666256 – (CVE-2018-17082) <dev-lang/php-{5.6.38,7.0.32,7.1.22,7.2.10}: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request (CVE-2018-17082)

Bug 666256 (CVE-2018-17082) - <dev-lang/php-{5.6.38,7.0.32,7.1.22,7.2.10}: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request (CVE-2018-17082)

Summary: <dev-lang/php-{5.6.38,7.0.32,7.1.22,7.2.10}: Cross-site scripting (XSS) flaw ...

Status:	RESOLVED FIXED

Alias:	CVE-2018-17082

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+ cve]
Keywords:

Duplicates (1):	666264 (view as bug list)
Depends on:
Blocks:

Reported:	2018-09-15 03:45 UTC by Brian Evans (RETIRED)
Modified:	2018-12-02 15:45 UTC (History)
CC List:	3 users (show)

See Also:	https://bugs.php.net/bug.php?id=76582
Package list:	dev-lang/php-5.6.38 dev-lang/php-7.0.32 dev-lang/php-7.1.22 dev-lang/php-7.2.10 dev-libs/libzip-1.3.0 arm
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brian Evans (RETIRED) gentoo-dev

2018-09-15 03:45:34 UTC

Versions prior to those listed, are vulnerable to an XSS attack simply by sending a request to an Apache server to process a PHP script.

CVE pending.

Arches, please test and mark stable.

Comment 1 Stabilization helper bot gentoo-dev

2018-09-15 04:08:29 UTC

An automated check of this bug failed - repoman reported dependency errors (500 lines truncated): 

> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']

Comment 2 Tomáš Mózes 2018-09-15 09:59:44 UTC

*** Bug 666264 has been marked as a duplicate of this bug. ***

Comment 3 Mart Raudsepp gentoo-dev

2018-09-15 10:07:12 UTC

arm64 does not have any stable PHP; please look who you CC :)

Comment 4 Mikle Kolyada (RETIRED) archtester

2018-09-15 10:20:42 UTC

amd64 stable

Comment 5 Stabilization helper bot gentoo-dev

2018-09-15 11:07:16 UTC

An automated check of this bug failed - repoman reported dependency errors (404 lines truncated): 

> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']

Comment 6 Stabilization helper bot gentoo-dev

2018-09-15 12:07:47 UTC

An automated check of this bug succeeded - the previous repoman errors are now resolved.

Comment 7 Leho Kraav (:macmaN @lkraav) 2018-09-15 17:03:59 UTC

I think `virtual/httpd-php-7.2` needs to also be bumped stable with this?

Comment 8 Rolf Eike Beer archtester

2018-09-16 07:31:57 UTC

sparc done.

Comment 9 Brandon Holbrook 2018-09-17 16:51:37 UTC

Agree with comment #7

If we are using this bug to stabilize PHP-7.2, we should also remove "php_targets_php7-2" from profiles/base/use.stable.mask

Comment 10 Brian Evans (RETIRED) gentoo-dev

2018-09-17 17:50:26 UTC

(In reply to Brandon Holbrook from comment #9)
> Agree with comment #7
> 
> If we are using this bug to stabilize PHP-7.2, we should also remove
> "php_targets_php7-2" from profiles/base/use.stable.mask

This will be done at the appropriate time.  It's a bunch of extra work do that part one arch at a time instead of everyone together.

Comment 11 Matt Turner gentoo-dev

2018-09-18 19:16:25 UTC

ppc/ppc64 stable

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2018-09-18 22:33:09 UTC

ia64 stable

Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev

2018-09-18 23:10:21 UTC

hppa has no stable php keywords

Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev

2018-09-19 17:37:02 UTC

x86 stable

Comment 15 Markus Meier gentoo-dev

2018-09-24 18:17:19 UTC

arm stable

Comment 16 Tobias Klausmann (RETIRED) gentoo-dev

2018-10-11 14:30:10 UTC

Stable on alpha.

Comment 17 Larry the Git Cow gentoo-dev

2018-10-11 14:41:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9b41d63fc172ef8fa87fb99b6a283926f82cf80

commit c9b41d63fc172ef8fa87fb99b6a283926f82cf80
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-10-11 14:38:47 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-10-11 14:41:39 +0000

    dev-lang/php: Drop security vulnerable versions
    
    Bug: https://bugs.gentoo.org/666256
    Bug: https://bugs.gentoo.org/668000
    Signed-off-by: Brian Evans <grknight@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-lang/php/Manifest          |   3 -
 dev-lang/php/php-5.6.36.ebuild | 777 -----------------------------------------
 dev-lang/php/php-7.0.30.ebuild | 751 ---------------------------------------
 dev-lang/php/php-7.1.18.ebuild | 731 --------------------------------------
 4 files changed, 2262 deletions(-)

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2018-12-02 15:45:54 UTC

This issue was resolved and addressed in
 GLSA 201812-01 at https://security.gentoo.org/glsa/201812-01
by GLSA coordinator Aaron Bauman (b-man).