[php-maint] [Fwd: Re: [SECURITY] [DSA 1789-1] New php5 packages fix several vulnerabilities]

sean finney seanius at debian.org
Wed May 6 13:02:15 UTC 2009


honestly, i'm not surprised, based on the size of the changes and
the very messy/manual process of picking out related/needed changes
for the etch version.

i can take a look but it will probably be a couple days.


	sean

On Wed, May 06, 2009 at 01:51:18PM +0200, Thijs Kinkhorst wrote:
> All,
> 
> Seems there was a problem after all with the zip extension. If anyone is
> able to dive into this, that would be great.
> 
> 
> Thijs
> Date: Wed, 6 May 2009 10:57:26 +0200
> From: Sébastien Le Ray <s.le_ray at eutech-ssii.com>
> To: debian-security at lists.debian.org
> Subject: Re: [SECURITY] [DSA 1789-1] New php5 packages fix several
> 	vulnerabilities
> 
> On Mon, 4 May 2009 22:57:57 +0200 (CEST),
> Thijs Kinkhorst <thijs at debian.org> wrote:
> 
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA-1789-1                   security at debian.org
> > http://www.debian.org/security/                         Thijs Kinkhorst
> > May 04, 2009                            http://www.debian.org/security/faq
> > ------------------------------------------------------------------------
> > 
> > Package        : php5
> > Vulnerability  : several
> > Problem type   : remote
> > Debian-specific: no
> > CVE Id(s)      : CVE-2008-2107 CVE-2008-2108 CVE-2008-5557
> > CVE-2008-5624 CVE-2008-5658 CVE-2008-5814 CVE-2009-0754 CVE-2009-1271 
> > Debian Bugs    : 507101 507857 508021 511493 523028 523049 
> > 
> > Several remote vulnerabilities have been discovered in the PHP 5
> > hypertext preprocessor. The Common Vulnerabilities and Exposures
> > project identifies the following problems.
> > 
> > The following four vulnerabilities have already been fixed in the
> > stable (lenny) version of php5 prior to the release of lenny. This
> > update now addresses them for etch (oldstable) as well:
> > 
> > 
> > CVE-2008-5658
> > 
> >     Directory traversal vulnerability in the ZipArchive::extractTo
> > function allows attackers to write arbitrary files via a ZIP file
> > with a file whose name contains .. (dot dot) sequences.
> > 
> 
> Hi,
> 
> It seems that there were some side effects. Since the upgrade we have had
> PHP crashes with:
> *** glibc detected *** double free or corruption (fasttop): 0x08718200
> ***
> 
> The crash occurs inside the extractTo function, please tell me if you
> need any additional information.
> 
> Regards
> 
> Sébastien

> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
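As an added illustration of the vulnerability class the advisory names under CVE-2008-5658 (this is example code written for this page, not the Debian patch, the php5 package's fix, or PHP's own implementation), the wrapper below validates every entry name of an archive before it is handed to ZipArchive::extractTo, so an archive whose entry names carry ".." components cannot write outside the chosen directory. The function names isSafeEntryName and safeExtract and the sample entry names are constructed for the example; the ZipArchive methods and property used (numFiles, getNameIndex, extractTo) are the real PHP API.

```php
<?php
// Added example, not from the advisory or the PHP project: reject zip entry
// names that could escape the extraction directory, then extract only the
// remaining entries and verify afterwards that nothing landed outside it.

/**
 * Return true when $name is a relative path with no ".." segment.
 * Rejects empty names, NUL bytes, absolute POSIX paths, Windows drive
 * prefixes and UNC-style leading backslashes. Backslashes are treated as
 * separators too, since PHP on Windows would interpret them that way.
 */
function isSafeEntryName(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if ($name[0] === '/' || $name[0] === '\\' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;
    }
    $segments = explode('/', str_replace('\\', '/', $name));
    foreach ($segments as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

/**
 * Extract only the entries whose names pass isSafeEntryName(); afterwards
 * confirm via realpath() that each written path still resolves inside
 * $dest (this also catches escapes through pre-existing symlinks).
 * Returns the names that were skipped so the caller can log them.
 */
function safeExtract(ZipArchive $zip, string $dest): array
{
    $destReal = realpath($dest);
    if ($destReal === false) {
        throw new RuntimeException("destination does not exist: $dest");
    }
    $accepted = [];
    $skipped  = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name !== false && isSafeEntryName($name)) {
            $accepted[] = $name;
        } else {
            $skipped[] = (string) $name;
        }
    }
    if ($accepted !== [] && !$zip->extractTo($destReal, $accepted)) {
        throw new RuntimeException('extractTo failed');
    }
    $prefix = rtrim($destReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    foreach ($accepted as $name) {
        $written = realpath($destReal . '/' . $name);
        if ($written !== false && strpos($written, $prefix) !== 0) {
            throw new RuntimeException("entry escaped destination: $name");
        }
    }
    return $skipped;
}

// Constructed sample entry names; the expected verdict is given beside each.
// No archive is needed to exercise the validator itself.
$samples = [
    'docs/readme.txt'      => true,
    'a/b/../../c.txt'      => false,  // resolves inside, but ".." is refused outright
    '../../escaped.txt'    => false,
    '/absolute.txt'        => false,
    'C:\\win\\escaped.txt' => false,
    "file\0.txt"           => false,
];
foreach ($samples as $name => $expected) {
    $ok = isSafeEntryName($name);
    printf("%-24s %s\n", addcslashes($name, "\0"), $ok ? 'safe' : 'rejected');
    if ($ok !== $expected) {
        throw new LogicException("unexpected verdict for $name");
    }
}
```

The validator is deliberately stricter than a minimal fix: it refuses any ".." segment even when the path would still resolve inside the destination, because normalising such names is where extraction code has historically gone wrong. The post-extraction realpath() pass is a second, independent check rather than a replacement for the name filter.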
