Bug 8489 - [update candidate] php-5.3.23
: [update candidate] php-5.3.23
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/540472/
: has_procedure MGA2-32-OK MGA2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-12-24 09:48 CET by Oden Eriksson
Modified: 2013-04-02 22:05 CEST (History)
5 users (show)

See Also:
Source RPM: php-5.3.19-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description Oden Eriksson 2012-12-24 09:48:57 CET
Hello,

I have updated php for mga2 as an proposed update candidate. These are the source rpm packages involved:

php-5.3.20-1.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.6.mga2.src.rpm
php-firebird-5.3.20-1.mga2.src.rpm
php-gd-bundled-5.3.20-1.mga2.src.rpm
php-apc-3.1.13-1.1.mga2.src.rpm
php-pdo_firebird-5.3.20-1.mga2.src.rpm

I use this in production. I pushed the new version for Mandriva as of:

http://www.mandriva.com/security/advisories?name=MDVA-2012:070

Cheers // Santa
Comment 1 Oden Eriksson 2012-12-24 09:51:53 CET
Proposed advisory:

This is a maintenance and bugfix release that upgrades php to the
latest 5.3.20 version which resolves various upstream bugs in php.

Additionally the php-eaccelerator, php-firebird, php-gd-bundled, php-apc and php-pdo_firebird packages has been rebuilt for the new php version.

References:

http://www.php.net/ChangeLog-5.php#5.3.20
Comment 2 Manuel Hiebel 2012-12-24 12:43:22 CET
if the update is ready feel free to reassign to the QA

https://wiki.mageia.org/en/Updates_policy
Comment 3 Oden Eriksson 2012-12-24 13:37:17 CET
qateam, please see comment 1+2
Comment 4 claire robinson 2013-01-05 15:35:01 CET
Oden could you list rpms aswell as srpm's please. We install the rpm's in QA but need to know the srpms too for sysadmin.

Is the list below correct?

SRPM: php-5.3.20-1.mga2.src.rpm
-------------------------------
apache-mod_php
lib64php5_common5
php-bcmath
php-bz2
php-calendar
php-cgi
php-cli
php-ctype
php-curl
php-dba
php-devel
php-dom
php-enchant
php-exif
php-fileinfo
php-filter
php-fpm
php-ftp
php-gd
php-gettext
php-gmp
php-hash
php-iconv
php-imap
php-ini
php-intl
php-json
php-ldap
php-mbstring
php-mcrypt
php-mssql
php-mysqli
php-mysqlnd
php-mysql
php-odbc
php-openssl
php-pcntl
php-pdo_dblib
php-pdo_mysql
php-pdo_odbc
php-pdo_pgsql
php-pdo
php-pdo_sqlite
php-pgsql
php-phar
php-posix
php-readline
php-recode
php-session
php-shmop
php-snmp
php-soap
php-sockets
php-sqlite3
php-sqlite
php-sybase_ct
php-sysvmsg
php-sysvsem
php-sysvshm
php-tidy
php-tokenizer
php-wddx
php-xml
php-xmlreader
php-xmlrpc
php-xmlwriter
php-xsl
php-zip
php-zlib

SRPM: php-eaccelerator-0.9.6.1-10.6.mga2.src.rpm
------------------------------------------------
php-eaccelerator-admin
php-eaccelerator

SRPM: php-apc-3.1.13-1.1.mga2.src.rpm
-------------------------------------
php-apc-admin
php-apc

SRPM: php-gd-bundled-5.3.20-1.mga2.src.rpm
------------------------------------------
php-gd-bundled

SRPM: php-firebird-5.3.20-1.mga2.src.rpm
----------------------------------------
php-firebird

SRPM: php-pdo_firebird-5.3.20-1.mga2.src.rpm
--------------------------------------------
php-pdo_firebird
Comment 5 Oden Eriksson 2013-01-05 15:56:20 CET
apache-mod_php-5.3.20-1.mga2.i586.rpm
libphp5_common5-5.3.20-1.mga2.i586.rpm
php-apc-3.1.13-1.1.mga2.i586.rpm
php-apc-admin-3.1.13-1.1.mga2.i586.rpm
php-bcmath-5.3.20-1.mga2.i586.rpm
php-bz2-5.3.20-1.mga2.i586.rpm
php-calendar-5.3.20-1.mga2.i586.rpm
php-cgi-5.3.20-1.mga2.i586.rpm
php-cli-5.3.20-1.mga2.i586.rpm
php-ctype-5.3.20-1.mga2.i586.rpm
php-curl-5.3.20-1.mga2.i586.rpm
php-dba-5.3.20-1.mga2.i586.rpm
php-devel-5.3.20-1.mga2.i586.rpm
php-dom-5.3.20-1.mga2.i586.rpm
php-eaccelerator-0.9.6.1-10.6.mga2.i586.rpm
php-eaccelerator-admin-0.9.6.1-10.6.mga2.i586.rpm
php-enchant-5.3.20-1.mga2.i586.rpm
php-exif-5.3.20-1.mga2.i586.rpm
php-fileinfo-5.3.20-1.mga2.i586.rpm
php-filter-5.3.20-1.mga2.i586.rpm
php-firebird-5.3.20-1.mga2.i586.rpm
php-fpm-5.3.20-1.mga2.i586.rpm
php-ftp-5.3.20-1.mga2.i586.rpm
php-gd-5.3.20-1.mga2.i586.rpm
php-gd-bundled-5.3.20-1.mga2.i586.rpm
php-gettext-5.3.20-1.mga2.i586.rpm
php-gmp-5.3.20-1.mga2.i586.rpm
php-hash-5.3.20-1.mga2.i586.rpm
php-iconv-5.3.20-1.mga2.i586.rpm
php-imap-5.3.20-1.mga2.i586.rpm
php-ini-5.3.20-1.mga2.i586.rpm
php-intl-5.3.20-1.mga2.i586.rpm
php-json-5.3.20-1.mga2.i586.rpm
php-ldap-5.3.20-1.mga2.i586.rpm
php-mbstring-5.3.20-1.mga2.i586.rpm
php-mcrypt-5.3.20-1.mga2.i586.rpm
php-mssql-5.3.20-1.mga2.i586.rpm
php-mysql-5.3.20-1.mga2.i586.rpm
php-mysqli-5.3.20-1.mga2.i586.rpm
php-mysqlnd-5.3.20-1.mga2.i586.rpm
php-odbc-5.3.20-1.mga2.i586.rpm
php-openssl-5.3.20-1.mga2.i586.rpm
php-pcntl-5.3.20-1.mga2.i586.rpm
php-pdo-5.3.20-1.mga2.i586.rpm
php-pdo_dblib-5.3.20-1.mga2.i586.rpm
php-pdo_firebird-5.3.20-1.mga2.i586.rpm
php-pdo_mysql-5.3.20-1.mga2.i586.rpm
php-pdo_odbc-5.3.20-1.mga2.i586.rpm
php-pdo_pgsql-5.3.20-1.mga2.i586.rpm
php-pdo_sqlite-5.3.20-1.mga2.i586.rpm
php-pgsql-5.3.20-1.mga2.i586.rpm
php-phar-5.3.20-1.mga2.i586.rpm
php-posix-5.3.20-1.mga2.i586.rpm
php-readline-5.3.20-1.mga2.i586.rpm
php-recode-5.3.20-1.mga2.i586.rpm
php-session-5.3.20-1.mga2.i586.rpm
php-shmop-5.3.20-1.mga2.i586.rpm
php-snmp-5.3.20-1.mga2.i586.rpm
php-soap-5.3.20-1.mga2.i586.rpm
php-sockets-5.3.20-1.mga2.i586.rpm
php-sqlite3-5.3.20-1.mga2.i586.rpm
php-sqlite-5.3.20-1.mga2.i586.rpm
php-sybase_ct-5.3.20-1.mga2.i586.rpm
php-sysvmsg-5.3.20-1.mga2.i586.rpm
php-sysvsem-5.3.20-1.mga2.i586.rpm
php-sysvshm-5.3.20-1.mga2.i586.rpm
php-tidy-5.3.20-1.mga2.i586.rpm
php-tokenizer-5.3.20-1.mga2.i586.rpm
php-wddx-5.3.20-1.mga2.i586.rpm
php-xml-5.3.20-1.mga2.i586.rpm
php-xmlreader-5.3.20-1.mga2.i586.rpm
php-xmlrpc-5.3.20-1.mga2.i586.rpm
php-xmlwriter-5.3.20-1.mga2.i586.rpm
php-xsl-5.3.20-1.mga2.i586.rpm
php-zip-5.3.20-1.mga2.i586.rpm
php-zlib-5.3.20-1.mga2.i586.rpm

