Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624052 - <dev-lang/php-{5.6.31, 7.0.21}: Multiple vulnerabilities
Summary: <dev-lang/php-{5.6.31, 7.0.21}: Multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Blocks: CVE-2017-11628
  Show dependency tree
Reported: 2017-07-06 19:49 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-09-24 12:39 UTC (History)
1 user (show)

See Also:
Package list:
dev-lang/php-5.6.31 dev-lang/php-7.0.21
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-06 19:49:52 UTC
from $URL:

issues fixed in PHP at the moment

#73807 Performance problem with processing post request over 2000000 chars;a=commitdiff;h=0f8cf3b8497dc45c010c44ed9e96518e11e19fc3

#74145 wddx parsing empty boolean tag leads to SIGSEGV;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9

#74651 negative-size-param (-1) in memcpy in zif_openssl_seal();a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6

#74819 wddx_deserialize() heap out-of-bound read via php_parse_date()
PHP 5.6 -;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
PHP 7.0  -;a=commitdiff;h=6b18d956de38ecd8913c3d82ce96eb0368a1f9e5

Also, requests from past releases:

PHP 5.6.28 + 7.0.13
#73192 parse_url return wrong hostname;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4

5.6.30 + 7.0.15
#73773 Seg fault when loading hostile phar;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2017-07-07 14:55:58 UTC
Arches, Please test and mark stable
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-08 11:14:29 UTC
ia64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-07-12 08:17:54 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-07-12 08:18:45 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-16 11:14:01 UTC
Stable on alpha.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 03:39:17 UTC
Thanks ago,klausman and slyfox any news from hppa, sparc, ppc and ppc64?
Comment 7 Markus Meier gentoo-dev 2017-07-25 18:51:55 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-30 18:47:26 UTC
ppc/ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-07 09:26:29 UTC
ia64 stable (tested by Dakon)
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-07 19:26:00 UTC
> ia64 stable (tested by Dakon)
My apologies. Meant to write "sparc stable (tested by Dakon)"
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 14:03:11 UTC
hppa stable \o/

Last arch is done here.
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-23 14:18:27 UTC
Thank you all,

@Maintainers, please proceed to clean the tree from vulnerable versions.

@Security please vote.

Gentoo Security Padawan
Comment 13 Michael Orlitzky gentoo-dev 2017-09-24 11:13:04 UTC
The vulnerable versions are gone.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-24 12:39:34 UTC
GLSA Vote: No