
Bug 427354 (CVE-2012-2688)

Summary: <dev-lang/php-5.3.15 : Multiple vulnerabilities (CVE-2012-{2688,3365})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: php-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 427024

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-20 16:08:45 UTC
CVE-2012-3365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3365):
  The SQLite functionality in PHP before 5.3.15 allows remote attackers to
  bypass the open_basedir protection mechanism via unspecified vectors.

CVE-2012-2688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2688):
  Unspecified vulnerability in the _php_stream_scandir function in the stream
  implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown
  impact and remote attack vectors, related to an "overflow."
Comment 1 Agostino Sarubbo gentoo-dev 2012-07-20 16:37:14 UTC
@php, ok to stabilize 5.3.15?
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2012-07-20 18:03:13 UTC
Ack. Please go ahead.
Comment 3 Agostino Sarubbo gentoo-dev 2012-07-20 19:19:17 UTC
Arches, please test and mark stable:
=dev-lang/php-5.3.15
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-22 08:57:08 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-07-23 15:45:54 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2012-07-23 21:21:59 UTC
arm stable
Comment 7 Richard Freeman gentoo-dev 2012-07-24 16:26:01 UTC
amd64 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-07-28 18:18:30 UTC
alpha/ia64/s390/sh/sparc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-03 11:40:21 UTC
Since 5.4.4 is vulnerable too, ARM still needs to stabilise:
=dev-lang/php-5.4.5
Comment 10 Markus Meier gentoo-dev 2012-08-11 14:11:47 UTC
arm stable
Comment 11 Michael Weber (RETIRED) gentoo-dev 2012-08-22 12:33:33 UTC
ppc stable.
Comment 12 Anthony Basile gentoo-dev 2012-09-16 16:30:46 UTC
stable ppc64
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-16 21:22:55 UTC
Thanks, everyone.

I will add this to the PHP GLSA request and draft.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:55 UTC
This issue was resolved and addressed in
GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).