From ${URL} : Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6712 to the following vulnerability: Name: CVE-2013-6712 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712 Assigned: 20131108 Reference: https://bugs.php.net/bug.php?id=66060 Reference: http://git.php.net/?p=php-src.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071 The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
It is ready. Go ahead.
(In reply to Ole Markus With from comment #1) > It is ready. Go ahead. What about the previous series? (5.4-5.3)
(In reply to Agostino Sarubbo from comment #2) > (In reply to Ole Markus With from comment #1) > > It is ready. Go ahead. > > What about the previous series? (5.4-5.3) 5.4 should have a fix already. 5.3 is affected, but do not have a release with a fix.
CVE-2013-6712 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6712): The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
Are we ready for stabilization on all trees effected for this?
(In reply to Yury German from comment #5) > Are we ready for stabilization on all trees effected for this? Sure. Also, a fix for 5.3 has been released and is available in the tree.
Arches, please test and mark stable: =dev-lang/php-5.3.28 =dev-lang/php-5.4.23 =dev-lang/php-5.5.7 Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"
amd64 stable
x86 stable
ppc stable
ppc64 stable
sparc stable
(In reply to Agostino Sarubbo from comment #8) > amd64 stable What combination of USE flags allowed you to work around bug #494240?
arm stable
alpha stable
Bug 494240 prevented certain people from merging php-5.3.28. I committed a revbump that fixes this issue. If we could have this version stabilied, that would be much appreciated.
(In reply to Ole Markus With from comment #16) > Bug 494240 prevented certain people from merging php-5.3.28. I committed a > revbump that fixes this issue. If we could have this version stabilied, that > would be much appreciated. You'll need to add the arch aliases back, then. CC'ing ago had no effect. Stable for HPPA.
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
(In reply to Ole Markus With from comment #16) > Bug 494240 prevented certain people from merging php-5.3.28. I committed a > revbump that fixes this issue. If we could have this version stabilied, that > would be much appreciated. amd64 stable on that
Added to existing GLSA draft. Maintainer(s), please drop the vulnerable version(s).
Arches and Mainter(s), Thank you for your work.
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).