ubuntu lucid erroneously reports php 5.3.2 as most recent

Asked by Dan Pouliot on 2011-07-27

I recently built an Amazon EC2 server with a 10.04 AMI from Alestic:
ebs/ubuntu-images/ubuntu-lucid-10.04-i386-server-20110601

My server reports php 5.3.2 is installed and up-to-date.

However, I did a security scan of my site (veracitypci.com), here's the report:

PHP is prone to multiple memory corruption and buffer overflow security vulnerabilities.
PHP Versions Prior to 5.3.3/5.2.14 are affected
IMPACT: An attacker can exploit these issues to execute arbitrary code, gain access to sensitive information, and bypass security
restrictions. Other attacks are also possible.

SOLUTION: The vendor has released PHP Version 5.3.3 and 5.2.14 to address these issues.

How can I get an updated version of PHP via apt-get?

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu php5 Edit question
Assignee:
No assignee Edit question
Solved by:
Dan Pouliot
Solved:
2011-07-29
Last query:
2011-07-29
Last reply:
2011-07-28
Brad Crittenden (bac) said : #1

Hi Dan,

The latest release of PHP5 for 10.04 is described here:
https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.9

As you see, the latest is a variant of 5.3.2.

Until a later version of PHP5 is back ported to 10.04, it will not be available via apt-get.

I am moving your question to the Ubuntu project as it is more appropriate there.

Dan Pouliot (zg-webmaster) said : #2

Hi Brad,
thanks for helping me out, I'm new to launchpad so I appreciate your patience.

I'm glad to hear that nothing is wrong per se. It sounds like I just need to be patient and the update will come eventually.

mycae (mycae) said : #3

>I'm glad to hear that nothing is wrong per se. It sounds like I just need to be patient and the update >will come eventually.

No, not even that -- security fixes for core packages such as php are usually backported to earlier ubuntu package numbers. Rather than updating everything, just the security fixes are pulled out and applied to the earlier 5.3.2 series to create a 5.3.2-1ubuntuX version.

Here is the changelog.

