
Bug 687026

Summary: <dev-lang/php-{5.6.40-r4,7.1.30,7.2.19,7.3.6}: multiple vulnerabilities
Product: Gentoo Security Reporter: Brian Evans (RETIRED) <grknight>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: php-bugs
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
dev-lang/php-5.6.40-r4 alpha amd64 arm ia64 ppc ppc64 x86 hppa sparc
dev-lang/php-7.1.30 alpha amd64 arm arm64 ia64 ppc ppc64 x86 hppa sparc
dev-lang/php-7.2.19 alpha amd64 arm arm64 ia64 ppc ppc64 x86 hppa sparc
dev-lang/php-7.3.6 alpha amd64 arm arm64 ia64 ppc ppc64 x86 hppa sparc
Runtime testing required: ---
Bug Depends on: 690154    
Bug Blocks:    

Description Brian Evans (RETIRED) gentoo-dev 2019-05-30 18:23:52 UTC
The latest round of PHP releases is security-based. All seem to relate to memory issues.

(Note 5.6.40-r4 has backported all security patches since final release)

Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034)
Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (CVE-2019-11035)
Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG). (CVE-2019-11036)
Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). (CVE-2019-11040)
Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). (CVE-2019-11038)
Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow). (CVE-2019-11039)
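The caveat in the description matters for anyone checking whether their system is covered: upstream PHP 5.6 reached end of life before these CVEs, so the 5.6 fixes exist only in the Gentoo revision 5.6.40-r4, and `php -v` still reports plain 5.6.40 on a patched and an unpatched box alike. The script below is an added example, not part of the bug or of the Gentoo tree; it compares a dev-lang/php package version (the form printed by `portageq match / dev-lang/php`, which includes the `-rN` revision) against the first fixed version per slot taken from the bug summary. The sample versions at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the bug or the Gentoo tree): check a dev-lang/php
# package version against the first fixed release per slot named in bug 687026.
# Input form is the Portage package version, e.g. "7.2.18" or "5.6.40-r4",
# because "php -v" cannot distinguish 5.6.40-r3 from 5.6.40-r4.

# ver_ge A B: return 0 if version A >= version B, else 1.
# Versions are X.Y.Z with an optional Gentoo "-rN" revision; a missing
# revision counts as -r0.
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/-r\([0-9]*\)$/.\1/')
    b=$(printf '%s' "$2" | sed 's/-r\([0-9]*\)$/.\1/')
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# fixed_for VERSION: print the first fixed version for VERSION's slot,
# as listed in the bug summary. Returns 1 for a slot the bug does not cover.
fixed_for() {
    case "$1" in
        5.6.*) printf '5.6.40-r4' ;;   # upstream 5.6 is EOL; only the Gentoo -r4 revision carries the backports
        7.1.*) printf '7.1.30' ;;
        7.2.*) printf '7.2.19' ;;
        7.3.*) printf '7.3.6' ;;
        *) return 1 ;;
    esac
}

# php_fixed VERSION: 0 = fixed, 1 = vulnerable, 2 = slot not covered by this bug.
php_fixed() {
    f=$(fixed_for "$1") || return 2
    ver_ge "$1" "$f"
}

# Constructed sample inputs; on a real host use:
#   portageq match / dev-lang/php | sed 's/^dev-lang\/php-//'
for v in 5.6.40-r3 5.6.40-r4 7.0.33 7.1.29 7.1.30 7.2.18 7.3.6; do
    rc=0
    php_fixed "$v" || rc=$?
    case $rc in
        0) echo "dev-lang/php-$v: fixed" ;;
        1) echo "dev-lang/php-$v: VULNERABLE, upgrade to dev-lang/php-$(fixed_for "$v")" ;;
        *) echo "dev-lang/php-$v: slot not covered by bug 687026" ;;
    esac
done
```

Note that a 7.0 version comes back as "not covered" rather than "fixed": the bug lists no 7.0 package, so the script makes no claim about that slot.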
Comment 1 Brian Evans (RETIRED) gentoo-dev 2019-05-30 19:09:44 UTC
Arches, please test and mark stable
Comment 2 Rolf Eike Beer archtester 2019-05-31 21:02:48 UTC
sparc stable
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-06-04 09:56:51 UTC
Adding 7.3.6.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-06-04 15:18:11 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-06-04 16:47:22 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-06-05 06:49:38 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-06-05 07:14:53 UTC
ppc stable
Comment 8 Frank Krömmelbein 2019-06-05 20:50:54 UTC
Now that you have stabilized php slot 7.3, could you then please also stabilize the corresponding virtual/httpd-php-7.3 ?
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-06-05 21:29:43 UTC
(In reply to Frank Krömmelbein from comment #8)
> Now that you have stabilized php slot 7.3, could you then please also
> stabilize the corresponding virtual/httpd-php-7.3 ?

Good point. I did this and will keep doing for arches which have stabilized a dev-lang/php:7.3 version.
Comment 10 Frank Krömmelbein 2019-06-05 22:31:01 UTC
(In reply to Thomas Deutschmann from comment #9)
> 
> Good point. I did this and will keep doing for arches which have stabilized
> a dev-lang/php:7.3 version.

Thank you Thomas.
Unfortunately that was not enough; this entry in use.stable.mask must also be removed:

# Brian Evans <grknight@gentoo.org> (11 Jan 2019)
# Mask PHP 7.3 target while unstable
php_targets_php7-3
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2019-06-05 23:50:40 UTC
We cannot do this until major architectures have stabilized or we would have to add masks for slacking architectures. Let's wait a few days, we also need bug 687326. I started a CI run in https://github.com/gentoo/gentoo/pull/12201.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-06-06 02:37:40 UTC
arm64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2019-06-06 06:55:07 UTC
ia64 stable
Comment 14 Rolf Eike Beer archtester 2019-06-08 08:46:02 UTC
hppa stable
Comment 15 Agostino Sarubbo gentoo-dev 2019-06-08 18:20:51 UTC
alpha stable
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2019-07-18 14:44:10 UTC
Superseded by bug 690154.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-08 17:56:08 UTC
All done, repository is clean.