
Bug 591710 (CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7133, CVE-2016-7134)

Summary: <dev-lang/php-5.6.25: Multiple vulnerabilities
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secure.php.net/ChangeLog-5.php#5.6.25
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 594498    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2016-08-20 06:48:45 UTC
New PHP releases, as usual a bunch of security fixes, e.g. (probably incomplete):
Fixed bug #72681 (PHP Session Data Injection Vulnerability).
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER).
Fixed bug #72674 (Heap overflow in curl_escape).
Fixed bug #72730 (imagegammacorrect allows arbitrary write access).
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
Fixed bug #72782 (Heap Overflow due to integer overflows).
Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
Fixed bug #72749 (wddx_deserialize allows illegal memory access) (Stas)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-02 10:58:25 UTC
Additional vulnerabilities fixed in the mentioned versions (see CVE request at http://www.openwall.com/lists/oss-security/2016/09/02/5):


GD:

 - select_colors write out-of-bounds
   PHP-Bug: https://bugs.php.net/bug.php?id=72697


EXIF:

 - Memory Leakage In exif_process_IFD_in_TIFF
   PHP-Bug: https://bugs.php.net/bug.php?id=72627


WDDX:

 - wddx_deserialize null dereference
   PHP-Bug: https://bugs.php.net/bug.php?id=72750

 - wddx_deserialize null dereference with invalid xml
   PHP-Bug: https://bugs.php.net/bug.php?id=72790

 - wddx_deserialize null dereference in php_wddx_pop_element
   PHP-Bug: https://bugs.php.net/bug.php?id=72799


PHP 7.0.10 only:

Core:

 - memory allocator fails to realloc small block to large one
   PHP-Bug: https://bugs.php.net/bug.php?id=72742
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-04 17:44:41 UTC
An additional bug became a vulnerability:

Core:

 - (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization)
   PHP-Bug: https://bugs.php.net/72663


CVEs are now assigned: http://www.openwall.com/lists/oss-security/2016/09/02/9
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-04 18:30:39 UTC
Arches, please test and mark stable:
=dev-lang/php-5.6.25
=dev-lang/php-7.0.10

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-09-04 18:40:01 UTC
Please disregard the reference to PHP 7 above, the correct atom is 

Arches, please test and mark stable:
=dev-lang/php-5.6.25
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-09 05:02:14 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-10 12:49:53 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-14 13:28:00 UTC
Stable for PPC64.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-17 09:52:18 UTC
Stable on alpha.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-09-20 19:59:24 UTC
Stabilization of newer version in bug 594498
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:48:59 UTC
This issue was resolved and addressed in
 GLSA 201611-22 at https://security.gentoo.org/glsa/201611-22
by GLSA coordinator Aaron Bauman (b-man).