Bug 546872 - <dev-lang/php-{5.4.40,5.5.24,5.6.8}: Multiple vulnerabilities (CVE-2013-6501,CVE-2014-9709,CVE-2015-{1351,1352,2301,2783,3329,3330})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-17 04:57 UTC by Tomáš Mózes
Modified: 2016-06-19 00:26 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---
Description Tomáš Mózes 2015-04-17 04:57:27 UTC
OPCache:
    Fixed bug #68677 (Use After Free). (CVE-2015-1351)

Phar:
    Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)

Postgres:
    Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)

+5.4 only (already fixed in 5.5, 5.6):

GD:
    Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-04-17 05:05:48 UTC
CVE-2015-3324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3324):
  The ThinkServer System Manager (TSM) Baseboard Management Controller before
  firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350
  does not validate server certificates during an "encrypted remote KVM
  session," which allows man-in-the-middle attackers to spoof servers.

CVE-2015-2301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2301):
  Use-after-free vulnerability in the phar_rename_archive function in
  phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via vectors that trigger an attempted renaming of a Phar archive to
  the name of an existing file.

CVE-2015-1352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1352):
  The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql)
  extension in PHP through 5.6.7 does not validate token extraction for table
  names, which allows remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via a crafted name.

CVE-2014-9709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9709):
  The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP
  before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a
  denial of service (buffer over-read and application crash) via a crafted GIF
  image that is improperly handled by the gdImageCreateFromGif function.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-04-17 05:09:40 UTC
NOT CVE-2015-3324 (Removing)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-04-17 05:13:04 UTC
CVE-2015-1351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1351):
  Use-after-free vulnerability in the _zend_shared_memdup function in
  zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via unknown vectors.
Comment 4 Ole Markus With (RETIRED) gentoo-dev 2015-04-18 17:13:17 UTC
Ebuilds in the tree. Feel free to stabilise
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-04-18 22:53:54 UTC
Arches, please test and mark stable:

=dev-lang/php-5.4.40
=dev-lang/php-5.5.24

Target Keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 6 Agostino Sarubbo gentoo-dev 2015-04-19 08:15:42 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-04-19 08:15:59 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-23 05:06:01 UTC
Stable for HPPA PPC64.
Comment 9 Tomáš Mózes 2015-04-23 16:40:00 UTC
We just hit a bug with these new versions:

https://bugs.php.net/bug.php?id=69402

It's already fixed in master:

- OpenSSL:
  . Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-28 07:29:51 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-04-28 07:46:37 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-04-29 09:13:41 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-04-29 09:20:12 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-05-27 13:06:40 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 21:22:11 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:47:05 UTC
CVE-2015-2783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2783):
  ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before
  5.6.8 allows remote attackers to obtain sensitive information from process
  memory or cause a denial of service (buffer over-read and application crash)
  via a crafted length value in conjunction with crafted serialized data in a
  phar archive, related to the phar_parse_metadata and phar_parse_pharfile
  functions.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 23:57:57 UTC
CVE-2013-6501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6501):
  The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2)
  php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which
  makes it easier for local users to conduct WSDL injection attacks by
  creating a file under /tmp with a predictable filename that is used by the
  get_sdl function in ext/soap/php_sdl.c.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2015-06-21 00:09:20 UTC
CVE-2015-3330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3330):
  The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before
  5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP
  Server 2.4.x is used, allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via pipelined HTTP
  requests that result in a "deconfigured interpreter."

CVE-2015-3329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3329):
  Multiple stack-based buffer overflows in the phar_set_inode function in
  phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before
  5.6.8 allow remote attackers to execute arbitrary code via a crafted length
  value in a (1) tar, (2) phar, or (3) ZIP archive.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 00:26:47 UTC
This issue was resolved and addressed in
 GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10
by GLSA coordinator Kristian Fiskerstrand (K_F).