GNU bug report logs - #27808
PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362


Package: guix

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 24 Jul 2017 18:58:01 UTC

Severity: normal

Tags: security

Done: Alex Sassmannshausen <alex <at> pompo.co>

Bug is archived. No further changes may be made.


Report forwarded to bug-guix <at> gnu.org:
bug#27808; Package guix. (Mon, 24 Jul 2017 18:58:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 24 Jul 2017 18:58:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Mon, 24 Jul 2017 14:57:44 -0400
Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?

Information forwarded to bug-guix <at> gnu.org:
bug#27808; Package guix. (Tue, 25 Jul 2017 15:27:01 GMT)

Message #8 received at 27808 <at> debbugs.gnu.org:

From: Alex Sassmannshausen <alex <at> pompo.co>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27808 <at> debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 17:26:35 +0200
Hi Leo,

I've just submitted a patch to update PHP to version 7.1.7, which
resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
(but also on the previous version), so I could not fully build it
(disabling tests results in a working version of PHP).

The relevant patch is at 27826. If someone could try building it on
x86_64, then we could be sure it's just my local environment that messes
things up…

Alex


Information forwarded to bug-guix <at> gnu.org:
bug#27808; Package guix. (Tue, 25 Jul 2017 18:42:01 GMT)

Message #11 received at 27808 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Alex Sassmannshausen <alex <at> pompo.co>
Cc: 27808 <at> debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 14:41:53 -0400
On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
> 
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).

I got this building with that patch:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================

Information forwarded to bug-guix <at> gnu.org:
bug#27808; Package guix. (Tue, 25 Jul 2017 19:45:01 GMT)

Message #14 received at 27808 <at> debbugs.gnu.org:

From: Alex Sassmannshausen <alex <at> pompo.co>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27826 <at> debbugs.gnu.org, 27808 <at> debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 21:44:11 +0200
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>> 
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK that's what I've got too.

I guess it will need some investigation… :-(

Thanks for testing!

Alex


Information forwarded to bug-guix <at> gnu.org:
bug#27808; Package guix. (Mon, 31 Jul 2017 15:33:02 GMT)

Message #17 received at 27808 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Alex Sassmannshausen <alex <at> pompo.co>
Cc: 27826 <at> debbugs.gnu.org, 27808 <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145,
 CVE-2017-11362
Date: Mon, 31 Jul 2017 17:32:14 +0200
Hi Alex,

Alex Sassmannshausen <alex <at> pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>> 
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(

Any update?  :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#27808; Package guix. (Mon, 31 Jul 2017 16:23:01 GMT)

Message #20 received at 27808 <at> debbugs.gnu.org:

From: Alex Sassmannshausen <alex <at> pompo.co>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 27826 <at> debbugs.gnu.org, 27808 <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145,
 CVE-2017-11362
Date: Mon, 31 Jul 2017 18:22:20 +0200
Ludovic Courtès writes:

> Hi Alex,
>
> Alex Sassmannshausen <alex <at> pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update?  :-)
>
> Would be good not to leave the vulnerable version in the distro.

Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that.  So at the earliest I could contribute those
patches this weekend.

Alex

>
> TIA,
> Ludo’.




Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 02 Aug 2017 22:02:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#27808; Package guix. (Sun, 20 Aug 2017 20:11:01 GMT)

Message #25 received at 27808 <at> debbugs.gnu.org:

From: Alex Sassmannshausen <alex <at> pompo.co>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 27826 <at> debbugs.gnu.org, 27808 <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145,
 CVE-2017-11362
Date: Sun, 20 Aug 2017 22:10:14 +0200
Hi

I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.

I will try to close the bugs (27826 & 27808).

Alex


Reply sent to alex <at> pompo.co:
You have taken responsibility. (Sun, 20 Aug 2017 20:12:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Sun, 20 Aug 2017 20:12:02 GMT)

Message #30 received at 27808-done <at> debbugs.gnu.org:

From: Alex Sassmannshausen <alex <at> pompo.co>
To: 27826-done <at> debbugs.gnu.org, 27808-done <at> debbugs.gnu.org
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145,
 CVE-2017-11362
Date: Sun, 20 Aug 2017 22:11:13 +0200
Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.

Alex


bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 18 Sep 2017 11:24:04 GMT)