Bug 587466 (CVE-2016-5873) - <dev-php/pecl-http-{2.5.6,3.0.1}: Buffer overflow in URL parsing (CVE-2016-5873)
Alias: CVE-2016-5873
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2016-06-29 06:59 UTC by Hanno Böck
Modified: 2016-12-07 10:30 UTC

See Also:
Package list:
Runtime testing required: ---


Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2016-07-14 18:35:37 UTC
dev-php/pecl-http-3.0.1 (in slot 7) and dev-php/pecl-http-2.5.6 (in slot 2) were added to the tree.

It is unclear if the pecl-http-1.x (slot 0) is affected since that code base was abandoned and newer versions are basically a rewrite.

The Proof of Concept file is gone from the PHP security bug so I am unable to test it.
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2016-07-14 19:05:23 UTC
Just noticed the proof of concept file was put as a test in the new version.

I cannot get dev-php/pecl-http-1.7.6-r3 to segfault with 5.5 and the provided file and adjusted script. gdb runs clean in my limited testing.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-19 01:43:05 UTC
@ Brian: OK. Thanks for testing. And now that PHP 5.5 is EOL and doesn't get sec fixes anymore it wouldn't really matter.

@ Arches,

please test and mark stable: =dev-php/pecl-http-2.5.6

Stable target(s): amd64 x86
Comment 4 Brian Evans Gentoo Infrastructure gentoo-dev 2016-11-19 02:16:23 UTC
As a reminder to arches, two dependencies must be stabled together with dev-php/pecl-http-2.5.6

Target keywords and packages:

=dev-php/pecl-raphf-1.1.2 amd64 x86
=dev-php/pecl-propro-1.0.2 amd64 x86
=dev-php/pecl-http-2.5.6 amd64 x86
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-19 13:54:36 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-19 13:56:56 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Michael Orlitzky gentoo-dev 2016-11-24 02:04:10 UTC
The 1.x versions of pecl-http were slated for removal anyway, so I've cleaned them up, even if they aren't in fact vulnerable (comment #2).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:30:59 UTC
This issue was resolved and addressed in
 GLSA 201612-17 at
by GLSA coordinator Aaron Bauman (b-man).