Debian issued an advisory for this yesterday (June 10):
http://www.debian.org/security/2012/dsa-2492

Their update includes an additional patch (from upstream) to the php-phar tar handling code for a similar issue.  I've included that patch and rebuilt this update.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to heap-based buffer overflow was
found in the way Phar extension of the PHP scripting language
processed certain fields by manipulating TAR files. A remote
attacker could provide a specially-crafted TAR archive file,
which once processed in an PHP application using the Phar extension
could lead to denial of service (application crash), or,
potentially arbitary code execution with the privileges of the
user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm

Testing on mag2 x86_64.

A PoC testcase for CVE-2012-2386 is at:
http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

Using the files in php_phar.zip, loading phar.php (which uses poc.phar.tar) before updating from testing recorded a segfault in the httpd error log:

[Thu Jun 14 12:12:18 2012] [notice] child pid 28849 exit signal Segmentation fault (11), possible coredump in /tmp

After updating from Updates Testing and reloading phar.php, php caught the error:

[Thu Jun 14 12:51:16 2012] [error] [client 192.168.0.1] PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'phar error: "/pub/sites/phar/poc.phar.tar" is a corrupted tar file (invalid entry size)' in /pub/sites/phar/phar.php:3\nStack trace:\n#0 /pub/sites/phar/phar.php(3): Phar->__construct('/pub/sites/phar...')\n#1 {main}\n  thrown in /pub/sites/phar/phar.php on line 3

The php-phar patch tests Ok. 2 packages failed to update:

- php-pgsql-5.3.13-1.2.mga2.x86_64 (due to unsatisfied libpq.so.5()(64bit))
- php-pdo_pgsql-5.3.13-1.2.mga2.x86_64 (due to conflicts with libpq9.1_5-9.1.4-1.mga2.i586, trying to promote libpq.so.5()(64bit))

libpq.so.5 is in lib64pq9.1_5, which is installed. Seems like a version conflict. There is an upgrade available for postgresql i586, but not for x86_64.
Do these modules expect an upgraded postgresql?

CC: (none) => fcs

Created attachment 2458 [details]
Testcase for CVE-2012-2386

Decoded archive from http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

(In reply to comment #2)
> The php-phar patch tests Ok. 2 packages failed to update:
> 
> - php-pgsql-5.3.13-1.2.mga2.x86_64 (due to unsatisfied libpq.so.5()(64bit))
> - php-pdo_pgsql-5.3.13-1.2.mga2.x86_64 (due to conflicts with
> libpq9.1_5-9.1.4-1.mga2.i586, trying to promote libpq.so.5()(64bit))
> 
> libpq.so.5 is in lib64pq9.1_5, which is installed. Seems like a version
> conflict. There is an upgrade available for postgresql i586, but not for
> x86_64.
> Do these modules expect an upgraded postgresql?

From that error message it looks like you have the i586 libpg9.1_5 package installed on your system instead of the x86_64 one and they are in conflict.

The installed library on the system is the 64 bit version (lib64pq9.1_5-9.1.3-1.mga2). 

The error message suggests that urpmi tried to promote libpq9 from the 64 bit to newer 32 bit version and failed. I checked the installed /usr/lib64libpq.so.5 to make sure it wasn't a 32 bit lib:

/usr/lib64/libpq.so.5 -> libpq.so.5.4*

$ file /usr/lib64/libpq.so.5.4
/usr/lib64/libpq.so.5.4: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0xaa561f82b2885f99f25dcb82a0fd8955abca4e57, stripped

Both php-pqsql and php-pdo_pqsql require libpq.so.5()(64bit), which is installed. That didn't make much sense, so made note of it here.

William, I just read your original message again.  Is something wrong with the mirror you're using?  I see the update libpq9.1_5 on both i586 and x86_64 on the mirror I just checked.  I guess the error you saw could make sense if your mirror was indeed missing the x86_64 update.

They are there. My fault, unckecked box in update media. 

All updated and working Ok on mga2 64.

Whiteboard: (none) => mga2-64-OK

Thanks for testing William.  I was worried this might happen, but upstream has issued a new version, Mandriva has updated it (including for 2010.2), and another CVE has been fixed.  So, I'll have to build a new update.

Mandriva has issued an advisory today (June 15):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093

This updates to 5.3.14 and adds an additional CVE, CVE-2012-2143.

