Stay Secure with the Latest Linux Advisories

security advisoryFedoracode execution

Fedora: 2019-a8121923d5 critical: php-brumann unserialize Security

## php-typo3-phar-stream-wrapper2 ### v2.1.2 Handling mime-type & Windows paths #### Resolved Issues - \#34: Normalize resolved Windows path to Unix-style - \#42: Avoid analysing non-phar files on alias resolving - \#40: Add Windows tests using AppVeyor - \#33: Add alternative mime-type resolving (without ext- fileinfo) ### v2.1.1 Phar Alias Handling & Performance Releases v3.1.1 and. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-a8121923d5 2019-06-27 00:54:08.536484 --------------------------------------------------------------------------------Name : php-brumann-polyfill-unserialize Product : Fedora 30 Version : 1.0.3 Release : 1.fc30 URL : https://github.com/dbrumann/polyfill-unserialize Summary : Backports unserialize options introduced in PHP 7.0 Description : Backports unserialize options introduced in PHP 7.0 to older PHP versions. This was originally designed as a Proof of Concept for Symfony Issue [#21090](https://github.com/symfony/symfony/pull/21090). You can use this package in projects that rely on PHP versions older than PHP 7.0. In case you are using PHP 7.0+ the original unserialize() will be used instead. From the [documentation](https://www.php.net/manual/en/function.unserialize.php): > Warning: Do not pass untrusted user input to unserialize(). Unserialization > can result in code being loaded and executed due to object instantiation and > autoloading, and a malicious user may be able to exploit this. This warning holds true even when `allowed_classes` is used. Autoloader: /usr/share/php/Brumann/Polyfill/autoload.php --------------------------------------------------------------------------------Update Information: ## php-typo3-phar-stream-wrapper2 ### v2.1.2 Handling mime-type & Windows paths #### Resolved Issues - \#34: Normalize resolved Windows path to Unix-style -\#42: Avoid analysing non-phar files on alias resolving - \#40: AddWindows tests using AppVeyor - \#33: Add alternative mime-type resolving (without ext-fileinfo) ### v2.1.1 Phar Alias Handling & Performance Releases v3.1.1 and v.2.1.1 aim to overcome drawbacks in Phar's alias resolving from Phar stub as well as solving performance aspects. ### v2.1.0 Phar Alias Handling #### Description Releases v3.1.0 and v.2.1.0 aim to overcome drawbacks in Phar's alias resolving (either by Phar archives using `Phar::setAlias()` in meta-data or `Phar::mapPhar()` in stub code). Merged pull-requests - Phar alias resolving (v3: #10, #12, v2: #14, #15) - Phar alias handling and (v3: #16, #17, v2: #20) #### Migration In case custom Assertable interceptors have been used, path resolving has to be adjusted in order to make use of alias resolving features. ##### before - example in v3.0.1 $baseFile Helper::determineBaseFile($path); ##### after - example in v3.1.0 $invocation = Manager::instance()-> resolve($path); $baseName $invocation-> getBaseName(); // previously called $baseFile #### Open Issues There have been reports about flaws using `stream_select()` and according `stream_cast()` in `PharStreamWrapper`. Since it was not possible to reproduce the behavior in an isolated scenario and specific platform requiresments were not clear, these aspects have not been covered by these releses - see #8 and #19 for details. #### Features - added low-level `Phar\Reader` for stub & meta-data (incl. alias) and their model representations - added `Resolver\PharInvocationResolver` in order to resolve/handle alias names - added `Interceptor\ConjunctionInterceptor` for combining multiple interceptors - added `Interceptor\PharMetaDataInterceptor` for actually testing against insecure deserialization in meta-data of Phar archives ## php-brumann-polyfill-unserialize Backports unserialize options introduced in PHP 7.0 to older PHP versions. This was originally designed as a Proof of Concept for Symfony Issue [#21090](https://github.com/symfony/symfony/pull/21090). Youcan use this package in projects that rely on PHP versions older than PHP 7.0. In case you are using PHP 7.0+ the original unserialize() will be used instead. From the [documentation](https://www.php.net/manual/en/function.unserialize.php): > Warning: Do not pass untrusted user input to unserialize(). Unserialization > can result in code being loaded and executed due to object instantiation and > autoloading, and a malicious user may be able to exploit this. This warning holds true even when `allowed_classes` is used. --------------------------------------------------------------------------------References: [ 1 ] Bug #1708649 - CVE-2019-11831 phar-stream-wrapper: TYP03 does not prevent directory traversal resulting in bypass of deserialization of protection mechanism https://bugzilla.redhat.com/show_bug.cgi?id=1708649 [ 2 ] Bug #1708646 - CVE-2019-11830 phar-stream-wrapper: mishandling of phar stub parsing leads to bypass a deserialization of protection mechanism https://bugzilla.redhat.com/show_bug.cgi?id=1708646 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-a8121923d5' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ . The latest update to Fedora's php-brumann-polyfill-unserialize includes crucial corrections for unserialize processing and vulnerabilities.. php Update, Fedora Security, serialization Issues, PHP Handling. . Severity: Critical. LinuxSecurity.com Team

Jun 26, 2019 •Critical Fedora