| Summary: | <dev-lang/php-{5.3.23,5.4.13}: Multiple vulnerabilities in the SOAP extensions have been discovered and corrected (CVE-2013-{1635,1643}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | php-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/ | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=485252 | | |
| Whiteboard: | A4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Thomas Deutschmann (RETIRED)
2013-03-01 17:02:20 UTC
Thanks for the report, Thomas. Versions now available in the tree.

(In reply to comment #0)
> From $URL:
>
> PHP versions 5.3.22 and 5.4.12, which fix these vulnerabilities, were published on 21.02.2013. They are not yet available within Gentoo.

5.3.22 and 5.4.12 are still affected. These issues will be fixed in 5.4.13 and 5.4.23, which are both currently in RC1 and are expected soon.

(In reply to comment #2)
> 5.3.22 and 5.4.12 are still affected. These issues will be fixed in 5.4.13 and 5.4.23, which are both currently in RC1 and are expected soon.

Sure?

http://marc.info/?l=php-cvs&m=136135762417447&w=2

And have a look at the source code: https://github.com/php/php-src/tree/PHP-5.3.22/ext/soap

The fix was introduced with commit https://github.com/php/php-src/commit/8710d330dadf614d9ebb7e5d4dc62b4ce9c9eeda (just a cherry-pick; there are more related commits). Comparing with the current 5.3.23 tree, they didn't change anything (at least in ext/soap). Well, they fixed another (unrelated) TSRM bug.

But I must admit that it is not really clear. They posted to the mailing list that everyone should test 5.3.23RC because of the near release because of the mentioned CVE fixes. The prepared NEWS for 5.3.23 does also contain a notice about the CVEs (the NEWS for 5.3.22 doesn't).

...but because it is a minor, I agree with you that we can wait for 5.3.23 and 5.4.13, which should get released this week.

8e76d040

(In reply to comment #3)
> (In reply to comment #2)
> > 5.3.22 and 5.4.12 are still affected. These issues will be fixed in 5.4.13 and 5.4.23, which are both currently in RC1 and are expected soon.
>
> Sure?
>
> But I must admit that it is not really clear. They posted to the mailing list that everyone should test 5.3.23RC because of the near release because of the mentioned CVE fixes. The prepared NEWS for 5.3.23 does also contain a notice about the CVEs (the NEWS for 5.3.22 doesn't).

It is a bit unclear, but there are more recent commits that look related. Anyways, I should have the new versions ready by Friday if the release is on time.

CVE-2013-1643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1643): The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

CVE-2013-1635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1635): ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

Versions with fixes in the tree now. Ready for stabilisation.

Arches, please test and mark stable:
=dev-lang/php-5.3.23
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd"
=dev-lang/php-5.4.13
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos"

amd64 stable

x86 stable

ppc stable

ppc64 stable

alpha stable

arm stable

Stable for HPPA.

sh stable

ia64 stable

sparc stable

s390 stable

GLSA vote: yes

Added to existing GLSA request.

This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
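The CVE-2013-1635 entry in this bug describes the missing check between soap.wsdl_cache_dir and open_basedir. The following is an added example, not code from this bug, from Gentoo or from php-src: a PHP audit script (the function name wsdlCacheDirAllowed is this example's own) that reports whether the configured WSDL cache directory resolves inside open_basedir on the running interpreter. The fallback to the system temp dir and the process-global effect of the libxml entity loader setting at the end are this example's assumptions, and neither replaces upgrading to a fixed PHP.

```php
<?php
// Added example (not from the Gentoo bug or php-src): audit the relationship
// between soap.wsdl_cache_dir and open_basedir that CVE-2013-1635 describes
// as unvalidated in PHP < 5.3.22 and 5.4.x < 5.4.13.

/**
 * True when $dir resolves to a path at or below one of the open_basedir entries.
 * An empty open_basedir means no restriction, so every directory is allowed.
 */
function wsdlCacheDirAllowed(string $dir, string $openBasedir): bool
{
    $openBasedir = trim($openBasedir);
    if ($openBasedir === '') {
        return true; // no open_basedir restriction configured
    }
    // realpath() itself honours open_basedir, so a dir outside it yields false.
    $real = realpath($dir);
    if ($real === false) {
        return false; // cache dir unresolvable: nothing can be cached there safely
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $baseReal = realpath(trim($base));
        if ($baseReal === false) {
            continue; // entry points nowhere; it cannot authorise anything
        }
        // Compare with a trailing separator so that /var/www does not match /var/www2.
        $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($real . DIRECTORY_SEPARATOR, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Audit the running interpreter. Assumption: when the directive is unset,
// fall back to the system temp dir (php.ini's shipped default is /tmp).
$cacheDir    = ini_get('soap.wsdl_cache_dir') ?: sys_get_temp_dir();
$openBasedir = (string) ini_get('open_basedir');
printf("soap.wsdl_cache_dir=%s open_basedir=%s -> %s\n",
    $cacheDir, $openBasedir === '' ? '(unset)' : $openBasedir,
    wsdlCacheDirAllowed($cacheDir, $openBasedir) ? 'inside open_basedir' : 'OUTSIDE open_basedir');

// Assumption for CVE-2013-1643 on unpatched builds: PHP's libxml entity loader
// switch is process-global, so disabling it before creating a SoapClient also
// covers WSDL parsing. Deprecated since PHP 8.0, where loading is off by default.
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}
```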