[php-maint] php5/5.3.3-6 ready

Ondřej Surý ondrej at debian.org
Tue Dec 7 20:28:54 UTC 2010

Hi Raphael,

just let me say - glad to have you back :-).

> On 7 December 2010 09:02, Ondřej Surý <ondrej at sury.org> wrote:
>> Hi,
>> I have php5/5.3.3-5 built with following changes:
>>  php5 (5.3.3-6) unstable; urgency=medium
>>  .
>>   * Cherry-pick fix for crashes on invalid parameters in intl extension.
>>     (CVE-2010-4409).
> According to Tomas Hoger setSymbol is also affected, but in both cases
> they appear to be ICU bugs. I will have to investigate whether we
> want/can fix them in ICU directly.

Ok, we'll monitor that. (And god I hate SVN.)

> P.S. The commit related to CVE-2010-1128 that you added to
> debian-lenny is not really worthy, IMHO. Based on the analysis, the
> patch only really helps Windows, where the situation is worse because
> gettimeofday() is emulated via a function that doesn't provide
> microseconds resolution, AFAIR. Hence my note on DSA-2089.
> That said, I don't oppose to including it on the next upload.

The lenny upload misses the reject NULL filenames because I didn't
have time to go through all rejected patches from 5.3 branch backport
and change the surrounding code from zend_get_params to
zend_parse_params (or how the function which returns the length of the
param called). Should be quite easy to fix if one have enough time.

Ondřej Surý <ondrej at sury.org>

More information about the pkg-php-maint mailing list