From $URL:

Description: PHP does not validate the configuration directive soap.wsdl_cache_dir before writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to write remote wsdl files to arbitrary locations (CVE-2013-1635). PHP allows the use of external entities while parsing SOAP wsdl files, which allows an attacker to read arbitrary files. If a web application unserializes user-supplied data and tries to execute any method of it, an attacker can send a serialized SoapClient object initialized in non-wsdl mode, which will make PHP automatically parse the remote XML document specified in the location option parameter (CVE-2013-1643).

PHP versions 5.3.22 and 5.4.12, which fix these vulnerabilities, were published on 21.02.2013. They are not yet available within Gentoo.

Reproducible: Always
Thanks for the report, Thomas.
Versions now available in the tree.

(In reply to comment #0)
> From $URL:
>
> PHP version 5.3.22 and 5.4.12, which fixes these vulnerabilities were
> published on 21.02.2013. They are not yet available within Gentoo.
>
5.3.22 and 5.4.12 are still affected. These issues will be fixed in 5.4.13 and 5.4.23, which are both currently in RC1 and are expected soon.
(In reply to comment #2)
> 5.3.22 and 5.4.12 is still affected. These issues will be fixed in 5.4.13
> and 5.4.23, which are both currently in RC1, and is expected soon.

Sure? http://marc.info/?l=php-cvs&m=136135762417447&w=2

And have a look at the source code: https://github.com/php/php-src/tree/PHP-5.3.22/ext/soap

The fix was introduced with commit https://github.com/php/php-src/commit/8710d330dadf614d9ebb7e5d4dc62b4ce9c9eeda (just a cherry pick - there are more related commits). Comparing with the current 5.3.23 tree, they didn't change anything (at least in ext/soap). Well, they fixed another (unrelated) TSRM bug.

But I must admit that it is not really clear. They posted to the mailing list that everyone should test 5.3.23RC because of the near release because of the mentioned CVE fixes. The prepared NEWS for 5.3.23 does also contain a notice about the CVEs (the NEWS for 5.3.22 doesn't).

...but because it is a minor, I agree with you that we can wait for 5.3.23 and 5.4.13, which should get released this week.
8e76d040

(In reply to comment #3)
> (In reply to comment #2)
> > 5.3.22 and 5.4.12 is still affected. These issues will be fixed in 5.4.13
> > and 5.4.23, which are both currently in RC1, and is expected soon.
>
> Sure?
>
> But I must admit , that it is not really clear. They posted to the mailing
> list, that everyone should test 5.3.23RC because of the near release because
> of the mentioned CVE fixes. The prepared NEWS for 5.3.23 does also contain a
> notice about the CVEs (the NEWS for 5.3.22 doesn't).
>
It is a bit unclear, but there are more recent commits that look related. Anyway, I should have the new versions ready by Friday if the release is on time.
CVE-2013-1643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1643): The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

CVE-2013-1635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1635): ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.
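As an added defensive example (not code from the report, from PHP's ext/soap, or from Gentoo), the following userland pre-check addresses the root cause described for CVE-2013-1635: it refuses on-disk WSDL caching whenever soap.wsdl_cache_dir resolves outside the configured open_basedir. The function names and the way the result is fed into SoapClient options are assumptions made for this example.

```php
<?php
// Added example: a userland check that the directory PHP will write WSDL cache
// files into lies within open_basedir. Function names are assumptions.

function pathWithinBasedir($path, $basedir)
{
    // open_basedir may list several directories separated by PATH_SEPARATOR.
    foreach (explode(PATH_SEPARATOR, $basedir) as $allowed) {
        $allowed = rtrim($allowed, '/');
        if ($allowed === '') {
            continue;
        }
        // Prefix match bounded by a separator, so /tmp/cache does not
        // accidentally satisfy an open_basedir of /tmp/cach.
        if ($path === $allowed || strncmp($path, $allowed . '/', strlen($allowed) + 1) === 0) {
            return true;
        }
    }
    return false;
}

function wsdlCacheDirAllowed()
{
    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        return true; // no open_basedir restriction configured at all
    }
    // realpath() resolves symlinks and "..", so the comparison is done on the
    // directory that would actually receive the cache files.
    $cacheDir = realpath(ini_get('soap.wsdl_cache_dir'));
    if ($cacheDir === false) {
        return false; // directory missing: refuse rather than let PHP create it
    }
    return pathWithinBasedir($cacheDir, $basedir);
}

// Usage: fall back to in-memory-only behaviour (no cache files written) when
// the configured cache directory is outside open_basedir. The WSDL URL is a
// constructed placeholder for this example.
$options = array(
    'cache_wsdl' => wsdlCacheDirAllowed() ? WSDL_CACHE_DISK : WSDL_CACHE_NONE,
);
$client = new SoapClient('https://example.invalid/service?wsdl', $options);
```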
Versions with fixes in the tree now. Ready for stabilisation.
Arches, please test and mark stable:

=dev-lang/php-5.3.23
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd"

=dev-lang/php-5.4.13
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos"
amd64 stable
x86 stable
ppc stable
ppc64 stable
alpha stable
arm stable
Stable for HPPA.
sh stable
ia64 stable
sparc stable
s390 stable
GLSA vote: yes
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
Thanks for sharing this information.