[php-maint] Bug#506706: php5: CVE-2008-3658 patch not completely implemented.

Jan-Willem Korver janwillem at fruitlounge.com
Sun Nov 23 21:58:53 UTC 2008

Package: php5
Version: 5.2.0-8+etch13
Severity: normal / exempt
Justification: no longer builds from source (in some cases)

The "CVE-2008-3658: Buffer overflow in the imageloadfont function." patch makes a call to the overflow2() function which is an undefined reference.
That particular function is defined in gd_security.c which is part of the php5 source tree but is not included in this Debian source package.

As a result the package will fail to build when it is configured to include the bundled GD library which comes with php5 rather than linking to
the shared version which it defaults to.

As it is Debian policy to build this package against the shared GD library that comes with the distribution, this report will never be an issue.

For the record and completeness I thought it would be best to make mention of it anyway.

Jan-Willem Korver (janwillem at fruitlounge.com)

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23-1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages php5 depends on:
ii  libapache2-mod- 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii  php5-cgi        5.2.0-8+etch13 server-side, HTML-embedded scripti
ii  php5-common     5.2.0-8+etch13 Common files for packages built fr

php5 recommends no packages.

-- no debconf information
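
An added example, not part of the original report and not the code from gd_security.c or the Debian patch: a guard of the kind the report describes, assuming overflow2() is a check that the product of two int operands is safe to use as an allocation size. The names mul_would_overflow, font_header and font_body_size are hypothetical, and the header layout is constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for an overflow2()-style guard (assumption, not the
 * gd_security.c source): returns 1 when a * b must not be used as an
 * allocation size, 0 when the product is safe. */
static int mul_would_overflow(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;               /* zero or negative dimensions are rejected */
    if (a > INT_MAX / b)
        return 1;               /* a * b would exceed INT_MAX */
    return 0;
}

/* Constructed font header: glyph count and glyph width/height in pixels,
 * as read from an untrusted file. Field names are assumptions. */
struct font_header {
    int nchars;
    int w;
    int h;
};

/* Returns the bytes needed for the glyph bitmap (one byte per pixel),
 * or 0 if the header describes a size that cannot be represented safely. */
static size_t font_body_size(const struct font_header *hdr)
{
    if (mul_would_overflow(hdr->nchars, hdr->h))
        return 0;
    /* nchars * h is now known to fit in an int, so it can be an operand. */
    if (mul_would_overflow(hdr->nchars * hdr->h, hdr->w))
        return 0;
    return (size_t)hdr->nchars * hdr->h * hdr->w;
}

/* Allocates the glyph buffer only after both multiplications are checked. */
static unsigned char *alloc_font_body(const struct font_header *hdr, size_t *out_len)
{
    size_t len = font_body_size(hdr);
    *out_len = len;
    return len ? malloc(len) : NULL;
}
```

Because the guard lives in a separate translation unit in the bundled library, a backported patch that calls it also has to ship or link that file, which is the build failure the report describes.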
