Univention Bugzilla – Full Text Bug Listing

| Summary: | php5: Multiple issues (4.0) | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
| Component: | Security updates | Assignee: | Janek Walkenhorst <walkenhorst> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P2 | CC: | gohmann, hahn, requate |
| Version: | UCS 4.0 | Flags: | requate: Patch_Available+ |
| Target Milestone: | UCS 4.0-3-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
Description

Moritz Muehlenhoff 2014-11-25 13:01:13 CET

Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8116, CVE-2014-8117)
Denial of service in the CGI module (CVE-2014-9427)
Memory corruption in processing EXIF tags (CVE-2015-0232)

(In reply to Moritz Muehlenhoff from comment #1)
> Denial of service issues in the ELF parser of the filemagic extensions
> (CVE-2014-8116, CVE-2014-8117)

CVE-2014-8116 doesn't affect the PHP packages in UCS 3.2 and UCS 4.0.

These vulnerabilities were fixed during the import of the Wheezy 7.8 point update in Bug 37511:
Out of bounds reads when parsing ELF section headers in the file extension (CVE-2014-3710)
Denial of service when parsing awk files in the filemagic extension (CVE-2013-7345)
Out of bounds read in mkgmtime() (CVE-2014-3668)
Heap corruption issue in processing exif thumbnails (CVE-2014-3670)
Integer overflow in unserialize() (CVE-2014-3669)
Denial of service in the CGI module (CVE-2014-9427)

These are still unfixed:
Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459)
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8117)
Memory corruption in processing EXIF tags (CVE-2015-0232)
NULL pointer dereference in pgsql extension (CVE-2015-1352) (the version in UCS 3.2 is not affected)
Denial of service via long pascal strings (CVE-2014-9652)
Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
Denial of Service due to use after free in phar_object.c (CVE-2015-2301)
Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
ZIP Integer Overflow leads to writing past heap boundary (CVE-2015-2331)

New issues:

Fixed in new upstream version 5.4.39-0+deb7u2:
* Use-after-free vulnerability in the process_nested_data function allows execution of arbitrary code by remote attackers (CVE-2015-2787)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)

Currently still unfixed:
* Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783)
* Remote code execution with apache 2.4 apache2handler (CVE-2015-3330)
* Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329)

New status summary:

Fixed in upstream Debian package version 5.4.39-0+deb7u2:
CVE-2015-0232 CVE-2015-1352 CVE-2014-9652 CVE-2015-0273 CVE-2015-2301 CVE-2015-2305 CVE-2015-2331 CVE-2015-2787 CVE-2015-2348

These issues have been classified as "Minor issue" in Debian:
CVE-2014-5459

These issues are already fixed in ucs4.0-1:
CVE-2014-3710 CVE-2013-7345 CVE-2014-3670 CVE-2014-3669 CVE-2014-3668 CVE-2014-8117 CVE-2014-9427

Currently still unfixed:
CVE-2015-2783 CVE-2015-3330 CVE-2015-3329

The above and the following issues are fixed in upstream 5.4.41-0+deb7u1:
CVE-2015-4025 / CVE-2015-4026: Multiple functions didn't check for NULL bytes in path names.
CVE-2015-4024: Denial of service when processing multipart/form-data requests.
CVE-2015-4022: Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code.
CVE-2015-4021: Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives.

Also fixed in 5.4.41-0+deb7u1:
* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure by providing crafted serialized data with an int data type, due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)

New issues:
* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)

Fixed in 5.4.44-0+deb7u1:
CVE-2015-4598 CVE-2015-4643 CVE-2015-4644

Additionally the following issues have been fixed:
* Denial of Service due to Segfault in Phar::convertToData on invalid file (CVE-2015-5589)
* Crash or code injection due to Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)

New issues fixed in 5.4.45-0+deb7u1:
* use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)
* Use after free vulnerability in session deserializer (CVE-2015-6835)
* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)
* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)

Tests (i386): OK
Advisory: 2015-09-17-php5.yaml

Jenkins regression: 20_appcenter.20_can_apps_be_installed.test
The "auralis" app is now no longer installable:

univention-auralis -> auralis-fastcgi=2.5.2.0-1 -> php5-fpm -> php5-common=5.4.36-0.210.201502031505

The package was built:
logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log_amd64_20150917202032.bz2
logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log.bz2

$ find -name php5-fpm\*
./amd64/php5-fpm_5.4.45-0.213.201509171749_amd64.deb
./i386/php5-fpm_5.4.45-0.213.201509171749_i386.deb

It got released as unmaintained:
<http://updates-test.software-univention.de/4.0/unmaintained/component/4.0-3-errata-test/amd64/>

(In reply to Philipp Hahn from comment #17)
> Jenkins regression: 20_appcenter.20_can_apps_be_installed.test
> The "auralis" app is now no longer installable:
>
> univention-auralis -> auralis-fastcgi=2.5.2.0-1 -> php5-fpm -> php5-common=5.4.36-0.210.201502031505
>
> The package was built:
> logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log_amd64_20150917202032.bz2
> logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log.bz2
>
> $ find -name php5-fpm\*
> ./amd64/php5-fpm_5.4.45-0.213.201509171749_amd64.deb
> ./i386/php5-fpm_5.4.45-0.213.201509171749_i386.deb
>
> It got released as unmaintained:
> <http://updates-test.software-univention.de/4.0/unmaintained/component/4.0-3-errata-test/amd64/>

This is checked in announce/announce_errata (and has to be fixed manually during the errata announce).

* OK - tests (amd64)
* OK - php5 update
* OK - horde login/mail delivery still possible
* OK - owncloud login/upload/download
* OK - php -r 'phpinfo();'
* OK - 2015-09-17-php5.yaml
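The regression in comment #17 is a general hazard of security errata for multi-binary source packages: php5's binary packages pin php5-common to their exact build version, so publishing the rebuilt php5-common to the maintained repository while the rebuilt php5-fpm lands in "unmaintained" leaves the old php5-fpm (and everything depending on it, here the auralis app) unsatisfiable. The following is an added example and not Univention code: a small Python model of apt-style resolution of exact-version ("=") dependencies over a constructed package index, together with a hypothetical stand-in for the kind of same-source-version check the comment attributes to announce/announce_errata. Package names and the php5 versions are taken from the comment; the univention-auralis version, the Depends strings and the index itself are constructed.

```python
import re

# Constructed index of candidate versions in the "maintained" repository,
# modelled on the chain quoted in comment #17 (name -> (version, Depends)).
# apt installs only the candidate (newest available) version of a package
# and does not downgrade, so one candidate per name is enough here.
MAINTAINED_BEFORE = {
    "univention-auralis": ("1.0-1", "auralis-fastcgi (= 2.5.2.0-1)"),  # version constructed
    "auralis-fastcgi": ("2.5.2.0-1", "php5-fpm"),
    # php5-fpm 5.4.45 was built but published to "unmaintained", so the
    # maintained repo still offers the old build with its exact pin:
    "php5-fpm": ("5.4.36-0.210.201502031505", "php5-common (= 5.4.36-0.210.201502031505)"),
    # php5-common itself was updated by the errata:
    "php5-common": ("5.4.45-0.213.201509171749", ""),
}

# One Depends entry: a package name, optionally followed by "(= version)".
DEP_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]*)\s*(?:\(\s*=\s*([^)\s]+)\s*\))?\s*$")


def parse_depends(field):
    """Parse a Depends: field into (name, exact_version_or_None) pairs.

    Only unversioned and '=' relations are handled; that is what the php5
    binary packages use for php5-common, and it keeps dpkg's full version
    ordering out of the example.
    """
    deps = []
    for item in filter(None, (p.strip() for p in field.split(","))):
        m = DEP_RE.match(item)
        if not m:
            raise ValueError(f"unsupported dependency syntax: {item!r}")
        deps.append((m.group(1), m.group(2)))
    return deps


def find_broken_link(root, index):
    """Walk the dependency tree from `root` against `index`.

    Returns the first unsatisfiable link as
    (depender, dependency, wanted_version, candidate_version) where
    candidate_version is None if the dependency is missing entirely,
    or None when everything resolves.
    """
    seen = set()
    stack = [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        _version, depends = index[name]
        for dep, wanted in parse_depends(depends):
            cand = index.get(dep)
            if cand is None:
                return (name, dep, wanted, None)
            if wanted is not None and cand[0] != wanted:
                return (name, dep, wanted, cand[0])
            stack.append(dep)
    return None


def with_fpm_in_maintained(index):
    """The remedy the page describes: publish the rebuilt php5-fpm next to
    php5-common so its exact pin is satisfiable again."""
    fixed = dict(index)
    fixed["php5-fpm"] = ("5.4.45-0.213.201509171749",
                         "php5-common (= 5.4.45-0.213.201509171749)")
    return fixed


def published_versions(index, source_members):
    """Hypothetical release-time check: all binaries built from one source
    package must be published at the same version. More than one entry in
    the result means the source's binaries were split across repositories."""
    return sorted({index[n][0] for n in source_members if n in index})


if __name__ == "__main__":
    php5_binaries = ("php5-common", "php5-fpm")
    print("broken:", find_broken_link("univention-auralis", MAINTAINED_BEFORE))
    print("split versions:", published_versions(MAINTAINED_BEFORE, php5_binaries))
    fixed = with_fpm_in_maintained(MAINTAINED_BEFORE)
    print("after fix:", find_broken_link("univention-auralis", fixed))
    print("versions after fix:", published_versions(fixed, php5_binaries))
```

Run stand-alone, the script first reports the link php5-fpm -> php5-common as unsatisfiable (wanted 5.4.36-0.210.201502031505, candidate 5.4.45-0.213.201509171749) and two distinct published versions for the php5 binaries; after php5-fpm 5.4.45 is added to the maintained index the chain resolves and only one version remains. The second check is the cheaper one to run at announce time, since it needs no dependency graph at all, just the per-binary versions of the source package being released.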