Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 857054 (CVE-2022-31627) - <dev-lang/php-8.1.8: heap buffer overflow in finfo_buffer
Summary: <dev-lang/php-8.1.8: heap buffer overflow in finfo_buffer
Status: RESOLVED FIXED
Alias: CVE-2022-31627
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.php.net/ChangeLog-8.php#8...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 857075
Blocks:
  Show dependency tree
 
Reported: 2022-07-08 19:51 UTC by John Helmert III
Modified: 2022-09-29 14:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-08 19:51:54 UTC
"Fixed bug #81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627)"

Please stabilize 8.1.8. Presumably other branches will get the patch
too, so no need to clean them up.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2022-07-08 21:56:06 UTC
(In reply to John Helmert III from comment #0)
> "Fixed bug #81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627)"
> 
> Please stabilize 8.1.8. Presumably other branches will get the patch
> too, so no need to clean them up.

This bug is specific to the 8.1 slot.  It stems from a custom patch created by the PHP team specifically for 8.1.  Older versions apparently did things differently.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-08 22:06:05 UTC
Thanks!
Comment 3 Larry the Git Cow gentoo-dev 2022-07-09 12:52:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cdeacff00b3466376b13bed5d05ce970f6e3ceb

commit 4cdeacff00b3466376b13bed5d05ce970f6e3ceb
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2022-07-09 12:48:56 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2022-07-09 12:51:59 +0000

    dev-lang/php: Drop old
    
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest         |   1 -
 dev-lang/php/php-8.1.7.ebuild | 759 ------------------------------------------
 2 files changed, 760 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 14:23:40 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-09-29 14:48:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4447c90f117a8f0928cc5e880f3cfc9fde7ee918

commit 4447c90f117a8f0928cc5e880f3cfc9fde7ee918
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:23:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-20 ] PHP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/799776
    Bug: https://bugs.gentoo.org/810526
    Bug: https://bugs.gentoo.org/819510
    Bug: https://bugs.gentoo.org/833585
    Bug: https://bugs.gentoo.org/850772
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-20.xml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:51:45 UTC
GLSA released, all done!