[Buildroot] [PATCH] php: security bump to version 7.1.7
Peter Korsgaard
peter at korsgaard.com
Tue Jul 11 19:32:15 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2017-7890 - Buffer over-read into uninitialized memory. The GIF
> decoding function gdImageCreateFromGifCtx in gd_gif_in.c (which can be
> reached with a call to the imagecreatefromstring() function) uses
> constant-sized color tables of size 3 * 256, but does not zero-out these
> arrays before use.
> CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229 -
> Out-of-bounds access in oniguruma regexp library.
> CVE-2017-11144 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
> 7.1.7, the openssl extension PEM sealing code did not check the return value
> of the OpenSSL sealing function, which could lead to a crash of the PHP
> interpreter, related to an interpretation conflict for a negative number in
> ext/openssl/openssl.c, and an OpenSSL documentation omission.
> CVE-2017-11145 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
> 7.1.7, lack of a bounds check in the date extension's timelib_meridian
> parsing code could be used by attackers able to supply date strings to leak
> information from the interpreter, related to an ext/date/lib/parse_date.c
> out-of-bounds read affecting the php_parse_date function.
> CVE-2017-11146 - In PHP through 5.6.31, 7.x through 7.0.21, and 7.1.x
> through 7.1.7, lack of bounds checks in the date extension's
> timelib_meridian parsing code could be used by attackers able to supply date
> strings to leak information from the interpreter, related to
> ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date
> function. NOTE: this vulnerability exists because of an incomplete fix for
> CVE-2017-11145.
> While we're at it, add a hash for the license file.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
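
The CVE-2017-7890 entry in the commit message above, modelled as an added example (not code from PHP, libgd or Buildroot): a fixed 3 * 256 color table that is only partly filled from the file, beside the version that zeroes it first. The function names, the 0xAA marker that stands in for leftover memory, and the trigger used here (pixel indices beyond the palette the file supplied) are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COLORS 256
#define STALE 0xAA  /* constructed marker standing in for leftover memory */

/* Simplified model of a GIF palette loader: copies ncolors RGB triples
 * into a fixed 3 * 256 table. zero_first = 0 models the behaviour the
 * advisory describes; zero_first = 1 clears the table before use. */
static void load_color_table(unsigned char table[3][MAX_COLORS],
                             const unsigned char *palette, size_t ncolors,
                             int zero_first)
{
    if (ncolors > MAX_COLORS)
        ncolors = MAX_COLORS;
    if (zero_first)
        memset(table, 0, 3 * MAX_COLORS);
    for (size_t i = 0; i < ncolors; i++)
        for (int c = 0; c < 3; c++)
            table[c][i] = palette[3 * i + c];
}

/* Decodes four constructed pixels and counts those whose colour was
 * never supplied by the file, i.e. came from stale table contents. */
int stale_pixels(int zero_first)
{
    static const unsigned char palette[] = { 255, 0, 0,  0, 255, 0 }; /* 2 colours */
    static const unsigned char pixels[] = { 0, 1, 7, 200 }; /* 7 and 200: no palette entry (assumed trigger) */
    unsigned char table[3][MAX_COLORS];
    int stale = 0;

    memset(table, STALE, sizeof table); /* simulate earlier use of this memory */
    load_color_table(table, palette, 2, zero_first);
    for (size_t i = 0; i < sizeof pixels; i++) {
        unsigned char idx = pixels[i];
        if (table[0][idx] == STALE && table[1][idx] == STALE && table[2][idx] == STALE)
            stale++;
    }
    return stale;
}

int main(void)
{
    printf("table not cleared: %d pixels built from stale bytes\n", stale_pixels(0));
    printf("table zeroed:      %d pixels built from stale bytes\n", stale_pixels(1));
    return 0;
}
```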