sorry for the zero day bug. I just want to track the progress on the release of this. Reproducible: Always
Reassigning to php herd.
It seems that the following patches in the 5.2.8 patchset have been obsoleted by the 5.2.9 upstream release:

003_test-standard-array_slice_variation3-32bitonly.patch
004_test-standard-array_slice_variation2-32bitonly.patch
005_apache2-sapi-user-logging-fix.patch
006_ext-xml-ns-crash.patch
007_ext-mssql-NULL-crash.patch
009_CVE-2008-5498-ext-gd-mem-exposure.patch
010_ext-openssl-crash-fix.patch
011_ext-xmlwriter-fstring-err.patch
014_ext-posix-_GNU_SOURCE.patch
015_json_decode-crash.patch
016_extract-crash.patch

I'll attach diffs for 001_tests-ignore-php-ini.patch and suhosin.
Created attachment 183581 [details, diff] Suhosin patch for 5.2.7 ported to 5.2.9
Created attachment 183585 [details, diff] Modified version of 5.2.8 patchset's patch
Antti, thanks for the patches / updates. I haven't had a deeper look at them yet, but the comments sound promising. I'll handle it in the next few days. Unfortunately I have a big backlog of things to handle because of my unavailability during the last week. Reassigning to security. From the official list of security fixes only zip might still affect us, not sure, I'll verify. The others have already been fixed in previous Gentoo revisions of PHP.
*** Bug 261252 has been marked as a duplicate of this bug. ***
*** Bug 262701 has been marked as a duplicate of this bug. ***
Even if there is still a relevant security bug... what's keeping this out of portage? PHP always has security bugs.
(In reply to comment #8)
> even if there is still a relevant security bug... what's keeping this out of
> portage. php always has security bugs.

I'm not sure I get your point. This security bug is for getting php-5.2.9 in the tree, not for keeping it outside.
My question is what still needs to be done to get this committed to CVS.
Someone needs to review, test and commit. That's usually me. And to get this done in this case, I need to finish several school-related work first. Might have time tomorrow, but I cannot promise anything at the moment, everything is more or less unplanned here.
Bump for status on this issue? Recently, sites on our machines have been failing PCI Compliance for not having upgraded to PHP 5.2.9. As this is likely to become a major issue for others as well, this increases the urgency to upgrade PHP. If an ebuild can be provided for 5.2.9, I'd be more than happy to test it on x86 and amd64.
Gentoo is based on volunteers' work, so it might take some time until updates hit the tree - maybe you want to reconsider using it for systems that require PCI compliance or - if your business is large enough - hire a Gentoo dev that can write updated ebuilds and use them in an overlay before they are available. I'd be more careful what I posted about PCI failure on a public bugtracker that is indexed by Google...
I'm actively working on it. The problem is not 5.2.9, but the fact that it makes little sense to release a "vanilla" 5.2.9 right now, as there are lots of crash fixes in CVS already. Friday or Saturday might be realistic.
5.2.9 (almost vanilla) and 5.2.9-r1 (lots of additional crash fixes from upstream, post-5.2.9) in the tree now... Feel free to call for stabilization in a few days if no problems arise and I should become unavailable again. A list of security-relevant fixes will follow soon.
Thanks guys, you're doing a great job :)
Haven't heard of any problems, but I'd still want to wait, because I have two crash fixes pending (probably not security relevant, they are in the engine part, so they'd only allow for local DoS in FastCGI setups) and this curl open_basedir/safe_mode bypass has been disclosed recently: http://securityreason.com/securityalert/5564

I've already got a patch from Pierre from upstream, but it needs testing and is still only a first attempt, according to him. So that's why I'd prefer to wait, if this is OK security-wise. We have to draw a line between convenience (for arch teams and users) and exposure to the already fixed issues (where all of them are only local or maybe remote DoS issues, it seems).
Let's set the target date in a week so we know when to revisit this bug.
(In reply to comment #17)
> I've already got a patch from Pierre from upstream, but it needs testing and is
> still only a first attempt, according to him.
> So that's why I'd prefer to wait, if this is OK security-wise. We have to draw
> a line between convenience (for arch teams and users) and exposure to the
> already fixed issues (where all of them are only local or maybe remote DoS
> issues, it seems).

