GNU bug report logs -
#27808
PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Mon, 24 Jul 2017 18:58:01 UTC
Severity: normal
Tags: security
Done: Alex Sassmannshausen <alex <at> pompo.co>
Bug is archived. No further changes may be made.
Full log
Message #14 received at 27808 <at> debbugs.gnu.org (full text, mbox):
> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>>
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================
OK that's what I've got too.
I guess it will need some investigation… :-(
Thanks for testing!
Alex
Leo Famulari writes:
This bug report was last modified 7 years and 354 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.