Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 912331 (CVE-2023-3823, CVE-2023-3824)

Summary: <dev-lang/php-{8.0.30,8.1.23,8.2.9}: multiple vulnerabilities
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ajak
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.php.net/ChangeLog-8.php#8.0.30
Whiteboard: C2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 912332, 921178    
Bug Blocks:    

Description Michael Orlitzky gentoo-dev 2023-08-15 23:54:21 UTC
Libxml:
  Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity
  loading in XML without enabling it). (CVE-2023-3823)

Phar:
  Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in
  phar_dir_read()). (CVE-2023-3824)
Comment 1 Larry the Git Cow gentoo-dev 2023-08-16 00:01:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78205d9878dfc9826ce1d7046d2f7c2b3dd5d073

commit 78205d9878dfc9826ce1d7046d2f7c2b3dd5d073
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-08-15 23:51:49 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-08-15 23:55:23 +0000

    dev-lang/php: add 8.0.30
    
    Fixes CVE-2023-3823 and CVE-2023-3824.
    
    Bug: https://bugs.gentoo.org/912331
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-8.0.30.ebuild | 757 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 758 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-08 18:55:59 UTC
Also fixed in 8.1.22, 8.2.9. First fixed 8.1 in Gentoo was 8.1.23.