Summary: | dev-lang/php <5.2.6-r2: safe_mode bypass, code execution, DoS (CVE-2008-2829) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christian Hoffmann (RETIRED) <hoffie> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | michal, php-bugs |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Christian Hoffmann (RETIRED)
2008-07-02 21:52:10 UTC
Security, feel free to do your thing and call for stabilization. I've not been able to create a test case for the c-client issue, and I just discovered there are at least two other places where similar overflows can occur (which are not addressed by the patch). So I'd suggest to use this as an intermediate solution, we're waiting on another fix anyway, so -r3 is going to happen in any case. Arches, please test and mark stable: =dev-lang/php-5.2.6-r2 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" ppc and ppc64 done amd64 stable, tested with mythweb, phpmyadmin, phpsysinfo, ampache... Hello, what about this: http://bugs.gentoo.org/230809 (In reply to comment #5) > what about this: http://bugs.gentoo.org/230809 It's not a regression (I just verified) and as such, it should not prevent a new version going stable for security reasons. BTW, I'm also assuming that it is related to libtool-2.2* and as such doesn't affect stable anyway. Use FEATURES=-stricter as a workaround. And let's keep the rest of this discussion in the relevant bug. :) x86 stable alpha/ia64/sparc stable I forgot to bump the dependency on c-client to 2006k in php-5.2.6-r2, I just committed the fixed *DEPEND. Keyword-wise this is no problem as all arches, which have -r2 stable also have the required c-client version stable. sh/arm/s390: You need to stabilize >=net-libs/c-client-2006k before stabling this version of php (or any later). hppa is fine, as far as I can see. Stable for HPPA. Removing the blocking bug as it is easily worked around by not setting FFLAGS. GLSA 200811-05, thanks everyone, especially hoffie. |