Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 666256 (CVE-2018-17082) - <dev-lang/php-{5.6.38,7.0.32,7.1.22,7.2.10}: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request (CVE-2018-17082)
Summary: <dev-lang/php-{5.6.38,7.0.32,7.1.22,7.2.10}: Cross-site scripting (XSS) flaw ...
Status: RESOLVED FIXED
Alias: CVE-2018-17082
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
: 666264 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-09-15 03:45 UTC by Brian Evans
Modified: 2018-12-02 15:45 UTC (History)
3 users (show)

See Also:
Package list:
dev-lang/php-5.6.38 dev-lang/php-7.0.32 dev-lang/php-7.1.22 dev-lang/php-7.2.10 dev-libs/libzip-1.3.0 arm
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Evans Gentoo Infrastructure gentoo-dev 2018-09-15 03:45:34 UTC
Versions prior to those listed, are vulnerable to an XSS attack simply by sending a request to an Apache server to process a PHP script.

CVE pending.

Arches, please test and mark stable.
Comment 1 Stabilization helper bot gentoo-dev 2018-09-15 04:08:29 UTC
An automated check of this bug failed - repoman reported dependency errors (500 lines truncated): 

> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
Comment 2 Tomáš Mózes 2018-09-15 09:59:44 UTC
*** Bug 666264 has been marked as a duplicate of this bug. ***
Comment 3 Mart Raudsepp gentoo-dev 2018-09-15 10:07:12 UTC
arm64 does not have any stable PHP; please look who you CC :)
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-09-15 10:20:42 UTC
amd64 stable
Comment 5 Stabilization helper bot gentoo-dev 2018-09-15 11:07:16 UTC
An automated check of this bug failed - repoman reported dependency errors (404 lines truncated): 

> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
Comment 6 Stabilization helper bot gentoo-dev 2018-09-15 12:07:47 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 7 Leho Kraav (:macmaN @lkraav) 2018-09-15 17:03:59 UTC
I think `virtual/httpd-php-7.2` needs to also be bumped stable with this?
Comment 8 Rolf Eike Beer archtester 2018-09-16 07:31:57 UTC
sparc done.
Comment 9 Brandon Holbrook 2018-09-17 16:51:37 UTC
Agree with comment #7

If we are using this bug to stabilize PHP-7.2, we should also remove "php_targets_php7-2" from profiles/base/use.stable.mask
Comment 10 Brian Evans Gentoo Infrastructure gentoo-dev 2018-09-17 17:50:26 UTC
(In reply to Brandon Holbrook from comment #9)
> Agree with comment #7
> 
> If we are using this bug to stabilize PHP-7.2, we should also remove
> "php_targets_php7-2" from profiles/base/use.stable.mask

This will be done at the appropriate time.  It's a bunch of extra work do that part one arch at a time instead of everyone together.
Comment 11 Matt Turner gentoo-dev 2018-09-18 19:16:25 UTC
ppc/ppc64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-18 22:33:09 UTC
ia64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-18 23:10:21 UTC
hppa has no stable php keywords
Comment 14 Thomas Deutschmann gentoo-dev Security 2018-09-19 17:37:02 UTC
x86 stable
Comment 15 Markus Meier gentoo-dev 2018-09-24 18:17:19 UTC
arm stable
Comment 16 Tobias Klausmann gentoo-dev 2018-10-11 14:30:10 UTC
Stable on alpha.
Comment 17 Larry the Git Cow gentoo-dev 2018-10-11 14:41:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9b41d63fc172ef8fa87fb99b6a283926f82cf80

commit c9b41d63fc172ef8fa87fb99b6a283926f82cf80
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-10-11 14:38:47 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-10-11 14:41:39 +0000

    dev-lang/php: Drop security vulnerable versions
    
    Bug: https://bugs.gentoo.org/666256
    Bug: https://bugs.gentoo.org/668000
    Signed-off-by: Brian Evans <grknight@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-lang/php/Manifest          |   3 -
 dev-lang/php/php-5.6.36.ebuild | 777 -----------------------------------------
 dev-lang/php/php-7.0.30.ebuild | 751 ---------------------------------------
 dev-lang/php/php-7.1.18.ebuild | 731 --------------------------------------
 4 files changed, 2262 deletions(-)
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2018-12-02 15:45:54 UTC
This issue was resolved and addressed in
 GLSA 201812-01 at https://security.gentoo.org/glsa/201812-01
by GLSA coordinator Aaron Bauman (b-man).