From ${URL} :

In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.

Upstream bug: https://bugs.php.net/bug.php?id=73473

Upstream patch: http://git.php.net/?p=php-src.git;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Those versions are already being stabilized in bug 624052.
Added to a GLSA Request.

@Security please add CVE to database.

Gentoo Security Padawan
ChrisADR
This issue was resolved and addressed in GLSA 201709-21 at https://security.gentoo.org/glsa/201709-21 by GLSA coordinator Aaron Bauman (b-man).
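The class of fix the report describes (bounding the locale length before it reaches code that copies it into a fixed-size buffer) can be sketched as follows. This is an added example, not the upstream PHP patch or any participant's code; `parse_message_checked`, `canonicalize_locale`, `MAX_LOCALE_LEN` and `CANON_BUF_SIZE` are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LOCALE_LEN 80   /* assumed cap for this example */
#define CANON_BUF_SIZE 157  /* hypothetical fixed buffer size in the callee */

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_NULL = -1,
    PARSE_ERR_LOCALE_TOO_LONG = -2
};

/* Hypothetical stand-in for a library routine that copies the locale into
 * a fixed-size stack buffer and trusts its caller to have bounded len. */
static size_t canonicalize_locale(const char *locale, size_t len)
{
    char buf[CANON_BUF_SIZE];

    memcpy(buf, locale, len);   /* in bounds only if len < CANON_BUF_SIZE */
    buf[len] = '\0';
    return strlen(buf);
}

/* Entry point that receives the caller-supplied locale (the "first
 * argument" in the report). The length check happens before the value
 * is handed to the fixed-buffer routine. */
int parse_message_checked(const char *locale, size_t locale_len,
                          size_t *canon_len)
{
    if (locale == NULL || canon_len == NULL)
        return PARSE_ERR_NULL;

    /* Reject over-long locales up front instead of relying on the callee. */
    if (locale_len > MAX_LOCALE_LEN)
        return PARSE_ERR_LOCALE_TOO_LONG;

    *canon_len = canonicalize_locale(locale, locale_len);
    return PARSE_OK;
}
```

The check sits at the boundary where untrusted input enters, so an over-long locale is refused with an error code and the copy never runs.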