The commit at $URL reportedly fixes an integer overflow.
PHP 5.3.6 has been released now, which fixes this issue. However the suhosin patch does not work for this release yet (the suhosin extension does, though). Do you want to do security stabilisation for 5.3.6 or wait for the revbump with suhosin support?
(In reply to comment #1) > PHP 5.3.6 has been released now, which fixes this issue. However the suhosin > patch does not work for this release yet (the suhosin extension does, though). > Do you want to do security stabilisation for 5.3.6 or wait for the revbump with > suhosin support? I am ok waiting if it is not too long, say less than one or two weeks. What do you think? Thanks.
Security Enhancements and Fixes in PHP 5.3.6: * Enforce security in the fastcgi protocol parsing with fpm SAPI. * Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153) * Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092) * Fixed bug #54055 (buffer overrun with high values for precision ini setting). * Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708) * Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)
*** Bug 354875 has been marked as a duplicate of this bug. ***
For the record, Suhosin does patch some local security issues, and some edge-cases concerning bad coding practice, but I do not consider suhosin to be essential concerning PHP security. At least compared to the security issues resolved by PHP 5.3.6. The PHP team also rejects the suhosin patch, if that matters. That being said, I do not mind waiting a few weeks extra for the suhosin patch to be updated and I do believe that end-users expect suhosin to be supported by a security-stabled PHP version. Normally the patch is updated within a few weeks, but as always, there is no guarantee, and as far as I know, no official sources contributing any information about the progress.
Suhosin has yet to do a new release and I have not seen any ETA for the patch. I think we need to do stabilisation now. Once again, the PHP devs do not consider suhosin a security enhancement and I only wanted to wait because many users expect suhosin support. So what do you think? Can we move ahead and request stabilisation?
(In reply to comment #6) > > So what do you think? Can we move ahead and request stabilisation? Works for me. Thank you. Arches, please test and mark stable: =dev-lang/php-5.3.6 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Created attachment 267915 [details] Build log Fails econf
(In reply to comment #8) > Created attachment 267915 [details] > Build log > > Fails econf Can you create a bug with all the usual info? Particularly `emerge --info php' Thanks.
(In reply to comment #9) > Can you create a bug with all the usual info? Particularly `emerge --info php' > > Thanks. done, bug 361445 ;)
ppc/ppc64 stable
Stable for HPPA.
x86 stable
amd64 done, thanks Agostino
Tested OK on SPARC, tested by browsing phpsysinfo. Looks good, could stabilise.
arm stable
alpha/ia64/s390/sh/sparc stable
Thanks, everyone. Added to existing GLSA request.
CVE-2011-1471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1471): Integer signedness error in zip_stream.c in the Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (CPU consumption) via a malformed archive file that triggers errors in zip_fread function calls. CVE-2011-1470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1470): The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a ziparchive stream that is not properly handled by the stream_get_contents function. CVE-2011-1469 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1469): Unspecified vulnerability in the Streams component in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) by accessing an ftp:// URL during use of an HTTP proxy with the FTP wrapper. CVE-2011-1468 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1468): Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might allow remote attackers to cause a denial of service (memory consumption) via (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to the openssl_decrypt function. CVE-2011-1467 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1467): Unspecified vulnerability in the NumberFormatter::setSymbol (aka numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument, a related issue to CVE-2010-4409. CVE-2011-1466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1466): Integer overflow in the SdnToJulian function in the Calendar extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a large integer in the first argument to the cal_from_jd function. CVE-2011-1464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1464): Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service (application crash) via a small numerical value in the argument. CVE-2011-1153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1153): Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call. CVE-2011-1092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1092): Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function. CVE-2011-0708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0708): exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read. CVE-2011-0421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0421): The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.
This issue was resolved and addressed in GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml by GLSA coordinator Tobias Heinlein (keytoaster).