
Bug 703326 (CVE-2019-11045, CVE-2019-11046, CVE-2019-11047, CVE-2019-11049, CVE-2019-11050)

Summary: <dev-lang/php-{7.2.26,7.3.13,7.4.1}: multiple vulnerabilities (CVE-2019-{11045,11046,11047,11049,11050})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: php-bugs
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
dev-lang/php-7.2.26 dev-lang/php-7.3.13
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-19 02:53:05 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-12-19 02:57:05 UTC
Bcmath:
Fixed bug https://bugs.php.net/bug.php?id=78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)

Core:
Fixed bug https://bugs.php.net/bug.php?id=78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
Fixed bug https://bugs.php.net/bug.php?id=78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049)


EXIF:
Fixed bug https://bugs.php.net/bug.php?id=78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)
Fixed bug https://bugs.php.net/bug.php?id=78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047)
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-23 09:22:06 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-24 08:09:15 UTC
x86 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:02:14 UTC
arm stable
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-12-25 20:05:05 UTC
arm64 stable
Comment 6 Sergei Trofimovich gentoo-dev 2019-12-25 21:02:34 UTC
hppa/ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-30 15:54:26 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-31 08:18:29 UTC
ppc64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2020-01-17 20:15:36 UTC
GLSA Vote: No!

Repository is clean, all done!