From unknown Mon Aug 18 17:56:40 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Mon, 24 Jul 2017 18:58:01 +0000
Resent-Message-ID: <handler.27808.B.150092267926729@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 27808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 27808@debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.150092267926729
          (code B ref -1); Mon, 24 Jul 2017 18:58:01 +0000
Received: (at submit) by debbugs.gnu.org; 24 Jul 2017 18:57:59 +0000
Received: from localhost ([127.0.0.1]:54668 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dZiYJ-0006x3-6j
	for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:59 -0400
Received: from eggs.gnu.org ([208.118.235.92]:36732)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1dZiYH-0006wq-VO
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiYB-000594-T1
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:52 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00,SUBJ_ALL_CAPS,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:50969)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dZiYB-00058y-PC
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:51 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55935)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiYA-0008J8-Kx
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiY6-00057w-Of
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:50 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40127)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dZiY6-00057J-2B
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:46 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 41F8E2243C;
 Mon, 24 Jul 2017 14:57:45 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Mon, 24 Jul 2017 14:57:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=YQD
 J6b5F46EUiMPVgnbz3SzVsYApe76Ar+ScZPT+exs=; b=Km+CdiFXncl5PlhxysK
 Nc7LbQqKD1gksNlpk2EntqWGaHx8NrEmAldZul4j/PsTmQuOn0VaR8I/uQUOqGkt
 fCH38X3z9v3bwiuA8vEp9MMjvLRYSiKR36iSCM3qDDpfTJtqJ/iFr+6R/uK+t71F
 8h4OAhsLEEkzKaDZs5FH/I24=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=fm1; bh=YQDJ6b5F46EUiMPVgnbz3SzVsYApe76Ar+ScZPT+e
 xs=; b=UdajGBe5I2Getbc+DQKRW99epEW+/nb022GMQkMg9RsSonx7J239etq2u
 MPoQ4nKw+30RFL+y9i6+6zVtyn/JoQ7xDfS0V/Z6Woa/Y1CxQmpZ4OokWIDYupFN
 DUFJKVO9vOKuQNK1TePly2FGBlvMA5Q+SxHfMobJNGjY9gSuFyqEdKXxX/vUbk6u
 TN+B3H43IFc9BEqWVc2NNjXwQKkjvLuUAQDShBcSsLJoZka1O8YJyYEAK0OXmDV8
 OQFyS6Ld6t0RBbEmt9zEtMx5zkMxrpSHcdgz7xg/FgM/+/iQxpR4mbrwwc5Z/lQy
 Lfp6eNx2XedbZbm5kE7MzOrV/MwxA==
X-ME-Sender: <xms:KUN2WdwkhVhQ8l34BzxUyrWsYow3zhHnieElBJE0hYmGQZa3EoWO9Q>
X-Sasl-enc: l39okwTZHiGjh0UHSZDFrfBrKGsALzMy993YLqJ5nwdZ 1500922665
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id 03CB27E2DE
 for <bug-guix@gnu.org>; Mon, 24 Jul 2017 14:57:44 -0400 (EDT)
Date: Mon, 24 Jul 2017 14:57:44 -0400
From: Leo Famulari <leo@famulari.name>
Message-ID: <20170724185744.GA4997@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf"
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.2 (-----)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.2 (-----)


--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?

