"The PHP development team would like to announce the immediate availability of PHP 5.2.3. This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release." Reproducible: Always
php please advise and patch as necessary.
CVE-2007-2856 says: Buffer overflow in the Dart Communications PowerTCP ZIP Compression ActiveX control in DartZip.dll 1.8.5.3, when Internet Explorer 6 is used, allows user-assisted remote attackers to execute arbitrary code via a long first argument to the QuickZip function, a related issue to CVE-2007-2855. This is probably unrelated, isn't it? You probably meant CVE-2007-2756.
Thx Lubomir, it was a typo.
There is a fix¹ for the broken fix for the chunk_split() issue. Guess our poor php souls know already. One can only shake his head... [1] http://blog.php-security.org/archives/86-Chunk_split-Overflow-not-fixed-at-all....html
php please advise.
Created attachment 121589 [details, diff] Updated ebuild for php-5.2.3 I attached an ebuild for php-5.2.3. While the change to the ebuild was pretty easy (sapi/cgi/php is now called sapi/cgi/php-cgi) the patchset needed some bigger changes. These were the changes as far as I can remember (in comparison to 5.2.2 patchset): * php5/ * manually reapplied php5-make_test.patch and regenerated patch * copied all other patches from there, they still apply cleanly * opt/ * had to reapply and manually fix some hunks for php5.2.3-fastbuild.patch -- it now applies cleanly again and build works; didn't do any extensive tests though * copied all other patches from there * (ex 5.2.2/; now:) 5.2.3/ * copied php5.2.2-dba_config.patch, php5.2.2-mysql-charsetphpini.patch, php5.2.2-mysqli-charsetphpini.patch, php5.2.2-pdo_mysql-charsetphpini.patch * dropped all other patches * added a lot of fixes from php-cvs which i considered worth adding: * php5.2.3-chunk_split-fix2.patch (this is the one mentioned in comment 4) * php5.2.3-fix-simplexml-segfault-41582.patch: see http://bugs.php.net/bug.php?id=41582 * php5.2.3-gd-better-image-dimension-checks.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.26&r2=1.312.2.20.2.27&pathrev=PHP_5_2 * php5.2.3-gd-fix-integer-overflows.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29&pathrev=PHP_5_2 http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.11&r2=1.90.2.1.2.12&pathrev=PHP_5_2 * php5.2.3-gd-gif-invalid-color-index-segfault.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.5.4.2.2.11&r2=1.5.4.2.2.12&pathrev=PHP_5_2 http://bugs.php.net/bug.php?id=41630 * php5.2.3-mopb-02-2007-improvement.patch: http://cvs.php.net/viewvc.cgi/php-src/main/php_variables.c?r1=1.104.2.10.2.8&r2=1.104.2.10.2.9&pathrev=PHP_5_2 * php5.2.3-php_admin-vs-ini_set.patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?r1=1.39.2.2.2.8&r2=1.39.2.2.2.9&pathrev=PHP_5_2 http://bugs.php.net/bug.php?id=41561 (circumvention of ini settings set bei php_admin_* apache config flags) * php5.2.3-strripos-fix-segfault.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.62&r2=1.445.2.14.2.63&pathrev=PHP_5_2 * php5.2.3-ze2-segfault-object+switch.patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_execute.c?r1=1.716.2.12.2.19&r2=1.716.2.12.2.20&pathrev=PHP_5_2 http://bugs.php.net/bug.php?id=41608 * php5.2.3-zip-addEmptyDir-fix-crash.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.33&r2=1.1.2.34&pathrev=PHP_5_2 So most of these patches fix segfaults or some kind of overflows. I hardly have any C knowledge and as such I cannot judge if those overflows could be exploited in any way, but I thought it's always better to fix them even if there is no security problem as they are at least annoying. All those patches belong to a patchset tar ball which can be found here: http://home.hoffie.info/php-patchset-5.2.3-r1.tar.bz2 [1] The attached ebuild will not work unless CHTEKK uploads the proper patchset tarball to his server. Meanwhile, I have modified the ebuild to instead download that patchset from above url; the modified ebuild is located here: http://home.hoffie.info/php-5.2.3.ebuild [1] I'm going to attach the output of svn diff for the php overlay as well. I hope this contribution helps a bit. [1] I know that one is not supposed to reference externally hosted data if possible, but the patchset tarball and the modified ebuild are just there for convenience, all important data (for developers) is attached to this bug. Also, I didn't want to pollute this bug with redundant attachments.
Created attachment 121591 [details, diff] svn diff (overlays.g.o/proj/php) to get all necessary changes (updated patches)
Created attachment 121740 [details, diff] updated svn diff, including the exif patch "Fixed memory corruption when reading exif data of a non-file" doesn't sound like it should remain unpatched either, so I suggest additionally adding http://cvs.php.net/viewvc.cgi/php-src/ext/exif/exif.c?r1=1.173.2.5.2.19&r2=1.173.2.5.2.20&pathrev=PHP_5_2 I updated the svn diff attachment and the php-patchset tarball on my server.
*** Bug 182801 has been marked as a duplicate of this bug. ***
Created attachment 122723 [details, diff] php-overlay: svn diff (including important patches from php-cvs up to June 21th) And yet another bunch of new patches: * php5.2.3-glob-openbasedir-fix.patch * php5.2.3-session-urlencode-cookie-values.patch * php5.2.3-zend-ini-memory-interruption-vuln.patch * php5.2.3-mysql-infile-openbasedir.patch * php5.2.3-mysqli-infile-openbasedir.patch * php5.2.3-pdo_mysql-infile-openbasedir.patch References included in file PATCHES. Tarball on my server updated, updated svn diff attached. Please tell me if posting the updated patchsets creates to much noise... I'm just trying to make pushing the update as easy as possible for CHTEKK, who seems to be busy with exams.
