[php-maint] php5/5.3.3-6 ready

Raphael Geissert geissert at debian.org
Tue Dec 7 20:14:31 UTC 2010


Hi Ondřej,

On 7 December 2010 09:02, Ondřej Surý <ondrej at sury.org> wrote:
> Hi,
>
> I have php5/5.3.3-5 built with following changes:
>
>  php5 (5.3.3-6) unstable; urgency=medium
>  .
>   * Cherry-pick fix for crashes on invalid parameters in intl extension.
>     (CVE-2010-4409).

According to Tomas Hoger, setSymbol is also affected, but in both cases
they appear to be ICU bugs. I will have to investigate whether we
want/can fix them in ICU directly.

>  * Cherry pick complete fix to reject filenames with NULL (CVE requested)

FTR, the problem is already partially mitigated by the suhosin extension, heh.


Thanks for the upload.


P.S. The commit related to CVE-2010-1128 that you added to
debian-lenny is not really worthwhile, IMHO. Based on the analysis, the
patch only really helps Windows, where the situation is worse because
gettimeofday() is emulated via a function that doesn't provide
microsecond resolution, AFAIR. Hence my note on DSA-2089.
That said, I don't oppose including it in the next upload.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
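A worked example, added here and not part of the thread or of the php5 package's own fix, of why the "reject filenames with NULL" change in the changelog above matters: a length-delimited string (as PHP strings are) can carry an embedded NUL byte that a suffix check over the full length accepts, while the NUL-terminated path handed to the C file API stops at the first NUL, so a different file is opened than the one that was checked. The sample filename and the check functions below are constructed for this example; the real php5 patch is not reproduced.

```c
/* Added example (not code from the php5 package or this thread).
 * Demonstrates the embedded-NUL filename problem and the length-aware
 * rejection a userland-to-C boundary needs. Build: cc -o nulcheck nulcheck.c */
#include <stdio.h>
#include <string.h>

/* Constructed attacker input: passes a ".jpg" suffix check over its full
 * 18-byte length, but the C file API only sees "../etc/passwd". */
static const char NAME_WITH_NUL[] = "../etc/passwd\0.jpg";
#define NAME_WITH_NUL_LEN (sizeof(NAME_WITH_NUL) - 1) /* 18, terminator excluded */

/* Naive check: tests the suffix over the full length-delimited string
 * without noticing the embedded NUL. Returns 1 when the suffix matches. */
int naive_ends_with_jpg(const char *s, size_t len)
{
    return len >= 4 && memcmp(s + len - 4, ".jpg", 4) == 0;
}

/* Length the NUL-terminated C file API will actually use for this name:
 * everything after the first NUL byte is silently dropped. */
size_t effective_path_len(const char *s, size_t len)
{
    const char *nul = memchr(s, '\0', len);
    return nul ? (size_t)(nul - s) : len;
}

/* Hardened check: rejects any embedded NUL first, then tests the suffix.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int safe_jpg_name(const char *s, size_t len)
{
    if (memchr(s, '\0', len) != NULL) /* embedded NUL: reject outright */
        return 0;
    return len >= 4 && memcmp(s + len - 4, ".jpg", 4) == 0;
}

int main(void)
{
    const char *good = "photo.jpg";
    size_t good_len = strlen(good);

    printf("naive check on NUL name : %d\n",
           naive_ends_with_jpg(NAME_WITH_NUL, NAME_WITH_NUL_LEN));
    printf("bytes the C API would use: %zu of %zu\n",
           effective_path_len(NAME_WITH_NUL, NAME_WITH_NUL_LEN), NAME_WITH_NUL_LEN);
    printf("safe check on NUL name  : %d\n",
           safe_jpg_name(NAME_WITH_NUL, NAME_WITH_NUL_LEN));
    printf("safe check on %s : %d\n", good, safe_jpg_name(good, good_len));
    return 0;
}
```

The naive check accepts the NUL-carrying name while the C library would open only its first 13 bytes; the hardened check rejects the name before any file API sees it, which is the behaviour the cherry-picked fix gives PHP's filesystem functions.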