Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 756775 - <dev-lang/php-{7.3.25,7.4.13}: Multiple vulnerabilities
Summary: <dev-lang/php-{7.3.25,7.4.13}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://www.php.net/ChangeLog-7.php#7...
Whiteboard: B3 [glsa+]
Keywords: CC-ARCHES, STABLEREQ
Depends on:
Blocks:
 
Reported: 2020-11-26 02:20 UTC by John Helmert III
Modified: 2020-12-23 20:21 UTC (History)
2 users (show)

See Also:
Package list:
dev-lang/php-7.3.25 dev-lang/php-7.4.13
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-26 02:20:54 UTC 
A number of security bugs appear to have been fixed in PHP 7.4.13:

Fixed bug #62474 (com_event_sink crashes on certain arguments).
Fixed bug #76618 (segfault on imap_reopen).
Fixed bug #80239 (imap_rfc822_write_address() leaks memory).
Fixed bug #80242 (imap_mail_compose() segfaults for multipart with rfc822).
Fixed bug #72413 (mysqlnd segfault (fetch_row second parameter typemismatch)).
Fixed bug #44618 (Fetching may rely on uninitialized data).
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-26 02:22:34 UTC 
Please bump.

Note - it appears Bugzilla interpreted the "bug #xxxxx" strings in my previous comment as references to bugs in our Bugzilla, but they are copied from the PHP changelog and refer to their bug tracker.

Thanks!
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-26 15:48:15 UTC 
Several of these fixed in 7.3.25:

Fixed bug #62474 (com_event_sink crashes on certain arguments).
Fixed bug #76618 (segfault on imap_reopen).
Fixed bug #80239 (imap_rfc822_write_address() leaks memory).
Fixed bug #80242 (imap_mail_compose() segfaults for multipart with rfc822).
Fixed bug #44618 (Fetching may rely on uninitialized data).
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-04 00:28:03 UTC 
x86 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-04 19:17:18 UTC 
ppc/ppc64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-06 23:20:59 UTC 
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-07 05:19:40 UTC 
arm done
Comment 7 Rolf Eike Beer archtester 2020-12-11 18:16:26 UTC 
sparc stable
Comment 8 Matt Turner gentoo-dev 2020-12-15 04:21:10 UTC 
dropped to ~hppa
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-15 10:34:13 UTC 
amd64 done

all arches done
Comment 10 Larry the Git Cow gentoo-dev 2020-12-16 18:48:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af490b398669857e7fcba0c408cd8050ac573931

commit af490b398669857e7fcba0c408cd8050ac573931
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-16 18:48:07 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-16 18:48:18 +0000

    dev-lang/php: security cleanup (bug #756775)
    
    Bug: https://bugs.gentoo.org/756775
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest          |   9 -
 dev-lang/php/php-7.2.33.ebuild | 759 ----------------------------------------
 dev-lang/php/php-7.3.21.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.3.22.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.3.23.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.3.24.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.4.10.ebuild | 750 ----------------------------------------
 dev-lang/php/php-7.4.11.ebuild | 750 ----------------------------------------
 dev-lang/php/php-7.4.12.ebuild | 750 ----------------------------------------
 dev-lang/php/php-7.4.9.ebuild  | 750 ----------------------------------------
 10 files changed, 6808 deletions(-)
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 00:40:50 UTC 
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:11 UTC 
This issue was resolved and addressed in
 GLSA 202012-16 at https://security.gentoo.org/glsa/202012-16
by GLSA coordinator Thomas Deutschmann (whissi).