Ludovic Courtès writes: > Hi Alex, > > Alex Sassmannshausen <[email protected]> skribis: > >>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote: >>>> Hi Leo, >>>> >>>> I've just submitted a patch to update PHP to version 7.1.7, which >>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine >>>> (but also on the previous version), so I could not fully build it >>>> (disabling tests results in a working version of PHP). >>> >>> I got this building with that patch: >>> >>> ===================================================================== >>> FAILED TEST SUMMARY >>> --------------------------------------------------------------------- >>> Test for DateTime::modify() with absolute time statements >>> [ext/date/tests/date-time-modify-times.phpt] >>> Bug #74435 (Buffer over-read into uninitialized memory) >>> [ext/gd/tests/bug74435.phpt] >>> Bug #70436: Use After Free Vulnerability in unserialize() >>> [ext/standard/tests/strings/bug70436.phpt] >>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in >>> Deserialization [ext/standard/tests/strings/bug72663_3.phpt] >>> ===================================================================== >> >> OK that's what I've got too. >> >> I guess it will need some investigation… :-( > > Any update? :-) > > Would be good not to leave the vulnerable version in the distro.
Agreed, though I am in no position to investigate this. I was going to propose a patch that disabled those 4 tests, but I will need to investigate how to do that. So at the earliest I could contribute those patches this weekend. Alex > > TIA, > Ludo’.