Patch is still incomplete, we are not supposed to use it, so still waiting...

Fixes in php-5.2.9 since php-5.2.8-r2:

#A.01 "Crash on extract in zip when files or directories entry names contain a relative path." (CVE-2009-1272, USE=zip)

#A.02 "Segfault with new pg_meta_data" (USE=postgres)
Impact: Local DoS (persistent php setups)
References: [1] [2]

#A.03 Crash in ext/xml with specially crafted XML documents (USE=xml)
Impact: Local DoS (persistent php setups)
References: [3] [4]

#A.04 ext/mbstring: Double free in mb_detect_encoding() (USE=unicode)
Impact: Local DoS (persistent php setups), more?
References: [5] [6]

#A.05 "possible invalid read when string is not null terminated" in spprintf.c
Impact: ?
References: [7]

#A.06 Hang in ext/mbstring with certain user input (USE=unicode)
Impact: DoS (CPU consumption)
References: [8] [9] [10]

#A.07 Possible integer (?) overflow in ext/mbstring (USE=unicode)
Impact: ?
References: [11]

#A.08 ext/soap Crafted WSDL file crash (USE=soap)
Impact: DoS
References: [12] [13] [14] [15]

#A.09 Double free / memory corruption when passing method return values by ref
Impact: Local DoS (persistent php setups)
References: [16] [17] [18] [19] [20]

#A.10 Crash when creating lots of objects while destructing another object
Impact: Local DoS (persistent php setups)
References: [22] [23]

List of fixes in php-5.2.9-r1 since php-5.2.9 yet to come.

[1] http://cvs.php.net/viewvc.cgi/php-src/ext/pgsql/pgsql.c?r1=1.331.2.13.2.33&r2=1.331.2.13.2.34&diff_format=u
[2] http://bugs.php.net/bug.php?id=47048
[3] http://bugs.php.net/bug.php?id=47220
[4] http://cvs.php.net/viewvc.cgi/php-src/ext/dom/document.c?r1=1.68.2.3.2.10&r2=1.68.2.3.2.11&diff_format=u
[5] http://bugs.php.net/bug.php?id=47245
[6] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/mbstring.c?r1=1.224.2.22.2.42&r2=1.224.2.22.2.43&diff_format=u
[7] http://cvs.php.net/viewvc.cgi/php-src/main/spprintf.c?r1=1.25.2.2.2.13&r2=1.25.2.2.2.14&diff_format=u
[8] http://bugs.php.net/bug.php?id=45239
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c?r1=1.7.2.5.2.2&r2=1.7.2.5.2.3&diff_format=u
[10] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/tests/bug45239.phpt?view=markup&rev=1.1
[11] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c?r1=1.7.2.5.2.4&r2=1.7.2.5.2.5&diff_format=u
[12] http://bugs.php.net/bug.php?id=47049
[13] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/soap.c?r1=1.156.2.28.2.43&r2=1.156.2.28.2.44&diff_format=u
[14] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/tests/bugs/bug47049.phpt?view=markup&rev=1.1
[15] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/tests/bugs/bug47049.wsdl?view=markup&rev=1.1
[16] http://bugs.php.net/bug.php?id=47165
[17] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_compile.c?r1=1.647.2.27.2.52&r2=1.647.2.27.2.53&diff_format=u
[18] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_compile.h?r1=1.316.2.8.2.15&r2=1.316.2.8.2.16&diff_format=u
[19] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_def.h?r1=1.59.2.29.2.63&r2=1.59.2.29.2.64&diff_format=u
[20] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_execute.h?r1=1.62.2.30.2.66&r2=1.62.2.30.2.67&diff_format=u
[21] http://cvs.php.net/viewvc.cgi/ZendEngine2/tests/bug47165.phpt?view=markup&rev=1.1
[22] http://bugs.php.net/bug.php?id=47353
[23] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_objects_API.c?r1=1.47.2.6.2.8&r2=1.47.2.6.2.9&diff_format=u
Fixes in php-5.2.9-r1 since php-5.2.9:

#B.01 2 memory corruptions in ext/zip (USE=zip)
Impact: Local DoS (persistent php setups), more?
References: [1]

#B.02 ext/filter permitted invalid chars in email addresses (USE=filter)
Impact: Circumvention of security restrictions in webapps, no issue by itself
References: [2] [3]

