Your message dated Sat, 08 Mar 2014 15:17:20 +0000
with message-id <e1wmj04-0000db...@franck.debian.org>
and subject line Bug#739012: fixed in php5 5.4.4-14+deb7u8
has caused the Debian Bug report #739012,
regarding php5: CVE-2014-1943: crafted files might result in long computation
times
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
739012: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739012
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: file
Version: 5.11-2
Severity: grave
Tags: security
[ Re-sent to BTS by request of the security team, also updated ]
A bug in the handling of "indirect" magic rules of libmagic leads to
an infinite recursion when trying to determine the file type of
certain files. This has been assigned CVE-2014-1943. Additionally,
other well-crafted files might result in long computation times (five
seconds for a single file while using 100% CPU) and overlong results
(~400k line), something some applications that operate on the file
result might not handle in a sane way.
The issue has been made public by Bernd Melchers who initially found
this bug: http://mx.gw.com/pipermail/file/2014/001327.html
Impact is two-layered. The bug itself has been introduced years ago
(pre oldstable). From jessie on, the default magic file as shipped in
the package contains a file magic rule that is exploitable for a
segmentation fault.
In other words:
jessie: Always affected and in full scale.
squeeze/wheezy: Segmentation fault when using non-standard magic
files that use "indirect" in a certain way. Still vulnerable for the
"computation time" and "overlong" issues mentioned above.
Upstream released 5.17 last night, fixing the bug for all
reproducers I have in my collection. Backporting the patch is not
trivial but hopefully feasible. I'll give that a try later today.
Christoph
--- End Message ---
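An added example, not part of the original report and not code from Debian, PHP or the file project: one way a caller can contain the "long computation time" and "overlong result" cases described in the report above, by running the classifier in a child process with a CPU limit, a wall-clock timeout and an output cap. The function names and the limit values are assumptions chosen for illustration.

```python
import resource
import subprocess
import threading

CPU_SECONDS = 2     # assumed budget, below the ~5 s case in the report
WALL_SECONDS = 5    # assumed wall-clock ceiling
MAX_OUTPUT = 4096   # assumed cap; the report mentions results of ~400k


def run_bounded(argv, cpu_seconds=CPU_SECONDS, wall_seconds=WALL_SECONDS,
                max_output=MAX_OUTPUT):
    """Run a classifier command; return ("ok", text) or ("rejected", reason)."""
    def limits():
        # Runs in the child before exec: the kernel stops it once the CPU
        # budget is spent, and a crash leaves no core file behind.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

    proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                            preexec_fn=limits)
    timer = threading.Timer(wall_seconds, proc.kill)
    timer.start()
    try:
        # Read one byte past the cap, so an overlong result is detected
        # without ever buffering all of it.
        data = proc.stdout.read(max_output + 1)
        overlong = len(data) > max_output
        if overlong:
            proc.kill()
        proc.stdout.close()
        status = proc.wait()
    finally:
        timer.cancel()
    if overlong:
        return ("rejected", "output exceeds cap")
    if status < 0:  # negative: ended by a signal (CPU limit, timeout, SIGSEGV)
        return ("rejected", "killed by signal %d" % -status)
    if status != 0:
        return ("rejected", "exit status %d" % status)
    return ("ok", data.decode("utf-8", "replace").strip())


def file_type(path):
    # file(1) in brief mode; "--" stops option parsing for odd file names.
    return run_bounded(["file", "--brief", "--", path])
```

Because the classifier runs in its own process, a segmentation fault from the recursion bug also comes back as a "rejected" result instead of taking down the calling service.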
--- Begin Message ---
Source: php5
Source-Version: 5.4.4-14+deb7u8
We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 739...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated php5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 17 Feb 2014 10:07:18 +0100
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi
php5-cli php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl
php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap
php5-mcrypt php5-mysql php5-mysqlnd php5-odbc php5-pgsql php5-pspell
php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source all amd64
Version: 5.4.4-14+deb7u8
Distribution: wheezy-security
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-ma...@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
php-pear - PEAR - PHP Extension and Application Repository
php5 - server-side, HTML-embedded scripting language (metapackage)
php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dbg - Debug symbols for PHP5
php5-dev - Files for PHP5 module development
php5-enchant - Enchant module for php5
php5-fpm - server-side, HTML-embedded scripting language (FPM-CGI binary)
php5-gd - GD module for php5
php5-gmp - GMP module for php5
php5-imap - IMAP module for php5
php5-interbase - interbase/firebird module for php5
php5-intl - internationalisation module for php5
php5-ldap - LDAP module for php5
php5-mcrypt - MCrypt module for php5
php5-mysql - MySQL module for php5
php5-mysqlnd - MySQL module for php5 (Native Driver)
php5-odbc - ODBC module for php5
php5-pgsql - PostgreSQL module for php5
php5-pspell - pspell module for php5
php5-recode - recode module for php5
php5-snmp - SNMP module for php5
php5-sqlite - SQLite module for php5
php5-sybase - Sybase / MS SQL Server module for php5
php5-tidy - tidy module for php5
php5-xmlrpc - XML-RPC module for php5
php5-xsl - XSL module for php5
Closes: 739012
Changes:
php5 (5.4.4-14+deb7u8) wheezy-security; urgency=low
.
* [CVE-2014-1943]: Fix segmentation fault in libmagic (Closes: #739012)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlMDX9IACgkQ9OZqfMIN8nM47gCfX4t1vP+IkjM+J5cZPDG+Le+z
Y8UAniVm/Wxc+0/tLHrunjNw01cRfPz2
=ezzm
-----END PGP SIGNATURE-----
--- End Message ---