Bug#511493: marked as done (CVE-2008-5557: buffer overflow)
Your message dated Sat, 28 Feb 2009 20:40:27 +0100 with message-id 20090228194027.ga15...@rangda.stickybit.se and subject line fixed in previous version but not recorded has caused the Debian Bug report #511493, regarding CVE-2008-5557: buffer overflow to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 511493: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511493 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: php5 Severity: grave Tags: security, patch Justification: user security hole Hi, the following CVE (Common Vulnerabilities Exposures) id was published for php5. CVE-2008-5557[0]: | Heap-based buffer overflow in | ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring | extension in PHP 4.3.0 through 5.2.6 allows context-dependent | attackers to execute arbitrary code via a crafted string containing an | HTML entity, which is not properly handled during Unicode conversion, | related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) | mb_convert_variables, and (4) mb_parse_str functions. There are some more information available in the php bugreport[1], including the PoC which seems to work. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557 http://security-tracker.debian.net/tracker/CVE-2008-5557 [1] http://bugs.php.net/bug.php?id=45722 ---End Message--- ---BeginMessage--- Version: 5.2.6.dfsg.1-1+lenny1 The following bugs are fixed in lenny, but were not recorded as such because there was an unreleased version in between uploads which was not automatically processed for Closes: lines. signature.asc Description: Digital signature ---End Message---
Bug#511493: marked as done (CVE-2008-5557: buffer overflow)
Your message dated Tue, 13 Jan 2009 22:21:41 +0100 with message-id 20090113212141.gb29...@rangda.stickybit.se and subject line Re: [php-maint] Bug#511493: CVE-2008-5557: buffer overflow has caused the Debian Bug report #511493, regarding CVE-2008-5557: buffer overflow to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 511493: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511493 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: php5 Severity: grave Tags: security, patch Justification: user security hole Hi, the following CVE (Common Vulnerabilities Exposures) id was published for php5. CVE-2008-5557[0]: | Heap-based buffer overflow in | ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring | extension in PHP 4.3.0 through 5.2.6 allows context-dependent | attackers to execute arbitrary code via a crafted string containing an | HTML entity, which is not properly handled during Unicode conversion, | related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) | mb_convert_variables, and (4) mb_parse_str functions. There are some more information available in the php bugreport[1], including the PoC which seems to work. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557 http://security-tracker.debian.net/tracker/CVE-2008-5557 [1] http://bugs.php.net/bug.php?id=45722 ---End Message--- ---BeginMessage--- Version: 5.2.6.dfsg.1-2 fixed in unstable. an upload was skipped so closing manually. sean signature.asc Description: Digital signature ---End Message---