Date: Tue, 26 Sep 2017 14:37:01 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r450665 - head/security/vuxml Message-ID: <201709261437.v8QEb1Bx088103@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: swills Date: Tue Sep 26 14:37:01 2017 New Revision: 450665 URL: https://svnweb.freebsd.org/changeset/ports/450665 Log: Document issue in php and gd Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 26 14:14:49 2017 (r450664) +++ head/security/vuxml/vuln.xml Tue Sep 26 14:37:01 2017 (r450665) @@ -58,6 +58,40 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="5033e2fc-98ec-4ef5-8e0b-87cfbbc73081"> + <topic>php-gd and gd -- Buffer over-read into uninitialized memory</topic> + <affects> + <package> + <name>libgd</name> + <range><lt>2.2.5</lt></range> + </package> + <package> + <name>php70-gd</name> + <range><lt>7.0.21</lt></range> + </package> + <package> + <name>php71-gd</name> + <range><lt>7.1.7</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>PHP developers report:</p> + <blockquote cite="https://bugs.php.net/bug.php?id=74435">; + <p>The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.</p> + </blockquote> + </body> + </description> + <references> + <url>https://bugs.php.net/bug.php?id=74435</url>; + <cvename>CVE-2017-7890</cvename> + </references> + <dates> + <discovery>2017-08-02</discovery> + <entry>2017-09-26</entry> + </dates> + </vuln> + <vuln vid="d843a984-7f22-484f-ba81-483ddbe30dc3"> <topic>ledger -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201709261437.v8QEb1Bx088103>