
Testcase for CVE-2012-2386

Decoded archive from http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html
(In reply to comment #2)
> The php-phar patch tests Ok. 2 packages failed to update:
>
> - php-pgsql-5.3.13-1.2.mga2.x86_64 (due to unsatisfied libpq.so.5()(64bit))
> - php-pdo_pgsql-5.3.13-1.2.mga2.x86_64 (due to conflicts with
> libpq9.1_5-9.1.4-1.mga2.i586, trying to promote libpq.so.5()(64bit))
>
> libpq.so.5 is in lib64pq9.1_5, which is installed. Seems like a version
> conflict. There is an upgrade available for postgresql i586, but not for
> x86_64.
> Do these modules expect an upgraded postgresql?

From that error message it looks like you have the i586 libpq9.1_5 package installed on your system instead of the x86_64 one and they are in conflict.
The installed library on the system is the 64-bit version (lib64pq9.1_5-9.1.3-1.mga2). The error message suggests that urpmi tried to promote libpq9 from the 64-bit to the newer 32-bit version and failed. I checked the installed /usr/lib64/libpq.so.5 to make sure it wasn't a 32-bit lib:

/usr/lib64/libpq.so.5 -> libpq.so.5.4*
$ file /usr/lib64/libpq.so.5.4
/usr/lib64/libpq.so.5.4: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0xaa561f82b2885f99f25dcb82a0fd8955abca4e57, stripped

Both php-pgsql and php-pdo_pgsql require libpq.so.5()(64bit), which is installed. That didn't make much sense, so I made note of it here.
William, I just read your original message again. Is something wrong with the mirror you're using? I see the update libpq9.1_5 on both i586 and x86_64 on the mirror I just checked. I guess the error you saw could make sense if your mirror was indeed missing the x86_64 update.
They are there. My fault, unchecked box in update media. All updated and working Ok on mga2 64.
Whiteboard: (none) => mga2-64-OK
Thanks for testing William. I was worried this might happen, but upstream has issued a new version, Mandriva has updated it (including for 2010.2), and another CVE has been fixed. So, I'll have to build a new update.

Mandriva has issued an advisory today (June 15):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093

This updates to 5.3.14 and adds an additional CVE, CVE-2012-2143.
Summary: php new security issue CVE-2012-2386 => php new security issues CVE-2012-2386 and CVE-2012-2143
Updated packages uploaded. php-eaccelerator and php-gd-bundled were rebuilt.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt() in ext/standard/crypt_freesec.c when handling input which contains characters that can not be represented with 7-bit ASCII. When the input contains characters with only the most significant bit set (0x80), that character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to a heap-based buffer overflow, was found in the way the Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================

Updated packages in core/updates_testing:
========================
php-eaccelerator-0.9.6.1-10.1.mga2
php-gd-bundled-5.3.14-1.mga2
php-ini-5.3.14-1.mga2
php-cli-5.3.14-1.mga2
php-cgi-5.3.14-1.mga2
php-fpm-5.3.14-1.mga2
apache-mod_php-5.3.14-1.mga2
libphp5_common5-5.3.14-1.mga2
php-devel-5.3.14-1.mga2
php-openssl-5.3.14-1.mga2
php-zlib-5.3.14-1.mga2
php-bcmath-5.3.14-1.mga2
php-bz2-5.3.14-1.mga2
php-calendar-5.3.14-1.mga2
php-ctype-5.3.14-1.mga2
php-curl-5.3.14-1.mga2
php-dba-5.3.14-1.mga2
php-dom-5.3.14-1.mga2
php-enchant-5.3.14-1.mga2
php-exif-5.3.14-1.mga2
php-fileinfo-5.3.14-1.mga2
php-filter-5.3.14-1.mga2
php-ftp-5.3.14-1.mga2
php-gd-5.3.14-1.mga2
php-gettext-5.3.14-1.mga2
php-gmp-5.3.14-1.mga2
php-hash-5.3.14-1.mga2
php-iconv-5.3.14-1.mga2
php-imap-5.3.14-1.mga2
php-intl-5.3.14-1.mga2
php-json-5.3.14-1.mga2
php-ldap-5.3.14-1.mga2
php-mbstring-5.3.14-1.mga2
php-mcrypt-5.3.14-1.mga2
php-mssql-5.3.14-1.mga2
php-mysql-5.3.14-1.mga2
php-mysqli-5.3.14-1.mga2
php-mysqlnd-5.3.14-1.mga2
php-odbc-5.3.14-1.mga2
php-pcntl-5.3.14-1.mga2
php-pdo-5.3.14-1.mga2
php-pdo_dblib-5.3.14-1.mga2
php-pdo_mysql-5.3.14-1.mga2
php-pdo_odbc-5.3.14-1.mga2
php-pdo_pgsql-5.3.14-1.mga2
php-pdo_sqlite-5.3.14-1.mga2
php-pgsql-5.3.14-1.mga2
php-phar-5.3.14-1.mga2
php-posix-5.3.14-1.mga2
php-readline-5.3.14-1.mga2
php-recode-5.3.14-1.mga2
php-session-5.3.14-1.mga2
php-shmop-5.3.14-1.mga2
php-snmp-5.3.14-1.mga2
php-soap-5.3.14-1.mga2
php-sockets-5.3.14-1.mga2
php-sqlite3-5.3.14-1.mga2
php-sqlite-5.3.14-1.mga2
php-sybase_ct-5.3.14-1.mga2
php-sysvmsg-5.3.14-1.mga2
php-sysvsem-5.3.14-1.mga2
php-sysvshm-5.3.14-1.mga2
php-tidy-5.3.14-1.mga2
php-tokenizer-5.3.14-1.mga2
php-xml-5.3.14-1.mga2
php-xmlreader-5.3.14-1.mga2
php-xmlrpc-5.3.14-1.mga2
php-xmlwriter-5.3.14-1.mga2
php-xsl-5.3.14-1.mga2
php-wddx-5.3.14-1.mga2
php-zip-5.3.14-1.mga2

from SRPMS:
php-eaccelerator-0.9.6.1-10.1.mga2.src.rpm
php-gd-bundled-5.3.14-1.mga2.src.rpm
php-5.3.14-1.mga2.src.rpm
Created attachment 2469
PoC test against CVE-2012-2143

Upstream patch provided PoC test code. Extracted code from patch at:
http://git.php.net/?p=php-src.git;a=commitdiff;h=aab49e934de1fff046e659cbec46e3d053b41c34

Tested on mga2 i586 & x86_64 with same results.
Update validated. Thank you.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt() in ext/standard/crypt_freesec.c when handling input which contains characters that can not be represented with 7-bit ASCII. When the input contains characters with only the most significant bit set (0x80), that character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to a heap-based buffer overflow, was found in the way the Phar extension of the PHP scripting language processed certain fields by manipulating TAR files. A remote attacker could provide a specially-crafted TAR archive file, which once processed in a PHP application using the Phar extension could lead to denial of service (application crash), or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm
----------------

Could sysadmin please push from core/updates_testing to core/updates.
Thank you!
------------------------------------------------------------------------------------------
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: mga2-64-OK => mga2-64-OK, mga2-32-OK
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0118

Note: comment 11 listed wrong rpms and missed some srpms, so I used list from comment 9
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED