The security related bug exists actually in libgd 2.1.1, but PHP implemented a workaround for it. Additionally, <PHP 7.0.6 is affected by CVE-2016-3078 .
@maintainers: Fixed in 5.5.35, 5.6.21, 7.0.6, please bump
I've tested 7.0.6 just by copying 7.0.5, builds and works fine.
Oh COME ON we were ONE DAY away from getting a 7.x version of PHP stabilized. I just pushed the new versions. Gitweb isn't responding, but I did, I promise: commit 48d953fc98d7d35e55cee779860407fa57b3cd9b Author: Michael Orlitzky <mjo@gentoo.org> Date: Wed May 4 08:26:50 2016 -0400 dev-lang/php: version bump all three series with security fixes. Gentoo-Bug: 581834 Package-Manager: portage-2.2.26
(In reply to Michael Orlitzky from comment #3) > Oh COME ON we were ONE DAY away from getting a 7.x version of PHP > stabilized. This situation is kind of tricky and keeps us in a magical ring. But, since we have vulnerable versions of 5.5 and 5.6 in the tree as well, cannot we just stabilize 7.0.5 and later 7.0.6?
(In reply to Tomáš Mózes from comment #4) > (In reply to Michael Orlitzky from comment #3) > > Oh COME ON we were ONE DAY away from getting a 7.x version of PHP > > stabilized. > > This situation is kind of tricky and keeps us in a magical ring. But, since > we have vulnerable versions of 5.5 and 5.6 in the tree as well, cannot we > just stabilize 7.0.5 and later 7.0.6? Those will be removed as soon as possible... Brian also pointed out that we need to think about what extensions to stabilize at the same time as php:7.0. I was thinking that we could stabilize dev-lang/php:7.0 and then do the extensions one-at-a-time, but it looks like that might cause some breakage in the meantime.
Arches, please test and mark stable: =dev-lang/php-5.5.35 =dev-lang/php-5.6.21 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
(In reply to Michael Orlitzky from comment #5) > I was thinking that we could stabilize dev-lang/php:7.0 and then do > the extensions one-at-a-time, but it looks like that might cause some > breakage in the meantime. What breakage do you mean? I also thought about stabilizing 7.0 and then the extensions.
Stable for PPC64.
Stable for HPPA.
arm stable
Stable on alpha.
CVE-2016-4544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4544): The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. CVE-2016-4543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4543): The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. CVE-2016-4542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4542): The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. CVE-2016-4541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4541): The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. CVE-2016-4540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4540): The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. CVE-2016-4539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4539): The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero. CVE-2016-4538 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4538): The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. CVE-2016-4537 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4537): The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. CVE-2016-3074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074): Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The vulnerable versions have been removed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94e4793bd629845d3fb829defc4e276aae5b210d
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201611-22 at https://security.gentoo.org/glsa/201611-22 by GLSA coordinator Aaron Bauman (b-man).
