573892 – <dev-lang/php-{5.5.32,5.6.18,7.0.3}: Multiple vulnerabilities

Bug 573892 - <dev-lang/php-{5.5.32,5.6.18,7.0.3}: Multiple vulnerabilities

Summary: <dev-lang/php-{5.5.32,5.6.18,7.0.3}: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa]
Keywords:

Depends on:	577376
Blocks:	574238
	Show dependency tree

Reported:	2016-02-05 06:01 UTC by Tomáš Mózes
Modified:	2016-06-19 00:27 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tomáš Mózes 2016-02-05 06:01:51 UTC

Version 5.6.18 04 Feb 2016

    Core:
        Fixed bug #71039 (exec functions ignore length but look for NULL termination).
        Fixed bug #71089 (No check to duplicate zend_extension).
        Fixed bug #71201 (round() segfault on 64-bit builds).
        Added support for new HTTP 451 code.
        Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash).
        Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
        Fixed bug #71459 (Integer overflow in iptcembed()).
    Apache2handler:
        Fix >2G Content-Length headers in apache2handler.
    FTP:
        Implemented FR #55651 (Option to ignore the returned FTP PASV address).
    Opcache:
        Fixed bug #71127 (Define in auto_prepend_file is overwrite).
        Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).
    PCRE:
        Upgraded bundled PCRE library to 8.38.
    Phar:
        Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
        Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
        Fixed bug #71488 (Stack overflow when decompressing tar archives).
    Session:
        Fixed bug #69111 (Crash in SessionHandler::read()).
    SOAP:
        Fixed bug #70979 (crash with bad soap request).
    SPL:
        Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading).
    WDDX:
        Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).


Version 5.5.32 04 Feb 2016

    Core:
        Fixed bug #71039 (exec functions ignore length but look for NULL termination).
        Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
        Fixed bug #71459 (Integer overflow in iptcembed()).
    GD:
        Improved the fix for bug #70976.
    PCRE:
        Upgraded pcrelib to 8.38.
    Phar:
        Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
        Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
        Fixed bug #71488 (Stack overflow when decompressing tar archives).
    WDDX:
        Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).

Comment 1 Michael Orlitzky gentoo-dev

2016-02-05 15:24:50 UTC

Thanks, let's include php-7.0.3 in this too:

http://www.php.net/ChangeLog-7.php#7.0.3

Comment 2 Michael Orlitzky gentoo-dev

2016-02-05 18:28:37 UTC

Fixed versions are in the tree:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1bd543020b616c0cec56007ee7b2c3c4900b9f7

Comment 3 Tomáš Mózes 2016-02-05 20:30:46 UTC

Thank you Michael.

Comment 4 Mike Limansky 2016-02-09 09:50:27 UTC

I'm using 5.6.18 for several days on production server. Works fine for me. Any plans for stabilization?

Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-02-09 11:18:06 UTC

Arches, please stabilize: 
=dev-lang/php-5.5.32
stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=dev-lang/php-5.6.18
stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 6 Mikle Kolyada (RETIRED) archtester

2016-02-09 11:48:28 UTC

no

>>> Creating Manifest for /home/zlogene/gentoo/dev-lang/php                                                                                                                                                                                  
  dependency.bad [fatal]        28
   dev-lang/php/php-5.6.18.ebuild: DEPEND: amd64(default/linux/amd64/13.0)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: RDEPEND: amd64(default/linux/amd64/13.0)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop/gnome)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop/gnome/systemd)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome/systemd)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop/kde)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/kde)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop/kde/systemd)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']
   dev-lang/php/php-5.6.18.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/kde/systemd)
['>=app-eselect/eselect-php-0.9.1[apache2?,fpm?]']

Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-02-09 12:57:23 UTC

(In reply to Kristian Fiskerstrand from comment #5)
> Arches, please stabilize: 
> =dev-lang/php-5.5.32
> stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> 
> =dev-lang/php-5.6.18
> stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

this also requires 
=app-eselect/eselect-php-0.9.1
stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 8 Michael Orlitzky gentoo-dev

2016-02-09 13:06:36 UTC

(In reply to Kristian Fiskerstrand from comment #7)
> 
> this also requires 
> =app-eselect/eselect-php-0.9.1
> stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Yeah, sorry -- I fixed two bugs in revisions of 5.6.17 and 7.0.2 by adding calls to "eselect cleanup..." in pkg_postinst(). To do that I wanted to be sure I had a version of eselect-php that I trust to cleanup.

Stabilizing eselect-php-0.9.1 is going to introduce the -DPHP change to stable users, but,

  1) It's going to happen eventually.

  2) I believe we're fully backwards compatible now (see the news item discussion on -dev).

So all things considered, I think eselect-php-0.9.1 can be stabilized too. I would have liked it to sit in ~arch a little longer, but find me 30 days where PHP doesn't have a security bug...

Comment 9 Tobias Klausmann (RETIRED) gentoo-dev

2016-02-09 15:41:06 UTC

Stable on alpha.

Comment 10 Agostino Sarubbo gentoo-dev

2016-02-11 12:28:04 UTC

amd64 stable

Comment 11 Jeroen Roovers (RETIRED) gentoo-dev

2016-02-12 07:24:04 UTC

Stable for HPPA PPC64.

Comment 12 Aaron Bauman (RETIRED) gentoo-dev

2016-03-14 11:53:06 UTC

@arches, please stabilize.

Comment 13 Agostino Sarubbo gentoo-dev

2016-03-15 17:40:03 UTC

x86 stable

Comment 14 Agostino Sarubbo gentoo-dev

2016-03-16 14:10:09 UTC

ppc stable

Comment 15 Agostino Sarubbo gentoo-dev

2016-03-19 12:29:42 UTC

sparc stable

Comment 16 Agostino Sarubbo gentoo-dev

2016-03-20 12:25:59 UTC

ia64 stable

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2016-06-19 00:27:59 UTC

This issue was resolved and addressed in
 GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10
by GLSA coordinator Kristian Fiskerstrand (K_F).