5.6.9, 5.5.25, or 5.4.41 fix Two Memory Corruption Vulnerabilities
*** Bug 549798 has been marked as a duplicate of this bug. ***
Can we please get the fixed versions to portage?
(In reply to Tomas Mozes from comment #2)
> Can we please get the fixed versions to portage?

Are they not?

@security, btw, feel free to stabilise
(In reply to Ole Markus With from comment #3)
> (In reply to Tomas Mozes from comment #2)
> > Can we please get the fixed versions to portage?
>
> Are they not?
>
> @security, btw, feel free to stabilise

I don't see them in portage, nor by looking at:
https://packages.gentoo.org/package/dev-lang/php

Am I missing something? :)
(In reply to Tomas Mozes from comment #4)
> (In reply to Ole Markus With from comment #3)
> > (In reply to Tomas Mozes from comment #2)
> > > Can we please get the fixed versions to portage?
> >
> > Are they not?
> >
> > @security, btw, feel free to stabilise
>
> I don't see them in portage, nor by looking at:
> https://packages.gentoo.org/package/dev-lang/php
>
> Am I missing something? :)

Seems like I forgot to do something rather important ... My bad.

They should be there shortly.
(In reply to Ole Markus With from comment #5)
> Seems like I forgot to do something rather important ... My bad.
>
> They should be there shortly.

Thanks!
Arches, please test and mark stable:
=dev-lang/php-5.4.41
=dev-lang/php-5.5.25
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
Stable for PPC64.
Arches, please test & mark stable:
=dev-lang/php-5.5.25-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

This is to address a libvpx related compile-time failure, as described in bug #547310.
arm stable
Readding arm for the new 5.5.25-r1 target.
List of Vulnerabilities:
Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)
Stabilization for 5.6.9, which has these vulnerabilities as well, is part of Bug 550164.
ia64 stable
sparc stable
Both CVE-2015-3329 and CVE-2015-2783 were also fixed as part of the 5.6.9 stabilisation. From http://php.net/ChangeLog-5.php:
----
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
----
CVE-2015-4026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4026):
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVE-2015-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4025):
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVE-2015-4022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4022):
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow.

CVE-2015-4021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4021):
The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive.
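An application-side counterpart to the NUL-byte truncation described for CVE-2015-4025 and CVE-2015-4026 above, written as an added example (not code from this bug report or from PHP itself): a string-level extension allow-list sees the whole PHP string, while the underlying C path handling stops at the first NUL, so the guard must reject embedded NUL bytes before any filesystem call. Function names and sample paths are constructed.

```php
<?php
// Added example, hypothetical helper names. Targets PHP 5.4+ syntax.

function check_extension_only($path, array $allowed)
{
    // Naive check: inspects the extension as PHP's string functions see
    // it, i.e. whatever follows the LAST dot of the whole string.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

function validate_user_path($path, array $allowed)
{
    // 1. Reject any embedded NUL: a C string ends there, so the part of
    //    the string that the allow-list inspected never reaches the
    //    filesystem call being guarded (the CVE-2015-4025/4026 pattern).
    if (strpos($path, "\0") !== false) {
        return false;
    }
    // 2. Reject absolute paths and parent-directory traversal.
    if ($path === '' || $path[0] === '/' || strpos($path, '..') !== false) {
        return false;
    }
    // 3. Only then apply the extension allow-list.
    return check_extension_only($path, $allowed);
}

$allowed = array('txt', 'log');

// Constructed sample inputs; the first carries a NUL between two suffixes.
$samples = array(
    "report.php\0.txt",   // naive check sees "txt", C sees "report.php"
    "notes.txt",          // legitimate input
    "../etc/passwd.txt",  // right extension, wrong directory
);

foreach ($samples as $s) {
    printf("%-22s naive=%-6s hardened=%s\n",
        addcslashes($s, "\0"),
        check_extension_only($s, $allowed) ? 'ok' : 'reject',
        validate_user_path($s, $allowed) ? 'ok' : 'reject');
}
```

Running it shows the first and third samples passing the naive check and failing the hardened one; in a real application the hardened validator should be the only path by which user input reaches tempnam, rmdir, readlink, set_include_path or pcntl_exec.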
ppc stable
alpha stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Vulnerable Versions are: 5.4.{39,40}, 5.5.{22,23,24,25}

Added to an existing GLSA Request.
Maintainer(s), Thank you for the cleanup.
This issue was resolved and addressed in GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10 by GLSA coordinator Kristian Fiskerstrand (K_F).