--J2SCkAp4GZ/dPZZf
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAll2QyQACgkQJkb6MLrK
fwib1Q/6AvhmCk96bwJY9x9xI4vu9iTV7abi0nN2aKWtERlQpRWMCU6d1RKhPz67
OQtT8XYB2mmvuPRl5lk3QT0Bl0+LeLBkhE2jyP0zGMoNVLqatDb4PhuBh+JmyF65
MJd+AJ+Vqy5jV6PIPVK1LbwTSuFegF1BzEpvKyn2PkXvH//dsF+7PxL6rP39qsId
gkbH4Xce7Ou7zCvJDBZ4C9JOuhLDxZiUQO99EVCMMubmVatNeB/nNlg6mugapLmV
KWdRUjD2+jLNmjLeRGyCyzr0/bbt1RvHpcCHopKh6iOnDpjMtoajJXvLseAgpPJp
Ck2p36fjBAdX9U1zAlKdLdMjAZNRJvtPL47zOBsXlfzFYsOghmBPhIUvVA6tycTo
cNYGdjfM92UvSQs0SP30HsxruHsIHYZmx7GYM/BsiiwiOX+R7bsGrPY4jIo4hABs
CJpkyEsI7oR1xp8CyuYyibA6NCnq7zFIBhbK6FAho0/SXbGHWlY6eJL/X15SiduJ
TTJFKM8+YDxvGmExd/1oAIgNH+39Ck0siaI7zlU7v3SXSD9fMVTji23UdMnVTY/E
OYZRgs5IMAeP6N7TUIePC7bfAB+1JsJrRpWz3CTpuxdcMXZRpKA95o0CgbJ/X7y+
Vi934pZF12NRi7t+Wuv8jCEg3PzF/ujXLTaBIvByMpcrcooWl8A=
=WEg8
-----END PGP SIGNATURE-----

--J2SCkAp4GZ/dPZZf--




From unknown Mon Aug 18 17:56:40 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Resent-From: Alex Sassmannshausen <alex@pompo.co>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Tue, 25 Jul 2017 15:27:01 +0000
Resent-Message-ID: <handler.27808.B27808.150099641228587@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 27808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Leo Famulari <leo@famulari.name>
Cc: 27808@debbugs.gnu.org
Reply-To: alex@pompo.co
Received: via spool by 27808-submit@debbugs.gnu.org id=B27808.150099641228587
          (code B ref 27808); Tue, 25 Jul 2017 15:27:01 +0000
Received: (at 27808) by debbugs.gnu.org; 25 Jul 2017 15:26:52 +0000
Received: from localhost ([127.0.0.1]:56091 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1da1jX-0007R1-P5
	for submit@debbugs.gnu.org; Tue, 25 Jul 2017 11:26:51 -0400
Received: from mail.pompo.co ([87.243.223.35]:50947 helo=ronja.pompo.co)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alex@pompo.co>) id 1da1jV-0007Qn-Jb
 for 27808@debbugs.gnu.org; Tue, 25 Jul 2017 11:26:50 -0400
Received: from pegasus (unknown [109.131.47.218])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ronja.pompo.co (Postfix) with ESMTPSA id 036BA402E5;
 Tue, 25 Jul 2017 15:26:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pompo.co; s=mail;
 t=1500996403; bh=3kkMq0ZX/KRPXbMXeAoS1IVgW2zZm1WMnuON6RwHQ4E=;
 h=References:From:To:Cc:Subject:Reply-To:In-reply-to:Date:From;
 b=PC8ITTT2XsVpSr3mYoKAAnWtAtcCQPksLMm+/zHLXQmfITnos9WnZbXxiay/AtGNQ
 ceilBEbZkgtdbrQ/Bb6eIzzYvyalBMSNFzH04vXX+PL5+CtRB6QDN/9g4dpNK0Eudq
 /kC/19O/2tYyTJEw7qgnlBJ7SpBxDb1jgSgyJeYA=
References: <20170724185744.GA4997@jasmine.lan>
User-agent: mu4e 0.9.18; emacs 25.2.1
From: Alex Sassmannshausen <alex@pompo.co>
In-reply-to: <20170724185744.GA4997@jasmine.lan>
Date: Tue, 25 Jul 2017 17:26:35 +0200
Message-ID: <87k22wo7v8.fsf@pompo.co>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

Hi Leo,

I've just submitted a patch to update PHP to version 7.1.7, which
resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
(but also on the previous version), so I could not fully build it
(disabling tests results in a working version of PHP).

The relevant patch is at 27826. If someone could try building it, on
x86_64 then we could be sure it's just my local environment that messes
things up…

Alex

Leo Famulari writes:

> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?




