[Secure-testing-team] [php-maint] php updates, part 1
sean finney
seanius at debian.org
Wed Apr 29 15:47:24 UTC 2009
On Wed, Apr 29, 2009 at 12:23:04AM +0200, sean finney wrote:
> i believe i've managed to get the last couple fixes that need to be done for
> php5, and this should all be put into git now. i'm gonna sleep on it though
> and review tomorrow morning before i build/tag/upload.
i've just tagged/uploaded it. thanks to thijs for catching a stable/oldstable
reference mixup at the last minute. for reference, the upload fixes
the following issues:
- CVE-2008-5624: proper initialization of uid/gid for apache2 sapi.
- CVE-2008-5557: heap overflows in the mbstring extension.
- CVE-2008-5658: directory traversal in the zip extension
- CVE-2008-2107/CVE-2008-2108: crypto weaknesses in php_rand module
- CVE-2009-0754.patch: mbstring.func_overload leakage between vhosts
- CVE-2008-5814: XSS vulnerability via display_errors
- (no CVE): file truncation via inifile handler for the dba functions.
*** note one issue is missing (i overlooked it until writing this mail),
so there will be yet another upload coming shortly. ***
it also has the following non-security-but-previously-discussed changes:
* Backport the patch from lenny/sid to use the system timezone database
instead of the embedded php timezone database which is out of date.
Patch: 143-use_embedded_timezonedb.patch (closes: #471104).
* Repack the etch version of php5, stripping out the (unused) dbase
module which contained licensing problems (closes: #341420).
the following changes are not addressed:
CVE-2007-4659 low* no
Description: The zend_alter_ini_entry function in PHP before 5.2.4 does not properly handle an interruption to the flow of execution triggered by a memory_limit violation, which has unknown impact and attack vectors.
Rationale: no info/proof
CVE-2008-2829 low no
Description: php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.
Rationale: impossible to fix without a new version of libc-client-dev
CVE-2009-1271
Description: The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before ...
Rationale: i missed this one, it needs to be addressed. we already have a fix in lenny which applies cleanly...
CVE-2009-1272
Description: The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x ...
Rationale: does not affect us, as we never took the "broken" fix for CVE-2008-5658
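The zip issues above (CVE-2008-5658 and the later CVE-2009-1272 in php_zip_make_relative_path) are both about the same thing: an attacker-controlled entry name is joined to the extraction directory and must not be allowed to escape it. The following is an added illustration of that check in Python, written for this page; it is not PHP's own php_zip.c code nor any of the Debian patches, and the extraction root /srv/extract and the entry names are constructed for the example.

```python
import posixpath

# Placeholder extraction root for the example; not a path on any real host.
EXTRACT_ROOT = "/srv/extract"

# Constructed entry names of the kind a hostile archive would carry.
SAMPLE_ENTRIES = [
    "docs/readme.txt",          # ordinary relative entry
    "docs/../notes.txt",        # ".." that still resolves inside the root
    "../../etc/cron.d/evil",    # classic traversal
    "/etc/passwd",              # absolute name
    "..\\..\\win.ini",          # backslash traversal from a Windows-made zip
]


def resolve_entry(root: str, name: str):
    """Return the normalized destination for a zip entry, or None if the
    entry would land outside ``root``.

    The name is untrusted, so it is joined to the root and normalized before
    any file is created, and the normalized result must still be inside the
    root. Comparing against root + "/" (not a bare prefix) keeps a sibling
    such as /srv/extract2 from passing as "inside" /srv/extract.
    Only string normalization is done here; symlinks created by earlier
    entries are not resolved (see the note after the code).
    """
    root = posixpath.normpath(root)
    # Zip names may use backslashes; treat them as separators so that
    # "..\\..\\x" is not waved through on a POSIX host.
    candidate = posixpath.join(root, name.replace("\\", "/"))
    # posixpath.join discards the root when name is absolute, and normpath
    # collapses "..", so one prefix check covers both cases.
    dest = posixpath.normpath(candidate)
    if dest != root and not dest.startswith(root + "/"):
        return None
    return dest


def classify_entries(names, root: str = EXTRACT_ROOT):
    """Map each entry name to its safe destination, or None if rejected."""
    return {name: resolve_entry(root, name) for name in names}


if __name__ == "__main__":
    for name, dest in classify_entries(SAMPLE_ENTRIES).items():
        print(f"{name!r:28} -> {dest if dest else 'REJECTED'}")
```

Two caveats a practitioner would want: the check above is purely lexical, so an archive that first extracts a symlink pointing outside the root and then writes through it is not caught unless the extractor also refuses symlink entries or re-checks the real path of each destination before opening it; and the check must be applied to every entry before it is written, not after a partial extraction.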