For PHP 5.6, the Gentoo PHP team has backported the patches from 7.1:

PHP 5.6.40-r1, 7.1.27, 7.2.16, 7.3.3:

Core:
  . Fixed bug #77630 (rename() across the device may allow unwanted access during processing). CVE-2019-9637

EXIF:
  . Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). CVE-2019-9641
  . Fixed bug #77540 (Invalid Read on exif_process_SOFn). CVE-2019-9640
  . Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). CVE-2019-9638
  . Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). CVE-2019-9639

PHAR:
  . Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). No CVE
  . Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). No CVE

SPL:
  . Fixed bug #77431 (openFile() silently truncates after a null byte). No CVE
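An added helper for checking whether an installed dev-lang/php carries this batch of fixes; it is not part of the bug, the Gentoo PHP team's tooling or PHP itself. The thresholds are the versions named in the comment above: 5.6.40-r1 (the Gentoo revision carrying the backport), 7.1.27, 7.2.16 and 7.3.3. It reads Portage version strings such as "5.6.40-r1" or "7.2.15", i.e. the output of `qlist -Iv dev-lang/php` (portage-utils, assumed installed) with the category/name stripped, and falls back to two constructed sample versions when qlist is absent.

```python
import re
import shutil
import subprocess

# Fixed versions named in the comment, keyed by branch: (patch, Gentoo revision).
# Upstream 5.6 is EOL; Gentoo ships the backport as revision -r1 of 5.6.40, so
# the plain 5.6.40 ebuild is still vulnerable.
FIXED = {
    (5, 6): (40, 1),
    (7, 1): (27, 0),
    (7, 2): (16, 0),
    (7, 3): (3, 0),
}

# Portage version grammar as far as dev-lang/php uses it:
# MAJOR.MINOR.PATCH[_alpha|_beta|_pre|_rc|_p[N]][-rN].  Anything else is rejected.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$"
)


def parse_version(ver):
    """Return a sortable (major, minor, patch, stage, rev) tuple.

    stage is -1 for pre-release suffixes (_alpha/_beta/_pre/_rc), 0 for a
    plain release and 1 for a _p patch level, matching Portage ordering.
    Raises ValueError for strings outside the grammar above.
    """
    m = _VERSION_RE.match(ver)
    if m is None:
        raise ValueError(f"unrecognised Portage version: {ver!r}")
    major, minor, patch, suffix, _, rev = m.groups()
    stage = 0 if suffix is None else (1 if suffix == "p" else -1)
    return int(major), int(minor), int(patch), stage, int(rev or 0)


def status(ver):
    """'fixed', 'vulnerable', or 'unknown' for a branch the bug does not list."""
    major, minor, patch, stage, rev = parse_version(ver)
    fix = FIXED.get((major, minor))
    if fix is None:
        return "unknown"
    fix_patch, fix_rev = fix
    # A later release's _rc still contains the fix; an _rc of the fixed
    # release itself does not.
    return "fixed" if (patch, stage, rev) >= (fix_patch, 0, fix_rev) else "vulnerable"


def installed_versions():
    """Installed dev-lang/php versions via `qlist -Iv` (portage-utils, assumed
    present); returns [] when qlist is not available."""
    if shutil.which("qlist") is None:
        return []
    out = subprocess.run(["qlist", "-Iv", "dev-lang/php"],
                         capture_output=True, text=True, check=False).stdout
    prefix = "dev-lang/php-"
    return [line.strip()[len(prefix):] for line in out.splitlines()
            if line.strip().startswith(prefix)]


if __name__ == "__main__":
    # Constructed fallback input for machines without qlist.
    versions = installed_versions() or ["7.2.15", "5.6.40-r1"]
    for v in versions:
        print(f"dev-lang/php-{v}: {status(v)}")
```

Note that `php -r 'echo PHP_VERSION;'` reports 5.6.40 for both the vulnerable 5.6.40 and the fixed 5.6.40-r1 ebuild, since the Gentoo revision is not part of PHP_VERSION; for the 5.6 branch only the Portage version tells you whether the backport is installed.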
Arches, please test and mark stable
amd64 stable
arm stable
sparc stable
ia64 stable
ppc stable
ppc64 stable
alpha stable
hppa stable
CVE ID: CVE-2019-9637
Summary: An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that the file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

CVE ID: CVE-2019-9641
Summary: An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.

CVE ID: CVE-2019-9640
Summary: An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.

CVE ID: CVE-2019-9638
Summary: An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.

CVE ID: CVE-2019-9639
Summary: An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.
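An added illustration of the bug class behind CVE-2019-9637; this is not PHP's source and not from the bug. rename(2) fails with EXDEV when source and destination are on different filesystems, so an implementation falls back to copy-then-unlink. The naive fallback creates the copy with the default creation mode (0666 & ~umask, typically 0644) and only chmods it to the source's mode after the data is written, so a 0600 file is readable by every local user for the duration of the copy. The hardened fallback writes to a mkstemp() file (always 0600) in the destination directory, fixes the mode on the open fd, and os.replace()s it onto the destination, an atomic same-filesystem rename. The secret file contents are constructed sample data.

```python
import errno
import os
import shutil
import stat
import tempfile


def copy_then_unlink(src, dst, hardened, peek=None):
    """Emulate rename()'s EXDEV fallback: copy src to dst, then unlink src.

    hardened=False: dst is created as open(dst, O_CREAT, 0o666), i.e. with
    0o666 & ~umask, and gets the source's mode only once the data is written.
    hardened=True: data goes to a mkstemp() file (0o600) beside dst, the mode
    is set on the open fd, and the file is atomically replaced onto dst.
    peek, if given, receives the permission bits the destination carries
    while the copy is in flight: what a concurrent local reader would see.
    """
    want = stat.S_IMODE(os.stat(src).st_mode)
    if hardened:
        out_fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst) or ".")
    else:
        out_fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        tmp = dst
    try:
        with os.fdopen(out_fd, "wb") as fout, open(src, "rb") as fin:
            if peek is not None:
                peek(stat.S_IMODE(os.fstat(fout.fileno()).st_mode))
            shutil.copyfileobj(fin, fout)
            os.fchmod(fout.fileno(), want)  # fchmod is not subject to umask
        if hardened:
            os.replace(tmp, dst)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    os.unlink(src)


def move_file(src, dst, hardened=True):
    """rename(2) first; fall back to the copy only across filesystems (EXDEV)."""
    try:
        os.rename(src, dst)
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
        copy_then_unlink(src, dst, hardened)


def demo(hardened, umask=0o022):
    """Run one variant on a constructed 0o600 secret in a fresh temp dir.

    Returns (mode_during_copy, final_mode, content_and_unlink_ok).  The umask
    is set explicitly: 0o022 is the usual default, and a 0o077 umask would
    hide the naive variant's exposure by accident.
    """
    secret = b"db_password=constructed-sample\n"  # constructed, not real data
    seen = []
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            src, dst = os.path.join(d, "src"), os.path.join(d, "dst")
            fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as f:
                f.write(secret)
            copy_then_unlink(src, dst, hardened, peek=seen.append)
            with open(dst, "rb") as f:
                ok = f.read() == secret and not os.path.exists(src)
            final = stat.S_IMODE(os.stat(dst).st_mode)
    finally:
        os.umask(old)
    return seen[0], final, ok


if __name__ == "__main__":
    for hardened in (False, True):
        during, final, ok = demo(hardened)
        label = "hardened" if hardened else "naive"
        print(f"{label:8s} dst mode during copy {during:04o}, after {final:04o}, ok={ok}")
```

Under a 0022 umask the naive variant leaves the copy at 0644 until the final chmod, while the mkstemp() variant never exposes more than 0600; the third assertion below shows why a 0077 umask merely masks the naive bug rather than fixing it. mkstemp() also refuses to follow a symlink planted at the destination name, and the final rename replaces whatever is at dst instead of writing through it. Upstream's fix for bug #77630 took a different route, narrowing the umask around the copy; the approach here achieves the same without touching process-wide state.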
x86 stable
@maintainers, please drop vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07ec5a4c06ae6ea67f7fc450550ed142ca5c3869

commit 07ec5a4c06ae6ea67f7fc450550ed142ca5c3869
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-28 00:01:54 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-28 00:02:09 +0000

    dev-lang/php: security cleanup

    Bug: https://bugs.gentoo.org/681074
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest          |   6 -
 dev-lang/php/php-5.6.40.ebuild | 785 -
 dev-lang/php/php-7.1.26.ebuild | 736 -
 dev-lang/php/php-7.2.14.ebuild | 748 -
 dev-lang/php/php-7.2.15.ebuild | 748 -
 dev-lang/php/php-7.3.1.ebuild  | 748 -
 dev-lang/php/php-7.3.2.ebuild  | 749 -
 7 files changed, 4520 deletions(-)
tree is clean