Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd. Alex
Alex Sassmannshausen writes: > Ludovic Courtès writes: > >> Hi Alex, >> >> Alex Sassmannshausen <a...@pompo.co> skribis: >> >>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote: >>>>> Hi Leo, >>>>> >>>>> I've just submitted a patch to update PHP to version 7.1.7, which >>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine >>>>> (but also on the previous version), so I could not fully build it >>>>> (disabling tests results in a working version of PHP). >>>> >>>> I got this building with that patch: >>>> >>>> ===================================================================== >>>> FAILED TEST SUMMARY >>>> --------------------------------------------------------------------- >>>> Test for DateTime::modify() with absolute time statements >>>> [ext/date/tests/date-time-modify-times.phpt] >>>> Bug #74435 (Buffer over-read into uninitialized memory) >>>> [ext/gd/tests/bug74435.phpt] >>>> Bug #70436: Use After Free Vulnerability in unserialize() >>>> [ext/standard/tests/strings/bug70436.phpt] >>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in >>>> Deserialization [ext/standard/tests/strings/bug72663_3.phpt] >>>> ===================================================================== >>> >>> OK that's what I've got too. >>> >>> I guess it will need some investigation… :-( >> >> Any update? :-) >> >> Would be good not to leave the vulnerable version in the distro. > > Agreed, though I am in no position to investigate this. I was going to > propose a patch that disabled those 4 tests, but I will need to > investigate how to do that. So at the earliest I could contribute those > patches this weekend. > > Alex > >> >> TIA, >> Ludo’.
