Summary: | <dev-php/phpunit-5.7.15-r1: Remote code execution | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | php-bugs |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://github.com/sebastianbergmann/phpunit/pull/1956 | | |
Whiteboard: | C2 [glsa cve] | | |
Runtime testing required: | --- | | |

Package list:

=dev-php/phpunit-5.7.15-r1
=dev-php/phpunit-mock-objects-3.4.3
=dev-php/doctrine-instantiator-1.0.5
=dev-php/fedora-autoloader-0.2.1
=dev-php/sebastian-object-enumerator-2.0.1
=dev-php/sebastian-global-state-1.1.1
=dev-php/phpdocumentor-reflection-common-1.0
=dev-php/phpspec-prophecy-1.7.0
=dev-php/sebastian-recursion-context-2.0.0
=dev-php/myclabs-deepcopy-1.6.0
=dev-php/sebastian-resource-operations-1.0.0
=dev-php/PHP_CodeCoverage-4.0.7
=dev-php/Text_Template-1.2.1
=dev-php/symfony-yaml-2.1.0
=dev-php/File_Iterator-1.4.2
=dev-php/webmozart-assert-1.2.0
=dev-php/phpdocumentor-reflection-docblock-3.1.1
=dev-php/PHP_TokenStream-1.4.11
=dev-php/sebastian-diff-1.4.1-r1
=dev-php/sebastian-environment-2.0.0
=dev-php/phpdocumentor-type-resolver-0.2.1
=dev-php/sebastian-comparator-1.2.4
=dev-php/sebastian-code-unit-reverse-lookup-1.0.1
=dev-php/PHP_Timer-1.0.9
=dev-php/sebastian-exporter-2.0.0
=dev-php/sebastian-version-2.0.1
Description
GLSAMaker/CVETool Bot
2017-10-24 19:58:00 UTC
Upstream Fix: https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Adding associated patch and URL for reference. @maintainer(s), please verify if vulnerable versions in tree before 5.7.15-r1 are indeed affected. Call for stabilization if needed, thank you.

Gentoo Security Padawan (jmbailey/mbailey_j)

We'll still update PHPUnit, but this doesn't really affect us. No one on Gentoo is going to copy-paste /usr/share/php/PHPUnit into their public website directory. This is only a risk because Composer does that if you don't tell it to store "vendor" somewhere else.

(In reply to Michael Orlitzky from comment #2)
> We'll still update PHPUnit, but this doesn't really affect us. No one on
> Gentoo is going to copy-paste /usr/share/php/PHPUnit into their public
> website directory. This is only a risk because Composer does that if you
> don't tell it to store "vendor" somewhere else.

Thanks for the clarification, Michael; since it's a specific configuration in order to be vulnerable, I'm downgrading to C2. Please call stabilization when ready.

Please stabilize the latest phpunit-5.7.15-r1, and I'll remove the remaining 4.x version afterwards. There may be packages in the tree whose test suites require phpunit-4.x, but I'll mask USE=test for them in that case. PHPUnit-5.x isn't even the latest series, and we can't keep the old versions around forever.

An automated check of this bug failed - repoman reported dependency errors (38 lines truncated):
> dependency.bad dev-php/phpunit/phpunit-5.7.15-r1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['<dev-php/sebastian-version-3.0']
> dependency.bad dev-php/phpunit/phpunit-5.7.15-r1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['<dev-php/sebastian-version-3.0']
> dependency.bad dev-php/phpunit/phpunit-5.7.15-r1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['<dev-php/sebastian-version-3.0']
> dependency.bad dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-php/sebastian-version-1.0']
> dependency.bad dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-php/sebastian-version-1.0']
> dependency.bad dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['>=dev-php/sebastian-version-1.0']
x86 stable, amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

(In reply to Michael Orlitzky from comment #4)
> PHPUnit-5.x isn't even the latest series, and we can't keep the old versions around forever.

True, as noted from https://phpunit.de/: "Support for PHPUnit 5 ends on February 2, 2018."

Could you also confirm that commit 0c1ae1b5324fa10f96129c5679b788cc1ca9468e was the one actually applied and tested against? It was labeled as the correct fix for 1956. See https://github.com/sebastianbergmann/phpunit/commit/0c1ae1b5324fa10f96129c5679b788cc1ca9468e . Not sure how I missed it.

@Security, New GLSA request filed.

Gentoo Security Padawan (jmbailey/mbailey_j)

(In reply to Daj' Uan (Jmbailey) from comment #8)
> Could you also confirm that commit 0c1ae1b5324fa10f96129c5679b788cc1ca9468e
> was the one actually applied and tested against?

Confirmed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce0e623ff9c189a860febe202512bd4a8a9e931b

commit ce0e623ff9c189a860febe202512bd4a8a9e931b
Author: Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2017-11-14 14:34:35 +0000
Commit: Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2017-11-14 14:42:03 +0000

dev-php/phpunit: stabilize PHPUnit on all arches.

