Bug 895416 (CVE-2023-0567, CVE-2023-0568, CVE-2023-0662) - <dev-lang/php-{7.4.33-r2,8.0.28,8.1.16,8.2.3}: multiple vulnerabilities
Summary: <dev-lang/php-{7.4.33-r2,8.0.28,8.1.16,8.2.3}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-0567, CVE-2023-0568, CVE-2023-0662
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.php.net/ChangeLog-8.php#8...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 895624
Blocks:
Reported: 2023-02-19 14:27 UTC by rx80
Modified: 2023-10-08 23:49 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description rx80 2023-02-19 14:27:40 UTC
From changelog for 8.2.3, 8.1.16, 8.0.28

    Core:
        Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
        Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
    SAPI:
        Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
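The version threshold in the summary, turned into a check. This is an added example and not code from the Gentoo bug, the ebuilds or PHP: given an installed dev-lang/php version string, it compares it against the first fixed version for its series (7.4.33-r2, 8.0.28, 8.1.16 or 8.2.3) and reports whether the install is still in the vulnerable range. It assumes the input is a plain Gentoo PV[-rN] string of dotted integers, such as the version part of what `qlist -Iv dev-lang/php` prints; a missing -rN revision is treated as -r0, as Gentoo does, and _p/_rc/_alpha suffixes are not handled.

```shell
#!/bin/sh
# Added example, not part of the Gentoo bug or of PHP: tests whether an
# installed dev-lang/php version is below the fixed version named in the bug
# summary "<dev-lang/php-{7.4.33-r2,8.0.28,8.1.16,8.2.3}".
# Assumption: versions are plain Gentoo PV[-rN] strings of dotted integers
# (8.1.15, 7.4.33-r1); _p/_rc/_alpha suffixes are not handled.

# vercmp A B: prints -1, 0 or 1 for A < B, A = B, A > B.
# Dotted components are compared numerically left to right; a missing
# component counts as 0, and a missing "-rN" revision counts as -r0.
vercmp() {
    a_base=${1%%-r*}; a_rev=${1#"$a_base"}; a_rev=${a_rev#-r}; a_rev=${a_rev:-0}
    b_base=${2%%-r*}; b_rev=${2#"$b_base"}; b_rev=${b_rev#-r}; b_rev=${b_rev:-0}
    while [ -n "$a_base" ] || [ -n "$b_base" ]; do
        a_c=${a_base%%.*}; b_c=${b_base%%.*}
        case $a_base in *.*) a_base=${a_base#*.} ;; *) a_base= ;; esac
        case $b_base in *.*) b_base=${b_base#*.} ;; *) b_base= ;; esac
        if [ "${a_c:-0}" -lt "${b_c:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${a_c:-0}" -gt "${b_c:-0}" ]; then printf '%s\n' 1;  return 0; fi
    done
    if   [ "$a_rev" -lt "$b_rev" ]; then printf '%s\n' -1
    elif [ "$a_rev" -gt "$b_rev" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# php_fixed_version VER: prints the first fixed version for VER's series
# (major.minor slot), per the bug summary; fails for a series the bug does
# not cover.
php_fixed_version() {
    case $1 in
        7.4.*) printf '%s\n' 7.4.33-r2 ;;
        8.0.*) printf '%s\n' 8.0.28 ;;
        8.1.*) printf '%s\n' 8.1.16 ;;
        8.2.*) printf '%s\n' 8.2.3 ;;
        *)     return 1 ;;
    esac
}

# php_is_vulnerable VER: exit 0 if VER is older than its series' fixed
# version, 1 if it is fixed, 2 if the series is not covered by this bug.
php_is_vulnerable() {
    fixed=$(php_fixed_version "$1") || return 2
    [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# Stand-alone use: sh php-895416-check.sh 8.1.15 7.4.33-r2 8.3.0
for v in "$@"; do
    if php_is_vulnerable "$v"; then echo "$v: vulnerable (bug 895416)"
    elif [ $? -eq 2 ]; then echo "$v: series not covered by bug 895416"
    else echo "$v: fixed"
    fi
done
```

The revision handling is the part worth getting right: the 7.4 fix is a revbump of the same upstream release, so 7.4.33 and 7.4.33-r1 are still affected while 7.4.33-r2 is not, and a comparison that drops the -rN suffix would report a patched 7.4 install as vulnerable. Versions outside the four series the bug names (8.3 and later, or anything older than 7.4) get a distinct exit status rather than a guess.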
Comment 1 Larry the Git Cow (gentoo-dev) 2023-02-20 19:43:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8a5c3e91728ad636d1e36b7b793d3b7688ca45b

commit c8a5c3e91728ad636d1e36b7b793d3b7688ca45b
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-02-20 19:41:08 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-02-20 19:43:14 +0000

    dev-lang/php: Version bump for 8.2.3
    
    Bug: https://bugs.gentoo.org/895416
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest         |   1 +
 dev-lang/php/php-8.2.3.ebuild | 759 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 760 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cb938cd4f61ab78f72abb7c421e03d6d57499e9

commit 6cb938cd4f61ab78f72abb7c421e03d6d57499e9
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-02-20 18:48:48 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-02-20 19:43:14 +0000

    dev-lang/php: Version bump for 8.1.16
    
    Bug: https://bugs.gentoo.org/895416
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-8.1.16.ebuild | 757 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 758 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fe23c565f19e1b0af60f3081854aab95f94c903

commit 5fe23c565f19e1b0af60f3081854aab95f94c903
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-02-20 18:27:49 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-02-20 19:43:13 +0000

    dev-lang/php: Version bump for 8.0.28
    
    Bug: https://bugs.gentoo.org/895416
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-8.0.28.ebuild | 759 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 760 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b711589df12322ac7ca3cbe4e5889a623dc81a96

commit b711589df12322ac7ca3cbe4e5889a623dc81a96
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2023-02-20 18:07:03 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2023-02-20 19:43:13 +0000

    dev-lang/php: Revbump for backporting CVE patches to 7.4
    
    Bug: https://bugs.gentoo.org/895416
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/files/php-7.4.33-CVE-2023-0567.patch | 114 ++++
 dev-lang/php/files/php-7.4.33-CVE-2023-0568.patch |  37 ++
 dev-lang/php/files/php-7.4.33-CVE-2023-0662.patch |  48 ++
 dev-lang/php/php-7.4.33-r2.ebuild                 | 753 ++++++++++++++++++++++
 4 files changed, 952 insertions(+)
Comment 2 rx80 2023-02-20 20:36:07 UTC
Thank you for your quick update. 8.2.3 tested on two amd64 machines, in cli and fpm mode, installs and works as expected.
Comment 3 John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-02-20 20:47:29 UTC
Thanks!