From unknown Mon Aug 18 17:56:40 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Tue, 25 Jul 2017 18:42:01 +0000
Resent-Message-ID: <handler.27808.B27808.150100811721413@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 27808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Alex Sassmannshausen <alex@pompo.co>
Cc: 27808@debbugs.gnu.org
Received: via spool by 27808-submit@debbugs.gnu.org id=B27808.150100811721413
          (code B ref 27808); Tue, 25 Jul 2017 18:42:01 +0000
Received: (at 27808) by debbugs.gnu.org; 25 Jul 2017 18:41:57 +0000
Received: from localhost ([127.0.0.1]:56267 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1da4mL-0005ZJ-Ac
	for submit@debbugs.gnu.org; Tue, 25 Jul 2017 14:41:57 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:35071)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1da4mJ-0005Z9-NO
 for 27808@debbugs.gnu.org; Tue, 25 Jul 2017 14:41:56 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 6EFE92081E;
 Tue, 25 Jul 2017 14:41:55 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Tue, 25 Jul 2017 14:41:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=fAQXaB2XIA8AkJvhW0Y0NlW1nM6rUZnSpl+uyF
 z5o5U=; b=yM1P4U1WcvzhNl8GZL8E/4M1lTpOEa3zH2joxEw9TzxQqJnOXX627j
 no5P+WjLSR4APlXcJPfmEN7gI3tRtxtu9mbAAXaG8MFeeckgFaJYMofeobcgR5jJ
 G+y5H4n1X2lkwvzqiT22gyC5OnbVxJAukz1wuvdwfe2IOXcWipFoo=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=fAQXaB2XIA8AkJvhW0
 Y0NlW1nM6rUZnSpl+uyFz5o5U=; b=fa3wA7DCQcnD+roWxXaSjWozhX7LG/oU2n
 JW7JK8zpsziUJsU7uMakjny8yohPTTtTrR2ckNt44SmwfLnhvFQHSJ8JGIcb5mlQ
 HxS0nwWe1I3404DUcoEBhKWAopkkxfuBHhYzmEh7mPz2QVKz8wFEyrmrDwLwsUky
 W3aCJ7vu6xYiCnmA5iIdrdEvhVBHKS/YqPiwFT6coZRkoPb6QRY7fr/lgzBZKhDF
 cRckMAyEh8yqV44eNYavAc6PxT885jpLTcwSHx8XBOkZy8ItFkO2BDj8fhFiuQ7d
 aS6u0k4FkPWUULGsHowlnY8SFPMKhT1GYnDqhbePhgDbcs1RbZ2Q==
X-ME-Sender: <xms:85B3WecgPFY1hJ33AJjABGMMX0db4SRdUz2S8Pb1N2DU7-va1327Ug>
X-Sasl-enc: FZCkMlL+58CE8nswJe4XXTpu3eW6twQTSDfXJfmrIrbR 1501008115
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id 2647E243A7;
 Tue, 25 Jul 2017 14:41:55 -0400 (EDT)
Date: Tue, 25 Jul 2017 14:41:53 -0400
From: Leo Famulari <leo@famulari.name>
Message-ID: <20170725184153.GA24552@jasmine.lan>
References: <20170724185744.GA4997@jasmine.lan>
 <87k22wo7v8.fsf@pompo.co>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="2oS5YaxWCcQjTEyO"
Content-Disposition: inline
In-Reply-To: <87k22wo7v8.fsf@pompo.co>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
>=20
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).

I got this building with that patch:

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/d=
ate-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74=
435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tes=
ts/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Dese=
rialization [ext/standard/tests/strings/bug72663_3.phpt]
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

