| Field | Value |
|---|---|
| Summary | dev-php5/pecl-apc <=3.0.16 Usage of strcpy in apc.c can cause stack corruption with long filenames (CVE-2008-1488) |
| Product | Gentoo Security |
| Reporter | Hanno Böck <hanno> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | gentoobugs, php-bugs |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://pecl.php.net/bugs/bug.php?id=13415 |
| Whiteboard | C1 [glsa] |
| Runtime testing required | --- |

Description
Hanno Böck
2008-03-24 19:06:15 UTC
cve requested via http://thread.gmane.org/gmane.comp.security.oss.general/150

3.0.17 InCVS... archs, please stabilize

3.0.17 causes unreliably error 500 messages on my server, so probably needs further investigation.

back to [ebuild] then.

3.0.17 causes segmentation faults, see http://pecl.php.net/bugs/bug.php?id=13511

There is a 3.0.16 ebuild available at http://christian-seiler.de/temp/pecl-apc-3.0.16-CVE-overlay.tar.gz including a patch for CVE-2008-1488 that doesn't cause segmentation faults for me on amd64.

(In reply to comment #6)
> 3.0.17 causes segmentation faults, see
> http://pecl.php.net/bugs/bug.php?id=13511
>
> There is a 3.0.16 ebuild available at
> http://christian-seiler.de/temp/pecl-apc-3.0.16-CVE-overlay.tar.gz including a
> patch for CVE-2008-1488 that doesn't cause segmentation faults for me on amd64.

Jan, can you please simply attach the patch (and any non-trivial changes to the ebuild) on this bug? Thanks.

Created attachment 147546
pecl-apc-3.0.16-CVE-2008-1488.patch

(In reply to comment #7)
> Jan, can you please simply attach the patch (and any non-trivial changes to the
> ebuild) on this bug? Thanks.

Added pecl-apc-3.0.16-CVE-2008-1488.patch

The only addition to the ebuild is:

    epatch "${FILESDIR}"/${P}-CVE-2008-1488.patch

(In reply to comment #8)
> Created an attachment (id=147546)
> pecl-apc-3.0.16-CVE-2008-1488.patch

3.0.16-r1 committed with this patch; let's give it another try...

amd64/x86 stable

Upstream has released 3.0.18 which should fix the .17-problems.

sparc stable

ppc stable

request filed.

GLSA 200804-07, thanks.