[php-maint] remaining security issues (was: Re: Bug#511493 closed by sean finney <seanius at debian.org> (Re: Bug#511493: CVE-2008-5557: buffer overflow))

Raphael Geissert atomo64+debian at gmail.com
Wed Jan 14 23:58:15 UTC 2009


Hi Sean, Steffen,

[Changing subject]

2009/1/14 sean finney <seanius at debian.org>:
> hiya,
>
> (adding pkg-php-maint to the cc, hope that's okay)
>
> On Tue, Jan 13, 2009 at 10:42:22PM +0100, Steffen Joeris wrote:
>> Could you also please check this CVE id[0]?
>
> CVE-2008-5814: XSS vuln if display_errors = On
>
> i'll see if i can find a fix for this, which means a scavenger hunt through
> upstream cvs :/.  seems a bit of a corner case but probably worth fixing.

If it was recently fixed, which I guess, I should be able to find
something on the daily cvs reports. I haven't read any of them since I
went on VAC, but should be able to read them all in a couple of hours.

>
>> Also it would be great to get other known php issues fixed for lenny. Please
>> see php in this list[1]. And then of course it would be nice to get another
>
> CVE-2008-5658: Directory traversal vulnerability in ZipArchive::extractTo
>
> honestly, i don't view this as a php vulnerability, though others might
> disagree.
>

I do not have a strong opinion on this, but maybe it should not be
considered as a security issue, just a normal bug; as it is up to the
server settings whether it is possible to overwrite or write anything
outside the path where the file was meant to be unpacked. If it can
bypass the open_basedir restrictions it should then be considered a
security issue, but it is not relevant to Debian either as there's no
support for apps relying on open_basedir.

BUT, if a patch is available and isn't very obtrusive then I see no
reason not to fix it.

[...]
>> php5 DSA out to fix at least most of the issues for php5 in this list[2].
>
> yeah, as i've lately been moaning on the pkg-php list, merging is a major
> PITA in subversion so I'd rather get everything sorted out in sid and lenny
> before working on etch.
>
>> Would you or some other php5 maintainer have time to work on it? :)
>> I might be able to assist, but would like to have someone who knows php5
>> better than me :)
>

Already said I'm going to read all the remaining cvs commit notifs to
try to hunt down the bug fixes.

[...]
> if you have time in the day to put towards this please feel encouraged,
> just let us know what you're working on so we don't duplicate any effort :)
>

Just a note on this, although I'll try to hunt down the bug fixes I
can not guarantee anything, as it is well known that some are deeply
hidden.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Bob Hope  - "I grew up with six brothers. That's how I learned to
dance - waiting for the bathroom."
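
Added example, not part of the original message and not PHP upstream's or Debian's code: a check an application can run on archive entry names before calling ZipArchive::extractTo, so that the result does not depend on server settings or on the installed PHP version. The function names `entry_stays_inside` and `unsafe_zip_entries` and the sample archive are constructed for illustration.

```php
<?php
// Added example: function names and the sample archive are constructed.

// True if a zip entry name, joined to a destination directory, stays inside it.
function entry_stays_inside(string $name): bool
{
    $name = str_replace('\\', '/', $name);
    if ($name === '' || $name[0] === '/' || strpos($name, "\0") !== false
        || preg_match('/^[A-Za-z]:/', $name)) {
        return false;                 // absolute path, drive letter or NUL byte
    }
    $depth = 0;
    foreach (explode('/', $name) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part !== '..') {
            $depth++;
        } elseif (--$depth < 0) {
            return false;             // climbs above the extraction root
        }
    }
    return true;
}

// Entry names in the archive that must not be extracted as-is.
function unsafe_zip_entries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !entry_stays_inside($name)) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

// Constructed sample archive: one ordinary entry, one with a traversal name.
$path = tempnam(sys_get_temp_dir(), 'zipchk');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('docs/readme.txt', "ok\n");
$zip->addFromString('../../outside.txt', "constructed\n");
$zip->close();
print_r(unsafe_zip_entries($path));
unlink($path);
```

An application would refuse the archive, or extract only the entries not returned by `unsafe_zip_entries`, before handing it to extractTo.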


