Bug 532914 (CVE-2014-8142) - <dev-lang/php-{5.4.36,5.5.20,5.6.4}: Multiple vulnerabilities (CVE-2014-{8142,9427})
Status: RESOLVED FIXED
Alias: CVE-2014-8142
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Reported: 2014-12-18 09:53 UTC by Agostino Sarubbo
Modified: 2015-03-08 14:38 UTC
Description Agostino Sarubbo gentoo-dev 2014-12-18 09:53:43 UTC
http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340

This commit fixes a NULL Pointer Dereference Vulnerability.

Reference: https://bugs.php.net/bug.php?id=68545
Comment 1 Tomáš Mózes 2014-12-18 19:27:09 UTC
5.20 released fixing this issue:
http://php.net/ChangeLog-5.php#5.5.20
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2014-12-19 15:12:36 UTC
Bumped. Stabilise if necessary.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-19 22:55:53 UTC
Changing description to multiple vulnerabilities to also cover CVE-2014-8142: "Fixed bug #68594 (Use after free vulnerability in unserialize())(CVE-2014-8142)." described for the same updates
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-19 23:21:44 UTC
Arches, please stabilize: 

=dev-lang/php-5.5.20
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=dev-lang/php-5.4.36
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-21 09:25:58 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2014-12-21 11:38:17 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-21 11:43:03 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-23 09:36:46 UTC
alpha stable
Comment 9 Markus Meier gentoo-dev 2014-12-23 12:44:16 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-24 14:36:48 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-24 14:46:53 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-25 11:28:23 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-26 09:30:00 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-29 01:48:12 UTC
CVE-2014-8142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8142):
  Use-after-free vulnerability in the process_nested_data function in
  ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20,
  and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via
  a crafted unserialize call that leverages improper handling of duplicate
  keys within the serialized properties of an object, a different
  vulnerability than CVE-2004-1019.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 01:50:34 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 21:02:52 UTC
CVE-2014-9427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9427):
  sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x
  through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php
  file, does not properly consider the mapping's length during processing of
  an invalid file that begins with a # character and lacks a newline
  character, which causes an out-of-bounds read and might (1) allow remote
  attackers to obtain sensitive information from php-cgi process memory by
  leveraging the ability to upload a .php file or (2) trigger unexpected code
  execution if a valid PHP script is present in memory locations adjacent to
  the mapping.
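
An added illustration of the length check the CVE-2014-9427 description above says was missing: skipping a leading `#` line in a mapped file with the scan bounded by the mapping's length. This is not code from PHP or from this bug; `skip_hash_line` and the sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not PHP's cgi_main.c). Given a view of a script that
 * is exactly `len` bytes long, return the offset at which parsing should
 * start. If the file begins with '#', its first line is skipped.
 *
 * A mapped file is not NUL-terminated and need not contain a newline, so
 * every read is guarded by `i < len`. A loop that only stops on '\n' keeps
 * reading past the mapping when the file is "#..." with no line ending. */
size_t skip_hash_line(const unsigned char *buf, size_t len)
{
    size_t i = 1;

    if (buf == NULL || len == 0 || buf[0] != '#')
        return 0;                      /* no '#' line to skip */

    /* Bounded scan for the end of the first line. */
    while (i < len && buf[i] != '\n' && buf[i] != '\r')
        i++;

    if (i == len)
        return len;                    /* whole file is the '#' line */

    /* Treat "\r\n" as one line ending, still without reading past len. */
    if (buf[i] == '\r' && i + 1 < len && buf[i + 1] == '\n')
        i++;

    return i + 1;                      /* first byte after the line ending */
}

int main(void)
{
    /* Constructed inputs. The second array has no terminator and no newline,
     * which is the shape of file the CVE description refers to. */
    static const unsigned char with_nl[] = "#!/usr/bin/php\n<?php";
    static const unsigned char no_nl[]   = { '#', '!', '/', 'x' };

    printf("with newline: start at %zu of %zu\n",
           skip_hash_line(with_nl, sizeof with_nl - 1), sizeof with_nl - 1);
    printf("no newline:   start at %zu of %zu\n",
           skip_hash_line(no_nl, sizeof no_nl), sizeof no_nl);
    return 0;
}
```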
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-02-01 02:25:18 UTC
Maintainer(s), it has been 30 days since request for cleanup. 
Please drop the vulnerable versions.
Comment 18 Sergey Popov gentoo-dev 2015-03-07 09:25:55 UTC
Cleanup would be done in bug #533998
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:38:09 UTC
This issue was resolved and addressed in
 GLSA 201503-03 at http://security.gentoo.org/glsa/glsa-201503-03.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).