Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624870 (CVE-2017-11147) - <dev-lang/php-{5.6.30,7.0.15}: buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
Summary: <dev-lang/php-{5.6.30,7.0.15}: buffer over-read in the phar_parse_pharfile fu...
Status: RESOLVED FIXED
Alias: CVE-2017-11147
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.cvedetails.com/cve/CVE-20...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-13 13:40 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-07-13 14:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-13 13:40:00 UTC
From URL:

In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

References:

http://php.net/ChangeLog-7.php 
https://bugs.php.net/bug.php?id=73773 
http://openwall.com/lists/oss-security/2017/07/10/6 
http://php.net/ChangeLog-5.php 
http://git.php.net/?p=php-src.git;a=commit;h=e5246580a85f031e1a3b8064edbaa55c1643a451
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2017-07-13 14:12:15 UTC
I know this is a new CVE.. but it's a 7 month old released version.  Nothing for PHP or upstream to do here.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2017-07-13 14:17:49 UTC
GLSA Vote: No