Bug 629452 (CVE-2017-12932) - <dev-lang/php-{7.0.23, 7.1.9}: heap use-after-free when unserializing invalid array size
Summary: <dev-lang/php-{7.0.23, 7.1.9}: heap use-after-free when unserializing invalid array size
Status: RESOLVED FIXED
Alias: CVE-2017-12932
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=74103
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-31 14:16 UTC by Brian Evans (RETIRED)
Modified: 2017-09-24 19:03 UTC (History)

See Also:
Package list:
=dev-lang/php-7.0.23
Runtime testing required: Yes
stable-bot: sanity-check+


Description Brian Evans (RETIRED) gentoo-dev 2017-08-31 14:16:20 UTC
CVE-2017-12932:

ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
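A version-range check for the affected releases named in the CVE text above, added here as an example; it is not part of the Gentoo bug, the GLSA, or PHP's own tooling. It assumes a plain MAJOR.MINOR.PATCH version string (Gentoo -rN and _rcN style suffixes are stripped before comparison), classifies only the 7.0.x and 7.1.x ranges the advisory names, and reads the installed interpreter's version with `php -r 'echo PHP_VERSION;'`.

```sh
#!/bin/sh
# Added example (not from the Gentoo bug or the PHP project): classify a PHP
# version string against the ranges in the CVE-2017-12932 text:
#   affected: 7.0.0 .. 7.0.22 and 7.1.0 .. 7.1.8
#   fixed:    7.0.23 and 7.1.9
# Assumption: versions are "MAJOR.MINOR.PATCH", optionally followed by a
# Gentoo revision ("-r1") or pre-release tag ("_rc1"), which is dropped.

# Print the three numeric components of a version, space separated.
# Missing components default to 0, so "7.0" is treated as 7.0.0.
version_parts() {
    v=${1%%-*}          # drop "-r1" / "-RC1" style suffixes
    v=${v%%_*}          # drop Gentoo "_rc1" / "_p1" style suffixes
    IFS=. read -r maj min pat <<EOF
$v
EOF
    printf '%s %s %s\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# Return 0 (true) when VERSION falls inside an affected range, 1 otherwise.
# Branches other than 7.0 and 7.1 are reported as not affected because the
# advisory text names only those two.
php_affected_by_cve_2017_12932() {
    set -- $(version_parts "$1")
    maj=$1; min=$2; pat=$3
    [ "$maj" -eq 7 ] || return 1
    case $min in
        0) [ "$pat" -lt 23 ] ;;
        1) [ "$pat" -lt 9 ] ;;
        *) return 1 ;;
    esac
}

# Report on the interpreter found in PATH: exit 0 if affected, 1 if not,
# 2 if no php binary is installed.
check_installed_php() {
    if ! command -v php >/dev/null 2>&1; then
        echo "php not installed"
        return 2
    fi
    v=$(php -r 'echo PHP_VERSION;')
    if php_affected_by_cve_2017_12932 "$v"; then
        echo "php $v: AFFECTED by CVE-2017-12932, upgrade to >=7.0.23 or >=7.1.9"
        return 0
    fi
    echo "php $v: not affected by CVE-2017-12932"
    return 1
}

# Usage: run the check against whatever php is first in PATH.
check_installed_php || true
```

The check only classifies a version string; on a Gentoo host the package manager's record is the authoritative source (for example `portageq match / '<dev-lang/php-7.0.23'` lists installed atoms below the 7.0 fix, as the bug's package list expresses it). It also says nothing about whether untrusted input actually reaches unserialize(): this is memory corruption inside the parser rather than object injection, so unserialize()'s allowed_classes option does not mitigate it, and the only remedies are upgrading or keeping attacker-controlled bytes out of unserialize() entirely.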
Comment 1 Michael Orlitzky gentoo-dev 2017-08-31 18:53:59 UTC
I added php-7.0.23 to the tree, but I don't see a fixed release of the 7.1 series yet.
Comment 2 D'juan McDonald (domhnall) 2017-09-03 20:39:54 UTC
(In reply to Michael Orlitzky from comment #1)
> I don't see a fixed release of the 7.1 series yet.

This patch was posted:
https://github.com/php/php-src/commit/1a23ebc1fff59bf480ca92963b36eba5c1b904c4

Also see ${URL}: particularly, bug #74622.

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 3 Michael Orlitzky gentoo-dev 2017-09-03 21:34:54 UTC
Brian added the official php-7.1.9 and I just dropped php-7.1.8, so we're ready to stabilize php-7.0.23.
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-04 20:36:42 UTC
ia64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 07:23:02 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:13:47 UTC
sparc stable (thanks to Dakon)
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-09 19:03:08 UTC
ppc/ppc64 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-10 07:37:03 UTC
Stable on alpha.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-10 20:18:02 UTC
amd64 tested, ok
Comment 10 Markus Meier gentoo-dev 2017-09-18 04:29:39 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-09-20 09:59:50 UTC
amd64 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-23 14:16:54 UTC
x86 stable


@ Maintainers: Please clean up and drop <dev-lang/php-7.0.23!
Comment 13 Michael Orlitzky gentoo-dev 2017-09-24 11:11:59 UTC
The vulnerable versions are gone (thanks Brian).
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-24 14:34:51 UTC
GLSA Request filed.

Gentoo Security Padawan 
ChrisADR
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 19:03:31 UTC
This issue was resolved and addressed in
 GLSA 201709-21 at https://security.gentoo.org/glsa/201709-21
by GLSA coordinator Aaron Bauman (b-man).