
Bug 578734

Summary: <dev-lang/php-{5.5.34,5.6.20,7.0.5}: Multiple vulnerabilities (CVE-2015-8865,CVE-2016-{4071,4072,4073})
Product: Gentoo Security
Reporter: Tomáš Mózes <hydrapolic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: himbeere, php-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.php.net/ChangeLog-5.php#5.5.34
Whiteboard: A2 [glsa glsa blocked cve]
Package list:
Runtime testing required: ---
Bug Depends on: 581834
Bug Blocks:

Description Tomáš Mózes 2016-04-01 07:19:36 UTC
Not an April joke ;)
Comment 1 Michael Orlitzky gentoo-dev 2016-04-04 21:23:43 UTC
I just pushed out the fixed versions.
Comment 2 Agostino Sarubbo gentoo-dev 2016-04-07 07:52:40 UTC
Arches, please test and mark stable:
=dev-lang/php-5.5.34
=dev-lang/php-5.6.20
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Tomáš Mózes 2016-04-07 08:46:47 UTC
What about 7.0.5?
Comment 4 Agostino Sarubbo gentoo-dev 2016-04-07 08:51:15 UTC
(In reply to Tomáš Mózes from comment #3)
> What about 7.0.5?

The slot 7 is not stable; the stabilization won't happen in a security bug.
Comment 5 Agostino Sarubbo gentoo-dev 2016-04-07 09:21:29 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-07 09:21:59 UTC
x86 stable
Comment 7 Tomáš Mózes 2016-04-07 12:33:09 UTC
(In reply to Agostino Sarubbo from comment #4)
> (In reply to Tomáš Mózes from comment #3)
> > What about 7.0.5?
> 
> The slot 7 is not stable; the stabilization won't happen in a security bug.

That was more a question towards the php team.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-08 08:23:59 UTC
Stable for PPC64.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-10 07:14:25 UTC
Stable for HPPA.
Comment 10 Markus Meier gentoo-dev 2016-04-19 15:45:24 UTC
arm stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-21 09:53:29 UTC
Alpha is skipping these in favor of =dev-lang/php-5.5.35/=dev-lang/php-5.6.21 from bug 581834.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 11:30:03 UTC
CVE-2016-4073 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4073):
  Multiple integer overflows in the mbfl_strcut function in
  ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before
  5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of
  service (application crash) or possibly execute arbitrary code via a crafted
  mb_strcut call.

CVE-2016-4072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4072):
  The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before
  7.0.5 allows remote attackers to execute arbitrary code via a crafted
  filename, as demonstrated by mishandling of \0 characters by the
  phar_analyze_path function in ext/phar/phar.c.

CVE-2016-4071 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4071):
  Format string vulnerability in the php_snmp_error function in
  ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before
  7.0.5 allows remote attackers to execute arbitrary code via format string
  specifiers in an SNMP::get call.

CVE-2015-8865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8865):
  The file_check_mem function in funcs.c in file before 5.23, as used in the
  Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before
  7.0.5, mishandles continuation-level jumps, which allows context-dependent
  attackers to cause a denial of service (buffer overflow and application
  crash) or possibly execute arbitrary code via a crafted magic file.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:48:26 UTC
This issue was resolved and addressed in
 GLSA 201611-22 at https://security.gentoo.org/glsa/201611-22
by GLSA coordinator Aaron Bauman (b-man).