Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 512492 (CVE-2014-3981)

Summary: <dev-lang/php-{5.4.30,5.5.14}: insecure temporary file use in the configure script (CVE-2014-3981)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1104999
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-06-05 08:53:48 UTC
From ${URL} :

It was reported[1] to the full-disclosure mailing list that PHP's configure script uses a predictable 
filename in /tmp/, "/tmp/phpglibccheck". A local attacker could use this flaw to perform a symbolic link 
attack against a user building the source RPM or running the configure script.

[1] http://seclists.org/fulldisclosure/2014/Jun/21


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-22 18:57:03 UTC
This issue has been assigned CVE-2014-3981 [0]. An initial commit to attempt to fix this issue is found in [1] however note RedHat's comment regarding the quality of it in [2]. As far as I know this still not been included in any released version. 


References: 
[0] http://seclists.org/oss-sec/2014/q2/483
[1] http://git.php.net/?p=php-src.git;a=commitdiff;h=91bcadd
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1104978#c4
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2014-06-27 10:41:21 UTC
Ebuild for this one has been committed and can be stabilised
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-27 15:24:44 UTC
Thanks Ole. 

This issue is reported as fixed in 5.4.30 and 5.5.14 now included in the tree
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-06-27 16:16:49 UTC
Arches, please test and mark stable:

=dev-lang/php-5.4.30
=dev-lang/php-5.5.14

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

Thank you!
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-06-27 16:28:11 UTC
CVE-2014-3981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3981):
  acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier,
  allows local users to overwrite arbitrary files via a symlink attack on the
  /tmp/phpglibccheck file.
Comment 6 Agostino Sarubbo gentoo-dev 2014-06-28 09:58:37 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-28 21:29:01 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2014-06-29 18:55:47 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-07-05 11:24:34 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-07-05 11:26:31 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-07-05 11:27:14 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-07-05 11:27:39 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-07-05 11:28:03 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-07-05 11:29:19 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 20:07:45 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

Added to existing GLSA Request
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-17 15:08:10 UTC
@maintainers: thanks for cleanup
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:27:57 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).