Bugzilla – Bug 807707
VUL-1: php5: CVE-2013-1635 CVE-2013-1643 SOAP security issues
Last modified: 2018-10-19 18:09:24 UTC
Hi. There is a security bug in package 'php5'. This information is from 'Debian'. This bug is public. There is no coordinated release date (CRD) set. More information can be found here: http://www.debian.org/security/

CVE number: CVE-2013-1635
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE number: CVE-2013-1643
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
CVSS v2 Base Score: 2.6 (low) (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Original posting: CVE-2013-1643 SOAP security issues

-------- Original Message --------
Subject: [Full-disclosure] [SECURITY] [DSA 2639-1] php5 security update
Resent-Date: Tue, 5 Mar 2013 17:23:09 +0000 (UTC)
Resent-From: list@bendel.debian.org (Mailing List Manager)
Date: Tue, 5 Mar 2013 18:22:41 +0100 (CET)
From: Thijs Kinkhorst <thijs@debian.org>
Reply-To: full-disclosure@lists.grok.org.uk
To: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-2639-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
March 05, 2013                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1635 CVE-2013-1643
Debian Bug     : 702221

Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2013-1635
    If a PHP application accepted untrusted SOAP object input remotely from clients, an attacker could read system files readable for the webserver.

CVE-2013-1643
    The soap.wsdl_cache_dir function did not take PHP open_basedir restrictions into account. Note that Debian advises against relying on open_basedir restrictions for security.
For the stable distribution (squeeze), these problems have been fixed in version 5.3.3-7+squeeze15. For the testing distribution (wheezy), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 5.4.4-14. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org
bugbot adjusting priority
Name: CVE-2013-1635 {Novell Bug: 807707}
ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=918196
Reference: CONFIRM: http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74

======================================================

Name: CVE-2013-1643 {Novell Bug: 807707}
The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=918187
Reference: CONFIRM: http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36
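Added example, not code from this bug, from Debian or from the php-src fix commits linked above: a constructed WSDL carrying an external entity of the kind CVE-2013-1643 describes, a pre-check (inspect_wsdl) an application can run on untrusted WSDL before handing it to SoapClient, and a user-space audit (cache_dir_within_open_basedir, audit_soap_cache_config) of the soap.wsdl_cache_dir / open_basedir relationship behind CVE-2013-1635. The function names, both sample documents and the ini values in the demonstration calls are made up for this example; the path handling assumes POSIX paths.

```php
<?php
// Added example (not from bug 807707, Debian or PHP's own fixes). Sample WSDL
// documents and the ini values used in the demonstration calls are constructed.
declare(strict_types=1);

// Constructed: a WSDL whose internal DTD subset declares an external entity and
// references it in the body, the shape CVE-2013-1643 describes.
const MALICIOUS_WSDL = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE definitions [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Evil">
  <documentation>&xxe;</documentation>
</definitions>
XML;

// Constructed: a benign WSDL with no DTD at all.
const BENIGN_WSDL = <<<'XML'
<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Hello"/>
XML;

/**
 * Inspect untrusted WSDL before it reaches SoapClient. A WSDL never needs a DTD,
 * so any DOCTYPE is rejected and its declared entities are listed for logging.
 * The inspection parse keeps entity substitution off (no LIBXML_NOENT), forbids
 * network access (LIBXML_NONET) and, on PHP < 8, turns off libxml's external
 * entity loader so that looking at the document does not itself read the file.
 */
function inspect_wsdl(string $wsdl): array
{
    if (stripos($wsdl, '<!DOCTYPE') === false) {
        return ['safe' => true, 'reason' => 'no DTD', 'entities' => []];
    }
    $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($wsdl, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }
    $entities = [];
    if ($ok && $dom->doctype !== null) {
        foreach ($dom->doctype->entities as $ent) {
            // DOMEntity::systemId is set only for external entities.
            $entities[$ent->nodeName] = $ent->systemId ?: '(internal)';
        }
    }
    return ['safe' => false, 'reason' => 'DTD present', 'entities' => $entities];
}

/**
 * User-space approximation of the relationship CVE-2013-1635 is about: does the
 * directory SOAP would write cached WSDL files to lie under one of the
 * open_basedir prefixes? The real check belongs in ext/soap; this one lets an
 * operator audit a configuration. Paths are canonicalised with realpath() when
 * they exist and '.'/'..' segments are resolved lexically otherwise, so a
 * cache dir such as /tmp/../etc/x cannot pass as being under /tmp.
 */
function cache_dir_within_open_basedir(string $cacheDir, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true; // no restriction configured, nothing to bypass
    }
    $normalise = static function (string $p): string {
        $real = realpath($p);
        $parts = [];
        foreach (explode('/', $real !== false ? $real : $p) as $seg) {
            if ($seg === '' || $seg === '.') {
                continue;
            }
            if ($seg === '..') {
                array_pop($parts);
                continue;
            }
            $parts[] = $seg;
        }
        return $parts === [] ? '/' : '/' . implode('/', $parts) . '/';
    };
    $cache = $normalise($cacheDir);
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $allowed) {
        if ($allowed === '') {
            continue;
        }
        $prefix = $normalise($allowed);
        if (strncmp($cache, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/** Audit the live settings of this PHP process (empty values if ext/soap is absent). */
function audit_soap_cache_config(): array
{
    $cacheDir = (string) ini_get('soap.wsdl_cache_dir');
    $basedir  = (string) ini_get('open_basedir');
    return [
        'cache_enabled' => (string) ini_get('soap.wsdl_cache_enabled') === '1',
        'cache_dir'     => $cacheDir,
        'open_basedir'  => $basedir,
        'cache_dir_ok'  => $cacheDir === '' || cache_dir_within_open_basedir($cacheDir, $basedir),
    ];
}

// Demonstration on the constructed inputs.
print_r(inspect_wsdl(MALICIOUS_WSDL));
print_r(inspect_wsdl(BENIGN_WSDL));
var_dump(cache_dir_within_open_basedir('/tmp/wsdl-cache', '/var/www:/tmp'));
var_dump(cache_dir_within_open_basedir('/tmp/../etc/wsdl', '/var/www:/tmp'));
print_r(audit_soap_cache_config());
```

On unpatched PHP the pre-check is defence in depth, not a fix: ext/soap parses the WSDL itself in soap_xmlParseFile/soap_xmlParseMemory, so the patched packages listed further down are what actually close the hole. Applications should also not take the WSDL location from client input at all, and can pass ['cache_wsdl' => WSDL_CACHE_NONE] to SoapClient where caching is not needed, which removes the cache-directory write from the picture entirely.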
From https://bugzilla.redhat.com/show_bug.cgi?id=918187 some more information and an incremental CVE ID:

Comment 5 Vincent Danen 2013-03-20 10:24:15 EDT
This issue was not correctly fixed in 5.4.12 or 5.3.22, so CVE-2013-1824 was assigned to the incorrect fix present in 5.4.12 and 5.3.22. It was correctly fixed in 5.4.13 and 5.3.22. Since we have not fixed this in our package yet, CVE-2013-1824 does not apply to us (we never provided the incorrect fix).

As Remi noted:
First fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=afe98b7829d50806559acac9b530acb8283c3bf4
Improved fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=188c196d4da60bdde9190d2fc532650d17f7af2d
Revert previous + real fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
Fix ZTS: http://git.php.net/?p=php-src.git;a=commitdiff;h=fcd4b5335a6df4e0676ee32e2267ca71d70fe623
Mike, which package does the L3:39030 customer need the PTF for, php5 (PHP 5.2) or php53 (PHP 5.3)? I haven't checked yet whether 5.2 is affected and whether the fixes apply.
Created attachment 538575 [details] using this one for CVE-2013-1635
Created attachment 538576 [details] using this one for CVE-2013-1643
11sp3 sr#26144
Should I do the update now?
Ping :-). I'll significantly decrease priority and severity in case it is still ordinary VUL-1.
Decreasing priority and severity to the state before L3.
Patches from comment 16 and comment 17 applied to 10sp3, 11, php53/11sp2, 12.2, and 12.3. php53/11sp3 already has these fixes (comment 18). See ibs/obs home:pgajdos:maintenance:php5*.
This is an autogenerated message for OBS integration: This bug (807707) was mentioned in https://build.opensuse.org/request/show/183542 Maintenance /
This is an autogenerated message for OBS integration: This bug (807707) was mentioned in https://build.opensuse.org/request/show/183662 Evergreen:11.2 / php5
openSUSE-SU-2013:1244-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 807707,828020,829207 CVE References: CVE-2013-1635,CVE-2013-1643,CVE-2013-4113,CVE-2013-4635 Sources used: openSUSE 12.3 (src): php5-5.3.17-3.4.1 openSUSE 12.2 (src): php5-5.3.15-1.16.1
openSUSE-SU-2013:1249-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 807707,828020,829207 CVE References: CVE-2013-1635,CVE-2013-1643,CVE-2013-4113,CVE-2013-4635 Sources used: openSUSE 11.4 (src): php5-5.3.5-355.1
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64) SLES4VMWARE 11-SP1-LTSS (i386, x86_64)
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: apache2-mod_php53, php53, php53-bcmath, php53-bz2, php53-calendar, php53-ctype, php53-curl, php53-dba, php53-debuginfo, php53-debugsource, php53-devel, php53-dom, php53-enchant, php53-exif, php53-fastcgi, php53-fileinfo, php53-fpm, php53-ftp, php53-gd, php53-gettext, php53-gmp, php53-iconv, php53-imap, php53-intl, php53-json, php53-ldap, php53-mbstring, php53-mcrypt, php53-mysql, php53-odbc, php53-openssl, php53-pcntl, php53-pdo, php53-pear, php53-pgsql, php53-phar, php53-posix, php53-pspell, php53-readline, php53-shmop, php53-snmp, php53-soap, php53-sockets, php53-sqlite, php53-suhosin, php53-sysvmsg, php53-sysvsem, php53-sysvshm, php53-tidy, php53-tokenizer, php53-wddx, php53-xmlreader, php53-xmlrpc, php53-xmlwriter, php53-xsl, php53-zip, php53-zlib Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib Products: SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64) SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
done