
Bug 180556

Summary: dev-lang/php Multiple issues (CVE-2007-{1887|1900|2756|2872})
Product: Gentoo Security
Reporter: Bernd Marienfeldt <bernd>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chainsaw, clemente.aguiar, clmason, conikost, david, kostko, lars, mail, php-bugs, sgtphou, steffen.weber, wschlich
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://news.php.net/php.announce/70
Whiteboard: B? [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 187120
Bug Blocks:
Attachments (flags: none on all):
  * Updated ebuild for php-5.2.3
  * svn diff (overlays.g.o/proj/php) to get all necessary changes (updated patches)
  * updated svn diff, including the exif patch
  * php-overlay: svn diff (including important patches from php-cvs up to June 21st)
  * php-5.2.3-fixed-issues

Description Bernd Marienfeldt 2007-06-01 15:33:41 UTC
"The PHP development team would like to announce the immediate  
availability of PHP 5.2.3. This release continues to improve the  
security and the stability of the 5.X branch as well as addressing  
two regressions introduced by the previous 5.2 releases. These  
regressions relate to the timeout handling over non-blocking SSL  
connections and the lack of HTTP_RAW_POST_DATA in certain conditions.  
All users are encouraged to upgrade to this release."


Reproducible: Always
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-02 14:16:48 UTC
php please advise and patch as necessary.
Comment 2 Lubomir Rintel 2007-06-04 20:53:14 UTC
CVE-2007-2856 says:

Buffer overflow in the Dart Communications PowerTCP ZIP Compression ActiveX control in DartZip.dll 1.8.5.3, when Internet Explorer 6 is used, allows user-assisted remote attackers to execute arbitrary code via a long first argument to the QuickZip function, a related issue to CVE-2007-2855.

This is probably unrelated, isn't it? You probably meant CVE-2007-2756.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-05 05:38:58 UTC
Thx Lubomir, it was a typo.
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2007-06-07 00:57:28 UTC
There is a fix¹ for the broken fix for the chunk_split() issue. Guess our poor php souls know already. One can only shake his head...


[1] http://blog.php-security.org/archives/86-Chunk_split-Overflow-not-fixed-at-all....html
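The chunk_split() issue behind comment 4 is CVE-2007-2872 from this bug's summary: chunk_split() computes its output-buffer size from the caller-supplied chunk length and end string, and that arithmetic could overflow, leaving an allocation smaller than the bytes subsequently copied into it. The block below is an added example written for this page; it is not code from PHP's ext/standard/string.c, from the php-security.org post or from any patch attached here, and the names naive_out_len, checked_out_len, safe_chunk_split and chunk_split_equals are invented for it. It sets the unchecked size computation beside one that refuses any step that would wrap, and a copy loop that stays inside what was reserved:

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output size computed the unchecked way.  With chunklen and endlen under
 * the caller's control, chunks * (chunklen + endlen) can exceed SIZE_MAX;
 * unsigned arithmetic wraps silently, the allocation comes out tiny, and a
 * copy loop sized from the real input would run off the end of it.
 * (Illustrative, not PHP's actual expression.) */
size_t naive_out_len(size_t srclen, size_t chunklen, size_t endlen)
{
    return (srclen / chunklen + 1) * (chunklen + endlen) + 1;
}

/* Same quantity, but every step is validated before it is performed.
 * Returns 0 (never a valid size here, the NUL is always counted) when
 * chunklen is 0 or when any intermediate result would wrap. */
size_t checked_out_len(size_t srclen, size_t chunklen, size_t endlen)
{
    if (chunklen == 0)
        return 0;
    size_t chunks = srclen / chunklen;
    if (chunks == SIZE_MAX)             /* chunks + 1 would wrap */
        return 0;
    chunks += 1;
    if (chunklen > SIZE_MAX - endlen)   /* chunklen + endlen would wrap */
        return 0;
    size_t per_chunk = chunklen + endlen;
    if (chunks > SIZE_MAX / per_chunk)  /* chunks * per_chunk would wrap */
        return 0;
    size_t total = chunks * per_chunk;
    if (total == SIZE_MAX)              /* no room for the terminating NUL */
        return 0;
    return total + 1;
}

/* chunk_split()-style helper: copies src in pieces of at most chunklen
 * bytes, appending end after every piece (including a short final one;
 * an empty src yields an empty result).  Returns a malloc'ed
 * NUL-terminated string, or NULL when the size computation would overflow
 * or malloc fails.  The caller frees the result. */
char *safe_chunk_split(const char *src, size_t srclen, size_t chunklen,
                       const char *end, size_t endlen)
{
    size_t need = checked_out_len(srclen, chunklen, endlen);
    if (need == 0)
        return NULL;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    char *p = out;
    size_t done = 0;
    while (done < srclen) {
        size_t n = srclen - done < chunklen ? srclen - done : chunklen;
        memcpy(p, src + done, n);
        p += n;
        done += n;
        memcpy(p, end, endlen);
        p += endlen;
    }
    *p = '\0';
    /* We never write past what checked_out_len() reserved: at most
     * floor(srclen/chunklen)+1 pieces of chunklen+endlen bytes, plus NUL. */
    assert((size_t)(p - out) < need);
    return out;
}

/* Convenience wrapper: split, compare with the expected string, free. */
int chunk_split_equals(const char *src, size_t chunklen,
                       const char *end, const char *expected)
{
    char *r = safe_chunk_split(src, strlen(src), chunklen, end, strlen(end));
    if (r == NULL)
        return 0;
    int same = strcmp(r, expected) == 0;
    free(r);
    return same;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;     /* chunklen + endlen == 2^N exactly */
    printf("naive size for huge chunklen/endlen: %zu (wrapped)\n",
           naive_out_len(10, huge, huge));
    printf("checked size for the same input:     %zu (rejected)\n",
           checked_out_len(10, huge, huge));
    char *r = safe_chunk_split("abcdef", 6, 4, "|", 1);
    printf("safe_chunk_split(\"abcdef\", 4, \"|\") = \"%s\"\n", r ? r : "(null)");
    free(r);
    return 0;
}
```

Build with something like cc -std=c99 -Wall. The point of naive_out_len() is that unsigned wrap is silent: a chunk length and end string chosen so that chunklen + endlen reaches 2^64 (or 2^32 on a 32-bit build) make the product tiny, and only a check performed before each operation, not after, catches it.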
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-07 11:38:37 UTC
php please advise.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2007-06-09 16:19:26 UTC
Created attachment 121589
Updated ebuild for php-5.2.3

I attached an ebuild for php-5.2.3. While the change to the ebuild was pretty easy (sapi/cgi/php is now called sapi/cgi/php-cgi) the patchset needed some bigger changes.
These were the changes as far as I can remember (in comparison to 5.2.2 patchset):
  * php5/
    * manually reapplied php5-make_test.patch and regenerated patch
    * copied all other patches from there, they still apply cleanly
  * opt/
    * had to reapply and manually fix some hunks for php5.2.3-fastbuild.patch -- it now applies cleanly again and build works; didn't do any extensive tests though
    * copied all other patches from there
  * (ex 5.2.2/; now:) 5.2.3/
    * copied php5.2.2-dba_config.patch, php5.2.2-mysql-charsetphpini.patch, php5.2.2-mysqli-charsetphpini.patch, php5.2.2-pdo_mysql-charsetphpini.patch
    * dropped all other patches
    * added a lot of fixes from php-cvs which i considered worth adding:
      * php5.2.3-chunk_split-fix2.patch (this is the one mentioned in comment 4)
      * php5.2.3-fix-simplexml-segfault-41582.patch: see http://bugs.php.net/bug.php?id=41582
      * php5.2.3-gd-better-image-dimension-checks.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.26&r2=1.312.2.20.2.27&pathrev=PHP_5_2 
      * php5.2.3-gd-fix-integer-overflows.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29&pathrev=PHP_5_2  http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.11&r2=1.90.2.1.2.12&pathrev=PHP_5_2 
      * php5.2.3-gd-gif-invalid-color-index-segfault.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.5.4.2.2.11&r2=1.5.4.2.2.12&pathrev=PHP_5_2  http://bugs.php.net/bug.php?id=41630
      * php5.2.3-mopb-02-2007-improvement.patch: http://cvs.php.net/viewvc.cgi/php-src/main/php_variables.c?r1=1.104.2.10.2.8&r2=1.104.2.10.2.9&pathrev=PHP_5_2
      * php5.2.3-php_admin-vs-ini_set.patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?r1=1.39.2.2.2.8&r2=1.39.2.2.2.9&pathrev=PHP_5_2 http://bugs.php.net/bug.php?id=41561 (circumvention of ini settings set by php_admin_* apache config flags)
      * php5.2.3-strripos-fix-segfault.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.62&r2=1.445.2.14.2.63&pathrev=PHP_5_2
      * php5.2.3-ze2-segfault-object+switch.patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_execute.c?r1=1.716.2.12.2.19&r2=1.716.2.12.2.20&pathrev=PHP_5_2 http://bugs.php.net/bug.php?id=41608
      * php5.2.3-zip-addEmptyDir-fix-crash.patch: http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.33&r2=1.1.2.34&pathrev=PHP_5_2

So most of these patches fix segfaults or some kind of overflows. I hardly have any C knowledge and as such I cannot judge if those overflows could be exploited in any way, but I thought it's always better to fix them even if there is no security problem as they are at least annoying.
All those patches belong to a patchset tar ball which can be found here: http://home.hoffie.info/php-patchset-5.2.3-r1.tar.bz2 [1]

The attached ebuild will not work unless CHTEKK uploads the proper patchset tarball to his server.
Meanwhile, I have modified the ebuild to instead download that patchset from above url; the modified ebuild is located here: http://home.hoffie.info/php-5.2.3.ebuild [1]

I'm going to attach the output of svn diff for the php overlay as well.
I hope this contribution helps a bit.

[1] I know that one is not supposed to reference externally hosted data if possible, but the patchset tarball and the modified ebuild are just there for convenience, all important data (for developers) is attached to this bug. Also, I didn't want to pollute this bug with redundant attachments.
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2007-06-09 16:22:03 UTC
Created attachment 121591
svn diff (overlays.g.o/proj/php) to get all necessary changes (updated patches)
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2007-06-11 14:20:08 UTC
Created attachment 121740
updated svn diff, including the exif patch

"Fixed memory corruption when reading exif data of a non-file" doesn't sound like it should remain unpatched either, so I suggest additionally adding http://cvs.php.net/viewvc.cgi/php-src/ext/exif/exif.c?r1=1.173.2.5.2.19&r2=1.173.2.5.2.20&pathrev=PHP_5_2
I updated the svn diff attachment and the php-patchset tarball on my server.
Comment 9 Jakub Moc (RETIRED) gentoo-dev 2007-06-21 17:51:05 UTC
*** Bug 182801 has been marked as a duplicate of this bug. ***
Comment 10 Christian Hoffmann (RETIRED) gentoo-dev 2007-06-21 19:44:00 UTC
Created attachment 122723
php-overlay: svn diff (including important patches from php-cvs up to June 21st)

And yet another bunch of new patches:
  * php5.2.3-glob-openbasedir-fix.patch
  * php5.2.3-session-urlencode-cookie-values.patch
  * php5.2.3-zend-ini-memory-interruption-vuln.patch
  * php5.2.3-mysql-infile-openbasedir.patch
  * php5.2.3-mysqli-infile-openbasedir.patch
  * php5.2.3-pdo_mysql-infile-openbasedir.patch
References included in file PATCHES.
Tarball on my server updated, updated svn diff attached.

Please tell me if posting the updated patchsets creates too much noise... I'm just trying to make pushing the update as easy as possible for CHTEKK, who seems to be busy with exams.
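Three of the patches listed in comment 10 are open_basedir fixes (glob and the MySQL LOAD DATA INFILE paths), and open_basedir comes up again later in this bug. The block below is an added example for this page, not PHP's own open_basedir code and not the content of those patches, which are not reproduced here; allowed_by_basedir, normalize_path and normalizes_to are invented names, and the probe paths and basedir list are constructed. It shows the shape of such a check: normalise the path before comparing, so that ".." cannot escape, and treat each entry as a prefix the way PHP's manual documents open_basedir (an entry without a trailing slash also admits /var/www2 for /var/www; end the entry with a slash to restrict to that directory). Normalisation here is purely textual; an enforcement point that actually opens files must first resolve symlinks with realpath().

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024

/* Lexically normalise an absolute path into out: collapse "//" and "/.",
 * resolve ".." against components already emitted, never climb above "/".
 * Returns 0 on success, -1 if the path is not absolute or does not fit.
 * Textual only: symlinks are NOT resolved (use realpath() for that). */
int normalize_path(const char *in, char *out, size_t outsz)
{
    if (in[0] != '/' || outsz < 2)
        return -1;
    size_t len = 1;
    out[0] = '/';
    const char *p = in;
    while (*p) {
        while (*p == '/')               /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.')  /* "." is a no-op */
            continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (len > 1) {              /* ".." drops the last component */
                len--;                  /* step over its trailing '/' */
                while (len > 1 && out[len - 1] != '/')
                    len--;
            }
            continue;                   /* at "/" it is ignored */
        }
        if (len + n + 1 >= outsz)
            return -1;
        memcpy(out + len, start, n);
        len += n;
        out[len++] = '/';
    }
    if (len > 1)                        /* keep a trailing '/' only for root */
        len--;
    out[len] = '\0';
    return 0;
}

/* Test helper: does `in` normalise to `expected`? */
int normalizes_to(const char *in, const char *expected)
{
    char buf[PATH_BUF];
    if (normalize_path(in, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* open_basedir-style check.  basedirs is a ':'-separated list of entries.
 * Each entry is a string prefix, not a directory name, as the PHP manual
 * documents for open_basedir: "/var/www" also admits "/var/www2/...";
 * an entry ending in '/' admits only that directory and its contents.
 * Returns 1 if allowed, 0 if not (also when the path cannot be normalised). */
int allowed_by_basedir(const char *path, const char *basedirs)
{
    char norm[PATH_BUF];
    if (normalize_path(path, norm, sizeof norm) != 0)
        return 0;
    size_t nlen = strlen(norm);
    const char *entry = basedirs;
    while (*entry) {
        const char *sep = strchr(entry, ':');
        size_t elen = sep ? (size_t)(sep - entry) : strlen(entry);
        if (elen > 0) {
            if (entry[elen - 1] == '/') {
                /* directory entry: the directory itself, or something inside */
                if (strncmp(norm, entry, elen) == 0)
                    return 1;
                if (nlen == elen - 1 && strncmp(norm, entry, elen - 1) == 0)
                    return 1;
            } else if (strncmp(norm, entry, elen) == 0) {
                return 1;               /* bare prefix match */
            }
        }
        if (!sep)
            break;
        entry = sep + 1;
    }
    return 0;
}

int main(void)
{
    const char *basedirs = "/var/www/:/tmp/";     /* constructed config */
    const char *probes[] = {                      /* constructed inputs */
        "/var/www/index.php",
        "/var/www2/secret",
        "/var/www/../../etc/passwd",
        "/tmp/./sess_abc",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-28s -> %s\n", probes[i],
               allowed_by_basedir(probes[i], basedirs) ? "allowed" : "denied");
    printf("normalises cleanly: %d\n",
           normalizes_to("/var//www/./../etc/passwd", "/var/etc/passwd"));
    return 0;
}
```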
Comment 11 Hanno Böck gentoo-dev 2007-07-02 12:50:06 UTC
Don't know if this is worth opening another bug:
http://securityreason.com/achievement_securityalert/45

This flood of php-vulnerabilities is scary...
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2007-07-05 18:05:22 UTC
*** Bug 184324 has been marked as a duplicate of this bug. ***
Comment 13 Wolfram Schlich (RETIRED) gentoo-dev 2007-07-10 22:22:54 UTC
Any news on this?
IIRC CHTEKK is busy with some exams, so is anybody else going to take care
of this not so unimportant update?
Comment 14 Christian Hoffmann (RETIRED) gentoo-dev 2007-07-11 09:13:30 UTC
(In reply to comment #13)
> Any news on this?
> IIRC CHTEKK is busy with some exams, so is anybody else going to take care
> of this not so unimportant update?
Approx. two weeks ago, CHTEKK gave me access to the php-experimental overlay, and as such my work regarding php-5.2.3 is currently done there. That's why I didn't post any updates in this bug.

AFAIK CHTEKK won't have much time in the future either as he is currently doing his military service. He said that he will be at home at the weekends, but I don't know if this still applies and whether he will have time for PHP then.

(In reply to comment #11)
> Don't know if this is worth opening another bug:
> http://securityreason.com/achievement_securityalert/45
I have still not found a patch to fix this issue, but I just committed a patch to the php overlay (not part of any patchset yet) which at least fixes the mail.force_extra_parameters shell command injection problem, so it basically makes the exploit useless. However, it still doesn't fix the initial problem.
Comment 15 Conrad Kostecki gentoo-dev 2007-07-13 09:33:35 UTC
@Christian

Are you going to push PHP 5.2.3 into Portage?
Comment 16 Christian Hoffmann (RETIRED) gentoo-dev 2007-07-13 12:11:57 UTC
I can't since I'm no Gentoo Developer. And proxy-maintaining something big like this.. I don't know whether this would be a good idea.
Anyway, I plan to continue working in php-experimental and if any dev feels like merging the work from there to the tree I certainly don't have any objections (as long as CHTEKK agrees ;)).
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-15 07:28:16 UTC
Christian please post here when you have an updated ebuild in the overlay.
Comment 18 Christian Hoffmann (RETIRED) gentoo-dev 2007-07-15 17:04:58 UTC
(In reply to comment #14)
> (In reply to comment #11)
> > Don't know if this is worth opening another bug:
> > http://securityreason.com/achievement_securityalert/45
> I have still not found a patch to fix this issue, but I just committed a patch
> to the php overlay (not part of any patchset yet) which at least fixes the
> mail.force_extra_parameters shell command injection problem, so it basically
> makes the exploit useless. However, it still doesn't fix the initial problem.
It was me being a bit blind while watching cvs commits. Both a fix for error_log and session.save_path have been in CVS for 4 days. They are included in our latest patchset now.

(In reply to comment #17)
> Christian please post here when you have an updated ebuild in the overlay.
dev-lang/php-5.2.3-r2 is in the overlay now. It includes the fix(es) for CVE-2007-3378 (this is the same as above mentioned securityreason URL) and for yet another crash bug (http://bugs.php.net/bug.php?id=41919).
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-15 18:00:19 UTC
Thx Christian. Now we just need someone to check and commit before calling arches...
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-15 20:51:22 UTC
(In reply to comment #19)
> Thx Christian. Now we just need someone to check and commit before calling
> arches...
> 

As I was running 5.2.3-r2 from the overlay on a couple of boxes with no problems so far I wouldn't mind comitting -r3 - if someone from the php allows me to do so (or is the complete php herd somewhat away?)
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-15 20:54:53 UTC
(In reply to comment #20)
> As I was running 5.2.3-r2 from the overlay on a couple of boxes with no
> problems so far I wouldn't mind comitting -r3 - if someone from the php allows
> me to do so (or is the complete php herd somewhat away?)

read: was running -r1, wouldn't mind committing -r2 *sigh*
Comment 22 Jakub Moc (RETIRED) gentoo-dev 2007-07-16 19:26:59 UTC
*** Bug 185586 has been marked as a duplicate of this bug. ***
Comment 23 Luca Longinotti (RETIRED) gentoo-dev 2007-07-21 15:23:22 UTC
I give my approval to commit the latest PHP 5.2.3 from the PHP Overlay, follow hoffie's judgement on this, as I trust him and he's atm much more on top of PHP things than I am... Sorry for the long delays.
Best regards, CHTEKK.
Comment 24 Christian Hoffmann (RETIRED) gentoo-dev 2007-07-21 15:59:04 UTC
Thanks, CHTEKK.

php-5.2.3-r3 is in the overlay now, it includes the fix for our bug 185586 and an additional crash fix for some SPL/ArrayObject stuff.
dertobi123 is going to commit this soon.
The following tests are known to fail:
  double to string conversion tests [Zend/tests/double_to_string.phpt]
  Bug #16069 (ICONV transliteration failure) [ext/iconv/tests/bug16069.phpt]
  iconv stream filter [ext/iconv/tests/iconv_stream_filter.phpt]
  touch() tests [ext/standard/tests/file/touch.phpt]
  phpinfo() CGI [ext/standard/tests/general_functions/phpinfo2.phpt]
  CLI long options [sapi/cli/tests/015.phpt]
There are probably more test failures (with some extensions).
Comment 25 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-22 21:19:07 UTC
I just committed 5.2.3-r3. Please note the changed behaviour wrt open_basedir and session.save_path, you might want to add a note about this to the GLSA (if there's one).
Comment 26 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-28 07:37:38 UTC
Thx Tobias.

Arches please test and mark stable. Target keywords are:

"alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-28 10:19:21 UTC
ppc stable
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2007-07-28 16:54:26 UTC
alpha/ia64/x86 stable
Comment 29 Steve Dibb (RETIRED) gentoo-dev 2007-07-28 17:34:52 UTC
amd64 stable
Comment 30 Jeroen Roovers gentoo-dev 2007-07-28 18:10:32 UTC
Stable for HPPA.
Comment 31 Markus Rothe (RETIRED) gentoo-dev 2007-07-30 07:07:32 UTC
ppc64 stable
Comment 32 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-30 12:13:37 UTC
sparc stable.
Comment 33 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-30 15:31:45 UTC
This one is ready for GLSA vote. Note that we should probably wait for bug #187120.
Comment 34 Matt Drew (RETIRED) gentoo-dev 2007-08-05 10:34:17 UTC
I vote yes pending bug #187120, which'll probably bump us up another rev at least.
Comment 35 Jakub Moc (RETIRED) gentoo-dev 2007-08-10 19:34:38 UTC
OK, arches please test and stabilize php-5.2.4_pre200708051230-r2. Most importantly, it fixes the apache segfaults in Bug 187120 (the session behaviour change regarding open_basedir/safe_mode was reverted upstream by the new patch). Other fixes include:

- floating point exception inside wordwrap()
- ArrayObject::exchangeArray hangs Apache (PHP bug #41691).

plus a bunch of others, unrelated to security.

Thanks!
Comment 36 Sune Kloppenborg Jeppesen gentoo-dev 2007-08-11 06:45:26 UTC
Back to stable to get the regression fixed. Arches please test and mark stable.
Comment 37 Raúl Porcel (RETIRED) gentoo-dev 2007-08-11 17:39:24 UTC
alpha/ia64/x86 stable
Comment 38 Steve Dibb (RETIRED) gentoo-dev 2007-08-12 19:40:11 UTC
amd64 stable
Comment 39 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-13 20:50:02 UTC
sparc stable.
Comment 40 Markus Rothe (RETIRED) gentoo-dev 2007-08-14 18:01:36 UTC
ppc64 stable
Comment 41 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-14 18:34:43 UTC
ppc stable
Comment 42 Jeroen Roovers gentoo-dev 2007-08-15 01:49:29 UTC
Stable for HPPA.
Comment 43 Ivan Yarych 2007-08-15 06:50:47 UTC
PHP 5.2.4 RC1 Released
http://ilia.ws/archives/175-5.2.4-RC1-Released.html
Comment 44 Jakub Moc (RETIRED) gentoo-dev 2007-08-15 06:53:09 UTC
(In reply to comment #43)
> PHP 5.2.4 RC1 Released
> http://ilia.ws/archives/175-5.2.4-RC1-Released.html

Thanks, but this snapshot is *newer* than RC1. 

Comment 45 Robert Buchholz (RETIRED) gentoo-dev 2007-09-26 21:40:49 UTC
Created attachment 131973
php-5.2.3-fixed-issues

Comprehensive list of security issues fixed here.
Comment 46 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-07 11:30:11 UTC
GLSA 200710-02, sorry for the delay.