I committed php-5.2.5-r1 to the tree two days ago. It fixes the following security issues:
1. stream_wrapper_register() crashes with long strings passed as second argument, also affects a lot more functions (all functions in PHP which take a class name; basically any code path which uses do_alloca()), for example: is_subclass_of(), get_class_vars(), class_exists(), property_exists(), get_class_methods() and probably many more; (CVE-2007-6039)
2. xmlrpc_server_call_method() crash
3. multiple getopt() crashes
4. phpbug #43092 (curl_copy_handle() crashes with > 32 chars long URL)
5. Fixed bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid PHP expression and 'e' option is used)
6. phpbug #42978 pdo_pgsql bound param mismatch crash
7. phpbug #43377 DateTimeZone invalid arg crash
8. phpbug #43386 uninitialized array_globals (unverified possible crash)
9. uninitialized sapi_headers.mimetype (unverified possible crash)
10. phpbug #43495 array_merge_recursive() crash
All of them are (possible) crash bugs and there is no statement on whether it is possible to (locally) execute code. Some upstream dev at least suspected issue #1 to be exploitable to run arbitrary code. php-5.2.5-r1 is ready to be stabled, in my opinion (no bugs, test suite shows no regressions, running just fine on two systems of mine).
Rating A4 as local crash issues are not subject to the Vulnerability Policy. Stabling as a precautionary measure for issue (1). Arches, please test and mark stable dev-lang/php-5.2.5-r1. Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable, though I'm not sure about the src_unpack() code. php: Can you double check it please?
cla, I don't see any problems with src_unpack. Although I'm working on improving the ebuild itself, it hasn't changed at all between 5.2.5 and 5.2.5-r1 (except patchset revision and suhosin), so not sure what you want me to verify or check. Removing arm/s390/sh from CC as they already stabled it.
alpha/ia64/sparc stable
Stable for HPPA.
ppc and ppc64 stable
on amd64: the src_unpack() stuff is slightly disturbing to see (warning from aclocal flying by). Other than that it compiles and installs just fine. Phpmyadmin still works, as does mythweb. Please stable.
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.17-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.17-gentoo-r8 x86_64 AMD Turion(tm) 64 Mobile Technology MT-37
Timestamp of tree: Sat, 15 Dec 2007 01:47:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.utf-8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 apache apache2 bash-completion berkdb cli contrarius cracklib cran crypt cups dhcp gd glsa gpm iconv inquisitio logrotate midi mmx mpeg2 mudflap mysql mysqli mythtv ncurses nfs nls nptl nptlonly openmp pcre perl php portage python qa readline reflection ruby session spl sse sse2 ssl tcpd unicode ups usb v4l v4l2 vfat vim-syntax zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="via"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Stable on amd64, thanks gentoofan23
I tend to vote NO.
I vote no - unless someone comes up with something more than vague suspicions.
Reverting to full NO and closing.
Does not affect current (2008.0) release. Removing release.