HTTPoxy vulnerability
CVE-2016-5385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385): PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
This issue has been fixed in 5.6.24, 5.5.38, and 7.0.9.
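The RFC 3875 namespace conflict the description refers to, as an added illustration that is not code from this bug or from PHP: a plain CGI gateway turns every request header into an HTTP_* meta-variable, so a client-supplied "Proxy" header lands in HTTP_PROXY, the variable that HTTP client libraries read for their outbound proxy. Both mitigations are shown: dropping the header at the gateway, and the application ignoring HTTP_PROXY whenever REQUEST_METHOD marks a CGI context. Hostnames and the request are constructed for the example.

```python
from typing import Dict, Optional

# Constructed sample request (hostnames made up for this example). The client
# sends a "Proxy" header, which the RFC 3875 section 4.1.18 mapping turns into
# the HTTP_PROXY meta-variable.
REQUEST_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "curl/7.49.0",
    "Proxy": "untrusted-proxy.invalid:8080",
}

def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Plain RFC 3875 mapping: each request header becomes HTTP_<UPPER_NAME>.
    This is the behaviour that creates the namespace conflict."""
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def cgi_meta_variables_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Gateway-side fix: never forward a client 'Proxy' header into the
    environment (the same effect as dropping the header at the web server)."""
    safe = {n: v for n, v in headers.items() if n.lower() != "proxy"}
    return cgi_meta_variables(safe)

def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Application-side fix: HTTP_PROXY is only a trustworthy proxy setting
    when the process is NOT handling a CGI request. REQUEST_METHOD is set by
    the gateway for every CGI request, so its presence marks the untrusted case."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")

def demo() -> Dict[str, Optional[str]]:
    """Compare the polluted environment with both mitigations."""
    polluted = cgi_meta_variables(REQUEST_HEADERS)
    clean = cgi_meta_variables_hardened(REQUEST_HEADERS)
    return {
        "vulnerable_env_proxy": polluted.get("HTTP_PROXY"),   # client value
        "hardened_env_proxy": clean.get("HTTP_PROXY"),        # None
        "app_side_proxy": outbound_proxy(polluted),           # None under CGI
        "cli_proxy": outbound_proxy({"HTTP_PROXY": "http://corp-proxy.invalid:3128"}),
    }

if __name__ == "__main__":
    print(demo())
```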
*** Bug 589744 has been marked as a duplicate of this bug. ***
(In reply to Hanno Boeck from comment #0)
> The latest PHP updates fix a worrying number of security issues.
>
> These from the upstream changelog sound like being security relevant (for 7.0.9, but most issues affect all three version trees):
> Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex).
> Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).
> Fixed bug #72541 (size_t overflow lead to heap corruption).
> Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
> Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
> Fixed bug #72519 (imagegif/output out-of-bounds access).
> Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
> Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
> Fixed bug #72494 (imagecropauto out-of-bounds access).
> Fixed bug #72533 (locale_accept_from_http out-of-bounds access).
> Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access).
> Fixed bug #72399 (Use-After-Free in MBString (search_re)).
> Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).
> Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
> Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).
> Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization).
> Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).
> Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
> Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).
>
> This one
> https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/
> got a bit more public attention.
>
> Please bump.
>
> Not sure if 5.5.x should still be bumped or just declared to be deprecated, as it won't receive any further security updates.
Arches, please test and mark stable:
=dev-lang/php-5.5.38
=dev-lang/php-5.6.24
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
I had some unrelated changes staged that collided with this fix. I've pushed them as dev-lang/php-5.6.24-r1, which you SHOULD NOT stabilize as part of this bug. Brian's dev-lang/php-5.6.24 (no -r1) is safer.
amd64 stable
x86 stable
Stable for PPC64.
Stable for HPPA.
arm stable
Stable on alpha.
PHP 5.5 was removed from the visibility of this bug due to commit c34a770c53d85ea5cd446c2d20af39f33107775b which masked the version:
> # Brian Evans <grknight@gentoo.org> (22 Aug 2016)
> # PHP 5.5 has reached end of life and will no longer receive security updates.
> # Also include associated packages which do not work on newer versions
> # Removal in 90 days
> virtual/httpd-php:5.5
> dev-lang/php:5.5
PHP 5.5 is masked per Thomas' comments and all vulnerable versions removed.
Removing stabilization dependency.