
Issue affecting php5?



Hello all.  I wanted to bring something up that I noticed while
investigating the most recent php5 issue.

I was looking at PHP's GitHub and I noticed this commit:
https://github.com/php/php-src/commit/f6e8ce812174343b5c9fd1860f9e2e2864428567

The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
However, CVE-2017-14107 is only listed for libzip in the security
tracker.  I looked at the build log and php5 in wheezy definitely builds
the file that was modified in that commit.  My conclusion is that php5
in wheezy embeds and builds a vulnerable version of libzip. Is it then
correct to add php5 as being affected by that CVE in data/CVE/list?

I confirmed that php7.0 and php7.1 in sid do not build the affected file
(either because they do not ship it or because the embedded libzip is
not used).  I cannot confirm php5.6 in jessie because there are no build
logs, but I suspect it might be vulnerable as well.

Thoughts?  Suggestions?

Regards,

-Roberto

[0] https://security-tracker.debian.org/tracker/CVE-2017-16826
-- 
Roberto C. Sánchez

