624052 – <dev-lang/php-{5.6.31, 7.0.21}: Multiple vulnerabilities

Bug 624052 - <dev-lang/php-{5.6.31, 7.0.21}: Multiple vulnerabilities

Summary: <dev-lang/php-{5.6.31, 7.0.21}: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:	CVE-2017-11628
	Show dependency tree

Reported:	2017-07-06 19:49 UTC by Christopher Díaz Riveros (RETIRED)
Modified:	2017-09-24 12:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	dev-lang/php-5.6.31 dev-lang/php-7.0.21
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-06 19:49:52 UTC

from $URL:

issues fixed in PHP at the moment

#73807 Performance problem with processing post request over 2000000 chars
https://bugs.php.net/bug.php?id=73807
http://git.php.net/?p=php-src.git;a=commitdiff;h=0f8cf3b8497dc45c010c44ed9e96518e11e19fc3

#74145 wddx parsing empty boolean tag leads to SIGSEGV
https://bugs.php.net/bug.php?id=74145
http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9

#74651 negative-size-param (-1) in memcpy in zif_openssl_seal()
https://bugs.php.net/bug.php?id=74651
http://git.php.net/?p=php-src.git;a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6

#74819 wddx_deserialize() heap out-of-bound read via php_parse_date()
https://bugs.php.net/bug.php?id=74819
PHP 5.6 -
http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
PHP 7.0  -
http://git.php.net/?p=php-src.git;a=commitdiff;h=6b18d956de38ecd8913c3d82ce96eb0368a1f9e5

Also, requests from past releases:

PHP 5.6.28 + 7.0.13
#73192 parse_url return wrong hostname
https://bugs.php.net/bug.php?id=73192
http://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4

5.6.30 + 7.0.15
#73773 Seg fault when loading hostile phar
https://bugs.php.net/bug.php?id=73773
http://git.php.net/?p=php-src.git;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451

Comment 1 Brian Evans (RETIRED) gentoo-dev

2017-07-07 14:55:58 UTC

Arches, Please test and mark stable

Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev

2017-07-08 11:14:29 UTC

ia64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2017-07-12 08:17:54 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2017-07-12 08:18:45 UTC

x86 stable

Comment 5 Tobias Klausmann (RETIRED) gentoo-dev

2017-07-16 11:14:01 UTC

Stable on alpha.

Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-21 03:39:17 UTC

Thanks ago,klausman and slyfox any news from hppa, sparc, ppc and ppc64?

Comment 7 Markus Meier gentoo-dev

2017-07-25 18:51:55 UTC

arm stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2017-07-30 18:47:26 UTC

ppc/ppc64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-07 09:26:29 UTC

ia64 stable (tested by Dakon)

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-07 19:26:00 UTC

> ia64 stable (tested by Dakon)
My apologies. Meant to write "sparc stable (tested by Dakon)"

Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-23 14:03:11 UTC

hppa stable \o/

Last arch is done here.

Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-23 14:18:27 UTC

Thank you all,

@Maintainers, please proceed to clean the tree from vulnerable versions.

@Security please vote.

Gentoo Security Padawan
ChrisADR

Comment 13 Michael Orlitzky gentoo-dev

2017-09-24 11:13:04 UTC

The vulnerable versions are gone.

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2017-09-24 12:39:34 UTC

GLSA Vote: No