A stack buffer overflow exists in the latest stable release of PHP-7.1.5 and PHP-5.6.30 in PHP INI parsing API, which may accept network / local filesystem input. On malformed inputs, a stack buffer overflow in zend_ini_do_op() could write 1-byte off a fixed size stack buffer. On installations with the stack smashing mitigation, this would cause an immediate DoS; up to optimization levels, build options and stack buffer overflow mitigations, this vulnerability may allow corrupting other local variables or the frame pointer, potentially allows remotely executing code.
Please confirm that this fix is in =dev-lang/php-7.0.23 as being stabilized as part of bug 629452
(In reply to Yury German from comment #1)
> Please confirm that this fix is in =dev-lang/php-7.0.23 as being stabilized
> as part of bug 629452
This bug was fixed with PHP 7.0.21 and 7.1.7
Also fixed with PHP 5.6.31 as well
This issue was resolved and addressed in
GLSA 201709-21 at https://security.gentoo.org/glsa/201709-21
by GLSA coordinator Aaron Bauman (b-man).