On Fri, Feb 14, 2014 at 11:53 PM, Salvatore Bonaccorso <car...@debian.org> wrote:
> I clone this bugreport, as php5 embedding a modified copy of libmagic
> would also be affected by CVE-2014-1943.
>

Thanks.

I've looked at the build logs; it does seem like the fileinfo extension uses the internal libmagic during build (verified upstream forced this since PHP 5.3.0 at http://git.php.net/?p=php-src.git;a=commitdiff;h=ccc012d3f656236c29c075a9e5dfbe850e00915b ).

But I'm still not sure why we have a libmagic-dev build-dep and a hard-coded dependency on libmagic1 for the various SAPIs. But that's a side note...

The question is: do we want to patch this ourselves, or wait for PHP to provide the fix based on the linked commits? I guess the latter would be best, unless it will take them too much time.

Kaplan