php5-common - Trusty - Failed PCI

Asked by garrett-g@outlook.com

I just had a PCI compliance test and failed due to currently installed Ubuntu packages. php5-common was one of them. The auditors identified the listed known exploits for PHP5 5.5.9. When will Ubuntu update their security patches? I want to maintain a single patch source (aptitude) and not have to compile php or apache (yes, several exploits were identified with the apache2 trusty updates).

PHP 5.5.9 exploits

CVE-2014-0207 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207)
 - The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
CVE-2014-3478 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478)
 - Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.
CVE-2014-3479 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479)
 - The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
CVE-2014-3480 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480)
 - The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVE-2014-3487 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487)
 - The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVE-2014-3515 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515)
 - The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
CVE-2014-3981 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981)
 - acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
CVE-2014-4049 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049)
 - Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.

Question information

Language: English
Status: Solved
For: Ubuntu php5
Assignee: No assignee
Solved by: garrett-g@outlook.com
Thomas Krüger (thkrueger) said :
#1

The auditor might not have had the insight into the Debian and Ubuntu patching process.
Which IMHO is not the best qualification for the job.
PHP in Ubuntu is patched without updating the version number.
For example you can see at https://launchpad.net/ubuntu/trusty/+source/php5/5.5.9+dfsg-1ubuntu4.3 that many of the bugs you listed have been patched about 8 weeks ago.

Manfred Hampl (m-hampl) said :
#2
garrett-g@outlook.com (garrett-g) said :
#3

Thanks to all that replied. Deloitte responded with an updated report that shows me passing PCI. The issue was that I set up the machines to not report the OS name but some ambiguous value, as that was recommended by another audit. This way any potential attacker would not know the OS or version to try specific exploits. But Deloitte's test counts on the OS name to determine upstream patching.

Thanks for all the very fast responses, great community of contributors. Another reason to stick with Ubuntu.