PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362

  • Done
Details
3 participants
  • Alex Sassmannshausen
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 24 Jul 2017 20:57
(address . bug-guix@gnu.org)
20170724185744.GA4997@jasmine.lan
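Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?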


Alex Sassmannshausen wrote on 25 Jul 2017 17:26
(name . Leo Famulari)(address . leo@famulari.name)(address . 27808@debbugs.gnu.org)
87k22wo7v8.fsf@pompo.co
Hi Leo,

I've just submitted a patch to update PHP to version 7.1.7, which
resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
(but also on the previous version), so I could not fully build it
(disabling tests results in a working version of PHP).

The relevant patch is at 27826. If someone could try building it on
x86_64, then we could be sure it's just my local environment that messes
things up…

Alex

Leo Famulari writes:

> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?
Leo Famulari wrote on 25 Jul 2017 20:41
(name . Alex Sassmannshausen)(address . alex@pompo.co)(address . 27808@debbugs.gnu.org)
20170725184153.GA24552@jasmine.lan
On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
>
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).

I got this building with that patch:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================


Alex Sassmannshausen wrote on 25 Jul 2017 21:44
(name . Leo Famulari)(address . leo@famulari.name)
87inignvxw.fsf@pompo.co
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>>
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK that's what I've got too.

I guess it will need some investigation… :-(

Thanks for testing!

Alex

Ludovic Courtès wrote on 31 Jul 2017 17:32
Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
(name . Alex Sassmannshausen)(address . alex@pompo.co)
87379c39mp.fsf@gnu.org
Hi Alex,

Alex Sassmannshausen <alex@pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(

Any update? :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo’.
Alex Sassmannshausen wrote on 31 Jul 2017 18:22
(name . Ludovic Courtès)(address . ludo@gnu.org)
87k22ok24j.fsf@pompo.co
Ludovic Courtès writes:

> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update? :-)
>
> Would be good not to leave the vulnerable version in the distro.

Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that. So at the earliest I could contribute those
patches this weekend.

Alex

>
> TIA,
> Ludo’.
Ludovic Courtès wrote on 3 Aug 2017 00:01
control message for bug #27808
(address . control@debbugs.gnu.org)
87ini5sk73.fsf@gnu.org
tags 27808 security
Alex Sassmannshausen wrote on 20 Aug 2017 22:10
Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
(name . Ludovic Courtès)(address . ludo@gnu.org)
87fucmuhjt.fsf@pompo.co
Hi

I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.

I will try to close the bugs (27826 & 27808).

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
Alex Sassmannshausen wrote on 20 Aug 2017 22:11
87efs6uhi6.fsf@pompo.co
Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
Closed
This issue is archived.