It was discovered that the fix for CVE-2014-8142 (use after free vulnerability in unserialize(), see bug 1175718) was incomplete.
Upstream bug: https://bugs.php.net/bug.php?id=68710
Upstream commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=b585a3aed7880a5fa5c18e2b838fc96f40e075bd
Fixed upstream in PHP 5.6.5, 5.5.21, and 5.4.37:
http://php.net/ChangeLog-5.php#5.6.5
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.4.37
When will the updated package for php-5.3.3 in RHEL6 be released?
As for CVE-2014-8142, PHP 5.3 is not affected by this vulnerability.
(this is not redhat system below) PHP 5.3.3 may not be affected, but my PHP 5.3.29 does crash:
[~/rpm/packages/php (PHP_5_3)⚡] ➔ gdb --args /usr/bin/php53 CVE-2015-0231.php
GNU gdb (GDB) 7.8.1-1 (PLD Linux)
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pld-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/php53...Reading symbols from /usr/lib/debug/usr/bin/php53.debug...done.
done.
(gdb) r
Starting program: /usr/bin/php53 CVE-2015-0231.php
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
PHP Warning: Cannot open '/usr/share/browscap/php_browscap.ini' for reading in Unknown on line 0
PHP 5.3.29 - php53-common-5.3.29-8.x86_64
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ca2644 in zend_get_class_entry (zobject=0x6ae558) at /usr/src/debug/php-5.3.29/Zend/zend_API.c:229
229 if (Z_OBJ_HT_P(zobject)->get_class_entry) {
(gdb) bt
#0 0x00007ffff7ca2644 in zend_get_class_entry (zobject=0x6ae558) at /usr/src/debug/php-5.3.29/Zend/zend_API.c:229
#1 0x00007ffff7b99732 in object_common2 (rval=0x7fffffff9f88, p=0x7fffffff9fa8, max=0x6a9b31 "", var_hash=0x7fffffff9fb0, elements=8) at /usr/src/debug/php-5.3.29/ext/standard/var_unserializer.c:374
#2 0x00007ffff7c3d678 in php_var_unserialize (rval=0x7fffffff9f88, p=0x7fffffff9fa8, max=0x6a9b31 "", var_hash=0x7fffffff9fb0) at /usr/src/debug/php-5.3.29/ext/standard/var_unserializer.c:684
#3 0x00007ffff7c2e886 in zif_unserialize (ht=<optimized out>, return_value=0x6ae558, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.3.29/ext/standard/var.c:936
#4 0x00007ffff7d2e60a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff07bd068) at /usr/src/debug/php-5.3.29/Zend/zend_vm_execute.h:322
#5 0x00007ffff7ce4e43 in execute (op_array=0x6a9990) at /usr/src/debug/php-5.3.29/Zend/zend_vm_execute.h:107
#6 0x00007ffff7ca1b37 in zend_execute_scripts (type=7005528, type@entry=8, retval=0x6ad078, retval@entry=0x0, file_count=6322960, file_count@entry=3) at /usr/src/debug/php-5.3.29/Zend/zend.c:1331
#7 0x00007ffff7c4f86b in php_execute_script (primary_file=0x7fffffffc540) at /usr/src/debug/php-5.3.29/main/main.c:2331
#8 0x0000000000404182 in main (argc=7005528, argv=0x6ad078) at /usr/src/debug/php-5.3.29/sapi/cli/php_cli.c:1193
(gdb)
If someone is interested, I found patches for 5.3.29 here:
https://webtatic.com/news/2015/01/latest-updates-php-5-3-29-4-security-release/
https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html
php-5.6.5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
php-5.5.21-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5 and 6 or the versions of php53 as shipped with Red Hat Enterprise Linux 5 as the original flaw (CVE-2014-8142) did not affect these versions.
I confirm that php 5.3.3 is not affected. None of the upstream reproducers cause a segfault (bug 68594, 68710).
The affected piece of code was added in 5.3.9 [1].
So this CVE probably affects php >= 5.3.9.
[1] https://github.com/php/php-src/commit/d3fdacb99fab186654bdf2f3adb17d9c628202f0
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html