Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710304 (CVE-2020-7061, CVE-2020-7062, CVE-2020-7063) - <dev-lang/php-{7.4.3,7.3.15,7.2.28}: multiple vulnerabilities (CVE-2020-{7061,7062,7063})
Summary: <dev-lang/php-{7.4.3,7.3.15,7.2.28}: multiple vulnerabilities (CVE-2020-{7061...
Alias: CVE-2020-7061, CVE-2020-7062, CVE-2020-7063
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Depends on:
Reported: 2020-02-20 16:13 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-26 13:33 UTC (History)
3 users (show)

See Also:
Package list:
dev-lang/php-7.4.3-r1 dev-lang/php-7.3.15-r1 dev-lang/php-7.2.28-r1 virtual/httpd-php-7.4
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-20 16:13:35 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-20 16:16:25 UTC
CVE-2020-7061: heap-buffer-overflow in phar_extract_file

CVE-2020-7062: Null Pointer Dereference in PHP Session Upload Progress

CVE-2020-7063: Files added to tar with Phar::buildFromIterator have all-access permissions
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-02-23 12:16:08 UTC
amd64 stable
Comment 3 Larry the Git Cow gentoo-dev 2020-02-23 22:49:48 UTC
The bug has been referenced in the following commit(s):

commit 6bfa335a2777b3d09e8c3be3e4d1996e93dc694b
Author:     Thomas Deutschmann <>
AuthorDate: 2020-02-23 22:49:38 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-02-23 22:49:38 +0000

    virtual/httpd-php: amd64 stable (bug #710304)
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <>

 virtual/httpd-php/httpd-php-7.4.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-24 11:29:03 UTC
ia64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-24 11:32:22 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-02-24 11:44:54 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-24 12:51:07 UTC
x86 stable
Comment 8 Rolf Eike Beer archtester 2020-02-26 22:36:02 UTC
sparc stable
Comment 9 Stabilization helper bot gentoo-dev 2020-03-01 17:01:49 UTC
An automated check of this bug failed - the following atoms are unknown:


Please verify the atom list.
Comment 10 Rolf Eike Beer archtester 2020-03-02 18:28:47 UTC
hppa stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-05 15:06:44 UTC
arm stable
Comment 12 Mart Raudsepp gentoo-dev 2020-03-17 20:48:51 UTC
arm64 stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 13:12:53 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-03-26 13:33:16 UTC
This issue was resolved and addressed in
 GLSA 202003-57 at
by GLSA coordinator Thomas Deutschmann (whissi).