Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 666256 (CVE-2018-17082)

Summary: <dev-lang/php-{5.6.38,7.0.32,7.1.22,7.2.10}: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request (CVE-2018-17082)
Product: Gentoo Security Reporter: Brian Evans (RETIRED) <grknight>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hydrapolic, leho, php-bugs
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.php.net/bug.php?id=76582
Whiteboard: A3 [glsa+ cve]
Package list:
dev-lang/php-5.6.38 dev-lang/php-7.0.32 dev-lang/php-7.1.22 dev-lang/php-7.2.10 dev-libs/libzip-1.3.0 arm
 Runtime testing required: ---

Description Brian Evans (RETIRED) gentoo-dev 2018-09-15 03:45:34 UTC 
Versions prior to those listed, are vulnerable to an XSS attack simply by sending a request to an Apache server to process a PHP script.

CVE pending.

Arches, please test and mark stable.
Comment 1 Stabilization helper bot gentoo-dev 2018-09-15 04:08:29 UTC 
An automated check of this bug failed - repoman reported dependency errors (500 lines truncated): 

> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
Comment 2 Tomáš Mózes 2018-09-15 09:59:44 UTC 
*** Bug 666264 has been marked as a duplicate of this bug. ***
Comment 3 Mart Raudsepp gentoo-dev 2018-09-15 10:07:12 UTC 
arm64 does not have any stable PHP; please look who you CC :)
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-15 10:20:42 UTC 
amd64 stable
Comment 5 Stabilization helper bot gentoo-dev 2018-09-15 11:07:16 UTC 
An automated check of this bug failed - repoman reported dependency errors (404 lines truncated): 

> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
Comment 6 Stabilization helper bot gentoo-dev 2018-09-15 12:07:47 UTC 
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 7 Leho Kraav (:macmaN @lkraav) 2018-09-15 17:03:59 UTC 
I think `virtual/httpd-php-7.2` needs to also be bumped stable with this?
Comment 8 Rolf Eike Beer archtester 2018-09-16 07:31:57 UTC 
sparc done.
Comment 9 Brandon Holbrook 2018-09-17 16:51:37 UTC 
Agree with comment #7

If we are using this bug to stabilize PHP-7.2, we should also remove "php_targets_php7-2" from profiles/base/use.stable.mask
Comment 10 Brian Evans (RETIRED) gentoo-dev 2018-09-17 17:50:26 UTC 
(In reply to Brandon Holbrook from comment #9)
> Agree with comment #7
> 
> If we are using this bug to stabilize PHP-7.2, we should also remove
> "php_targets_php7-2" from profiles/base/use.stable.mask

This will be done at the appropriate time.  It's a bunch of extra work do that part one arch at a time instead of everyone together.
Comment 11 Matt Turner gentoo-dev 2018-09-18 19:16:25 UTC 
ppc/ppc64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-18 22:33:09 UTC 
ia64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-18 23:10:21 UTC 
hppa has no stable php keywords
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-19 17:37:02 UTC 
x86 stable
Comment 15 Markus Meier gentoo-dev 2018-09-24 18:17:19 UTC 
arm stable
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-11 14:30:10 UTC 
Stable on alpha.
Comment 17 Larry the Git Cow gentoo-dev 2018-10-11 14:41:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9b41d63fc172ef8fa87fb99b6a283926f82cf80

commit c9b41d63fc172ef8fa87fb99b6a283926f82cf80
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-10-11 14:38:47 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-10-11 14:41:39 +0000

    dev-lang/php: Drop security vulnerable versions
    
    Bug: https://bugs.gentoo.org/666256
    Bug: https://bugs.gentoo.org/668000
    Signed-off-by: Brian Evans <grknight@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-lang/php/Manifest          |   3 -
 dev-lang/php/php-5.6.36.ebuild | 777 -----------------------------------------
 dev-lang/php/php-7.0.30.ebuild | 751 ---------------------------------------
 dev-lang/php/php-7.1.18.ebuild | 731 --------------------------------------
 4 files changed, 2262 deletions(-)
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2018-12-02 15:45:54 UTC 
This issue was resolved and addressed in
 GLSA 201812-01 at https://security.gentoo.org/glsa/201812-01
by GLSA coordinator Aaron Bauman (b-man).