+php5 (5.3.2-1ubuntu4.9) lucid-security; urgency=low
+
+ * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix
+ mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452)
+
+ -- Steve Beattie <email address hidden> Mon, 02 May 2011 09:21:53 -0700
+
+php5 (5.3.2-1ubuntu4.8) lucid-security; urgency=low
+
+ * SECURITY UPDATE: arbitrary files removal via cronjob
+ - debian/php5-common.php5.cron.d: take greater care when removing
+ session files.
+ - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
+ - CVE-2011-0441
+ * SECURITY UPDATE: symlink tmp races in pear install
+ - debian/patches/php5-pear-CVE-2011-1072.patch: improved
+ tempfile handling.
+ - debian/rules: apply patch manually after unpacking PEAR phar
+ archive.
+ - CVE-2011-1072
+ * SECURITY UPDATE: more symlink races in pear install
+ - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save
+ file handler.
+ - debian/rules: apply patch manually after unpacking PEAR phar
+ archive.
+ - CVE-2011-1144
+ * SECURITY UPDATE: pathname restriction bypass vulnerability
+ - debian/patches/php5-CVE-2006-7243.patch: check for passed
+ filenames containing NULL bytes.
+ - CVE-2006-7243
+ * SECURITY UPDATE: use-after-free vulnerability
+ - debian/patches/php5-CVE-2010-4697.patch: retain reference to
+ object until getter/setter are done.
+ - CVE-2010-4697
+ * SECURITY UPDATE: denial of service through application crash with
+ invalid images
+ - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing
+ steps are either 4 or 16.
+ - CVE-2010-4698
+ * SECURITY UPDATE: denial of service through application crash
+ - debian/patches/php5-CVE-2011-0420.patch: improve grapheme_extract()
+ argument validation.
+ - CVE-2011-0420
+ * SECURITY UPDATE: denial of service through application crash
+ - debian/patches/php5-CVE-2011-0421.patch: fail operation gracefully
+ when handling zero sized zipfile with the FL_UNCHANGED argument
+ - CVE-2011-0421
+ * SECURITY UPDATE: denial of service through application crash when
+ handling images with invalid exif tags
+ - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking
+ - CVE-2011-0708
+ * SECURITY UPDATE: denial of service and possible data disclosure
+ through integer overflow
+ - debian/patches/php5-CVE-2011-1092.patch: better boundary
+ condition checks in shmop_read()
+ - CVE-2011-1092
+ * SECURITY UPDATE: use-after-free vulnerability
+ - debian/patches/php5-CVE-2011-1148.patch: improve reference
+ counting
+ - CVE-2011-1148
+ * SECURITY UPDATE: format string vulnerability
+ - debian/patches/php5-CVE-2011-1153.patch: correctly quote format
+ strings
+ - CVE-2011-1153
+ * SECURITY UPDATE: denial of service through buffer overflow crash
+ (code execution mitigated by compilation with Fortify Source)
+ - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision
+ to ensure fitting within MAX_BUF_SIZE
+ - CVE-2011-1464
+ * SECURITY UPDATE: denial of service through application crash via
+ integer overflow.
+ - debian/patches/php5-CVE-2011-1466.patch: improve boundary
+ condition checking in SdnToJulian()
+ - CVE-2011-1466
+ * SECURITY UPDATE: denial of service through application crash
+ - debian/patches/php5-CVE-2011-1467.patch: check for invalid
+ attribute symbols in NumberFormatter::setSymbol()
+ - CVE-2011-1467
+ * SECURITY UPDATE: denial of service through memory leak
+ - debian/patches/php5-CVE-2011-1468.patch: fix memory leak of
+ openssl contexts
+ - CVE-2011-1468
+ * SECURITY UPDATE: denial of service through application crash
+ when using HTTP proxy with the FTP wrapper
+ - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling
+ - CVE-2011-1469
+ * SECURITY UPDATE: denial of service through application crash when
+ handling ziparchive streams
+ - debian/patches/php5-CVE-2011-1470.patch: set necessary elements of
+ the meta data structure
+ - CVE-2011-1470
+ * SECURITY UPDATE: denial of service through application crash when
+ handling malformed zip files
+ - debian/patches/php5-CVE-2011-1471.patch: correct integer
+ signedness error when handling zip_fread() return value.
+ - CVE-2011-1471
+
+ -- Steve Beattie <email address hidden> Thu, 21 Apr 2011 11:07:40 -0700
+
+php5 (5.3.2-1ubuntu4.7) lucid-security; urgency=low
+
+ * debian/patches/php5-CVE-2010-3436-regression.patch: update
+ main/fopen_wrappers.c to include fix for open_basedir restriction
+ regression (LP: #701896)
+
+ -- Steve Beattie <email address hidden> Wed, 12 Jan 2011 07:28:55 -0800
+
+php5 (5.3.2-1ubuntu4.6) lucid-security; urgency=low
+
+ * SECURITY UPDATE: open_basedir bypass
+ - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
+ php_check_specific_open_basedir()
+ - CVE-2010-3436
+ * SECURITY UPDATE: NULL pointer dereference crash
+ - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
+ getting zip comment
+ - CVE-2010-3709
+ * SECURITY UPDATE: memory consumption denial of service
+ - debian/patches/php5-CVE-2010-3710.patch: check for email address
+ longer than RFC 2821 allows
+ - CVE-2010-3710
+ * SECURITY UPDATE: xml decode bypass
+ - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
+ - CVE-2010-3870
+ * SECURITY UPDATE: integer overflow can cause an application crash
+ - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
+ NumberFormatter::getSymbol()
+ - CVE-2010-4409
+ * SECURITY UPDATE: infinite loop/denial of service when dealing with
+ certain textual forms of MAX_FLOAT (LP: #697181)
+ - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
+ as volatile to avoid x87 registers in zend_strtod()
+ - CVE-2010-4645
+
+ -- Steve Beattie <email address hidden> Fri, 07 Jan 2011 10:56:23 -0800
+
+php5 (5.3.2-1ubuntu4.5) lucid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible memory corruption via
+ negative size in HTTP chunked encoding stream
+ - debian/patches/CVE-2010-1866.patch: prevent chunk_size from
+ overflowing in ext/standard/filters.c.
+ - CVE-2010-1866
+ * SECURITY UPDATE: arbitrary code execution via empty SQL query
+ - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in
+ ext/sqlite/sqlite.c.
+ - CVE-2010-1868
+ * SECURITY UPDATE: denial of service via fnmatch stack consumption
+ - debian/patches/CVE-2010-1917.patch: limit size of pattern in
+ ext/standard/file.c.
+ - CVE-2010-1917
+ * SECURITY UPDATE: arbitrary memory disclosure and possible code
+ execution via phar extension
+ - debian/patches/CVE-2010-2094.patch: use correct format string in
+ ext/phar/dirstream.c, ext/phar/stream.c.
+ - CVE-2010-2094
+ - CVE-2010-2950
+ * SECURITY UPDATE: sensitive information disclosure or arbitrary code
+ execution via use-after-free in SplObjectStorage unserializer
+ - debian/patches/CVE-2010-2225.patch: fix logic in
+ ext/spl/spl_observer.c, ext/standard/{php_var.h,var_unserializer.*},
+ add tests to ext/spl/tests.
+ - CVE-2010-2225
+ * SECURITY UPDATE: sensitive information disclosure via error messages
+ - debian/patches/CVE-2010-2531.patch: don't display data when flushing
+ output buffer in ext/standard/{var.c,php_var.h}, fix tests in
+ ext/standard/tests/general_functions.
+ - CVE-2010-2531
+ * SECURITY UPDATE: arbitrary session variable modification via crafted
+ session variable name
+ - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in
+ ext/session/session.c.
+ - CVE-2010-3065
+ * debian/patches/lp564920-fix-big-files.patch: Fix downloading of large
+ files (LP: #564920)
+
+ -- Marc Deslauriers <email address hidden> Fri, 17 Sep 2010 08:14:26 -0400
+
+php5 (5.3.2-1ubuntu4.2) lucid-proposed; urgency=low
+
+ * debian/patches/session_save_path.patch: Save PHP sessions to
+ /var/lib/php rather than /tmp (LP: #573222)
+
+ -- Chuck Short <email address hidden> Mon, 10 May 2010 04:00:03 -0400
+
+php5 (5.3.2-1ubuntu4.1) lucid-proposed; urgency=low
+
+ * debian/patches/fix-mysql-badmem.patch: Fix mysql crash when using php5-cgi. (LP: #567043)
+
+ -- Chuck Short <email address hidden> Mon, 03 May 2010 11:23:43 -0400
+
+php5 (5.3.2-1ubuntu4) lucid; urgency=low
+
+ * debian/control, debian/rules: Re-enable libedit-dev. (LP: #548823)
+
+ -- Chuck Short <email address hidden> Mon, 05 Apr 2010 15:33:21 -0400
+
+php5 (5.3.2-1ubuntu3) lucid; urgency=low
+
+ * debian/control: Fix upgrade of php5-ldap from 5.3.1. (LP: #)
+
+ -- Chuck Short <email address hidden> Sun, 28 Mar 2010 15:41:34 -0400
+
+php5 (5.3.2-1ubuntu2) lucid; urgency=low
+
+ * debian/control: Dont build with libmcrypt-dev.
+
+ -- Chuck Short <email address hidden> Fri, 26 Mar 2010 14:39:36 -0400
+
+php5 (5.3.2-1ubuntu1) lucid; urgency=low
+
+ * Merge from debian unstable:
+ - debian/control:
+ * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
+ * Dropped libmysqlclient15-dev, build against mysql 5.1.
+ * Dropped libcurl-dev not in the archive.
+ * Suggest php5-suhosin rather than recommends.
+ * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in
+ universe.
+ * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1)
+ * Dropped locales-all.
+ - modulelist: Drop imap, interbase, and mcrypt.
+ - debian/rules:
+ * Dropped building of mcrypt, imap, and interbase.
+ * Install apport hook for php5.
+ - Dropped debian/patches/libedit_is_editline.patch.
+

