Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710304 (CVE-2020-7061, CVE-2020-7062, CVE-2020-7063) - <dev-lang/php-{7.4.3,7.3.15,7.2.28}: multiple vulnerabilities (CVE-2020-{7061,7062,7063})
Summary: <dev-lang/php-{7.4.3,7.3.15,7.2.28}: multiple vulnerabilities (CVE-2020-{7061...
Status: RESOLVED FIXED
Alias: CVE-2020-7061, CVE-2020-7062, CVE-2020-7063
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-20 16:13 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-26 13:33 UTC (History)
3 users (show)

See Also:
Package list:
dev-lang/php-7.4.3-r1 dev-lang/php-7.3.15-r1 dev-lang/php-7.2.28-r1 virtual/httpd-php-7.4
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-20 16:13:35 UTC 
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-20 16:16:25 UTC 
CVE-2020-7061: heap-buffer-overflow in phar_extract_file

CVE-2020-7062: Null Pointer Dereference in PHP Session Upload Progress

CVE-2020-7063: Files added to tar with Phar::buildFromIterator have all-access permissions
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-02-23 12:16:08 UTC 
amd64 stable
Comment 3 Larry the Git Cow gentoo-dev 2020-02-23 22:49:48 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6bfa335a2777b3d09e8c3be3e4d1996e93dc694b

commit 6bfa335a2777b3d09e8c3be3e4d1996e93dc694b
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-02-23 22:49:38 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-02-23 22:49:38 +0000

    virtual/httpd-php: amd64 stable (bug #710304)
    
    Bug: https://bugs.gentoo.org/710304
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 virtual/httpd-php/httpd-php-7.4.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-24 11:29:03 UTC 
ia64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-24 11:32:22 UTC 
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-02-24 11:44:54 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-24 12:51:07 UTC 
x86 stable
Comment 8 Rolf Eike Beer archtester 2020-02-26 22:36:02 UTC 
sparc stable
Comment 9 Stabilization helper bot gentoo-dev 2020-03-01 17:01:49 UTC 
An automated check of this bug failed - the following atoms are unknown:

dev-lang/php-7.4.3
dev-lang/php-7.3.15
dev-lang/php-7.2.28

Please verify the atom list.
Comment 10 Rolf Eike Beer archtester 2020-03-02 18:28:47 UTC 
hppa stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-05 15:06:44 UTC 
arm stable
Comment 12 Mart Raudsepp gentoo-dev 2020-03-17 20:48:51 UTC 
arm64 stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 13:12:53 UTC 
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-03-26 13:33:16 UTC 
This issue was resolved and addressed in
 GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
by GLSA coordinator Thomas Deutschmann (whissi).