Issue affecting php5?
Hello all. I wanted to bring something up that I noticed while
investigating the most recent php5 issue.
I was looking at PHP's GitHub and I noticed this commit:
https://github.com/php/php-src/commit/f6e8ce812174343b5c9fd1860f9e2e2864428567
The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
However, CVE-2017-14107 is only listed for libzip in the security
tracker. I looked at the build log and php5 in wheezy definitely builds
the file that was modified in that commit. My conclusion is that php5
in wheezy embeds and builds a vulnerable version of libzip. Is it then
correct to add php5 as being affected by that CVE in data/CVE/list?
I confirmed that php7.0 and php7.1 in sid do not build the affected file
(either because they do not ship it or because the embedded libzip is
not used). I cannot confirm php5.6 in jessie because there are no build
logs, but I suspect it might be vulnerable as well.
Thoughts? Suggestions?
Regards,
-Roberto
[0] https://security-tracker.debian.org/tracker/CVE-2017-16826
--
Roberto C. Sánchez