Again, lots of crash fixes (think of DoS) and one security issue whose impact I don't know:

1. CVE-2008-0599 [1] (that's all the commit message says; it must be related to wrong logic when handling paths in CGI environments)

2. Crash in metaphone(), see upstream bug 44242 [2]. Looks like a buffer overflow, but only off-by-one, and there will simply be an ASCIIZ written after the end of the allocated space -- this should not allow for code execution, IMO, but I'm not exactly sure. This function might take user input in web apps, so it would be exploitable remotely.

3. Crash in filter extension when using callbacks. Not many details except for the commit [3]; doesn't look like a typical function which takes user input, so rather the problem of the developer and not a typical remote DoS problem.

4. Crash in PDO when using "wrong" prepared statements, upstream bug 44200 [4]. IMO this only happens when the code author already has wrong code, so not high priority either.

5. Crash in strftime() with large negative values, upstream bug 44216 [5]. Some web apps might take such time stamps as user input => remote DoS.

6. Crash when using syslog + USE=threads (ZTS), upstream bug 44152 [6]. Does not look like a controllable DoS and only seems to affect some very specific setups.

7. Crash in PDO by passing invalid args to setAttribute, upstream bug 44159 [7]. I don't think one is supposed to pass user input to this function => not a remote DoS problem.

8. Crash in MySQLi extension [8], no clue about circumstances / other impacts.

Our snapshot (5.2.5_p*) *is* vulnerable to these problems; 5.2.6_rc1 (which I committed some hours ago) has all the fixes. As always, blame upstream, don't blame me for the amount of possible security problems.
=)

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
[2] http://bugs.php.net/bug.php?id=44242
[3] http://cvs.php.net/viewvc.cgi/php-src/ext/filter/filter.c?r1=1.52.2.41&r2=1.52.2.42&diff_format=u
[4] http://bugs.php.net/bug.php?id=44200
[5] http://bugs.php.net/bug.php?id=44216
[6] http://bugs.php.net/bug.php?id=44152
[7] http://bugs.php.net/bug.php?id=44159
[8] http://cvs.php.net/viewvc.cgi/php-src/ext/mysqli/mysqli.c?r1=1.72.2.16.2.23&r2=1.72.2.16.2.24&diff_format=u
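Editor's added example, not part of the comment above and not PHP's metaphone() source: it illustrates the bug class described in item 2 (an output buffer sized without room for the terminating NUL, so the string terminator lands one byte past the allocation) and the bounds check that turns that off-by-one into an error instead of an out-of-bounds write. The encoder is an assumed toy stand-in (uppercase ASCII letters, drop everything else, collapse repeated letters), chosen only because, like a phonetic code, its output is never longer than its input; the function names are hypothetical.

```c
/* Added example: off-by-one NUL write from an output size that forgot
 * the terminator, beside a bounds-checked writer that refuses it.
 * The encoder is a toy stand-in (assumption), not PHP's metaphone(). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size a caller computes when it forgets the terminator: one byte per
 * input character. The encoder never emits more letters than it reads,
 * so this looks sufficient, but it leaves no room for the '\0'. */
size_t buggy_out_size(const char *in) { return strlen(in); }

/* Correct size: worst-case output length plus one for the terminator. */
size_t safe_out_size(const char *in) { return strlen(in) + 1; }

/* Encode `in` into `out`, which holds `cap` bytes. Returns the number of
 * code letters written, or -1 if the letters plus the terminator would
 * not fit. Every store is checked against `cap`, so an undersized buffer
 * produces an error rather than a one-byte overflow. */
int encode_checked(const char *in, char *out, size_t cap) {
    size_t n = 0;
    int last = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (!isalpha(*p)) continue;          /* drop non-letters */
        int c = toupper(*p);
        if (c == last) continue;             /* collapse runs: "LL" -> "L" */
        if (n + 1 >= cap) return -1;         /* keep index n+1 free for '\0' */
        out[n++] = (char)c;
        last = c;
    }
    if (n >= cap) return -1;                 /* cap == 0: nowhere for '\0' */
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[16];
    /* Constructed inputs. "Hello" has a collapsed run, so the undersized
     * buffer happens to work; "Thomas" keeps every letter and exposes the
     * missing byte. That is why such bugs surface only on some inputs. */
    const char *inputs[] = { "Hello", "Thomas" };
    for (size_t i = 0; i < 2; i++) {
        int b = encode_checked(inputs[i], buf, buggy_out_size(inputs[i]));
        printf("%-7s buggy size %zu -> %d\n", inputs[i],
               buggy_out_size(inputs[i]), b);
        int s = encode_checked(inputs[i], buf, safe_out_size(inputs[i]));
        printf("%-7s safe size  %zu -> %d (%s)\n", inputs[i],
               safe_out_size(inputs[i]), s, buf);
    }
    return 0;
}
```

The point of the check is the `n + 1 >= cap` condition: the writer reserves the terminator's slot before storing each letter, so the caller's size mistake is reported rather than silently written past the end of the buffer.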
/me blames upstream.

Arches, please test and mark stable: =dev-lang/php-5.2.6_rc1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
x86 stable
Stable for HPPA.
alpha/ia64/sparc stable
ppc64 stable
Sorry for the dance again, but a new php revbump fixes regressions, see ChangeLog.

Arches, please test and mark stable: =dev-lang/php-5.2.6_rc1-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
ppc64 done
Stable for HPPA.

=====================================================================
TEST RESULT SUMMARY
---------------------------------------------------------------------
Exts skipped    :   31
Exts tested     :   48
---------------------------------------------------------------------

Number of tests : 5452              3958
Tests skipped   : 1494 ( 27.4%) --------
Tests warned    :    1 (  0.0%) (  0.0%)
Tests failed    :   84 (  1.5%) (  2.1%)
Tests passed    : 3873 ( 71.0%) ( 97.9%)
---------------------------------------------------------------------
Time taken      : 5056 seconds
=====================================================================
amd64 stable.
ppc stable
Fixed in release snapshot.
Name: CVE-2008-0599 cgi_main.c in PHP before 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors.
GLSA 200811-05, thanks everyone, especially hoffie.