Debian Bug report logs - #783107
php5: CVE-2015-4604 CVE-2015-4605

Package: src:php5; Maintainer for src:php5 is (unknown);

Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 22 Apr 2015 08:39:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 783099

Found in version php5/5.6.7+dfsg-1

Fixed in versions php5/5.6.9+dfsg-1, php5/5.6.9+dfsg-0+deb8u1, php5/5.4.41-0+deb7u1, 5.6.9+dfsg-1

Done: Lior Kaplan <kaplanlior@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#783099; Package src:php5. (Wed, 22 Apr 2015 08:39:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 22 Apr 2015 08:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: php5: Fileinfo on specific file causes spurious OOM and/or segfault
Date: Wed, 22 Apr 2015 11:35:45 +0300

Source: php5
Version: 5.6.7+dfsg-1
Severity: grave
Tags: security, upstream, fixed-upstream

Hi,

the following vulnerability was published for PHP5,

"""
When calling finfo::file() or finfo::buffer() with a crafted string, PHP will
crash by either segfaulting or trying to allocate a large amount of memory
(4GiB).

This was found in the wild when a user uploaded a file (running finfo on
arbitrary files uploaded by users is one of its main use cases). I've since
anonymised the file, and made it more minimal. At this stage, very small changes
to the string make it produce different behaviour - removing the remaining 'a',
's', or 'y' characters, for instance, will allow finfo to process it fine.
"""

For further information see:
  https://bugs.php.net/bug.php?id=68819
  https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd

-- 
Henri Salo



Bug 783099 cloned as bugs 783107, 783108. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 22 Apr 2015 10:21:11 GMT)


Merged 783099 783107. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 22 Apr 2015 13:12:07 GMT)


Added tag(s) unreproducible. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Thu, 23 Apr 2015 07:33:16 GMT)


Removed tag(s) unreproducible. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Thu, 23 Apr 2015 07:45:05 GMT)


Marked as fixed in versions php5/5.6.9+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 05:39:10 GMT)


Marked as fixed in versions php5/5.6.9+dfsg-0+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 05:39:12 GMT)


Marked as fixed in versions php5/5.4.41-0+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 05:39:14 GMT)


Changed Bug title to 'php5: CVE-2015-4604 CVE-2015-4605' from 'php5: Fileinfo on specific file causes spurious OOM and/or segfault'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Jun 2015 07:21:09 GMT)


Message #22 received at 783099-done@bugs.debian.org:

From: Lior Kaplan <kaplanlior@gmail.com>
To: 783099-done@bugs.debian.org
Subject: Fixed
Date: Mon, 17 Aug 2015 13:41:56 +0200
Version: 5.6.9+dfsg-1

This issue has been fixed for unstable, testing, stable and oldstable.
Closing the bug.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Feb 2016 07:26:32 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:25:29 2023; Machine Name: bembo
