CVE-2011-2202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2202): The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."
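The engine-side fix lives in main/rfc1867.c, but the client-supplied filename in a multipart/form-data request remains attacker data even on a patched PHP. The following is an added example, not code from this bug report or from PHP's own fix, of an application-side upload handler that discards any path component of that name and stores the file under a server-generated name. It assumes `$uploadDir` is an existing directory outside the web root and that `$file` is one entry of `$_FILES`; `safe_upload_name()` and `store_upload()` are names chosen here for illustration.

```php
<?php
// Added example (not from the bug report or PHP's own fix): an application-side
// upload handler that never trusts the client-supplied filename taken from the
// multipart/form-data request. The engine fix for CVE-2011-2202 restricts what
// reaches $_FILES['name']; this code assumes nothing about it and sanitises anyway.

declare(strict_types=1);

/**
 * Reduce a client-supplied filename to a safe, path-free base name.
 * Returns null when nothing usable survives.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory component, whether POSIX or Windows style, so that
    // "../../etc/passwd" or "C:\Windows\win.ini" become a bare file name.
    $name = str_replace('\\', '/', $clientName);
    $name = basename($name);

    // Keep a conservative character set; collapse anything else to '_'.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // Refuse names that are empty or consist only of dots ("." or "..").
    if ($name === null || $name === '' || preg_match('/^\.+$/', $name)) {
        return null;
    }
    return $name;
}

/**
 * Store an uploaded file under a server-chosen name inside a fixed directory.
 * $file is one entry of $_FILES; $uploadDir is an existing directory outside
 * the web root (hypothetical deployment assumption for this example).
 */
function store_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $base = safe_upload_name((string) $file['name']);
    if ($base === null) {
        return null;
    }
    // The sanitised name is only a suffix; the prefix is random and generated
    // server-side, so clients cannot choose the final path or overwrite each other.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(8)) . '_' . $base;

    // move_uploaded_file() refuses any source that is not a genuine upload of this request.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

// Self-check of the sanitiser against constructed, attacker-style names
// (no real upload is needed to run this part).
$samples = [
    '/etc/passwd'          => 'passwd',
    '../../../tmp/x.php'   => 'x.php',
    'C:\\Windows\\win.ini' => 'win.ini',
    'my file (1).pdf'      => 'my_file__1_.pdf',
    '..'                   => null,
];
foreach ($samples as $input => $expected) {
    $got = safe_upload_name($input);
    printf("%-26s => %s\n", json_encode($input), var_export($got, true));
    assert($got === $expected);
}
```

The design point is that the client name is used at most as a cosmetic suffix: the directory is fixed by the server, the prefix is random, and `move_uploaded_file()` guarantees the source is the temporary file PHP itself created for this request, so neither an absolute path nor a `..` sequence in the multipart header can steer the write.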
5.3.7 fixes a whole number of security issues. Also interesting: Seems we can get suhosin back for 5.3.7: http://twitter.com/#!/i0n1c/status/104194056384552960
(In reply to comment #1)
> 5.3.7 fixes a whole number of security issues. Also interesting: Seems we can
> get suhosin back for 5.3.7:
> http://twitter.com/#!/i0n1c/status/104194056384552960

Yep. An update to the suhosin patch was released. I am not going to release 5.3.7 because of the crypt() breakage, but rather wait for 5.3.7pl1, 5.3.8 or whatever they end up calling it. I expect it should be released shortly.
5.3.8 is released and can be stabilised.
You also need to stabilise dev-db/sqlite-3.7.7.1

Also note related bug 38026.

This version includes suhosin, which may make some security people happy.
(In reply to comment #3)
> 5.3.8 is released and can be stabilised.
> You also need to stabilise dev-db/sqlite-3.7.7.1
>
> Also note related bug 38026.
>
> This version includes suhosin, which may make some security people happy.

Great, thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Sorry for the bugspam. The correct target list is:

Arches, please test and mark stable:
=dev-lang/php-5.3.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
=dev-db/sqlite-3.7.7.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Thanks, ago, for keeping me honest.
(In reply to comment #3)
> Also note related bug 38026.

Probably not the bug you wanted to mention.
(In reply to comment #6)
> (In reply to comment #3)
> > Also note related bug 38026.
>
> Probably not the bug you wanted to mention.

Quite. Seems like I missed a bit. I was aiming for bug 380261. Sorry about that.
Stable for HPPA.
amd64 ok
ppc/ppc64 stable
x86 done. Thanks
amd64 done. Thanks Agostino
arm stable
CVE-2011-3268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3268): Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.

CVE-2011-3267 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3267): PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors.

CVE-2011-3182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3182): PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.
alpha/ia64/s390/sh/sparc stable
All arches done. Please add GLSA request.
Thanks, folks. Added to existing GLSA request.
CVE-2011-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483): crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
This issue was resolved and addressed in GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml by GLSA coordinator Tobias Heinlein (keytoaster).