Bug 260576 (CVE-2009-1272) - <dev-lang/php-5.2.9-r2: multiple vulnerabilities (CVE-2009-1272)
Summary: <dev-lang/php-5.2.9-r2: multiple vulnerabilities (CVE-2009-1272)
Status: RESOLVED FIXED
Alias: CVE-2009-1272
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://www.php.net/archive/2009.php#i...
Whiteboard: B3? [glsa]
Keywords:
Duplicates: 261252 262701
Depends on:
Blocks:
 
Reported: 2009-02-28 01:08 UTC by Caleb Cushing
Modified: 2010-01-05 21:13 UTC (History)
CC List: 9 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Suhosin patch for 5.2.7 ported to 5.2.9 (suhosin-patch-5.2.9-0.9.6.3.patch.diff,29.86 KB, patch)
2009-03-01 17:06 UTC, Antti Järvinen
Modified version of 5.2.8 patchset's patch (001_tests-ignore-php-ini.patch,477 bytes, patch)
2009-03-01 17:16 UTC, Antti Järvinen

Description Caleb Cushing 2009-02-28 01:08:23 UTC
Sorry for the zero day bug. I just want to track the progress on the release of this.

Reproducible: Always
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-02-28 01:17:09 UTC
Reassigning to php herd.
Comment 2 Antti Järvinen 2009-03-01 17:01:59 UTC
It seems that following patches in 5.2.8 patchset have been obsoleted by the 5.2.9 upstream release:

003_test-standard-array_slice_variation3-32bitonly.patch
004_test-standard-array_slice_variation2-32bitonly.patch
005_apache2-sapi-user-logging-fix.patch
006_ext-xml-ns-crash.patch
007_ext-mssql-NULL-crash.patch
009_CVE-2008-5498-ext-gd-mem-exposure.patch
010_ext-openssl-crash-fix.patch
011_ext-xmlwriter-fstring-err.patch
014_ext-posix-_GNU_SOURCE.patch
015_json_decode-crash.patch
016_extract-crash.patch

I'll attach diffs for 001_tests-ignore-php-ini.patch and suhosin.
Comment 3 Antti Järvinen 2009-03-01 17:06:33 UTC
Created attachment 183581 [details, diff]
Suhosin patch for 5.2.7 ported to 5.2.9
Comment 4 Antti Järvinen 2009-03-01 17:16:17 UTC
Created attachment 183585 [details, diff]
Modified version of 5.2.8 patchset's patch
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2009-03-01 21:11:02 UTC
Antti, thanks for the patches / updates. I haven't had a deeper look at them yet, but the comments sound promising.
I'll handle it in the next few days. Unfortunately I have a big backlog of things to handle because of my unavailability during the last week.

Reassigning to security.
From the official list of security fixes only zip might still affect us, not sure, I'll verify. The others have already been fixed in previous Gentoo revisions of PHP.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-03-05 08:02:15 UTC
*** Bug 261252 has been marked as a duplicate of this bug. ***
Comment 7 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-03-16 20:11:02 UTC
*** Bug 262701 has been marked as a duplicate of this bug. ***
Comment 8 Caleb Cushing 2009-03-16 20:51:26 UTC
Even if there is still a relevant security bug... what's keeping this out of portage? php always has security bugs.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-03-16 21:19:17 UTC
(In reply to comment #8)
> even if there is still a relevant security bug... what's keeping this out of
> portage. php always has security bugs.

I'm not sure I get your point. This security bug is for getting php-5.2.9 in the tree, not for keeping it outside.
Comment 10 Caleb Cushing 2009-03-16 21:26:24 UTC
My question is what still needs to be done to get this committed to cvs.
Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2009-03-16 21:29:34 UTC
Someone needs to review, test and commit. That's usually me. And to get this done in this case, I need to finish several pieces of school-related work first.
Might have time tomorrow, but I cannot promise anything at the moment, everything is more or less unplanned here.
Comment 12 Tim Strong 2009-04-09 17:28:25 UTC
Bump for status on this issue?  Recently, sites on our machines have been failing PCI Compliance for not having upgraded to PHP 5.2.9.  As this is likely to become a major issue for others as well, this increases the urgency to upgrade PHP.  If an ebuild can be provided for 5.2.9, I'd be more than happy to test it on x86 and amd64.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-09 18:15:49 UTC
Gentoo is based on volunteers' work, so it might take some time until updates hit the tree - maybe you want to reconsider using it for systems that require PCI compliance or - if your business is large enough - hire a gentoo dev that can write updated ebuilds and use them in an overlay before they are available.

I'd be more careful what I posted about PCI failure on a public bugtracker that is indexed by google...


Comment 14 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-09 22:31:09 UTC
I'm actively working on it. The problem is not 5.2.9, but the fact that it makes little sense to release a "vanilla" 5.2.9 right now, as there are lots of crash fixes in CVS already. Friday or Saturday might be realistic.
Comment 15 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-10 10:26:59 UTC
5.2.9 (almost vanilla) and 5.2.9-r1 (lots of additional crash fixes from upstream, post-5.2.9) in the tree now...
Feel free to call for stabilization in a few days if no problems arise and I should become unavailable again.
A list of security-relevant fixes will follow soon.
Comment 16 Milos Ivanovic 2009-04-11 16:22:04 UTC
Thanks guys, you're doing a great job :)
Comment 17 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-12 10:05:19 UTC
Haven't heard of any problems, but I'd still want to wait, because I have two crash fixes pending (probably not security relevant, they are in the engine part, so they'd only allow for local DoS in FastCGI setups) and this curl open_basedir/safe_mode bypass has been disclosed recently: http://securityreason.com/securityalert/5564

I've already got a patch from Pierre from upstream, but it needs testing and is still only a first attempt, according to him.
So that's why I'd prefer to wait, if this is OK security-wise. We have to draw a line between convenience (for arch teams and users) and exposure to the already fixed issues (where all of them are only local or maybe remote DoS issues, it seems).
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 15:28:08 UTC
Let's set the target date in a week so we know when to revisit this bug.
Comment 19 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-14 18:19:22 UTC
(In reply to comment #17)
> I've already got a patch from Pierre from upstream, but it needs testing and is
> still only a first attempt, according to him.
> So that's why I'd prefer to wait, if this is OK security-wise. We have to draw
> a line between convenience (for arch teams and users) and exposure to the
> already fixed issues (where all of them are only local or maybe remote DoS
> issues, it seems).
Patch is still incomplete, we are not supposed to use it, so still waiting...

Fixes in php-5.2.9 since php-5.2.8-r2:

#A.01 "Crash on extract in zip when files or directories entry names contain
      a relative path." (CVE-2009-1272, USE=zip)

#A.02 "Segfault with new pg_meta_data" (USE=postgres)
  Impact: Local DoS (persistent php setups)
  References: [1] [2]

#A.03 Crash in ext/xml with specially crafted XML documents (USE=xml)
  Impact: Local DoS (persistent php setups)
  References: [3] [4]

#A.04 ext/mbstring: Double free in mb_detect_encoding() (USE=unicode)
  Impact: Local DoS (persistent php setups), more?
  References: [5] [6]

#A.05 "possible invalid read when string is not null terminated" in spprintf.c
  Impact: ?
  References: [7]

#A.06 Hang in ext/mbstring with certain user input (USE=unicode)
  Impact: DoS (CPU consumption)
  References: [8] [9] [10]

#A.07 Possible integer (?) overflow in ext/mbstring (USE=unicode)
  Impact: ?
  References: [11]

#A.08 ext/soap Crafted WSDL file crash (USE=soap)
  Impact: DoS
  References: [12] [13] [14] [15]

#A.09 Double free / memory corruption when passing method return values by ref
  Impact: Local DoS (persistent php setups)
  References: [16] [17] [18] [19] [20]

#A.10 Crash when creating lots of objects while destructing another object
  Impact: Local DoS (persistent php setups)
  References: [22] [23]


List of fixes in php-5.2.9-r1 since php-5.2.9 yet to come.



[1] http://cvs.php.net/viewvc.cgi/php-src/ext/pgsql/pgsql.c?r1=1.331.2.13.2.33&r2=1.331.2.13.2.34&diff_format=u
[2] http://bugs.php.net/bug.php?id=47048
[3] http://bugs.php.net/bug.php?id=47220
[4] http://cvs.php.net/viewvc.cgi/php-src/ext/dom/document.c?r1=1.68.2.3.2.10&r2=1.68.2.3.2.11&diff_format=u
[5] http://bugs.php.net/bug.php?id=47245
[6] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/mbstring.c?r1=1.224.2.22.2.42&r2=1.224.2.22.2.43&diff_format=u
[7] http://cvs.php.net/viewvc.cgi/php-src/main/spprintf.c?r1=1.25.2.2.2.13&r2=1.25.2.2.2.14&diff_format=u
[8] http://bugs.php.net/bug.php?id=45239
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c?r1=1.7.2.5.2.2&r2=1.7.2.5.2.3&diff_format=u
[10] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/tests/bug45239.phpt?view=markup&rev=1.1
[11] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c?r1=1.7.2.5.2.4&r2=1.7.2.5.2.5&diff_format=u
[12] http://bugs.php.net/bug.php?id=47049
[13] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/soap.c?r1=1.156.2.28.2.43&r2=1.156.2.28.2.44&diff_format=u
[14] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/tests/bugs/bug47049.phpt?view=markup&rev=1.1
[15] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/tests/bugs/bug47049.wsdl?view=markup&rev=1.1
[16] http://bugs.php.net/bug.php?id=47165
[17] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_compile.c?r1=1.647.2.27.2.52&r2=1.647.2.27.2.53&diff_format=u
[18] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_compile.h?r1=1.316.2.8.2.15&r2=1.316.2.8.2.16&diff_format=u
[19] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_def.h?r1=1.59.2.29.2.63&r2=1.59.2.29.2.64&diff_format=u
[20] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_execute.h?r1=1.62.2.30.2.66&r2=1.62.2.30.2.67&diff_format=u
[21] http://cvs.php.net/viewvc.cgi/ZendEngine2/tests/bug47165.phpt?view=markup&rev=1.1
[22] http://bugs.php.net/bug.php?id=47353
[23] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_objects_API.c?r1=1.47.2.6.2.8&r2=1.47.2.6.2.9&diff_format=u
Comment 20 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-14 18:59:02 UTC
Fixes in php-5.2.9-r1 since php-5.2.9:

#B.01 2 memory corruptions in ext/zip (USE=zip)
  Impact: Local DoS (persistent php setups), more?
  References: [1]

#B.02 ext/filter permitted invalid chars in email addresses (USE=filter)
  Impact: Circumvention of security restrictions in webapps, no issue by itself
  References: [2] [3]

#B.03 imagepng() crashes with empty images (USE=gd)
  Impact: Local? DoS (persistent php setups)
  References: [4] [5] [6]

#B.04 curl_set_opt() crash (USE=curl)
  Impact: Local DoS (persistent php setups)
  References: [7] [8]

#B.05 Crash in ext/openssl when UTF8 conversion fails (USE=ssl)
  Impact: Local? DoS (persistent php setups)
  References: [9] [10]

#B.06 Crash in ext/xmlrpc with bad callbacks
  Impact: Local DoS (persistent php setups)
  References: [11] [12] [13]

#B.07 Crash with bad config setting session.save_path (USE=session)
  Impact: (Local DoS)? (persistent php setups)
  References: [14]


All these local DoS thingies are just crash issues which can usually be only caused by a user which has the permissions to create/modify php code and run it. It affects other users in case of non-separated mod_fastcgi/mod_php environments. Some of those might become remotely exploitable, depending on specific application scenarios.

Still missing: Two crash fixes in the engine which will be part of -r2.



[1] http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.49&r2=1.1.2.50&diff_format=u
[2] http://bugs.php.net/bug.php?id=47598
[3] http://cvs.php.net/viewvc.cgi/php-src/ext/filter/logical_filters.c?r1=1.1.2.29&r2=1.1.2.30&diff_format=u
[4] http://bugs.php.net/bug.php?id=45799
[5] http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_png.c?r1=1.17.4.2.2.6&r2=1.17.4.2.2.7&diff_format=u
[6] http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/bug45799.phpt?view=markup&revision=1.1
[7] http://bugs.php.net/bug.php?id=47616
[8] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.42&r2=1.62.2.14.2.43&diff_format=u
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/openssl/openssl.c?r1=1.98.2.5.2.51&r2=1.98.2.5.2.52&diff_format=u
[10] http://bugs.php.net/bug.php?id=47828
[11] http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/xmlrpc-epi-php.c?r1=1.39.2.5.2.13&r2=1.39.2.5.2.14&diff_format=u
[12] http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/tests/bug47818.phpt?view=markup&revision=1.1
[13] http://bugs.php.net/bug.php?id=47818
[14] http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.3.2.12&r2=1.100.2.3.2.13&diff_format=u
Comment 21 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-16 18:39:57 UTC
Fixes in php-5.2.9-r2 since php-5.2.9-r1:

#C.01 PHP crashes on some "bad" operations with string offsets
  Impact: Local DoS (persistent php setups)
  References: [1] [2] [3] [4] [5]

#C.02 Double efree() in zend_API.c, no further details
  Impact: Local DoS? (persistent php setups)
  References: [6]

#C.03 open_basedir/safe_mode bypass possibility in ext/curl (USE=curl)
  Impact: (Local) Disclosure of arbitrary files, given the unix perms allow it,
          (although php "perms" (i.e. open_basedir and safe_mode) don't).
  References: [7] [8] [9] [10]

This should be it...

Arches, please test and mark stable:
  =dev-lang/php-5.2.9-r2
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd



[1] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_def.h?r1=1.59.2.29.2.65&r2=1.59.2.29.2.66&diff_format=u
[2] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_execute.h?r1=1.62.2.30.2.68&r2=1.62.2.30.2.69&diff_format=u
[3] http://cvs.php.net/viewvc.cgi/ZendEngine2/tests/bug47704.phpt?view=markup&revision=1.1
[4] http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1443&r2=1.2027.2.547.2.1444&diff_format=u
[5] http://bugs.php.net/bug.php?id=47704
[6] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_API.c?r1=1.296.2.27.2.41&r2=1.296.2.27.2.42&diff_format=u
[7] http://securityreason.com/securityalert/5564
[8] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.43&r2=1.62.2.14.2.44&diff_format=u
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.44&r2=1.62.2.14.2.45
[10] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.45&r2=1.62.2.14.2.46&diff_format=u
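The bug title names the affected range as "<dev-lang/php-5.2.9-r2", and comment 21 asks arches to stabilise exactly that version, so the check an administrator wants is "is my installed php below 5.2.9-r2?". The script below is an added example and not part of the bug or of Gentoo's own tooling: it parses the simple "MAJOR.MINOR.PATCH[-rN]" shape of the versions mentioned in this bug (5.2.8-r2, 5.2.9, 5.2.9-r1, 5.2.9-r2) and compares them the way Portage orders them, where a missing -r revision counts as -r0 and 5.2.9 < 5.2.9-r1 < 5.2.9-r2. Gentoo's full version syntax (suffixes such as _rc or _p, letter versions) is deliberately not handled here; the host inventory at the bottom is constructed sample data.

```python
"""Check installed dev-lang/php versions against the fixed version from the bug.

Added example (not from the bug report or from Gentoo). Handles only
versions of the form MAJOR.MINOR.PATCH[-rN]; anything else is rejected
rather than guessed at.
"""
import re
from typing import Dict, List, Tuple

# First version that the bug lists as carrying all the fixes (comment 21).
FIXED_VERSION = "5.2.9-r2"

# Numeric dotted version, optionally followed by a Gentoo "-rN" revision.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split "5.2.9-r1" into ((5, 2, 9), 1); a missing revision is -r0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    revision = int(match.group(2)) if match.group(2) else 0
    return numbers, revision


def version_less_than(a: str, b: str) -> bool:
    """True if Gentoo version a sorts before version b.

    Dotted components are compared left to right, with missing trailing
    components treated as 0 (so 5.2 == 5.2.0); the -r revision only
    matters when the dotted parts are equal.
    """
    a_numbers, a_rev = parse_version(a)
    b_numbers, b_rev = parse_version(b)
    width = max(len(a_numbers), len(b_numbers))
    a_padded = a_numbers + (0,) * (width - len(a_numbers))
    b_padded = b_numbers + (0,) * (width - len(b_numbers))
    return (a_padded, a_rev) < (b_padded, b_rev)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed php version falls in "<dev-lang/php-5.2.9-r2"."""
    return version_less_than(installed, fixed)


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose installed php version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> installed dev-lang/php version.
SAMPLE_INVENTORY = {
    "web-a": "5.2.8-r2",   # pre-5.2.9, still carries the zip crash (A.01)
    "web-b": "5.2.9",      # vanilla 5.2.9, lacks the -r1/-r2 fixes
    "web-c": "5.2.9-r1",   # still lacks the curl open_basedir fix (C.03)
    "web-d": "5.2.9-r2",   # the version the bug asks arches to stabilise
    "web-e": "5.2.10",     # later upstream release, not in the affected range
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: dev-lang/php-{SAMPLE_INVENTORY[host]} is < {FIXED_VERSION}, upgrade")
```

Run stand-alone it prints the three sample hosts (web-a, web-b, web-c) that are still below 5.2.9-r2. On a real system the installed version would come from the Portage database, for example the directory name under /var/db/pkg/dev-lang/, rather than from the constructed dictionary.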
Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-17 15:40:35 UTC
amd64 stable. most of the tests passed, just the usual ones failed.

hoffie: You might want to have a look at bug 266537. However, I didn't hit that.
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-17 18:56:00 UTC
Stable for HPPA.
Comment 24 nixnut (RETIRED) gentoo-dev 2009-04-18 08:11:08 UTC
ppc stable
Comment 25 Markus Meier gentoo-dev 2009-04-18 11:59:32 UTC
x86 stable
Comment 26 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:33:05 UTC
ppc64 done
Comment 27 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-18 16:00:20 UTC
Stable on alpha.
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2009-04-20 15:52:15 UTC
arm/ia64/s390/sh/sparc stable
Comment 29 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-03 18:42:35 UTC
GLSA together with bug 249875.
Comment 30 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:13:33 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.