Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626460 (CVE-2017-11362) - <dev-lang/php-{7.0.21, 7.1.7}: Stack-based buffer over-read in msgfmt_parse_message function
Summary: <dev-lang/php-{7.0.21, 7.1.7}: Stack-based buffer over-read in msgfmt_parse_m...
Alias: CVE-2017-11362
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Depends on:
Reported: 2017-07-28 15:12 UTC by Agostino Sarubbo
Modified: 2017-09-24 19:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-28 15:12:31 UTC
From ${URL} :

In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7,
ext/intl/msgformat/msgformat_parse.c does not restrict the locale
length, which allows remote attackers to cause a denial of service
(stack-based buffer overflow and application crash) or possibly have
unspecified other impact within International Components for Unicode
(ICU) for C/C++ via a long first argument to the msgfmt_parse_message

Upstream bug:

Upstream patch:;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Michael Orlitzky gentoo-dev 2017-07-29 11:37:33 UTC
Those versions are already being stabilized in bug 624052.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-24 14:54:27 UTC
Added to a GLSA Request 

@Security please add cve to database

Gentoo Security Padawan
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 19:03:23 UTC
This issue was resolved and addressed in
 GLSA 201709-21 at
by GLSA coordinator Aaron Bauman (b-man).