CVE-2020-7066 (https://nvd.nist.gov/vuln/detail/CVE-2020-7066): get_headers() silently truncates after a null byte
CVE-2020-7065 (https://nvd.nist.gov/vuln/detail/CVE-2020-7065): mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full
CVE-2020-7064 (https://nvd.nist.gov/vuln/detail/CVE-2020-7064): Use-of-uninitialized-value in exif
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecac5f4b721b650a2d076167d4124c56e07bf983

commit ecac5f4b721b650a2d076167d4124c56e07bf983
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:27:24 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:45 +0000

    dev-lang/php: bump to v7.4.4

    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest         |   1 +
 dev-lang/php/php-7.4.4.ebuild | 746 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 747 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2dfe14621bcf66d3e8ee11fba000dbf6c0cf7b99

commit 2dfe14621bcf66d3e8ee11fba000dbf6c0cf7b99
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:25:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:44 +0000

    dev-lang/php: bump to v7.3.16

    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.3.16.ebuild | 756 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 757 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e20fca4c025f9708f1508db9a68f54c1ccacdf6

commit 4e20fca4c025f9708f1508db9a68f54c1ccacdf6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:24:11 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:43 +0000

    dev-lang/php: bump to v7.2.29

    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.2.29.ebuild | 755 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 756 insertions(+)
amd64 stable
ppc stable
ppc64 stable
arm stable
x86 stable
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
sparc stable
ia64 stable
arm64 stable
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99f4e65f7cef12a36a016a18f3eb2a3e3397052c

commit 99f4e65f7cef12a36a016a18f3eb2a3e3397052c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 16:50:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 16:50:30 +0000

    dev-lang/php: security cleanup (bug #713484)

    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest             |   7 -
 dev-lang/php/php-7.2.26.ebuild    | 750 -------------------------------------
 dev-lang/php/php-7.2.27.ebuild    | 750 -------------------------------------
 dev-lang/php/php-7.2.28-r1.ebuild | 755 -------------------------------------
 dev-lang/php/php-7.3.13.ebuild    | 751 -------------------------------------
 dev-lang/php/php-7.3.14.ebuild    | 751 -------------------------------------
 dev-lang/php/php-7.3.15-r1.ebuild | 756 --------------------------------------
 dev-lang/php/php-7.4.3-r1.ebuild  | 746 -------------------------------------
 8 files changed, 5266 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8cc1e413a464528a5798b1dde931e836980c522

commit d8cc1e413a464528a5798b1dde931e836980c522
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 16:48:24 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 16:48:24 +0000

    dev-lang/php: mark hppa stable (bug #713484)

    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/php-7.2.29.ebuild | 2 +-
 dev-lang/php/php-7.3.16.ebuild | 2 +-
 dev-lang/php/php-7.4.4.ebuild  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
Repository is clean, all done!
(In reply to GLSAMaker/CVETool Bot from comment #8)
> This issue was resolved and addressed in
> GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
> by GLSA coordinator Thomas Deutschmann (whissi).

Not sure where it is the best place to report this, but hopefully this gets seen by someone who does. The GLSA 202003-57 doesn't seem quite right: even after installing an unaffected version (e.g. 7.3.17), glsa-check still triggers for 202003-57.
Please show us output of `eshowkw dev-lang/php`
Keywords for dev-lang/php:
          |                             |   u     |
          | a a   a     p         s r   |   n     |
          | l m   r i   p   h m s p i m | e u s   | r
          | p d a m a p c x p 6 3 a s i | a s l   | e
          | h 6 r 6 6 p 6 8 p 8 9 r c p | p e o   | p
          | a 4 m 4 4 c 4 6 a k 0 c v s | i d t   | o
----------+-----------------------------+---------+-------
7.2.29    | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.2 | gentoo
7.2.30    | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo
----------+-----------------------------+---------+-------
7.3.16    | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.3 | gentoo
[I]7.3.17 | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo
----------+-----------------------------+---------+-------
7.4.4     | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.4 | gentoo
7.4.5     | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo
I'm seeing the same issue. It seems old non-vulnerable versions are detected as affected by glsa:

Checking GLSA 202003-57
>>> The following updates will be performed for this GLSA:
>>> No upgrade path exists for these packages: dev-lang/php-7.3.17, dev-lang/php-7.2.30

I believe this:

glsa-202003-57.xml: <unaffected range="rge">7.2.29</unaffected>
glsa-202003-57.xml: <unaffected range="rge">7.3.16</unaffected>

should be "ge" instead of "rge". This would be in line with older PHP advisories like glsa-201910-01.
@ Hanno: It's not that easy. Using "ge" would mean that anything >=7.2.29, this includes vulnerable 7.3.15, is not affected. But let's move that to bug 718844.
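The exchange above hinges on what the two range operators mean. The following Python model is an added illustration for this thread, not gentoolkit's glsa-check code and not part of any comment here: it assumes "ge" is an ordinary greater-or-equal over the whole version, and that "rge" keeps the base version fixed and compares only the -rN revision (an assumption inferred from the reported behaviour, where 7.3.17 is still flagged against rge 7.3.16). The two <unaffected> entries are the ones quoted from glsa-202003-57.xml in the thread; the installed version list is constructed for the example, and the real advisory contains further entries that are not modelled here.

```python
"""Model of how <unaffected range="..."> bounds classify installed versions.

Added example for the discussion in bug 713484; it is NOT gentoolkit's
own implementation.  The 'rge' semantics below are an assumption drawn from
the behaviour reported in the thread.
"""
import re
from typing import Iterable, List, Tuple


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split a Gentoo-style version into (base tuple, revision).

    '7.2.28-r1' -> ((7, 2, 28), 1); a missing -rN suffix counts as revision 0.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def in_range(op: str, bound: str, installed: str) -> bool:
    """True when `installed` satisfies the bound written as `<op> <bound>`.

    'ge'  : plain >= over (base version, revision).
    'rge' : base version must be identical; only the revision is compared
            (assumption: this is why 7.3.17 is not covered by rge 7.3.16).
    """
    bbase, brev = parse_version(bound)
    ibase, irev = parse_version(installed)
    if op == "ge":
        return (ibase, irev) >= (bbase, brev)
    if op == "rge":
        return ibase == bbase and irev >= brev
    raise ValueError(f"unsupported range operator: {op!r}")


def is_affected(unaffected: Iterable[Tuple[str, str]], installed: str) -> bool:
    """A package is flagged unless at least one <unaffected> bound covers it."""
    return not any(in_range(op, bound, installed) for op, bound in unaffected)


def no_upgrade_path(unaffected: Iterable[Tuple[str, str]],
                    installed_versions: Iterable[str]) -> List[str]:
    """Versions that would appear after
    '>>> No upgrade path exists for these packages:' in glsa-check output."""
    unaffected = list(unaffected)
    return [v for v in installed_versions if is_affected(unaffected, v)]


# The two <unaffected> lines quoted in the thread (the real GLSA has more).
AS_PUBLISHED = [("rge", "7.2.29"), ("rge", "7.3.16")]
# The change proposed in the thread: same bounds, operator "ge".
AS_PROPOSED = [("ge", "7.2.29"), ("ge", "7.3.16")]

# Constructed list of candidate installed versions for the demonstration.
INSTALLED = ["7.2.29", "7.2.30", "7.3.15", "7.3.16-r1", "7.3.17"]

if __name__ == "__main__":
    # rge: the fixed 7.2.30 and 7.3.17 are still flagged (the false positives
    # reported above), and the vulnerable 7.3.15 is correctly flagged.
    print("published (rge):", no_upgrade_path(AS_PUBLISHED, INSTALLED))
    # -> ['7.2.30', '7.3.15', '7.3.17']
    # ge: nothing is flagged, so vulnerable 7.3.15 slips through, which is
    # the objection raised in the last comment.
    print("proposed (ge):  ", no_upgrade_path(AS_PROPOSED, INSTALLED))
    # -> []
```

Under this model neither operator alone expresses "at least the fixed release within each slot": "rge" is too narrow (it only admits revisions of the exact fixed version), while "ge" is too wide (a lower slot's bound covers the whole higher slot, including its still-vulnerable releases), which is the point the last comment makes before moving the discussion to bug 718844.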