* [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
[not found] ` <20170725184153.GA24552@jasmine.lan>
@ 2017-07-25 19:44 ` Alex Sassmannshausen
2017-07-31 15:32 ` Ludovic Courtès
0 siblings, 1 reply; 5+ messages in thread
From: Alex Sassmannshausen @ 2017-07-25 19:44 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27826, 27808
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>>
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================
OK that's what I've got too.
I guess it will need some investigation… :-(
Thanks for testing!
Alex
Leo Famulari writes:
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-25 19:44 ` [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 Alex Sassmannshausen
@ 2017-07-31 15:32 ` Ludovic Courtès
2017-07-31 16:22 ` Alex Sassmannshausen
0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2017-07-31 15:32 UTC (permalink / raw)
To: Alex Sassmannshausen; +Cc: 27826, 27808
Hi Alex,
Alex Sassmannshausen <alex@pompo.co> skribis:
>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(
Any update? :-)
Would be good not to leave the vulnerable version in the distro.
TIA,
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-31 15:32 ` Ludovic Courtès
@ 2017-07-31 16:22 ` Alex Sassmannshausen
2017-08-20 20:10 ` Alex Sassmannshausen
2017-08-20 20:11 ` bug#27826: " Alex Sassmannshausen
0 siblings, 2 replies; 5+ messages in thread
From: Alex Sassmannshausen @ 2017-07-31 16:22 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27826, 27808
Ludovic Courtès writes:
> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update? :-)
>
> Would be good not to leave the vulnerable version in the distro.
Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that. So at the earliest I could contribute those
patches this weekend.
Alex
>
> TIA,
> Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-31 16:22 ` Alex Sassmannshausen
@ 2017-08-20 20:10 ` Alex Sassmannshausen
2017-08-20 20:11 ` bug#27826: " Alex Sassmannshausen
1 sibling, 0 replies; 5+ messages in thread
From: Alex Sassmannshausen @ 2017-08-20 20:10 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27826, 27808
Hi
I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.
I will try to close the bugs (27826 & 27808).
Alex
Alex Sassmannshausen writes:
> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#27826: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
2017-07-31 16:22 ` Alex Sassmannshausen
2017-08-20 20:10 ` Alex Sassmannshausen
@ 2017-08-20 20:11 ` Alex Sassmannshausen
1 sibling, 0 replies; 5+ messages in thread
From: Alex Sassmannshausen @ 2017-08-20 20:11 UTC (permalink / raw)
To: 27826-done, 27808-done
Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.
Alex
Alex Sassmannshausen writes:
> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update? :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that. So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-08-20 20:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20170724185744.GA4997@jasmine.lan>
[not found] ` <87k22wo7v8.fsf@pompo.co>
[not found] ` <20170725184153.GA24552@jasmine.lan>
2017-07-25 19:44 ` [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 Alex Sassmannshausen
2017-07-31 15:32 ` Ludovic Courtès
2017-07-31 16:22 ` Alex Sassmannshausen
2017-08-20 20:10 ` Alex Sassmannshausen
2017-08-20 20:11 ` bug#27826: " Alex Sassmannshausen
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).