Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 581834 - <dev-lang/php-{5.5.35,5.6.21,7.0.6} - libgd: signedness vulnerability (CVE-2016-{3074,4537,4538,4539,4540,4541,4542,4543,4544})
Summary: <dev-lang/php-{5.5.35,5.6.21,7.0.6} - libgd: signedness vulnerability (CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks: 578734
  Show dependency tree
 
Reported: 2016-05-02 11:30 UTC by Zoltán Halassy
Modified: 2016-11-30 21:48 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Zoltán Halassy 2016-05-02 11:30:36 UTC
The security related bug exists actually in libgd 2.1.1, but PHP implemented a workaround for it.

Additionally, <PHP 7.0.6 is affected by CVE-2016-3078 .
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2016-05-03 20:15:09 UTC
@maintainers: Fixed in 5.5.35, 5.6.21, 7.0.6, please bump
Comment 2 Tomáš Mózes 2016-05-04 12:05:38 UTC
I've tested 7.0.6 just by copying 7.0.5, builds and works fine.
Comment 3 Michael Orlitzky gentoo-dev 2016-05-04 14:27:58 UTC
Oh COME ON we were ONE DAY away from getting a 7.x version of PHP stabilized. I just pushed the new versions. Gitweb isn't responding, but I did, I promise:

  commit 48d953fc98d7d35e55cee779860407fa57b3cd9b
  Author: Michael Orlitzky <mjo@gentoo.org>
  Date:   Wed May 4 08:26:50 2016 -0400

      dev-lang/php: version bump all three series with security fixes.

      Gentoo-Bug: 581834

      Package-Manager: portage-2.2.26
Comment 4 Tomáš Mózes 2016-05-04 16:18:03 UTC
(In reply to Michael Orlitzky from comment #3)
> Oh COME ON we were ONE DAY away from getting a 7.x version of PHP
> stabilized.

This situation is kind of tricky and keeps us in a magical ring. But, since we have vulnerable versions of 5.5 and 5.6 in the tree as well, cannot we just stabilize 7.0.5 and later 7.0.6?
Comment 5 Michael Orlitzky gentoo-dev 2016-05-04 16:28:50 UTC
(In reply to Tomáš Mózes from comment #4)
> (In reply to Michael Orlitzky from comment #3)
> > Oh COME ON we were ONE DAY away from getting a 7.x version of PHP
> > stabilized.
> 
> This situation is kind of tricky and keeps us in a magical ring. But, since
> we have vulnerable versions of 5.5 and 5.6 in the tree as well, cannot we
> just stabilize 7.0.5 and later 7.0.6?

Those will be removed as soon as possible... Brian also pointed out that we need to think about what extensions to stabilize at the same time as php:7.0. I was thinking that we could stabilize dev-lang/php:7.0 and then do the extensions one-at-a-time, but it looks like that might cause some breakage in the meantime.
Comment 6 Agostino Sarubbo gentoo-dev 2016-05-12 08:33:41 UTC
Arches, please test and mark stable:
=dev-lang/php-5.5.35
=dev-lang/php-5.6.21
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2016-05-12 10:26:33 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-05-12 10:27:05 UTC
x86 stable
Comment 9 Tomáš Mózes 2016-05-12 11:00:44 UTC
(In reply to Michael Orlitzky from comment #5)
> I was thinking that we could stabilize dev-lang/php:7.0 and then do
> the extensions one-at-a-time, but it looks like that might cause some
> breakage in the meantime.

What breakage do you mean? I also thought about stabilizing 7.0 and then the extensions.
Comment 10 Jeroen Roovers gentoo-dev 2016-05-13 13:57:27 UTC
Stable for PPC64.
Comment 11 Jeroen Roovers gentoo-dev 2016-05-14 08:14:06 UTC
Stable for HPPA.
Comment 12 Markus Meier gentoo-dev 2016-05-19 18:27:38 UTC
arm stable
Comment 13 Tobias Klausmann gentoo-dev 2016-05-21 11:33:33 UTC
Stable on alpha.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 11:33:14 UTC
CVE-2016-4544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4544):
  The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before
  5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF
  start data, which allows remote attackers to cause a denial of service
  (out-of-bounds read) or possibly have unspecified other impact via crafted
  header data.

CVE-2016-4543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4543):
  The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before
  5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD
  sizes, which allows remote attackers to cause a denial of service
  (out-of-bounds read) or possibly have unspecified other impact via crafted
  header data.

CVE-2016-4542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4542):
  The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35,
  5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct
  spprintf arguments, which allows remote attackers to cause a denial of
  service (out-of-bounds read) or possibly have unspecified other impact via
  crafted header data.

CVE-2016-4541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4541):
  The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP
  before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
  attackers to cause a denial of service (out-of-bounds read) or possibly have
  unspecified other impact via a negative offset.

CVE-2016-4540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4540):
  The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP
  before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
  attackers to cause a denial of service (out-of-bounds read) or possibly have
  unspecified other impact via a negative offset.

CVE-2016-4539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4539):
  The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35,
  5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a
  denial of service (buffer under-read and segmentation fault) or possibly
  have unspecified other impact via crafted XML data in the second argument,
  leading to a parser level of zero.

CVE-2016-4538 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4538):
  The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x
  before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without
  considering whether they are copies of the _zero_, _one_, or _two_ global
  variable, which allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted call.

CVE-2016-4537 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4537):
  The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x
  before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale
  argument, which allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted call.

CVE-2016-3074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074):
  Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2)
  allows remote attackers to cause a denial of service (crash) or potentially
  execute arbitrary code via crafted compressed gd2 data, which triggers a
  heap-based buffer overflow.
Comment 15 Agostino Sarubbo gentoo-dev 2016-07-08 08:19:17 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-07-08 08:43:37 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-07-08 13:30:00 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 18 Michael Orlitzky gentoo-dev 2016-07-09 14:23:53 UTC
The vulnerable versions have been removed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94e4793bd629845d3fb829defc4e276aae5b210d
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-10 00:15:16 UTC
Added to existing GLSA.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:48:33 UTC
This issue was resolved and addressed in
 GLSA 201611-22 at https://security.gentoo.org/glsa/201611-22
by GLSA coordinator Aaron Bauman (b-man).