Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 533998 (CVE-2014-9425) - <dev-lang/php-{5.4.37,5.5.21,5.6.5}: Multiple Vulnerabilities (CVE-{2014-9425},{2015-{0231,0232}})
Summary: <dev-lang/php-{5.4.37,5.5.21,5.6.5}: Multiple Vulnerabilities (CVE-{2014-9425...
Status: RESOLVED FIXED
Alias: CVE-2014-9425
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 538756
Blocks:
  Show dependency tree
 
Reported: 2014-12-30 09:52 UTC by Agostino Sarubbo
Modified: 2015-04-18 22:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-30 09:52:25 UTC
From ${URL} :

I found a double-free in PHP: https://bugs.php.net/bug.php?id=68676

And it has been patched in the following commits:

http://git.php.net/?p=php-src.git;a=commit;h=2bcf69d073190e4f032d883f3416dea1b027a39e
http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb
http://git.php.net/?p=php-src.git;a=commit;h=fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6

It has existed since 2002.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-31 13:52:01 UTC
CVE-2014-9425 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9425):
  Double free vulnerability in the zend_ts_hash_graceful_destroy function in
  zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through
  5.6.4 allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via unknown vectors.
Comment 2 Tomáš Mózes 2015-01-23 07:03:39 UTC
Versions 5.5.21 and 5.6.5 are out fixing this issue. Plus more CVEs and fixes for 5.4 branch.
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2015-01-23 13:58:22 UTC
(In reply to Tomas Mozes from comment #2)
> Versions 5.5.21 and 5.6.5 are out fixing this issue. Plus more CVEs and
> fixes for 5.4 branch.

Ebuilds are out too. Go ahead with stabilisation if you want.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-01-24 01:01:36 UTC
Arches, please test and mark stable:

=dev-lang/php-5.4.37
=dev-lang/php-5.5.21

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

Thank you!
Comment 5 Jeroen Roovers gentoo-dev 2015-01-25 09:42:40 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-01-25 11:13:50 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-25 11:14:40 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-01-31 10:33:29 UTC
ppc stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-01-31 22:25:08 UTC
CVE-2015-0232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0232):
  The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37,
  5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to
  execute arbitrary code or cause a denial of service (uninitialized pointer
  free and application crash) via crafted EXIF data in a JPEG image.

CVE-2015-0231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0231):
  Use-after-free vulnerability in the process_nested_data function in
  ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21,
  and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via
  a crafted unserialize call that leverages improper handling of duplicate
  numerical keys within the serialized properties of an object.  NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2014-8142.
Comment 10 Markus Meier gentoo-dev 2015-02-01 21:04:53 UTC
arm stable
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-04 06:34:04 UTC
Note:
Dependency on Bug #538756 is for cleanup only, it does not affect stabilization.
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-16 10:21:40 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-02-18 08:50:47 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-02-23 11:39:29 UTC
ia64 stable
Comment 15 Tobias Klausmann gentoo-dev 2015-02-23 18:47:29 UTC
Stable on alpha.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-24 00:44:33 UTC
Arches and Maintainer(s), Thank you for your work.
Added to existing GLSA request.

Maintainer(s), please drop the vulnerable version(s), when the Dependency is satisfied.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:38:17 UTC
This issue was resolved and addressed in
 GLSA 201503-03 at http://security.gentoo.org/glsa/glsa-201503-03.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-16 03:48:34 UTC
Re-Opening for Cleanup. Vulnerable Versions in Tree.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-18 22:17:43 UTC
Maintainer(s), Thank you for you for cleanup.

Closing