Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 649368 (CVE-2018-7584) - <dev-lang/php-{5.6.34,7.0.28,7.1.15}: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response (CVE-2018-7584)
Summary: <dev-lang/php-{5.6.34,7.0.28,7.1.15}: Stack-based buffer under-read in ext/st...
Status: RESOLVED FIXED
Alias: CVE-2018-7584
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=75981
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 652420
Blocks:
  Show dependency tree
 
Reported: 2018-03-02 16:08 UTC by GLSAMaker/CVETool Bot
Modified: 2018-05-26 14:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-02 16:08:35 UTC 
CVE-2018-7584 (https://nvd.nist.gov/vuln/detail/CVE-2018-7584):
  In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x
  through 7.2.2, there is a stack-based buffer under-read while parsing an
  HTTP response in the php_stream_url_wrap_http_ex function in
  ext/standard/http_fopen_wrapper.c. This subsequently results in copying a
  large string.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2018-03-15 16:37:47 UTC 
Ebuilds added.

Arches, please test and mark stable.

Side note: PHP 5.6.x and 7.0.x will be EOL by the end of 2018.  Only security fixes from this point forward for both.  First security issue beyond that will be cause for removal.
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-15 22:01:23 UTC 
ia64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2018-03-16 17:57:20 UTC 
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-17 12:35:00 UTC 
commit a84f4e81164388f51b5efd080797bf39d0349b11
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Mar 16 22:10:26 2018 +0100

    dev-lang/php: stable 7.1.15 for sparc, bug #649368
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-18 00:44:56 UTC 
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-30 17:40:07 UTC 
commit 3a90cba9679a1af769488df6116ed0748a2ea011
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Fri Mar 30 11:06:25 2018 +0200

    dev-lang/php: Stable for HPPA too.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-31 17:53:46 UTC 
Stable on alpha.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-31 22:03:09 UTC 
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2018-04-08 10:54:06 UTC 
arm stable, all arches done.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-05-26 14:25:38 UTC 
GLSA Vote: No

Cleanup will happen in bug #652420