From https://bugzilla.redhat.com/show_bug.cgi?id=1154503:

An out-of-bounds read flaw was found in PHP's mkgmtime() function. This could possibly cause the PHP interpreter to crash. This issue has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
https://bugs.php.net/bug.php?id=68027
http://php.net/ChangeLog-5.php

From https://bugzilla.redhat.com/show_bug.cgi?id=1154502:

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code. This issue has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
https://bugs.php.net/bug.php?id=68113
http://php.net/ChangeLog-5.php

From https://bugzilla.redhat.com/show_bug.cgi?id=1154500:

An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure. It is not clear if code execution is possible or not. It was reported that this issue only affects 32-bit systems. It has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159
https://bugs.php.net/bug.php?id=68044
http://php.net/ChangeLog-5.php

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Please go ahead with stabilisation.
I've tested 5.4.34 and 5.5.18 on amd64 (about 15 servers), both seem to work fine.
Arches, please test and mark stable:
=dev-lang/php-5.4.34
=dev-lang/php-5.5.18
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
sparc stable
Stable on alpha.
arm stable
ppc stable
ppc64 stable
ia64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
GLSA is being drafted.
CVE-2014-3670 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3670):
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.

CVE-2014-3669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3669):
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.

CVE-2014-3668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3668):
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation.
This issue was resolved and addressed in GLSA 201411-04 at http://security.gentoo.org/glsa/glsa-201411-04.xml by GLSA coordinator Sean Amoss (ackle).
How is it possible that according to "glsa-check -l" I'm affected by those two GLSAs when my php installations are up to date?

# glsa-check -l affected
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201408-11 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
201411-04 [N] PHP: Multiple vulnerabilities ( dev-lang/php )

# equery l php
 * Searching for php ...
[IP-] [  ] dev-lang/php-5.4.36:5.4
[IP-] [  ] dev-lang/php-5.5.20:5.5

Kind regards
(In reply to Timo Eissler from comment #16)
> How is it possible that according to "glsa-check -l" I'm affected by those
> two GLSAs when my php installations are up to date?

This has to do with the way GLSAmake works without supporting slots, so a GLSA needs to retroactively be updated to add versions not vulnerable if not using the latest slot. Please file a new bug about it under Gentoo Security with component GLSA errors.

Some more detailed info specific to this case for your benefit (you can look this up in the glsa xml in /usr/portage/metadata/glsa):

<unaffected range="ge">5.5.16</unaffected>
<unaffected range="rge">5.4.32</unaffected>
<unaffected range="rge">5.3.29</unaffected>
<unaffected range="rge">5.4.34</unaffected>
<vulnerable range="lt">5.5.16</vulnerable>

I.e. anything below 5.5.16 is by default vulnerable according to its definition, but there are added exceptions for *>= (rge, i.e. it ignores revision bumps after this version) for 5.4.32 and 5.4.34; the fix in this specific case is for us to add further 5.4 versions (e.g. up to 5.4.40) to the list of unaffected packages. Anyhow, open a new bug about it and we'll get to it.
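To make the range semantics in the reply above concrete, here is an added example (written for this thread, not gentoolkit's own glsa.py) that models how the quoted unaffected/vulnerable ranges are evaluated against installed versions. It assumes the simplified semantics described in the comment: "ge" and "lt" compare whole versions, while "rge" only matches revision bumps (-rN) of the listed version and nothing else. The range list and the version strings 5.4.36, 5.5.20 and 5.4.34-r2 are constructed from the values in this thread; the helper that appends extra rge entries is a hypothetical stand-in for the erratum the reply says needs to be filed.

```python
"""Simplified model of glsa-check range matching (added example, not gentoolkit code).

Semantics assumed here, following the explanation in the thread:
  ge  - installed version >= listed version (full comparison)
  lt  - installed version <  listed version (full comparison)
  rge - same base version as listed, any revision >= the listed revision
"""
import re

# Constructed from the glsa-201411-04 ranges quoted in the reply above.
RANGES = [
    ("unaffected", "ge", "5.5.16"),
    ("unaffected", "rge", "5.4.32"),
    ("unaffected", "rge", "5.3.29"),
    ("unaffected", "rge", "5.4.34"),
    ("vulnerable", "lt", "5.5.16"),
]

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(v):
    """'5.4.34-r1' -> ((5, 4, 34), 1); a missing -rN suffix counts as revision 0."""
    m = _VER_RE.match(v)
    if not m:
        raise ValueError("unsupported version syntax: %r" % v)
    base = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return base, rev


def range_matches(op, range_ver, installed):
    """True if the installed version falls inside one <unaffected>/<vulnerable> element."""
    rbase, rrev = parse_version(range_ver)
    ibase, irev = parse_version(installed)
    if op == "ge":
        return (ibase, irev) >= (rbase, rrev)
    if op == "lt":
        return (ibase, irev) < (rbase, rrev)
    if op == "rge":
        # Revision-only range: 5.4.34-r2 matches rge 5.4.34, but 5.4.36 does not.
        return ibase == rbase and irev >= rrev
    raise ValueError("unsupported range operator: %r" % op)


def matching_ranges(installed, ranges=RANGES):
    """List the (kind, op, version) entries an installed version matches, for explaining a result."""
    return [r for r in ranges if range_matches(r[1], r[2], installed)]


def glsa_status(installed, ranges=RANGES):
    """'U' if any unaffected range covers the version, 'N' if only a vulnerable range does.

    This mirrors the [U]/[N] markers printed by glsa-check in the question above.
    """
    hits = matching_ranges(installed, ranges)
    if any(kind == "unaffected" for kind, _, _ in hits):
        return "U"
    if any(kind == "vulnerable" for kind, _, _ in hits):
        return "N"
    return "U"


def with_extra_unaffected(ranges, versions):
    """Hypothetical erratum: return a copy of the ranges with rge entries for extra fixed versions."""
    return list(ranges) + [("unaffected", "rge", v) for v in versions]


if __name__ == "__main__":
    for v in ("5.4.36", "5.5.20", "5.4.34-r2"):
        print(v, glsa_status(v), matching_ranges(v))
    # After an erratum adds rge 5.4.36, the 5.4 slot stops being flagged.
    fixed = with_extra_unaffected(RANGES, ["5.4.36"])
    print("5.4.36 after erratum:", glsa_status("5.4.36", fixed))
```

Running it shows why the 5.4 slot is flagged: 5.4.36 satisfies the "lt 5.5.16" vulnerable range and is not caught by "rge 5.4.34", which only covers revisions of 5.4.34 itself, whereas 5.5.20 is cleared by "ge 5.5.16". Appending an rge entry for the newer 5.4 version is exactly the kind of retroactive GLSA update the reply describes.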