Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 562882 (CVE-2015-7803) - <dev-lang/php-{5.5.30,5.6.14}: two vulnerabilities (CVE-2015-{7803,7804})
Summary: <dev-lang/php-{5.5.30,5.6.14}: two vulnerabilities (CVE-2015-{7803,7804})
Status: RESOLVED FIXED
Alias: CVE-2015-7803
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-12 07:43 UTC by Agostino Sarubbo
Modified: 2016-06-19 00:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-10-12 07:43:48 UTC
From ${URL} :

Hi, the changelog for PHP 5.6.14 and 5.5.30 lists these two issues that
have a security impact:

Null pointer dereference in phar_get_fp_offset()
https://bugs.php.net/bug.php?id=69720

Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"
https://bugs.php.net/bug.php?id=70433

Both result in a crash


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2015-10-28 13:41:03 UTC
Arches, please test and mark stable:
=dev-lang/php-5.5.30
=dev-lang/php-5.6.14
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Agostino Sarubbo gentoo-dev 2015-10-28 14:22:33 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-10-28 14:22:59 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-29 06:42:20 UTC
Stable for PPC64.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-29 07:16:36 UTC
Stable for HPPA.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2015-11-01 13:30:37 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2015-11-04 14:38:39 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-05 11:00:33 UTC
sparc stable
Comment 9 Markus Meier gentoo-dev 2015-11-05 21:01:08 UTC
arm stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-11-07 23:59:10 UTC
ia64 stable
Comment 11 Michael Orlitzky gentoo-dev 2015-11-19 01:26:20 UTC
I've removed the affected versions, php-5.5.29 and php-5.6.13.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-12-21 19:49:00 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 00:27:44 UTC
This issue was resolved and addressed in
 GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10
by GLSA coordinator Kristian Fiskerstrand (K_F).