[php-maint] php5/5.3.3-6 ready

Ondřej Surý ondrej at debian.org
Tue Dec 7 20:28:54 UTC 2010


Hi Raphael,

just let me say - glad to have you back :-).

> On 7 December 2010 09:02, Ondřej Surý <ondrej at sury.org> wrote:
>> Hi,
>>
>> I have php5/5.3.3-5 built with the following changes:
>>
>>  php5 (5.3.3-6) unstable; urgency=medium
>>  .
>>   * Cherry-pick fix for crashes on invalid parameters in intl extension.
>>     (CVE-2010-4409).
>
> According to Tomas Hoger, setSymbol is also affected, but in both cases
> they appear to be ICU bugs. I will have to investigate whether we
> want/can fix them in ICU directly.

Ok, we'll monitor that. (And god I hate SVN.)

> P.S. The commit related to CVE-2010-1128 that you added to
> debian-lenny is not really worthwhile, IMHO. Based on the analysis, the
> patch only really helps Windows, where the situation is worse because
> gettimeofday() is emulated via a function that doesn't provide
> microsecond resolution, AFAIR. Hence my note on DSA-2089.
> That said, I don't oppose including it in the next upload.

The lenny upload is missing the reject-NULL-filenames fix because I
didn't have time to go through all the rejected patches from the 5.3
branch backport and change the surrounding code from zend_get_params to
zend_parse_params (or whatever the function which returns the length of
the param is called). Should be quite easy to fix if one has enough time.

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
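The point behind the "reject NULL filenames" backport above is that the check cannot be done from a plain C string: a PHP string carries its own length and may contain an embedded NUL byte, while the C file APIs underneath stop at the first NUL, so the name PHP validates and the name the kernel opens can differ. The following is an added example, not PHP's own code, illustrating why the check needs the parameter length (the zend_parse_parameters-style view) rather than strlen(). All function names are hypothetical and the attacker-supplied filename is constructed for the demonstration.

```c
/*
 * Added example (not PHP project code): why rejecting NUL bytes in a
 * filename requires the parameter's length, not strlen().  Helper names
 * are hypothetical; the input below is constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What the C library, and hence open()/fopen()/stat(), would see:
 * only the bytes up to the first NUL. */
size_t c_library_visible_length(const char *s)
{
    return strlen(s);
}

/* Length-aware test for an embedded NUL.  With only a C string in hand
 * (the zend_get_parameters-era view) this test is impossible, which is
 * why the fix has to move to the length-returning parameter parser. */
int contains_embedded_nul(const char *s, size_t len)
{
    return memchr(s, '\0', len) != NULL;
}

/* A typical application-level extension check done on the full PHP
 * string.  It is correct for what it sees, but an embedded NUL lets the
 * checked suffix and the opened name diverge. */
int suffix_matches_full_length(const char *s, size_t len, const char *suffix)
{
    size_t m = strlen(suffix);
    return len >= m && memcmp(s + len - m, suffix, m) == 0;
}

/* Hardened check: reject any embedded NUL first, then compare the suffix.
 * Returns 1 if the filename may be handed to the C file APIs, else 0. */
int filename_is_acceptable(const char *s, size_t len, const char *suffix)
{
    if (contains_embedded_nul(s, len))
        return 0;
    return suffix_matches_full_length(s, len, suffix);
}

int main(void)
{
    /* Constructed attacker-supplied name: passes a ".jpg" suffix check on
     * the full PHP string, but the C library would open "evil.php". */
    static const char evil[] = "evil.php\0.jpg";
    size_t evil_len = sizeof(evil) - 1;          /* 13 bytes, NUL included */
    static const char good[] = "photo.jpg";

    printf("PHP-level suffix check (.jpg): %s\n",
           suffix_matches_full_length(evil, evil_len, ".jpg") ? "passes" : "fails");
    printf("name the C library would open: \"%s\" (%zu of %zu bytes)\n",
           evil, c_library_visible_length(evil), evil_len);
    printf("hardened check on the constructed name: %s\n",
           filename_is_acceptable(evil, evil_len, ".jpg") ? "accept" : "reject");
    printf("hardened check on \"%s\": %s\n", good,
           filename_is_acceptable(good, sizeof(good) - 1, ".jpg") ? "accept" : "reject");
    return 0;
}
```

The first two printf lines show the mismatch that the backport closes: the suffix check on the 13-byte string passes while the C library sees only the 8-byte prefix. Doing the NUL rejection once, where the parameter length is available, covers every filesystem function that takes the string afterwards.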