apache-mod_php-5.3.20-1.mga2.x86_64.rpm
lib64php5_common5-5.3.20-1.mga2.x86_64.rpm
php-apc-3.1.13-1.1.mga2.x86_64.rpm
php-apc-admin-3.1.13-1.1.mga2.x86_64.rpm
php-bcmath-5.3.20-1.mga2.x86_64.rpm
php-bz2-5.3.20-1.mga2.x86_64.rpm
php-calendar-5.3.20-1.mga2.x86_64.rpm
php-cgi-5.3.20-1.mga2.x86_64.rpm
php-cli-5.3.20-1.mga2.x86_64.rpm
php-ctype-5.3.20-1.mga2.x86_64.rpm
php-curl-5.3.20-1.mga2.x86_64.rpm
php-dba-5.3.20-1.mga2.x86_64.rpm
php-devel-5.3.20-1.mga2.x86_64.rpm
php-dom-5.3.20-1.mga2.x86_64.rpm
php-eaccelerator-0.9.6.1-10.6.mga2.x86_64.rpm
php-eaccelerator-admin-0.9.6.1-10.6.mga2.x86_64.rpm
php-enchant-5.3.20-1.mga2.x86_64.rpm
php-exif-5.3.20-1.mga2.x86_64.rpm
php-fileinfo-5.3.20-1.mga2.x86_64.rpm
php-filter-5.3.20-1.mga2.x86_64.rpm
php-firebird-5.3.20-1.mga2.x86_64.rpm
php-fpm-5.3.20-1.mga2.x86_64.rpm
php-ftp-5.3.20-1.mga2.x86_64.rpm
php-gd-5.3.20-1.mga2.x86_64.rpm
php-gd-bundled-5.3.20-1.mga2.x86_64.rpm
php-gettext-5.3.20-1.mga2.x86_64.rpm
php-gmp-5.3.20-1.mga2.x86_64.rpm
php-hash-5.3.20-1.mga2.x86_64.rpm
php-iconv-5.3.20-1.mga2.x86_64.rpm
php-imap-5.3.20-1.mga2.x86_64.rpm
php-ini-5.3.20-1.mga2.x86_64.rpm
php-intl-5.3.20-1.mga2.x86_64.rpm
php-json-5.3.20-1.mga2.x86_64.rpm
php-ldap-5.3.20-1.mga2.x86_64.rpm
php-mbstring-5.3.20-1.mga2.x86_64.rpm
php-mcrypt-5.3.20-1.mga2.x86_64.rpm
php-mssql-5.3.20-1.mga2.x86_64.rpm
php-mysql-5.3.20-1.mga2.x86_64.rpm
php-mysqli-5.3.20-1.mga2.x86_64.rpm
php-mysqlnd-5.3.20-1.mga2.x86_64.rpm
php-odbc-5.3.20-1.mga2.x86_64.rpm
php-openssl-5.3.20-1.mga2.x86_64.rpm
php-pcntl-5.3.20-1.mga2.x86_64.rpm
php-pdo-5.3.20-1.mga2.x86_64.rpm
php-pdo_dblib-5.3.20-1.mga2.x86_64.rpm
php-pdo_firebird-5.3.20-1.mga2.x86_64.rpm
php-pdo_mysql-5.3.20-1.mga2.x86_64.rpm
php-pdo_odbc-5.3.20-1.mga2.x86_64.rpm
php-pdo_pgsql-5.3.20-1.mga2.x86_64.rpm
php-pdo_sqlite-5.3.20-1.mga2.x86_64.rpm
php-pgsql-5.3.20-1.mga2.x86_64.rpm
php-phar-5.3.20-1.mga2.x86_64.rpm
php-posix-5.3.20-1.mga2.x86_64.rpm
php-readline-5.3.20-1.mga2.x86_64.rpm
php-recode-5.3.20-1.mga2.x86_64.rpm
php-session-5.3.20-1.mga2.x86_64.rpm
php-shmop-5.3.20-1.mga2.x86_64.rpm
php-snmp-5.3.20-1.mga2.x86_64.rpm
php-soap-5.3.20-1.mga2.x86_64.rpm
php-sockets-5.3.20-1.mga2.x86_64.rpm
php-sqlite3-5.3.20-1.mga2.x86_64.rpm
php-sqlite-5.3.20-1.mga2.x86_64.rpm
php-sybase_ct-5.3.20-1.mga2.x86_64.rpm
php-sysvmsg-5.3.20-1.mga2.x86_64.rpm
php-sysvsem-5.3.20-1.mga2.x86_64.rpm
php-sysvshm-5.3.20-1.mga2.x86_64.rpm
php-tidy-5.3.20-1.mga2.x86_64.rpm
php-tokenizer-5.3.20-1.mga2.x86_64.rpm
php-wddx-5.3.20-1.mga2.x86_64.rpm
php-xml-5.3.20-1.mga2.x86_64.rpm
php-xmlreader-5.3.20-1.mga2.x86_64.rpm
php-xmlrpc-5.3.20-1.mga2.x86_64.rpm
php-xmlwriter-5.3.20-1.mga2.x86_64.rpm
php-xsl-5.3.20-1.mga2.x86_64.rpm
php-zip-5.3.20-1.mga2.x86_64.rpm
php-zlib-5.3.20-1.mga2.x86_64.rpm
Comment 6 Oden Eriksson 2013-01-06 16:11:01 CET
Additional update:

php-apc-3.1.14-2.mga2:

- fix mdvbz #64711 (Add an APC flavor providing mmap shared memory and pthread mutex locking)

Proposed advisory:

The php-apc extension has been upgraded to the latest version (3.1.14) that resolves various upstream bugs.

