Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 624052

Summary: <dev-lang/php-{5.6.31, 7.0.21}: Multiple vulnerabilities
Product: Gentoo Security Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: php-bugs
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/07/05/4
Whiteboard: B3 [noglsa]
Package list:
dev-lang/php-5.6.31 dev-lang/php-7.0.21
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 624054    

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-06 19:49:52 UTC
from $URL:

issues fixed in PHP at the moment

#73807 Performance problem with processing post request over 2000000 chars
https://bugs.php.net/bug.php?id=73807
http://git.php.net/?p=php-src.git;a=commitdiff;h=0f8cf3b8497dc45c010c44ed9e96518e11e19fc3

#74145 wddx parsing empty boolean tag leads to SIGSEGV
https://bugs.php.net/bug.php?id=74145
http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9

#74651 negative-size-param (-1) in memcpy in zif_openssl_seal()
https://bugs.php.net/bug.php?id=74651
http://git.php.net/?p=php-src.git;a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6

#74819 wddx_deserialize() heap out-of-bound read via php_parse_date()
https://bugs.php.net/bug.php?id=74819
PHP 5.6 -
http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
PHP 7.0  -
http://git.php.net/?p=php-src.git;a=commitdiff;h=6b18d956de38ecd8913c3d82ce96eb0368a1f9e5

Also, requests from past releases:

PHP 5.6.28 + 7.0.13
#73192 parse_url return wrong hostname
https://bugs.php.net/bug.php?id=73192
http://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4

5.6.30 + 7.0.15
#73773 Seg fault when loading hostile phar
https://bugs.php.net/bug.php?id=73773
http://git.php.net/?p=php-src.git;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2017-07-07 14:55:58 UTC
Arches, Please test and mark stable
Comment 2 Sergei Trofimovich gentoo-dev 2017-07-08 11:14:29 UTC
ia64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-07-12 08:17:54 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-07-12 08:18:45 UTC
x86 stable
Comment 5 Tobias Klausmann gentoo-dev 2017-07-16 11:14:01 UTC
Stable on alpha.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 03:39:17 UTC
Thanks ago,klausman and slyfox any news from hppa, sparc, ppc and ppc64?
Comment 7 Markus Meier gentoo-dev 2017-07-25 18:51:55 UTC
arm stable
Comment 8 Sergei Trofimovich gentoo-dev 2017-07-30 18:47:26 UTC
ppc/ppc64 stable
Comment 9 Sergei Trofimovich gentoo-dev 2017-09-07 09:26:29 UTC
ia64 stable (tested by Dakon)
Comment 10 Sergei Trofimovich gentoo-dev 2017-09-07 19:26:00 UTC
> ia64 stable (tested by Dakon)
My apologies. Meant to write "sparc stable (tested by Dakon)"
Comment 11 Sergei Trofimovich gentoo-dev 2017-09-23 14:03:11 UTC
hppa stable \o/

Last arch is done here.
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-23 14:18:27 UTC
Thank you all,

@Maintainers, please proceed to clean the tree from vulnerable versions.

@Security please vote.

Gentoo Security Padawan
ChrisADR
Comment 13 Michael Orlitzky gentoo-dev 2017-09-24 11:13:04 UTC
The vulnerable versions are gone.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-24 12:39:34 UTC
GLSA Vote: No