[php-maint] Bug#441433: CVE-2007-3806, CVE-2007-2519 and CVE-2007-3799

[Nico Golde]

Package: php5
Version: 5.2.3-1
Severity: important
Tags: security

Hi,
3 CVEs had been issued against php5:

CVE-2007-3799[0]:
The session_start function in ext/session in PHP 4.x up to 
4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert 
arbitrary attributes into the session cookie via special 
characters in a cookie that is obtained from (1) PATH_INFO, 
(2) the session_id function, and (3) the session_start 
function, which are not encoded or filtered when the new 
session cookie is generated.

CVE-2007-2519[1]:
Directory traversal vulnerability in the installer in PEAR 
1.0 through 1.5.3 allows user-assisted remote attackers to 
overwrite arbitrary files via a .. (dot dot) sequence in the 
(1) install-as attribute in the file element in package.xml 
1.0 or the (2) as attribute in the install element in 
package.xml 2.0. NOTE: it could be argued that this does not 
cross privilege boundaries in typical installations, since 
the code being installed could perform the same actions.

CVE-2007-3806[2]:
The glob function in PHP 5.2.3 allows context-dependent 
attackers to cause a denial of service and possibly execute 
arbitrary code via an invalid value of the flags parameter, 
probably related to memory corruption.

Please include the CVE ids in your changelog entries if you
fix the issues.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3799
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2519
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3806
-- 
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20070909/a545b3dc/attachment-0001.pgp