The php-apc extension has been complemented with an additional flavour (apc-mmap+mutex.so) that resolves mdvbz #64711. Note: in Mageia you can easily switch between different flavours of APC, please have a look at the topmost lines in the /etc/php.d/99_apc.ini file.

References:

https://qa.mandriva.com/show_bug.cgi?id=64711
http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:004
http://pecl.php.net/package-changelog.php?package=APC&release=3.1.14

Updated files:

php-apc-3.1.14-2.mga2.src.rpm

php-apc-3.1.14-2.mga2.x86_64.rpm
php-apc-admin-3.1.14-2.mga2.x86_64.rpm
php-apc-debug-3.1.14-2.mga2.x86_64.rpm

php-apc-3.1.14-2.mga2.i586.rpm
php-apc-admin-3.1.14-2.mga2.i586.rpm
php-apc-debug-3.1.14-2.mga2.i586.rpm
Comment 7 claire robinson 2013-01-08 18:27:48 CET
Tested x86_64 with zoneminder, wordpress, phpmyadmin and drupal installed with each of sqlite3, mysql and postgresql databases. See bug 8442 for how.

php-accelerator tested with the admin package by browsing to localhost/php-eaccelerator and loggin in with the default credentials admin/eAccelerator, then watching the scripts being parsed, ebabling and disabling the services and enabling/disabling the services with the buttons there.

Still to test php-apc and php-firebird/php-pdo_firebird
Comment 8 Oden Eriksson 2013-01-08 20:06:20 CET
php-apc-3.1.14 makes apache (with squirrelmail) segfault for me, will check this tomorrow.
Comment 9 Oden Eriksson 2013-01-10 10:56:16 CET
php-apc has been rolled back to the previous version (php-apc-3.1.13-1.2.mga2) and should hit the mirrors soon'ish.
Comment 10 claire robinson 2013-01-10 14:46:31 CET
php-apc now tested mga2 64

Still to test php-firebird/php-pdo_firebird

php-apc tested with php-apc-admin after changing the default password in /var/www/php-apc/index.php browsing to http://localhost/php-apc logging in and watching the cache working.
Comment 11 claire robinson 2013-01-10 15:07:26 CET
Forgot to update php-apc before testing d'oh!

Works ok but the update clobbers the existing password.

It should probably create an rpmnew or rpmold for /var/www/php-apc/index.php
Comment 12 claire robinson 2013-01-10 15:20:08 CET
Checked with urpmq --whatrequires-recursive php-firebird and php-pdo_firebird and nothing we have requires them. 

I can't find any specific way to test them so just checking they install and updates ok, which they do does.

If we can prevent the clobbering of php-apc password then afaict everything else is ok mga2 64.
Comment 13 Oden Eriksson 2013-01-10 16:14:12 CET
(In reply to comment #11)
> Forgot to update php-apc before testing d'oh!
> 
> Works ok but the update clobbers the existing password.
> 
> It should probably create an rpmnew or rpmold for /var/www/php-apc/index.php

Fixed in cauldron with r344747, but this is probably too invasive for an update.
Comment 14 Oden Eriksson 2013-01-10 16:30:04 CET
(In reply to comment #13)
> (In reply to comment #11)
> > Forgot to update php-apc before testing d'oh!
> > 
> > Works ok but the update clobbers the existing password.
> > 
> > It should probably create an rpmnew or rpmold for /var/www/php-apc/index.php
> 
> Fixed in cauldron with r344747, but this is probably too invasive for an
> update.

Humm, maybe not when i start to think about it. One could clear the cache by using clever xss or with shell access, so this is actually more of a security fix.
Comment 15 claire robinson 2013-01-10 16:32:59 CET
It just needs to create the /var/www/php-apc/index.php.rpmold when upgrading. Probably rpmold is better than rpmnew as sec fixes could be in the rpmnew.
Comment 16 Oden Eriksson 2013-01-10 16:44:19 CET
Fixed, but differently in r344754 (mga2, updates_testing, php-apc-3.1.13-1.3.mga2)
Comment 17 Oden Eriksson 2013-01-10 16:47:31 CET
Also, previousely, when you wanted to secure the /var/www/php-apc/index.php by using login, this was overwritten/reverted (to no restrictions) with the next release bump. Not good at all...
Comment 18 claire robinson 2013-01-10 18:27:36 CET
A few issues, following our conversation on IRC. 

The update still clobbers the existing login/password which was previously set in /var/www/php-apc/index.php. 

The graph size is now 500 (was 200) which looks huge. 

Also, I created the /etc/php-apc/config.php, which you said should get an rpmsave, before applying the update and it hasn't create rpmsave etc. I didn't alter it from the default contents though before updating.

/etc/php-apc/config.php link so I don't lose it..
http://svnweb.mageia.org/packages/updates/2/php-apc/current/SOURCES/php-apc.config.php?revision=344754&view=co&pathrev=344754

chmod 640 /etc/php-apc/config.php
chown root:apache /etc/php-apc/config.php
Comment 19 Oden Eriksson 2013-01-10 19:04:57 CET
(In reply to comment #18)
> A few issues, following our conversation on IRC. 
> 
> The update still clobbers the existing login/password which was previously set
> in /var/www/php-apc/index.php. 
> 
> The graph size is now 500 (was 200) which looks huge. 
> 
> Also, I created the /etc/php-apc/config.php, which you said should get an
> rpmsave, before applying the update and it hasn't create rpmsave etc. I didn't
> alter it from the default contents though before updating.
> 
> /etc/php-apc/config.php link so I don't lose it..
> http://svnweb.mageia.org/packages/updates/2/php-apc/current/SOURCES/php-apc.config.php?revision=344754&view=co&pathrev=344754
> 
> chmod 640 /etc/php-apc/config.php
> chown root:apache /etc/php-apc/config.php

We covered this as an nono issue on irc.

I changed the graph size to 200 in php-apc-3.1.13-1.4.mga2
Comment 20 claire robinson 2013-01-10 19:12:31 CET
Could you summarise the changes you've made please Oden for the advisory.

