| Summary: | dev-php/{mod_php,php,php-cgi}-5.0.4 includes critical security fixes |
|---|---|
| Product: | Gentoo Security |
| Reporter: | Andreas Korthaus <akorthaus> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | trivial |
| CC: | gentoo, GertThiel, gurligebis, hanno, jlp.bugs, mail, me, php-bugs, security, umbra, voxus |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.php.net/ChangeLog-5.php |
| Whiteboard: | ~1 [noglsa] jaervosz |
| Package list: | |
| Runtime testing required: | --- |
| Attachments: | 55756 (php-5.0.4.ebuild changes), 55757 (php-cgi-5.0.4.ebuild changes), see below |
Description
Andreas Korthaus
2005-03-31 14:41:31 UTC
Isn't it a "security release"? "The addressed security issues include fixes to the exif and fbsql extensions, as well as fixes to unserialize(), swf_definepoly() and getimagesize()."

Perhaps 5.0.4 will be re-released: http://news.php.net/php.internals/15720 (I'm not sure if it's a joke...)

It wasn't an April Fool's joke ;-) PHP 5.0.4 has been re-released: http://news.php.net/php.internals/15738

old release, 31 Mar 2005:
* PHP 5.0.4 (tar.bz2) [4,618Kb] - 31 Mar 2005 md5: 47727afde39329d5cebda4cb5e5ecee0
* PHP 5.0.4 (tar.gz) [5,700Kb] - 31 Mar 2005 md5: c8f5fa441fd99c1b363bd2a071a0bd97

new release, 03 Apr 2005:
* PHP 5.0.4 (tar.bz2) [4,620Kb] - 03 Apr 2005 md5: fb1aac107870f897d26563a9cc5053c0
* PHP 5.0.4 (tar.gz) [5,702Kb] - 03 Apr 2005 md5: 8edf259bcfab4cfc890a4bb4e7c3649f

Note: The PHP 5.0.4 source packages were re-released due to a missing file in the embedded PEAR distribution. There are no changes in this re-release other than the addition of the missing file. http://www.php.net/downloads.php#v5

I did the following to get php-5.0.4 and php-cgi-5.0.4:

For php:

    cd /usr/portage/dev-php/php
    cp php-5.0.3-r1.ebuild php-5.0.4.ebuild

Remove both patches. ebuild manifest + digest.

For php-cgi:

    cd /usr/portage/dev-php/php-cgi
    cp php-cgi-5.0.3.ebuild php-cgi-5.0.4.ebuild

Remove the patch. ebuild manifest + digest.

Worked out fine for me, using the re-release of 5.0.4.

The patches removed are:

php-5.0.3-missing-arches.patch: Adds ia64 and s390 for some check. The respective code seems to be refactored in 5.0.4, and since I see no mention of any specific arch there (except to cope with some ARM speciality) I'd guess that the patch is no longer needed. But I can't say that for sure.

libmbfl-headers.patch: This one seems to have made it into this release of PHP, so it's no longer needed.

Created attachment 55756 [details, diff]
Changes for php-5.0.3-r1.ebuild to make it work as php-5.0.4.ebuild. Removes two patches (not sure about the one for ia64 and s390; the other one is already in php-5.0.4.tar.bz2). Tested on amd64.

Created attachment 55757 [details, diff]
Changes for php-cgi-5.0.3.ebuild to make it work as php-cgi-5.0.4.ebuild. Removes one patch for ia64 and s390. Not sure whether it is still needed, as the file being patched seems to have been refactored. Tested on amd64.
Release of php-4.3.11: http://bugs.gentoo.org/show_bug.cgi?id=87517

Security Advisory for 4.3.11 and 5.0.4: http://www.idefense.com/application/poi/display?id=222

Sadly, it seems as if PHP5 will not get unmasked soon: http://bugs.gentoo.org/show_bug.cgi?id=87517#10

When I use this, I get the following:

    Installing helper programs: /var/tmp/portage/php-5.0.4/image//usr/bin/
      program: phpize
      program: php-config
      program: phpextdist
    make: Nothing to be done for `install'.
    make: Nothing to be done for `install'.
    make: Nothing to be done for `install'.
    make: Nothing to be done for `install'.
     * Setting extension_dir in php.ini
     * Setting correct include_path
     * Fixing PEAR cache location
    man: gzipping man page: php.1
    prepallstrip: strip: strip --strip-unneeded
    strip: strip --strip-unneeded
       usr/bin/php
       usr/lib/libphp5.so
    usr/lib/libphp5.so will contain runtime text relocations
    Text relocations require a lot of extra work to be preformed by the
    dynamic linker which will cause serious performance impact on IA-32
    and might not function properly on other architectures hppa for example.
    If you are a programmer please take a closer look at this package and
    consider writing a patch which addresses this problem.
    making executable: /usr/lib/libphp5.so
    >>> Completed installing php-5.0.4 into /var/tmp/portage/php-5.0.4/image/

    --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
    LOG FILE = "/tmp/sandbox-dev-php_-_php-5.0.4-12624.log"

    open_wr: /var/lib/net-snmp/snmpapp.conf
    open_wr: /var/lib/net-snmp/snmpapp.conf
    open_wr: /var/lib/net-snmp/snmpapp.conf
    open_wr: /var/lib/net-snmp/snmpapp.conf
    open_wr: /var/lib/net-snmp/snmpapp.conf
    open_wr: /var/lib/net-snmp/snmpapp.conf
    --------------------------------------------------------------------------------

    tombstone php # ls -a /var/lib/net-snmp/
    .  ..  .keep

emerge info:

    tombstone php # emerge info
    Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.4.27-gentoo-r1 i686)
    =================================================================
    System uname: 2.4.27-gentoo-r1 i686 Intel(R) Xeon(TM) CPU 2.40GHz
    Gentoo Base System version 1.4.16
    Python: dev-lang/python-2.3.3,dev-lang/python-2.1.3-r1 [2.3.3 (#1, Feb 19 2004, 15:11:46)]
    distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
    ccache version 2.3 [enabled]
    dev-lang/python: 2.3.3, 2.1.3-r1
    sys-devel/autoconf: 2.59-r5
    sys-devel/automake: 1.8.5-r1
    sys-devel/binutils: 2.15.90.0.1.1-r3
    sys-devel/libtool: 1.5.2-r7
    virtual/os-headers: 2.4.21
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/afs/C /etc/afs/afsws /etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
    GENTOO_MIRRORS="ftp://vlaai.snt.ipv6.utwente.nl/pub/os/linux/gentoo/ http://128.213.5.34/gentoo/ http://mirror.datapipe.net/gentoo"
    MAKEOPTS="-j5"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
    USE="acl afs alsa apache2 apm avi bash-completion bcmath berkdb bitmap-fonts crypt cups curl doc emacs emacs-w3 emboss encode esd ethereal fam fdftk firebird flac flash foomaticdb fortran gd gdbm gif gpm gtk gtk2 guile hardenedphp icq imagemagick imap imlib inetd innodb ipv6 jabber jack java jikes jpeg junit kerberos krb4 ldap libg++ libwww mad maildir mcal mikmod ming motif mp3 mpatrol mpeg mysql ncurses nls odbc oggvorbis opengl oss pam pdflib perl png postgis postgres ppds prelude proj python qt quicktime readline ruby samba sasl sdl slang slp snmp spell sqlite sse ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb vhosts x86 xml xml2 xmms xpm xv yaz zeo zlib"
    Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

    tombstone php # epm -qa|grep apache
    apache-manual-2.0.49-r1
    apache-2.0.54 (local ebuild is copy of 2.0.53)
    tombstone php # epm -qa |grep php
    phpmyadmin-2.6.2_rc1
    php-docs-200403
    php-5.0.3 (portage ebuild)
    mod_php-5.0.4 (local ebuild is copy of 5.0.3-r2)

Never mind... I noticed a comment somewhere indicating that snmp in php5 is broken now, so this works with USE="-snmp".

There seems to be a problem with my posted security advisory link above, here is another one: http://secunia.com/advisories/14792/

    Critical: Highly critical
    Impact: Unknown, DoS, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: PHP 4.2.x, PHP 4.3.x, PHP 5.0.x

Every system checking image uploads using getimagesize(), as recommended in the manual, is open to this "highly critical remote access"! So I recommend upgrading to the ebuilds posted by Kevin, as there is still no 5.0.4 ebuild in portage, and no unmasked mod_php-5 ebuild for 6 weeks now. For me it worked, thank you Kevin!

The getimagesize() bug is not really new. But I would also suggest providing a php-5.0.4 in the portage tree for those who are using it. Unmasking mod_php5 is probably another story. BTW I have been using php5 for some months now without any real problems on a site with about 100-200 visitors a day.

It's not new? The one with possible remote execution? This one is the biggest problem (IMHO): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1042

"Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code via an IFD tag that leads to a negative byte count."

This fix for 4.3.11 has also been merged into 5.0.4: http://cvs.php.net/php-src/ext/exif/exif.c?r1=1.170&onb=0

I have used mod_php-5.0.3-r2.ebuild for some time in a production environment on different servers without any problems, and have been using 5.0.4 for some weeks now (I have applications which need php5). I wrote about some (small) problems with mod_php-5.0.3-r2.ebuild in the following bug: http://bugs.gentoo.org/show_bug.cgi?id=88082 (--enable-maintainer-zts, not --enable-experimental-zts, why is php5-prefork.patch needed)

Thanks to Stuart, mod_php-5.0.4 is in portage now (still masked)!
http://packagestest.gentoo.org/ebuilds/?mod_php-5.0.4
http://stu.gnqs.org/diary/gentoo.php?title=mod_php_5_0_4_now_in_portage&more=1&c=1&tb=1&pb=1

*** Bug 88696 has been marked as a duplicate of this bug. ***

I unmasked and installed 5.0.4 on PPC with no trouble at all with Apache 2.0.54.

This is a security issue, why isn't it assigned to security? Besides that, a security fix is not an "enhancement".

security: php5 is hard-masked, and you already released all of the relevant GLSAs (as the bugs were in 4.3.10 as well).

php5 is not masked!

    laverne portage # grep php-5 /usr/portage/profiles/package.mask
    =dev-php/mod_php-5*

Only mod_php is masked, standalone php is not, so the current version in portage is vulnerable. Robin, please bump or mask.

php-5.0.4 in the tree now. Note that some arch keywords were dropped due to a new dependency. sparc, ppc64, arm, ia64: please add the ~ keyword to dev-php/php-5.0.4 if you can.

Robin: I guess you should bump php-cgi too, as the current ~ version (unmasked) is vulnerable too.

added ~ppc64

Hm. Now they are all masked and at 5.0.4 level. So we're done from security POV. Please reopen if you disagree.
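The CAN-2005-1042 description quoted in the thread, "an IFD tag that leads to a negative byte count", names a bug class rather than a single line of code: an EXIF/TIFF IFD entry carries a 32-bit component count and a type code, the parser multiplies count by the type's width, and if that product is computed in 32 bits and kept in a signed int it can wrap to a negative number that then passes a "does it fit in the buffer?" comparison. The following is an added example written for this page, not PHP's exif.c and not the fix referenced from cvs.php.net; it parses a constructed 44-byte little-endian TIFF blob (embedded inline, not a real camera file) with one benign entry and one entry whose count is chosen so that count times width is exactly 2^31, and shows the naive 32-bit computation beside a hardened one. All function and variable names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte width of TIFF/EXIF data types 1..12 (index 0 marks an invalid type code). */
static const uint32_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* One 12-byte IFD entry of a little-endian ("II") TIFF: tag, type, count, value/offset. */
struct ifd_entry {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t value_or_offset;
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static struct ifd_entry parse_entry(const uint8_t *tiff, size_t entry_off) {
    struct ifd_entry e;
    e.tag = rd16le(tiff + entry_off);
    e.type = rd16le(tiff + entry_off + 2);
    e.count = rd32le(tiff + entry_off + 4);
    e.value_or_offset = rd32le(tiff + entry_off + 8);
    return e;
}

/* Vulnerable pattern: count * width computed in 32 bits and stored in a signed int.
 * count = 0x10000000 with an 8-byte type gives 2^31, which reads back as INT32_MIN.
 * (The unsigned product wraps by definition; the cast to int32_t is implementation-
 * defined in C and yields INT32_MIN on every mainstream compiler.) */
int32_t naive_byte_count_at(const uint8_t *tiff, size_t entry_off) {
    struct ifd_entry e = parse_entry(tiff, entry_off);
    uint32_t width = e.type < 13 ? tiff_type_size[e.type] : 0;
    return (int32_t)(e.count * width);
}

/* The fit check that a negative byte count slips through: any negative value is
 * <= remaining, so a caller would go on to copy or allocate with it. Returns 1 if accepted. */
int naive_accepts(const uint8_t *tiff, size_t entry_off, int32_t remaining) {
    return naive_byte_count_at(tiff, entry_off) <= remaining;
}

/* Hardened: reject unknown types, multiply in 64 bits (two 32-bit factors cannot
 * wrap there), and require the result to fit inside the blob. Returns -1 to reject. */
int64_t checked_byte_count_at(const uint8_t *tiff, size_t tiff_len, size_t entry_off) {
    if (entry_off > tiff_len || tiff_len - entry_off < 12) return -1;
    struct ifd_entry e = parse_entry(tiff, entry_off);
    if (e.type == 0 || e.type >= 13) return -1;
    uint64_t bc = (uint64_t)e.count * tiff_type_size[e.type];
    if (bc > tiff_len) return -1;
    return (int64_t)bc;
}

/* Locate an entry's payload: up to 4 bytes live inline in the value field, anything
 * larger sits at value_or_offset and must lie entirely inside the blob. NULL = reject. */
const uint8_t *entry_data(const uint8_t *tiff, size_t tiff_len, size_t entry_off) {
    int64_t bc = checked_byte_count_at(tiff, tiff_len, entry_off);
    if (bc < 0) return NULL;
    if (bc <= 4) return tiff + entry_off + 8;
    uint32_t off = rd32le(tiff + entry_off + 8);
    if (off > tiff_len || (uint64_t)bc > tiff_len - off) return NULL;
    return tiff + off;
}

/* Constructed sample blob (assumption: not from any real file). Header, IFD with two
 * entries, next-IFD pointer, then "Canon\0" at offset 38.
 * Entry at offset 10: tag 0x010F (Make), ASCII, count 6, offset 38  -> benign.
 * Entry at offset 22: tag 0x011A, RATIONAL (8 bytes), count 0x10000000 -> 2^31 bytes. */
const uint8_t sample_tiff[44] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x02, 0x00,
    0x0F, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00,
    0x1A, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x26, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    'C', 'a', 'n', 'o', 'n', 0x00,
};
const size_t sample_tiff_len = sizeof sample_tiff;

int main(void) {
    size_t offs[2] = {10, 22};
    for (int i = 0; i < 2; i++) {
        int32_t naive = naive_byte_count_at(sample_tiff, offs[i]);
        int64_t checked = checked_byte_count_at(sample_tiff, sample_tiff_len, offs[i]);
        printf("entry at %zu: naive=%d naive_accepts=%d checked=%lld\n", offs[i], naive,
               naive_accepts(sample_tiff, offs[i], 6), (long long)checked);
    }
    return 0;
}
```

The benign entry yields 6 from both computations and entry_data() points at "Canon"; the crafted entry yields INT32_MIN from the naive path, which the naive fit check accepts, while the checked path returns -1 and entry_data() returns NULL. The same discipline applies to any length derived from attacker-controlled image metadata: the point the thread makes about getimagesize() is that a routine used as an upload sanity check is itself a parser of untrusted input.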