From ${URL} : It was reported[1] to the full-disclosure mailing list that PHP's configure script uses a predictable filename in /tmp/, "/tmp/phpglibccheck". A local attacker could use this flaw to perform a symbolic link attack against a user building the source RPM or running the configure script. [1] http://seclists.org/fulldisclosure/2014/Jun/21 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This issue has been assigned CVE-2014-3981 [0]. An initial commit to attempt to fix this issue is found in [1]; however, note RedHat's comment regarding the quality of it in [2]. As far as I know this has still not been included in any released version. References: [0] http://seclists.org/oss-sec/2014/q2/483 [1] http://git.php.net/?p=php-src.git;a=commitdiff;h=91bcadd [2] https://bugzilla.redhat.com/show_bug.cgi?id=1104978#c4
Ebuild for this one has been committed and can be stabilised
Thanks Ole. This issue is reported as fixed in 5.4.30 and 5.5.14, now included in the tree.
Arches, please test and mark stable: =dev-lang/php-5.4.30 =dev-lang/php-5.5.14 Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" Thank you!
CVE-2014-3981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3981): acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
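Added example, not part of the original bug thread and not PHP's build code: a shell check that flags fixed file names under /tmp in a build script (the pattern CVE-2014-3981 describes) next to a mktemp-based scratch directory that avoids it. The function names and the sample script lines are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample script content are constructed.

# Report "lineno:text" for each line that hard-codes a file name under /tmp.
# Lines that obtain the name from mktemp are treated as safe and skipped.
find_fixed_tmp_paths() {
    grep -nE '/tmp/[[:alnum:]_.-]+' "$1" | grep -v 'mktemp' || true
}

# Create a private scratch directory and print its path. mktemp -d picks an
# unpredictable name, fails if the name already exists, and creates the
# directory with mode 0700, so another local user cannot pre-plant a symlink
# at the path the build is about to write to.
make_scratch_dir() {
    mktemp -d "${TMPDIR:-/tmp}/conftest.XXXXXX"
}

# Constructed sample of a configure-style fragment: line 1 writes to a fixed,
# guessable name; lines 2-4 do the same work inside a mktemp directory.
write_sample() {
    cat > "$1" <<'EOF'
echo "probe" > /tmp/phpglibccheck
scratch=$(mktemp -d /tmp/conftest.XXXXXX)
echo "probe" > "$scratch/glibccheck"
rm -rf "$scratch"
EOF
}

# Demo: audit the constructed sample, then show the safe pattern in use.
sample=$(mktemp)
write_sample "$sample"
echo "Fixed /tmp names found:"
find_fixed_tmp_paths "$sample"
rm -f "$sample"

dir=$(make_scratch_dir)
echo "probe" > "$dir/glibccheck"   # same write, now inside a private directory
rm -rf "$dir"
```

The same check can be pointed at a generated `configure` or an `.m4` file before building as a privileged or shared-host user.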
amd64 stable
Stable for HPPA.
arm stable
x86 stable
alpha stable
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
Arches, thank you for your work. Maintainer(s), please drop the vulnerable version(s). Added to existing GLSA Request.
@maintainers: thanks for cleanup
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).