Welcome to our monthly php security bug... I'll be adding php-5.2.6-r6 in a minute, which contains several possibly security-relevant fixes: #1 The patch for the recent pcre issue (bug 228091, CVE-2008-2371) has been updated (it now uses the official patch from pcre upstream, instead of the attached version to our bug). As far as I can see, this does not introduce any security-relevant improvements. #2 Specially crafted font fails can lead to an overflow in ext/gd's imageloadfont() function; this is at least a DoS issue which might even allow for code execution; Pierre (gd maintainer) thinks it might well be possible that the font file is user-supplied in certain webapps, as such this could be a remote code execution vulnerability at worst. #3 PHP (as cgi/fastcgi) crashes when accessing foo..php (double-dot); probably just a crash issue, at worst this could be called DoS #4 PHP's ext/xmlrpc's xmlrpc_server_register_introspection_callback function crashes w/ invalid callbacks (local crash issue only) #5 It was possible to circumvent safe_mode by using stream wrappers in functions which did not expect any. See bug 228369 for details (CVE-2008-2665, CVE-2008-2666) #6 PHP's internal memnstr() function allowed for overflows. It is used by the PHP function explode() (which is very common and often works on user-supplied data). This at least allows for DoS and maybe even for code execution (local or remote, depending on the webapp). Some upstream developers seem to try to actively make this issue look less critical [1]. [1] http://news.php.net/php.cvs/52039
Bleh, one of the patches introduces a strange segfault, which I am unable to track down quickly. This will have to wait for tomorrow then.
*** Bug 229287 has been marked as a duplicate of this bug. ***
#7 There was some memory corruption issue (would probably rather hard to exploit) See http://bugs.php.net/bug.php?id=45178 http://bugs.php.net/bug.php?id=33595 php-5.2.6-r6 is in the tree (the weird segfault I was referring to just happens in some edge cases and is not a regression, so this shouldn't prevent us from stabling this). Issue #6 was previously tracked in bug 229287, btw. Ready for stablization from my side.
Arches, please test and stabilize: =dev-lang/php-5.2.6-r6 Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd To do: alpha arm hppa ia64 ppc ppc64 s390 sh sparc x86 Please note that there have been two versions of php-5.2.6-r6 in the tree. Both install the very same files, but the first version did not build on some systems. In short: If you see a build problem related to "yyerror" symbols, cvs up first. ;)
ppc64 stable
x86 stable, amd64 was already done by hoffie.
Stable for HPPA.
alpha/ia64/sparc stable
ppc stable
CVE-2008-3658: #2 (gd issue) CVE-2008-3659: #6 memnstr() overflow CVE-2008-3660: #3 FastCGI-related "foo..php" crash
Debian classifies this as RCE (#2 and #6). http://www.debian.org/security/2008/dsa-1647
GLSA 200811-05, thanks everyone, especially hoffie.
