From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alex Sassmannshausen Subject: bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 Date: Mon, 31 Jul 2017 18:22:20 +0200 Message-ID: <87k22ok24j.fsf@pompo.co> References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co> <20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co> <87379c39mp.fsf@gnu.org> Reply-To: alex@pompo.co Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:39764) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dcDTF-0005Ga-Dq for bug-guix@gnu.org; Mon, 31 Jul 2017 12:23:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dcDTC-0005e9-24 for bug-guix@gnu.org; Mon, 31 Jul 2017 12:23:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:32902) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dcDTB-0005dj-Uj for bug-guix@gnu.org; Mon, 31 Jul 2017 12:23:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dcDTB-0007va-L7 for bug-guix@gnu.org; Mon, 31 Jul 2017 12:23:01 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-reply-to: <87379c39mp.fsf@gnu.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org Ludovic Courtès writes: > Hi Alex, > > Alex Sassmannshausen skribis: > >>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote: >>>> Hi Leo, >>>> >>>> I've just submitted a patch to update PHP to version 7.1.7, which >>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine >>>> (but also on the previous version), so I could not fully build it >>>> (disabling tests results in a working version of PHP). >>> >>> I got this building with that patch: >>> >>> ===================================================================== >>> FAILED TEST SUMMARY >>> --------------------------------------------------------------------- >>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt] >>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt] >>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt] >>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt] >>> ===================================================================== >> >> OK that's what I've got too. >> >> I guess it will need some investigation… :-( > > Any update? :-) > > Would be good not to leave the vulnerable version in the distro. Agreed, though I am in no position to investigate this. I was going to propose a patch that disabled those 4 tests, but I will need to investigate how to do that. So at the earliest I could contribute those patches this weekend. Alex > > TIA, > Ludo’.