Dan Pouliot (zg-webmaster) said : #4

ok, now you've got me confused. If the security fixes are in the current version, that doesn't solve my problem, since my security scanner insists my version has security flaws that can only be updated with a newer version. I apologize for my newbie confusion!

mycae (mycae) said : #5

>since my security scanner insists my version has security flaws that can only be updated with a
>newer version

What is the security scanner you are using? It may be wrong, it may be right. if it is simply parsing the version number, then it is probably wrong, because pphp is shipped as source code -- other people can take that php version and change it as they see fit.

The way that it works is that the php guys write some code, called php 5.3.2. This has bugs in it, but the php guys don't know at the time.

the php guys put a "tar.gz (zip)" file on their server somewhere and call it php-5.3.2.tar.gz, or what have you.

Later they identify certain changes to subsequent versions of php as "security fixes" ie, fixes which were bugs that could in theory be used maliciously (varying levels of malicious, from worst being remote root privilege escalation, to least bad being local user being able to crash/hang program).

Now, the php guys are busy writing 5.3.4, now they add a whole bunch of features that break programs that require php 5.3.2, so those programs need to be modified to work with the newer php.

Ubuntu can't afford to ship updates for every program that needs php, cause there is a lot of them. So what they do is simply take the source code (the .gz file), then modify the contents by taking the changes in php 5.3.4 (or whatever) that are security related and then inserting them into their own derivative version of php 5.3.2, which they call php-5.3.2-XubuntuY (its a bit more complex than this -- there are the debian guys too..., but whatever), where X and Y are debian and ubuntu revision numbers.

Without reading that changelog, and correlating the output from your security scanner to the changelog, you cannot say whether or not the particular issue is fixed. If your security scanner is worth its salt, it will list actual online compiled security fixes (so-called "CVE" numbers). If not, I consider the output from the scanner not really valid, and you can ignore it, as it is not actually doing anything beyond "5.3.2 < 5.3.4 therefore OH NOES SECURITAY ERRAS!".

Such behaviour ignores the subtleties of the software environment that you work in, and is counter-productive, as it is confusing because it is wrong on a very important topic.

It may be that your scanner is right, if and only if there are specific patches that the ubuntu people have not applied. If this is the case (it may be, but you need to study the CVEs vs. the ubuntu package changelog), then you can file a security bug which will get a high priority to be fixed. However, it would be good if you could be certain if you are correct.

Now

Dan Pouliot (zg-webmaster) said : #6

Our credit card merchant (veracitypci.com) Runs the scans; but it looks like the actual company running the scan is sysnet.I just double checked my account on their website, and it looks like they reran their skin, and they now say we are compliant. So I'm going to assume that this issue is resolved. Thank you very much for your detailed and timely responses, Now I better understand the software patching process and I also understand that I need to look for CVE numbers when reading the security report. Thanks!