Thanks.
Comment 21 Oden Eriksson 2013-01-10 19:16:19 CET
Proposed advisory for php-apc

The authentication logic and how this was handled in the APC admin script in the php-apc-admin package was flawed. If you previousely enabled the authentication by setting a password in the /var/www/php-apc/index.php file the changes would be lost with a possible future update of the package. If the authentication mechanism was not used local users could access features they shouldn't have access to. This has been addressed by using a new /etc/php-apc/config.php configuration file containing the the authentication credentials and more, in a much more safe, secure and update-friendly way.
Comment 22 Oden Eriksson 2013-01-10 19:21:13 CET
Additional text for the proposed advisory for php-apc

The owner of the system (the root user or equal) has to examine the /etc/php-apc/config.php file for the login name and password. The strong password is automatically generated on new installs.
Comment 23 David Walser 2013-01-11 01:22:00 CET
Having a problem with the php source.  Trying to rebuild on Mageia 2 in a VM, which has always worked fine in the past.  Now, twice in a row I got the following failure in make check:

TEST 630/6835 [tests/output/bug63377.phpt]
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130809857 bytes) in /home/<username>/php/BUILD/php-5.3.20/run-tests.php on line 1099
Comment 24 claire robinson 2013-01-11 14:24:38 CET
David do you consider that a reason not to validate?
Comment 25 claire robinson 2013-01-11 14:37:15 CET
Confirmed that if /etc/php-apc/config.php exists and the password is not default then it creates the new one as rpmnew, which will prevent clobbering the settings in future updates.

Confirmed the graph size fix and clicked buttons in the admin page, no errors noticed.

Testing complete mga2 64 unless David wants to look further into the test failure in comment 23.
Comment 26 David Walser 2013-01-11 17:42:46 CET
(In reply to comment #23)
> Having a problem with the php source.  Trying to rebuild on Mageia 2 in a VM,
> which has always worked fine in the past.  Now, twice in a row I got the
> following failure in make check:
> 
> TEST 630/6835 [tests/output/bug63377.phpt]
> Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
> allocate 130809857 bytes) in
> /home/<username>/php/BUILD/php-5.3.20/run-tests.php on line 1099

This is a new test that was added in 5.3.20, and it is buggy.  It checks the system's available memory and wants to not try to run it if there isn't enough available, but that check doesn't work, and it tries to run the test anyway.  So this test will fail on any system that doesn't have at least 2100MB of free memory.

The fix is actually quite simple since it's a stupid error.  They tried to convert kilobytes reported in /proc/meminfo to megabytes by *multiplying* by 1024, rather than dividing!

Line 18 of php-5.3.20/tests/output/bug63377.phpt should be changed as follows:
-    $value = (int)ltrim($tmp[1], " ")*1024;
+    $value = (int)((int)ltrim($tmp[1], " ")/1024);
Comment 27 Oden Eriksson 2013-01-11 17:51:23 CET
Could you please test this:

--- php-5.3.20/tests/output/bug63377.phpt       2012-12-19 16:13:48.000000000 +0100
+++ php-5.3.21RC1/tests/output/bug63377.phpt    2013-01-03 22:47:29.000000000 +0100
@@ -1,7 +1,11 @@
 --TEST--
 Bug #63377 (Segfault on output buffer > 2GB)
---SKIPF--
+--SKIPIF--
 <?php
+if (PHP_INT_SIZE == 4) {
+  die('skip Not for 32-bits OS');
+}
+
 $zend_mm_enabled = getenv("USE_ZEND_ALLOC");
 if ($zend_mm_enabled === "0") {
     die("skip Zend MM disabled");
@@ -19,7 +23,7 @@ if (PHP_OS == 'Linux') {
     $infos[$index] = $value;
   }
   $freeMemory = $infos['memfree']+$infos['buffers']+$infos['cached'];
-  if ($freeMemory < 2100*1024*1024) {
+  if ($freeMemory < 3072*1024*1024) {
     die('skip Not enough memory.');
   }
 }
@@ -38,7 +42,7 @@ elseif (PHP_OS == 'FreeBSD') {
   $freeMemory = ($infos['vm.stats.vm.v_inactive_count']*$infos['hw.pagesize'])
                 +($infos['vm.stats.vm.v_cache_count']*$infos['hw.pagesize'])
                 +($infos['vm.stats.vm.v_free_count']*$infos['hw.pagesize']);
-  if ($freeMemory < 2100*1024*1024) {
+  if ($freeMemory < 3072*1024*1024) {
     die('skip Not enough memory.');
   }
 }
Comment 28 David Walser 2013-01-11 18:09:59 CET
Actually it later converts everything to bytes by multiplying, so I was wrong, and on second look that code doesn't appear wrong.  For whatever reason, it's just not protecting it from running this test.
Comment 29 David Walser 2013-01-11 19:30:13 CET
OK, using Oden's patch it does build.

I also tested using my normal test cases from:
https://bugs.mageia.org/show_bug.cgi?id=3895#c35

It's good for me on i586.  Note that doesn't test things from the supplementary SRPMS, just the main php one.
Comment 30 claire robinson 2013-01-11 19:37:13 CET
No need to rebuild for this then by the sounds of it?
Comment 31 David Walser 2013-01-11 19:38:34 CET
(In reply to comment #30)
> No need to rebuild for this then by the sounds of it?

I suppose not.  The issue is documented in this bug, which will be linked in the advisory.
Comment 32 claire robinson 2013-01-11 19:43:03 CET
Previous testing stands then, just needs testing i586.

Testing procedure is spread across comments but it is there :)
Comment 33 David Walser 2013-01-18 02:17:53 CET
OK, I've tested all of the supplemental packages on i586.

All are fine for me except for php-apc.  With php-apc installed, all of my PHP testcases fail.
Comment 34 David Walser 2013-01-18 18:59:56 CET
(In reply to comment #33)
> All are fine for me except for php-apc.  With php-apc installed, all of my PHP
> testcases fail.

The failures were http code 500, premature end of script headers, from the CGIs.

/var/log/httpd/error_log had messages like this:
[Thu Jan 17 20:15:25 2013] [error] [client 127.0.0.1] PHP Fatal error:  PHP Startup: apc_mmap: mkstemp on /var/lib/php-apc/apc.nDRtTQ failed: in Unknown on line 0, referer: http://localhost/~<username>/survey.html
[Thu Jan 17 20:15:25 2013] [error] [client 127.0.0.1] PHP Fatal error:  PHP Startup: apc_fcntl_create: open(/var/lib/php-apc/.apc.X69zLB, O_RDWR|O_CREAT, 0666) failed: in Unknown on line 0, referer: http://localhost/~<username>/survey.html

The CGIs are running through suexec, so the issue is my user doesn't have write access to /var/lib/php-apc.  I did chmod 1777 /var/lib/php-apc, and now they work fine with it installed.
Comment 35 claire robinson 2013-01-18 19:16:51 CET
Do you consider that a problem with php-apc David or just a feature of your script?

Did you test php-eaccelerator too?
Comment 36 David Walser 2013-01-18 19:43:32 CET
(In reply to comment #35)
> Do you consider that a problem with php-apc David or just a feature of your
> script?

It's not anything special about my tests.  Anyone using CGIs through suexec (ones in ~/public_html/cgi-bin) will have this problem with php-apc.

> Did you test php-eaccelerator too?

