Upstream pecl-http 3.0.1 fixes a buffer overflow, see: https://pecl.php.net/package-changelog.php?package=pecl_http&release=3.0.1 http://seclists.org/oss-sec/2016/q2/619 https://bugs.php.net/bug.php?id=71719
dev-php/pecl-http-3.0.1 (in slot 7) and dev-php/pecl-http-2.5.6 (in slot 2) were added to the tree. It is unclear if the pecl-http-1.x (slot 0) is affected since that code base was abandoned and newer versions are basically a rewrite. The Proof of Concept file is gone from the PHP security bug so I am unable to test it.
Just noticed the proof of concent file was put as a test in the new version. I cannot get dev-php/pecl-http-1.7.6-r3 to segfault with 5.5 and the provided file and adjusted script. gdb runs clean in my limited testing.
@ Brian: OK. Thanks for testing. And now that PHP 5.5 is EOL and doesn't get sec fixes anymore it wouldn't really matter. @ Arches, please test and mark stable: =dev-php/pecl-http-2.5.6 Stable target(s): amd64 x86
As a reminder to arches, two dependencies must be stabled together with dev-php/pecl-http-2.5.6 Target keywords and packages: =dev-php/pecl-raphf-1.1.2 amd64 x86 =dev-php/pecl-propro-1.0.2 amd64 x86 =dev-php/pecl-http-2.5.6 amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The 1.x versions of pecl-http were slated for removal anyway, so I've cleaned them up, even if they aren't in fact vulnerable (comment #2).
This issue was resolved and addressed in GLSA 201612-17 at https://security.gentoo.org/glsa/201612-17 by GLSA coordinator Aaron Bauman (b-man).
