Bug#: 74547
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Hanno Boeck <hanno@gentoo.org>

Attachments:
Filename Description Type Creator Created Size
php-cgi-4.3.10-sparc-build.log build log text/plain Christian Birchinger 2004-12-16 04:32 0000 21.01 KB

Bug 74547 depends on: 74627



Description:   Opened: 2004-12-15 13:11 0000
Stefan Esser has discovered various serious security issues in php (see link).
Updates to 4.3.10 and 5.0.3 with fixes are available.

------- Comment #1 From Hanno Boeck 2004-12-15 14:06:58 0000 -------
After a quick test, it seems that just copying the php-5.0.2-r1.ebuild and
mod_php-5.0.2.ebuild to 5.0.3 works.

------- Comment #2 From Rajiv Aaron Manglani 2004-12-15 15:26:16 0000 -------

*** This bug has been marked as a duplicate of 72735 ***

------- Comment #3 From Sune Kloppenborg Jeppesen 2004-12-15 22:55:17 0000 -------
Reopening to handle stable marking. 

------- Comment #4 From Sune Kloppenborg Jeppesen 2004-12-15 22:58:55 0000 -------
Arches please mark 4.3.10 stable.


------- Comment #5 From Jochen Maes (RETIRED) 2004-12-16 00:24:17 0000 -------
stable on ppc

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-12-16 01:28:42 0000 -------
*** Bug 74600 has been marked as a duplicate of this bug. ***

------- Comment #7 From Markus Rothe 2004-12-16 02:19:17 0000 -------
stable on ppc64

------- Comment #8 From Dylan Carlson (RETIRED) 2004-12-16 02:40:10 0000 -------
stable on amd64.

------- Comment #9 From Stuart Herbert (RETIRED) 2004-12-16 02:46:16 0000 -------
Please make sure that you test & mark the following packages:

* dev-php/php-4.3.10
* dev-php/mod_php-4.3.10
* dev-php/php-cgi-4.3.10

PHP 5.0.2 wasn't marked stable, so we don't need (and shouldn't be!) marking PHP-5.0.3 as stable.

Best regards,
Stu

------- Comment #10 From Thierry Carrez (RETIRED) 2004-12-16 03:23:36 0000 -------
There are more fixes than just what was reported in Stefan's advisory:
See http://www.php.net/release_4_3_10.php

---------------------
CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions.
CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code.
CAN-2004-1020 - addslashes() not escaping \0 correctly.
CAN-2004-1063 - safe_mode execution directory bypass.
CAN-2004-1064 - arbitrary file access through path truncation.
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
magic_quotes_gpc could lead to one level directory traversal with file uploads.
---------------------

------- Comment #11 From Christian Birchinger 2004-12-16 04:32:17 0000 -------
Created an attachment (id=46114) [details]
build log

4.3.10 doesn't build on my sparc

------- Comment #12 From Gustavo Zacarias (RETIRED) 2004-12-16 05:53:22 0000 -------
I'm getting the same (broken) results as Joker for my ultra.

------- Comment #13 From Robin Johnson 2004-12-16 06:11:17 0000 -------
Could you please trace the errors in the zend .c file that is referenced in
your errors there.

------- Comment #14 From Christian Gut 2004-12-16 08:17:12 0000 -------
(php|php-cgi)-4.3.10 built on two i386 machines FYI

Just had to fiddle with java and LDPATHs

------- Comment #15 From Robin Johnson 2004-12-16 10:31:15 0000 -------
Sparc: please see bug #74627 
I don't know why it didn't catch PPC.

------- Comment #16 From Gustavo Zacarias (RETIRED) 2004-12-16 10:41:48 0000 -------
Probably because ppc is including stdint.h, linux/types.h or bits/types.h
somewhere else which sparc isn't.
I'm currently building fixed ebuilds for sparc, be back soon.

------- Comment #17 From Gustavo Zacarias (RETIRED) 2004-12-16 18:36:30 0000 -------
php-4.3.10, mod_php-4.3.10 & php-cgi-4.3.10 sparc stable with the fix. It's
just applied for sparc since I won't have access to a ppc box until tomorrow
and it seems it's required and/or could break them.
BTW, ppc forgot about php-cgi.

------- Comment #18 From Bryan Østergaard (RETIRED) 2004-12-17 02:47:56 0000 -------
Alpha stable.

------- Comment #19 From Sune Kloppenborg Jeppesen 2004-12-18 03:13:14 0000 -------
SeJo, you forgot to mark mod_php stable. See comment #9

------- Comment #20 From Michael Hanselmann (hansmi) (RETIRED) 2004-12-18 04:23:12 0000 -------
ppc done.

------- Comment #21 From Sune Kloppenborg Jeppesen 2004-12-18 04:46:50 0000 -------
Thx Michael, please remember to remove CC:-)

------- Comment #22 From Thierry Carrez (RETIRED) 2004-12-19 06:01:23 0000 -------
GLSA 200412-14
hppa, ia64, mips, s390 : please mark stable to benefit from GLSA.

------- Comment #23 From Hardave Riar (RETIRED) 2005-02-21 13:37:26 0000 -------
Mips Stable.

------- Comment #24 From René Nussbaumer 2005-06-26 05:12:58 0000 -------
Already stable on hppa
