PublicDateAtUSN: 2017-07-10
Candidate: CVE-2017-11147
PublicDate: 2017-07-10
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11147
http://openwall.com/lists/oss-security/2017/07/10/6
http://php.net/ChangeLog-5.php
http://php.net/ChangeLog-7.php
http://www.ubuntu.com/usn/usn-3382-1
Description:
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could
be used by attackers supplying malicious archive files to crash the PHP
interpreter or potentially disclose information due to a buffer over-read
in the phar_parse_pharfile function in ext/phar/phar.c.
Ubuntu-Description:
Notes:
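The buffer over-read named in the Description above is an instance of a common parser bug: a length field read from the attacker-controlled manifest is used to read or copy bytes without first being checked against the bytes actually present in the archive. The C below is an added example, not code from php-src or from ext/phar/phar.c, and it does not reproduce the actual defect or the upstream fix. It parses the fixed part of a phar manifest header (the documented layout: manifest length, file count, API version, flags, alias length, alias, metadata length, metadata) with every length checked against the remaining input before a pointer is advanced, and it shows, by arithmetic only, how far an unchecked parser would read past the end of a constructed hostile manifest. The function names, error codes and sample bytes are this example's own assumptions.

```c
/*
 * Added example (not php-src code): a bounds-checked parser for the fixed
 * part of a phar manifest header, plus an arithmetic-only illustration of
 * the over-read an unchecked parser would perform on a hostile archive.
 * Layout follows the documented phar manifest format; names are invented.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum phar_err { PHAR_OK = 0, PHAR_ERR_TRUNCATED = 1, PHAR_ERR_LENGTH = 2 };

struct phar_header {
    uint32_t manifest_len;
    uint32_t file_count;
    uint16_t api_version;
    uint32_t flags;
    uint32_t alias_len;
    const unsigned char *alias;     /* points into the input buffer */
    uint32_t metadata_len;
    const unsigned char *metadata;  /* points into the input buffer */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const unsigned char *p) {
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Bug-class illustration: an unchecked parser trusts alias_len and computes
 * the end of the alias from it, so for a hostile archive the end lies past
 * buf + buf_len and the following memcpy/compare reads out of bounds.
 * Returns how many bytes such a read would overrun by (0 if none). This
 * function only does the arithmetic; it never performs the read. */
size_t unchecked_alias_overrun(const unsigned char *buf, size_t buf_len) {
    if (buf_len < 18) return 0;  /* fixed header absent; not the case shown */
    uint64_t alias_end = 18 + (uint64_t)le32(buf + 14);
    return alias_end > buf_len ? (size_t)(alias_end - buf_len) : 0;
}

/* Hardened parser: every variable-length field is checked against the bytes
 * remaining before the offset is advanced. Comparisons use buf_len - off,
 * never off + len, so an attacker-chosen length cannot wrap the check. */
enum phar_err phar_parse_header(const unsigned char *buf, size_t buf_len,
                                struct phar_header *h) {
    size_t off;
    if (buf_len < 18) return PHAR_ERR_TRUNCATED;
    h->manifest_len = le32(buf + 0);
    h->file_count   = le32(buf + 4);
    h->api_version  = le16(buf + 8);
    h->flags        = le32(buf + 10);
    h->alias_len    = le32(buf + 14);
    off = 18;
    /* manifest_len is assumed to count the bytes after its own field */
    if (h->manifest_len > buf_len - 4) return PHAR_ERR_LENGTH;
    if (h->alias_len > buf_len - off) return PHAR_ERR_LENGTH;
    h->alias = buf + off;
    off += h->alias_len;
    if (buf_len - off < 4) return PHAR_ERR_TRUNCATED;
    h->metadata_len = le32(buf + off);
    off += 4;
    if (h->metadata_len > buf_len - off) return PHAR_ERR_LENGTH;
    h->metadata = buf + off;
    return PHAR_OK;
}

/* Constructed sample: a well-formed 30-byte manifest header. */
static const unsigned char GOOD[] = {
    26, 0, 0, 0,                 /* manifest_len: bytes after this field */
    1, 0, 0, 0,                  /* file_count */
    0x00, 0x11,                  /* api_version 0x1100 */
    0, 0, 1, 0,                  /* flags 0x00010000 */
    8, 0, 0, 0,                  /* alias_len */
    'a', 'p', 'p', '.', 'p', 'h', 'a', 'r',
    0, 0, 0, 0                   /* metadata_len */
};

/* Constructed sample: hostile header whose alias_len far exceeds the file. */
static const unsigned char HOSTILE[] = {
    18, 0, 0, 0,
    1, 0, 0, 0,
    0x00, 0x11,
    0, 0, 1, 0,
    0xFF, 0xFF, 0xFF, 0xFF,      /* alias_len = 4294967295 */
    'x', 'x', 'x', 'x'
};

int main(void) {
    struct phar_header h;
    printf("good: %d, hostile: %d, unchecked overrun: %zu bytes\n",
           (int)phar_parse_header(GOOD, sizeof GOOD, &h),
           (int)phar_parse_header(HOSTILE, sizeof HOSTILE, &h),
           unchecked_alias_overrun(HOSTILE, sizeof HOSTILE));
    return 0;
}
```

The check order matters: the declared manifest length is validated against the input first, then each nested length against the bytes left after the current offset, so a single oversized field anywhere in the chain is rejected before any pointer into the buffer is derived from it.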
Bugs:
https://bugs.php.net/bug.php?id=73773
Priority: medium
Discovered-by:
Assigned-to:
Patches_php5:
upstream: https://github.com/php/php-src/commit/e5246580a85f031e1a3b8064edbaa55c1643a451
upstream_php5: released (5.6.30)
precise/esm_php5: needs-triage
trusty_php5: released (5.5.9+dfsg-1ubuntu4.22)
vivid/ubuntu-core_php5: DNE
xenial_php5: DNE
yakkety_php5: DNE
zesty_php5: DNE
devel_php5: DNE
Patches_php7.0:
upstream: https://github.com/php/php-src/commit/e5246580a85f031e1a3b8064edbaa55c1643a451
upstream: https://github.com/php/php-src/commit/7f0de1a138a69beb7c537fd1ec84afbc91a45b19 (7.0 merge)
upstream_php7.0: released (7.0.15)
precise/esm_php7.0: DNE
trusty_php7.0: DNE
vivid/ubuntu-core_php7.0: DNE
xenial_php7.0: not-affected (7.0.18-0ubuntu0.16.04.1)
yakkety_php7.0: ignored (reached end-of-life)
zesty_php7.0: not-affected (7.0.18-0ubuntu0.17.04.1)
devel_php7.0: DNE
Patches_php7.1:
upstream: https://github.com/php/php-src/commit/e5246580a85f031e1a3b8064edbaa55c1643a451
upstream: https://github.com/php/php-src/commit/7f0de1a138a69beb7c537fd1ec84afbc91a45b19 (7.0 merge)
upstream: https://github.com/php/php-src/commit/2075fb2b73c2d56c7acfb29773a2dc68b8d2f29d (7.1 merge)
upstream_php7.1: released (7.1.1)
precise/esm_php7.1: DNE
trusty_php7.1: DNE
vivid/ubuntu-core_php7.1: DNE
xenial_php7.1: DNE
yakkety_php7.1: DNE
zesty_php7.1: DNE
devel_php7.1: not-affected (7.1.6-2ubuntu1)