Bug 358791 (CVE-2011-1092) - <dev-lang/php-5.3.6: Multiple vulnerabilities (CVE-2010-3870,CVE-2011-{0421,0708,1092,1153,1464,1466,1467,1468,1469,1470,1471})
Status: RESOLVED FIXED
Alias: CVE-2011-1092
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://svn.php.net/viewvc/?view=revis...
Whiteboard: A1 [glsa]
Keywords:
Duplicates: CVE-2011-0708
Depends on: 361389
Blocks:
Reported: 2011-03-14 04:39 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-10 20:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Build log (php-5.3.6:20110330-213344.log,27.68 KB, text/plain)
2011-03-30 21:45 UTC, Agostino Sarubbo

Description Tim Sammut (RETIRED) gentoo-dev 2011-03-14 04:39:21 UTC
The commit at $URL reportedly fixes an integer overflow.
Comment 1 Ole Markus With (RETIRED) gentoo-dev 2011-03-18 11:45:02 UTC
PHP 5.3.6 has been released now, which fixes this issue. However the suhosin patch does not work for this release yet (the suhosin extension does, though). Do you want to do security stabilisation for 5.3.6 or wait for the revbump with suhosin support?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 23:10:41 UTC
(In reply to comment #1)
> PHP 5.3.6 has been released now, which fixes this issue. However the suhosin
> patch does not work for this release yet (the suhosin extension does, though).
> Do you want to do security stabilisation for 5.3.6 or wait for the revbump with
> suhosin support?

I am ok waiting if it is not too long, say less than one or two weeks. What do you think? Thanks.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 23:13:18 UTC
Security Enhancements and Fixes in PHP 5.3.6:

    * Enforce security in the fastcgi protocol parsing with fpm SAPI.
    * Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
    * Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
    * Fixed bug #54055 (buffer overrun with high values for precision ini setting).
    * Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
    * Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 23:13:40 UTC
*** Bug 354875 has been marked as a duplicate of this bug. ***
Comment 5 Ole Markus With (RETIRED) gentoo-dev 2011-03-20 01:23:13 UTC
For the record, Suhosin does patch some local security issues, and some edge-cases concerning bad coding practice, but I do not consider suhosin to be essential concerning PHP security. At least compared to the security issues resolved by PHP 5.3.6. The PHP team also rejects the suhosin patch, if that matters.

That being said, I do not mind waiting a few weeks extra for the suhosin patch to be updated and I do believe that end-users expect suhosin to be supported by a security-stabled PHP version. Normally the patch is updated within a few weeks, but as always, there is no guarantee, and as far as I know, no official sources contributing any information about the progress.
Comment 6 Ole Markus With (RETIRED) gentoo-dev 2011-03-30 19:47:50 UTC
Suhosin has yet to do a new release and I have not seen any ETA for the patch. I think we need to do stabilisation now. Once again, the PHP devs do not consider suhosin a security enhancement and I only wanted to wait because many users expect suhosin support.

So what do you think? Can we move ahead and request stabilisation?
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-03-30 20:08:33 UTC
(In reply to comment #6)
>
> So what do you think? Can we move ahead and request stabilisation?

Works for me. Thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Agostino Sarubbo gentoo-dev 2011-03-30 21:45:50 UTC
Created attachment 267915 [details]
Build log

Fails econf
Comment 9 Ole Markus With (RETIRED) gentoo-dev 2011-03-31 06:07:06 UTC
(In reply to comment #8)
> Created attachment 267915 [details]
> Build log
> 
> Fails econf

Can you create a bug with all the usual info? Particularly `emerge --info php'

Thanks.
Comment 10 Agostino Sarubbo gentoo-dev 2011-03-31 10:04:28 UTC
(In reply to comment #9)
> Can you create a bug with all the usual info? Particularly `emerge --info php'
> 
> Thanks.

done, bug 361445 ;)
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-01 16:42:41 UTC
ppc/ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-02 16:32:19 UTC
Stable for HPPA.
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-04-02 20:19:34 UTC
x86 stable
Comment 14 Christoph Mende (RETIRED) gentoo-dev 2011-04-02 21:05:08 UTC
amd64 done, thanks Agostino
Comment 15 Alex Buell 2011-04-04 00:03:44 UTC
Tested OK on SPARC, tested by browsing phpsysinfo. Looks good, could stabilise.
Comment 16 Markus Meier gentoo-dev 2011-04-05 05:24:50 UTC
arm stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2011-04-09 13:51:09 UTC
alpha/ia64/s390/sh/sparc stable
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2011-04-09 16:07:44 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 23:28:57 UTC
CVE-2011-1471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1471):
  Integer signedness error in zip_stream.c in the Zip extension in PHP before
  5.3.6 allows context-dependent attackers to cause a denial of service (CPU
  consumption) via a malformed archive file that triggers errors in zip_fread
  function calls.

CVE-2011-1470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1470):
  The Zip extension in PHP before 5.3.6 allows context-dependent attackers to
  cause a denial of service (application crash) via a ziparchive stream that
  is not properly handled by the stream_get_contents function.

CVE-2011-1469 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1469):
  Unspecified vulnerability in the Streams component in PHP before 5.3.6
  allows context-dependent attackers to cause a denial of service (application
  crash) by accessing an ftp:// URL during use of an HTTP proxy with the FTP
  wrapper.

CVE-2011-1468 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1468):
  Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might
  allow remote attackers to cause a denial of service (memory consumption) via
  (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to
  the openssl_decrypt function.

CVE-2011-1467 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1467):
  Unspecified vulnerability in the NumberFormatter::setSymbol (aka
  numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6 allows
  context-dependent attackers to cause a denial of service (application crash)
  via an invalid argument, a related issue to CVE-2010-4409.

CVE-2011-1466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1466):
  Integer overflow in the SdnToJulian function in the Calendar extension in
  PHP before 5.3.6 allows context-dependent attackers to cause a denial of
  service (application crash) via a large integer in the first argument to the
  cal_from_jd function.

CVE-2011-1464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1464):
  Buffer overflow in the strval function in PHP before 5.3.6, when the
  precision configuration option has a large value, might allow
  context-dependent attackers to cause a denial of service (application crash)
  via a small numerical value in the argument.

CVE-2011-1153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1153):
  Multiple format string vulnerabilities in phar_object.c in the phar
  extension in PHP 5.3.5 and earlier allow context-dependent attackers to
  obtain sensitive information from process memory, cause a denial of service
  (memory corruption), or possibly execute arbitrary code via format string
  specifiers in an argument to a class method, leading to an incorrect
  zend_throw_exception_ex call.

CVE-2011-1092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1092):
  Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows
  context-dependent attackers to cause a denial of service (crash) and
  possibly read sensitive memory via a large third argument to the shmop_read
  function.

CVE-2011-0708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0708):
  exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
  performs an incorrect cast, which allows remote attackers to cause a denial
  of service (application crash) via an image with a crafted Image File
  Directory (IFD) that triggers a buffer over-read.

CVE-2011-0421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0421):
  The _zip_name_locate function in zip_name_locate.c in the Zip extension in
  PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
  argument, which might allow context-dependent attackers to cause a denial of
  service (NULL pointer dereference) via an empty ZIP archive that is
  processed with a (1) locateName or (2) statName operation.
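The shmop_read entry above (CVE-2011-1092) describes the classic shape of an offset/length bug: the length supplied by the caller is added to the start offset and only then compared against the segment size, so a sufficiently large length wraps the sum and slips past the check. The C program below is an added illustration of the defensive pattern, not PHP's shmop code and not the upstream commit referenced in this bug. It uses a constructed 64-byte region standing in for a shared-memory segment, a naive check that forms `start + count` before comparing, and an overflow-safe check that compares the length against the space remaining instead. All names in it (`segment`, `naive_range_ok`, `safe_range_ok`, `read_segment`) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's shmop implementation: a fixed-size region standing
 * in for a shared-memory segment. Contents are constructed; names are assumed. */
#define SEGMENT_SIZE 64
static const char segment[SEGMENT_SIZE] = "constructed segment contents";

/* Naive bounds check: computes start + count first. Unsigned addition wraps,
 * so a count close to SIZE_MAX turns the sum into a small value and an
 * out-of-range request passes the test. */
bool naive_range_ok(size_t start, size_t count, size_t size)
{
    return start + count <= size;
}

/* Overflow-safe check: never forms start + count. The first comparison
 * guarantees size - start cannot underflow, and the second compares the
 * requested length against the space that is actually left. */
bool safe_range_ok(size_t start, size_t count, size_t size)
{
    return start <= size && count <= size - start;
}

/* Copy `count` bytes at offset `start` from the segment into `out`.
 * Returns the number of bytes copied, or -1 if the request is rejected
 * (either out of range for the segment or larger than the caller's buffer). */
long read_segment(size_t start, size_t count, char *out, size_t out_cap)
{
    if (!safe_range_ok(start, count, SEGMENT_SIZE) || count > out_cap)
        return -1;
    memcpy(out, segment + start, count);
    return (long)count;
}

int main(void)
{
    char buf[SEGMENT_SIZE];

    /* A valid in-range request is served. */
    printf("read 12 bytes at offset 0 -> %ld\n",
           read_segment(0, 12, buf, sizeof buf));

    /* A huge count: the naive check wraps 8 + SIZE_MAX to 7 and reports
     * "in range"; the safe check used by read_segment rejects it. */
    printf("naive check accepts count=SIZE_MAX: %d\n",
           (int)naive_range_ok(8, SIZE_MAX, SEGMENT_SIZE));
    printf("read SIZE_MAX bytes at offset 8 -> %ld\n",
           read_segment(8, SIZE_MAX, buf, sizeof buf));
    return 0;
}
```

Compile with `cc -Wall example.c` and run it: with a start of 8 and a count of `SIZE_MAX` the naive check reports the request as in range because the sum wraps to 7, while `read_segment` refuses it and returns -1. The same shape applies to any offset/length pair received from an untrusted caller, whatever the language: validate the offset first, then compare the length against the remaining space, and never against a sum that may have wrapped.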
Comment 20 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-10 20:45:04 UTC
This issue was resolved and addressed in
 GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml
by GLSA coordinator Tobias Heinlein (keytoaster).