Yes, that one worked fine.
Comment 37 David Walser 2013-01-18 19:46:35 CET
PHP 5.3.21 is out and is being built for updates_testing now by Oden.
Comment 38 David Walser 2013-01-18 23:51:38 CET
Testing complete on i586.  Same results as before.

php-5.3.21-1.mga2
php-apc-3.1.13-1.5.mga2
php-eaccelerator-0.9.6.1-10.7.mga2
php-firebird-5.3.21-1.mga2
php-gd-bundled-5.3.21-1.mga2
php-pdo_firebird-5.3.21-1.mga2
Comment 39 David Walser 2013-01-22 01:22:35 CET
Oden, do you have any thoughts on the php-apc issue?

Also, do you have anything to add to the advisory now that this is 5.3.21?
Comment 40 Oden Eriksson 2013-01-22 11:55:04 CET
Regarding suexec and apc. I haven't used it like that but I think you could pass something like '-d apc.mmap_file_mask="/path/to/userdir/tmp/apc.XXXXXX"' in your per-user suexec wrapper script (untested). Here's a writeup using fastcgi:

http://www.brandonturner.net/blog/2009/07/fastcgi_with_php_opcode_cache/

Or, you could try some other combination of apc, there's a few of them:

$ grep "\.so$" apc.ini
extension = apc-mmap.so
;extension = apc-sem.so
;extension = apc-spinlocks.so
;extension = apc-pthread.so
;extension = apc-mmap+mutex.so
Comment 41 Oden Eriksson 2013-01-22 11:58:26 CET
Proposed advisory:

This is a maintenance and bugfix release that upgrades php to the
latest 5.3.21 version which resolves various upstream bugs in php.

Additionally the php-eaccelerator, php-firebird, php-gd-bundled, php-apc and
php-pdo_firebird packages has been rebuilt for the new php version.

The authentication logic and how this was handled in the APC admin script in
the php-apc-admin package was flawed. If you previousely enabled the
authentication by setting a password in the /var/www/php-apc/index.php file the
changes would be lost with a possible future update of the package. If the
authentication mechanism was not used local users could access features they
shouldn't have access to. This has been addressed by using a new
/etc/php-apc/config.php configuration file containing the the authentication
credentials and more, in a much more safe, secure and update-friendly way.

The owner of the system (the root user or equal) has to examine the
/etc/php-apc/config.php file for the login name and password. The strong
password is automatically generated on new installs.


References:

http://www.php.net/ChangeLog-5.php#5.3.20
http://www.php.net/ChangeLog-5.php#5.3.21
Comment 42 David Walser 2013-01-23 00:46:36 CET
(In reply to comment #40)
> Regarding suexec and apc. I haven't used it like that but I think you could
> pass something like '-d apc.mmap_file_mask="/path/to/userdir/tmp/apc.XXXXXX"'
> in your per-user suexec wrapper script (untested). Here's a writeup using
> fastcgi:
> 
> http://www.brandonturner.net/blog/2009/07/fastcgi_with_php_opcode_cache/

That's just craziness.

> Or, you could try some other combination of apc, there's a few of them:
> 
> $ grep "\.so$" apc.ini
> extension = apc-mmap.so
> ;extension = apc-sem.so
> ;extension = apc-spinlocks.so
> ;extension = apc-pthread.so
> ;extension = apc-mmap+mutex.so

Neither of the mmap ones work out of the box, but the other three do work.
Comment 43 Oden Eriksson 2013-01-23 16:39:54 CET
Relaxing dir permissions on /var/lib/php-apc would not be an option.

IMO apache 1.3.x was easier to use with multi-homing. These days people use apache2 + php differently using special MPMs, nginx, varnish, fpm and what have you. But, changing to something else than mod_php that fits all would be quite an undertakement.
Comment 44 David Walser 2013-01-30 01:19:26 CET
So is anything going to be done about php-apc?

BTW, Funda just rebuilt php to fix some issue with php-gd and libjpeg-turbo.
Comment 45 David Walser 2013-01-30 01:47:33 CET
Hmm, should php-gd-bundled be rebuilt?
Comment 46 David Walser 2013-02-07 21:36:06 CET
Adding feedback marker as we need some responses from Oden.
Comment 48 Oden Eriksson 2013-02-12 15:50:26 CET
Anyway, we should wait for 5.3.22.
Comment 49 David Walser 2013-02-13 21:48:18 CET
Assigning to Oden until 5.3.22 is ready.
Comment 50 Oden Eriksson 2013-02-15 10:38:53 CET
5.3.22RC2 has 2 sec fixes:

- SOAP
  . Added check that soap.wsdl_cache_dir conforms to open_basedir
    (CVE-2013-1635). (Dmitry)
  . Disabled external entities loading (CVE-2013-1643). (Dmitry)

This is now considered public info.
Comment 59 Oden Eriksson 2013-02-28 10:56:10 CET
Proposed advisory:

Multiple vulnerabilities has been discovered and corrected in php:

PHP does not validate the configration directive "soap.wsdl_cache_dir" before
writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to
write remote wsdl files to arbitrary locations (CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl files which
allows an attacker to read arbitrary files. If a web application unserializes
user-supplied data and tries to execute any method of it, an attacker can send
serialized SoapClient object initialized in non-wsdl mode which will make PHP
to parse automatically remote XML-document specified in the "location" option
parameter (CVE-2013-1643).

The updated packages have been upgraded to the 5.3.22 version which is not
vulnerable to these issues.

Additionally, some packages which requires so has been rebuilt for php-5.3.22.
Comment 60 Oden Eriksson 2013-02-28 10:58:39 CET
Proposed advisory:

Multiple vulnerabilities has been discovered and corrected in php:

PHP does not validate the configration directive "soap.wsdl_cache_dir" before
writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to
write remote wsdl files to arbitrary locations (CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl files which
allows an attacker to read arbitrary files. If a web application unserializes
user-supplied data and tries to execute any method of it, an attacker can send
serialized SoapClient object initialized in non-wsdl mode which will make PHP
to parse automatically remote XML-document specified in the "location" option
parameter (CVE-2013-1643).

The authentication logic and how this was handled in the APC admin script in
the php-apc-admin package was flawed. If you previousely enabled the
authentication by setting a password in the /var/www/php-apc/index.php file the
changes would be lost with a possible future update of the package. If the
authentication mechanism was not used local users could access features they
shouldn't have access to. This has been addressed by using a new
/etc/php-apc/config.php configuration file containing the the authentication
credentials and more, in a much more safe, secure and update-friendly way.

The owner of the system (the root user or equal) has to examine the
/etc/php-apc/config.php file for the login name and password. The strong
password is automatically generated on new installs.

The updated packages have been upgraded to the 5.3.22 version which is not
vulnerable to these issues.

Additionally, some packages which requires so has been rebuilt for php-5.3.22.


