# Is FreeBSD 9.3 with latest php55 vulnerable to CVE-2014-9426 and CVE-2014-5459?



## elfreebsd (Feb 6, 2015)

Is FreeBSD 9.3 (fully updated with the last php55 version: 5.5.21) vulnerable to the following:
*PHP Vulnerability: CVE-2014-9426:*

** DISPUTED ** The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable.

*PHP Vulnerability: CVE-2014-5459:*

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.


----------



## kpa (Feb 6, 2015)

You can forget the FreeBSD version unless there is something specific in 9.3 that makes it more vulnerable to certain attacks compared to other versions of FreeBSD. The ports tree is the same for all supported versions of FreeBSD so the real question is if the PHP port is vulnerable to the mentioned CVEs.


----------



## rsantos (Feb 6, 2015)

According to _cvedetails_, the 5.5.21 release is not vulnerable.
Edit: cvedetails pages are not updated.

Reading the changelog, I would say so. They fixed some vulnerabilities but not these two.


----------



## elfreebsd (Feb 6, 2015)

Based on this commit for php5.6:
http://git.php.net/?p=php-src.git;a...;hpb=83e55478279f8bb366e5f5a482619c5e47731980

To fix the CVE-2014-9426 vulnerability, the committer just removed the `efree(mfn);` line from that part of the function. I looked at /libmagic/apprentice.c in the source of php5.5.21, and that part of the code does not include this `efree(mfn);` line.
And I checked previous versions, such as the first version of php55 (php-5.5.0), and that line is not there either.
Can I conclude that this vulnerability is not related to the php55 version?


----------



## rsantos (Feb 7, 2015)

Nice catch. I forgot to check their git repositories.
I think you're safe about that one. <:

Regarding CVE-2014-5459, the last commit on REST.php was 8 months ago, so I'd be surprised if it has been fixed.
I'm not an expert, but as a workaround you can switch to a different root-only directory (perhaps /var/tmp/pear?) if that's not already the case (I don't have PEAR installed).


----------
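
The workaround suggested in the last reply (a root-only cache directory instead of /tmp/pear/cache/) can be checked with a few permission tests. This is an added example, not part of any post in the thread; the function names are hypothetical and it assumes a POSIX sh with find(1).

```shell
#!/bin/sh
# Added example (not from the thread): check that a PEAR cache directory cannot
# be tampered with by other local users, the precondition for CVE-2014-5459.

# dir_is_private DIR UID: DIR is a real directory (not a symlink), owned by
# UID, with no group/other write permission.
dir_is_private() {
    p_dir=${1%/}                      # a trailing slash would follow a symlink
    [ -n "$p_dir" ] || return 1
    [ -L "$p_dir" ] && return 1
    [ -d "$p_dir" ] || return 1
    p_hit=$(find "$p_dir" -prune -type d -user "$2" \
            ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$p_hit" ]
}

# parent_is_safe DIR: nobody else may rename or replace DIR, i.e. its parent is
# either sticky (like /tmp and /var/tmp) or not group/other-writable.
parent_is_safe() {
    s_parent=$(dirname "${1%/}")
    s_hit=$(find -H "$s_parent" -prune -type d \
            \( -perm -1000 -o \( ! -perm -020 ! -perm -002 \) \) 2>/dev/null)
    [ -n "$s_hit" ]
}

# audit_cache_dir DIR UID: print a verdict; exit status 0 only when safe.
audit_cache_dir() {
    if ! dir_is_private "$1" "$2"; then
        echo "UNSAFE: $1 is missing, a symlink, not owned by uid $2, or group/world-writable"
        return 1
    fi
    if ! parent_is_safe "$1"; then
        echo "UNSAFE: parent of $1 is writable by others and not sticky"
        return 1
    fi
    echo "OK: $1"
}

# Typical use as root (pear config-get is the stock PEAR command):
#   audit_cache_dir "$(pear config-get cache_dir)" 0
```

A directory that another user created first under a sticky parent such as /tmp fails the ownership test, which is the case the symlink attack relies on.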

