hhvm: Various CVEs (CVE-2014-9709 CVE-2015-8865 CVE-2016-1903 CVE-2016-4070 CVE-2016-4539 CVE-2016-6870 CVE-2016-6871 CVE-2016-6872 CVE-2016-6873 CVE-2016-6874 CVE-2016-6875)

Debian Bug report logs - #835032

Package: src:hhvm; Maintainer for src:hhvm is (unknown);

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 21 Aug 2016 14:27:02 UTC

Severity: grave

Tags: security, upstream

Found in version hhvm/3.12.1+dfsg-1

Fixed in version hhvm/3.12.11+dfsg-1

Done: Faidon Liambotis <paravoid@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HHVM packaging team <pkg-hhvm-team@lists.alioth.debian.org>:
Bug#835032; Package src:hhvm. (Sun, 21 Aug 2016 14:27:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HHVM packaging team <pkg-hhvm-team@lists.alioth.debian.org>. (Sun, 21 Aug 2016 14:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hhvm: Various CVEs (CVE-2014-9709 CVE-2015-8865 CVE-2016-1903 CVE-2016-4070 CVE-2016-4539 CVE-2016-6870 CVE-2016-6871 CVE-2016-6872 CVE-2016-6873 CVE-2016-6874 CVE-2016-6875)
Date: Sun, 21 Aug 2016 16:25:03 +0200
Source: hhvm
Version: 3.12.1+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for hhvm. The respective
upstream commits can be found in the security-tracker references.

CVE-2014-9709[0]:
| The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used
| in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers
| to cause a denial of service (buffer over-read and application crash)
| via a crafted GIF image that is improperly handled by the
| gdImageCreateFromGif function.

CVE-2015-8865[1]:
| The file_check_mem function in funcs.c in file before 5.23, as used in
| the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and
| 7.x before 7.0.5, mishandles continuation-level jumps, which allows
| context-dependent attackers to cause a denial of service (buffer
| overflow and application crash) or possibly execute arbitrary code via
| a crafted magic file.

CVE-2016-1903[2]:
| The gdImageRotateInterpolated function in
| ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before
| 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain
| sensitive information or cause a denial of service (out-of-bounds read
| and application crash) via a large bgd_color argument to the
| imagerotate function.

CVE-2016-4070[3]:
| ** DISPUTED ** Integer overflow in the php_raw_url_encode function in
| ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
| before 7.0.5 allows remote attackers to cause a denial of service
| (application crash) via a long string to the rawurlencode function.
| NOTE: the vendor says "Not sure if this qualifies as security issue
| (probably not)."

CVE-2016-4539[4]:
| The xml_parse_into_struct function in ext/xml/xml.c in PHP before
| 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
| attackers to cause a denial of service (buffer under-read and
| segmentation fault) or possibly have unspecified other impact via
| crafted XML data in the second argument, leading to a parser level of
| zero.

CVE-2016-6870[5]:
incorrect use of strndup

CVE-2016-6871[6]:
Fix buffer overrun due to integer overflow in bcmath

CVE-2016-6872[7]:
Fix integer overflow in StringUtil::implode

CVE-2016-6873[8]:
Fix self recursion in compact

CVE-2016-6874[9]:
Fix recursion checks in array_*_recursive

CVE-2016-6875[10]:
Fix infinite recursion in wddx

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9709
[1] https://security-tracker.debian.org/tracker/CVE-2015-8865
[2] https://security-tracker.debian.org/tracker/CVE-2016-1903
[3] https://security-tracker.debian.org/tracker/CVE-2016-4070
[4] https://security-tracker.debian.org/tracker/CVE-2016-4539
[5] https://security-tracker.debian.org/tracker/CVE-2016-6870
[6] https://security-tracker.debian.org/tracker/CVE-2016-6871
[7] https://security-tracker.debian.org/tracker/CVE-2016-6872
[8] https://security-tracker.debian.org/tracker/CVE-2016-6873
[9] https://security-tracker.debian.org/tracker/CVE-2016-6874
[10] https://security-tracker.debian.org/tracker/CVE-2016-6875

Regards,
Salvatore



Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility. (Sun, 18 Dec 2016 00:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Dec 2016 00:51:09 GMT)


Message #10 received at 835032-close@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: 835032-close@bugs.debian.org
Subject: Bug#835032: fixed in hhvm 3.12.11+dfsg-1
Date: Sun, 18 Dec 2016 00:50:07 +0000
Source: hhvm
Source-Version: 3.12.11+dfsg-1