References:

http://www.php.net/ChangeLog-5.php#5.3.20
http://www.php.net/ChangeLog-5.php#5.3.21
http://www.php.net/ChangeLog-5.php#5.3.22
Comment 61 David Walser 2013-02-28 12:52:49 CET
Assigning back to QA.

php-5.3.22-3.mga2
php-apc-3.1.13-1.6.mga2
php-eaccelerator-0.9.6.1-10.8.mga2
php-firebird-5.3.22-1.mga2
php-gd-bundled-5.3.22-1.mga2
php-pdo_firebird-5.3.22-1.mga2
Comment 62 claire robinson 2013-02-28 12:54:24 CET
Could you list the new rpm's too please
Comment 63 Oden Eriksson 2013-02-28 13:58:41 CET
I made a mistake and put php-5.3.22-3.mga2 in nonfree/updates_testing. Can someone move this to the correct repo, or how should it be done?
Comment 64 David Walser 2013-02-28 16:52:26 CET
(In reply to Oden Eriksson from comment #63)
> I made a mistake and put php-5.3.22-3.mga2 in nonfree/updates_testing. Can
> someone move this to the correct repo, or how should it be done?

Yes, it can be moved.  We can CC the sysadmins here, and they might see it.  For this sort of thing, I usually ask in #mageia-sysadm on IRC and if one of our sysadmins are there, they can move it.  You could probably also just resubmit the build to core/updates_testing and ask them to remove the one in nonfree.
Comment 65 David Walser 2013-02-28 17:06:15 CET
Here's Mandriva's advisory:
http://www.mandriva.com/en/support/security/advisories/2011/MDVSA-2013:016/
Comment 66 Thomas Backlund 2013-02-28 20:12:19 CET
php nuked from nonfree/updates_testing so you can submit it again to core/updates_testing
Comment 67 David Walser 2013-02-28 20:59:33 CET
Thanks Thomas!

I'll post the full package list at some point after it's built (building now).
Comment 68 David Walser 2013-03-01 16:08:32 CET
Advisory in Comment 60.

Packages built:
apache-mod_php-5.3.22-3.mga2
libphp5_common5-5.3.22-3.mga2
php-bcmath-5.3.22-3.mga2
php-bz2-5.3.22-3.mga2
php-calendar-5.3.22-3.mga2
php-cgi-5.3.22-3.mga2
php-cli-5.3.22-3.mga2
php-ctype-5.3.22-3.mga2
php-curl-5.3.22-3.mga2
php-dba-5.3.22-3.mga2
php-devel-5.3.22-3.mga2
php-dom-5.3.22-3.mga2
php-enchant-5.3.22-3.mga2
php-exif-5.3.22-3.mga2
php-fileinfo-5.3.22-3.mga2
php-filter-5.3.22-3.mga2
php-fpm-5.3.22-3.mga2
php-ftp-5.3.22-3.mga2
php-gd-5.3.22-3.mga2
php-gettext-5.3.22-3.mga2
php-gmp-5.3.22-3.mga2
php-hash-5.3.22-3.mga2
php-iconv-5.3.22-3.mga2
php-imap-5.3.22-3.mga2
php-ini-5.3.22-3.mga2
php-intl-5.3.22-3.mga2
php-json-5.3.22-3.mga2
php-ldap-5.3.22-3.mga2
php-mbstring-5.3.22-3.mga2
php-mcrypt-5.3.22-3.mga2
php-mssql-5.3.22-3.mga2
php-mysql-5.3.22-3.mga2
php-mysqli-5.3.22-3.mga2
php-mysqlnd-5.3.22-3.mga2
php-odbc-5.3.22-3.mga2
php-openssl-5.3.22-3.mga2
php-pcntl-5.3.22-3.mga2
php-pdo-5.3.22-3.mga2
php-pdo_dblib-5.3.22-3.mga2
php-pdo_mysql-5.3.22-3.mga2
php-pdo_odbc-5.3.22-3.mga2
php-pdo_pgsql-5.3.22-3.mga2
php-pdo_sqlite-5.3.22-3.mga2
php-pgsql-5.3.22-3.mga2
php-phar-5.3.22-3.mga2
php-posix-5.3.22-3.mga2
php-readline-5.3.22-3.mga2
php-recode-5.3.22-3.mga2
php-session-5.3.22-3.mga2
php-shmop-5.3.22-3.mga2
php-snmp-5.3.22-3.mga2
php-soap-5.3.22-3.mga2
php-sockets-5.3.22-3.mga2
php-sqlite-5.3.22-3.mga2
php-sqlite3-5.3.22-3.mga2
php-sybase_ct-5.3.22-3.mga2
php-sysvmsg-5.3.22-3.mga2
php-sysvsem-5.3.22-3.mga2
php-sysvshm-5.3.22-3.mga2
php-tidy-5.3.22-3.mga2
php-tokenizer-5.3.22-3.mga2
php-wddx-5.3.22-3.mga2
php-xml-5.3.22-3.mga2
php-xmlreader-5.3.22-3.mga2
php-xmlrpc-5.3.22-3.mga2
php-xmlwriter-5.3.22-3.mga2
php-xsl-5.3.22-3.mga2
php-zip-5.3.22-3.mga2
php-zlib-5.3.22-3.mga2
php-apc-3.1.13-1.6.mga2
php-apc-admin-3.1.13-1.6.mga2
php-eaccelerator-0.9.6.1-10.8.mga2
php-eaccelerator-admin-0.9.6.1-10.8.mga2
php-gd-bundled-5.3.22-1.mga2
php-firebird-5.3.22-1.mga2
php-pdo_firebird-5.3.22-1.mga2

from SRPMS:
php-5.3.22-3.mga2.src.rpm
php-apc-3.1.13-1.6.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.8.mga2.src.rpm
php-gd-bundled-5.3.22-1.mga2.src.rpm
php-firebird-5.3.22-1.mga2.src.rpm
php-pdo_firebird-5.3.22-1.mga2.src.rpm
Comment 71 Oden Eriksson 2013-03-05 20:42:28 CET
NOTE: new packages:

http://svnweb.mageia.org/packages?view=revision&revision=401486

php-5.3.22-4.mga2:
- P303: added a new mageia logo by Rémi Verschelde
Comment 72 Oden Eriksson 2013-03-06 12:20:21 CET
======================================================
Name: CVE-2013-1635
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130207
Category: 
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=459904
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=918196

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not
validate the relationship between the soap.wsdl_cache_dir directive
and the open_basedir directive, which allows remote attackers to
bypass intended access restrictions by triggering the creation of
cached SOAP WSDL files in an arbitrary directory.



======================================================
Name: CVE-2013-1643
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130210
Category: 
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=459904
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=918187

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows
remote attackers to read arbitrary files via a SOAP WSDL file
containing an XML external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue in the
soap_xmlParseFile and soap_xmlParseMemory functions.
Comment 73 claire robinson 2013-03-12 09:56:22 CET
Assigning Oden

Please reassign when this is ready for QA.

