Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 503670 (CVE-2013-7327) - <dev-lang/php-5.5.10: multiple vulnerabilities (CVE-2013-7327, CVE-2014-{1943,2270})
Summary: <dev-lang/php-5.5.10: multiple vulnerabilities (CVE-2013-7327, CVE-2014-{1943...
Status: RESOLVED FIXED
Alias: CVE-2013-7327
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://php.net/archive/2014.php#id20...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-06 21:53 UTC by Hanno Böck
Modified: 2014-08-31 11:27 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2014-03-06 21:53:59 UTC
PHP upstream has released version 5.5.10 fixing multiple vulnerabilities.

"The PHP development team announces the immediate availability of PHP 5.5.10. Several bugs were fixed in this release, including security issues related to CVEs. CVE-2014-1943, CVE-2014-2270 and CVE-2013-7327 have been addressed in this release. We recommand all PHP 5.5 users to upgrade to this version."
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-03-13 15:52:08 UTC
Removing some of the CVE's as they are part of different Security Bugs:
CVE-2014-1943 - Bug 501574
CVE-2014-2270 - Bug 503630 - undergoing Stabilization.

Stabilization to dev-lang/php.5.5.10 is happening now as part of Bug 503630 (setting dependency)

CVE Content:
CVE-2014-1943:
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.

CVE-2014-1943
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-03-24 22:16:09 UTC
Bug 503630 is stabilized 

Added to existing GLSA Request.

Waiting on cleanup as part of 503630.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-15 04:07:28 UTC
Maintainer(s), Thank you for cleanup!
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:27:18 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).