Bug 550770 (CVE-2015-4024) - <dev-php/suhosin-0.9.38: Remote DoS Vulnerability (CVE-2015-4024)
Summary: <dev-php/suhosin-0.9.38: Remote DoS Vulnerability (CVE-2015-4024)
Status: RESOLVED FIXED
Alias: CVE-2015-4024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://raw.githubusercontent.com/ste...
Whiteboard: C3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-29 19:56 UTC by cyberbat
Modified: 2015-07-22 17:17 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description cyberbat 2015-05-29 19:56:50 UTC
2015-05-21 - 0.9.38
    - removed code compatibility for PHP <5.4 (lots of code + ifdefs)
    - allow https location for suhosin.filter.action
    - fixed newline detection for suhosin.mail.protect
    - Added suhosin.upload.max_newlines to protect against DoS attack via many 
      MIME headers in RFC1867 uploads (CVE-2015-4024)
    - mail related test cases now work on linux
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-06-10 14:24:33 UTC
Arches, please mark stable

Target keywords:
dev-php/suhosin-0.9.38 alpha amd64 arm hppa ia64 sparc x86

Note: Upstream acknowledges these tests fail on php 5.4 [1], so please expect these tests to fail.
Testing: suhosin.executor.eval.blacklist=max [tests/executor/eval_blacklist.phpt]
Testing: suhosin.executor.eval.blacklist=printf via call_user_func [tests/executor/eval_blacklist_printf.phpt]
Testing: suhosin.executor.eval.whitelist=printf via call_user_func [tests/executor/eval_whitelist_call_user_func.phpt]
Testing: suhosin.executor.func.blacklist=printf [tests/executor/function_blacklist_printf.phpt]
Testing: suhosin.executor.func.whitelist=call_user_func [tests/executor/function_whitelist_call_user_func.phpt]

[1] https://github.com/stefanesser/suhosin/issues/68
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-11 04:26:24 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2015-06-11 07:08:11 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-06-11 07:18:12 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 07:26:38 UTC
CVE-2015-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4024):
  Algorithmic complexity vulnerability in the multipart_buffer_headers
  function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and
  5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU
  consumption) via crafted form data that triggers an improper order-of-growth
  outcome.
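Comment 5 describes the DoS as an order-of-growth problem in PHP's multipart (RFC 1867) header parsing, and the 0.9.38 changelog in the description says Suhosin mitigates it with suhosin.upload.max_newlines. The following Python is an added illustration of that mitigation idea, not code from PHP, Suhosin or Gentoo: a per-part header parser that stops as soon as a header block exceeds a line cap, so rejecting an oversized block costs no more than the cap allows. The cap value, the function names and the sample inputs are constructed assumptions.

```python
# Added defensive example (not Suhosin or PHP code): a multipart part-header
# parser that enforces a per-part cap on header lines, the idea behind
# suhosin.upload.max_newlines. The cap value and names here are assumptions.

MAX_HEADER_LINES = 64  # assumed cap; Suhosin's own default is not stated on the page


class TooManyHeaders(ValueError):
    """Raised when one multipart part carries more header lines than allowed."""


def _iter_crlf_lines(buf: bytes):
    """Yield lines of buf split on CRLF without materialising the whole split.
    Each find() resumes from the previous position, so the scan is linear."""
    pos = 0
    while pos < len(buf):
        end = buf.find(b"\r\n", pos)
        if end == -1:
            yield buf[pos:]
            return
        yield buf[pos:end]
        pos = end + 2


def parse_part_headers(raw: bytes, max_lines: int = MAX_HEADER_LINES) -> dict:
    """Parse the header block of one multipart part (everything before the
    first empty line). Returns {lowercased-name: value}. Aborts with
    TooManyHeaders as soon as the line count passes max_lines, so the work
    spent on an oversized block is bounded by the cap, not by the input size."""
    headers = {}
    seen = 0
    for line in _iter_crlf_lines(raw):
        if line == b"":
            break  # blank line ends the header block
        seen += 1
        if seen > max_lines:
            raise TooManyHeaders(f"more than {max_lines} header lines in one part")
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "Name: value" line; ignore it
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def within_limit(raw: bytes, max_lines: int = MAX_HEADER_LINES) -> bool:
    """True if the part's header block is accepted, False if it trips the cap."""
    try:
        parse_part_headers(raw, max_lines)
        return True
    except TooManyHeaders:
        return False


# Constructed sample input: one ordinary file-upload part ...
SAMPLE_PART = (
    b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
)

# ... and one whose header block exceeds the cap (a repeated filler header).
OVERSIZED_PART = b"X-Filler: 1\r\n" * (MAX_HEADER_LINES + 1) + b"\r\nbody\r\n"

if __name__ == "__main__":
    print(parse_part_headers(SAMPLE_PART))
    print("oversized part accepted:", within_limit(OVERSIZED_PART))
```

The check is applied per part rather than per request so that a legitimate upload with many small parts is not penalised; a request-wide counter is the other reasonable design if the server also wants to bound the total number of parts.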
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-17 08:52:32 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2015-06-19 17:14:24 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-03 09:57:09 UTC
alpha stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-22 16:35:01 UTC
ia64 stable

cleanup please!

GLSA vote: no.
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-22 17:00:41 UTC
GLSA Vote: No
Comment 11 Brian Evans (RETIRED) gentoo-dev 2015-07-22 17:06:42 UTC
Cleanup done.
+  22 Jul 2015; Brian Evans <grknight@gentoo.org> -suhosin-0.9.37.1.ebuild:
+  Remove security vulnerable version
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-22 17:17:35 UTC
(In reply to Brian Evans from comment #11)
> Cleanup done.
> +  22 Jul 2015; Brian Evans <grknight@gentoo.org> -suhosin-0.9.37.1.ebuild:
> +  Remove security vulnerable version

Thanks for cleanup