PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362

  • Done
Details
Participants (3): Alex Sassmannshausen, Leo Famulari, Ludovic Courtès
Owner: unassigned
Submitted by: Leo Famulari
Severity: normal
Leo Famulari wrote on 24 Jul 2017 20:57
(address . bug-guix@gnu.org)
20170724185744.GA4997@jasmine.lan
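Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?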


Alex Sassmannshausen wrote on 25 Jul 2017 17:26
(name . Leo Famulari)(address . leo@famulari.name)(address . 27808@debbugs.gnu.org)
87k22wo7v8.fsf@pompo.co
Hi Leo,

I've just submitted a patch to update PHP to version 7.1.7, which
resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
(but also on the previous version), so I could not fully build it
(disabling tests results in a working version of PHP).

The relevant patch is at 27826. If someone could try building it on
x86_64, then we could be sure it's just my local environment that messes
things up…

Alex

Leo Famulari writes:

> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?
Leo Famulari wrote on 25 Jul 2017 20:41
(name . Alex Sassmannshausen)(address . alex@pompo.co)(address . 27808@debbugs.gnu.org)
20170725184153.GA24552@jasmine.lan
On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
>
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).

I got this building with that patch:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================


Alex Sassmannshausen wrote on 25 Jul 2017 21:44
(name . Leo Famulari)(address . leo@famulari.name)
87inignvxw.fsf@pompo.co
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>>
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK that's what I've got too.

I guess it will need some investigation… :-(

Thanks for testing!

Alex

Leo Famulari writes:
Ludovic Courtès wrote on 31 Jul 2017 17:32
Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
(name . Alex Sassmannshausen)(address . alex@pompo.co)
87379c39mp.fsf@gnu.org
Hi Alex,

Alex Sassmannshausen <alex@pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(

Any update? :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo’.
Alex Sassmannshausen wrote on 31 Jul 2017 18:22
(name . Ludovic Courtès)(address . ludo@gnu.org)
87k22ok24j.fsf@pompo.co
Ludovic Courtès writes:

> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update? :-)
>
> Would be good not to leave the vulnerable version in the distro.

Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that. So at the earliest I could contribute those
patches this weekend.

Alex

>
> TIA,
> Ludo’.
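
The failed-test summary quoted above can be parsed into the list of `.phpt` files a packager would have to handle, with the tests tied to a PHP bug number separated from the rest so they can be reviewed before anything is disabled. This is an added example, not part of the thread or of Guix; the function names are hypothetical and the log text is copied from the message quoted above.

```python
import re

# Summary block as it appears in the build log quoted in this thread.
BUILD_LOG = """\
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================
"""

ENTRY = re.compile(r"^(?P<title>.+?) \[(?P<path>[^\[\]]+\.phpt)\]$")
BUG_ID = re.compile(r"^Bug #(\d+)")
QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")

def parse_failed_tests(log):
    """Return (title, path, bug_id) per summary entry; bug_id is None if absent."""
    entries, in_summary = [], False
    for raw in log.splitlines():
        # Drop mail quote markers so a summary pasted from a reply parses too.
        line = QUOTE_PREFIX.sub("", raw.strip()).strip()
        if line == "FAILED TEST SUMMARY":
            in_summary = True
        elif in_summary and line and set(line) == {"="}:
            break  # the closing rule ends the block
        elif in_summary:
            m = ENTRY.match(line)
            if m:
                bug = BUG_ID.match(m["title"])
                entries.append((m["title"], m["path"], int(bug[1]) if bug else None))
    return entries

def split_for_review(entries):
    """Separate bug regression tests from the rest before disabling anything."""
    regression = [e for e in entries if e[2] is not None]
    other = [e for e in entries if e[2] is None]
    return regression, other

if __name__ == "__main__":
    for title, path, bug in parse_failed_tests(BUILD_LOG):
        print(path, f"(PHP bug {bug})" if bug else "(no bug number)")
```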
Ludovic Courtès wrote on 3 Aug 2017 00:01
control message for bug #27808
(address . control@debbugs.gnu.org)
87ini5sk73.fsf@gnu.org
tags 27808 security
Alex Sassmannshausen wrote on 20 Aug 2017 22:10
Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
(name . Ludovic Courtès)(address . ludo@gnu.org)
87fucmuhjt.fsf@pompo.co
Hi

I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.

I will try to close the bugs (27826 & 27808).

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
Alex Sassmannshausen wrote on 20 Aug 2017 22:11
87efs6uhi6.fsf@pompo.co
Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
Closed