Bug 649368 (CVE-2018-7584)

Summary: <dev-lang/php-{5.6.34,7.0.28,7.1.15}: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response (CVE-2018-7584)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: php-bugs
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 652420    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-02 16:08:35 UTC
CVE-2018-7584:
  In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x
  through 7.2.2, there is a stack-based buffer under-read while parsing an
  HTTP response in the php_stream_url_wrap_http_ex function in
  ext/standard/http_fopen_wrapper.c. This subsequently results in copying a
  large string.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2018-03-15 16:37:47 UTC
Ebuilds added.

Arches, please test and mark stable.

Side note: PHP 5.6.x and 7.0.x will be EOL by the end of 2018.  Only security fixes from this point forward for both.  First security issue beyond that will be cause for removal.
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-15 22:01:23 UTC
ia64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2018-03-16 17:57:20 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-17 12:35:00 UTC
commit a84f4e81164388f51b5efd080797bf39d0349b11
Author: Rolf Eike Beer <>
Date:   Fri Mar 16 22:10:26 2018 +0100

    dev-lang/php: stable 7.1.15 for sparc, bug #649368
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-18 00:44:56 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-30 17:40:07 UTC
commit 3a90cba9679a1af769488df6116ed0748a2ea011
Author: Jeroen Roovers <>
Date:   Fri Mar 30 11:06:25 2018 +0200

    dev-lang/php: Stable for HPPA too.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-31 17:53:46 UTC
Stable on alpha.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-31 22:03:09 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2018-04-08 10:54:06 UTC
arm stable, all arches done.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-05-26 14:25:38 UTC
GLSA Vote: No

Cleanup will happen in bug #652420