Stefan Esser has discovered various serious security issues in php (see link).
Updates to 4.3.10 and 5.0.3 with fixes are available.
After a quick test, it seems that just copying the php-5.0.2-r1.ebuild and mod_php-5.0.2.ebuild to 5.0.3 works.
*** This bug has been marked as a duplicate of 72735 ***
Reopening to handle stable marking.
Arches please mark 4.3.10 stable.
stable on ppc
*** Bug 74600 has been marked as a duplicate of this bug. ***
stable on ppc64
stable on amd64.
Please make sure that you test & mark the following packages:
PHP 5.0.2 wasn't marked stable, so we don't need (and shouldn't be!) marking PHP-5.0.3 as stable.
There are more fixed than just what was reported in Stefan's advisory :
CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions.
CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code.
CAN-2004-1020 - addslashes() not escaping \0 correctly.
CAN-2004-1063 - safe_mode execution directory bypass.
CAN-2004-1064 - arbitrary file access through path truncation.
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
magic_quotes_gpc could lead to one level directory traversal with file uploads.
Created attachment 46114 [details]
4.3.10 doesn't build on my sparc
I'm getting the same (broken) results as Joker for my ultra.
Could you please trace the errors in the zend .c file that is referenced in your errors there.
(php|php-cgi)-4.3.10 built on two i386 machines FYI
Just had to fiddle with java and LDPATHs
Sparc: please see bug #74627
I don't know why it didn't catch PPC.
Probably because ppc is including stdint.h, linux/types.h or bits/types.h somewhere else which sparc isn't.
I'm currently building fixed ebuilds for sparc, be back soon.
php-4.3.10, mod_php-4.3.10 & php-cgi-4.3.10 sparc stable with the fix. It's just applied for sparc since i won't have access to a ppc box until tomorrow and it seems it's required and/or could break them.
BTW, ppc forgot about php-cgi.
SeJo you forget to mark mod_php stable. See comment #9
Thx Micheal, please remember to remove CC:-)
hppa, ia64, mips, s390 : please mark stable to benefit from GLSA.
Already stable on hppa