--2oS5YaxWCcQjTEyO
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAll3kPEACgkQJkb6MLrK
fwijKg//eHcD8K78TyXq3L4jBVTB8xUv6rOEJZnU6fwifd1PtBtYyw3ujJUXX8V3
GpjfTmsKTA1L/QKz4J8O2tlxFlfsltv93Fqd9Fi00rkkEIuFrcoAp4FaqoXh6skp
sTCr5khqmqtZkIk+kzXiqAxNyCFUor9dPOOLf9nMD1EkyFPLnbbpNSiUxif6XFhC
RKJp4no788sVaiysy3RKQ25JIkLVTyYuA7518j4vl1geZgawFpio31dux0vU2IwB
bljeA8c9AieKu+RVMjEJnNRWzXDz8TdsKxQkRZgnr3mF9XQpQG3ALeFeiw+yDwRs
ISiTKevi2++VevR7PgufB6kC3l+3r8zq96sQ1N1+1sTo5Iv+P6RU8v1UEabj492I
EudndrLUofn5D+sYaD3x/BvS7HTla6VoiPEp0INqQSSrcORNSHQpdFuqX5AXaWOH
BiaOC5OCtC4dpHaM4qqY1bqjT44qsebK+dj41g9Q79B0vrSMYY15UZTBnnrNBgwC
aZDagzTjQu66Ygy6muZ7JWO8Xopo27h5+dVme7w1IF79EZnlUEcpA4vJoe2JtOlA
ic4Zb/trA83OhT4JA6XpXdzIjbHDALl5SXP/xRvbgFvftyhgKwQP85wqU0AEVdNR
GIVm8iTCULqaFI72saHptLI1Yyu8OCL7kFn+y7bsXO/foIyFXIw=
=DBPa
-----END PGP SIGNATURE-----

--2oS5YaxWCcQjTEyO--




From unknown Mon Aug 18 17:56:40 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Resent-From: Alex Sassmannshausen <alex@pompo.co>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Tue, 25 Jul 2017 19:45:01 +0000
Resent-Message-ID: <handler.27808.B27808.150101186628700@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 27808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Leo Famulari <leo@famulari.name>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org
Reply-To: alex@pompo.co
Received: via spool by 27808-submit@debbugs.gnu.org id=B27808.150101186628700
          (code B ref 27808); Tue, 25 Jul 2017 19:45:01 +0000
Received: (at 27808) by debbugs.gnu.org; 25 Jul 2017 19:44:26 +0000
Received: from localhost ([127.0.0.1]:56346 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1da5kn-0007So-RT
	for submit@debbugs.gnu.org; Tue, 25 Jul 2017 15:44:26 -0400
Received: from mail.pompo.co ([87.243.223.35]:51460 helo=ronja.pompo.co)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alex@pompo.co>)
 id 1da5km-0007SV-IT; Tue, 25 Jul 2017 15:44:25 -0400
Received: from pegasus (unknown [109.131.47.218])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ronja.pompo.co (Postfix) with ESMTPSA id E8823402E5;
 Tue, 25 Jul 2017 19:44:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pompo.co; s=mail;
 t=1501011858; bh=a2GLiLt38wFx1Dm6LDIHrdHjur6vcZ6zPKeLpO05D7k=;
 h=References:From:To:Cc:Subject:Reply-To:In-reply-to:Date:From;
 b=HznY8KrA8IHTLICAS+Gr/vavzGoSJ/G6gNlqRLn2/uzzRyHhrccuE5XnKuqKw9VHb
 Nch3kI4ZG18vFB/tSZZERNa7tkcd8tSun/K5A/vgdjgr4yl0cH2GJ7H2zyWGFJSiws
 VeQciv6rRWsXF7T0On6og8Rfwi3/hUR7zaoz0r40=
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
 <20170725184153.GA24552@jasmine.lan>
User-agent: mu4e 0.9.18; emacs 25.2.1
From: Alex Sassmannshausen <alex@pompo.co>
In-reply-to: <20170725184153.GA24552@jasmine.lan>
Date: Tue, 25 Jul 2017 21:44:11 +0200
Message-ID: <87inignvxw.fsf@pompo.co>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)


> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>> 
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK that's what I've got too.

I guess it will need some investigation… :-(

Thanks for testing!

Alex

Leo Famulari writes:





From unknown Mon Aug 18 17:56:40 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Resent-From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Mon, 31 Jul 2017 15:33:01 +0000
Resent-Message-ID: <handler.27808.B27808.150151514526006@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 27808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Alex Sassmannshausen <alex@pompo.co>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Received: via spool by 27808-submit@debbugs.gnu.org id=B27808.150151514526006
          (code B ref 27808); Mon, 31 Jul 2017 15:33:01 +0000
Received: (at 27808) by debbugs.gnu.org; 31 Jul 2017 15:32:25 +0000
Received: from localhost ([127.0.0.1]:35549 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dcCgC-0006lO-UL
	for submit@debbugs.gnu.org; Mon, 31 Jul 2017 11:32:25 -0400
Received: from eggs.gnu.org ([208.118.235.92]:34473)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1dcCgB-0006l8-GL
 for 27808@debbugs.gnu.org; Mon, 31 Jul 2017 11:32:23 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@gnu.org>) id 1dcCg5-0006oI-8T
 for 27808@debbugs.gnu.org; Mon, 31 Jul 2017 11:32:18 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_40,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:55310)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1dcCg5-0006oA-5N; Mon, 31 Jul 2017 11:32:17 -0400
Received: from [193.50.110.251] (port=37108 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1dcCg4-0001OU-Lc; Mon, 31 Jul 2017 11:32:17 -0400
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
 <20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co>
Date: Mon, 31 Jul 2017 17:32:14 +0200
In-Reply-To: <87inignvxw.fsf@pompo.co> (Alex Sassmannshausen's message of
 "Tue, 25 Jul 2017 21:44:11 +0200")
Message-ID: <87379c39mp.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Hi Alex,

Alex Sassmannshausen <alex@pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>>=20
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/test=
s/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bu=
g74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/=
tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in D=
eserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> OK that's what I've got too.
>
> I guess it will need some investigation=E2=80=A6 :-(

Any update?  :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo=E2=80=99.




From unknown Mon Aug 18 17:56:40 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Resent-From: Alex Sassmannshausen <alex@pompo.co>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Mon, 31 Jul 2017 16:23:01 +0000
Resent-Message-ID: <handler.27808.B27808.150151815630432@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 27808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Reply-To: alex@pompo.co
Received: via spool by 27808-submit@debbugs.gnu.org id=B27808.150151815630432
          (code B ref 27808); Mon, 31 Jul 2017 16:23:01 +0000
Received: (at 27808) by debbugs.gnu.org; 31 Jul 2017 16:22:36 +0000
Received: from localhost ([127.0.0.1]:35577 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dcDSl-0007ul-LP
	for submit@debbugs.gnu.org; Mon, 31 Jul 2017 12:22:35 -0400
Received: from mail.pompo.co ([87.243.223.35]:49034 helo=ronja.pompo.co)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alex@pompo.co>)
 id 1dcDSj-0007uV-Va; Mon, 31 Jul 2017 12:22:34 -0400
Received: from pegasus (unknown [109.131.43.227])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ronja.pompo.co (Postfix) with ESMTPSA id 624D3402E3;
 Mon, 31 Jul 2017 16:22:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pompo.co; s=mail;
 t=1501518147; bh=ft7hOFRE4A3XD4rmV9eyZJOb1jOgJQlFp/FvmrPBpYk=;
 h=References:From:To:Cc:Subject:Reply-To:In-reply-to:Date:From;
 b=YYdA7nkiC3X9gDMCB6A4CbkUvS4TY75HWzmatpyDtU9R2S2Vrb5TWGkL3yrLmYGqe
 6V/mDpCzvuUCbWJxa/ECn6P+mD6sotW9nmKO22e+DUR6aSOX8uP4+WHcjebuCwAomA
 OL2OZoURPMOzXRsRLx2n1tMF7qtaWd8GNxcBXC6s=
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
 <20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co>
 <87379c39mp.fsf@gnu.org>
User-agent: mu4e 0.9.18; emacs 25.2.1
From: Alex Sassmannshausen <alex@pompo.co>
In-reply-to: <87379c39mp.fsf@gnu.org>
Date: Mon, 31 Jul 2017 18:22:20 +0200
Message-ID: <87k22ok24j.fsf@pompo.co>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)


Ludovic Courtès writes:

> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update?  :-)
>
> Would be good not to leave the vulnerable version in the distro.

Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that.  So at the earliest I could contribute those
patches this weekend.

Alex

>
> TIA,
> Ludo’.




From debbugs-submit-bounces@debbugs.gnu.org Wed Aug 02 18:01:49 2017
Received: (at control) by debbugs.gnu.org; 2 Aug 2017 22:01:49 +0000
Received: from localhost ([127.0.0.1]:38995 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dd1i9-0002hI-E4
	for submit@debbugs.gnu.org; Wed, 02 Aug 2017 18:01:49 -0400
Received: from eggs.gnu.org ([208.118.235.92]:35017)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1dd1i7-0002h5-Ps
 for control@debbugs.gnu.org; Wed, 02 Aug 2017 18:01:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@gnu.org>) id 1dd1hz-0006gy-Hm
 for control@debbugs.gnu.org; Wed, 02 Aug 2017 18:01:42 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:36046)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1dd1hz-0006gs-EA
 for control@debbugs.gnu.org; Wed, 02 Aug 2017 18:01:39 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:47160 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>) id 1dd1hy-0000wl-Cc
 for control@debbugs.gnu.org; Wed, 02 Aug 2017 18:01:39 -0400
Date: Thu, 03 Aug 2017 00:01:36 +0200
Message-Id: <87ini5sk73.fsf@gnu.org>
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: control message for bug #27808
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

tags 27808 security




From unknown Mon Aug 18 17:56:40 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Resent-From: Alex Sassmannshausen <alex@pompo.co>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Sun, 20 Aug 2017 20:11:01 +0000
Resent-Message-ID: <handler.27808.B27808.150325982522195@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 27808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 27826@debbugs.gnu.org, 27808@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Reply-To: alex@pompo.co
Received: via spool by 27808-submit@debbugs.gnu.org id=B27808.150325982522195
          (code B ref 27808); Sun, 20 Aug 2017 20:11:01 +0000
Received: (at 27808) by debbugs.gnu.org; 20 Aug 2017 20:10:25 +0000
Received: from localhost ([127.0.0.1]:46955 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1djWYC-0005lt-QN
	for submit@debbugs.gnu.org; Sun, 20 Aug 2017 16:10:25 -0400
Received: from mail.pompo.co ([87.243.223.35]:59618 helo=ronja.pompo.co)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alex@pompo.co>)
 id 1djWYA-0005lb-QE; Sun, 20 Aug 2017 16:10:23 -0400
Received: from hypatia (host81-158-26-86.range81-158.btcentralplus.com
 [81.158.26.86])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ronja.pompo.co (Postfix) with ESMTPSA id 977F2402E5;
 Sun, 20 Aug 2017 20:10:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pompo.co; s=mail;
 t=1503259815; bh=jPaMPoXJon2W1IOBlfQtPkDYdcSPeLXCn4FTTT2eH8o=;
 h=References:From:To:Cc:Subject:Reply-To:In-reply-to:Date:From;
 b=I0OCCkgQJ9TYf+HHt5bIssjUvp3HHFi9++ixpYNsm59iKmL5XOI42VsSYNm/ZX4XG
 iL6V6yLmKmdQYA7s4wHECa33MDokBomgxxXt1kSAamDCXR5ZucTv/ScH5Ab95Ek4Jt
 qejjyjMTuPRH0pPWSOvUOd+ET5Na3YP2vuxxbKfA=
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
 <20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co>
 <87379c39mp.fsf@gnu.org> <87k22ok24j.fsf@pompo.co>
User-agent: mu4e 0.9.18; emacs 25.2.1
From: Alex Sassmannshausen <alex@pompo.co>
In-reply-to: <87k22ok24j.fsf@pompo.co>
Date: Sun, 20 Aug 2017 22:10:14 +0200
Message-ID: <87fucmuhjt.fsf@pompo.co>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

Hi

I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.

I will try to close the bugs (27826 & 27808).

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update?  :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that.  So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.





