Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 594498 (CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7416, CVE-2016-7417, CVE-2016-7418) - <dev-lang/php-5.6.26: Multiple vulnerabilities
Summary: <dev-lang/php-5.6.26: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7416, CVE-2016-7417, CVE-2016-7418
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.php.net/ChangeLog-5.php#5....
Whiteboard: A2 [glsa cve cleanup]
Keywords:
Depends on:
Blocks: CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7133, CVE-2016-7134
  Show dependency tree
 
Reported: 2016-09-20 10:58 UTC by Agostino Sarubbo
Modified: 2016-11-30 21:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-20 10:58:27 UTC 
From ${URL} :

Fixed bug #73007 (add locale length check). (CVE-2016-7416)
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields). (CVE-2016-7412)
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile). (CVE-2016-7414)
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
Fixed bug #73029 (Missing type check when unserializing SplArray). (CVE-2016-7417)
Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction). (CVE-2016-7411)
Fixed bug #72860 (wddx_deserialize use-after-free). (CVE-2016-7413)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (CVE-2016-7418)




@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-09-20 19:57:55 UTC 
Arches please stabilize:
=dev-lang/php-5.6.26
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-21 12:31:33 UTC 
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2016-09-21 13:18:38 UTC 
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-23 04:46:48 UTC 
Stable for HPPA.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-24 07:06:42 UTC 
Stable for PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-29 08:43:36 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:38:36 UTC 
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 12:39:30 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:15:21 UTC 
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 13:31:56 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2016-10-31 05:50:46 UTC 
Maintainer(s), please drop the vulnerable version(s).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:49:06 UTC 
This issue was resolved and addressed in
 GLSA 201611-22 at https://security.gentoo.org/glsa/201611-22
by GLSA coordinator Aaron Bauman (b-man).