Univention Bugzilla – Bug 36997
php5: Multiple issues (4.0)
Last modified: 2017-10-26 13:54:48 CEST
Out of bounds reads when parsing ELF section headers in the file extension (CVE-2014-3710)
Denial of service when parsing awk files in the filemagic extension (CVE-2013-7345)
Heap corruption issue in processing exif thumbnails (CVE-2014-3670)
Integer overflow in unserialize() (CVE-2014-3669)
Out of bounds read in mkgmtime() (CVE-2014-3668)
Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459)

CVE-2013-7345 doesn't affect UCS 3.2; the affected code isn't present yet.
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8116, CVE-2014-8117)
Denial of service in the CGI module (CVE-2014-9427)
Memory corruption in processing EXIF tags (CVE-2015-0232)
(In reply to Moritz Muehlenhoff from comment #1)
> Denial of service issues in the ELF parser of the filemagic extensions
> (CVE-2014-8116, CVE-2014-8117)

CVE-2014-8116 doesn't affect the PHP packages in UCS 3.2 and UCS 4.0.
These vulnerabilities were fixed during the import of the Wheezy 7.8 point update in Bug 37511:
Out of bounds reads when parsing ELF section headers in the file extension (CVE-2014-3710)
Denial of service when parsing awk files in the filemagic extension (CVE-2013-7345)
Out of bounds read in mkgmtime() (CVE-2014-3668)
Heap corruption issue in processing exif thumbnails (CVE-2014-3670)
Integer overflow in unserialize() (CVE-2014-3669)
Denial of service in the CGI module (CVE-2014-9427)

These are still unfixed:
Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459)
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8117)
Memory corruption in processing EXIF tags (CVE-2015-0232)
NULL pointer dereference in pgsql extension (CVE-2015-1352) (the version in UCS 3.2 is not affected)
Denial of service via long pascal strings (CVE-2014-9652)
Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
Denial of Service due to use after free in phar_object.c (CVE-2015-2301)
Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
ZIP Integer Overflow leads to writing past heap boundary (CVE-2015-2331)
New issues:

Fixed in new upstream version 5.4.39-0+deb7u2:
* Use-after-free vulnerability in the process_nested_data function allows execution of arbitrary code by remote attackers (CVE-2015-2787)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)

Currently still unfixed:
* Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783)
* Remote code execution with apache 2.4 apache2handler (CVE-2015-3330)
* Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329)
New status summary:

Fixed in upstream Debian package version 5.4.39-0+deb7u2:
CVE-2015-0232 CVE-2015-1352 CVE-2014-9652 CVE-2015-0273 CVE-2015-2301 CVE-2015-2305 CVE-2015-2331 CVE-2015-2787 CVE-2015-2348

These issues have been classified as "Minor issue" in Debian:
CVE-2014-5459

These issues are already fixed in ucs4.0-1:
CVE-2014-3710 CVE-2013-7345 CVE-2014-3670 CVE-2014-3669 CVE-2014-3668 CVE-2014-8117 CVE-2014-9427

Currently still unfixed:
CVE-2015-2783 CVE-2015-3330 CVE-2015-3329
The above and the following issues are fixed in upstream 5.4.41-0+deb7u1:

CVE-2015-4025 / CVE-2015-4026 Multiple functions didn't check for NULL bytes in path names.
CVE-2015-4024 Denial of service when processing multipart/form-data requests.
CVE-2015-4022 Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code.
CVE-2015-4021 Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives.
Also fixed in 5.4.41-0+deb7u1:
* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)
New issues:
* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
Fixed in 5.4.44-0+deb7u1:
CVE-2015-4598 CVE-2015-4643 CVE-2015-4644

Additionally, the following issues have been fixed:
* Denial of Service due to Segfault in Phar::convertToData on invalid file (CVE-2015-5589)
* Crash or code injection due to Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)

New issues fixed in 5.4.45-0+deb7u1:
* use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)
* Use after free vulnerability in session deserializer (CVE-2015-6835)
* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)
* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)
Tests (i386): OK
Advisory: 2015-09-17-php5.yaml
Jenkins regression: 20_appcenter.20_can_apps_be_installed.test
The "auralis" app is now no longer installable:

univention-auralis -> auralis-fastcgi=2.5.2.0-1 -> php5-fpm -> php5-common=5.4.36-0.210.201502031505

The package was built:
logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log_amd64_20150917202032.bz2
logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log.bz2

$ find -name php5-fpm\*
./amd64/php5-fpm_5.4.45-0.213.201509171749_amd64.deb
./i386/php5-fpm_5.4.45-0.213.201509171749_i386.deb

It got released as unmaintained:
<http://updates-test.software-univention.de/4.0/unmaintained/component/4.0-3-errata-test/amd64/>
(In reply to Philipp Hahn from comment #17)
> Jenkins regression: 20_appcenter.20_can_apps_be_installed.test
> The "auralis" app is now no longer installable:
>
> univention-auralis -> auralis-fastcgi=2.5.2.0-1 -> php5-fpm -> php5-common=5.4.36-0.210.201502031505
>
> The package was built:
> logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log_amd64_20150917202032.bz2
> logs/ucs_4.0-0-0-errata4.0-3/php5_5.4.45-0.213.201509171749.log.bz2
>
> $ find -name php5-fpm\*
> ./amd64/php5-fpm_5.4.45-0.213.201509171749_amd64.deb
> ./i386/php5-fpm_5.4.45-0.213.201509171749_i386.deb
>
> It got released as unmaintained:
> <http://updates-test.software-univention.de/4.0/unmaintained/component/4.0-3-errata-test/amd64/>

This is checked in announce/announce_errata (and has to be fixed manually during the errata announce).

* OK - tests (amd64)
* OK - php5 update
* OK - horde login/mail delivery still possible
* OK - owncloud login/upload/download
* OK - php -r 'phpinfo();'
* OK - 2015-09-17-php5.yaml
<http://errata.software-univention.de/ucs/4.0/342.html>