From unknown Mon Aug 18 17:56:40 2025
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
X-Loop: help-debbugs@gnu.org
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo@famulari.name>
Subject: bug#27808: closed (Re: [bug#27826] bug#27808: PHP CVE-2017-11144,
 CVE-2017-11145, CVE-2017-11362)
Message-ID: <handler.27808.D27808.150325988222311.notifdone@debbugs.gnu.org>
References: <87efs6uhi6.fsf@pompo.co> <20170724185744.GA4997@jasmine.lan>
X-Gnu-PR-Message: they-closed 27808
X-Gnu-PR-Package: guix
X-Gnu-PR-Keywords: security
Reply-To: 27808@debbugs.gnu.org
Date: Sun, 20 Aug 2017 20:12:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1503259922-22406-1"

This is a multi-part message in MIME format...

------------=_1503259922-22406-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Your bug report

#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 27808@debbugs.gnu.org.

--=20
27808: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D27808
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1503259922-22406-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 27808-done) by debbugs.gnu.org; 20 Aug 2017 20:11:22 +0000
Received: from localhost ([127.0.0.1]:46962 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1djWZ8-0005nm-5c
	for submit@debbugs.gnu.org; Sun, 20 Aug 2017 16:11:22 -0400
Received: from mail.pompo.co ([87.243.223.35]:59627 helo=ronja.pompo.co)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alex@pompo.co>)
 id 1djWZ6-0005nU-HC; Sun, 20 Aug 2017 16:11:20 -0400
Received: from hypatia (host81-158-26-86.range81-158.btcentralplus.com
 [81.158.26.86])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ronja.pompo.co (Postfix) with ESMTPSA id 70E95402E5;
 Sun, 20 Aug 2017 20:11:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pompo.co; s=mail;
 t=1503259874; bh=uXTiy7w5ldozf1mm3OCzY3kv481SU35wOFIKGE8seKc=;
 h=References:From:To:Subject:Reply-To:In-reply-to:Date:From;
 b=ZO/LRAZ9iUxUwByYh68RBTZD1RQqGIw1GZyWfHJ1InSGH13N6UwVNsWayt1b8E0CT
 z6kAIeRN2m2rDVnG1+k7smqBubKO7BGHUlnw/NWMrw/6BzR6QHMRB1frNHoaB/9Gy1
 5T8vsNKymyZr6l+GagBkU8X1wPkyOtVWER5TuTrQ=
References: <20170724185744.GA4997@jasmine.lan> <87k22wo7v8.fsf@pompo.co>
 <20170725184153.GA24552@jasmine.lan> <87inignvxw.fsf@pompo.co>
 <87379c39mp.fsf@gnu.org> <87k22ok24j.fsf@pompo.co>
User-agent: mu4e 0.9.18; emacs 25.2.1
From: Alex Sassmannshausen <alex@pompo.co>
To: 27826-done@debbugs.gnu.org, 27808-done@debbugs.gnu.org
Subject: Re: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145,
 CVE-2017-11362
In-reply-to: <87k22ok24j.fsf@pompo.co>
Date: Sun, 20 Aug 2017 22:11:13 +0200
Message-ID: <87efs6uhi6.fsf@pompo.co>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 27808-done
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Reply-To: alex@pompo.co
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)


Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update?  :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that.  So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.