Don't know if this is worth opening another bug: http://securityreason.com/achievement_securityalert/45 This flood of php-vulnerabilities is scary...
*** Bug 184324 has been marked as a duplicate of this bug. ***
Any news on this? IIRC CHTEKK is busy with some exams, so is anybody else going to take care of this not so unimportant update?
(In reply to comment #13) > Any news on this? > IIRC CHTEKK is busy with some exams, so is anybody else going to take care > of this not so unimportant update? Approx. two weeks ago, CHTEKK gave me access to the php-experimental overlay, and as such my work regarding php-5.2.3 is currently done there. That's why I didn't post any updates in this bug. AFAIK CHTEKK won't have much time in the future either as he is currently doing his military service. He said that he will be at home at the weekends, but I don't know if this still applies and whether he will have time for PHP then. (In reply to comment #11) > Don't know if this is worth opening another bug: > http://securityreason.com/achievement_securityalert/45 I have still not found a patch to fix this issue, but I just committed a patch to the php overlay (not part of any patchset yet) which at least fixes the mail.force_extra_parameters shell command injection problem, so it basically makes the exploit useless. However, it still doesn't fix the initial problem.
@Christian Are you going to push PHP 5.2.3 into Portage?
I can't since I'm no Gentoo Developer. And proxy-maintaing something big like this.. I don't know whether this would be a good idea. Anyway, I plan to continue working in php-experimental and if any dev feels like merging the work from there to the tree I certainly don't have any objections (as long as CHTEKK agrees ;)).
Christian please post here when you have an updated ebuild in the overlay.
(In reply to comment #14) > (In reply to comment #11) > > Don't know if this is worth opening another bug: > > http://securityreason.com/achievement_securityalert/45 > I have still not found a patch to fix this issue, but I just committed a patch > to the php overlay (not part of any patchset yet) which at least fixes the > mail.force_extra_parameters shell command injection problem, so it basically > makes the exploit useless. However, it still doesn't fix the initial problem. It was me being a bit blind while watching cvs commits. Both a fix for error_log and session.save_path have been in CVS for 4 days. They are included in our latest patchset now. (In reply to comment #17) > Christian please post here when you have an updated ebuild in the overlay. dev-lang/php-5.2.3-r2 is in the overlay now. It includes the fix(es) for CVE-2007-3378 (this is the same as above mentioned securityreason URL) and for yet another crash bug (http://bugs.php.net/bug.php?id=41919).
Thx Christian. Now we just need someone to check and commit before calling arches...
(In reply to comment #19) > Thx Christian. Now we just need someone to check and commit before calling > arches... > As I was running 5.2.3-r2 from the overlay on a couple of boxes with no problems so far I wouldn't mind comitting -r3 - if someone from the php allows me to do so (or is the complete php herd somewhat away?)
(In reply to comment #20) > As I was running 5.2.3-r2 from the overlay on a couple of boxes with no > problems so far I wouldn't mind comitting -r3 - if someone from the php allows > me to do so (or is the complete php herd somewhat away?) read: was running -r1, wouldn't mind committing -r2 *sigh*
*** Bug 185586 has been marked as a duplicate of this bug. ***
I give my approval to commit the latest PHP 5.2.3 from the PHP Overlay, follow hoffie's judgement on this, as I trust him and he's atm much more on top of PHP things than I am... Sorry for the long delays. Best regards, CHTEKK.
Thanks, CHTEKK. php-5.2.3-r3 is in the overlay now, it includes the fix for our bug 185586 and an additional crash fix for some SPL/ArrayObject stuff. dertobi123 is going to commit this soon. The following tests are known to fail: double to string conversion tests [Zend/tests/double_to_string.phpt] Bug #16069 (ICONV transliteration failure) [ext/iconv/tests/bug16069.phpt] iconv stream filter [ext/iconv/tests/iconv_stream_filter.phpt] touch() tests [ext/standard/tests/file/touch.phpt] phpinfo() CGI [ext/standard/tests/general_functions/phpinfo2.phpt] CLI long options [sapi/cli/tests/015.phpt] There are probably more test failures (with some extensions).
I just committed 5.2.3-r3. Please note the changed behaviour wrt open_basedir and session.save_path, you might want to add a note about this to the GLSA (if there's one).
Thx Tobias. Arches please test and mark stable. Target keywords are: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
ppc stable
alpha/ia64/x86 stable
amd64 stable
Stable for HPPA.
ppc64 stable
sparc stable.
This one is ready for GLSA vote. Note that we should probably wait for bug #187120.
I vote yes pending bug #187120, which'll probably bump us up another rev at least.
OK, arches please test and stabilize php-5.2.4_pre200708051230-r2. Most importantly, it fixes the apache segfaults in Bug 187120 (the session behaviour change regarding open_basedir/safe_mode was reverted upstream by the new patch). Other fixes include: - floating point exception inside wordwrap() - ArrayObject::exchangeArray hangs Apache (PHP bug #41691). plus a bunch of others, unrelated to security. Thanks!
Back to stable to get the regression fixed. Arches please test and mark stable.
PHP 5.2.4 RC1 Released http://ilia.ws/archives/175-5.2.4-RC1-Released.html
(In reply to comment #43) > PHP 5.2.4 RC1 Released > http://ilia.ws/archives/175-5.2.4-RC1-Released.html Thanks, but this snapshot is *newer* than RC1.
Created attachment 131973 [details] php-5.2.3-fixed-issues Comprehensive list of security issues fixed here.
GLSA 200710-02, sorry for the delay.
