Upstream pecl-http 3.0.1 fixes a buffer overflow, see:
dev-php/pecl-http-3.0.1 (in slot 7) and dev-php/pecl-http-2.5.6 (in slot 2) were added to the tree.
It is unclear if the pecl-http-1.x (slot 0) is affected since that code base was abandoned and newer versions are basically a rewrite.
The Proof of Concept file is gone from the PHP security bug so I am unable to test it.
Just noticed the proof of concept file was put as a test in the new version.
I cannot get dev-php/pecl-http-1.7.6-r3 to segfault with 5.5 and the provided file and adjusted script. gdb runs clean in my limited testing.
@ Brian: OK. Thanks for testing. And now that PHP 5.5 is EOL and doesn't get sec fixes anymore it wouldn't really matter.
please test and mark stable: =dev-php/pecl-http-2.5.6
Stable target(s): amd64 x86
As a reminder to arches, two dependencies must be stabled together with dev-php/pecl-http-2.5.6
Target keywords and packages:
=dev-php/pecl-raphf-1.1.2 amd64 x86
=dev-php/pecl-propro-1.0.2 amd64 x86
=dev-php/pecl-http-2.5.6 amd64 x86
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
The 1.x versions of pecl-http were slated for removal anyway, so I've cleaned them up, even if they aren't in fact vulnerable (comment #2).
This issue was resolved and addressed in
GLSA 201612-17 at https://security.gentoo.org/glsa/201612-17
by GLSA coordinator Aaron Bauman (b-man).