We believe that the bug you reported is fixed in the latest version of
hhvm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated hhvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 18 Dec 2016 02:13:55 +0200
Source: hhvm
Binary: hhvm hhvm-dbg hhvm-dev
Architecture: source
Version: 3.12.11+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian HHVM packaging team <pkg-hhvm-team@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description:
 hhvm       - HipHop Virtual Machine, a JIT replacement for PHP - main runtime
 hhvm-dbg   - HipHop Virtual Machine, a JIT replacement for PHP - debugging sym
 hhvm-dev   - HipHop Virtual Machine, a JIT replacement for PHP - development f
Closes: 812023 825077 828340 835032 839303 843281 843439 845852
Changes:
 hhvm (3.12.11+dfsg-1) unstable; urgency=medium
 .
   [ Moritz Muehlenhoff ]
   * New upstream LTS releases, addressing multiple security issues.
     (Closes: #835032)
     From 3.12.2:
      - CVE-2015-8865 - Buffer overwrite in finfo_open with malformed magic
      - Integer overflow in iptcembed
      - CVE-2016-3074 - Fix signedness issue in libgd
      - CVE-2014-9709 - Fix a possible buffer read overflow in gd_gif_in.cpp
      - Prevent a potential nullptr dereference in ext_xsl
      - Don't segfault if you try to remove the last autoloader while
        adding a new one
      - CVE-2016-1903 - imagerotate information leak
      - FILTER_FLAG_STRIP_BACKTICK was being ignored unless other flags
        are set
      - CVE-2016-4539 - Fix a segfault in xml_parse_into_struct
      - Fix a potential null dereference in ZipArchive::extractTo
      - CVE-2016-4070 - Integer Overflow in php_raw_url_encode
     From 3.12.3:
      - CVE-2016-1000004 - Type safety in simplexml import routines
      - CVE-2016-1000004 - Fix param types for mcrypt_get_block_size()
        to match PHP
      - CVE-2016-1000006 - Fix use-after-free in
        serialize_memoize_param() and ResourceBundle::__construct()
      - CVE-2016-6870 - Use req::strndup in php_mb_parse_encoding_list to
        prevent oob memory write.
      - HHVM-2016-11781481 - Fix nullptr dereference in
        f_mysqli_stmt_bind{param,result}
      - HHVM-2016-11791940 - Avoid invalid array access in JSON_decode()
      - PHP-2016-0072337 - Fix a segfault with invalid dimensions and
        imagescale out of bounds read in ext_gd
     From 3.12.5:
      - CVE-2016-1000109: Ignore Proxy HTTP header from fastcgi requests
     From 3.12.6:
      - CVE-2016-6871 - Fix buffer overrun due to integer overflow in bcmath
      - CVE-2016-6872 - Fix integer overflow in StringUtil::implode
      - CVE-2016-6873 - Fix self recursion in compact
      - CVE-2016-6874 - Fix recursion checks in array_*_recursive
      - CVE-2016-6875 - Fix infinite recursion in wddx
      - PHP-2015-0070345 - [HHVM][Security] 0003 pcre preg bug 70345
     From 3.12.8:
      - ext_gd: exif_process_IFD_TAG: Use the right offset if reading from
        stream
      - Fix some color related crashes in libgd
      - Don't allow smart_str to overflow int
      - Integer overflow in _gd2GetHeader
      - Fix objprof refcounting
      - Fix buffer overruns in mb_send_mail
      - Integer overflow in gdImagePaletteToTrueColor
      - Null pointer dereference in _gdScaleVert
      - pass2_no_dither out-of-bounds access
     From 3.12.9:
      - Fix off-by-one index check in ThreadSafeLocaleHandler::actuallySetLocale
      - Prevent an integer overflow in _gdContributionsAlloc
      - Fix a potential overflow in tsrm_virtual_file_ex
      - Invalid transparent index can result in OOB read or write
      - Do not treat negative return values from bz2 as size_t
      - Fix OOB read in exif_process_IFD_in_MAKERNOTE
      - Prevent an OOB access in locale_accept_from_http
      - Avoid possible OOB using imagegif
      - Disable bad zend test
      - Add an option to explicitly disable NUMA support.
     From 3.12.10:
      - Fix a bug in StringUtil::Explode
      - Fix a couple of bugs in libgd
     From 3.12.11:
      - Prevent integer overflow in gdImageWebpCtx
      - Check depth values in json_decode
      - Prevent negative gamma values being passed to imagegammacorrect
      - Fix crypt with over-long salts
      - Memory leak in exif_process_IFD_in_TIFF
      - 9da Fix getimagesize returning FALSE on valid jpg
 .
   [ Faidon Liambotis ]
   * Build against libmysqlclient, not libmysqlclient_r. Thanks to Robie Basak
     for the bug report and patch. (Closes: #825077)
   * Build-Depend on default-libmysqlclient-dev instead of libmysqlclient-dev.
     (Closes: #845852)
   * Add /bin/sh shebangs on maintainer scripts. (Closes: #843281)
   * Remove update-alternatives --remove from postrm, already included in prerm
     (and also causes a lintian warning).
   * Remove David Martínez Moreno from the Uploaders, at the request of the MIA
     team. (Closes: #843439)
   * Fix FTBFS with GCC 6, by backporting an upstream fix. (Closes: #812023)
   * Pass -fno-PIE/-no-pie to gcc to prevent a linking error with GCC 6's new
     configuration (--enable-default-pie) in combination with HHVM's
     hand-crafted assembly (translator-asm-helpers.S).
   * Build-Depend on libssl1.0-dev, as HHVM is not ready for OpenSSL 1.1.0 yet.
     (Closes: #828340)
   * Remove Build-Depends on libc-client2007e-dev and thus disable the IMAP
     extension. libc-client2007e-dev depends on libssl-dev 1.1.0, which
     conflicts with libssl1.0-dev and is thus impossible to satisfy.
   * Disable Folly's Fibers, as the current version is incompatible with Boost
     1.61 and thus FTBFS. The incompatibility has been fixed upstream but is
     too intrusive to backport, thus disable the functionality entirely.
     (Closes: #839303)
   * Temporarily disable the mcrouter extension as it requires Folly Fibers,
     that were disabled in this version (see above).
   * Backport an upstream fix to address an ICU Collation sort key
     incompatibility with PHP.
   * Backport an upstream fix to address a segfault when bzip2 and XMLReader
     are being used together.
   * Backport an upstream fix to address inconsistent regexp results when
     running with a newer PCRE version (8.38 instead of 8.32).
   * Disable test pcre_limit.php which now fails for unknown reasons;
     upstream seemingly has disabled the test as well for a while with no ill
     effects.
   * Add a Documentation line to the systemd service file.
   * Bump Standards-Version to 3.9.8, no changes needed.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 08:54:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:37:15 2019; Machine Name: buxtehude
