606626 – (CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161) <dev-lang/php-5.6.30: multiple vulnerabilities

Bug 606626 (CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161) - <dev-lang/php-5.6.30: multiple vulnerabilities

Summary: <dev-lang/php-5.6.30: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://www.php.net/ChangeLog-5.php#5....
Whiteboard:	A3 [glsa cve]
Keywords:

Depends on:
Blocks:	CVE-2016-9935
	Show dependency tree

Reported:	2017-01-20 17:07 UTC by Michael Orlitzky
Modified:	2017-02-21 00:33 UTC (History)
CC List:	0 users

See Also:
Package list:	=dev-lang/php-5.6.30
Runtime testing required:	Yes

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-01-20 17:07:41 UTC

I don't see any CVEs for this yet, but the following stand out in the changelog.

  Phar:
    Fixed bug #73764 (Crash while loading hostile phar archive).
    Fixed bug #73768 (Memory corruption when loading hostile phar).
    Fixed bug #73773 (Seg fault when loading hostile phar).

The fixed v5.6.30 is already in the tree and can be stabilized.

The unstable 7.0 and 7.1 series also got new security releases. The 7.1 version isn't marked as such, but looking at e.g. PHP bug 73831, it should have been. In any case, since they were both unstable, I dropped the old versions immediately.

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2017-01-28 07:44:29 UTC

@arches, please stabilize.

Comment 2 Tobias Klausmann (RETIRED) gentoo-dev

2017-01-28 19:54:09 UTC

Stable on alpha.

Comment 3 Agostino Sarubbo gentoo-dev

2017-01-29 13:56:11 UTC

amd64 stable

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-29 20:30:33 UTC

Stable for HPPA PPC64.

Comment 5 Agostino Sarubbo gentoo-dev

2017-01-31 11:44:21 UTC

x86 stable

Comment 6 Michael Weber (RETIRED) gentoo-dev

2017-02-08 07:28:16 UTC

ppc stable

Comment 7 Markus Meier gentoo-dev

2017-02-12 20:05:23 UTC

arm stable

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-13 01:36:24 UTC

Already added to existing GLSA.

Comment 9 Agostino Sarubbo gentoo-dev

2017-02-17 10:58:12 UTC

sparc stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-02-18 14:45:51 UTC

ia64 stable.

Maintainer(s), please cleanup.

Comment 11 Michael Orlitzky gentoo-dev

2017-02-18 16:23:19 UTC

(In reply to Agostino Sarubbo from comment #10)
> 
> Maintainer(s), please cleanup.

Done.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2017-02-21 00:33:38 UTC

This issue was resolved and addressed in
 GLSA 201702-29 at https://security.gentoo.org/glsa/201702-29
by GLSA coordinator Thomas Deutschmann (whissi).