Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 421489 (CVE-2012-2386) - <dev-lang/php-5.3.14: integer overflow in phar, des crypt vulnerability (CVE-2012-{2143,2386,3450})
Summary: <dev-lang/php-5.3.14: integer overflow in phar, des crypt vulnerability (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2012-2386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/44335
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-16 21:13 UTC by Hanno Böck
Modified: 2012-09-24 00:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2012-06-16 21:13:33 UTC 
Latest php releases fixed two security issues.

Updates are already in the tree, but it seems no security bug is open and no stabilization is going on. php-team, can we stabilize 5.3.14?
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-06-16 23:15:41 UTC 
Thanks, Hanno.

@php, ok to stabilize 5.3.14?
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2012-06-17 06:46:12 UTC 
Please go ahead
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-06-19 02:57:54 UTC 
Arches, please test and mark stable:
=dev-lang/php-5.3.14
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-06-19 07:24:52 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-06-19 17:34:12 UTC 
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-19 23:03:10 UTC 
Stable for HPPA.
Comment 7 Markus Meier gentoo-dev 2012-06-21 04:46:26 UTC 
arm stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-06-23 17:18:31 UTC 
alpha/ia64/s390/sh/sparc stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-07-03 17:26:25 UTC 
ppc done
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 21:21:43 UTC 
CVE-2012-2386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2386):
  Integer overflow in the phar_parse_tarfile function in tar.c in the phar
  extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via a crafted tar file that triggers a heap-based
  buffer overflow.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-07 01:05:58 UTC 
ppc64 will continue in bug 427354
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 01:07:37 UTC 
CVE-2012-3450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3450):
  pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before
  5.4.4 does not properly determine the end of the query string during parsing
  of prepared statements, which allows remote attackers to cause a denial of
  service (out-of-bounds read and application crash) via a crafted parameter
  value.
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-16 21:24:58 UTC 
Thanks, everyone.

Adding to existing GLSA request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:51 UTC 
This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).