Bug 189172 - =dev-lang/php-4*: Multiple vulnerabilities
Summary: =dev-lang/php-4*: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://cvs.php.net/viewvc.cgi/php-src...
Whiteboard: B? [glsa]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2007-08-16 22:32 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-08-09 22:12 UTC (History)
Description Christian Hoffmann (RETIRED) gentoo-dev 2007-08-16 22:32:12 UTC
php-4.4.7 is vulnerable to multiple security problems:
  * Segfault in gd extension with invalid color index data (DoS?)
  * MOPB-02-2007 [1] (DoS)
  * integer overflow inside chunk_split() (DoS?)
  * integer overflow in str[c]spn() (DoS?)
  * MOPB-03-2007 [2] (DoS)
  * open_basedir/safe_mode bypass using INFILE LOCAL with mysql (information disclosure?)
  * open_basedir/safe_mode bypass by using session.save_path or error_log in
  open_basedir and safe_mode (CVE-2007-3378) (local code execution under certain circumstances?)

No 4.4.8 release has been announced yet, which is why I packaged php-4.4.8_pre20070816 and added it to the php-testing overlay. It is supposed to fix all of the above-mentioned bugs, and I'm going to merge it to the tree in two days or so (so that more testing can happen).

Bug 180556 also mentions some of these vulnerabilities, but this bug is supposed to be the tracker for php-4* while the other is for php-5* now.


1 - http://php-security.org/MOPB/MOPB-02-2007.html
2 - http://php-security.org/MOPB/MOPB-03-2007.html
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2007-08-18 13:13:08 UTC
php-4.4.8_pre20070816 which is supposed to fix these issues is in the tree now.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-19 19:01:46 UTC
Arches please test and mark stable. Target keywords are:

php-4.4.8_pre20070816.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-19 21:00:47 UTC
grep FAIL `qlogs -f php-4.4.8`
 * Waiting for 361 to finish... Done!
FAIL Handling of max_input_nesting_level being reached [tests/basic/027.phpt]
FAIL Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt]
FAIL Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt]
FAIL Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill color) [ext/gd/tests/bug27582_1.phpt]
FAIL Bug #16069 [ext/iconv/tests/bug16069.phpt]
FAIL pspell basic tests (warning: may fail with pspell/aspell < GNU Aspell 0.50.3) [ext/pspell/tests/01pspell_basic.phpt]
FAIL Bug #41655: open_basedir bypass via glob() [ext/standard/tests/file/bug41655_1.phpt]
FAIL Invalid format type validation [ext/standard/tests/strings/unpack.phpt]
FAILED TEST SUMMARY

Stable for HPPA.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2007-08-20 18:51:13 UTC
(In reply to comment #3)
> grep FAIL `qlogs -f php-4.4.8`
>  * Waiting for 361 to finish... Done!
> FAIL Handling of max_input_nesting_level being reached [tests/basic/027.phpt]
Cannot reproduce this one, neither in portage environment nor with the usual run-tests.php.
> FAIL Bug #41655: open_basedir bypass via glob() [ext/standard/tests/file/bug41655_1.phpt]
This test fails if the test is run under /tmp (it assumes it is run somewhere else)... so for me this test PASSes in the portage environment; do you have PORTAGE_TMPDIR=/tmp by chance?
Anyway, I really don't think it can be broken on one arch and work on another.
All other test failures are either because of portage environment or failed in previous releases as well...

Comment 5 Markus Ullmann (RETIRED) gentoo-dev 2007-08-20 21:17:24 UTC
Stable on x86
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-21 17:47:45 UTC
sparc stable.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-22 14:58:44 UTC
ppc stable
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2007-08-23 00:05:48 UTC
amd64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-08-24 16:00:28 UTC
alpha/ia64 stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:21:00 UTC
ppc64 stable
Comment 11 Matt Drew (RETIRED) gentoo-dev 2007-09-05 00:21:33 UTC
I vote yes - this is a (sadly) major package, and these are longstanding, serious problems.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-08 12:02:36 UTC
voting yes too, we'll do a global glsa with bug #180556 and bug #179158.
Comment 13 Christian Hoffmann (RETIRED) gentoo-dev 2007-10-11 17:39:58 UTC
Ok, until now more vulnerabilities have been found (just to name some examples -- iconv* and dl() stuff, see php-5) and as discussed on IRC with the rest of the PHP team and security, we are going to mask =dev-lang/php-4* around Oct 18th. It's impossible for us to keep up with security problems as php-4 upstream is pretty inactive.
Security, I guess you want to send a mask GLSA in this case.
Comment 14 Christian Hoffmann (RETIRED) gentoo-dev 2007-10-19 19:53:55 UTC
=dev-lang/php-4* and related packages in p.mask now.
Comment 15 Andrei Ivanov 2007-10-20 07:20:42 UTC
So what's the solution, just upgrade to php5?
I have to choose between having an insecure server or the web sites that require php4 not working at all... :-(
Comment 16 Anant Narayanan (RETIRED) gentoo-dev 2007-10-20 07:25:04 UTC
(In reply to comment #15)
> I have to choose between having an insecure server or the web sites that
> require php4 not working at all... :-(

PHP 4 will be discontinued upstream in some time anyway; we highly recommend you upgrade to PHP 5.
Comment 17 Jakub Moc (RETIRED) gentoo-dev 2007-10-20 07:26:57 UTC
(In reply to comment #15)
> So what's the solution, just upgrade to php5?

Yes, that's the only solution since upstream development of PHP4 is dead.

http://www.gentoo.org/news/en/gwn/20071008-newsletter.xml#doc_chap1
http://forums.gentoo.org/viewtopic-t-597851.html
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-20 08:23:27 UTC
Actually we released GLSA 200710-02 [1] which tags PHP < 5.2.4_pxxxxxx as vulnerable. Since glsa-check isn't slot-aware, it considers PHP-4 vulnerable too. So I don't see the point in releasing another GLSA for PHP-4, I think we should just close this bug now. Any objections?

[1] http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml
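Comment 18 rests on one detail of how GLSA matching works: the advisory states an unaffected range ("PHP < 5.2.4_pxxxxxx is vulnerable"), and a checker that compares versions without regard to slots will flag an installed php:4 against it just as it flags an old php:5. The following Python is an added illustration written for this page, not the code of glsa-check or portage. It uses a deliberately simplified Gentoo version ordering (numeric components, then one optional `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffix), assumes that dev-lang/php's slot equals its major version, and, because the GLSA's exact `_p` snapshot is elided on this page, stands in a constructed fixed version `5.2.4_p0`. The installed version list is constructed sample data.

```python
"""Range-only versus slot-aware matching of a GLSA "fixed version".

Added example for this bug page; not glsa-check or portage code.
Version ordering is a simplified subset of the Gentoo rules.
"""
import re
from typing import List, Tuple

# Suffix ordering used by Gentoo: _alpha < _beta < _pre < _rc < (none) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

# Numeric dotted components, then at most one suffix with an optional number.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?$")


def parse_version(version: str) -> Tuple[List[int], int, int]:
    """Turn '4.4.8_pre20070816' into a key that sorts like Gentoo does.

    Returns (numeric components, suffix rank, suffix number). Tuples compare
    left to right, so '4.4.7' < '4.4.8_pre20070816' < '4.4.8' < '4.4.8_p1'.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    suffix = m.group(2) or ""
    suffix_num = int(m.group(3)) if m.group(3) else 0
    return numbers, SUFFIX_RANK[suffix], suffix_num


def is_below_fixed(installed: str, fixed: str) -> bool:
    """The rule as a GLSA states it: anything below the fixed version is vulnerable."""
    return parse_version(installed) < parse_version(fixed)


def slot_of(version: str) -> str:
    """Assumption for this example: dev-lang/php is slotted by major version."""
    return str(parse_version(version)[0][0])


def vulnerable_versions(installed: List[str], fixed: str, slot_aware: bool) -> List[str]:
    """Return the installed versions a checker would report against the GLSA.

    slot_aware=False reproduces the behaviour described in comment 18: the
    php-4 install is reported because 4.x < 5.2.4_p*, even though the advisory
    was written for the php-5 slot. slot_aware=True only judges versions that
    share the fixed version's slot and stays silent about the others.
    """
    flagged = []
    for version in installed:
        if slot_aware and slot_of(version) != slot_of(fixed):
            continue  # advisory says nothing about this slot; no verdict either way
        if is_below_fixed(version, fixed):
            flagged.append(version)
    return flagged


# Constructed stand-in for the elided "5.2.4_pxxxxxx" in GLSA 200710-02.
GLSA_FIXED_VERSION = "5.2.4_p0"

# Constructed sample of installed slots/versions on one host.
INSTALLED = ["4.4.8_pre20070816", "5.2.4", "5.2.4_p0"]


if __name__ == "__main__":
    print("range only :", vulnerable_versions(INSTALLED, GLSA_FIXED_VERSION, slot_aware=False))
    print("slot aware :", vulnerable_versions(INSTALLED, GLSA_FIXED_VERSION, slot_aware=True))
```

The range-only pass reports both `4.4.8_pre20070816` and `5.2.4`; the slot-aware pass reports only `5.2.4`. Note that the slot-aware result is not "php-4 is safe": it is "this advisory does not speak about php-4", which is exactly the ambiguity comment 19 suggests the GLSA text should have resolved for php-4 users.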
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2007-10-20 11:56:37 UTC
(In reply to comment #18)
> Actually we released GLSA 200710-02 [1] which tags PHP < 5.2.4_pxxxxxx as
> vulnerable. Since glsa-check isn't slot-aware, it considers PHP-4 vulnerable
> too. So I don't see the point in releasing another GLSA for PHP-4, I think we
> should just close this bug now. Any objections?

ACK. We could have made that clearer in the GLSA, though. Should we update it with a sentence in the resolution?
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-21 17:52:46 UTC
A note to php4 users would be nice I guess.
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-22 21:32:53 UTC
(In reply to comment #20)
> A note to php4 users would be nice I guess.
> 

http://forums.gentoo.org/viewtopic-t-597851.html

This post has also been seen on gentoo-announce on October 16th. Honestly, I don't see what we could add to that...
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-06 19:07:19 UTC
Finally closing, there was GLSA 200710-02, plus the post on forums and gentoo-announce (comment #21). Feel free to reopen if you disagree, but honestly I think users have been warned enough...
Comment 23 Sang Shuduo 2007-12-30 11:28:19 UTC
(In reply to comment #2)
> Arches please test and mark stable. Target keywords are:
> 
> php-4.4.8_pre20070816.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390
> sh sparc x86 ~x86-fbsd"
> 

How about mips? I can't see mips in the list, but I really need to run it on a mips server. Thanks.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 11:45:16 UTC
PHP 4.x is unsupported upstream and in Gentoo, sorry.

You could try asking the mips people directly in another bug.
Comment 25 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-09 22:12:33 UTC
Just for reference, php-4 has been removed from the tree entirely now. It is still available in the "php-4" overlay available via layman. Keep in mind that it is completely unsupported by security, so use it at your own risk...