[Secure-testing-team] [php-maint] Bug#479723: php 5.2.6 Security Fixes

sean finney seanius at debian.org
Thu May 8 20:31:13 UTC 2008


hi everyone (again)

sat down and spent some time looking at these:

On Wednesday 07 May 2008 11:52:41 pm Kees Cook wrote:
> On Tue, May 06, 2008 at 10:16:25AM +0000, Moritz Naumann wrote:
> >     * Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei
> > Nigmatulin)
> >       --> CVE-2008-2050 (acc. to
> > http://marc.info/?l=oss-security&m=120974347717937)
> >       --> not tracked by Debian yet
>
> http://marc.info/?l=php-cvs&m=120721829703242&w=2

This patch matches the one I referenced earlier.

> >     * Properly address incomplete multibyte chars inside escapeshellcmd()
> > (Ilia, Stefan Esser)
> >       --> CVE-2008-2051 (acc. to
> > http://marc.info/?l=oss-security&m=120974347717937)
> >       --> not tracked yet
>
> http://marc.info/?l=php-cvs&m=120579496007399&w=2

Likewise.

>
> >     * Fixed security issue detailed in CVE-2008-0599. (Rasmus)
> >       --> CVE-2008-0599 (acc. to http://www.php.net/ChangeLog-5.php)
> >       --> already tracked at
> > http://security-tracker.debian.net/tracker/CVE-2008-0599

This looks like a coding error introduced well after 5.2.0, thus no fix needed AFAICT.

> http://marc.info/?l=php-cvs&m=120415902925033&w=2
>
> >     * Fixed a safe_mode bypass in cURL identified by Maksymilian
> > Arciemowicz. (Ilia)
> >       --> CVE-2007-4850 (acc. to
> > http://securityreason.com/achievement_securityalert/51)
> >       --> already tracked at
> > http://security-tracker.debian.net/tracker/CVE-2007-4850
> >       --> missing source package reference at
> > http://security-tracker.debian.net/tracker/source-package/php5
>
> http://marc.info/?l=php-cvs&m=119963956428826&w=2

As has already been stated, we don't bother looking at safe_mode bypasses.

> On Tue, May 06, 2008 at 04:47:32PM +0200, Moritz Muehlenhoff wrote:
> > > http://www.php.net/ChangeLog-5.php lists several security fixes which
> > > are included in upstream PHP 5.2.6:
> >
> > Thanks, there are two more, which I found and which I just commited to
> > the tracker:
> >
> > +CVE-2008-XXXX [php integer overflow in printf]
> > +       - php5 <unfixed>
> > +       NOTE: http://www.php.net/ChangeLog-5.php
> > +       NOTE: Needs further details or digging in SVN
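Review bot: the entry keeps the CVE-2008-XXXX placeholder and the NOTE lines cite only the ChangeLog and say the issue "needs further details or digging in SVN"; once the php-cvs commit linked in the reply (http://marc.info/?l=php-cvs&m=120579485607237&w=2) is confirmed as the fix, record that URL as a NOTE and replace the placeholder with the assigned identifier so the `php5 <unfixed>` line can be resolved against it.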
>
> http://marc.info/?l=php-cvs&m=120579485607237&w=2

This matches up as well.

> > +CVE-2008-XXXX [php suboptimal seeding]
> > +       - php5 <unfixed> (low)
> > +       - php4 <unfixed> (low)
> > +       NOTE: http://www.sektioneins.de/advisories/SE-2008-02.txt
> > +       NOTE: I don't believe we need to address this, likely no-dsa, but
> > needs further checking
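Review bot: the php5 and php4 lines are both left as `<unfixed> (low)` while the NOTE already says the issue is "likely no-dsa, but needs further checking"; the reply points at an upstream commit from April 2007 (http://marc.info/?l=php-cvs&m=117601921106002&w=2), so the entry should cite that commit in a NOTE and, if it is confirmed to predate the packaged versions, replace `<unfixed>` with the fixed version or a not-affected marker rather than leaving the question open in a free-text note.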
>
> http://marc.info/?l=php-cvs&m=117601921106002&w=2
> "However, the last one is from Sun Apr  8 08:04:31 2007 UTC, which seems
> like ages ago.  We might already have that one?"

The relevant code is either gone or totally refactored in mcrypt.c, it seems,
so I'll assume that it's fixed unless someone digs up proof to the contrary.


Anyway, the patches are all in svn now, and they cleanly apply.  I have not
tested the build/update though, and will not have time to do this until
sometime next week most likely.  Could someone else pick it up from here?


	sean