Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 606626 (CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161) - <dev-lang/php-5.6.30: multiple vulnerabilities
Summary: <dev-lang/php-5.6.30: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.php.net/ChangeLog-5.php#5....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-9935
  Show dependency tree
 
Reported: 2017-01-20 17:07 UTC by Michael Orlitzky
Modified: 2017-02-21 00:33 UTC (History)
0 users

See Also:
Package list:
=dev-lang/php-5.6.30
Runtime testing required: Yes
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-01-20 17:07:41 UTC
I don't see any CVEs for this yet, but the following stand out in the changelog.

  Phar:
    Fixed bug #73764 (Crash while loading hostile phar archive).
    Fixed bug #73768 (Memory corruption when loading hostile phar).
    Fixed bug #73773 (Seg fault when loading hostile phar).

The fixed v5.6.30 is already in the tree and can be stabilized.

The unstable 7.0 and 7.1 series also got new security releases. The 7.1 version isn't marked as such, but looking at e.g. PHP bug 73831, it should have been. In any case, since they were both unstable, I dropped the old versions immediately.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-28 07:44:29 UTC
@arches, please stabilize.
Comment 2 Tobias Klausmann gentoo-dev 2017-01-28 19:54:09 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-29 13:56:11 UTC
amd64 stable
Comment 4 Jeroen Roovers gentoo-dev 2017-01-29 20:30:33 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-31 11:44:21 UTC
x86 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-02-08 07:28:16 UTC
ppc stable
Comment 7 Markus Meier gentoo-dev 2017-02-12 20:05:23 UTC
arm stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-02-13 01:36:24 UTC
Already added to existing GLSA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-17 10:58:12 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-18 14:45:51 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 11 Michael Orlitzky gentoo-dev 2017-02-18 16:23:19 UTC
(In reply to Agostino Sarubbo from comment #10)
> 
> Maintainer(s), please cleanup.

Done.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:33:38 UTC
This issue was resolved and addressed in
 GLSA 201702-29 at https://security.gentoo.org/glsa/201702-29
by GLSA coordinator Thomas Deutschmann (whissi).