php5: multiple security issues fixed in php 5.2.1

Debian Bug report logs - #410561
php5: multiple security issues fixed in php 5.2.1


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 11 Feb 2007 19:48:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 410995

Found in version php5/5.2.0-8

Fixed in versions php5/5.2.0-9, 5.2.0-8+etch4

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: multiple security issues fixed in php 5.2.1
Date: Sun, 11 Feb 2007 20:08:40 +0100
Package: php5
Version: 5.2.0-8
Severity: grave
Tags: security
Justification: user security hole


PHP 5.2.1 fixes some security problems. See

http://www.php.net/releases/5_2_1.php
http://secunia.com/advisories/24089/

PHP 4.4 is affected by at least some of the issues, too.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 410561@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: pkg-php-maint@lists.alioth.debian.org
Cc: 410561@bugs.debian.org
Subject: Re: [php-maint] Bug#410561: php5: multiple security issues fixed in php 5.2.1
Date: Sun, 11 Feb 2007 22:01:22 +0100
Oh my goddess :-(

> PHP 5.2.1 fixes some security problems. See
> 
> http://www.php.net/releases/5_2_1.php
> http://secunia.com/advisories/24089/

Seems there is a lot of stack and buffer overflows fixed.
Unfortunately our lovely PHP upstream maintainers bundled
a lot of stuff into 5.2.1 as well including changes in default
behaviour.  I would love to have 5.2.1 in etch, but I am prepared to go
cherry picking.

Steve, what's your opinion?  Cesspool will remain cesspool, so I don't
see big difference between 5.2.0 and 5.2.1 in terms of bugginess.

> PHP 4.4 is affected by at least some of the issues, too.

That troubles me :-(((, since new php4 is not available.

Ondrej.
-- 
Ondřej Surý <ondrej@sury.org>  ***  http://blog.rfc1925.org/
Kulturní občasník              ***  http://www.obcasnik.cz/





Tags added: upstream, fixed-upstream Request was from Philippe Cloutier <cheal@hotpop.com> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #17 received at 410561@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Ondřej Surý <ondrej@sury.org>, 410561@bugs.debian.org
Cc: pkg-php-maint@lists.alioth.debian.org
Subject: Re: Bug#410561: [php-maint] Bug#410561: php5: multiple security issues fixed in php 5.2.1
Date: Sun, 11 Feb 2007 19:37:29 -0800
On Sun, Feb 11, 2007 at 10:01:22PM +0100, Ondřej Surý wrote:
> Oh my goddess :-(

> > PHP 5.2.1 fixes some security problems. See

> > http://www.php.net/releases/5_2_1.php
> > http://secunia.com/advisories/24089/

> Seems there is a lot of stack and buffer overflows fixed.
> Unfortunately our lovely PHP upstream maintainers bundled
> a lot of stuff into 5.2.1 as well including changes in default
> behaviour.  I would love to have 5.2.1 in etch, but I am prepared to go
> cherry picking.

> Steve, what's your opinion?  Cesspool will remain cesspool, so I don't
> see big difference between 5.2.0 and 5.2.1 in terms of bugginess.

Well, as you mention changes to default behavior, the difference is the
impact that such changes would have on other apps that depend on the current
behavior.  So I'm afraid this needs to be handled in a way that we get the
security fixes without whatever random changes upstream has decided to make.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #22 received at 410561@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Steve Langasek <vorlon@debian.org>, 410561@bugs.debian.org
Cc: Ondřej Surý <ondrej@sury.org>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: Bug#410561: [php-maint] Bug#410561: php5: multiple security issues fixed in php 5.2.1
Date: Mon, 12 Feb 2007 07:37:56 +0100
[Message part 1 (text/plain, inline)]
hey guys,

i should have some time to put forward on this starting wednesday or so.
i believe the folks at redhat are also in our position wrt php4 and have
been independently working on digging up the packages, so i threw
an email to the guy doing it.  hopefully that'll lower the burden just a
bit.


	sean
[signature.asc (application/pgp-signature, inline)]

Merged 410561 410995. Request was from Kees Cook <kees@outflux.net> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #29 received at 410561@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>, team <team@security.debian.org>
Cc: 410561 <410561@bugs.debian.org>
Subject: update on latest batch of CVE's for php
Date: Mon, 19 Feb 2007 00:02:51 +0100
[Message part 1 (text/plain, inline)]
hey folks,

just fyi, i put a nice big chunk of time into analyzing the latest batch
of CVEs (2007-0905 - 0911), but there is still significant work to be
done before we're ready for an update.  here's a quick summary, followed
by a CVE-by-CVE status.

 * executive summary

most of the vulnerabilities have been found and the patches isolated,
after some aggressive pruning of the 200k lines of diff code and digging
through upstream cvs commit logs. some of the patches are incomplete,
and some have additional non-related changes that need to be filtered
out.

also, i've similarly reduced the 40k lines of diff code from 4.4.5 to
around 1.5k lines of relevant patches.  however, i want to make sure
that we get php5 fixed up first, as it's not unimaginable that something
was left out of the 4.4.5 release.

all of my work-in-progress patches and any other pertinent data
can be found at

	http://people.debian.org/~seanius/security/php

in this directory there are a number of patches named in a rather
self-descriptive manner.  there's also a group of CHECKME patches, which
i thought may belong to one of the CVE patches listed here (see below),
or otherwise caught my attention for some reason (the fopen one looks
really suspicious, for example)

 * CVE-2007-0905 (safe_mode/open_basedir bypass in session extension)

for starters i'm going on the assumption that this one won't be a high
priority for us, as the prevailing attitude for safe_mode/open_basedir
is that it's broken by design and thus we don't want to reinforce the
illusion of security... or at least spend our time on it.

however, it looks like the fixes for this might be mixed up with another
CVE (2007-0906 part 1), so we might end up fixing it incidentally as
part of this other fix, which i don't think we should go out of our way
to avoid.

 * CVE-2007-0906 (Multiple buffer overflows in various extensions)

you really have to love the level of information provided.  "multiple
buffer overflows... ...cause a denial of service and execute
arbitrary code via unspecified vectors..."

anyway, i've isolated the meat of each of the changes (see links
at bottom of mail).  for some of them i have the exact lines of code
that fix the problem, for others i have the lines of code mixed up
with other possibly unrelated changes in the same file, which still
needs to be sorted out.

 * CVE-2007-0907 (Buffer underflow in sapi_header_op)

found and isolated.

 * CVE-2007-0908 (information disclosure via wddx extension)

debian does not ship the wddx extension, so no fix needed.

 * CVE-2007-0909 (fmt string vulnerabilities in print and odbc funcs)

i've found the odbc function fix, but i'm not sure about exactly what
are the format string fixes.  i've found two or three patches, at least
one of which are responsible for fixing it (some of the
CHECKME-*-maybecve.diff patches at the above link), but need more time
and possibly a little help to determine the fix.

 * CVE-2007-0910 (clobbering of certain super-global variables)

i believe i've found this, though a confirmation from upstream would
be nice.

 * CVE-2007-0911 (segfaults from str_ireplace due to off-by-one)

we're not currently affected by this as it is a regression introduced in
5.2.1, but we should remember to have a patch for it when we get around
to releasing 5.2.1.

 * Next steps

there's a little more cleanup that needs to be done in some of the
patches, and some level of verification from the upstream authors would
be very useful.  PoC code would probably be too much to ask for...
after we feel comfortable about the fixes, we can compare the
accumulated patches to the cleaned up diff i've extracted from php4
(there's a 4.4.4_4.4.5-somethingsomething.diff in the above link)

reading through the upstream mail archive (as well as the CVE
descriptions themselves) upstream seems rather tight-lipped about
details, so i'm a bit pessimistic that we'll actually get any kind of
positive feedback from them.  i'd love to be proved wrong though so i'll
give it a shot.  might also be worth contacting stefan esser as i think
he knows the details of most of these CVEs.


	sean
[signature.asc (application/pgp-signature, inline)]
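
The pruning described in the message above (split a 200k-line release diff per file, keep only the files that plausibly belong to a CVE, drop unrelated hunks that happen to share a file with the fix, then check whether the php4 diff touches the same places) is mechanical enough to script. The block below is an added example and is not the maintainers' tooling or anything from the linked directory; the two sample diffs, the SUSPECT_PATHS list and the helper names are constructed for illustration, and the hunk contents do not reproduce any real PHP change.

```python
"""Isolate security-relevant changes from a large upstream diff.

Added example for the triage workflow described above; not the Debian PHP
maintainers' tooling.  Both sample diffs are constructed: the paths are real
PHP source locations, but the hunk contents are made up.
"""
import re
from fnmatch import fnmatch

# Constructed release diff: a plausible fix plus an unrelated hunk in one
# file, a second suspect file, and pure noise (NEWS).
SAMPLE_52_DIFF = """\
diff -u php-5.2.0/main/SAPI.c php-5.2.1/main/SAPI.c
--- php-5.2.0/main/SAPI.c
+++ php-5.2.1/main/SAPI.c
@@ -1,3 +1,4 @@
 int header_op(char *s, int len)
 {
+\tif (len < 0) return -1;  /* constructed guard, not the real fix */
 \treturn len;
@@ -10,4 +11,4 @@
 void unrelated_helper(void)
 {
-\tint x = 0;
+\tint x = 1;
 }
--- php-5.2.0/ext/odbc/php_odbc.c
+++ php-5.2.1/ext/odbc/php_odbc.c
@@ -5,1 +5,1 @@
-\temit_warning(msg);
+\temit_warning("%s", msg);
--- php-5.2.0/NEWS
+++ php-5.2.1/NEWS
@@ -1,1 +1,2 @@
 PHP NEWS
+- constructed changelog entry
"""

# Constructed php4 diff that touches one of the same files.
SAMPLE_44_DIFF = """\
--- php-4.4.4/main/SAPI.c
+++ php-4.4.5/main/SAPI.c
@@ -3,1 +3,2 @@
+\tif (len < 0) return -1;
 \treturn len;
"""

# Assumed: files a reviewer would flag from the CVE descriptions.
SUSPECT_PATHS = ["main/SAPI.c", "ext/odbc/*"]


def _path_from_header(plus_line, strip):
    # Path from a '+++ ' line minus `strip` leading components (like patch -pN).
    path = plus_line[4:].split("\t")[0].split()[0]
    parts = path.split("/")
    return "/".join(parts[strip:]) if len(parts) > strip else path


def split_unified_diff(diff_text, strip=1):
    """Split a multi-file unified diff into {path: single-file patch}. A file
    starts at a '--- ' line directly followed by '+++ '; any 'diff'/'Index:'
    lines seen just before it are kept as that file's header."""
    sections, pending, current, path = {}, [], [], None
    lines = diff_text.splitlines(keepends=True)
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("--- ") and i + 1 < len(lines) and lines[i + 1].startswith("+++ "):
            if path is not None:
                sections[path] = "".join(current)
            path = _path_from_header(lines[i + 1], strip)
            current, pending = pending + [line, lines[i + 1]], []
            i += 2
            continue
        if line.startswith(("diff ", "Index: ", "=====")):
            pending.append(line)
        elif path is not None:
            current.append(line)
        i += 1
    if path is not None:
        sections[path] = "".join(current)
    return sections


def filter_by_paths(sections, patterns):
    """Keep only the files matching one of the shell-style patterns."""
    return {p: t for p, t in sections.items() if any(fnmatch(p, x) for x in patterns)}


def split_hunks(patch_text):
    """Return (file header, [hunk text, ...]) for a single-file patch."""
    parts = re.split(r"(?m)^(?=@@)", patch_text)
    return parts[0], parts[1:]


def keep_hunks(patch_text, keyword):
    """Drop hunks that do not mention `keyword`, so unrelated changes sharing
    a file with the fix do not ride along into the backport."""
    header, hunks = split_hunks(patch_text)
    return header + "".join(h for h in hunks if keyword in h)


def shared_files(a, b):
    """Files touched by both diffs (is the isolated fix present on the other branch?)."""
    return sorted(set(a) & set(b))
```

On a real release diff the keyword filter is only a first cut; the hunks it keeps still have to be read, and anything a filter drops from a suspect file deserves a second look before it is declared unrelated.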

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #34 received at 410561@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: sean finney <seanius@debian.org>, 410561@bugs.debian.org
Subject: My current PHP patch collection
Date: Tue, 20 Feb 2007 19:17:51 +0100
[Message part 1 (text/plain, inline)]
Hi,

just in case it is useful for anything, I collected some patches for
the current CVEs, based on an analysis of Joe Orton and some CVS digging.

I keep my current writeup at

  http://people.ubuntu.com/~pitti/tmp/php-patches.txt

There are still some outstanding issues, though, but I'll keep you
posted if you wish.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #39 received at 410561@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 410561@bugs.debian.org
Subject: Re: My current PHP patch collection
Date: Wed, 21 Feb 2007 08:34:59 +0100
[Message part 1 (text/plain, inline)]
hey pitti,

On Tue, 2007-02-20 at 19:17 +0100, Martin Pitt wrote:
> just in case it is useful for anything, I collected some patches for
> the current CVEs, based on an analysis of Joe Orton and some CVS digging.
> 
> I keep my current writeup at
> 
>   http://people.ubuntu.com/~pitti/tmp/php-patches.txt
> 
> There are still some outstanding issues, though, but I'll keep you
> posted if you wish.

thanks for this.  yes please do keep me posted.  what are the
outstanding issues, btw?  hopefully between you, myself, and joe's work
i can get a security release prepared by this weekend.


	sean
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #44 received at 410561@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: sean finney <seanius@debian.org>
Cc: Martin Pitt <mpitt@debian.org>, 410561@bugs.debian.org
Subject: Re: My current PHP patch collection
Date: Wed, 21 Feb 2007 10:41:58 +0100
[Message part 1 (text/plain, inline)]
Hi Sean,

sean finney [2007-02-21  8:34 +0100]:
> what are the outstanding issues, btw?  hopefully between you,
> myself, and joe's work i can get a security release prepared by this
> weekend.

In fact I sorted out all the outstanding issues yesterday and updated
the file, so you might not even have seen the TODO items.

Also, I ignored the php-interbase part of CVE-2007-0906 because this
bit is in Ubuntu universe, but it affects php4-interbase in Sarge and
php5-interbase in testing/unstable.

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to Martin Sebald <msebald@hot-chilli.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #49 received at 410561@bugs.debian.org (full text, mbox, reply):

From: Martin Sebald <msebald@hot-chilli.net>
To: 410561@bugs.debian.org
Subject: Fw: Re: Error 500 when trying to edit tt_news entry
Date: Thu, 1 Mar 2007 13:04:46 +0100
Hi all,

I and, most of all, my customers are having serious problems with a Typo3
extension called tt_news. When trying to edit a tt_news entry by clicking
on the edit icon in the backend, the server produces a 500 error.

I contacted Rupert Germann in December 2006, the author of tt_news and
after trying and sorting out he believes that this is a PHP 5.2.0 issue.
Attached the mail Rupert sent me. As I'm not a programmer I cannot say for
sure if Rupert is right. But at least it reads comprehensible to me.

As tt_news is a very popular extension, plus I'm sure that other
extensions or completely different PHP applications also have problems with
these xml parsing bugs, I hope that this is fixed very soon. I have been waiting
for the release of PHP 5.2.1 and, since then, for the release of the Debian
package.

Thanks and regards,
Martin


===8<===========This is a forwarded message============

From: Rupert Germann
To: Martin Sebald
Date: Tuesday, 12 December 2006, 10:34:17 [GMT +0100]
Subject: Re: Error 500 when trying to edit tt_news entry

===8<==============Original message text===============

hi Martin,

I also tried it with PHP 5.2.0-7 on Debian and after I wasted some hours with 
unsuccessful testing/debugging I downgraded to the former 5.1.6 version.
The error seems to be located in the xmlparser of PHP. The extension manager 
from TYPO3 could not parse the extensions.xml file and also the parsing of 
big flexform xml files (like tt_news uses) failed.

In the TYPO3 mailing lists there are several threads about the PHP 5.2 problems, 
e.g.:
http://lists.netfielders.de/pipermail/typo3-english/2006-November/033111.html
http://lists.netfielders.de/pipermail/typo3-english/2006-November/033273.html
http://lists.netfielders.de/pipermail/typo3-english/2006-November/033480.html

conclusion is that you either should downgrade to 5.1.6 or you could try the 
5.2.1dev version where people say that this problem is fixed.

greets
rupert

===8<===========End of original message text===========




Tags added: pending Request was from Sean Finney <seanius@alioth.debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#410561; Package php5. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #56 received at 410561@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 410561@bugs.debian.org
Subject: php-patches.txt updated
Date: Wed, 7 Mar 2007 11:34:59 +0100
Hi,

just a quick heads-up:

we just got a bug report about a regression in streams [1], I pulled
the patch that fixes it from upstream CVS and updated [2]. The patch
required a little backporting, but nothing too serious (feel free to
take them from the ubuntu -security uploads if you need).

Martin

[1] https://launchpad.net/bugs/87481
[2] http://people.ubuntu.com/~pitti/tmp/php-patches.txt
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org



Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #61 received at 410561-done@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: 410561-done@bugs.debian.org
Subject: Re: php5: multiple security issues fixed in php 5.2.1
Date: Tue, 13 Mar 2007 16:12:03 -0700
Version: 5.2.0-8+etch4

These bugs have also been fixed in the testing-proposed-updates upload of
php5 5.2.0-8+etch4, so marking as such.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Kees Cook <kees@outflux.net>:
Bug acknowledged by developer. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 03:52:09 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:23:46 2019; Machine Name: beach
