PublicDateAtUSN: 2017-07-10
Candidate: CVE-2017-11147
PublicDate: 2017-07-10 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11147
 http://openwall.com/lists/oss-security/2017/07/10/6
 http://php.net/ChangeLog-5.php
 http://php.net/ChangeLog-7.php
 https://ubuntu.com/security/notices/USN-3382-1
 https://ubuntu.com/security/notices/USN-3382-2
Description:
 In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could
 be used by attackers supplying malicious archive files to crash the PHP
 interpreter or potentially disclose information due to a buffer over-read
 in the phar_parse_pharfile function in ext/phar/phar.c.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.php.net/bug.php?id=73773
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H [9.1 CRITICAL]

Patches_php5:
 upstream: https://github.com/php/php-src/commit/e5246580a85f031e1a3b8064edbaa55c1643a451
upstream_php5: released (5.6.30)
precise/esm_php5: released (5.3.10-1ubuntu3.28)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.22)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.22)
vivid/ubuntu-core_php5: DNE
xenial_php5: DNE
yakkety_php5: DNE
zesty_php5: DNE
artful_php5: DNE
devel_php5: DNE

Patches_php7.0:
 upstream: https://github.com/php/php-src/commit/e5246580a85f031e1a3b8064edbaa55c1643a451
 upstream: https://github.com/php/php-src/commit/7f0de1a138a69beb7c537fd1ec84afbc91a45b19 (7.0 merge)
upstream_php7.0: released (7.0.15)
precise/esm_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
vivid/ubuntu-core_php7.0: DNE
xenial_php7.0: not-affected (7.0.18-0ubuntu0.16.04.1)
esm-infra/xenial_php7.0: not-affected (7.0.18-0ubuntu0.16.04.1)
yakkety_php7.0: ignored (reached end-of-life)
zesty_php7.0: not-affected (7.0.18-0ubuntu0.17.04.1)
artful_php7.0: DNE
devel_php7.0: DNE

Patches_php7.1:
 upstream: https://github.com/php/php-src/commit/e5246580a85f031e1a3b8064edbaa55c1643a451
 upstream: https://github.com/php/php-src/commit/7f0de1a138a69beb7c537fd1ec84afbc91a45b19 (7.0 merge)
 upstream: https://github.com/php/php-src/commit/2075fb2b73c2d56c7acfb29773a2dc68b8d2f29d (7.1 merge)
upstream_php7.1: released (7.1.1)
precise/esm_php7.1: DNE
trusty_php7.1: DNE
trusty/esm_php7.1: DNE
vivid/ubuntu-core_php7.1: DNE
xenial_php7.1: DNE
yakkety_php7.1: DNE
zesty_php7.1: DNE
artful_php7.1: not-affected (7.1.6-2ubuntu1)
devel_php7.1: not-affected (7.1.6-2ubuntu1)