713484 – (CVE-2020-7064, CVE-2020-7065, CVE-2020-7066) <dev-lang/php-{7.2.29,7.3.16,7.4.4}: multiple vulnerabilities (CVE-2020-{7064,7065,7066})

Bug 713484 (CVE-2020-7064, CVE-2020-7065, CVE-2020-7066) - <dev-lang/php-{7.2.29,7.3.16,7.4.4}: multiple vulnerabilities (CVE-2020-{7064,7065,7066})

Summary: <dev-lang/php-{7.2.29,7.3.16,7.4.4}: multiple vulnerabilities (CVE-2020-{7064...

Status:	RESOLVED FIXED

Alias:	CVE-2020-7064, CVE-2020-7065, CVE-2020-7066

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+ cve]
Keywords:

Depends on:	714836
Blocks:
	Show dependency tree

Reported:	2020-03-19 15:36 UTC by GLSAMaker/CVETool Bot
Modified:	2020-04-22 14:06 UTC (History)
CC List:	2 users (show)

See Also:	718844
Package list:	dev-lang/php-7.2.29 dev-lang/php-7.3.16 dev-lang/php-7.4.4
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2020-03-19 15:36:43 UTC

CVE-2020-7066 (https://nvd.nist.gov/vuln/detail/CVE-2020-7066):
  get_headers() silently truncates after a null byte

CVE-2020-7065 (https://nvd.nist.gov/vuln/detail/CVE-2020-7065):
  mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full

CVE-2020-7064 (https://nvd.nist.gov/vuln/detail/CVE-2020-7064):
  Use-of-uninitialized-value in exif

Comment 1 Larry the Git Cow gentoo-dev

2020-03-19 15:38:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecac5f4b721b650a2d076167d4124c56e07bf983

commit ecac5f4b721b650a2d076167d4124c56e07bf983
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:27:24 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:45 +0000

    dev-lang/php: bump to v7.4.4
    
    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest         |   1 +
 dev-lang/php/php-7.4.4.ebuild | 746 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 747 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2dfe14621bcf66d3e8ee11fba000dbf6c0cf7b99

commit 2dfe14621bcf66d3e8ee11fba000dbf6c0cf7b99
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:25:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:44 +0000

    dev-lang/php: bump to v7.3.16
    
    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.3.16.ebuild | 756 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 757 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e20fca4c025f9708f1508db9a68f54c1ccacdf6

commit 4e20fca4c025f9708f1508db9a68f54c1ccacdf6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:24:11 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:43 +0000

    dev-lang/php: bump to v7.2.29
    
    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.2.29.ebuild | 755 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 756 insertions(+)

Comment 2 Agostino Sarubbo gentoo-dev

2020-03-26 08:28:36 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2020-03-26 08:30:03 UTC

ppc stable

Comment 4 Agostino Sarubbo gentoo-dev

2020-03-26 08:30:43 UTC

ppc64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-03-26 10:19:28 UTC

arm stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-03-26 10:25:33 UTC

x86 stable

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-26 13:13:51 UTC

Added to an existing GLSA request.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2020-03-26 13:33:24 UTC

This issue was resolved and addressed in
 GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-26 13:34:47 UTC

Re-opening for remaining architectures.

Comment 10 Rolf Eike Beer archtester

2020-03-28 09:55:39 UTC

sparc stable

Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev

2020-03-29 17:24:42 UTC

ia64 stable

Comment 12 Mart Raudsepp gentoo-dev

2020-03-30 17:24:45 UTC

arm64 stable

Comment 13 Sam James archtester

2020-04-01 04:48:35 UTC

@maintainer(s), please cleanup

Comment 14 Larry the Git Cow gentoo-dev

2020-04-01 16:50:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99f4e65f7cef12a36a016a18f3eb2a3e3397052c

commit 99f4e65f7cef12a36a016a18f3eb2a3e3397052c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 16:50:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 16:50:30 +0000

    dev-lang/php: security cleanup (bug #713484)
    
    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/Manifest             |   7 -
 dev-lang/php/php-7.2.26.ebuild    | 750 -------------------------------------
 dev-lang/php/php-7.2.27.ebuild    | 750 -------------------------------------
 dev-lang/php/php-7.2.28-r1.ebuild | 755 -------------------------------------
 dev-lang/php/php-7.3.13.ebuild    | 751 -------------------------------------
 dev-lang/php/php-7.3.14.ebuild    | 751 -------------------------------------
 dev-lang/php/php-7.3.15-r1.ebuild | 756 --------------------------------------
 dev-lang/php/php-7.4.3-r1.ebuild  | 746 -------------------------------------
 8 files changed, 5266 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8cc1e413a464528a5798b1dde931e836980c522

commit d8cc1e413a464528a5798b1dde931e836980c522
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 16:48:24 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 16:48:24 +0000

    dev-lang/php: mark hppa stable (bug #713484)
    
    Bug: https://bugs.gentoo.org/713484
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-lang/php/php-7.2.29.ebuild | 2 +-
 dev-lang/php/php-7.3.16.ebuild | 2 +-
 dev-lang/php/php-7.4.4.ebuild  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2020-04-01 16:51:06 UTC

Repository is clean, all done!

Comment 16 mentalstring 2020-04-18 17:11:49 UTC

(In reply to GLSAMaker/CVETool Bot from comment #8)
> This issue was resolved and addressed in
>  GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
> by GLSA coordinator Thomas Deutschmann (whissi).

Not sure where it is the best place to report this, but hopefully this gets seen by someone who does.

The GLSA 202003-57 doesn't seem quite right: even after installing an unaffected version (eg: 7.3.17), the glsa-check still triggers for 202003-57.

Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev

2020-04-19 01:40:10 UTC

Please show us output of `eshowkw dev-lang/php`

Comment 18 mentalstring 2020-04-19 09:03:34 UTC

Keywords for dev-lang/php:
          |                             |   u     |  
          | a a   a     p         s r   |   n     |  
          | l m   r i   p   h m s p i m | e u s   | r
          | p d a m a p c x p 6 3 a s i | a s l   | e
          | h 6 r 6 6 p 6 8 p 8 9 r c p | p e o   | p
          | a 4 m 4 4 c 4 6 a k 0 c v s | i d t   | o
----------+-----------------------------+---------+-------
   7.2.29 | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.2 | gentoo
   7.2.30 | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo
----------+-----------------------------+---------+-------
   7.3.16 | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.3 | gentoo
[I]7.3.17 | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo
----------+-----------------------------+---------+-------
    7.4.4 | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.4 | gentoo
    7.4.5 | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo

Comment 19 Hanno Böck gentoo-dev

2020-04-22 07:12:58 UTC

I'm seeing the same issue. It seems old non-vulnerable versions are detected as affected by glsa:

Checking GLSA 202003-57
>>> The following updates will be performed for this GLSA:
>>> No upgrade path exists for these packages:
     dev-lang/php-7.3.17, dev-lang/php-7.2.30


I believe this:
glsa-202003-57.xml:      <unaffected range="rge">7.2.29</unaffected>
glsa-202003-57.xml:      <unaffected range="rge">7.3.16</unaffected>
should be "ge" instead of "rge".

This would be in line with older PHP advisories like glsa-201910-01.

Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev

2020-04-22 14:06:20 UTC

@ Hanno: It's not that easy. Using "ge" would mean that anything >=7.2.29, this includes vulnerable 7.3.15, is not affected. But let's move that to bug 718844.