[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Bug Watch Updater]

** Changed in: debian
   Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/286851

Title:
  CVE-2008-3658,2008-3659,2008-3660

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/286851/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Launchpad Bug Tracker]

** Branch linked: lp:~ubuntu-branches/ubuntu/dapper/php5/dapper-security

** Branch linked: lp:~ubuntu-branches/ubuntu/gutsy/php5/gutsy-security

** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/php5/hardy-security

** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/php5/intrepid-
security

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Launchpad Bug Tracker]

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.5

---
php5 (5.2.4-2ubuntu5.5) hardy-security; urgency=low

  * SECURITY UPDATE: php_admin_value and php_admin_flag restrictions bypass via
ini_set. (LP: #228095)
- debian/patches/120_SECURITY_CVE-2007-5900.patch: add new
  zend_alter_ini_entry_ex() function that extends zend_alter_ini_entry() by
  making sure the entry can be modified in Zend/zend_ini.{c,h},
  Zend/zend_vm_def.h, and Zend/zend_vm_execute.h.
- CVE-2007-5900
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
via crafted font file. (LP: #286851)
- debian/patches/121_SECURITY_CVE-2008-3658.patch: make sure font->nchars,
  font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
  test script ext/gd/tests/imageloadfont_invalid.phpt.
- CVE-2008-3658
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
via the delimiter argument to the explode function. (LP: #286851)
- debian/patches/122_SECURITY_CVE-2008-3659.patch: make sure needle_length
  is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
  script ext/standard/tests/strings/explode_bug.phpt.
- CVE-2008-3659
  * SECURITY UPDATE: denial of service via a request with multiple dots
preceding the extension. (ex: foo..php) (LP: #286851)
- debian/patches/123_SECURITY_CVE-2008-3660.patch: improve .. cleaning with
  a new is_valid_path() function in sapi/cgi/cgi_main.c.
- CVE-2008-3660
  * SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
string containing HTML entity. (LP: #317672)
- debian/patches/124_SECURITY_CVE-2008-5557.patch: improve
  mbfl_filt_conv_html_dec_flush() error handling in
  ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
- CVE-2008-5557
  * SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
settings.
- debian/patches/125_SECURITY_CVE-2008-5624.patch: make sure the page_uid
  and page_gid get initialized properly in ext/standard/basic_functions.c.
  Also, init server_context before processing config variables in
  sapi/apache/mod_php5.c.
- CVE-2008-5624
  * SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
entry in a .htaccess file.
- debian/patches/126_SECURITY_CVE-2008-5625.patch: enforce restrictions
  when merging in dir entry in sapi/apache/mod_php5.c and
  sapi/apache2handler/apache_config.c.
- CVE-2008-5625
  * SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
file with dot-dot filenames.
- debian/patches/127_SECURITY_CVE-2008-5658.patch: clean up filename paths
  in ext/zip/php_zip.c with new php_zip_realpath_r(),
  php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
- CVE-2008-5658

 -- Marc DeslauriersTue, 27 Jan 2009
14:22:51 -0500

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Launchpad Bug Tracker]

This bug was fixed in the package php5 - 5.2.6-2ubuntu4.1

---
php5 (5.2.6-2ubuntu4.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible arbitrary code execution
via crafted font file. (LP: #286851)
- debian/patches/120-SECURITY-CVE-2008-3658.patch: make sure font->nchars,
  font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
  test script ext/gd/tests/imageloadfont_invalid.phpt.
- CVE-2008-3658
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
via the delimiter argument to the explode function. (LP: #286851)
- debian/patches/121-SECURITY-CVE-2008-3659.patch: make sure needle_length
  is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
  script ext/standard/tests/strings/explode_bug.phpt.
- CVE-2008-3659
  * SECURITY UPDATE: denial of service via a request with multiple dots
preceding the extension. (ex: foo..php) (LP: #286851)
- debian/patches/122-SECURITY-CVE-2008-3660.patch: improve .. cleaning with
  a new is_valid_path() function in sapi/cgi/cgi_main.c.
- CVE-2008-3660
  * SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
string containing HTML entity. (LP: #317672)
- debian/patches/123-SECURITY-CVE-2008-5557.patch: improve
  mbfl_filt_conv_html_dec_flush() error handling in
  ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
- CVE-2008-5557
  * SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
settings.
- debian/patches/124-SECURITY-CVE-2008-5624.patch: make sure the page_uid
  and page_gid get initialized properly in ext/standard/basic_functions.c.
  Also, init server_context before processing config variables in
  sapi/apache/mod_php5.c.
- CVE-2008-5624
  * SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
entry in a .htaccess file.
- debian/patches/125-SECURITY-CVE-2008-5625.patch: enforce restrictions
  when merging in dir entry in sapi/apache/mod_php5.c and
  sapi/apache2handler/apache_config.c.
- CVE-2008-5625
  * SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
file with dot-dot filenames.
- debian/patches/126-SECURITY-CVE-2008-5658.patch: clean up filename paths
  in ext/zip/php_zip.c with new php_zip_realpath_r(),
  php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
- CVE-2008-5658

 -- Marc DeslauriersMon, 26 Jan 2009
08:43:21 -0500

** Changed in: php5 (Ubuntu)
   Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5557

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5624

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5625

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5658

** Changed in: php5 (Ubuntu Hardy)
   Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2007-5900

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Jamie Strandboge]

** Changed in: php5 (Ubuntu)
   Status: New => Confirmed

** Changed in: php5 (Ubuntu Hardy)
   Status: New => Confirmed

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Mark Lee]

I didn't mean to add that CVE to this bug. I'll file it in a separate
bug.

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5557

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Mark Lee]

For what it's worth, I used the patches from the Debian Lenny php5
package without modification to backport to Hardy.  The resulting
package is available in my PPA:
.  The package also contains the
patch for CVE-2008-5557, and an updated PEAR installation.

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5557

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Thilo Uttendorfer]

I'm still not sure if the packages are affected at all, nevertheless I managed 
to use the patches from Debian: php5 (5.2.0-8+etch13). You need the following 
patches from debian/patches/
139-CVE-2008-3659.patch
140-CVE-2008-3658.patch
141-CVE-2008-3660.patch

Then you need to update debian/patches/series and change some small
things in 141-CVE-2008-3660.patch (I can post that, if somebody is
interested).

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Russell Smith]

** Bug watch added: Debian Bug tracker #499987
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987

** Also affects: debian via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
   Importance: Unknown
   Status: Unknown

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Russell Smith]

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3658

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3659

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-3660

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[Thilo Uttendorfer]

These CVEs aren't fixed for hardy (and probably gutsy), too. Is there an
update planned or are the ubuntu packages not affected?

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660

[SwissSign Operations Team]

** Visibility changed to: Public

-- 
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs