From debbugs-submit-bounces@debbugs.gnu.org Sun Aug 20 16:10:25 2017 Received: (at 27808) by debbugs.gnu.org; 20 Aug 2017 20:10:25 +0000 Received: from localhost ([127.0.0.1]:46955 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1djWYC-0005lt-QN for submit@debbugs.gnu.org; Sun, 20 Aug 2017 16:10:25 -0400 Received: from mail.pompo.co ([87.243.223.35]:59618 helo=ronja.pompo.co) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1djWYA-0005lb-QE; Sun, 20 Aug 2017 16:10:23 -0400 Received: from hypatia (host81-158-26-86.range81-158.btcentralplus.com [81.158.26.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ronja.pompo.co (Postfix) with ESMTPSA id 977F2402E5; Sun, 20 Aug 2017 20:10:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pompo.co; s=mail; t=1503259815; bh=jPaMPoXJon2W1IOBlfQtPkDYdcSPeLXCn4FTTT2eH8o=; h=References:From:To:Cc:Subject:Reply-To:In-reply-to:Date:From; b=I0OCCkgQJ9TYf+HHt5bIssjUvp3HHFi9++ixpYNsm59iKmL5XOI42VsSYNm/ZX4XG iL6V6yLmKmdQYA7s4wHECa33MDokBomgxxXt1kSAamDCXR5ZucTv/ScH5Ab95Ek4Jt qejjyjMTuPRH0pPWSOvUOd+ET5Na3YP2vuxxbKfA= References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co> <20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co> <87379c39mp.fsf@gnu.org> <87k22ok24j.fsf@pompo.co> User-agent: mu4e 0.9.18; emacs 25.2.1 From: Alex Sassmannshausen To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 In-reply-to: <87k22ok24j.fsf@pompo.co> Date: Sun, 20 Aug 2017 22:10:14 +0200 Message-ID: <87fucmuhjt.fsf@pompo.co> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 27808 Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org, Leo Famulari X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: alex@pompo.co Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Hi I believe this issue is now resolved as Julien Lepiller seems to have pushed a working version of PHP 7.1.8 on 3 August with commit 1cec3462323717e063c98b6404e9c5c5ef037bdd. I will try to close the bugs (27826 & 27808). Alex Alex Sassmannshausen writes: > Ludovic Courtès writes: > >> Hi Alex, >> >> Alex Sassmannshausen skribis: >> >>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote: >>>>> Hi Leo, >>>>> >>>>> I've just submitted a patch to update PHP to version 7.1.7, which >>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine >>>>> (but also on the previous version), so I could not fully build it >>>>> (disabling tests results in a working version of PHP). >>>> >>>> I got this building with that patch: >>>> >>>> ===================================================================== >>>> FAILED TEST SUMMARY >>>> --------------------------------------------------------------------- >>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt] >>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt] >>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt] >>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt] >>>> ===================================================================== >>> >>> OK that's what I've got too. >>> >>> I guess it will need some investigation… :-( >> >> Any update? :-) >> >> Would be good not to leave the vulnerable version in the distro. > > Agreed, though I am in no position to investigate this. I was going to > propose a patch that disabled those 4 tests, but I will need to > investigate how to do that. So at the earliest I could contribute those > patches this weekend. > > Alex > >> >> TIA, >> Ludo’.