------------=_1503259922-22406-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by debbugs.gnu.org; 24 Jul 2017 18:57:59 +0000
Received: from localhost ([127.0.0.1]:54668 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dZiYJ-0006x3-6j
	for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:59 -0400
Received: from eggs.gnu.org ([208.118.235.92]:36732)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1dZiYH-0006wq-VO
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiYB-000594-T1
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:52 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00,SUBJ_ALL_CAPS,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:50969)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dZiYB-00058y-PC
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:51 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55935)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiYA-0008J8-Kx
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiY6-00057w-Of
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:50 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40127)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dZiY6-00057J-2B
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:46 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 41F8E2243C;
 Mon, 24 Jul 2017 14:57:45 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Mon, 24 Jul 2017 14:57:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=YQD
 J6b5F46EUiMPVgnbz3SzVsYApe76Ar+ScZPT+exs=; b=Km+CdiFXncl5PlhxysK
 Nc7LbQqKD1gksNlpk2EntqWGaHx8NrEmAldZul4j/PsTmQuOn0VaR8I/uQUOqGkt
 fCH38X3z9v3bwiuA8vEp9MMjvLRYSiKR36iSCM3qDDpfTJtqJ/iFr+6R/uK+t71F
 8h4OAhsLEEkzKaDZs5FH/I24=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=fm1; bh=YQDJ6b5F46EUiMPVgnbz3SzVsYApe76Ar+ScZPT+e
 xs=; b=UdajGBe5I2Getbc+DQKRW99epEW+/nb022GMQkMg9RsSonx7J239etq2u
 MPoQ4nKw+30RFL+y9i6+6zVtyn/JoQ7xDfS0V/Z6Woa/Y1CxQmpZ4OokWIDYupFN
 DUFJKVO9vOKuQNK1TePly2FGBlvMA5Q+SxHfMobJNGjY9gSuFyqEdKXxX/vUbk6u
 TN+B3H43IFc9BEqWVc2NNjXwQKkjvLuUAQDShBcSsLJoZka1O8YJyYEAK0OXmDV8
 OQFyS6Ld6t0RBbEmt9zEtMx5zkMxrpSHcdgz7xg/FgM/+/iQxpR4mbrwwc5Z/lQy
 Lfp6eNx2XedbZbm5kE7MzOrV/MwxA==
X-ME-Sender: <xms:KUN2WdwkhVhQ8l34BzxUyrWsYow3zhHnieElBJE0hYmGQZa3EoWO9Q>
X-Sasl-enc: l39okwTZHiGjh0UHSZDFrfBrKGsALzMy993YLqJ5nwdZ 1500922665
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id 03CB27E2DE
 for <bug-guix@gnu.org>; Mon, 24 Jul 2017 14:57:44 -0400 (EDT)
Date: Mon, 24 Jul 2017 14:57:44 -0400
From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Message-ID: <20170724185744.GA4997@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf"
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.2 (-----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.2 (-----)


--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?

--J2SCkAp4GZ/dPZZf
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAll2QyQACgkQJkb6MLrK
fwib1Q/6AvhmCk96bwJY9x9xI4vu9iTV7abi0nN2aKWtERlQpRWMCU6d1RKhPz67
OQtT8XYB2mmvuPRl5lk3QT0Bl0+LeLBkhE2jyP0zGMoNVLqatDb4PhuBh+JmyF65
MJd+AJ+Vqy5jV6PIPVK1LbwTSuFegF1BzEpvKyn2PkXvH//dsF+7PxL6rP39qsId
gkbH4Xce7Ou7zCvJDBZ4C9JOuhLDxZiUQO99EVCMMubmVatNeB/nNlg6mugapLmV
KWdRUjD2+jLNmjLeRGyCyzr0/bbt1RvHpcCHopKh6iOnDpjMtoajJXvLseAgpPJp
Ck2p36fjBAdX9U1zAlKdLdMjAZNRJvtPL47zOBsXlfzFYsOghmBPhIUvVA6tycTo
cNYGdjfM92UvSQs0SP30HsxruHsIHYZmx7GYM/BsiiwiOX+R7bsGrPY4jIo4hABs
CJpkyEsI7oR1xp8CyuYyibA6NCnq7zFIBhbK6FAho0/SXbGHWlY6eJL/X15SiduJ
TTJFKM8+YDxvGmExd/1oAIgNH+39Ck0siaI7zlU7v3SXSD9fMVTji23UdMnVTY/E
OYZRgs5IMAeP6N7TUIePC7bfAB+1JsJrRpWz3CTpuxdcMXZRpKA95o0CgbJ/X7y+
Vi934pZF12NRi7t+Wuv8jCEg3PzF/ujXLTaBIvByMpcrcooWl8A=
=WEg8
-----END PGP SIGNATURE-----

--J2SCkAp4GZ/dPZZf--



------------=_1503259922-22406-1--