Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 549538 - <dev-lang/php-{5.4.41,5.5.25-r1}: Multiple vulnerabilities (CVE-2015-{2325,2326,4021,4022,4024,4025,4026})
Summary: <dev-lang/php-{5.4.41,5.5.25-r1}: Multiple vulnerabilities (CVE-2015-{2325,23...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://php.net/ChangeLog-5.php
Whiteboard: A2 [glsa cve]
Keywords:
: 549798 (view as bug list)
Depends on: 547310
Blocks:
  Show dependency tree
 
Reported: 2015-05-15 10:24 UTC by Agostino Sarubbo
Modified: 2016-06-19 00:26 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-15 10:24:09 UTC 
5.6.9, 5.5.25, or 5.4.41 fix Two Memory Corruption Vulnerabilities
Comment 1 Agostino Sarubbo gentoo-dev 2015-05-18 15:12:53 UTC 
*** Bug 549798 has been marked as a duplicate of this bug. ***
Comment 2 Tomáš Mózes 2015-05-19 10:11:26 UTC 
Can we please get the fixed versions to portage?
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2015-05-19 13:05:52 UTC 
(In reply to Tomas Mozes from comment #2)
> Can we please get the fixed versions to portage?

Are they not?

@security, btw, feel free to stabilise
Comment 4 Tomáš Mózes 2015-05-19 13:41:02 UTC 
(In reply to Ole Markus With from comment #3)
> (In reply to Tomas Mozes from comment #2)
> > Can we please get the fixed versions to portage?
> 
> Are they not?
> 
> @security, btw, feel free to stabilise

I don't see them in portage, nor by looking at:
https://packages.gentoo.org/package/dev-lang/php

Am I missing something? :)
Comment 5 Ole Markus With (RETIRED) gentoo-dev 2015-05-19 14:38:15 UTC 
(In reply to Tomas Mozes from comment #4)
> (In reply to Ole Markus With from comment #3)
> > (In reply to Tomas Mozes from comment #2)
> > > Can we please get the fixed versions to portage?
> > 
> > Are they not?
> > 
> > @security, btw, feel free to stabilise
> 
> I don't see them in portage, nor by looking at:
> https://packages.gentoo.org/package/dev-lang/php
> 
> Am I missing something? :)

Seems like I forgot to do something rather important ... My bad.

They should be there shortly.
Comment 6 Tomáš Mózes 2015-05-19 19:05:02 UTC 
(In reply to Ole Markus With from comment #5)
> Seems like I forgot to do something rather important ... My bad.
> 
> They should be there shortly.

Thanks!
Comment 7 Agostino Sarubbo gentoo-dev 2015-05-20 15:19:08 UTC 
Arches, please test and mark stable:
=dev-lang/php-5.4.41
=dev-lang/php-5.5.25
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-22 04:31:57 UTC 
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-05-22 12:40:32 UTC 
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-05-22 12:40:51 UTC 
x86 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-26 05:25:05 UTC 
Stable for PPC64.
Comment 12 Tony Vroon (RETIRED) gentoo-dev 2015-05-26 08:04:13 UTC 
Arches, please test & mark stable:
=dev-lang/php-5.5.25-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

This is to address a libvpx related compile-time failure, as described in bug #547310.
Comment 13 Richard Freeman gentoo-dev 2015-05-26 08:36:01 UTC 
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-05-27 13:06:49 UTC 
arm stable
Comment 15 Brian Evans (RETIRED) gentoo-dev 2015-05-28 13:42:11 UTC 
Readding arm for the new 5.5.25-r1 target.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 16:48:24 UTC 
List of Vulnerabilities:

Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 16:52:02 UTC 
Stabilization for 5.6.9 which has these vulnerabilities as well is part of Bug 550164
Comment 18 Jack Morgan (RETIRED) gentoo-dev 2015-06-01 01:50:07 UTC 
ia64 stable
Comment 19 Jack Morgan (RETIRED) gentoo-dev 2015-06-02 05:05:10 UTC 
sparc stable
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-09 13:49:44 UTC 
Both CVE-2015-3329 and CVE-2015-2783 were also fixed as part of the 5.6.9 stabilisation.

From http://php.net/ChangeLog-5.php:
----
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
----
Comment 21 Agostino Sarubbo gentoo-dev 2015-06-11 07:18:39 UTC 
x86 stable
Comment 22 Markus Meier gentoo-dev 2015-06-11 19:09:04 UTC 
arm stable
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 12:27:54 UTC 
CVE-2015-4026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4026):
  The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and
  5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character,
  which might allow remote attackers to bypass intended extension restrictions
  and execute files with unexpected names via a crafted first argument.  NOTE:
  this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVE-2015-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4025):
  PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a
  pathname upon encountering a \x00 character in certain situations, which
  allows remote attackers to bypass intended extension restrictions and access
  files or directories with unexpected names via a crafted argument to (1)
  set_include_path, (2) tempnam, (3) rmdir, or (4) readlink.  NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVE-2015-4022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4022):
  Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before
  5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP
  servers to execute arbitrary code via a long reply to a LIST command,
  leading to a heap-based buffer overflow.

CVE-2015-4021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4021):
  The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41,
  5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first
  character of a filename is different from the \0 character, which allows
  remote attackers to cause a denial of service (integer underflow and memory
  corruption) via a crafted entry in a tar archive.
Comment 24 Agostino Sarubbo gentoo-dev 2015-06-24 09:01:39 UTC 
ppc stable
Comment 25 Agostino Sarubbo gentoo-dev 2015-07-03 10:04:44 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 26 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 04:47:56 UTC 
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Vulnerable Versions are: 5.4.{39,40}, 5.5.{22,23,24,25}

Added to an existing GLSA Request.
Comment 27 Yury German Gentoo Infrastructure gentoo-dev 2015-09-08 05:33:26 UTC 
Maintainer(s), Thank you for you for cleanup.
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 00:26:55 UTC 
This issue was resolved and addressed in
 GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10
by GLSA coordinator Kristian Fiskerstrand (K_F).