| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <dev-lang/php-{5.4.30,5.5.14}: insecure temporary file use in the configure script (CVE-2014-3981) | | |
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | php-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1104999 | | |
| Whiteboard: | A4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-06-05 08:53:48 UTC
This issue has been assigned CVE-2014-3981 [0]. An initial commit to attempt to fix this issue is found in [1] however note RedHat's comment regarding the quality of it in [2]. As far as I know this still not been included in any released version. References: [0] http://seclists.org/oss-sec/2014/q2/483 [1] http://git.php.net/?p=php-src.git;a=commitdiff;h=91bcadd [2] https://bugzilla.redhat.com/show_bug.cgi?id=1104978#c4 Ebuild for this one has been committed and can be stabilised Thanks Ole. This issue is reported as fixed in 5.4.30 and 5.5.14 now included in the tree Arches, please test and mark stable: =dev-lang/php-5.4.30 =dev-lang/php-5.5.14 Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86" Thank you! CVE-2014-3981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3981): acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file. amd64 stable Stable for HPPA. arm stable x86 stable alpha stable ppc stable ppc64 stable ia64 stable sparc stable. Maintainer(s), please cleanup. Security, please vote. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). Added to existing GLSA Request @maintainers: thanks for cleanup This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |