Bug 652420 - <dev-lang/php-{5.6.35-r1,7.0.29,7.1.16,7.2.4}: Possible disclosure in memory
Summary: <dev-lang/php-{5.6.35-r1,7.0.29,7.1.16,7.2.4}: Possible disclosure in memory
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://bugs.php.net/75605
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2018-7584
Reported: 2018-04-04 14:28 UTC by Brian Evans (RETIRED)
Modified: 2018-05-27 15:58 UTC

See Also:
Package list:
dev-lang/php-5.6.35-r1 dev-lang/php-7.0.29 dev-lang/php-7.1.16
Runtime testing required: ---
stable-bot: sanity-check+


Description Brian Evans (RETIRED) gentoo-dev 2018-04-04 14:28:13 UTC
CVE is pending

From the upstream bug:

Description:
------------
This was tested with PHP 5.6.32, but the behavior looks identical in newer versions of PHP.

After changing UID and GID, PHP-FPM sets pool worker processes to be dumpable. This allows a local user with the same UID and GID to attach to the PHP-FPM workers and gain access to any restricted resources that are not supposed to be allowed.

For a simple example:

- Configure PHP-FPM under Apache with two pools running as different users (victim & attacker)

- Enable opcache and configure it safely for a multiuser environment (opcache.validate_permission=1). The example here is also assuming a MMAP cache.

- Install wordpress in the victim account's docroot and load a few wordpress URLs.

- Install a PHP script that sleeps 60 seconds into the "attacker" account's docroot.

- Load the sleep script in the attacker account's docroot.

- As the attacker account, run "gcore <php-fpm-worker-pid>" to create a coredump of the PHP-FPM worker process.

- Run strings on the coredump file to retrieve the victim account's wordpress database username and password.

Expected result:
----------------
It should not be possible for unprivileged users to ptrace() the FPM worker processes or cause them to dump core.

Actual result:
--------------
Sensitive configuration data for other accounts can be accessed directly in the PHP worker process's memory.
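The mechanism behind the report, as an added illustration that is not code from the PHP project or the upstream bug: on Linux the kernel clears a process's dumpable flag when it changes UID, which is what stops a same-UID process from ptrace()-ing it or reading its memory via /proc; a daemon that re-enables the flag after the privilege drop (so workers can write core files) undoes that protection. The hardened pattern below keeps the flag cleared after setgid()/setuid() and verifies the result with PR_GET_DUMPABLE; the function names are my own, and the program is Linux-only.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Return the calling process's dumpable flag (0 = not dumpable, 1 = dumpable,
 * 2 = suid_dumpable "safe" mode), or -1 on error. */
int worker_is_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Set the dumpable flag explicitly. Returns 0 on success, -1 on failure.
 * Calling this with 1 after the privilege drop is the behaviour the report
 * describes: it lets any process of the same UID attach to the worker. */
int worker_set_dumpable(int flag) {
    return prctl(PR_SET_DUMPABLE, (unsigned long)flag, 0, 0, 0);
}

/* Hardened privilege drop for a pool worker: switch to the pool user, then
 * make sure the process is NOT dumpable, so ptrace() from other processes of
 * that UID is refused and no core file is written. If the process already
 * runs as the target uid/gid (e.g. started unprivileged), only the prctl()
 * step runs. Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges_hardened(uid_t uid, gid_t gid) {
    if (getuid() != uid || getgid() != gid) {
        if (setgid(gid) != 0 || setuid(uid) != 0)
            return -1;
    }
    return worker_set_dumpable(0);
}

int main(void) {
    /* Run unprivileged: the drop targets the current uid/gid, so this only
     * demonstrates the flag handling. */
    printf("dumpable before: %d\n", worker_is_dumpable());
    if (drop_privileges_hardened(getuid(), getgid()) != 0) {
        perror("drop_privileges_hardened");
        return 1;
    }
    printf("dumpable after : %d\n", worker_is_dumpable());
    return 0;
}
```

With the flag at 0, /proc/<pid>/mem and friends become root-owned and gcore/ptrace() from an ordinary same-UID process fail with EPERM, which is the state the report's "Expected result" asks for.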
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-04 14:33:25 UTC
@ Arches,

please test and mark stable:

  =dev-lang/php-5.6.35-r1
  =dev-lang/php-7.0.29
  =dev-lang/php-7.1.16
Comment 2 Larry the Git Cow gentoo-dev 2018-04-05 06:08:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e9623fa7915d1dab1287ca3d88d2993f9b0bc30

commit 2e9623fa7915d1dab1287ca3d88d2993f9b0bc30
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-05 05:42:11 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-05 06:08:15 +0000

    dev-lang/php: stable 7.1.16 for sparc
    
    Bug: https://bugs.gentoo.org/652420
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-lang/php/php-7.1.16.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f01173541d3924e80d84c04e89afbab1d803268

commit 9f01173541d3924e80d84c04e89afbab1d803268
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-05 05:40:46 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-05 06:08:15 +0000

    dev-lang/php: stable 7.0.29 for sparc
    
    Bug: https://bugs.gentoo.org/652420
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-lang/php/php-7.0.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ede0d2048604118a58c448d94c35534e19c7a8e1

commit ede0d2048604118a58c448d94c35534e19c7a8e1
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-05 05:39:21 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-05 06:08:15 +0000

    dev-lang/php: stable 5.6.35-r1 for sparc
    
    Bug: https://bugs.gentoo.org/652420
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-lang/php/php-5.6.35-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Larry the Git Cow gentoo-dev 2018-04-05 13:21:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3be98a5dcec121d5df314a279428132a88d63e80

commit 3be98a5dcec121d5df314a279428132a88d63e80
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-05 13:20:41 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-05 13:20:41 +0000

    dev-lang/php: amd64 stable
    
    Bug: https://bugs.gentoo.org/652420
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 dev-lang/php/php-5.6.35-r1.ebuild | 2 +-
 dev-lang/php/php-7.0.29.ebuild    | 2 +-
 dev-lang/php/php-7.1.16.ebuild    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-05 13:43:28 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2018-04-05 16:11:12 UTC
Stable on alpha.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-04-07 22:40:37 UTC
ia64 stable
Comment 7 Markus Meier gentoo-dev 2018-04-14 11:40:37 UTC
arm stable
Comment 8 Brian Evans (RETIRED) gentoo-dev 2018-05-14 19:51:43 UTC
hppa is no longer a security arch
Comment 9 Brian Evans (RETIRED) gentoo-dev 2018-05-14 19:52:58 UTC
This bug's CVE ID is 2018-10545
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-26 09:51:19 UTC
ppc/ppc64 stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-05-26 14:26:02 UTC
@maintainer(s), please clean.
Comment 12 Larry the Git Cow gentoo-dev 2018-05-27 15:12:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31189ba8d3a627d1aa2964dde9410316a7e037d2

commit 31189ba8d3a627d1aa2964dde9410316a7e037d2
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-05-27 15:11:51 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-05-27 15:11:51 +0000

    dev-lang/php: Clean up security vulnerable versions
    
    Bug: https://bugs.gentoo.org/652420
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-lang/php/Manifest          |   6 -
 dev-lang/php/php-5.6.33.ebuild | 771 ----------------------------------------
 dev-lang/php/php-5.6.34.ebuild | 775 -----------------------------------------
 dev-lang/php/php-7.0.27.ebuild | 741 ---------------------------------------
 dev-lang/php/php-7.0.28.ebuild | 745 ---------------------------------------
 dev-lang/php/php-7.1.13.ebuild | 723 --------------------------------------
 dev-lang/php/php-7.1.15.ebuild | 727 --------------------------------------
 7 files changed, 4488 deletions(-)