Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 756775 - <dev-lang/php-{7.3.25,7.4.13}: Multiple vulnerabilities
Summary: <dev-lang/php-{7.3.25,7.4.13}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.php.net/ChangeLog-7.php#7...
Whiteboard: B3 [glsa+]
Keywords: CC-ARCHES, STABLEREQ
Depends on:
Blocks:
 
Reported: 2020-11-26 02:20 UTC by John Helmert III
Modified: 2020-12-23 20:21 UTC (History)
2 users (show)

See Also:
Package list:
dev-lang/php-7.3.25 dev-lang/php-7.4.13
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-11-26 02:20:54 UTC
A number of security bugs appear to have been fixed in PHP 7.4.13:

Fixed bug #62474 (com_event_sink crashes on certain arguments).
Fixed bug #76618 (segfault on imap_reopen).
Fixed bug #80239 (imap_rfc822_write_address() leaks memory).
Fixed bug #80242 (imap_mail_compose() segfaults for multipart with rfc822).
Fixed bug #72413 (mysqlnd segfault (fetch_row second parameter typemismatch)).
Fixed bug #44618 (Fetching may rely on uninitialized data).
Comment 1 John Helmert III gentoo-dev Security 2020-11-26 02:22:34 UTC
Please bump.

Note - it appears Bugzilla interpreted the "bug #xxxxx" strings in my previous comment as references to bugs in our Bugzilla, but they are copied from the PHP changelog and refer to their bug tracker.

Thanks!
Comment 2 John Helmert III gentoo-dev Security 2020-11-26 15:48:15 UTC
Several of these fixed in 7.3.25:

Fixed bug #62474 (com_event_sink crashes on certain arguments).
Fixed bug #76618 (segfault on imap_reopen).
Fixed bug #80239 (imap_rfc822_write_address() leaks memory).
Fixed bug #80242 (imap_mail_compose() segfaults for multipart with rfc822).
Fixed bug #44618 (Fetching may rely on uninitialized data).
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-12-04 00:28:03 UTC
x86 stable
Comment 4 Sergei Trofimovich gentoo-dev 2020-12-04 19:17:18 UTC
ppc/ppc64 stable
Comment 5 Sam James archtester gentoo-dev Security 2020-12-06 23:20:59 UTC
arm64 done
Comment 6 Sam James archtester gentoo-dev Security 2020-12-07 05:19:40 UTC
arm done
Comment 7 Rolf Eike Beer 2020-12-11 18:16:26 UTC
sparc stable
Comment 8 Matt Turner gentoo-dev 2020-12-15 04:21:10 UTC
dropped to ~hppa
Comment 9 Sam James archtester gentoo-dev Security 2020-12-15 10:34:13 UTC
amd64 done

all arches done
Comment 10 Larry the Git Cow gentoo-dev 2020-12-16 18:48:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af490b398669857e7fcba0c408cd8050ac573931

commit af490b398669857e7fcba0c408cd8050ac573931
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-16 18:48:07 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-16 18:48:18 +0000

    dev-lang/php: security cleanup (bug #756775)
    
    Bug: https://bugs.gentoo.org/756775
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest          |   9 -
 dev-lang/php/php-7.2.33.ebuild | 759 ----------------------------------------
 dev-lang/php/php-7.3.21.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.3.22.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.3.23.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.3.24.ebuild | 760 -----------------------------------------
 dev-lang/php/php-7.4.10.ebuild | 750 ----------------------------------------
 dev-lang/php/php-7.4.11.ebuild | 750 ----------------------------------------
 dev-lang/php/php-7.4.12.ebuild | 750 ----------------------------------------
 dev-lang/php/php-7.4.9.ebuild  | 750 ----------------------------------------
 10 files changed, 6808 deletions(-)
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-12-23 00:40:50 UTC
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:11 UTC
This issue was resolved and addressed in
 GLSA 202012-16 at https://security.gentoo.org/glsa/202012-16
by GLSA coordinator Thomas Deutschmann (whissi).