Thanks!
Comment 74 David Walser 2013-03-15 16:10:34 CET
Now we have:
php-5.3.23-1.mga2
php-apc-3.1.13-1.7.mga2
php-eaccelerator-0.9.6.1-10.9.mga2
php-gd-bundled-5.3.23-1.mga2
php-firebird-5.3.23-1.mga2
php-pdo_firebird-5.3.23-1.mga2
php-timezonedb-2013.2-1.mga2
Comment 75 Oden Eriksson 2013-03-18 09:08:02 CET
Packages:

php-5.3.23-1.mga2.src.rpm
php-firebird-5.3.23-1.mga2.src.rpm
php-gd-bundled-5.3.23-1.mga2.src.rpm
php-pdo_firebird-5.3.23-1.mga2.src.rpm
php-apc-3.1.13-1.7.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.src.rpm
php-timezonedb-2013.2-1.mga2.src.rpm


php-pdo_firebird-5.3.23-1.mga2.i586.rpm
php-snmp-5.3.23-1.mga2.i586.rpm
php-soap-5.3.23-1.mga2.i586.rpm
php-iconv-5.3.23-1.mga2.i586.rpm
php-phar-5.3.23-1.mga2.i586.rpm
php-ctype-5.3.23-1.mga2.i586.rpm
php-readline-5.3.23-1.mga2.i586.rpm
php-pdo_odbc-5.3.23-1.mga2.i586.rpm
php-xmlrpc-5.3.23-1.mga2.i586.rpm
php-sqlite3-5.3.23-1.mga2.i586.rpm
php-imap-5.3.23-1.mga2.i586.rpm
php-pdo_pgsql-5.3.23-1.mga2.i586.rpm
php-cgi-5.3.23-1.mga2.i586.rpm
php-dom-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                     
php-devel-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                   
php-xmlreader-5.3.23-1.mga2.i586.rpm                                                                                                                                                                               
php-ftp-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                     
libphp5_common5-5.3.23-1.mga2.i586.rpm                                                                                                                                                                             
php-zlib-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                    
php-xml-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                     
php-pdo_dblib-5.3.23-1.mga2.i586.rpm                                                                                                                                                                               
php-fpm-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                     
php-xmlwriter-5.3.23-1.mga2.i586.rpm                                                                                                                                                                               
php-hash-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                    
php-calendar-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                
php-pgsql-5.3.23-1.mga2.i586.rpm                                                                                                                                                                                   
php-cli-5.3.23-1.mga2.i586.rpm
php-sockets-5.3.23-1.mga2.i586.rpm
php-mysql-5.3.23-1.mga2.i586.rpm
php-tokenizer-5.3.23-1.mga2.i586.rpm
php-exif-5.3.23-1.mga2.i586.rpm
php-bcmath-5.3.23-1.mga2.i586.rpm
php-sqlite-5.3.23-1.mga2.i586.rpm
php-zip-5.3.23-1.mga2.i586.rpm
php-sysvsem-5.3.23-1.mga2.i586.rpm
php-mcrypt-5.3.23-1.mga2.i586.rpm
php-gd-5.3.23-1.mga2.i586.rpm
php-posix-5.3.23-1.mga2.i586.rpm
php-pdo_mysql-5.3.23-1.mga2.i586.rpm
php-mbstring-5.3.23-1.mga2.i586.rpm
php-dba-5.3.23-1.mga2.i586.rpm
php-pdo-5.3.23-1.mga2.i586.rpm
php-ini-5.3.23-1.mga2.i586.rpm
php-shmop-5.3.23-1.mga2.i586.rpm
php-intl-5.3.23-1.mga2.i586.rpm
php-openssl-5.3.23-1.mga2.i586.rpm
php-gd-bundled-5.3.23-1.mga2.i586.rpm
php-sysvmsg-5.3.23-1.mga2.i586.rpm
php-gmp-5.3.23-1.mga2.i586.rpm
php-wddx-5.3.23-1.mga2.i586.rpm
php-recode-5.3.23-1.mga2.i586.rpm
php-sybase_ct-5.3.23-1.mga2.i586.rpm
php-sysvshm-5.3.23-1.mga2.i586.rpm
php-gettext-5.3.23-1.mga2.i586.rpm
php-enchant-5.3.23-1.mga2.i586.rpm
php-firebird-5.3.23-1.mga2.i586.rpm
php-json-5.3.23-1.mga2.i586.rpm
php-bz2-5.3.23-1.mga2.i586.rpm
php-mssql-5.3.23-1.mga2.i586.rpm
php-xsl-5.3.23-1.mga2.i586.rpm
php-pdo_sqlite-5.3.23-1.mga2.i586.rpm
php-fileinfo-5.3.23-1.mga2.i586.rpm
php-odbc-5.3.23-1.mga2.i586.rpm
php-pcntl-5.3.23-1.mga2.i586.rpm
php-mysqli-5.3.23-1.mga2.i586.rpm
php-filter-5.3.23-1.mga2.i586.rpm
php-session-5.3.23-1.mga2.i586.rpm
php-curl-5.3.23-1.mga2.i586.rpm
php-tidy-5.3.23-1.mga2.i586.rpm
apache-mod_php-5.3.23-1.mga2.i586.rpm
php-ldap-5.3.23-1.mga2.i586.rpm
php-mysqlnd-5.3.23-1.mga2.i586.rpm
php-enchant-5.3.23-1.mga2.x86_64.rpm
php-pdo_pgsql-5.3.23-1.mga2.x86_64.rpm
php-zip-5.3.23-1.mga2.x86_64.rpm
php-fpm-5.3.23-1.mga2.x86_64.rpm
php-gd-5.3.23-1.mga2.x86_64.rpm
php-ini-5.3.23-1.mga2.x86_64.rpm
php-zlib-5.3.23-1.mga2.x86_64.rpm
php-sysvshm-5.3.23-1.mga2.x86_64.rpm
php-ftp-5.3.23-1.mga2.x86_64.rpm
php-mbstring-5.3.23-1.mga2.x86_64.rpm
php-tidy-5.3.23-1.mga2.x86_64.rpm
php-gettext-5.3.23-1.mga2.x86_64.rpm
php-pdo-5.3.23-1.mga2.x86_64.rpm
php-ldap-5.3.23-1.mga2.x86_64.rpm
php-mysqli-5.3.23-1.mga2.x86_64.rpm
php-pdo_dblib-5.3.23-1.mga2.x86_64.rpm
php-wddx-5.3.23-1.mga2.x86_64.rpm
php-snmp-5.3.23-1.mga2.x86_64.rpm
php-mssql-5.3.23-1.mga2.x86_64.rpm
php-json-5.3.23-1.mga2.x86_64.rpm
php-exif-5.3.23-1.mga2.x86_64.rpm
php-readline-5.3.23-1.mga2.x86_64.rpm
php-bz2-5.3.23-1.mga2.x86_64.rpm
php-filter-5.3.23-1.mga2.x86_64.rpm
php-pcntl-5.3.23-1.mga2.x86_64.rpm
php-xmlrpc-5.3.23-1.mga2.x86_64.rpm
php-cli-5.3.23-1.mga2.x86_64.rpm
php-xml-5.3.23-1.mga2.x86_64.rpm
php-mysqlnd-5.3.23-1.mga2.x86_64.rpm
apache-mod_php-5.3.23-1.mga2.x86_64.rpm
php-mysql-5.3.23-1.mga2.x86_64.rpm
php-fileinfo-5.3.23-1.mga2.x86_64.rpm
php-imap-5.3.23-1.mga2.x86_64.rpm
php-pdo_firebird-5.3.23-1.mga2.x86_64.rpm
php-phar-5.3.23-1.mga2.x86_64.rpm
php-firebird-5.3.23-1.mga2.x86_64.rpm
php-devel-5.3.23-1.mga2.x86_64.rpm
php-sqlite-5.3.23-1.mga2.x86_64.rpm
php-xsl-5.3.23-1.mga2.x86_64.rpm
php-dba-5.3.23-1.mga2.x86_64.rpm
php-cgi-5.3.23-1.mga2.x86_64.rpm
php-iconv-5.3.23-1.mga2.x86_64.rpm
php-intl-5.3.23-1.mga2.x86_64.rpm
php-xmlwriter-5.3.23-1.mga2.x86_64.rpm
php-pdo_mysql-5.3.23-1.mga2.x86_64.rpm
php-sqlite3-5.3.23-1.mga2.x86_64.rpm
php-soap-5.3.23-1.mga2.x86_64.rpm
php-hash-5.3.23-1.mga2.x86_64.rpm
lib64php5_common5-5.3.23-1.mga2.x86_64.rpm
php-pgsql-5.3.23-1.mga2.x86_64.rpm
php-openssl-5.3.23-1.mga2.x86_64.rpm
php-dom-5.3.23-1.mga2.x86_64.rpm
php-calendar-5.3.23-1.mga2.x86_64.rpm
php-sockets-5.3.23-1.mga2.x86_64.rpm
php-session-5.3.23-1.mga2.x86_64.rpm
php-mcrypt-5.3.23-1.mga2.x86_64.rpm
php-curl-5.3.23-1.mga2.x86_64.rpm
php-odbc-5.3.23-1.mga2.x86_64.rpm
php-posix-5.3.23-1.mga2.x86_64.rpm
php-bcmath-5.3.23-1.mga2.x86_64.rpm
php-xmlreader-5.3.23-1.mga2.x86_64.rpm
php-sysvsem-5.3.23-1.mga2.x86_64.rpm
php-sysvmsg-5.3.23-1.mga2.x86_64.rpm
php-gmp-5.3.23-1.mga2.x86_64.rpm
php-gd-bundled-5.3.23-1.mga2.x86_64.rpm
php-shmop-5.3.23-1.mga2.x86_64.rpm
php-recode-5.3.23-1.mga2.x86_64.rpm
php-pdo_sqlite-5.3.23-1.mga2.x86_64.rpm
php-tokenizer-5.3.23-1.mga2.x86_64.rpm
php-ctype-5.3.23-1.mga2.x86_64.rpm
php-sybase_ct-5.3.23-1.mga2.x86_64.rpm
php-pdo_odbc-5.3.23-1.mga2.x86_64.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.i586.rpm
php-eaccelerator-admin-0.9.6.1-10.9.mga2.i586.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.x86_64.rpm
php-eaccelerator-admin-0.9.6.1-10.9.mga2.x86_64.rpm
php-apc-admin-3.1.13-1.7.mga2.i586.rpm
php-apc-3.1.13-1.7.mga2.i586.rpm
php-apc-admin-3.1.13-1.7.mga2.x86_64.rpm
php-apc-3.1.13-1.7.mga2.x86_64.rpm
php-timezonedb-2013.2-1.mga2.i586.rpm
php-timezonedb-2013.2-1.mga2.x86_64.rpm
Comment 76 Oden Eriksson 2013-03-18 09:20:26 CET
Proposed advisory:

