Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 555830

Summary: <dev-lang/php-{5.4.43,5.5.27,5.6.11}: BACKRONYM / mysql tls stripping and other vulns (CVE-2015-3152)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: hydrapolic, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2015-07-24 22:25:32 UTC
The latest batch of PHP releases (5.4.43, 5.5.27, 5.6.11) all fix security vulns. CVE-2015-3152 affects all of them (also known as BACKRONYM, TLS stripping for mysql connections, which was originally found in libmysql, but affects PHP's mysqlnd in the same way).

The 5.6.11 release notes mention 5 security fixes, from the changelog these look like security:
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
Fixed bug #69864 (Segfault in preg_replace_callback).

5.5.43 and 5.5.27 also fix CVE-2015-{5589,5590}, these are not in 5.6, they are already tracked in #555576.

All fixed versions are already in the tree, can we proceed with stabilization?
Comment 1 Michael Orlitzky gentoo-dev 2015-11-19 01:37:27 UTC
The new versions are all stable and the old ones have been removed.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-20 04:03:06 UTC
All packages in the tree have fixes for this vulnerability.  Please advise on GLSA.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-24 12:39:49 UTC
Added to GLSA cc9dae4d6.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 00:27:19 UTC
This issue was resolved and addressed in
 GLSA 201606-10 at
by GLSA coordinator Kristian Fiskerstrand (K_F).