Updated packages uploaded.  php-eaccelerator and php-gd-bundled were rebuilt.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt()
in ext/standard/crypt_freesec.c when handling input which contains
characters that can not be represented with 7-bit ASCII. When the input
contains characters with only the most significant bit set (0x80), that
character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in
the way Phar extension of the PHP scripting language processed certain
fields by manipulating TAR files. A remote attacker could provide a
specially-crafted TAR archive file, which once processed in an PHP
application using the Phar extension could lead to denial of service
(application crash), or, potentially arbitary code execution with
the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================

Updated packages in core/updates_testing:
========================
php-eaccelerator-0.9.6.1-10.1.mga2
php-gd-bundled-5.3.14-1.mga2
php-ini-5.3.14-1.mga2
php-cli-5.3.14-1.mga2
php-cgi-5.3.14-1.mga2
php-fpm-5.3.14-1.mga2
apache-mod_php-5.3.14-1.mga2
libphp5_common5-5.3.14-1.mga2
php-devel-5.3.14-1.mga2
php-openssl-5.3.14-1.mga2
php-zlib-5.3.14-1.mga2
php-bcmath-5.3.14-1.mga2
php-bz2-5.3.14-1.mga2
php-calendar-5.3.14-1.mga2
php-ctype-5.3.14-1.mga2
php-curl-5.3.14-1.mga2
php-dba-5.3.14-1.mga2
php-dom-5.3.14-1.mga2
php-enchant-5.3.14-1.mga2
php-exif-5.3.14-1.mga2
php-fileinfo-5.3.14-1.mga2
php-filter-5.3.14-1.mga2
php-ftp-5.3.14-1.mga2
php-gd-5.3.14-1.mga2
php-gettext-5.3.14-1.mga2
php-gmp-5.3.14-1.mga2
php-hash-5.3.14-1.mga2
php-iconv-5.3.14-1.mga2
php-imap-5.3.14-1.mga2
php-intl-5.3.14-1.mga2
php-json-5.3.14-1.mga2
php-ldap-5.3.14-1.mga2
php-mbstring-5.3.14-1.mga2
php-mcrypt-5.3.14-1.mga2
php-mssql-5.3.14-1.mga2
php-mysql-5.3.14-1.mga2
php-mysqli-5.3.14-1.mga2
php-mysqlnd-5.3.14-1.mga2
php-odbc-5.3.14-1.mga2
php-pcntl-5.3.14-1.mga2
php-pdo-5.3.14-1.mga2
php-pdo_dblib-5.3.14-1.mga2
php-pdo_mysql-5.3.14-1.mga2
php-pdo_odbc-5.3.14-1.mga2
php-pdo_pgsql-5.3.14-1.mga2
php-pdo_sqlite-5.3.14-1.mga2
php-pgsql-5.3.14-1.mga2
php-phar-5.3.14-1.mga2
php-posix-5.3.14-1.mga2
php-readline-5.3.14-1.mga2
php-recode-5.3.14-1.mga2
php-session-5.3.14-1.mga2
php-shmop-5.3.14-1.mga2
php-snmp-5.3.14-1.mga2
php-soap-5.3.14-1.mga2
php-sockets-5.3.14-1.mga2
php-sqlite3-5.3.14-1.mga2
php-sqlite-5.3.14-1.mga2
php-sybase_ct-5.3.14-1.mga2
php-sysvmsg-5.3.14-1.mga2
php-sysvsem-5.3.14-1.mga2
php-sysvshm-5.3.14-1.mga2
php-tidy-5.3.14-1.mga2
php-tokenizer-5.3.14-1.mga2
php-xml-5.3.14-1.mga2
php-xmlreader-5.3.14-1.mga2
php-xmlrpc-5.3.14-1.mga2
php-xmlwriter-5.3.14-1.mga2
php-xsl-5.3.14-1.mga2
php-wddx-5.3.14-1.mga2
php-zip-5.3.14-1.mga2

from SRPMS:
php-eaccelerator-0.9.6.1-10.1.mga2.src.rpm
php-gd-bundled-5.3.14-1.mga2.src.rpm
php-5.3.14-1.mga2.src.rpm

Created attachment 2469 [details]
PoC test against CVE-2012-2143

Upstream patch provided PoC test code. Extracted code from patch at:

http://git.php.net/?p=php-src.git;a=commitdiff;h=aab49e934de1fff046e659cbec46e3d053b41c34

Tested on mga2 i586 & x86_64 with same results.

Update validated.
Thank you.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt()
in ext/standard/crypt_freesec.c when handling input which contains
characters that can not be represented with 7-bit ASCII. When the input
contains characters with only the most significant bit set (0x80), that
character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in
the way Phar extension of the PHP scripting language processed certain
fields by manipulating TAR files. A remote attacker could provide a
specially-crafted TAR archive file, which once processed in an PHP
application using the Phar extension could lead to denial of service
(application crash), or, potentially arbitary code execution with
the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================
Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm

----------------

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------------------------------------------------------

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: mga2-64-OK => mga2-64-OK, mga2-32-OK

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0118


Note:

comment 11 listed wrong rpms and missed some srpms, so I used list from comment 9

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED