From: Alex Sassmannshausen
Subject: bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Sun, 20 Aug 2017 22:10:14 +0200
Message-ID: <87fucmuhjt.fsf@pompo.co>
To: Ludovic Courtès
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org

Hi

I believe this issue is now resolved as Julien Lepiller seems to have pushed a
working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.

I will try to close the bugs (27826 & 27808).

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen writes:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.