[php-maint] php5/5.3.3-6 ready

[Raphael Geissert]

Heya Ondřej et al :)

On 7 December 2010 14:28, Ondřej Surý <ondrej at debian.org> wrote:
> Hi Raphael,
>
> just let me say - glad to have you back :-).

Heh, still struggling with some overly busy days, but yeah, I'm back :-)

>> On 7 December 2010 09:02, Ondřej Surý <ondrej at sury.org> wrote:
>> According to Tomas Hoger setSymbol is also affected, but in both cases
>> they appear to be ICU bugs. I will have to investigate whether we
>> want/can fix them in ICU directly.
>
> Ok, we'll monitor that. (And god I hate SVN.)

s/setSymbol/getLocale/ and here's the PoC by Maksymilian Arciemowicz
(with the right value to actually make it segfault):
$nx=new IntlDateFormatter("pl", IntlDateFormatter::FULL,
IntlDateFormatter::FULL);
$nx->getLocale(2);

>> P.S. The commit related to CVE-2010-1128 that you added to
>> debian-lenny is not really worthy, IMHO. Based on the analysis, the
>> patch only really helps Windows, where the situation is worse because
>> gettimeofday() is emulated via a function that doesn't provide
>> microseconds resolution, AFAIR. Hence my note on DSA-2089.
>> That said, I don't oppose to including it on the next upload.
>
> The lenny upload misses the reject NULL filenames because I didn't
> have time to go through all rejected patches from 5.3 branch backport
> and change the surrounding code from zend_get_params to
> zend_parse_params (or how the function which returns the length of the
> param called). Should be quite easy to fix if one have enough time.

Yeah, will see if I find some time to include those changes on the
following DSA.
Btw, it got a 2006 CVE, heh. I also added a note to the tracker to
mention the suhosin extension.

sean finney wrote:
> no objections and well done with taking care of php in the past
> few months, btw :)
Indeed, thanks Ondřej (still need to find out how to write ř to stop
c&p'ing it.)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net