Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 873376 (CVE-2022-31628, CVE-2022-31629)

Summary: <dev-lang/php-{7.4.32,8.0.24,8.1.11}: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: anders.gentoo, mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 873697    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 02:51:32 UTC 
CVE-2022-31628 (https://bugs.php.net/bug.php?id=81726):

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

CVE-2022-31629 (https://bugs.php.net/bug.php?id=81727):

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

The bug reports are private so far, but maybe we can trust the CVE
descriptions here? I've not seen release notifications yet.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:18:25 UTC 
Well, 7.4.32 is released to fix these and 7.4.31 was skipped.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 13:49:15 UTC 
8.1.11 is released.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 13:51:53 UTC 
commit fe94a60bc978b8b1aa9bd45f4f5ae6503325863e
Author: Brian Evans <grknight@gentoo.org>
Date:   Thu Sep 29 13:29:26 2022 -0400

    dev-lang/php: Version bump for 8.1.11

    Signed-off-by: Brian Evans <grknight@gentoo.org>

commit 6d148e5f3eeb4db3cad1672ca234cea261a1320e
Author: Brian Evans <grknight@gentoo.org>
Date:   Thu Sep 29 13:10:13 2022 -0400

    dev-lang/php: Version bump for 7.4.32

    Signed-off-by: Brian Evans <grknight@gentoo.org>

Please stabilize.
Comment 4 Larry the Git Cow gentoo-dev 2022-09-30 19:50:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=381d51ea868d35beb755abb17bf1f01053ebace4

commit 381d51ea868d35beb755abb17bf1f01053ebace4
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2022-09-30 19:49:36 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2022-09-30 19:49:36 +0000

    dev-lang/php: Version bump for 8.0.24
    
    Bug: https://bugs.gentoo.org/873376
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-8.0.24.ebuild | 758 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 759 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2022-10-03 14:05:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7f8cbc67adf4cc0132ec89eed8872a8d2c6f8f3

commit a7f8cbc67adf4cc0132ec89eed8872a8d2c6f8f3
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2022-10-03 14:05:06 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2022-10-03 14:05:06 +0000

    dev-lang/php: Drop security vulnerable versions
    
    Bug: https://bugs.gentoo.org/873376
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest             |   8 -
 dev-lang/php/php-7.4.30-r1.ebuild | 748 -------------------------------------
 dev-lang/php/php-7.4.30.ebuild    | 746 -------------------------------------
 dev-lang/php/php-8.0.20.ebuild    | 758 -------------------------------------
 dev-lang/php/php-8.0.21.ebuild    | 758 -------------------------------------
 dev-lang/php/php-8.0.22.ebuild    | 758 -------------------------------------
 dev-lang/php/php-8.0.23.ebuild    | 758 -------------------------------------
 dev-lang/php/php-8.1.10.ebuild    | 756 -------------------------------------
 dev-lang/php/php-8.1.8.ebuild     | 759 --------------------------------------
 dev-lang/php/php-8.1.9.ebuild     | 756 -------------------------------------
 10 files changed, 6805 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 19:16:40 UTC 
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-11-22 04:01:34 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a1c6623b6eaf15e917c58aa4f27b51911625e28f

commit a1c6623b6eaf15e917c58aa4f27b51911625e28f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-19 03:32:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:39 +0000

    [ GLSA 202211-03 ] PHP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/867913
    Bug: https://bugs.gentoo.org/873376
    Bug: https://bugs.gentoo.org/877853
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-03.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:03:23 UTC 
GLSA released, all done!