From: Alex Sassmannshausen <alex@pompo.co>
To: Leo Famulari
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 21:44:11 +0200
Message-ID: <87inignvxw.fsf@pompo.co>
In-reply-to: <20170725184153.GA24552@jasmine.lan>
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co> <20170725184153.GA24552@jasmine.lan>

Leo Famulari writes:

> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>>
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK, that's what I've got too. I guess it will need some investigation… :-(

Thanks for testing!

Alex