Bug 643564 - <dev-lang/php-{5.6.33,7.0.27,7.1.13}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: 639072
Reported: 2018-01-05 15:39 UTC by Brian Evans (RETIRED)
Modified: 2018-02-06 22:13 UTC

See Also:
Package list:
dev-lang/php-5.6.33 dev-lang/php-7.0.27 dev-lang/php-7.1.13
Runtime testing required: No
stable-bot: sanity-check+


Description Brian Evans (RETIRED) gentoo-dev 2018-01-05 15:39:15 UTC
PHP versions before 5.6.33 in the 5.6 series, 7.0.27 in the 7.0 series, 7.1.13 in the 7.1 series and 7.2.1 in the 7.2 series have 2 Denial of Service bugs.

04 Jan 2018
GD:
Fixed bug https://bugs.php.net/bug.php?id=75571 (Potential infinite loop in gdImageCreateFromGifCtx).
Phar:
Fixed bug https://bugs.php.net/bug.php?id=74782 (Reflected XSS in .phar 404 page).

Arches please test and mark stable the noted versions
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-06 05:28:10 UTC
x86 stable
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-06 11:42:38 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 3 Agostino Sarubbo gentoo-dev 2018-01-06 17:54:25 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-06 21:35:36 UTC
ppc/ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-07 11:37:01 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-10 22:33:52 UTC
ia64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-20 18:49:14 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2018-02-05 21:22:51 UTC
arm stable, all arches done.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-02-06 01:48:26 UTC
@php, please clean the vulnerable versions.
Comment 10 Larry the Git Cow gentoo-dev 2018-02-06 13:53:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcfe61770cdb79778b192326d7dec09a4c7ee4ec

commit bcfe61770cdb79778b192326d7dec09a4c7ee4ec
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-02-06 13:52:42 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-02-06 13:52:42 +0000

    dev-lang/php: Drop old vulnerable versions
    
    Bug: https://bugs.gentoo.org/643564
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-lang/php/Manifest          |   2 -
 dev-lang/php/php-5.6.32.ebuild | 771 -----------------------------------------
 dev-lang/php/php-7.0.25.ebuild | 739 ---------------------------------------
 3 files changed, 1512 deletions(-)}
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-02-06 22:13:53 UTC
(In reply to Larry the Git Cow from comment #10)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcfe61770cdb79778b192326d7dec09a4c7ee4ec
> 
> commit bcfe61770cdb79778b192326d7dec09a4c7ee4ec
> Author:     Brian Evans <grknight@gentoo.org>
> AuthorDate: 2018-02-06 13:52:42 +0000
> Commit:     Brian Evans <grknight@gentoo.org>
> CommitDate: 2018-02-06 13:52:42 +0000
> 
>     dev-lang/php: Drop old vulnerable versions
>     
>     Bug: https://bugs.gentoo.org/643564
>     Package-Manager: Portage-2.3.24, Repoman-2.3.6
> 
>  dev-lang/php/Manifest          |   2 -
>  dev-lang/php/php-5.6.32.ebuild | 771 -----------------------------------------
>  dev-lang/php/php-7.0.25.ebuild | 739 ---------------------------------------
>  3 files changed, 1512 deletions(-)}

Thank you, Brian!

GLSA Vote: No