* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
@ 2017-07-24 18:57 Leo Famulari
2017-07-25 15:26 ` Alex Sassmannshausen
0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2017-07-24 18:57 UTC (permalink / raw)
To: 27808
[-- Attachment #1: Type: text/plain, Size: 357 bytes --]
Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
This one looks especially bad:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
Can someone please take a look at this?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-24 18:57 bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 Leo Famulari
@ 2017-07-25 15:26 ` Alex Sassmannshausen
2017-07-25 18:41 ` Leo Famulari
0 siblings, 1 reply; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-07-25 15:26 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27808
Hi Leo,
I've just submitted a patch to update PHP to version 7.1.7, which
resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
(but also on the previous version), so I could not fully build it
(disabling tests results in a working version of PHP).
The relevant patch is at 27826. If someone could try building it, on
x86_64 then we could be sure it's just my local environment that messes
things up…
Alex
Leo Famulari writes:
> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-25 15:26 ` Alex Sassmannshausen
@ 2017-07-25 18:41 ` Leo Famulari
2017-07-25 19:44 ` Alex Sassmannshausen
0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2017-07-25 18:41 UTC (permalink / raw)
To: Alex Sassmannshausen; +Cc: 27808
[-- Attachment #1: Type: text/plain, Size: 1055 bytes --]
On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
>
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).
I got this building with that patch:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-25 18:41 ` Leo Famulari
@ 2017-07-25 19:44 ` Alex Sassmannshausen
2017-07-31 15:32 ` bug#27808: [bug#27826] " Ludovic Courtès
0 siblings, 1 reply; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-07-25 19:44 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27826, 27808
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>>
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================
OK that's what I've got too.
I guess it will need some investigation… :-(
Thanks for testing!
Alex
Leo Famulari writes:
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-25 19:44 ` Alex Sassmannshausen
@ 2017-07-31 15:32 ` Ludovic Courtès
2017-07-31 16:22 ` Alex Sassmannshausen
0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-07-31 15:32 UTC (permalink / raw)
To: Alex Sassmannshausen; +Cc: 27826, 27808
Hi Alex,
Alex Sassmannshausen <alex@pompo.co> skribis:
>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(
Any update? :-)
Would be good not to leave the vulnerable version in the distro.
TIA,
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-31 15:32 ` bug#27808: [bug#27826] " Ludovic Courtès
@ 2017-07-31 16:22 ` Alex Sassmannshausen
2017-08-20 20:10 ` Alex Sassmannshausen
2017-08-20 20:11 ` Alex Sassmannshausen
0 siblings, 2 replies; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-07-31 16:22 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27826, 27808
Ludovic Courtès writes:
> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update? :-)
>
> Would be good not to leave the vulnerable version in the distro.
Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that. So at the earliest I could contribute those
patches this weekend.
Alex
>
> TIA,
> Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-31 16:22 ` Alex Sassmannshausen
@ 2017-08-20 20:10 ` Alex Sassmannshausen
2017-08-20 20:11 ` Alex Sassmannshausen
1 sibling, 0 replies; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-08-20 20:10 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27826, 27808
Hi
I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.
I will try to close the bugs (27826 & 27808).
Alex
Alex Sassmannshausen writes:
> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-31 16:22 ` Alex Sassmannshausen
2017-08-20 20:10 ` Alex Sassmannshausen
@ 2017-08-20 20:11 ` Alex Sassmannshausen
1 sibling, 0 replies; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-08-20 20:11 UTC (permalink / raw)
To: 27826-done, 27808-done
Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.
Alex
Alex Sassmannshausen writes:
> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-08-20 20:12 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-24 18:57 bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 Leo Famulari
2017-07-25 15:26 ` Alex Sassmannshausen
2017-07-25 18:41 ` Leo Famulari
2017-07-25 19:44 ` Alex Sassmannshausen
2017-07-31 15:32 ` bug#27808: [bug#27826] " Ludovic Courtès
2017-07-31 16:22 ` Alex Sassmannshausen
2017-08-20 20:10 ` Alex Sassmannshausen
2017-08-20 20:11 ` Alex Sassmannshausen
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).