From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Sassmannshausen <alex@pompo.co>
Subject: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 21:44:11 +0200
Message-ID: <87inignvxw.fsf@pompo.co>
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
	<20170725184153.GA24552@jasmine.lan>
Reply-To: alex@pompo.co
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:52950)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1da5lX-0001m3-G3
	for bug-guix@gnu.org; Tue, 25 Jul 2017 15:45:12 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1da5lP-0002TL-6E
	for bug-guix@gnu.org; Tue, 25 Jul 2017 15:45:07 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:53671)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1da5lP-0002Sc-1Y
	for bug-guix@gnu.org; Tue, 25 Jul 2017 15:45:03 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1da5lN-0007UH-P6
	for bug-guix@gnu.org; Tue, 25 Jul 2017 15:45:01 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.27808.B27808.150101186628700@debbugs.gnu.org>
In-reply-to: <20170725184153.GA24552@jasmine.lan>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org


> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>> 
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK that's what I've got too.

I guess it will need some investigation… :-(

Thanks for testing!

Alex

Leo Famulari writes: