PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362

Done
Submitted by Leo Famulari.
Details
3 participants
  • Alex Sassmannshausen
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Severity
normal
Leo Famulari wrote on 24 Jul 2017 20:57
(address . bug-guix@gnu.org)
20170724185744.GA4997@jasmine.lan
Apparently our PHP package is vulnerable to CVE-2017-11144, CVE-2017-11145, and CVE-2017-11362:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
This one looks especially bad:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
Can someone please take a look at this?
Alex Sassmannshausen wrote on 25 Jul 2017 17:26
(name . Leo Famulari)(address . leo@famulari.name)(address . 27808@debbugs.gnu.org)
87k22wo7v8.fsf@pompo.co
Hi Leo,
I've just submitted a patch to update PHP to version 7.1.7, which resolves the CVEs. Unfortunately PHP has 4 test errors on my machine (but also on the previous version), so I could not fully build it (disabling tests results in a working version of PHP).
The relevant patch is at 27826. If someone could try building it, on x86_64 then we could be sure it's just my local environment that messes things up…
Alex
Leo Famulari writes:
> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?
Leo Famulari wrote on 25 Jul 2017 20:41
(name . Alex Sassmannshausen)(address . alex@pompo.co)(address . 27808@debbugs.gnu.org)
20170725184153.GA24552@jasmine.lan
On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
>
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).
I got this building with that patch:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================
Alex Sassmannshausen wrote on 25 Jul 2017 21:44
(name . Leo Famulari)(address . leo@famulari.name)
87inignvxw.fsf@pompo.co
Leo Famulari writes:
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>>
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================
OK that's what I've got too.
I guess it will need some investigation… :-(
Thanks for testing!
Alex
Ludovic Courtès wrote on 31 Jul 2017 17:32
Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
(name . Alex Sassmannshausen)(address . alex@pompo.co)
87379c39mp.fsf@gnu.org
Hi Alex,
Alex Sassmannshausen <alex@pompo.co> skribis:
>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(
Any update? :-)
Would be good not to leave the vulnerable version in the distro.
TIA,
Ludo’.
Alex Sassmannshausen wrote on 31 Jul 2017 18:22
(name . Ludovic Courtès)(address . ludo@gnu.org)
87k22ok24j.fsf@pompo.co
Ludovic Courtès writes:
> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update? :-)
>
> Would be good not to leave the vulnerable version in the distro.
Agreed, though I am in no position to investigate this. I was going to propose a patch that disabled those 4 tests, but I will need to investigate how to do that. So at the earliest I could contribute those patches this weekend.
Alex
>
> TIA,
> Ludo’.
Ludovic Courtès wrote on 3 Aug 2017 00:01
control message for bug #27808
(address . control@debbugs.gnu.org)
87ini5sk73.fsf@gnu.org
tags 27808 security
Alex Sassmannshausen wrote on 20 Aug 2017 22:10
Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
(name . Ludovic Courtès)(address . ludo@gnu.org)
87fucmuhjt.fsf@pompo.co
Hi
I believe this issue is now resolved as Julien Lepiller seems to have pushed a working version of PHP 7.1.8 on 3 August with commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.
I will try to close the bugs (27826 & 27808).
Alex
Alex Sassmannshausen wrote on 20 Aug 2017 22:11
87efs6uhi6.fsf@pompo.co
Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.
Alex
Closed
This issue is archived.

To comment on this conversation send email to 27808@debbugs.gnu.org