ID: 41285
User updated by: seanius at debian dot org
Reported By: seanius at debian dot org
Status: Open
Bug Type: SQLite related
Operating System: source code
PHP Version: 5.2.2
New Comment:

oops, forgot the patch... here it is.

http://svn.debian.org/wsvn/pkg-php/php5/trunk/debian/patches/119-CVE-2007-1887-1888-MOPB-41.patch?op=file&rev=0&sc=0

Previous Comments:
------------------------------------------------------------------------

[2007-05-04 16:55:33] seanius at debian dot org

Description:
------------
from what i understand, your fix for the above mentioned vulnerabilities was to patch the bundled sqlite libraries to handle certain parameters that might be null pointers. however, for distributions where php is built against external sqlite packages, this has no effect and the resulting packages are still vulnerable unless the sqlite packages are independently patched.

in the debian php packages, we've patched the php_sqlite module to check for the null pointers outside of the call to the sqlite functions, thus not requiring a patch or change in the behaviour of the sqlite libraries.

anyway, if you want to continue keeping a patched bundled version of sqlite, that's fine, but i thought i'd share this.

------------------------------------------------------------------------