Bug 36997 - php5: Multiple issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P2 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Janek Walkenhorst
QA Contact: Felix Botner
Depends on:
Blocks:
Reported: 2014-11-25 13:01 CET by Moritz Muehlenhoff
Modified: 2017-10-26 13:54 CEST (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Description Moritz Muehlenhoff univentionstaff 2014-11-25 13:01:13 CET
Out of bounds reads when parsing ELF section headers in the file extension (CVE-2014-3710)
Denial of service when parsing awk files in the filemagic extension (CVE-2013-7345)
Heap corruption issue in processing exif thumbnails (CVE-2014-3670)
Integer overflow in unserialize() (CVE-2014-3669)
Out of bounds read in mkgmtime() (CVE-2014-3668)
Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459)

CVE-2013-7345 doesn't affect UCS 3.2, the affected code isn't present yet
Comment 1 Moritz Muehlenhoff univentionstaff 2014-12-15 10:23:11 CET
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8116, CVE-2014-8117)
Comment 2 Moritz Muehlenhoff univentionstaff 2015-01-05 09:38:11 CET
Denial of service in the CGI module (CVE-2014-9427)
Comment 3 Moritz Muehlenhoff univentionstaff 2015-02-02 09:41:31 CET
Memory corruption in processing EXIF tags (CVE-2015-0232)
Comment 4 Moritz Muehlenhoff univentionstaff 2015-02-03 15:16:14 CET
(In reply to Moritz Muehlenhoff from comment #1)
> Denial of service issues in the ELF parser of the filemagic extensions
> (CVE-2014-8116, CVE-2014-8117)

CVE-2014-8116 doesn't affect the PHP packages in UCS 3.2 and UCS 4.0.
Comment 5 Moritz Muehlenhoff univentionstaff 2015-02-03 15:20:16 CET
These vulnerabilities were fixed during the import of the Wheezy 7.8 point update in Bug 37511:

Out of bounds reads when parsing ELF section headers in the file extension (CVE-2014-3710)
Denial of service when parsing awk files in the filemagic extension (CVE-2013-7345)
Out of bounds read in mkgmtime() (CVE-2014-3668)
Heap corruption issue in processing exif thumbnails (CVE-2014-3670)
Integer overflow in unserialize() (CVE-2014-3669)
Denial of service in the CGI module (CVE-2014-9427)


These are still unfixed:

Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459)
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8117)
Memory corruption in processing EXIF tags (CVE-2015-0232)
Comment 6 Moritz Muehlenhoff univentionstaff 2015-02-04 09:26:37 CET
NULL pointer dereference in pgsql extension (CVE-2015-1352) (the version in UCS 3.2 is not affected)
Comment 7 Arvid Requate univentionstaff 2015-02-19 18:11:48 CET
Denial of service via long pascal strings (CVE-2014-9652)
Comment 8 Arvid Requate univentionstaff 2015-03-19 00:01:09 CET
Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)

Denial of Service due to use after free in phar_object.c (CVE-2015-2301)
Comment 9 Arvid Requate univentionstaff 2015-03-24 19:53:33 CET
Heap overflow vulnerability in regcomp.c (CVE-2015-2305)

ZIP Integer Overflow leads to writing past heap boundary (CVE-2015-2331)
Comment 10 Arvid Requate univentionstaff 2015-04-24 12:03:35 CEST
New issues:

Fixed in new upstream version 5.4.39-0+deb7u2:

* Use-after-free vulnerability in the process_nested_data function allows execution of arbitrary code by remote attackers (CVE-2015-2787)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)

Currently still unfixed:

* Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783)
* Remote code execution with apache 2.4 apache2handler (CVE-2015-3330)
* Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329)
Comment 11 Arvid Requate univentionstaff 2015-05-07 16:23:04 CEST
New status summary:

Fixed in upstream Debian package version 5.4.39-0+deb7u2:
CVE-2015-0232 CVE-2015-1352 CVE-2014-9652 CVE-2015-0273 CVE-2015-2301 CVE-2015-2305 CVE-2015-2331 CVE-2015-2787 CVE-2015-2348


These issues have been classified as "Minor issue" in Debian:
CVE-2014-5459


These issues are already fixed in ucs4.0-1:
CVE-2014-3710 CVE-2013-7345 CVE-2014-3670 CVE-2014-3669 CVE-2014-3668 CVE-2014-8117 CVE-2014-9427


Currently still unfixed:
CVE-2015-2783 CVE-2015-3330 CVE-2015-3329
Comment 12 Arvid Requate univentionstaff 2015-06-08 19:27:18 CEST
The above and the following issue are fixed in upstream 5.4.41-0+deb7u1:

CVE-2015-4025 / CVE-2015-4026

    Multiple functions didn't check for NULL bytes in path names.

CVE-2015-4024

    Denial of service when processing multipart/form-data requests.

CVE-2015-4022

    Integer overflow in the ftp_genlist() function may result in
    denial of service or potentially the execution of arbitrary code.

CVE-2015-4021

    Multiple vulnerabilities in the phar extension may result in
    denial of service or potentially the execution of arbitrary code
    when processing malformed archives.
Comment 13 Arvid Requate univentionstaff 2015-07-13 13:01:05 CEST
Also fixed in 5.4.41-0+deb7u1:

* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)

* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)

* Information disclosure providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)

* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)

* Incomplete Class unserialization type confusion (CVE-2015-4602)

* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)

* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)
Comment 14 Arvid Requate univentionstaff 2015-07-13 13:01:25 CEST
New issues:

* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)

* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)

* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
Comment 15 Arvid Requate univentionstaff 2015-09-16 11:47:00 CEST
Fixed in 5.4.44-0+deb7u1:

CVE-2015-4598 CVE-2015-4643 CVE-2015-4644

Additionally the following issues have been fixed:

* Denial of Service due to Segfault in Phar::convertToData on invalid file (CVE-2015-5589)

* Crash or code injection due to Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)


New issues fixed in 5.4.45-0+deb7u1:

* use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)

* Use after free vulnerability in session deserializer (CVE-2015-6835)

* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)

* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)
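Added example (not code from this bug, from Univention or from Debian): the status summaries in comments 11 to 15 map each CVE to the Debian package version that fixed it. The script below turns that table into a check that reports which of the listed CVEs are still open for a given installed php5 version. The version ordering reimplements the dpkg comparison rules ('~' sorts before the end of a segment, letters before other characters, numeric runs by value), so it agrees with `dpkg --compare-versions`; the 2014 issues that comment 11 lists as already fixed in ucs4.0-1 are left out because the bug names no package version for them. The sample versions in the main block are the ones this bug names.

```python
"""Added example: which CVEs from this bug are still open for an installed php5 version?

Not Univention's or Debian's code.  Version ordering follows the dpkg algorithm.
"""

# Fixed-in versions as stated in comments 11 to 15 of this bug.
FIXED_IN = {
    "5.4.39-0+deb7u2": [
        "CVE-2015-0232", "CVE-2015-1352", "CVE-2014-9652", "CVE-2015-0273",
        "CVE-2015-2301", "CVE-2015-2305", "CVE-2015-2331", "CVE-2015-2787",
        "CVE-2015-2348",
    ],
    "5.4.41-0+deb7u1": [
        "CVE-2015-2783", "CVE-2015-3330", "CVE-2015-3329", "CVE-2015-4025",
        "CVE-2015-4026", "CVE-2015-4024", "CVE-2015-4022", "CVE-2015-4021",
        "CVE-2015-3411", "CVE-2015-3412", "CVE-2015-4147", "CVE-2015-4148",
        "CVE-2015-4599", "CVE-2015-4600", "CVE-2015-4601", "CVE-2015-4602",
        "CVE-2015-4603", "CVE-2015-4604", "CVE-2015-4605",
    ],
    "5.4.44-0+deb7u1": [
        "CVE-2015-4598", "CVE-2015-4643", "CVE-2015-4644", "CVE-2015-5589",
        "CVE-2015-5590",
    ],
    "5.4.45-0+deb7u1": [
        "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837",
        "CVE-2015-6838",
    ],
}


def _order(c):
    """dpkg's weight for one character of a non-digit run ('~' < end < letters < rest)."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def deb_version_cmp(v1, v2):
    """Return <0, 0 or >0, ordering versions like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def unfixed_cves(installed, fixed_in=FIXED_IN):
    """Sorted CVEs from the table whose fixing package version is newer than `installed`."""
    return sorted(
        cve
        for version, cves in fixed_in.items()
        for cve in cves
        if deb_version_cmp(installed, version) < 0
    )


if __name__ == "__main__":
    # Versions named in this bug: the Debian package that closed the first batch,
    # and the UCS 4.0-3-errata build from comment 17.
    for v in ("5.4.39-0+deb7u2", "5.4.45-0.213.201509171749"):
        left = unfixed_cves(v)
        print("%s: %d listed CVEs still open %s" % (v, len(left), " ".join(left)))
```

On a real host, `dpkg-query -W -f='${Version}' php5-common` yields the installed version to feed into `unfixed_cves`, and `dpkg --compare-versions` gives the same ordering if you would rather not trust the reimplementation. One caveat the UCS build string illustrates: 5.4.45-0.213.201509171749 sorts after 5.4.45-0+deb7u1 only because the upstream part 5.4.45 matches and dpkg orders '+' before '.' in the Debian revision; a vendor build that rewrote the upstream part would need its own mapping.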
Comment 16 Janek Walkenhorst univentionstaff 2015-09-17 19:08:55 CEST
Tests (i386): OK
Advisory: 2015-09-17-php5.yaml
Comment 17 Philipp Hahn univentionstaff 2015-09-25 12:50:22 CEST
Jenkins regression: 20_appcenter.20_can_apps_be_installed.test
The "auralis" app is now no longer installable:

univention-auralis -> auralis-fastcgi=2.5.2.0-1 -> php5-fpm -> php5-common=5.4.36-0.210.201502031505

The package was built:
logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log_amd64_20150917202032.bz2
logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log.bz2

$ find -name php5-fpm\*
./amd64/php5-fpm_5.4.45-0.213.201509171749_amd64.deb
./i386/php5-fpm_5.4.45-0.213.201509171749_i386.deb

It got released as unmaintained: <http://updates-test.software-univention.de/4.0/unmaintained/component/4.0-3-errata-test/amd64/>
Comment 18 Felix Botner univentionstaff 2015-10-01 18:38:14 CEST
(In reply to Philipp Hahn from comment #17)
> Jenkins regression: 20_appcenter.20_can_apps_be_installed.test
> The "auralis" app is now no longer installable:
> 
> univention-auralis -> auralis-fastcgi=2.5.2.0-1 -> php5-fpm ->
> php5-common=5.4.36-0.210.201502031505
> 
> The package was built:
> logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.
> log_amd64_20150917202032.bz2
> logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log.bz2
> 
> $ find -name php5-fpm\*
> ./amd64/php5-fpm_5.4.45-0.213.201509171749_amd64.deb
> ./i386/php5-fpm_5.4.45-0.213.201509171749_i386.deb
> 
> It got releases as unmaintained:
> <http://updates-test.software-univention.de/4.0/unmaintained/component/4.0-3-
> errata-test/amd64/>

This is checked in announce/announce_errata (and has to be fixed manually during the errata announce).

* OK - tests (amd64)
* OK - php5 update 
* OK - horde login/mail delivery still possible
* OK - owncloud login/upload/download
* OK - php -r 'phpinfo();'

* OK - 2015-09-17-php5.yaml
Comment 19 Janek Walkenhorst univentionstaff 2015-10-15 11:53:18 CEST
<http://errata.software-univention.de/ucs/4.0/342.html>