XSS in phpinfo()
Reproducible: Always
Steps to Reproduce:
POC: http://localhost/phpinfo.php?a[]=<script>alert(/XSS/);</script>
Here we'll handle the bugs for this month of PHP bugs that are not already fixed in 4.4.6, and 5.2.1-r* at the same time (unfortunately 5.1 will contain remaining issues). Status is [upstream].
If you find bugs that are already fixed in our versions, please comment on bug 153911 instead (status [stable]).
* phpinfo() XSS
*** Bug 169498 has been marked as a duplicate of this bug. ***
*** Bug 170583 has been marked as a duplicate of this bug. ***
Two issues (20 and 21) with bypass of safemode and openbasedir with compressions:
PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability
PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability
Both unfixed in 5.2.1.
MOPB-22, MOPB-23, MOPB-24, all unfixed in 5.2.1
PHP team, do you know if there is a planned upstream upgrade after this Month?
http://ilia.ws/archives/165-5.2.2RC1-Released-for-Testing.html Probably add this p.mask'ed?
Mandriva just fixed these ones: CVE-2007-1001 CVE-2007-1285 CVE-2007-1286 CVE-2007-1711 CVE-2007-1718 Btw isn't it around time that we get the PHP issues cleaned up?
And Ubuntu fixed these: CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1484 CVE-2007-1521 CVE-2007-1583 CVE-2007-1700 CVE-2007-1718 CVE-2007-1824 CVE-2007-1887 CVE-2007-1888 CVE-2007-1900
I know, just waiting on upstream to release 5.2.2, which should be this week, I'll keep you updated. Best regards, CHTEKK.
*** Bug 177015 has been marked as a duplicate of this bug. ***
(In reply to comment #10)
> I know, just waiting on upstream to release 5.2.2, which should be this week,
> I'll keep you updated.
> Best regards, CHTEKK.
4.4.7/5.5.2 is out...
*** Bug 177016 has been marked as a duplicate of this bug. ***
*** Bug 177169 has been marked as a duplicate of this bug. ***
*** Bug 177201 has been marked as a duplicate of this bug. ***
PHP 4.4.7 is also released, so fix should be out.. ??
(In reply to comment #16)
> PHP 4.4.7 is also released, so fix should be out.. ??
Please, stop producing even more unproductive noise here.
Ebuilds for 4.4.7 and 5.2.2 are ready, I'm only waiting on Suhosin to update its patches, then they will go into the tree, so just be patient, thanks. ;) Best regards, CHTEKK.
@CHTEKK: http://www.hardened-php.net/suhosin/_media/suhosin-patch-5.2.2rc2-0.9.6.2.patch.gz applies cleanly to 5.2.2-release btw...
PHP 4.4.7 and PHP 5.2.2 are in the tree, with updated Suhosin support. Enjoy as always, best regards, CHTEKK.
Thx Luca. Arches please test and mark stable. Target keywords are:
php-4.4.7.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
php-5.2.2-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
It also appears to fix: CVE-2007-2509 CVE-2007-2510 CVE-2007-2511
ppc stable
sparc stable.
ia64 + x86 stable
Status in alpha:
- 4.4.7 has the same failing tests that were present in bug 153911. Marked stable.
- 5.2.1 presents some new failing tests:
--------------------
Bug #40236 (php -a function allocation eats memory) [Zend/tests/bug40236.phpt]
Bug #16069 [ext/iconv/tests/bug16069.phpt]
iconv stream filter [ext/iconv/tests/iconv_stream_filter.phpt]
touch() tests [ext/standard/tests/file/touch.phpt]
phpinfo() CGI [ext/standard/tests/general_functions/phpinfo2.phpt]
CLI long options [sapi/cli/tests/015.phpt]
--------------------
I expect the usual Lucca's OK to go for the stable keyword in php5.
Thanks.
