Issue affecting php5?

To: debian-lts@lists.debian.org
Subject: Issue affecting php5?
From: Roberto C. Sánchez <roberto@debian.org>
Date: Wed, 15 Nov 2017 06:26:08 -0500
Message-id: <[🔎] 20171115112608.h7itgeq3jqs5pjrm@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org

Hello all.  I wanted to bring something up that I noticed while
investigating the most recent php5 issue.

I was looking at PHP's GitHub and I noticed this commit:
https://github.com/php/php-src/commit/f6e8ce812174343b5c9fd1860f9e2e2864428567

The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
However, CVE-2017-14107 is only listed for libzip in the security
tracker.  I looked at the build log and php5 in wheezy definitely builds
the file that was modified in that commit.  My conclusion is that php5
in wheezy embeds and builds a vulnerable version of libzip. Is it then
correct to add php5 as being affected by that CVE in data/CVE/list?

I confirmed that php7.0 and php7.1 in sid do not build the affected file
(either because they do not ship it or because the embedded libzip is
not used.  I cannot confirm php5.6 in jessie because there are no build
logs, but I suspect it might be vulnerable as well.

Thoughts?  Suggestions?

Regards,

-Roberto

[0] https://security-tracker.debian.org/tracker/CVE-2017-16826
-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: Issue affecting php5?
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: CVE-2017-9935 / tiff
Next by Date: Re: About libreoffice CVE
Previous by thread: Re: About libreoffice CVE
Next by thread: Re: Issue affecting php5?
Index(es):
- Date
- Thread