Bug 691564 (CVE-2019-11041, CVE-2019-11042) - <dev-lang/php-{5.6.40-r5,7.1.31,7.2.21,7.3.8} - Security vulnerabilities in phar and exif extensions
Status: RESOLVED FIXED
Alias: CVE-2019-11041, CVE-2019-11042
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-06 13:07 UTC by Brian Evans (RETIRED)
Modified: 2019-08-14 14:54 UTC

See Also:
Package list:
dev-lang/php-5.6.40-r5: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
dev-lang/php-7.1.31: alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
dev-lang/php-7.2.21: alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
dev-lang/php-7.3.8: alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Description Brian Evans (RETIRED) gentoo-dev 2019-08-06 13:07:31 UTC
The following vulnerabilities were fixed in the latest PHP release:

EXIF:
Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
Phar:
Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).
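The bug title encodes the affected range as `<dev-lang/php-{5.6.40-r5,7.1.31,7.2.21,7.3.8}`, i.e. one first-fixed version per PHP slot. The check below is an added example, not part of this bug report and not Portage's own version comparison: it parses the simple `major.minor.patch[-rN]` form that dev-lang/php uses, treats a missing `-rN` as revision 0 as Gentoo does, and reports which installed versions are still below the fix for their slot. The `FIXED_VERSIONS` table is taken from the bug title; the sample directory names are constructed, standing in for entries under `/var/db/pkg/dev-lang/`.

```python
import re

# First fixed version per PHP slot, taken from the bug title
# "<dev-lang/php-{5.6.40-r5,7.1.31,7.2.21,7.3.8}".
FIXED_VERSIONS = {
    "5.6": "5.6.40-r5",
    "7.1": "7.1.31",
    "7.2": "7.2.21",
    "7.3": "7.3.8",
}

# Only the numeric form used by dev-lang/php; no _rc/_beta suffixes handled.
_PVR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_pvr(pvr):
    """Turn a Gentoo PVR such as '5.6.40-r4' into a comparable tuple.

    A missing -rN revision is revision 0, matching Gentoo's rule that
    '5.6.40' and '5.6.40-r0' are the same version.
    """
    m = _PVR_RE.match(pvr)
    if not m:
        raise ValueError(f"unsupported version string: {pvr!r}")
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch), int(rev or 0))


def slot_of(pvr):
    """The PHP slot is the major.minor pair (5.6, 7.1, ...)."""
    major, minor, _, _ = parse_pvr(pvr)
    return f"{major}.{minor}"


def is_vulnerable(pvr):
    """True if pvr is older than the fixed version for its slot.

    Slots the bug does not list raise KeyError rather than guessing,
    because the bug makes no statement about them.
    """
    slot = slot_of(pvr)
    if slot not in FIXED_VERSIONS:
        raise KeyError(f"slot {slot} is not covered by bug 691564")
    return parse_pvr(pvr) < parse_pvr(FIXED_VERSIONS[slot])


def vulnerable_among(vdb_entries):
    """Given directory names from /var/db/pkg/dev-lang/ (e.g. 'php-7.2.20'),
    return the PVRs of installed PHP versions still in the affected range."""
    found = []
    for name in vdb_entries:
        if not name.startswith("php-"):
            continue
        pvr = name[len("php-"):]
        if is_vulnerable(pvr):
            found.append(pvr)
    return found


if __name__ == "__main__":
    # Constructed sample: two slots already updated, one still vulnerable.
    sample = ["php-7.1.31", "php-7.2.20", "php-7.3.8"]
    print("still vulnerable:", vulnerable_among(sample))
```

On a real system the entry list comes from `os.listdir("/var/db/pkg/dev-lang")`; the sample list is used here so the script runs offline. A `-r4` revision of 5.6.40 sorts below `-r5` even though the upstream version string is identical, which is why the revision must be part of the comparison key.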
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-08-06 22:03:42 UTC
arm64 stable
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-07 08:42:38 UTC
amd64 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-07 08:43:03 UTC
arm stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-07 08:43:37 UTC
x86 stable
Comment 5 Rolf Eike Beer archtester 2019-08-08 18:47:06 UTC
sparc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-08-10 09:58:37 UTC
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-08-11 17:02:54 UTC
hppa stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-08-13 10:58:54 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-08-13 11:08:10 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-08-14 07:35:01 UTC
alpha stable.

Maintainer(s), please cleanup.
Comment 11 Larry the Git Cow gentoo-dev 2019-08-14 12:42:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bc9e720b51592ab68209d2348aca6767e8cc129

commit 2bc9e720b51592ab68209d2348aca6767e8cc129
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-08-14 12:42:14 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-08-14 12:42:14 +0000

    dev-lang/php: Drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/691564
    Package-Manager: Portage-2.3.71, Repoman-2.3.17
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest             |   4 -
 dev-lang/php/php-5.6.40-r4.ebuild | 789 --------------------------------------
 dev-lang/php/php-7.1.30.ebuild    | 737 -----------------------------------
 dev-lang/php/php-7.2.20.ebuild    | 749 ------------------------------------
 dev-lang/php/php-7.3.7-r1.ebuild  | 750 ------------------------------------
 5 files changed, 3029 deletions(-)
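Review bot: the four dropped ebuilds (php-5.6.40-r4, php-7.1.30, php-7.2.20, php-7.3.7-r1) are each exactly one step below the corresponding fixed version named in the bug title (5.6.40-r5, 7.1.31, 7.2.21, 7.3.8), so the cleanup removes precisely the versions the bug lists as vulnerable and nothing else; the four-line Manifest deletion is consistent with one entry per removed ebuild. Since comments 1 through 10 record every listed arch as stable on the fixed versions before this commit, no keyworded arch loses its only PHP candidate.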