Bugzilla – Bug 976996
VUL-0: CVE-2015-8866: php5,php53: libxml_disable_entity_loader() setting is shared between threads
Last modified: 2016-06-21 11:18:37 UTC
1- libxml_disable_entity_loader setting is shared between threads
https://bugs.php.net/bug.php?id=64938
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues.

Use CVE-2015-8866. Note that the related http://framework.zend.com/security/advisory/ZF2015-06 issue was already assigned CVE-2015-5161.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8866
http://seclists.org/oss-sec/2016/q2/138
http://bugs.gw.com/view.php?id=522#c1237
bugbot adjusting priority
Created attachment 674908 [details] test flow
Johannes, I am not sure I am understanding the issue correctly. See the test flow. It seems that the default value of the variable in question for the request still varies, and it should always be false, if I understand correctly. That is with 7.0.6, 5.6.20 and with 5.6.1 patched via the commit from comment 0.
Packages submitted.
This is an autogenerated message for OBS integration: This bug (976996) was mentioned in https://build.opensuse.org/request/show/391944 13.2 / php5
(In reply to Petr Gajdos from comment #2)
hm, that is strange. I would expect it to be true by default and not to vary. So I'm not sure if the patch really fixes the issue. https://bugs.php.net/bug.php?id=64938 mentions that the default is true (== do not load external entities, makes sense) since 5.4.13. But in the fix it enables it by default (also states it in the comment):
+ /* Enable the entity loader by default. This ensure that
+ * other threads/requests that might have disable the loader
+ * do not affect the current request.
+ */
+ LIBXML(entity_loader_disabled) = 0;
Can you please clarify with upstream what they really intend to do here? Either I don't get it or what they do here is wrong.
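Review bot: the reset `LIBXML(entity_loader_disabled) = 0;` only closes the cross-request leak if it actually executes at the start of every request on the SAPI named in the report (PHP-FPM); the fragment shows just the five added lines with no enclosing function or condition, so the hunk alone does not show whether the line sits in request-init code or inside the block guarded by the per-request-initialization check that the following comment says is skipped for "fpm-fcgi". The commit should make that placement visible, and the test flow attached here should be run against FPM rather than mod_php to confirm the reset is reached. Minor: the comment text "This ensure that other threads/requests that might have disable the loader" should read "This ensures that other threads/requests that might have disabled the loader".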
A mail sent to stas at php.
A few lines above, in PHP_MINIT_FUNCTION(), the _php_libxml_per_request_initialization variable is set depending on the sapi_module.name value, and it is set to zero if sapi_module.name is "fpm-fcgi". The patch adds the line into the condition whose body is executed when _php_libxml_per_request_initialization is not zero. Therefore I guess the code added by the patch is not called for fpm. But the original report is about fpm, so I am a bit confused. Tested with just 13.2/mod_php5 and I dare to say there is the expected difference BEFORE and AFTER the patch is applied, indeed.
This is an autogenerated message for OBS integration: This bug (976996) was mentioned in https://build.opensuse.org/request/show/393784 13.2 / php5
Stas Malyshev replied: " The default should be false, so if it's still leaking between threads, the bug should be reopened, if it's getting to true by some other means (not leaking between threads) then new bug should be opened. "
This is an autogenerated message for OBS integration: This bug (976996) was mentioned in https://build.opensuse.org/request/show/394633 13.2 / php5
My reply follows. It seems that I am not hitting the original problem ("setting is shared between threads"). In any case, I am not sure how to test that the original issue is fixed, therefore.
----------
Hello Stas,

thank you for your reply.

On Mon, May 09, 2016 at 01:37:14PM -0700, Stanislav Malyshev wrote:
> The default should be false, so if it's still leaking between threads,
> the bug should be reopened, if it's getting to true by some other means
> (not leaking between threads) then new bug should be opened.

As a beginner I hope this setting:

pm.max_children = 1
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1

leads to a single child and only this one is dealing with incoming requests. In that case the default value in the php script seems to consistently equal the value set by the previous run. It is false at the beginning (i. e. do not load external entities, if I understand correctly).

So should I file a new bug report?

Petr

$ http://localhost:60081/test.php?id=1
1 default: bool(false)
1 set disable: bool(true)
1 get disable: bool(true)
$ http://localhost:60081/test.php?id=1
1 default: bool(true)
1 set disable: bool(true)
1 get disable: bool(true)
$ http://localhost:60081/test.php?id=1
1 default: bool(true)
1 set disable: bool(true)
1 get disable: bool(true)
$ http://localhost:60081/test.php?id=2
2 default: bool(true)
2 set disable: bool(false)
2 get disable: bool(false)
$ http://localhost:60081/test.php?id=2
2 default: bool(false)
2 set disable: bool(false)
2 get disable: bool(false)
$ http://localhost:60081/test.php?id=2
2 default: bool(false)
2 set disable: bool(false)
2 get disable: bool(false)
$ http://localhost:60081/test.php?id=3
3 default: bool(false)
3 set disable: bool(true)
3 get disable: bool(true)
$ http://localhost:60081/test.php?id=3
3 default: bool(true)
3 set disable: bool(true)
3 get disable: bool(true)
$ http://localhost:60081/test.php?id=4
4 default: bool(true)
4 set disable: bool(false)
4 get disable: bool(false)
$ http://localhost:60081/test.php?id=5
5 default: bool(false)
5 set disable: bool(true)
5 get disable: bool(true)
$ http://localhost:60081/test.php?id=6
6 default: bool(true)
6 set disable: bool(false)
6 get disable: bool(false)
$ http://localhost:60081/test.php?id=7
7 default: bool(false)
7 set disable: bool(true)
7 get disable: bool(true)
$ http://localhost:60081/test.php?id=8
8 default: bool(true)
8 set disable: bool(false)
8 get disable: bool(false)
$ http://localhost:60081/test.php?id=9
9 default: bool(false)
9 set disable: bool(true)
9 get disable: bool(true)
$ http://localhost:60081/test.php?id=10
10 default: bool(true)
10 set disable: bool(false)
10 get disable: bool(false)
$ http://localhost:60081/test.php?id=10
10 default: bool(false)
10 set disable: bool(false)
10 get disable: bool(false)
----------
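The following is an added example, not the test.php from attachment 674908 and not PHP project code. It is a request-scoped probe that does what the test flow above does (read the loader state inherited at request start, then set it according to ?id) and additionally shows why the leak from the initial report matters: it parses a document with an external entity and reports whether the entity was resolved. The file name, the "odd id disables, even id enables" convention, the temporary secret file and the XML document are assumptions made for this example.

```php
<?php
// Added example (not the attachment from this bug, not PHP project code):
// a request-scoped probe for the libxml entity loader flag. The file name,
// the "odd id disables / even id enables" convention, the temporary secret
// and the XML document are assumptions made for this example.
//
// Serve it via PHP-FPM (pm.max_children = 1 keeps every request on one
// worker, as in the test above) or `php -S 127.0.0.1:8080`, then request
// ?id=1, ?id=1, ?id=2, ... and compare the first output line across requests.

$id      = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$disable = ($id % 2) === 1;              // odd id: disable loader; even id: enable it

// libxml_disable_entity_loader() returns the previous value, so a
// set-and-restore pair reads the state inherited at request start
// without changing it.
$inherited = libxml_disable_entity_loader(true);
libxml_disable_entity_loader($inherited);

// Constructed "secret" that the document below tries to pull in through
// an external entity; it stands in for /etc/passwd or an application config.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, 'SECRET');
$xml = '<?xml version="1.0"?>'
     . '<!DOCTYPE d [<!ENTITY ext SYSTEM "file://' . $secret . '">]>'
     . '<d>&ext;</d>';

// Set the flag for this request and leave it set on purpose: without a
// per-request reset, the next request on this worker inherits it.
libxml_disable_entity_loader($disable);

libxml_use_internal_errors(true);         // keep libxml warnings out of the output
$dom = new DOMDocument();
$ok  = $dom->loadXML($xml, LIBXML_NOENT); // NOENT: substitute entities if the loader allows it
$got = $ok ? $dom->documentElement->textContent : '';
libxml_clear_errors();
unlink($secret);

header('Content-Type: text/plain');
printf("%d inherited disable: %s\n", $id, var_export($inherited, true));
printf("%d set disable: %s\n", $id, var_export($disable, true));
printf("%d get disable: %s\n", $id, var_export(libxml_disable_entity_loader($disable), true));
printf("%d external entity resolved: %s\n", $id, var_export($got === 'SECRET', true));
```

With the per-request reset from the upstream commit in effect, the "inherited disable" line should read bool(false) on every request; a value that tracks the previous request's "set disable" is the behaviour the output above shows. The last line is the one that matters for CVE-2015-8866: it prints true whenever the loader is enabled at parse time, whatever this request's own code assumed, so application code that parses untrusted XML should set the flag itself immediately before parsing rather than rely on a process-wide default. libxml_disable_entity_loader() is deprecated as of PHP 8.0; on such builds the probe still runs, but note that it is the LIBXML_NOENT flag passed to loadXML() that asks libxml to substitute entities at all.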
openSUSE-SU-2016:1274-1: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 976775,976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-3074,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
openSUSE 13.2 (src): php5-5.6.1-57.1
SUSE-SU-2016:1277-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-56.1
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-56.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-56.1
released
SUSE-SU-2016:1310-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 976996,976997,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4073
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-62.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-62.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-62.1
openSUSE-SU-2016:1373-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
openSUSE Leap 42.1 (src): php5-5.5.14-47.1
SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available.
Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE OpenStack Cloud 5 (src): php53-5.3.17-71.1
SUSE Manager Proxy 2.1 (src): php53-5.3.17-71.1
SUSE Manager 2.1 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-71.1
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.
Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1