(In reply to comment #26)
> Bug #40236 (php -a function allocation eats memory) [Zend/tests/bug40236.phpt]
> Bug #16069 [ext/iconv/tests/bug16069.phpt]
> iconv stream filter [ext/iconv/tests/iconv_stream_filter.phpt]
> touch() tests [ext/standard/tests/file/touch.phpt]
> phpinfo() CGI [ext/standard/tests/general_functions/phpinfo2.phpt]
> CLI long options [sapi/cli/tests/015.phpt]
The first one is the only real new one in 5.2.2, the 2 iconv tests fail since forever and the other three failures were always present in 5.2 series (at least on my x86/amd64 test boxes). php -a still works fine here, so I'd say 5.2.2 can be stabled safely.
Thanks and best regards, CHTEKK.
Failed tests in dev-lang/php5.2.2-r1 on HPPA (excluding all tests mentioned above):
easter_date() [ext/calendar/tests/easter_date.phpt]
unixtojd() [ext/calendar/tests/unixtojd.phpt]
Bug #36436 DBA problem with Berkeley DB4 [ext/dba/tests/bug36436.phpt]
DBA DB4 handler test [ext/dba/tests/dba_db4.phpt]
gmp_divexact() tests (OK to fail with GMP =< 4.2.1) [ext/gmp/tests/011.phpt]
IPv6 Loopback test [ext/sockets/tests/ipv6loop.phpt]
Generic pack()/unpack() tests [ext/standard/tests/strings/pack.phpt]
microtime() function [ext/standard/tests/time/001.phpt] (warn: system dependent)
libtidy handling of 'new-blocklevel-tags' [ext/tidy/tests/024.phpt]
Failed tests in dev-lang/php-4.4.7 on HPPA (excluding all tests mentioned above):
DBA DB4 handler test [ext/dba/tests/dba_db4.phpt]
microtime() function [ext/standard/tests/time/001.phpt] (warn: system dependent)
(In reply to comment #28)
> Failed tests in dev-lang/php5.2.2-r1 on HPPA (excluding all tests mentioned
> above):
>
> easter_date() [ext/calendar/tests/easter_date.phpt]
> unixtojd() [ext/calendar/tests/unixtojd.phpt]
Known to fail in 5.2 series.
> Bug #36436 DBA problem with Berkeley DB4 [ext/dba/tests/bug36436.phpt]
> DBA DB4 handler test [ext/dba/tests/dba_db4.phpt]
New ones, probably related to newer DB4's? Still, nothing to worry about.
> gmp_divexact() tests (OK to fail with GMP =< 4.2.1) [ext/gmp/tests/011.phpt]
There only is 4.2.1 in the tree, so this is expected to fail.
> IPv6 Loopback test [ext/sockets/tests/ipv6loop.phpt]
> Generic pack()/unpack() tests [ext/standard/tests/strings/pack.phpt]
> microtime() function [ext/standard/tests/time/001.phpt] (warn: system
> dependent)
System dependent, the IPv6 one I know to fail and iirc the pack stuff also changes depending on arch.
> libtidy handling of 'new-blocklevel-tags' [ext/tidy/tests/024.phpt]
Yup, because the libtidy version we have in the tree doesn't implement those tags, and the test fails.
(In reply to comment #29)
> Failed tests in dev-lang/php-4.4.7 on HPPA (excluding all tests mentioned
> above):
>
> DBA DB4 handler test [ext/dba/tests/dba_db4.phpt]
> microtime() function [ext/standard/tests/time/001.phpt] (warn: system
> dependent)
As above, probably related to BDB version, and the other is even warned to be system dependent.
All in all, I'd say you can stable both PHPs on HPPA too without worries.
Best regards and thanks, CHTEKK.
AMD64 done. Best regards, CHTEKK.
alpha stable. Thanks guys.
Both stable for HPPA.
ppc64 stable. sorry for being late.
Oh btw, it was GLSA 200705-19, sorry for being late.