Bug 189968 - php-4.4.8_pre20070816 incorrectly flagged
Summary: php-4.4.8_pre20070816 incorrectly flagged
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: jaervosz
Reported: 2007-08-23 21:42 UTC by Kristian Poul Herkild
Modified: 2007-10-22 11:37 UTC (History)
CC List: 5 users

Runtime testing required: ---
Description Kristian Poul Herkild 2007-08-23 21:42:29 UTC
php-4.4.8_pre20070816 is flagged with four GLSAs:

200610-14 ( PHP: Integer overflow ) 
200608-28 ( PHP: Arbitrary code execution )
200703-21 ( PHP: Multiple vulnerabilities ) 
200705-19 ( PHP: Multiple vulnerabilities )

*Sigh* ... sorry for bringing this up :-/
Comment 1 Sheldon Hearn 2007-08-26 11:17:05 UTC
(In reply to comment #0)
> php-4.4.8_pre20070816 is flagged with four GLSAs:
> 
> 200610-14 ( PHP: Integer overflow ) 
> 200608-28 ( PHP: Arbitrary code execution )
> 200703-21 ( PHP: Multiple vulnerabilities ) 
> 200705-19 ( PHP: Multiple vulnerabilities )

These GLSAs really need to be fixed properly.  I'd suggest marking all of them not vulnerable for >=dev-lang/php-4.4.8 so this doesn't reoccur for every new minor version of PHP.
Comment 2 Sheldon Hearn 2007-08-26 11:20:44 UTC
(In reply to comment #1)
> These GLSAs really need to be fixed properly.  I'd suggest marking all of them
> not vulnerable for >=dev-lang/php-4.4.8 so this doesn't reoccur for every new
> minor version of PHP.

Ah, I see.  That would mark them invulnerable for all versions of 5 too. *sigh*

Guess the GLSAs will need to be fixed for every new point release in both slots. :-(
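To make the version-range problem in comments 1 and 2 concrete, here is an added example (not code from the bug, from glsa-check, or from any real GLSA). It implements a simplified Gentoo-style version comparison plus the GLSA range operators (lt/le/eq/ge/gt and the revision-only rlt/rle/rge/rgt forms), then evaluates three constructed advisory shapes against a few PHP versions. The advisory shapes, the evaluation rule ("flagged when some vulnerable range matches and no unaffected range does") and the optional per-range slot tag are this example's assumptions, not the GLSA format; the slot tag is only a model of the slot awareness comment 3 asks for.

```python
import re

# Gentoo orders version suffixes as _alpha < _beta < _pre < _rc < (no suffix) < _p,
# so 4.4.8_pre20070816 sorts BELOW 4.4.8 and is not covered by "ge 4.4.8".
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)

def parse_version(v):
    """Split a Gentoo-style version into (base, revision), both comparable.
    Simplified: at most one suffix, numeric components compared as integers."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError("unsupported version string: %r" % v)
    nums = tuple(int(x) for x in m.group("nums").split("."))
    base = (nums, m.group("letter") or "",
            SUFFIX_RANK[m.group("suffix")], int(m.group("sufnum") or 0))
    return base, int(m.group("rev") or 0)

def compare(a, b):
    """Three-way comparison (-1, 0, 1) of two versions, revision included."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)

def in_range(version, op, bound):
    """lt/le/eq/ge/gt compare whole versions. The r-prefixed forms match only a
    package whose base version (everything before -rN) equals the bound's, and
    then compare the revision; that is why a new point release such as 4.4.8
    falls outside an 'rge 4.4.7' range and needs the advisory updated."""
    if op.startswith("r"):
        (vbase, vrev), (bbase, brev) = parse_version(version), parse_version(bound)
        if vbase != bbase:
            return False
        c = (vrev > brev) - (vrev < brev)
        op = op[1:]
    else:
        c = compare(version, bound)
    return {"lt": c < 0, "le": c <= 0, "eq": c == 0, "ge": c >= 0, "gt": c > 0}[op]

def is_flagged(version, slot, vulnerable, unaffected):
    """Rule assumed here: a version is reported when it matches some vulnerable
    range and no unaffected range. Ranges are (op, bound) or (op, bound, slot);
    a range carrying a slot is only considered for packages installed in that
    slot (the slot field is this example's extension, not part of GLSA XML)."""
    def applies(rng):
        return len(rng) < 3 or rng[2] is None or rng[2] == slot
    if any(in_range(version, r[0], r[1]) for r in unaffected if applies(r)):
        return False
    return any(in_range(version, r[0], r[1]) for r in vulnerable if applies(r))

# Constructed advisory shapes modelled on the situation in this bug (not real GLSAs).
# 1. Per-point-release ranges: the new 4.4.8 snapshot matches nothing unaffected.
POINT_RELEASE = dict(vulnerable=[("lt", "5.2.3")],
                     unaffected=[("ge", "5.2.3"), ("rge", "4.4.7")])
# 2. The open-ended fix from comment 1: clears 4.4.8 and later, but also every 5.x.
OPEN_ENDED = dict(vulnerable=[("lt", "5.2.3")],
                  unaffected=[("ge", "4.4.8")])
# 3. Slot-aware variant: 4.x ranges tied to slot 4, 5.x ranges to slot 5.
SLOT_AWARE = dict(vulnerable=[("lt", "4.4.8_pre20070816", "4"), ("lt", "5.2.3", "5")],
                  unaffected=[("ge", "4.4.8_pre20070816", "4"), ("ge", "5.2.3", "5")])

def report(advisory, version, slot):
    return is_flagged(version, slot, advisory["vulnerable"], advisory["unaffected"])

if __name__ == "__main__":
    cases = [("4.4.7-r1", "4"), ("4.4.8_pre20070816", "4"), ("5.2.0", "5"), ("5.2.3", "5")]
    for name, adv in (("point-release", POINT_RELEASE), ("open-ended", OPEN_ENDED),
                      ("slot-aware", SLOT_AWARE)):
        for ver, slot in cases:
            state = "FLAGGED" if report(adv, ver, slot) else "ok"
            print("%-13s php-%-18s slot %s: %s" % (name, ver, slot, state))
```

Running it shows the three outcomes the thread describes: under the per-point-release shape 4.4.8_pre20070816 is flagged although 4.4.7-r1 is not; under the open-ended "ge 4.4.8" shape the snapshot is still flagged (a _pre version sorts below 4.4.8, which is why comment 5 asks for the specific 4.4.8_x versions) while a vulnerable 5.2.0 is wrongly cleared; and only the slot-aware shape gets all four versions right.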
Comment 3 Jonas Fietz 2007-09-07 06:50:13 UTC
What really needs to be done is making GLSAs in general slot aware, I guess. But right now, I can't really take them seriously any more because in 99% of the cases it was just a php-update where nobody updated the GLSAs. And that is a serious problem.
Comment 4 Arnaud Launay 2007-09-19 09:05:47 UTC
Anyhow, if someone could fix it by marking 4.4.8_pre not vulnerable, it would make the tweak at least for now...

Same problem for mysql -- except that there is no 4.1 version corrected yet...
Comment 5 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-09-24 18:12:21 UTC
we have had this issue in the past with other packages. please add the specific 4.4.8_x versions to the glsas. thanks.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2007-10-20 08:58:32 UTC
While the GLSAs do not describe php-4 issues only, it's still correct now. php-4 is supposed to be considered vulnerable, so I think this can be closed now.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-20 09:12:12 UTC
as explained on bug #189172, PHP-4 users are strongly advised to upgrade to PHP-5 anyway, so closing this one.
Comment 8 Honza 2007-10-21 21:50:49 UTC
Php 4 is supposed to be vulnerable to 200710-02, but not by 200610-14, 200608-28, 200703-21 and 200705-19. And upgrading to php-5 is not as simple, they're not compatible (but it's true Gentoo can't do little with it ... maybe ... what about using some patches backported by debian ? How much vulnerable are they ?).
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-10-22 11:37:09 UTC
(In reply to comment #8)
> And upgrading to php-5 is not as simple,
> they're not compatible (but it's true Gentoo can't do little with it ... maybe
> ... what about using some patches backported by debian ? How much vulnerable
> are they ?).

If you want to put the effort into that, try talking to the PHP team about maintaining PHP 4. You'd have to start by identifying for each of the issues covered by GLSA 200710-02 whether PHP 4 is affected and find/backport, verify and apply a patch for it.