GNU bug report logs

#27808 PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362


Report forwarded to bug-guix@gnu.org: bug#27808; Package guix. (Mon, 24 Jul 2017 18:58:01 GMT)


Acknowledgement sent to Leo Famulari <leo@famulari.name>: New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Mon, 24 Jul 2017 18:58:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Mon, 24 Jul 2017 14:57:44 -0400
Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?

Information forwarded to bug-guix@gnu.org: bug#27808; Package guix. (Tue, 25 Jul 2017 15:27:01 GMT)


Message #8 received at 27808@debbugs.gnu.org:

From: Alex Sassmannshausen <alex@pompo.co>
To: Leo Famulari <leo@famulari.name>
Cc: 27808@debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 17:26:35 +0200
Hi Leo,

I've just submitted a patch to update PHP to version 7.1.7, which
resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
(but also on the previous version), so I could not fully build it
(disabling tests results in a working version of PHP).

The relevant patch is at 27826. If someone could try building it on
x86_64, then we could be sure it's just my local environment that messes
things up…

Alex

Leo Famulari writes:

> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?




Information forwarded to bug-guix@gnu.org: bug#27808; Package guix. (Tue, 25 Jul 2017 18:42:01 GMT)


Message #11 received at 27808@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Alex Sassmannshausen <alex@pompo.co>
Cc: 27808@debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 14:41:53 -0400
On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
> 
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).

I got this building with that patch:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================

Information forwarded to bug-guix@gnu.org: bug#27808; Package guix. (Tue, 25 Jul 2017 19:45:01 GMT)


Message #14 received at 27808@debbugs.gnu.org:

From: Alex Sassmannshausen <alex@pompo.co>
To: Leo Famulari <leo@famulari.name>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 21:44:11 +0200
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>> 
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK that's what I've got too.

I guess it will need some investigation… :-(

Thanks for testing!

Alex

Leo Famulari writes:





Information forwarded to bug-guix@gnu.org: bug#27808; Package guix. (Mon, 31 Jul 2017 15:33:02 GMT)


Message #17 received at 27808@debbugs.gnu.org:

From: ludo@gnu.org (Ludovic Courtès)
To: Alex Sassmannshausen <alex@pompo.co>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Mon, 31 Jul 2017 17:32:14 +0200
Hi Alex,

Alex Sassmannshausen <alex@pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>> 
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(

Any update?  :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo’.




Information forwarded to bug-guix@gnu.org: bug#27808; Package guix. (Mon, 31 Jul 2017 16:23:01 GMT)


Message #20 received at 27808@debbugs.gnu.org:

From: Alex Sassmannshausen <alex@pompo.co>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Mon, 31 Jul 2017 18:22:20 +0200
Ludovic Courtès writes:

> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update?  :-)
>
> Would be good not to leave the vulnerable version in the distro.

Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that.  So at the earliest I could contribute those
patches this weekend.

Alex

>
> TIA,
> Ludo’.
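The patch Alex describes above, disabling the four tests from the FAILED TEST SUMMARY, could be expressed in a Guix package definition as follows. This is an added illustration written for this page, not the Guix project's own php package; it assumes a base package `php` built with gnu-build-system whose `make test` step discovers every *.phpt file under ext/, and the module and variable names are hypothetical.

```scheme
;; Added illustration, not the Guix project's php definition.
;; Assumes a `php` package (hypothetical base) using gnu-build-system,
;; whose test phase runs upstream's run-tests.php over all ext/**/*.phpt.
(define-module (example php-skip-tests)
  #:use-module (guix packages)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages php))

;; The four tests listed in the FAILED TEST SUMMARY of this thread.
(define %known-failing-tests
  '("ext/date/tests/date-time-modify-times.phpt"
    "ext/gd/tests/bug74435.phpt"
    "ext/standard/tests/strings/bug70436.phpt"
    "ext/standard/tests/strings/bug72663_3.phpt"))

(define php-with-skipped-tests
  (package
    (inherit php)
    (arguments
     (substitute-keyword-arguments (package-arguments php)
       ((#:phases phases)
        `(modify-phases ,phases
           ;; Remove the .phpt files right after unpacking so that
           ;; run-tests.php never discovers them; every other test
           ;; in the suite still runs and still gates the build.
           (add-after 'unpack 'remove-known-failing-tests
             (lambda _
               (for-each delete-file ',%known-failing-tests)
               #t))))))))
```

Three of the four skipped files are regression tests for earlier memory-safety bugs (bug74435, bug70436, bug72663), so a build that drops them no longer verifies those fixes on this platform; the deletion list should be kept short, documented in the package, and revisited at each update.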




Added tag(s) security. Request was from ludo@gnu.org (Ludovic Courtès) to control@debbugs.gnu.org. (Wed, 02 Aug 2017 22:02:02 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org: bug#27808; Package guix. (Sun, 20 Aug 2017 20:11:01 GMT)


Message #25 received at 27808@debbugs.gnu.org:

From: Alex Sassmannshausen <alex@pompo.co>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Sun, 20 Aug 2017 22:10:14 +0200
Hi

I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.

I will try to close the bugs (27826 & 27808).

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update?  :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that.  So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.





Reply sent to alex@pompo.co: You have taken responsibility. (Sun, 20 Aug 2017 20:12:02 GMT)


Notification sent to Leo Famulari <leo@famulari.name>: bug acknowledged by developer. (Sun, 20 Aug 2017 20:12:02 GMT)


Message #30 received at 27808-done@debbugs.gnu.org:

From: Alex Sassmannshausen <alex@pompo.co>
To: 27826-done@debbugs.gnu.org, 27808-done@debbugs.gnu.org
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Sun, 20 Aug 2017 22:11:13 +0200
Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update?  :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that.  So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.





bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Mon, 18 Sep 2017 11:24:04 GMT)




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:24:16 2024; Machine Name: wallace-server
