Debian Bug report logs - #702221
php5: CVE-2013-1635 CVE-2013-1643


Package: php5; Maintainer for php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5 is src:php5.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 4 Mar 2013 09:42:01 UTC

Severity: grave

Tags: security

Fixed in versions php5/5.4.4-14, php5/5.3.3-7+squeeze15

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#702221; Package php5. (Mon, 04 Mar 2013 09:42:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 04 Mar 2013 09:42:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: CVE-2013-1635 CVE-2013-1643
Date: Mon, 04 Mar 2013 10:36:12 +0100
Package: php5
Severity: grave
Tags: security
Justification: user security hole

Hi,
two issues have been reported in php5. CVE-2013-1635 doesn't classify as a security
issue per the Debian Security policy, but if the fix is non-intrusive we
could include it nonetheless:

CVE-2013-1643
http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36

CVE-2013-1635
http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#702221; Package php5. (Mon, 04 Mar 2013 12:39:03 GMT)

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 04 Mar 2013 12:39:03 GMT)

Message #10 received at 702221@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 702221@bugs.debian.org
Subject: Re: [php-maint] Bug#702221: php5: CVE-2013-1635 CVE-2013-1643
Date: Mon, 4 Mar 2013 13:37:49 +0100
Argh, thanks for the poke.

Building for squeeze-security now.

$ diffstat php5_5.3.3-7+squeeze15.debdiff
 debian/patches/CVE-2013-1635.patch |   48 +++++++++++++
 debian/patches/CVE-2013-1643.patch |  135 +++++++++++++++++++++++++++++++++++++
 php5-5.3.3/debian/changelog        |    7 +
 php5-5.3.3/debian/patches/series   |    2
 4 files changed, 192 insertions(+)

I will upload it directly to security-master if you agree.

O.




--
Ondřej Surý <ondrej@sury.org>

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 04 Mar 2013 15:06:05 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 04 Mar 2013 15:06:05 GMT)

Message #15 received at 702221-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 702221-close@bugs.debian.org
Subject: Bug#702221: fixed in php5 5.4.4-14
Date: Mon, 04 Mar 2013 15:04:12 +0000
Source: php5
Source-Version: 5.4.4-14

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702221@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 04 Mar 2013 14:30:16 +0100
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-mysqlnd php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.4.4-14
Distribution: unstable
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-mysqlnd - MySQL module for php5 (Native Driver)
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 702221
Changes: 
 php5 (5.4.4-14) unstable; urgency=high
 .
   * [CVE-2013-1635] Fixed external entity loading
   * [CVE-2013-1643] Check if soap.wsdl_cache_dir conforms to open_basedir
     (Closes: #702221)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

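The changelog above describes the 5.4.4-14 fixes only in one line each. The following is an added illustration, not code from the php5 package or from the upstream commits: it models the kind of open_basedir conformance check the changelog describes for soap.wsdl_cache_dir, and shows the PHP 5.x switch that refuses external entity loading for the libxml-based parsers. The function name wsdlCacheDirAllowed, the temporary directory layout and the open_basedir value are all constructed for the demonstration.

```php
<?php
// Added example (not the php5 package's own code). Assumes a CLI run and that
// $openBasedir mirrors the php.ini open_basedir value (entries separated by
// PATH_SEPARATOR, ":" on Unix and ";" on Windows; empty means unrestricted).

/**
 * Return true when $dir resolves to a location inside one of the
 * open_basedir prefixes, false otherwise.
 */
function wsdlCacheDirAllowed($dir, $openBasedir)
{
    if ($openBasedir === null || $openBasedir === '') {
        return true; // no open_basedir restriction configured
    }
    // Resolve symlinks and ".." first: a purely lexical prefix match
    // would accept "/allowed/../elsewhere".
    $real = realpath($dir);
    if ($real === false) {
        return false; // directory does not exist; refuse rather than guess
    }
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $baseReal = realpath($base);
        if ($baseReal === false) {
            continue; // unresolvable entries grant nothing
        }
        // Compare with a trailing separator so "/var/www" does not
        // accidentally cover "/var/www2".
        $baseReal = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $baseReal, strlen($baseReal)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed demonstration layout under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wsdlcheck_' . getmypid();
mkdir("$root/www/cache", 0700, true);
mkdir("$root/elsewhere", 0700, true);
$openBasedir = "$root/www" . PATH_SEPARATOR . '/nonexistent-entry';

var_dump(wsdlCacheDirAllowed("$root/www/cache", $openBasedir));        // inside
var_dump(wsdlCacheDirAllowed("$root/elsewhere", $openBasedir));        // outside
var_dump(wsdlCacheDirAllowed("$root/www/../elsewhere", $openBasedir)); // outside

// Companion setting for the external entity item: on PHP 5.x this makes the
// libxml-based parsers (including the ones ext/soap uses) refuse to fetch
// external entities for the rest of the process.
if (function_exists('libxml_disable_entity_loader')) {
    libxml_disable_entity_loader(true);
}
```

The three var_dump calls print true, false, false in that order; the last case is the one a lexical prefix check would get wrong.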




Marked as fixed in versions php5/5.3.3-7+squeeze15. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 05 Mar 2013 18:36:03 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:34:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:28:49 2014; Machine Name: beach.debian.org