#B.03 imagepng() crashes with empty images (USE=gd)
Impact: Local? DoS (persistent php setups)
References: [4] [5] [6]

#B.04 curl_set_opt() crash (USE=curl)
Impact: Local DoS (persistent php setups)
References: [7] [8]

#B.05 Crash in ext/openssl when UTF8 conversion fails (USE=ssl)
Impact: Local? DoS (persistent php setups)
References: [9] [10]

#B.06 Crash in ext/xmlrpc with bad callbacks
Impact: Local DoS (persistent php setups)
References: [11] [12] [13]

#B.07 Crash with bad config setting session.save_path (USE=session)
Impact: (Local DoS)? (persistent php setups)
References: [14]

All these local DoS thingies are just crash issues which can usually only be caused by a user who has the permissions to create/modify PHP code and run it. It affects other users in case of non-separated mod_fastcgi/mod_php environments. Some of those might become remotely exploitable, depending on specific application scenarios.

Still missing: Two crash fixes in the engine which will be part of -r2.

[1] http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.49&r2=1.1.2.50&diff_format=u
[2] http://bugs.php.net/bug.php?id=47598
[3] http://cvs.php.net/viewvc.cgi/php-src/ext/filter/logical_filters.c?r1=1.1.2.29&r2=1.1.2.30&diff_format=u
[4] http://bugs.php.net/bug.php?id=45799
[5] http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_png.c?r1=1.17.4.2.2.6&r2=1.17.4.2.2.7&diff_format=u
[6] http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/bug45799.phpt?view=markup&revision=1.1
[7] http://bugs.php.net/bug.php?id=47616
[8] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.42&r2=1.62.2.14.2.43&diff_format=u
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/openssl/openssl.c?r1=1.98.2.5.2.51&r2=1.98.2.5.2.52&diff_format=u
[10] http://bugs.php.net/bug.php?id=47828
[11] http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/xmlrpc-epi-php.c?r1=1.39.2.5.2.13&r2=1.39.2.5.2.14&diff_format=u
[12] http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/tests/bug47818.phpt?view=markup&revision=1.1
[13] http://bugs.php.net/bug.php?id=47818
[14] http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.3.2.12&r2=1.100.2.3.2.13&diff_format=u
Fixes in php-5.2.9-r2 since php-5.2.9-r1:

#C.01 PHP crashes on some "bad" operations with string offsets
Impact: Local DoS (persistent php setups)
References: [1] [2] [3] [4] [5]

#C.02 Double efree() in zend_API.c, no further details
Impact: Local DoS? (persistent php setups)
References: [6]

#C.03 open_basedir/safe_mode bypass possibility in ext/curl (USE=curl)
Impact: (Local) Disclosure of arbitrary files, given the unix perms allow it (although php "perms" (i.e. open_basedir and safe_mode) don't).
References: [7] [8] [9] [10]

This should be it...

Arches, please test and mark stable:
=dev-lang/php-5.2.9-r2
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd

[1] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_def.h?r1=1.59.2.29.2.65&r2=1.59.2.29.2.66&diff_format=u
[2] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_execute.h?r1=1.62.2.30.2.68&r2=1.62.2.30.2.69&diff_format=u
[3] http://cvs.php.net/viewvc.cgi/ZendEngine2/tests/bug47704.phpt?view=markup&revision=1.1
[4] http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1443&r2=1.2027.2.547.2.1444&diff_format=u
[5] http://bugs.php.net/bug.php?id=47704
[6] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_API.c?r1=1.296.2.27.2.41&r2=1.296.2.27.2.42&diff_format=u
[7] http://securityreason.com/securityalert/5564
[8] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.43&r2=1.62.2.14.2.44&diff_format=u
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.44&r2=1.62.2.14.2.45
[10] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.45&r2=1.62.2.14.2.46&diff_format=u
amd64 stable. Most of the tests passed, just the usual ones failed. hoffie: You might want to have a look at bug 266537. However, I didn't hit that.
Stable for HPPA.
ppc stable
x86 stable
ppc64 done
Stable on alpha.
arm/ia64/s390/sh/sparc stable
GLSA together with bug 249875.
GLSA 201001-03. Thank you everyone, sorry about the delay.