author    Peter Korsgaard <peter@korsgaard.com>  2017-07-11 11:02:20 +0200
committer Peter Korsgaard <peter@korsgaard.com>  2017-07-19 16:01:36 +0200
commit    a28f8f15bda11a1f068aa64a998808c9836b16ba
tree      5c02c87c0255d99945684ad2197144135557495c
parent    d51d7742b561a21bf5f45596e4f24bfc9b5cea19
php: security bump to version 7.1.7
Fixes the following security issues:

CVE-2017-7890 - Buffer over-read into uninitialized memory. The GIF decoding
function gdImageCreateFromGifCtx in gd_gif_in.c (which can be reached with a
call to the imagecreatefromstring() function) uses constant-sized color tables
of size 3 * 256, but does not zero-out these arrays before use.

CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229 -
Out-of-bounds access in oniguruma regexp library.

CVE-2017-11144 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, the openssl extension PEM sealing code did not check the return value
of the OpenSSL sealing function, which could lead to a crash of the PHP
interpreter, related to an interpretation conflict for a negative number in
ext/openssl/openssl.c, and an OpenSSL documentation omission.

CVE-2017-11145 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, lack of a bounds check in the date extension's timelib_meridian parsing
code could be used by attackers able to supply date strings to leak
information from the interpreter, related to an ext/date/lib/parse_date.c
out-of-bounds read affecting the php_parse_date function.

CVE-2017-11146 - In PHP through 5.6.31, 7.x through 7.0.21, and 7.1.x through
7.1.7, lack of bounds checks in the date extension's timelib_meridian parsing
code could be used by attackers able to supply date strings to leak
information from the interpreter, related to ext/date/lib/parse_date.c
out-of-bounds reads affecting the php_parse_date function. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2017-11145.

While we're at it, add a hash for the license file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 91f4c9d41209a19d16c9b7813facdea2e32e2015)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
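The CVE-2017-7890 entry above describes a recurring bug class: a decoder keeps a fixed-size 3 * 256 colour table, fills only the entries the image header declares, and then lets pixel indices past that point read whatever the array already held. The following is an added illustration of that pattern and of the zeroing fix the commit message implies; it is not gd's or PHP's code and not the exact upstream patch. The toy indexed-image format, the sample bytes, and the 0xAA "stale" marker are constructed here; the colour table is passed in by the caller so its leftover contents are deterministic, whereas in a real decoder it is a local array holding stale stack data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PALETTE_ENTRIES 256
#define PALETTE_BYTES   (3 * PALETTE_ENTRIES)
#define STALE_BYTE      0xAA   /* stands in for leftover stack data */

enum { IMG_OK = 0, IMG_TRUNCATED = -1 };

/* Toy indexed-image format (constructed for this example): byte 0 is the
 * number of palette entries n (0 means 256), then 3*n RGB bytes, then
 * npixels one-byte colour indices.  Like the buggy decoder, it never
 * checks that a pixel index is below n, so indices >= n read table
 * entries that were never written from the input. */
static int decode_indexed_image(const uint8_t *buf, size_t len, size_t npixels,
                                uint8_t table[PALETTE_BYTES], uint8_t *out_rgb,
                                int zero_table)
{
    if (zero_table)
        memset(table, 0, PALETTE_BYTES);   /* the fix: clear the whole table first */

    if (len < 1)
        return IMG_TRUNCATED;
    size_t n = buf[0] ? buf[0] : PALETTE_ENTRIES;
    if (len < 1 + 3 * n + npixels)
        return IMG_TRUNCATED;

    memcpy(table, buf + 1, 3 * n);         /* only the declared entries are written */

    const uint8_t *px = buf + 1 + 3 * n;
    for (size_t i = 0; i < npixels; i++) {
        size_t idx = px[i];                /* may be >= n: reads unfilled entries */
        memcpy(out_rgb + 3 * i, table + 3 * idx, 3);
    }
    return IMG_OK;
}

/* Constructed sample: 2 palette entries, then pixel indices 1 and 200. */
static const uint8_t SAMPLE[] = {
    2,
    0x10, 0x20, 0x30,   /* entry 0 */
    0x40, 0x50, 0x60,   /* entry 1 */
    1, 200              /* pixel indices; 200 is outside the 2-entry palette */
};
#define SAMPLE_PIXELS 2

/* Decode SAMPLE with a table pre-filled with STALE_BYTE into a static
 * 6-byte RGB buffer.  Returns IMG_OK or IMG_TRUNCATED. */
static uint8_t decoded[3 * SAMPLE_PIXELS];

static int decode_sample(int zero_table)
{
    uint8_t table[PALETTE_BYTES];
    memset(table, STALE_BYTE, sizeof table);
    return decode_indexed_image(SAMPLE, sizeof SAMPLE, SAMPLE_PIXELS,
                                table, decoded, zero_table);
}

/* Number of output bytes equal to STALE_BYTE, i.e. how many bytes of
 * "uninitialized" table contents reached the caller; -1 on decode error. */
int stale_bytes_leaked(int zero_table)
{
    if (decode_sample(zero_table) != IMG_OK)
        return -1;
    int leaked = 0;
    for (size_t i = 0; i < sizeof decoded; i++)
        leaked += (decoded[i] == STALE_BYTE);
    return leaked;
}

/* Byte i of the decoded RGB output for the given mode; -1 on error. */
int decoded_byte(int zero_table, size_t i)
{
    if (i >= sizeof decoded || decode_sample(zero_table) != IMG_OK)
        return -1;
    return decoded[i];
}

int main(void)
{
    printf("without memset: %d stale bytes leaked\n", stale_bytes_leaked(0));
    printf("with memset:    %d stale bytes leaked\n", stale_bytes_leaked(1));
    return 0;
}
```

Zeroing the table turns the over-read into a deterministic black pixel, which is what the commit message's wording points at; a decoder that also rejects indices at or beyond the declared palette size would additionally refuse the malformed input instead of rendering it.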
 package/php/php.hash | 5
 package/php/php.mk   | 2
 2 files changed, 5 insertions, 2 deletions
diff --git a/package/php/php.hash b/package/php/php.hash
index 0c8518b13b..c724f6d8ce 100644
--- a/package/php/php.hash
+++ b/package/php/php.hash
@@ -1,2 +1,5 @@
# From http://php.net/downloads.php
-sha256 01584dc521ab7ec84b502b61952f573652fe6aa00c18d6d844fb9209f14b245b php-7.1.6.tar.xz
+sha256 0d42089729be7b2bb0308cbe189c2782f9cb4b07078c8a235495be5874fff729 php-7.1.7.tar.xz
+
+# License file
+sha256 a44951f93b10c87c3f7cd9f311d95999c57c95ed950eec32b14c1c7ea6baf25e LICENSE
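Review bot: the provenance comment at the top of this file still points at http://php.net/downloads.php over plain HTTP, and the tarball itself is fetched from an http:// PHP_SITE, so the sha256 on the php-7.1.7.tar.xz line is the only check that catches a modified download; record that the checksum was taken from the upstream downloads page over https (or matched against the published signature) so reviewers can tell a transcribed hash from a locally computed one. The new LICENSE line carries only "# License file" with no note on how it was computed; state that it is sha256sum over the LICENSE file from the extracted php-7.1.7 tarball so the next bump can re-verify it the same way.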
diff --git a/package/php/php.mk b/package/php/php.mk
index ed12dd354a..0733bc9a2c 100644
--- a/package/php/php.mk
+++ b/package/php/php.mk
@@ -4,7 +4,7 @@
#
################################################################################
-PHP_VERSION = 7.1.6
+PHP_VERSION = 7.1.7
PHP_SITE = http://www.php.net/distributions
PHP_SOURCE = php-$(PHP_VERSION).tar.xz
PHP_INSTALL_STAGING = YES
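Review bot: PHP_SITE remains http://www.php.net/distributions in a commit that is explicitly a security bump; switching it to https://www.php.net/distributions here would fetch the tarball over TLS instead of relying solely on the php.hash checksum to detect a tampered download. The version bump itself is consistent with the hash file (7.1.6 to 7.1.7 in both), and PHP_SOURCE still derives the filename from PHP_VERSION, so no other line needs to change.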