649368 – (CVE-2018-7584) <dev-lang/php-{5.6.34,7.0.28,7.1.15}: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response (CVE-2018-7584)

Bug 649368 (CVE-2018-7584) - <dev-lang/php-{5.6.34,7.0.28,7.1.15}: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response (CVE-2018-7584)

Summary: <dev-lang/php-{5.6.34,7.0.28,7.1.15}: Stack-based buffer under-read in ext/st...

Status:	RESOLVED FIXED

Alias:	CVE-2018-7584

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugs.php.net/bug.php?id=75981
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	652420
Blocks:
	Show dependency tree

Reported:	2018-03-02 16:08 UTC by GLSAMaker/CVETool Bot
Modified:	2018-05-26 14:25 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2018-03-02 16:08:35 UTC

CVE-2018-7584 (https://nvd.nist.gov/vuln/detail/CVE-2018-7584):
  In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x
  through 7.2.2, there is a stack-based buffer under-read while parsing an
  HTTP response in the php_stream_url_wrap_http_ex function in
  ext/standard/http_fopen_wrapper.c. This subsequently results in copying a
  large string.

Comment 1 Brian Evans (RETIRED) gentoo-dev

2018-03-15 16:37:47 UTC

Ebuilds added.

Arches, please test and mark stable.

Side note: PHP 5.6.x and 7.0.x will be EOL by the end of 2018.  Only security fixes from this point forward for both.  First security issue beyond that will be cause for removal.

Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-15 22:01:23 UTC

ia64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2018-03-16 17:57:20 UTC

amd64 stable

Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-17 12:35:00 UTC

commit a84f4e81164388f51b5efd080797bf39d0349b11
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Mar 16 22:10:26 2018 +0100

    dev-lang/php: stable 7.1.15 for sparc, bug #649368

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2018-03-18 00:44:56 UTC

x86 stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-30 17:40:07 UTC

commit 3a90cba9679a1af769488df6116ed0748a2ea011
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Fri Mar 30 11:06:25 2018 +0200

    dev-lang/php: Stable for HPPA too.

Comment 7 Tobias Klausmann (RETIRED) gentoo-dev

2018-03-31 17:53:46 UTC

Stable on alpha.

Comment 8 Tobias Klausmann (RETIRED) gentoo-dev

2018-03-31 22:03:09 UTC

Stable on alpha.

Comment 9 Markus Meier gentoo-dev

2018-04-08 10:54:06 UTC

arm stable, all arches done.

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2018-05-26 14:25:38 UTC

GLSA Vote: No

Cleanup will happen in bug #652420