624870 – (CVE-2017-11147) <dev-lang/php-{5.6.30,7.0.15}: buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

Bug 624870 (CVE-2017-11147) - <dev-lang/php-{5.6.30,7.0.15}: buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

Summary: <dev-lang/php-{5.6.30,7.0.15}: buffer over-read in the phar_parse_pharfile fu...

Status:	RESOLVED FIXED

Alias:	CVE-2017-11147

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://www.cvedetails.com/cve/CVE-20...
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-07-13 13:40 UTC by Christopher Díaz Riveros (RETIRED)
Modified:	2017-07-13 14:17 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-13 13:40:00 UTC

From URL:

In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

References:

http://php.net/ChangeLog-7.php 
https://bugs.php.net/bug.php?id=73773 
http://openwall.com/lists/oss-security/2017/07/10/6 
http://php.net/ChangeLog-5.php 
http://git.php.net/?p=php-src.git;a=commit;h=e5246580a85f031e1a3b8064edbaa55c1643a451

Comment 1 Brian Evans (RETIRED) gentoo-dev

2017-07-13 14:12:15 UTC

I know this is a new CVE.. but it's a 7 month old released version.  Nothing for PHP or upstream to do here.

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-07-13 14:17:49 UTC

GLSA Vote: No