Summary: | Multiple Vulnerabilities in PHP (CAN-2004-1018, CAN-2004-1019, CAN-2004-1063, CAN-2004-1064) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | critical | CC: | christian.korff, cycloon, php-bugs | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
URL: | http://www.hardened-php.net/advisories/012004.txt | ||||||
Whiteboard: | A1 [glsa] jaervosz | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | 74627 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Hanno Böck
2004-12-15 13:11:10 UTC
After a quick test, it seems that just copying the php-5.0.2-r1.ebuild and mod_php-5.0.2.ebuild to 5.0.3 works. *** This bug has been marked as a duplicate of 72735 *** Reopening to handle stable marking. Arches please mark 4.3.10 stable. stable on ppc *** Bug 74600 has been marked as a duplicate of this bug. *** stable on ppc64 stable on amd64. Please make sure that you test & mark the following packages: * dev-php/php-4.3.10 * dev-php/mod_php-4.3.10 * dev-php/php-cgi-4.3.10 PHP 5.0.2 wasn't marked stable, so we don't need (and shouldn't be!) marking PHP-5.0.3 as stable. Best regards, Stu There are more fixed than just what was reported in Stefan's advisory : See http://www.php.net/release_4_3_10.php --------------------- CAN-2004-1018 - shmop_write() out of bounds memory write access. CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions. CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code. CAN-2004-1020 - addslashes() not escaping \0 correctly. CAN-2004-1063 - safe_mode execution directory bypass. CAN-2004-1064 - arbitrary file access through path truncation. CAN-2004-1065 - exif_read_data() overflow on long sectionname. magic_quotes_gpc could lead to one level directory traversal with file uploads. --------------------- Created attachment 46114 [details]
build log
4.3.10 doesn't build on my sparc
I'm getting the same (broken) results as Joker for my ultra. Could you please trace the errors in the zend .c file that is referenced in your errors there. (php|php-cgi)-4.3.10 built on two i386 machines FYI Just had to fiddle with java and LDPATHs Sparc: please see bug #74627 I don't know why it didn't catch PPC. Probably because ppc is including stdint.h, linux/types.h or bits/types.h somewhere else which sparc isn't. I'm currently building fixed ebuilds for sparc, be back soon. php-4.3.10, mod_php-4.3.10 & php-cgi-4.3.10 sparc stable with the fix. It's just applied for sparc since i won't have access to a ppc box until tomorrow and it seems it's required and/or could break them. BTW, ppc forgot about php-cgi. Alpha stable. SeJo you forget to mark mod_php stable. See comment #9 ppc done. Thx Micheal, please remember to remove CC:-) GLSA 200412-14 hppa, ia64, mips, s390 : please mark stable to benefit from GLSA. Mips Stable. Already stable on hppa |