[php-maint] Re: php and apache DSAs

sean finney seanius at debian.org
Sat Aug 26 10:32:15 UTC 2006


apologies if you're receiving a second copy of this, i apparently hosed
the config of one of my MTAs...

On Fri, Aug 25, 2006 at 09:12:48PM +0200, Martin Schulze wrote:
> Er...  If I write broken code, I must not wonder why the resulting
> program is broken as well.  I'm sorry.  We cannot fix stupidity.

fair enough.

> Err.. yes, except that both htmlspecialchars() and htmlentities()
> would "fix" the string already.  Again, this is broken programming
> that triggers a problem.  Nothing for a security advisory.

okay.

> Feel free to ask the SRM team if they are happy with a PHP update.

i don't think any of the previous issues warrant a s-p-u update,
though if there were one for unrelated reasons i'd think of
including them as well.

> Who the hell would do *this*?  Honestly!  Reality check!

/me r's tfm for the function and agrees.

> > > > +    - CVE-2005-3353: Possible DoS via malformed jpegs in
exif_read_data()
> 
> I agree that this seems to warrant a security update.
> 
> Ok, so we're down to one vulnerability that may require fixing.
> 
> Could you provide a patch with only this one?

sure, i'll prepare something this afternoon.

On Fri, Aug 25, 2006 at 09:34:50PM +0200, Martin Schulze wrote:
> > I think at least CVE-2006-3017, CVE-2005-3389, CVE-2006-4020, and php bug
> > #38112 should be fixed. But I read your answer as "no" to my second
> > question.
> 
> Interesting, most of them were not on the list from Sean, hence copied.

yeah.  i'd been working with a list that was forwarded to me by either
moritz or micah, and i haven't done any extra checking to see whether
there were more.  

> CVE-2006-3017 - unset() fails to unset variables due to duplicate hash val
> 
> This one I accept as bug that warrants a security update.
> Upstream patch attached for reference and maybe for Sean to
> include it.

i'll add that to the list.

On Sat, Aug 26, 2006 at 11:28:01AM +0200, Martin Schulze wrote:
> > Yes, it's in the php4-gd package. PHP on sarge crashes with the
> > example gif from the bug report. Of course, I don't know whether this
> > can be used to execute arbitrary code, but I expect that it is easier
> > to fix it than to analyse it.
> 
> Stefan/Sean, could you retrieve the patch for it?  Maybe ask
> pajoye at php.net.

if no one else does by the time i get the previously mentioned stuff
done, i'll see if i can dig it up.  stefan, if you want to help out
more with this, we should probably coordinate over irc/icq/im/whatever
to make sure we don't duplicate any effort.  i'll be stepping out to do
some saturday shopping but will be back in a few hours.

	sean

