Bug 624870 (CVE-2017-11147) - <dev-lang/php-{5.6.30,7.0.15}: buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
Alias: CVE-2017-11147
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Reported: 2017-07-13 13:40 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-07-13 14:17 UTC

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-13 13:40:00 UTC
From URL:

In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

Comment 1 Brian Evans (RETIRED) gentoo-dev 2017-07-13 14:12:15 UTC
I know this is a new CVE... but it's a 7-month-old released version. Nothing for PHP or upstream to do here.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-13 14:17:49 UTC
GLSA Vote: No