Welcome to our monthly php security bug...
I'll be adding php-5.2.6-r6 in a minute, which contains several possibly security-relevant fixes:
#1 The patch for the recent pcre issue (bug 228091, CVE-2008-2371) has been
updated (it now uses the official patch from pcre upstream, instead of
the attached version to our bug).
As far as I can see, this does not introduce any security-relevant
#2 Specially crafted font files can lead to an overflow in ext/gd's
imageloadfont() function; this is at least a DoS issue which might even
allow for code execution; Pierre (gd maintainer) thinks it might well
be possible that the font file is user-supplied in certain webapps,
as such this could be a remote code execution vulnerability at worst.
#3 PHP (as cgi/fastcgi) crashes when accessing foo..php (double-dot);
probably just a crash issue, at worst this could be called DoS
#4 PHP's ext/xmlrpc's xmlrpc_server_register_introspection_callback
function crashes w/ invalid callbacks (local crash issue only)
#5 It was possible to circumvent safe_mode by using stream
wrappers in functions which did not expect any.
See bug 228369 for details (CVE-2008-2665, CVE-2008-2666)
#6 PHP's internal memnstr() function allowed for overflows. It is used by
the PHP function explode() (which is very common and often works on
user-supplied data). This at least allows for DoS and maybe even for
code execution (local or remote, depending on the webapp).
Some upstream developers seem to try to actively make this issue look
less critical.
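For readers who want to see what "memnstr() allowed for overflows" means in practice, here is an added example that is not PHP's source and not part of this bug report: a bounded substring search in the shape of memnstr(), driven by an explode()-style splitter, with the length check that such a search must make before it compares bytes. The function names (`bounded_memnstr`, `count_pieces`, `find_offset`) and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not PHP's own code: a bounded "find needle in haystack"
 * in the shape of memnstr(). The search is bounded by an explicit 'end'
 * pointer rather than a NUL terminator, so the subject and the delimiter
 * may contain arbitrary bytes, as explode()'s arguments can. */
static const char *bounded_memnstr(const char *haystack, const char *needle,
                                   size_t needle_len, const char *end)
{
    const char *p = haystack;
    const char *last;

    /* Refuse nonsensical input: an empty needle or a haystack past 'end'. */
    if (needle_len == 0 || haystack > end)
        return NULL;

    /* The check that matters: if the needle is longer than what is left
     * of the haystack, there can be no match. Without it the memcmp()
     * below would compare bytes beyond 'end'. */
    if (needle_len > (size_t)(end - haystack))
        return NULL;

    /* Last position at which a full needle still fits before 'end'. */
    last = end - needle_len;

    while (p <= last) {
        /* Jump to the next candidate first byte within the bounded window. */
        p = memchr(p, needle[0], (size_t)(last - p + 1));
        if (p == NULL)
            return NULL;
        if (memcmp(p, needle, needle_len) == 0)
            return p;
        p++;
    }
    return NULL;
}

/* Offset of the first match, or -1 if there is none. Wraps the search so
 * the result can be checked without comparing pointers to literals. */
static long find_offset(const char *subject, size_t subject_len,
                        const char *needle, size_t needle_len)
{
    const char *hit = bounded_memnstr(subject, needle, needle_len,
                                      subject + subject_len);
    return hit ? (long)(hit - subject) : -1L;
}

/* explode()-style split: count the pieces produced by splitting the
 * bounded subject on the delimiter. A delimiter longer than the subject
 * simply yields one piece instead of a read past the end. */
static size_t count_pieces(const char *subject, size_t subject_len,
                           const char *delim, size_t delim_len)
{
    const char *end = subject + subject_len;
    const char *p = subject;
    size_t pieces = 1;
    const char *hit;

    while ((hit = bounded_memnstr(p, delim, delim_len, end)) != NULL) {
        pieces++;
        p = hit + delim_len;   /* may land exactly on 'end'; search then stops */
    }
    return pieces;
}
```

The constructed inputs in the test below cover the two shapes a user-controlled delimiter can take: one that fits the subject and one that is longer than the remaining subject, which is exactly where a missing length check turns into an out-of-bounds read.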
Bleh, one of the patches introduces a strange segfault, which I am unable to track down quickly. This will have to wait for tomorrow then.
*** Bug 229287 has been marked as a duplicate of this bug. ***
#7 There was some memory corruption issue (would probably rather hard to
php-5.2.6-r6 is in the tree (the weird segfault I was referring to just happens in some edge cases and is not a regression, so this shouldn't prevent us from stabling this).
Issue #6 was previously tracked in bug 229287, btw.
Ready for stabilization from my side.
Arches, please test and stabilize:
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd
To do: alpha arm hppa ia64 ppc ppc64 s390 sh sparc x86
Please note that there have been two versions of php-5.2.6-r6 in the tree. Both install the very same files, but the first version did not build on some systems. In short: If you see a build problem related to "yyerror" symbols, cvs up first. ;)
x86 stable, amd64 was already done by hoffie.
Stable for HPPA.
CVE-2008-3658: #2 (gd issue)
CVE-2008-3659: #6 memnstr() overflow
CVE-2008-3660: #3 FastCGI-related "foo..php" crash
Debian classifies this as RCE (#2 and #6).
GLSA 200811-05, thanks everyone, especially hoffie.