[php-maint] Month of PHP bugs...

sean finney seanius at debian.org
Thu Mar 8 18:51:48 CET 2007


hey ondrej,

On Thu, 2007-03-08 at 14:21 +0100, Ondřej Surý wrote:
> > yeah, that was the cause of the latest round of security updates,
> > actually.  the php folks released 5.2.1 which supposedly fixes all the
> > problems that will be brought up in the MOPB, though we'll see whether
> > or not that's really the case.  anyway, last time i looked we're in good
> > shape wrt the shown bugs--not counting a couple issues not worth fixing
> > (XSS in phpinfo(), etc).
> 
> There are those marked as (U) which were not fixed by 5.2.1 release and
> at least MOPB-14-2007 looks serious (arbitrary memory read caused by
> integer overflow).

looking closer at the code, i don't think this is really a high severity
issue.  it's definitely a problem, but in order for it to be
exploitable, the vulnerable php page in question would need to be doing
something pretty stupid (calling substr_compare where offset+length >
INT_MAX).  so, we should consider digging up the patch for this for the
next php update, but i don't think it really warrants one on its own
unless someone can justify how it could be remotely exploitable in a
sane environment.

i'm still a little burned out from the last security run, but sometime
during this weekend i'll probably sit down and review the latest batch
of MOPB bugs and see where we stand.  my biggest fear is that the fixes
from php.net introduce regressions or possibly open new holes (see the
comments on the wddx vulnerability, which we'll need to review to see
if it affects us).



	sean
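
The condition discussed above (offset+length > INT_MAX defeating a range check), as an added example that is not part of this message and is not the PHP source: a bounds check that adds offset and length wraps negative and accepts the range, while a subtraction-based check rejects it. The function names and the shape of the naive check are assumptions made for illustration; the wrap is modelled in wider arithmetic so the demo itself has no undefined behaviour.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical naive check: accept when offset + len <= s_len.
 * The int addition is modelled in long long and wrapped by hand, which
 * reproduces two's-complement overflow for non-negative inputs. */
static int naive_in_bounds(int offset, int len, int s_len)
{
    long long sum = (long long)offset + (long long)len;
    if (sum > INT_MAX)
        sum -= (long long)UINT_MAX + 1;   /* wraps to a negative value */
    return sum <= s_len;
}

/* Overflow-safe check: validate signs first, then compare len against the
 * remaining room. No addition is performed, so nothing can wrap. */
static int safe_in_bounds(int offset, int len, int s_len)
{
    if (offset < 0 || len < 0 || s_len < 0)
        return 0;
    if (offset > s_len)
        return 0;
    return len <= s_len - offset;
}

int main(void)
{
    /* Constructed cases: {offset, len, string length}. */
    const int cases[][3] = {
        { 4, 8, 16 },        /* in range */
        { 10, 10, 16 },      /* out of range, no overflow */
        { 10, INT_MAX, 16 }, /* offset + len > INT_MAX */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int o = cases[i][0], l = cases[i][1], n = cases[i][2];
        printf("offset=%d len=%d s_len=%d naive=%s safe=%s\n", o, l, n,
               naive_in_bounds(o, l, n) ? "accept" : "reject",
               safe_in_bounds(o, l, n) ? "accept" : "reject");
    }
    return 0;
}
```

Only the third case separates the two checks, which matches the point made above that a caller has to pass an offset and length summing past INT_MAX before the flaw matters.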