Multiple vulnerabilities has been discovered and corrected in php:

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory (CVE-2013-1635).

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions (CVE-2013-1643).

Backported upstream php bug #61930: "openssl corrupts ssl key resource when using openssl_get_publickey()" to php-5.3.x.

The new "Powered by Mageia logo" has been added to php, this is only a cosmetic change.

The authentication logic and how this was handled in the APC admin script in
the php-apc-admin package was flawed. If you previousely enabled the
authentication by setting a password in the /var/www/php-apc/index.php file the
changes would be lost with a possible future update of the package. If the
authentication mechanism was not used local users could access features they
shouldn't have access to. This has been addressed by using a new
/etc/php-apc/config.php configuration file containing the the authentication
credentials and more, in a much more safe, secure and update-friendly way.

The owner of the system (the root user or equal) has to examine the
/etc/php-apc/config.php file for the login name and password. The strong
password is automatically generated on new installs.

The php-timezonedb package has been updated to the 2013.2 version.

The updated packages have been upgraded to the 5.3.23 version which is not
vulnerable to these issues.

Additionally, some packages which requires so has been rebuilt for php-5.3.23.


References:

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
http://www.php.net/ChangeLog-5.php#5.3.20
http://www.php.net/ChangeLog-5.php#5.3.21
http://www.php.net/ChangeLog-5.php#5.3.22
http://www.php.net/ChangeLog-5.php#5.3.23
https://bugs.php.net/bug.php?id=61930
Comment 77 Oden Eriksson 2013-03-18 09:24:18 CET
qateam: 

PoCs for CVE-2013-1635, CVE-2013-1643 and https://bugs.php.net/bug.php?id=61930 exists in the bundled test suite.

Package list in Comment 75

Advisory text in Comment 76
Comment 78 David Walser 2013-03-18 21:13:13 CET
Testing everything on i586.  Same results as before.  Everything works.

I still had to change the 99_apc.ini to change which extension is loaded, as the mmap ones don't work through suexec.  The other ones work.

One strange thing I noticed that I don't remember from before, when installing or uninstalling php-apc or php-eaccelerator and its associated admin package at the same time, at the end of the transaction apache is reloaded (because of the apache config file added by the admin package) and then immediately restarted (because of the added PHP module), which is expected, but what was strange this time was the restart took a really long time.  It does complete and everything still works OK.
Comment 79 Dave Hodgins 2013-03-24 00:20:41 CET
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpms
php-5.3.23-1.mga2.src.rpm
php-firebird-5.3.23-1.mga2.src.rpm
php-gd-bundled-5.3.23-1.mga2.src.rpm
php-pdo_firebird-5.3.23-1.mga2.src.rpm
php-apc-3.1.13-1.7.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.src.rpm
php-timezonedb-2013.2-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Please see Comment 76 for the advisory.
Comment 80 Thomas Backlund 2013-04-02 22:05:31 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101

Note You need to log in before you can comment on or make changes to this bug.