918187 – (CVE-2013-1643) CVE-2013-1643 php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files

Bug 918187 (CVE-2013-1643) - CVE-2013-1643 php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files

Summary: CVE-2013-1643 php: Ability to read arbitrary files due use of external entiti...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-1643
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	958614 988714 1037490 1037491
Blocks:	918202 952520 974906
TreeView+	depends on / blocked

Reported:	2013-03-05 16:49 UTC by Jan Lieskovsky
Modified:	2021-02-17 07:58 UTC (History)
CC List:	7 users (show)
Fixed In Version:	php 5.3.23, php 5.4.13
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-12-11 10:35:52 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1307	normal	SHIPPED_LIVE	Moderate: php53 security, bug fix and enhancement update	2013-10-01 00:31:22 UTC
Red Hat Product Errata	RHSA-2013:1615	normal	SHIPPED_LIVE	Moderate: php security, bug fix, and enhancement update	2013-11-20 21:38:52 UTC
Red Hat Product Errata	RHSA-2013:1814	normal	SHIPPED_LIVE	Critical: php security update	2013-12-11 07:25:07 UTC

Description Jan Lieskovsky 2013-03-05 16:49:56 UTC

A security flaw was found in the way SOAP parser of PHP processed certain SOAP objects (due to allowed expansion of XML external entities during SOAP WSDL files parsing, it was previously possible to read arbitrary system files, accessible with the privileges of the PHP application). If a PHP application accepted untrusted SOAP object input remotely from clients, an attacker could use this flaw for unauthorized of read system files (accesible with the privileges of the PHP application).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
[2] https://bugs.gentoo.org/show_bug.cgi?id=459904
[3] http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/

Relevant upstream patch:
[4] http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36

Comment 3 Jan Lieskovsky 2013-03-06 11:17:16 UTC

PHP NEWS file entries:
[5] http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4
[6] http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3

Comment 5 Vincent Danen 2013-03-20 14:24:15 UTC

This issue was not correctly fixed in 5.4.12 or 5.3.22, so CVE-2013-1824 was assigned to the incorrect fix present in 5.4.12 and 5.3.22.  It was correctly fixed in 5.4.13 and 5.3.23.

Since we have not fixed this in our package yet, CVE-2013-1824 does not apply to us (we never provided the incorrect fix).  As Remi noted:


First fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=afe98b7829d50806559acac9b530acb8283c3bf4

Improved fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=188c196d4da60bdde9190d2fc532650d17f7af2d

Revert previous + real fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6

Fix ZTS:
http://git.php.net/?p=php-src.git;a=commitdiff;h=fcd4b5335a6df4e0676ee32e2267ca71d70fe623

Comment 11 Fedora Update System 2013-04-03 04:36:56 UTC

php-5.4.13-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-04-03 04:40:26 UTC

php-5.4.13-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2013-09-30 22:13:36 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html

Comment 17 Huzaifa S. Sidhpurwala 2013-10-03 10:59:29 UTC

Statement:

(none)

Comment 18 errata-xmlrpc 2013-11-21 11:17:29 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html

Comment 21 errata-xmlrpc 2013-12-11 02:26:06 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1814 https://rhn.redhat.com/errata/RHSA-2013-1814.html

Note You need to log in before you can comment on or make changes to this bug.