From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
Subject: bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145,
	CVE-2017-11362
Date: Mon, 31 Jul 2017 17:32:14 +0200
Message-ID: <87379c39mp.fsf@gnu.org>
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
	<20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53974)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dcCgp-0007DI-8O
	for bug-guix@gnu.org; Mon, 31 Jul 2017 11:33:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dcCgo-0007Iu-B8
	for bug-guix@gnu.org; Mon, 31 Jul 2017 11:33:03 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:32875)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1dcCgo-0007Ij-7b
	for bug-guix@gnu.org; Mon, 31 Jul 2017 11:33:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dcCgo-0006mS-1K
	for bug-guix@gnu.org; Mon, 31 Jul 2017 11:33:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.27808.B27808.150151514526006@debbugs.gnu.org>
In-Reply-To: <87inignvxw.fsf@pompo.co> (Alex Sassmannshausen's message of
	"Tue, 25 Jul 2017 21:44:11 +0200")
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Alex Sassmannshausen <alex@pompo.co>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org

Hi Alex,

Alex Sassmannshausen <alex@pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>=20
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/test=
s/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bu=
g74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/=
tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in D=
eserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> OK that's what I've got too.
>
> I guess it will need some investigation=E2=80=A6 :-(

Any update?  :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo=E2=80=99.

From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54006)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dcCgs-0007EC-N8
	for guix-patches@gnu.org; Mon, 31 Jul 2017 11:33:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dcCgo-0007JF-Qg
	for guix-patches@gnu.org; Mon, 31 Jul 2017 11:33:06 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:32876)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1dcCgo-0007J9-My
	for guix-patches@gnu.org; Mon, 31 Jul 2017 11:33:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dcCgo-0006mZ-Go
	for guix-patches@gnu.org; Mon, 31 Jul 2017 11:33:02 -0400
Subject: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145,
	CVE-2017-11362
Resent-Message-ID: <handler.27826.B27826.150151515326030@debbugs.gnu.org>
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
	<20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co>
Date: Mon, 31 Jul 2017 17:32:14 +0200
In-Reply-To: <87inignvxw.fsf@pompo.co> (Alex Sassmannshausen's message of
	"Tue, 25 Jul 2017 21:44:11 +0200")
Message-ID: <87379c39mp.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Alex Sassmannshausen <alex@pompo.co>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org

Hi Alex,

Alex Sassmannshausen <alex@pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>=20
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/test=
s/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bu=
g74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/=
tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in D=
eserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> OK that's what I've got too.
>
> I guess it will need some investigation=E2=80=A6 :-(

Any update?  :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo=E2=80=99.