Summary: | dev-lang/php: integer overflow (CVE-2015-1353) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED UPSTREAM | | |
Severity: | major | CC: | php-bugs |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2015/01/20/8 | | |
Whiteboard: | A2 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-01-24 20:06:37 UTC
@Maintainers: Any information on this? From what I can see the fix is currently not applied to http://git.php.net/?p=php-src.git;a=blob;f=ext/calendar/gregor.c;h=069fe6eb5ae7160dfae0fd62d9bdf28987953cd7;hb=HEAD . Is it something we should backport?

Is anyone aware of an upstream bug report for this issue?

I am not aware of anything related to that issue.

Still not committed. There is a pull request here: https://github.com/php/php-src/pull/1008

I don't think this is worth backporting. Is anyone doing access control based on the output of a Gregorian/Julian calendar conversion function after the user supplies the year input? It's a stretch. I suggest we get the fix whenever upstream adopts it.

"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it cannot be considered a security issue in the originally named product because of that product's specification. Notes: none."

Withdrawn upstream.