Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635356 (CVE-2017-9841)

Summary: <dev-php/phpunit-5.7.15-r1: Remote code execution
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: php-bugs
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/sebastianbergmann/phpunit/pull/1956
Whiteboard: C2 [glsa cve]
Package list:
=dev-php/phpunit-5.7.15-r1 =dev-php/phpunit-mock-objects-3.4.3 =dev-php/doctrine-instantiator-1.0.5 =dev-php/fedora-autoloader-0.2.1 =dev-php/sebastian-object-enumerator-2.0.1 =dev-php/sebastian-global-state-1.1.1 =dev-php/phpdocumentor-reflection-common-1.0 =dev-php/phpspec-prophecy-1.7.0 =dev-php/sebastian-recursion-context-2.0.0 =dev-php/myclabs-deepcopy-1.6.0 =dev-php/sebastian-resource-operations-1.0.0 =dev-php/PHP_CodeCoverage-4.0.7 =dev-php/Text_Template-1.2.1 =dev-php/symfony-yaml-2.1.0 =dev-php/File_Iterator-1.4.2 =dev-php/webmozart-assert-1.2.0 =dev-php/phpdocumentor-reflection-docblock-3.1.1 =dev-php/PHP_TokenStream-1.4.11 =dev-php/sebastian-diff-1.4.1-r1 =dev-php/sebastian-environment-2.0.0 =dev-php/phpdocumentor-type-resolver-0.2.1 =dev-php/sebastian-comparator-1.2.4 =dev-php/sebastian-code-unit-reverse-lookup-1.0.1 =dev-php/PHP_Timer-1.0.9 =dev-php/sebastian-exporter-2.0.0 =dev-php/sebastian-version-2.0.1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-24 19:58:00 UTC
CVE-2017-9841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9841):
  Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows
  remote attackers to execute arbitrary PHP code via HTTP POST data beginning
  with a "<?php " substring, as demonstrated by an attack on a site with an
  exposed /vendor folder, i.e., external access to the
  /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Comment 1 D'juan McDonald (domhnall) 2017-10-25 06:55:19 UTC
Upstream Fix:
https://github.com/sebastianbergmann/phpunit/
commit 284a69fb88a2d0845d23f42974a583d8f59bf5a5

Adding associate patch and URL for reference.

@maintainer(s), please verify if vulnerable versions in tree before 5.7.15-r1 are indeed affected. Call for stabilization if needed, thank you

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 2 Michael Orlitzky gentoo-dev 2017-10-25 18:41:16 UTC
We'll still update PHPUnit, but this doesn't really affect us. No one on Gentoo is going to copy-paste /usr/share/php/PHPUnit into their public website directory. This is only a risk because Composer does that if you don't tell it to store "vendor" somewhere else.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-26 00:43:16 UTC
(In reply to Michael Orlitzky from comment #2)
> We'll still update PHPUnit, but this doesn't really affect us. No one on
> Gentoo is going to copy-paste /usr/share/php/PHPUnit into their public
> website directory. This is only a risk because Composer does that if you
> don't tell it to store "vendor" somewhere else.

Thanks for the clarification Michael, since it's a specific configuration in order to be vulnerable I'm downgrading to C2. Please call stabilization when ready.
Comment 4 Michael Orlitzky gentoo-dev 2017-11-05 23:56:20 UTC
Please stabilize the latest phpunit-5.7.15-r1, and I'll remove the remaining 4.x version afterwards.

There may be packages in the tree whose test suites require phpunit-4.x, but I'll mask USE=test for them in that case. PHPUnit-5.x isn't even the latest series, and we can't keep the old versions around forever.
Comment 5 Stabilization helper bot gentoo-dev 2017-11-13 00:03:53 UTC
An automated check of this bug failed - repoman reported dependency errors (38 lines truncated): 

> dependency.bad dev-php/phpunit/phpunit-5.7.15-r1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['<dev-php/sebastian-version-3.0']
> dependency.bad dev-php/phpunit/phpunit-5.7.15-r1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['<dev-php/sebastian-version-3.0']
> dependency.bad dev-php/phpunit/phpunit-5.7.15-r1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['<dev-php/sebastian-version-3.0']
> dependency.bad dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-php/sebastian-version-1.0']
> dependency.bad dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-php/sebastian-version-1.0']
> dependency.bad dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['>=dev-php/sebastian-version-1.0']
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-13 00:49:36 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-11-13 20:13:32 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 D'juan McDonald (domhnall) 2017-11-14 06:01:32 UTC
(In reply to Michael Orlitzky from comment #4)
> PHPUnit-5.x isn't even the latest series, and we can't keep the old versions around forever.

True, as noted from https://phpunit.de/
"Support for PHPUnit 5 ends on February 2, 2018."

Could you also confirm that commit 0c1ae1b5324fa10f96129c5679b788cc1ca9468e was the one actually applied and tested against? It was labeled as correct fix for 1956. See https://github.com/sebastianbergmann/phpunit/commit/0c1ae1b5324fa10f96129c5679b788cc1ca9468e . Not sure how I missed it. 

@Security, New GLSA request filed.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 9 Michael Orlitzky gentoo-dev 2017-11-14 12:45:25 UTC
(In reply to Daj' Uan (Jmbailey) from comment #8)
> 
> Could you also confirm that commit 0c1ae1b5324fa10f96129c5679b788cc1ca9468e
> was the one actually applied and tested against?

Confirmed.
Comment 10 Larry the Git Cow gentoo-dev 2017-11-14 14:47:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce0e623ff9c189a860febe202512bd4a8a9e931b

commit ce0e623ff9c189a860febe202512bd4a8a9e931b
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2017-11-14 14:34:35 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2017-11-14 14:42:03 +0000

    dev-php/phpunit: stabilize PHPUnit on all arches.
    
    The latest (and only, as of right now) version of PHPUnit in the tree
    has been stabilized on amd64 and x86 in bug 635356 to fix
    CVE-2017-9841. However, that new version now comes with a bunch of
    pure-PHP dependencies, all of which were unstable for most
    arches. That left a significant number of packages in permanent ~arch,
    as punishment for having a test suite. Since PHPUnit and its
    dependencies are all pure-PHP, I'm taking this opportunity to
    stabilize them all under the ALLARCHES umbrella.
    
    The following packages are affected:
    
      * dev-php/File_Iterator
      * dev-php/PHP_CodeCoverage
      * dev-php/PHP_Timer
      * dev-php/PHP_TokenStream
      * dev-php/Text_Template
      * dev-php/doctrine-instantiator
      * dev-php/fedora-autoloader
      * dev-php/myclabs-deepcopy
      * dev-php/phpdocumentor-reflection-common
      * dev-php/phpdocumentor-reflection-docblock
      * dev-php/phpdocumentor-type-resolver
      * dev-php/phpspec-prophecy
      * dev-php/phpunit-mock-objects
      * dev-php/phpunit
      * dev-php/sebastian-code-unit-reverse-lookup
      * dev-php/sebastian-comparator
      * dev-php/sebastian-diff
      * dev-php/sebastian-environment
      * dev-php/sebastian-exporter
      * dev-php/sebastian-global-state
      * dev-php/sebastian-object-enumerator
      * dev-php/sebastian-recursion-context
      * dev-php/sebastian-resource-operations
      * dev-php/sebastian-version
      * dev-php/symfony-yaml
      * dev-php/webmozart-assert
    
    These were all done in a single commit (against the usual better
    judgment) because many of the affected packages have PHPUnit test
    suites that create circular dependencies, and that would involve
    breaking the tree between commits if they had been made individually.
    
    Bug: https://bugs.gentoo.org/635356

 dev-php/File_Iterator/File_Iterator-1.4.2.ebuild                        | 2 +-
 dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild                  | 2 +-
 dev-php/PHP_Timer/PHP_Timer-1.0.9.ebuild                                | 2 +-
 dev-php/PHP_TokenStream/PHP_TokenStream-1.4.11.ebuild                   | 2 +-
 dev-php/Text_Template/Text_Template-1.2.1.ebuild                        | 2 +-
 dev-php/doctrine-instantiator/doctrine-instantiator-1.0.5.ebuild        | 2 +-
 dev-php/fedora-autoloader/fedora-autoloader-0.2.1.ebuild                | 2 +-
 dev-php/myclabs-deepcopy/myclabs-deepcopy-1.6.0.ebuild                  | 2 +-
 .../phpdocumentor-reflection-common-1.0.ebuild                          | 2 +-
 .../phpdocumentor-reflection-docblock-3.1.1.ebuild                      | 2 +-
 .../phpdocumentor-type-resolver-0.2.1.ebuild                            | 2 +-
 dev-php/phpspec-prophecy/phpspec-prophecy-1.7.0.ebuild                  | 2 +-
 dev-php/phpunit-mock-objects/phpunit-mock-objects-3.4.3.ebuild          | 2 +-
 dev-php/phpunit/phpunit-5.7.15-r1.ebuild                                | 2 +-
 .../sebastian-code-unit-reverse-lookup-1.0.1.ebuild                     | 2 +-
 dev-php/sebastian-comparator/sebastian-comparator-1.2.4.ebuild          | 2 +-
 dev-php/sebastian-diff/sebastian-diff-1.4.1-r1.ebuild                   | 2 +-
 dev-php/sebastian-environment/sebastian-environment-2.0.0.ebuild        | 2 +-
 dev-php/sebastian-exporter/sebastian-exporter-2.0.0.ebuild              | 2 +-
 dev-php/sebastian-global-state/sebastian-global-state-1.1.1.ebuild      | 2 +-
 .../sebastian-object-enumerator-2.0.1.ebuild                            | 2 +-
 .../sebastian-recursion-context-2.0.0.ebuild                            | 2 +-
 .../sebastian-resource-operations-1.0.0.ebuild                          | 2 +-
 dev-php/sebastian-version/sebastian-version-2.0.1.ebuild                | 2 +-
 dev-php/symfony-yaml/symfony-yaml-2.1.0.ebuild                          | 2 +-
 dev-php/webmozart-assert/webmozart-assert-1.2.0.ebuild                  | 2 +-
 26 files changed, 26 insertions(+), 26 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b731db1e2b5f6b7efa4a9416b079aca6ce35beac

commit b731db1e2b5f6b7efa4a9416b079aca6ce35beac
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2017-11-14 13:06:19 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2017-11-14 14:41:57 +0000

    dev-php/phpunit: remove unused phpunit-4.3.1.ebuild to fix CVE-2017-9841.
    
    Bug: https://bugs.gentoo.org/635356
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-php/phpunit/Manifest             |  1 -
 dev-php/phpunit/phpunit-4.3.1.ebuild | 37 ------------------------------------
 2 files changed, 38 deletions(-)}
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-14 14:55:49 UTC
New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-11-19 20:48:37 UTC
This issue was resolved and addressed in
 GLSA 201711-15 at https://security.gentoo.org/glsa/201711-15
by GLSA coordinator Christopher Diaz Riveros (chrisadr).