[php-maint] Bug#336645: PHP 4.4.1 fixes security bugs

Steve Langasek vorlon at debian.org
Tue Nov 1 07:31:47 UTC 2005

Hash: SHA1

On Mon, Oct 31, 2005 at 07:14:55PM +0100, Florian Weimer wrote:
> Package: php4
> Tags: security
> Severity: grave

> The Hardened-PHP project has disclosed several security
> vulnerabilites:

>   <http://www.hardened-php.net/advisory_182005.77.html>
>   <http://www.hardened-php.net/advisory_192005.78.html>
>   <http://www.hardened-php.net/advisory_202005.79.html>
>   <http://www.hardened-php.net/globals-problem>

> The "globals problem" appears to be somewhat nasty.  It is not clear
> if it applies to stable's 4.3.10 version because the security feature
> which turned out to be buggy was introduced in 4.3.11, according to
> the fourth link above.  (Maybe PHP before 4.3.11 is vulnerable to some
> other issue; I don't know.)

The globals problem described does apply to php 4.3.10.

However, in reading over the description of the vulnerabilities, I don't
really see any grounds for regarding these as grave securty bugs.  The most
severe of these problems, 202005.79, only has a significant impact when
register_globals is set in the PHP environment -- a setting which has been
strongly deprecated for quite some time, and which is disabled by default in
sarge.  There is a *lot* of PHP application code that is vulnerable to XSS
or remote injection attacks when run with register_globals on, or which does
stupid things with manually registering request variables as global
variables; I'm not convinced that this warrants a grave bug against PHP...

- -- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
Version: GnuPG v1.4.1 (GNU/Linux)


More information about the pkg-php-maint mailing list