Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 857054 (CVE-2022-31627)

Summary: <dev-lang/php-8.1.8: heap buffer overflow in finfo_buffer
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.php.net/ChangeLog-8.php#8.1.8
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 857075    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-08 19:51:54 UTC 
"Fixed bug #81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627)"

Please stabilize 8.1.8. Presumably other branches will get the patch
too, so no need to clean them up.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2022-07-08 21:56:06 UTC 
(In reply to John Helmert III from comment #0)
> "Fixed bug #81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627)"
> 
> Please stabilize 8.1.8. Presumably other branches will get the patch
> too, so no need to clean them up.

This bug is specific to the 8.1 slot.  It stems from a custom patch created by the PHP team specifically for 8.1.  Older versions apparently did things differently.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-08 22:06:05 UTC 
Thanks!
Comment 3 Larry the Git Cow gentoo-dev 2022-07-09 12:52:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cdeacff00b3466376b13bed5d05ce970f6e3ceb

commit 4cdeacff00b3466376b13bed5d05ce970f6e3ceb
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2022-07-09 12:48:56 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2022-07-09 12:51:59 +0000

    dev-lang/php: Drop old
    
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest         |   1 -
 dev-lang/php/php-8.1.7.ebuild | 759 ------------------------------------------
 2 files changed, 760 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 14:23:40 UTC 
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-09-29 14:48:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4447c90f117a8f0928cc5e880f3cfc9fde7ee918

commit 4447c90f117a8f0928cc5e880f3cfc9fde7ee918
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:23:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-20 ] PHP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/799776
    Bug: https://bugs.gentoo.org/810526
    Bug: https://bugs.gentoo.org/819510
    Bug: https://bugs.gentoo.org/833585
    Bug: https://bugs.gentoo.org/850772
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-20.xml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:51:45 UTC 
GLSA released, all done!