Bug 589232 (CVE-2016-5385, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297)

Summary: <dev-lang/php-5.6.24: HTTPoxy + other vulnerabilities
Product: Gentoo Security Reporter: Aaron Bauman (RETIRED) <bman>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: hanno, himbeere, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://php.net/releases/5_6_24.php
Whiteboard: A4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 589224    

Description Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 12:48:58 UTC
HTTPoxy vulnerability
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 12:49:18 UTC
CVE-2016-5385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385):
  PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
  namespace conflicts and therefore does not protect applications from the
  presence of untrusted client data in the HTTP_PROXY environment variable,
  which might allow remote attackers to redirect an application's outbound
  HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
  HTTP request, as demonstrated by (1) an application that makes a
  getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an
  "httpoxy" issue.
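The namespace collision described in the CVE text above, as an added example in Python that is not code from PHP, from the web servers involved, or from this bug: a minimal RFC 3875 section 4.1.18 mapping of client headers to `HTTP_*` meta-variables, the blind `HTTP_PROXY` lookup an HTTP client library would make, and the two mitigations that were deployed for httpoxy (drop the `Proxy` header at the gateway, and ignore `HTTP_PROXY` in the application when the process is a CGI request). The sample request, the host names and the `CGI_HTTP_PROXY` fallback name are constructed for the demonstration; `CGI_HTTP_PROXY` follows the alternative variable name some httpoxy fixes adopted and is treated here as an assumption, not as PHP's own fix.

```python
"""Added example (not PHP or Gentoo code): why a client-supplied Proxy header
becomes HTTP_PROXY under CGI, and how each side can stop trusting it."""

import re


def cgi_meta_variables(headers, method="GET"):
    """Build the CGI environment the way RFC 3875 section 4.1.18 describes:
    every client header becomes HTTP_<NAME>, upper-cased, with '-' and other
    non-alphanumerics replaced by '_'. Nothing is special-cased, so a
    'Proxy:' header lands in HTTP_PROXY, the same name that HTTP client
    libraries read for their outbound proxy setting."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        meta = "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", name).upper()
        env[meta] = value
    return env


def hardened_cgi_meta_variables(headers, method="GET"):
    """Gateway-side mitigation: discard the 'Proxy' header before mapping.
    This is what the 'unset Proxy' style web-server fixes for httpoxy do;
    no legitimate client sends a Proxy request header."""
    kept = [(n, v) for n, v in headers if n.lower() != "proxy"]
    return cgi_meta_variables(kept, method)


def outbound_proxy(env):
    """Vulnerable application-side lookup: trusts HTTP_PROXY unconditionally,
    as a library that mirrors getenv('HTTP_PROXY') would."""
    return env.get("HTTP_PROXY")


def outbound_proxy_safe(env):
    """Application-side mitigation: under CGI, REQUEST_METHOD is always set by
    the gateway, so its presence means the environment carries request data.
    In that case ignore HTTP_PROXY and honour only a gateway-reserved name
    (CGI_HTTP_PROXY, an assumed convention here); otherwise HTTP_PROXY is the
    operator's own configuration and may be used."""
    if "REQUEST_METHOD" in env:
        return env.get("CGI_HTTP_PROXY")
    return env.get("HTTP_PROXY")


# Constructed sample request: the last header is the attacker's contribution.
SAMPLE_HEADERS = [
    ("Host", "shop.example"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://attacker.example:8080"),
]


def demo():
    """Return (vulnerable result, safe result, hardened gateway result)."""
    env = cgi_meta_variables(SAMPLE_HEADERS)
    hardened = hardened_cgi_meta_variables(SAMPLE_HEADERS)
    return outbound_proxy(env), outbound_proxy_safe(env), outbound_proxy(hardened)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` shows the attacker's proxy being honoured by the naive lookup, and `None` from both mitigations; a real `HTTP_PROXY` set by the operator in a non-CGI process (no `REQUEST_METHOD`) is still honoured by `outbound_proxy_safe`.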
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-23 08:53:33 UTC
This issue has been fixed in 5.6.24, 5.5.38, and 7.0.9.
Comment 3 Brian Evans (RETIRED) gentoo-dev 2016-07-26 13:19:01 UTC
*** Bug 589744 has been marked as a duplicate of this bug. ***
Comment 4 Brian Evans (RETIRED) gentoo-dev 2016-07-26 13:20:58 UTC
(In reply to Hanno Boeck from comment #0)
> The latest PHP updates fix a worrying number of security issues. 
> 
> These from the upstream changelog sound like being security relevant (for
> 7.0.9, but most issues affect all three version trees):
> Fixed bug #72513 (Stack-based buffer overflow vulnerability in
> virtual_file_ex).
> Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and
> applications).
> Fixed bug #72541 (size_t overflow lead to heap corruption).
> Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
> Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
> access).
> Fixed bug #72519 (imagegif/output out-of-bounds access).
> Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
> Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
> Fixed bug #72494 (imagecropauto out-of-bounds access).
> Fixed bug #72533 (locale_accept_from_http out-of-bounds access).
> Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read
> access).
> Fixed bug #72399 (Use-After-Free in MBString (search_re)).
> Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to
> heap overflow in mdecrypt_generic).
> Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
> Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).
> Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
> Deserialization).
> Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
> unserialize()).
> Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn
> simplestring.c).
> Fixed bug #72520 (Stack-based buffer overflow vulnerability in
> php_stream_zip_opener).
> 
> This one
> https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-
> dollar/
> got a bit more public attention.
> 
> Please bump. Not sure if 5.5.x should still be bumped or just declared to be
> deprecated, as it won't receive any further security updates.
Comment 5 Brian Evans (RETIRED) gentoo-dev 2016-07-26 14:53:14 UTC
Arches, please test and mark stable:
=dev-lang/php-5.5.38
=dev-lang/php-5.6.24
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 6 Michael Orlitzky gentoo-dev 2016-07-26 21:51:47 UTC
I had some unrelated changes staged that collided with this fix. I've pushed them as dev-lang/php-5.6.24-r1, which you SHOULD NOT stabilize as part of this bug. Brian's dev-lang/php-5.6.24 (no -r1) is safer.
Comment 7 Agostino Sarubbo gentoo-dev 2016-07-28 08:44:48 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-07-28 14:10:02 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-28 18:56:37 UTC
Stable for PPC64.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-30 07:54:24 UTC
Stable for HPPA.
Comment 11 Markus Meier gentoo-dev 2016-08-10 19:38:32 UTC
arm stable
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-03 08:18:55 UTC
Stable on alpha.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-04 18:58:58 UTC
PHP 5.5 was removed from the visibility of this bug due to commit c34a770c53d85ea5cd446c2d20af39f33107775b which masked the version:

> # Brian Evans <grknight@gentoo.org> (22 Aug 2016)
> # PHP 5.5 has reached end of life and will no longer receive security updates.
> # Also include associated packages which do not work on newer versions
> # Removal in 90 days
> virtual/httpd-php:5.5
> dev-lang/php:5.5
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 09:21:58 UTC
PHP 5.5 is masked per Thomas' comments and all vulnerable versions removed.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 09:23:06 UTC
Removing stabilization dependency.