Bug 459904 (CVE-2013-1635) - <dev-lang/php-{5.3.23,5.4.13}: Multiple vulnerabilities in the SOAP extension have been discovered and corrected (CVE-2013-{1635,1643})
Summary: <dev-lang/php-{5.3.23,5.4.13}: Multiple vulnerabilities in the SOAP extension...
Status: RESOLVED FIXED
Alias: CVE-2013-1635
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.mandriva.com/en/support/se...
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-01 17:02 UTC by Thomas Deutschmann (RETIRED)
Modified: 2014-12-12 10:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Thomas Deutschmann (RETIRED) gentoo-dev 2013-03-01 17:02:20 UTC
From $URL:

Description:
PHP does not validate the configuration directive soap.wsdl_cache_dir
before writing SOAP wsdl cache files to the filesystem. Thus an
attacker is able to write remote wsdl files to arbitrary locations
(CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl
files which allows an attacker to read arbitrary files. If a web
application unserializes user-supplied data and tries to execute
any method of it, an attacker can send serialized SoapClient
object initialized in non-wsdl mode which will make PHP to parse
automatically remote XML-document specified in the location option
parameter (CVE-2013-1643).


PHP versions 5.3.22 and 5.4.12, which fix these vulnerabilities, were published on 21.02.2013. They are not yet available within Gentoo.

Reproducible: Always
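As an added illustration of the first issue (not code from this bug report or from PHP itself), the following userland audit approximates the open_basedir prefix check that the fixed ext/soap applies to soap.wsdl_cache_dir before writing cache files, so an administrator on a not-yet-updated 5.3/5.4 host can see whether the cache directory escapes the configured jail. The authoritative check lives in the interpreter; the function name and the constructed temp-dir paths in the self-check are assumptions of this example.

```php
<?php
// Added example, not code from this bug or from PHP: a userland audit
// for the CVE-2013-1635 condition. It approximates the open_basedir
// prefix check that the patched ext/soap applies to soap.wsdl_cache_dir.

// Return true when $cacheDir resolves to a path inside one of the
// open_basedir entries (PATH_SEPARATOR-separated, as in php.ini).
function cacheDirWithinBasedir($cacheDir, $openBasedir)
{
    if ($openBasedir === false || $openBasedir === '') {
        return true; // no open_basedir configured: nothing to bypass
    }
    $real = realpath($cacheDir);
    if ($real === false) {
        return false; // cannot be resolved now; treat it as not covered
    }
    // Trailing separator so "/var/www" does not also accept "/var/www2".
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $baseReal = realpath($base);
        if ($baseReal === false) {
            continue; // an unresolvable entry grants nothing
        }
        $baseReal = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($real, $baseReal) === 0) {
            return true;
        }
    }
    return false;
}

// Audit the live configuration of this PHP process.
$cacheDir = ini_get('soap.wsdl_cache_dir');
$basedir  = ini_get('open_basedir');
if ((int) ini_get('soap.wsdl_cache_enabled') === 1
    && !cacheDirWithinBasedir($cacheDir, $basedir)) {
    echo "WARNING: soap.wsdl_cache_dir ($cacheDir) lies outside open_basedir ($basedir)\n";
}

// Self-check on constructed paths: the temp dir is inside itself, and a
// cache dir outside every listed entry is rejected.
$tmp = sys_get_temp_dir();
assert(cacheDirWithinBasedir($tmp, $tmp) === true);
assert(cacheDirWithinBasedir($tmp, $tmp . DIRECTORY_SEPARATOR . 'jail') === false);
```

For the second issue (CVE-2013-1643) there is no equivalent userland check: the exposure comes from unserializing attacker-controlled data into a SoapClient, so the mitigation short of upgrading is to stop passing untrusted input to unserialize().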
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 02:03:27 UTC
Thanks for the report, Thomas.
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2013-03-04 11:52:36 UTC
Versions now available in the tree.

(In reply to comment #0)
> From $URL:
> 
> PHP version 5.3.22 and 5.4.12, which fixes these vulnerabilities were
> published on 21.02.2013. They are not yet available within Gentoo.
> 

5.3.22 and 5.4.12 are still affected. These issues will be fixed in 5.4.13 and 5.4.23, which are both currently in RC1 and are expected soon.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2013-03-04 12:31:45 UTC
(In reply to comment #2)
> 5.3.22 and 5.4.12 are still affected. These issues will be fixed in 5.4.13
> and 5.4.23, which are both currently in RC1 and are expected soon.

Sure?

http://marc.info/?l=php-cvs&m=136135762417447&w=2

And have a look at the source code: https://github.com/php/php-src/tree/PHP-5.3.22/ext/soap

The fix was introduced with commit https://github.com/php/php-src/commit/8710d330dadf614d9ebb7e5d4dc62b4ce9c9eeda (just a cherry pick - there are more related commits).

Comparing with the current 5.3.23 tree, they didn't change anything (at least in ext/soap). Well, they fixed another (unrelated) TSRM bug.

But I must admit that it is not really clear. They posted to the mailing list that everyone should test 5.3.23RC because of the near release because of the mentioned CVE fixes. The prepared NEWS for 5.3.23 also contains a notice about the CVEs (the NEWS for 5.3.22 doesn't).

...but because it is a minor, I agree with you that we can wait for 5.3.23 and 5.4.13, which should get released this week.
Comment 4 Ole Markus With (RETIRED) gentoo-dev 2013-03-04 14:17:15 UTC
8e76d040

(In reply to comment #3)
> (In reply to comment #2)
> > 5.3.22 and 5.4.12 are still affected. These issues will be fixed in 5.4.13
> > and 5.4.23, which are both currently in RC1 and are expected soon.
> 
> Sure?
> 
> But I must admit that it is not really clear. They posted to the mailing
> list that everyone should test 5.3.23RC because of the near release because
> of the mentioned CVE fixes. The prepared NEWS for 5.3.23 also contains a
> notice about the CVEs (the NEWS for 5.3.22 doesn't).
> 

It is a bit unclear, but there are more recent commits that look related.

Anyways, I should have the new versions ready by Friday if the release is on time.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-03-06 23:31:30 UTC
CVE-2013-1643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1643):
  The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote
  attackers to read arbitrary files via a SOAP WSDL file containing an XML
  external entity declaration in conjunction with an entity reference, related
  to an XML External Entity (XXE) issue in the soap_xmlParseFile and
  soap_xmlParseMemory functions.

CVE-2013-1635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1635):
  ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not
  validate the relationship between the soap.wsdl_cache_dir directive and the
  open_basedir directive, which allows remote attackers to bypass intended
  access restrictions by triggering the creation of cached SOAP WSDL files in
  an arbitrary directory.
Comment 6 Ole Markus With (RETIRED) gentoo-dev 2013-03-17 18:35:02 UTC
Versions with fixes in the tree now. Ready for stabilisation.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-20 23:14:07 UTC
Arches, please test and mark stable:
=dev-lang/php-5.3.23
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd"

=dev-lang/php-5.4.13
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos"
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-22 16:16:54 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-03-22 16:19:42 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-03-23 14:07:50 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-03-23 14:08:13 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-23 14:08:38 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-23 14:09:02 UTC
arm stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-23 18:30:18 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo gentoo-dev 2013-03-31 11:09:44 UTC
sh stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-04-01 19:42:43 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-04-02 10:54:13 UTC
sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-04-13 20:46:10 UTC
s390 stable
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 17:20:59 UTC
GLSA vote: yes
Comment 20 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-25 14:31:58 UTC
Added to existing GLSA request.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-08-29 11:13:03 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-08-29 11:17:54 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 10:48:57 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:25:49 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 25 Antheminfo 2014-12-12 10:55:51 UTC
Thanks for Sharing this information