[php-maint] Bug#739012: Bug#738832: Segmentation fault in libmagic (src:file) [CVE-2014-1943]
Lior Kaplan
kaplan at debian.org
Fri Feb 14 22:48:48 UTC 2014
On Fri, Feb 14, 2014 at 11:53 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> I clone this bugreport, as php5 embedding a modified copy of libmagic
> would also be affected by CVE-2014-1943.
>
Thanks.
I've looked at the build logs, and it does seem like the fileinfo extension
uses the internal libmagic during build (verified upstream forced this
since PHP 5.3.0 at
http://git.php.net/?p=php-src.git;a=commitdiff;h=ccc012d3f656236c29c075a9e5dfbe850e00915b
).
But I'm still not sure why we have a libmagic-dev build-dep and a hard-coded
dependency on libmagic1 for the various SAPIs. But that's a side
note...
The question is: do we want to patch this ourselves, or wait for PHP to
provide the fix based on the linked commits? I guess the latter would be
best, unless it will take them too much time.
Kaplan