
Bug 594498 (CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7416, CVE-2016-7417, CVE-2016-7418)

Summary: <dev-lang/php-5.6.26: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: php-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.php.net/ChangeLog-5.php#5.6.26
Whiteboard: A2 [glsa cve cleanup]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 591710

Description Agostino Sarubbo gentoo-dev 2016-09-20 10:58:27 UTC
From ${URL}:

Fixed bug #73007 (add locale length check). (CVE-2016-7416)
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields). (CVE-2016-7412)
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile). (CVE-2016-7414)
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
Fixed bug #73029 (Missing type check when unserializing SplArray). (CVE-2016-7417)
Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction). (CVE-2016-7411)
Fixed bug #72860 (wddx_deserialize use-after-free). (CVE-2016-7413)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (CVE-2016-7418)
@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand gentoo-dev 2016-09-20 19:57:55 UTC
Arches please stabilize:
=dev-lang/php-5.6.26
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Tobias Klausmann gentoo-dev 2016-09-21 12:31:33 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2016-09-21 13:18:38 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-23 04:46:48 UTC
Stable for HPPA.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-24 07:06:42 UTC
Stable for PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-29 08:43:36 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:38:36 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 12:39:30 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:15:21 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 13:31:56 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2016-10-31 05:50:46 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:49:06 UTC
This issue was resolved and addressed in GLSA 201611-22 at https://security.gentoo.org/glsa/201611-22 by GLSA coordinator Aaron Bauman (b-man).