Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 525960 (CVE-2014-3668) - <dev-lang/php-{5.4.34,5.5.18}: multiple vulnerabilities (CVE-2014-{3668,3669,3670})
Summary: <dev-lang/php-{5.4.34,5.5.18}: multiple vulnerabilities (CVE-2014-{3668,3669,...
Status: RESOLVED FIXED
Alias: CVE-2014-3668
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-20 09:44 UTC by Agostino Sarubbo
Modified: 2014-12-24 17:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-10-20 09:44:27 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1154503:

An out-of-bounds read flaw was found in PHP's mkgmtime() function. This could possibly cause the 
PHP interpreter to crash.

This issue has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
https://bugs.php.net/bug.php?id=68027
http://php.net/ChangeLog-5.php



From https://bugzilla.redhat.com/show_bug.cgi?id=1154502:

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code.

This issue has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
https://bugs.php.net/bug.php?id=68113
http://php.net/ChangeLog-5.php



From https://bugzilla.redhat.com/show_bug.cgi?id=1154500:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure. It is not clear if code execution is possible or not.

It was reported that this issue only affects 32-bit systems. It has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159
https://bugs.php.net/bug.php?id=68044
http://php.net/ChangeLog-5.php


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Ole Markus With (RETIRED) gentoo-dev 2014-10-20 09:48:21 UTC
Please go ahead with stabilisation.
Comment 2 Tomáš Mózes 2014-10-24 10:41:18 UTC
I've tested 5.4.34 and 5.5.18 on amd64 (about 15 servers), both seem to work fine.
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-24 13:12:09 UTC
Arches, please test and mark stable:
=dev-lang/php-5.4.34
=dev-lang/php-5.5.18
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Jeroen Roovers gentoo-dev 2014-10-25 06:57:53 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-27 14:16:53 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-10-27 14:18:12 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-29 12:02:50 UTC
sparc stable
Comment 8 Tobias Klausmann gentoo-dev 2014-10-29 14:07:27 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2014-10-30 18:59:55 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-11-02 09:48:14 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-02 09:48:30 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-11-02 09:48:46 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Sean Amoss gentoo-dev Security 2014-11-03 23:44:55 UTC
GLSA is being drafted.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-11-03 23:47:11 UTC
CVE-2014-3670 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3670):
  The exif_ifd_make_value function in exif.c in the EXIF extension in PHP
  before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on
  floating-point arrays incorrectly, which allows remote attackers to cause a
  denial of service (heap memory corruption and application crash) or possibly
  execute arbitrary code via a crafted JPEG image with TIFF thumbnail data
  that is improperly handled by the exif_thumbnail function.

CVE-2014-3669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3669):
  Integer overflow in the object_custom function in
  ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18,
  and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via an argument to
  the unserialize function that triggers calculation of a large length value.

CVE-2014-3668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3668):
  Buffer overflow in the date_from_ISO8601 function in the mkgmtime
  implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before
  5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers
  to cause a denial of service (application crash) via (1) a crafted first
  argument to the xmlrpc_set_type function or (2) a crafted argument to the
  xmlrpc_decode function, related to an out-of-bounds read operation.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-11-09 16:58:10 UTC
This issue was resolved and addressed in
 GLSA 201411-04 at http://security.gentoo.org/glsa/glsa-201411-04.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 16 Timo Eissler 2014-12-24 16:17:18 UTC
How is it possible that according to "glsa-check -l" i'm affected by those two GLSAs when my php installations are up to date?

# glsa-check -l affected                                                                                                                              
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201408-11 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
201411-04 [N] PHP: Multiple vulnerabilities ( dev-lang/php )

# equery l php
 * Searching for php ...
[IP-] [  ] dev-lang/php-5.4.36:5.4
[IP-] [  ] dev-lang/php-5.5.20:5.5

Kind regards
Comment 17 Kristian Fiskerstrand gentoo-dev Security 2014-12-24 17:33:32 UTC
(In reply to Timo Eissler from comment #16)
> How is it possible that according to "glsa-check -l" i'm affected by those
> two GLSAs when my php installations are up to date?

This has to do with the way GLSAmake works without supporting slots, so a GLSA needs to retroactively be updated to add versions not vulnerable if not using the latest slot. Please file a new bug about it under Gentoo Security with component GLSA errors.

Some more detailed info specific to this case for your benefit (you can look this up in the glsa xml in /usr/portage/metadata/glsa).
  <unaffected range="ge">5.5.16</unaffected>
      <unaffected range="rge">5.4.32</unaffected>
      <unaffected range="rge">5.3.29</unaffected>
      <unaffected range="rge">5.4.34</unaffected>
      <vulnerable range="lt">5.5.16</vulnerable>

I.e anything below 5.5.16 is by default vulnerable according to its definition, but there are added exceptions for *>= (rge, i.e. it ignores revision bumps after this version) for 5.4.32 and 5.4.34, this fix in this specific case is for us to add further 5.4 versions (e.g. up to 5.4.40) to the list of unaffected packages. 

Anyhow, upen a new bug about it and we'll get to it..