Bug 889882 (CVE-2022-31631) - <dev-lang/php-{7.4.33-r1,8.0.27,8.1.14,8.2.1}: multiple vulnerabilities?
Status: CONFIRMED
Alias: CVE-2022-31631
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.php.net/ChangeLog-8.php#8...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 890367 895624
Blocks:
Reported: 2023-01-05 19:01 UTC by John Helmert III
Modified: 2023-10-08 23:48 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-05 19:01:50 UTC
"This is a security release" according to the 8.1.14
release announcement, and I see this in the changelog:

"Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)"

Unsure if there are any other security-relevant changes.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-05 19:18:07 UTC
8.2.1 is also released.
Comment 2 Larry the Git Cow gentoo-dev 2023-01-05 21:30:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea29351e6d832a664c9205ece3e60ef28ca8917a

commit ea29351e6d832a664c9205ece3e60ef28ca8917a
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-01-05 21:29:41 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-01-05 21:30:13 +0000

    dev-lang/php: Version bump for 8.1.14
    
    Bug: https://bugs.gentoo.org/889882
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-8.1.14.ebuild | 757 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 758 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=227858dba6257113140653f501de91625567cc5c

commit 227858dba6257113140653f501de91625567cc5c
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-01-05 21:11:33 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-01-05 21:30:13 +0000

    dev-lang/php: Version bump for 8.0.27
    
    Bug: https://bugs.gentoo.org/889882
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-8.0.27.ebuild | 759 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 760 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7cb74e0dfb7422871ba57d0dc76fc8531576f32e

commit 7cb74e0dfb7422871ba57d0dc76fc8531576f32e
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-01-05 20:46:07 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-01-05 21:30:13 +0000

    dev-lang/php: Apply CVE-2022-31631 patch to 7.4.33
    
    Bug: https://bugs.gentoo.org/889882
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/files/php-7.4.33-CVE-2022-31631.patch |  50 ++
 dev-lang/php/php-7.4.33-r1.ebuild                  | 750 +++++++++++++++++++++
 2 files changed, 800 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-01-06 00:08:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=335f8c2846f9c33f907d5deb92ead13a690f12c7

commit 335f8c2846f9c33f907d5deb92ead13a690f12c7
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-01-06 00:08:12 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-01-06 00:08:12 +0000

    dev-lang/php: Version bump for 8.2.1
    
    Bug: https://bugs.gentoo.org/889882
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest         |   1 +
 dev-lang/php/php-8.2.1.ebuild | 759 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 760 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-06 04:51:53 UTC
Please stabilize when ready.