The latest (and only, as of right now) version of PHPUnit in the tree has been stabilized on amd64 and x86 in bug 635356 to fix CVE-2017-9841. However, that new version now comes with a bunch of pure-PHP dependencies, all of which were unstable for most arches. That left a significant number of packages in permanent ~arch, as punishment for having a test suite. Since PHPUnit and its dependencies are all pure-PHP, I'm taking this opportunity to stabilize them all under the ALLARCHES umbrella.

The following packages are affected:

* dev-php/File_Iterator
* dev-php/PHP_CodeCoverage
* dev-php/PHP_Timer
* dev-php/PHP_TokenStream
* dev-php/Text_Template
* dev-php/doctrine-instantiator
* dev-php/fedora-autoloader
* dev-php/myclabs-deepcopy
* dev-php/phpdocumentor-reflection-common
* dev-php/phpdocumentor-reflection-docblock
* dev-php/phpdocumentor-type-resolver
* dev-php/phpspec-prophecy
* dev-php/phpunit-mock-objects
* dev-php/phpunit
* dev-php/sebastian-code-unit-reverse-lookup
* dev-php/sebastian-comparator
* dev-php/sebastian-diff
* dev-php/sebastian-environment
* dev-php/sebastian-exporter
* dev-php/sebastian-global-state
* dev-php/sebastian-object-enumerator
* dev-php/sebastian-recursion-context
* dev-php/sebastian-resource-operations
* dev-php/sebastian-version
* dev-php/symfony-yaml
* dev-php/webmozart-assert

These were all done in a single commit (against the usual better judgment) because many of the affected packages have PHPUnit test suites that create circular dependencies, and that would involve breaking the tree between commits if they had been made individually.

Bug: https://bugs.gentoo.org/635356

dev-php/File_Iterator/File_Iterator-1.4.2.ebuild | 2 +-
dev-php/PHP_CodeCoverage/PHP_CodeCoverage-4.0.7.ebuild | 2 +-
dev-php/PHP_Timer/PHP_Timer-1.0.9.ebuild | 2 +-
dev-php/PHP_TokenStream/PHP_TokenStream-1.4.11.ebuild | 2 +-
dev-php/Text_Template/Text_Template-1.2.1.ebuild | 2 +-
dev-php/doctrine-instantiator/doctrine-instantiator-1.0.5.ebuild | 2 +-
dev-php/fedora-autoloader/fedora-autoloader-0.2.1.ebuild | 2 +-
dev-php/myclabs-deepcopy/myclabs-deepcopy-1.6.0.ebuild | 2 +-
.../phpdocumentor-reflection-common-1.0.ebuild | 2 +-
.../phpdocumentor-reflection-docblock-3.1.1.ebuild | 2 +-
.../phpdocumentor-type-resolver-0.2.1.ebuild | 2 +-
dev-php/phpspec-prophecy/phpspec-prophecy-1.7.0.ebuild | 2 +-
dev-php/phpunit-mock-objects/phpunit-mock-objects-3.4.3.ebuild | 2 +-
dev-php/phpunit/phpunit-5.7.15-r1.ebuild | 2 +-
.../sebastian-code-unit-reverse-lookup-1.0.1.ebuild | 2 +-
dev-php/sebastian-comparator/sebastian-comparator-1.2.4.ebuild | 2 +-
dev-php/sebastian-diff/sebastian-diff-1.4.1-r1.ebuild | 2 +-
dev-php/sebastian-environment/sebastian-environment-2.0.0.ebuild | 2 +-
dev-php/sebastian-exporter/sebastian-exporter-2.0.0.ebuild | 2 +-
dev-php/sebastian-global-state/sebastian-global-state-1.1.1.ebuild | 2 +-
.../sebastian-object-enumerator-2.0.1.ebuild | 2 +-
.../sebastian-recursion-context-2.0.0.ebuild | 2 +-
.../sebastian-resource-operations-1.0.0.ebuild | 2 +-
dev-php/sebastian-version/sebastian-version-2.0.1.ebuild | 2 +-
dev-php/symfony-yaml/symfony-yaml-2.1.0.ebuild | 2 +-
dev-php/webmozart-assert/webmozart-assert-1.2.0.ebuild | 2 +-
26 files changed, 26 insertions(+), 26 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b731db1e2b5f6b7efa4a9416b079aca6ce35beac

commit b731db1e2b5f6b7efa4a9416b079aca6ce35beac
Author: Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2017-11-14 13:06:19 +0000
Commit: Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2017-11-14 14:41:57 +0000

dev-php/phpunit: remove unused phpunit-4.3.1.ebuild to fix CVE-2017-9841.

Bug: https://bugs.gentoo.org/635356
Package-Manager: Portage-2.3.8, Repoman-2.3.3

dev-php/phpunit/Manifest | 1 -
dev-php/phpunit/phpunit-4.3.1.ebuild | 37 ------------------------------------
2 files changed, 38 deletions(-)

New GLSA Request filed.

This issue was resolved and addressed in GLSA 201711-15 at https://security.gentoo.org/glsa/201711-15 by GLSA coordinator Christopher Diaz Riveros (chrisadr).