Is there any reason why PHP security bug #69699 was not backported to php5.5?

Asked by Mauro Faccenda on 2016-03-30

Hi,

I had my systems scanned for PCI compliance and they found that the PHP version I am using (5.5.9+dfsg-1ubuntu4.14) on my Ubuntu 14.04 (Trusty) systems is susceptible to an issue identified by CVE-2015-3152.

Digging a little, I've found that it was fixed in https://bugs.php.net/bug.php?id=69669. As I know that the package maintainers usually backport security fixes to the version distributed by the distribution, I was trying to find some artifact that would show that it is already fixed, and I couldn't find one. So I went to check the package code to see if the fix was there and, to my surprise, it isn't.

So, I've figured out that the issue would only affect the php5-mysqlnd package, which is not even installed. And I hope they accept this as a reason to discard the issue on my systems.

However, I am still curious why this fix wasn't backported and that's why I am asking this here.

It would be nice to have the package changelog showing that the issue is fixed on the package as well.

Anyway, thanks in advance.

Question information

Language: English
Status: Answered
For: Ubuntu php5
Assignee: No assignee
Last query: 2016-03-30
Last reply: 2016-03-31

actionparsnip (actionparsnip) said : #1

I suggest you report a bug. Mark it as a security bug.

Manfred Hampl (m-hampl) said : #2

See https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3152.html for the current status of patching the packages

I do not see any reference to php, but only to MySQL and other databases. So I am wondering how a PCI compliance scanner would list php as vulnerable.

Mauro Faccenda (faccenda) said : #3

@actionparsnip, yeah. I was willing to do that; however, as it is a security issue ~8 months old, I was wondering if there might be any reason it was not patched. I think I'll file the bug anyway and let people figure that out there.

@m-hampl, it seems that the Ubuntu folks didn't relate the vulnerability to PHP in addition to MySQL. The bug affects PHP as well, as you can see in the fix the PHP devs released: https://bugs.php.net/bug.php?id=69669

The PCI scanner is dumb: it is based only on the PHP version (5.5.9) I am running and listed the vulnerabilities not fixed in it. So yeah, if you have a package installed that is managed by the distribution, there are always tons of false positives, as it doesn't consider the backported fixes.

I thought this was the same case. I am glad I was more careful and took some time to check if that issue was patched, and figured out it was not.

Thanks for the input guys. =)
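The check the thread describes by hand (does the distribution package's changelog name the CVE at or before the installed version, rather than trusting a version-string-only scanner) can be scripted. The following is an added example, not code from this thread or from Ubuntu; it parses Debian changelog entries, and the changelog text, versions, maintainer and CVE ids in it are constructed placeholders, not the real php5 changelog.

```python
import re

# Constructed sample in Debian changelog format (newest entry first). The
# versions, maintainer and CVE ids are placeholders, not the real php5 history.
SAMPLE_CHANGELOG = """\
php5 (5.5.9+dfsg-1ubuntu4.14) trusty-security; urgency=medium

  * SECURITY UPDATE: placeholder entry
    - CVE-2015-0002

 -- Example Maintainer <maint@example.com>  Tue, 01 Mar 2016 10:00:00 +0000

php5 (5.5.9+dfsg-1ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: placeholder entry
    - CVE-2015-0001

 -- Example Maintainer <maint@example.com>  Mon, 01 Feb 2016 10:00:00 +0000

php5 (5.5.9+dfsg-1ubuntu4.12) trusty; urgency=medium

  * Non-security placeholder entry

 -- Example Maintainer <maint@example.com>  Fri, 01 Jan 2016 10:00:00 +0000
"""

# Entry header: "<source> (<version>) <distribution>; urgency=<level>" at line start.
# The trailing signature lines start with a space, so they never match.
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(version, {cve, ...}), ...] in changelog order (newest first)."""
    entries = []
    headers = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        entries.append((m.group(2), set(CVE_RE.findall(body))))
    return entries


def fixed_in(entries, cve):
    """Versions whose entry mentions cve, newest first (empty list if none)."""
    return [version for version, cves in entries if cve in cves]


def is_fixed(entries, installed, cve):
    """True if the installed version is at or after the oldest entry naming cve.

    Relies on changelog order instead of reimplementing dpkg's version
    comparison; raises if the installed version is not in the changelog at all
    (then the changelog and the installed package do not match).
    """
    versions = [version for version, _ in entries]
    if installed not in versions:
        raise ValueError(f"installed version {installed} not found in changelog")
    installed_idx = versions.index(installed)
    fix_idxs = [i for i, (_, cves) in enumerate(entries) if cve in cves]
    if not fix_idxs:
        return False  # CVE never mentioned: no evidence of a backport
    # Newest first, so the oldest mention has the largest index; it must not
    # be newer than the installed entry.
    return max(fix_idxs) >= installed_idx


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    installed = "5.5.9+dfsg-1ubuntu4.14"
    for cve in ("CVE-2015-3152", "CVE-2015-0001"):
        print(cve, "fixed in", installed, "->", is_fixed(entries, installed, cve))
```

On a real Trusty host the inputs would come from `apt-get changelog php5` (or the installed copy under /usr/share/doc/<package>/changelog.Debian.gz) and `dpkg-query -W -f='${Version}' <package>`. A CVE that never appears in the changelog, as the asker found for CVE-2015-3152, is exactly the case where a version-based scanner finding cannot be dismissed as a backport false positive without also checking the source, and the affected component (here php5-mysqlnd) still has to be confirmed absent with `dpkg -l` before the finding is discarded.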

Manfred Hampl (m-hampl) said : #4

Sorry, I apparently overlooked the mysqlnd routine inside php.

I agree with actionparsnip that this is worth creating a bug report.
