Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 266125 (CVE-2009-1271) - <dev-lang/php-5.2.8-r2: multiple vulnerabilities (CVE-2009-1271 and others)
Summary: <dev-lang/php-5.2.8-r2: multiple vulnerabilities (CVE-2009-1271 and others)
Status: RESOLVED FIXED
Alias: CVE-2009-1271
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-14 16:41 UTC by Christian Hoffmann (RETIRED)
Modified: 2010-01-05 21:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2009-04-14 16:41:54 UTC
Looks like I've failed and have never filed a bug for the security-relevant fixes which have been introduced in php-5.2.8-r2.
So here we go:

#1 015_json_decode-crash.patch (CVE-2009-1271)
   Further references: [1] [2]
   Impact: Local DoS (persistent php setups)
#2 016_extract-crash.patch (crash in PHP's explode() function)
   Further references: [3] [4] [5]
   Impact: Local DoS (persistent php setups)

Those have been fixed since 5.2.8-r2, which is already stable on all arches. So nothing to do here, just archiving purposes.

[1] http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15&diff_format=u
[2] http://cvs.php.net/viewvc.cgi/php-src/ext/json/tests/001.phpt?r1=1.1.2.4&r2=1.1.2.5&diff_format=u
[3] http://bugs.php.net/bug.php?id=46873
[4] http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/array/bug46873.phpt?view=markup&revision=1.1
[5] http://cvs.php.net/viewvc.cgi/php-src/ext/standard/array.c?r1=1.308.2.21.2.61&r2=1.308.2.21.2.62&diff_format=u
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-04 06:53:04 UTC
We already have a request for bug 249875 in, so YES.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:13:52 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.