Your message dated Fri, 28 Oct 2022 21:29:15 +0200
with message-id <y1wtiz3tuemfv...@eldamar.lan>
and subject line Re: Accepted php8.1 8.1.12-1 (source) into unstable
has caused the Debian Bug report #1016972,
regarding php8.1: CVE-2022-31627
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1016972: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016972
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php8.1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for php8.1.
It's specific to 8.1.x
CVE-2022-31627[0]:
| In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as
| finfo_buffer, due to incorrect patch applied to the third party code
| from libmagic, incorrect function may be used to free allocated
| memory, which may lead to heap corruption.
PHP Bug: https://bugs.php.net/bug.php?id=81723
https://github.com/php/php-src/commit/ca6d511fa54b34d5b75bf120a86482a1b9e1e686
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31627
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: php8.1
Source-Version: 8.1.12-1
On Fri, Oct 28, 2022 at 06:37:31PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 28 Oct 2022 19:32:24 +0200
> Source: php8.1
> Architecture: source
> Version: 8.1.12-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian PHP Maintainers <team+pkg-...@tracker.debian.org>
> Changed-By: Ondřej Surý <ond...@debian.org>
> Changes:
> php8.1 (8.1.12-1) unstable; urgency=medium
> .
> * New upstream version 8.1.12
> + CVE-2022-31630: OOB read due to insufficient input validation in
> imageloadfont()
> + CVE-2022-37454: buffer overflow in hash_update() on long parameter
> Checksums-Sha1:
> e90232a73a5a2da9bfad5c326d8a90c658a4aa76 5694 php8.1_8.1.12-1.dsc
> 5edef81be360eba654ea015bdb3fa10654b8ff94 11747176 php8.1_8.1.12.orig.tar.xz
> de98b50219ac62cffdc81ba67b2a55719a7ed055 833 php8.1_8.1.12.orig.tar.xz.asc
> 389af6a53f115e275da3c3592448cc7eb3c385c8 67180 php8.1_8.1.12-1.debian.tar.xz
> 6c6e020d1e8abd088a85dd7c428310a9ba77c6d6 32723 php8.1_8.1.12-1_amd64.buildinfo
> Checksums-Sha256:
> 90795e4d2e65d029aacd300ae90f374925c43ce689f2967e41a6808ce4e3df46 5694 php8.1_8.1.12-1.dsc
> 08243359e2204d842082269eedc15f08d2eca726d0e65b93fb11f4bfc51bbbab 11747176 php8.1_8.1.12.orig.tar.xz
> 3f1a4452a9cfed4c7a4872eef471e0cd18a43ebd5d8d695ffcd483d705d54a53 833 php8.1_8.1.12.orig.tar.xz.asc
> 168572ef036c1718280ddf3512cdf7990319eb261814f3f741a5de585352df9d 67180 php8.1_8.1.12-1.debian.tar.xz
> 7037afc052e4e915450b8a91349fe5f2f3b6ade052fb1ec2ae154567a66cb2ac 32723 php8.1_8.1.12-1_amd64.buildinfo
> Files:
> 3b1f8fd6cca9a906cf242f5e49bc34e2 5694 php optional php8.1_8.1.12-1.dsc
> 6a30e4eb25ff9a73dafe7582ae838c17 11747176 php optional php8.1_8.1.12.orig.tar.xz
> 2fd0ab115a84fe8f3a38e4ea2218b467 833 php optional php8.1_8.1.12.orig.tar.xz.asc
> 531ac3f146be4d26011bd74dae2f98a1 67180 php optional php8.1_8.1.12-1.debian.tar.xz
> 38fec20b5efe2b21774da0b986330432 32723 php optional php8.1_8.1.12-1_amd64.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmNcHk5fFIAAAAAALgAo
> aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
> NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
> WcLHTw//dm0yY2ewj0kpC32mNo/1mijOM/kafe247ujZgmfX52vUA+WLOGn532eG
> RYBi6KmKpYxxK+3ThEGRNdGk7px8pmButGzaU+myeRhFSIciQB4IB0J+YtUXtuBp
> 8F946T8yKvoGT+WqPbA1BdE77F92tqbHdObzAoHEl4cRTaY2Wxp+zR8F0Vz/Wd0o
> TrJBzKMwm7skLJ44WLXcOJ0DSEerDHFO9lRpEzo/aYedv6OjtV7PvBbcDkAKvQAP
> CjO5AbKcT2McAMZL///KryJAksfkCvdUg3zOEAva8js1b03rzT9oKc6VrnM41WT3
> KFciwOCVuzcytGeaR0JC05xmxqD9vbeTRqdk0GsmpFgftkr2RvUhdLC/GsvUByk1
> df4EM2BdWEkCErx9fofeZOJZItMf7+7Cq7dXLMSE+js87GITAn7SpKhpHMp3hU8Q
> dP4TixdhF6uZwwVWZI2aCJ18RmFl+BoyQSNOxU4pYKmtPD0w47ytJhAyuYKO7RpS
> ooLR8KI9Q8zT6IPaILUDnpE/mGBoKL8k9+YAmTWi13io1QTg5A1o4awCRd4MdtzG
> rmB2PDrmQrNZEogeqfYN878xwiagxK7ovYwwXP3NP2NFwu3HoeL+014geJB6RKGl
> i4ba0qavHtBfN0OX9JyUgS2ekfszGVn7tCsiZCoQ+fOXe54ouic=
> =LT9J
> -----END PGP SIGNATURE-----
>
--- End Message ---
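Added example, not part of the BTS mail above and not Debian's own tooling: a POSIX shell check that verifies downloaded source artefacts against the Checksums-Sha256 stanza of a .changes file such as the one quoted in the closing message, before the tarballs are unpacked or built. The .changes path and download directory are assumed arguments; the stanza parsing is deliberately minimal and the script does not check the OpenPGP signature on the .changes file (that remains a separate step with gpg or dscverify). It needs sha256sum from coreutils.

```shell
#!/bin/sh
# Added example: verify files listed in a .changes "Checksums-Sha256:" stanza.
# Not code from the Debian BTS mail or from Debian's tools (assumed names).

# Print the stanza as "<sha256>  <filename>" lines, the input format that
# "sha256sum -c" expects. Stanza lines are indented ("<hash> <size> <name>");
# the stanza ends at the next unindented "Field:" header.
changes_sha256_list() {
    # $1: path to the .changes file
    awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        /^[A-Za-z-]+:/       { in_stanza = 0 }
        in_stanza && NF == 3 { printf "%s  %s\n", $1, $3 }
    ' "$1"
}

# Verify that every file named in the stanza is present in directory $2 and
# has the recorded SHA-256. Returns 0 only when all files match; a missing
# file, a tampered file, or a .changes without the stanza returns 1.
verify_changes() {
    changes="$1"
    dir="$2"
    list=$(changes_sha256_list "$changes")
    if [ -z "$list" ]; then
        echo "no Checksums-Sha256 stanza in $changes" >&2
        return 1
    fi
    # --strict makes malformed lines an error, --quiet hides the OK lines.
    ( cd "$dir" && printf '%s\n' "$list" | sha256sum -c --strict --quiet )
}

# Usage: verify_changes php8.1_8.1.12-1_amd64.changes ./downloads
```

The size field of the stanza is not checked separately; a file whose SHA-256 matches necessarily has the recorded size. The MD5 "Files:" stanza is ignored on purpose, since MD5 offers no meaningful integrity guarantee against an attacker who can substitute an artefact.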