Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 912331 (CVE-2023-3823, CVE-2023-3824) - <dev-lang/php-{8.0.30,8.1.23,8.2.9}: multiple vulnerabilities
Summary: <dev-lang/php-{8.0.30,8.1.23,8.2.9}: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-3823, CVE-2023-3824
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.php.net/ChangeLog-8.php#8...
Whiteboard: C2 [glsa?]
Keywords:
Depends on: 912332 921178
Blocks:
  Show dependency tree
 
Reported: 2023-08-15 23:54 UTC by Michael Orlitzky
Modified: 2024-02-12 02:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2023-08-15 23:54:21 UTC 
Libxml:
  Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity
  loading in XML without enabling it). (CVE-2023-3823)

Phar:
  Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in
  phar_dir_read()). (CVE-2023-3824)
Comment 1 Larry the Git Cow gentoo-dev 2023-08-16 00:01:02 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78205d9878dfc9826ce1d7046d2f7c2b3dd5d073

commit 78205d9878dfc9826ce1d7046d2f7c2b3dd5d073
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-08-15 23:51:49 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-08-15 23:55:23 +0000

    dev-lang/php: add 8.0.30
    
    Fixes CVE-2023-3823 and CVE-2023-3824.
    
    Bug: https://bugs.gentoo.org/912331
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-8.0.30.ebuild | 757 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 758 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-08 18:55:59 UTC 
Also fixed in 8.1.22, 8.2.9. First fixed 8.1 in Gentoo was 8.1.23.