[Bug 286851] Re: CVE-2008-3658,2008-3659,2008-3660
Launchpad Bug Tracker
286851 at bugs.launchpad.net
Thu Feb 12 16:53:58 GMT 2009
This bug was fixed in the package php5 - 5.2.6-2ubuntu4.1
---------------
php5 (5.2.6-2ubuntu4.1) intrepid-security; urgency=low
* SECURITY UPDATE: denial of service and possible arbitrary code execution
via crafted font file. (LP: #286851)
- debian/patches/120-SECURITY-CVE-2008-3658.patch: make sure font->nchars,
font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
test script ext/gd/tests/imageloadfont_invalid.phpt.
- CVE-2008-3658
* SECURITY UPDATE: denial of service and possible arbitrary code execution
via the delimiter argument to the explode function. (LP: #286851)
- debian/patches/121-SECURITY-CVE-2008-3659.patch: make sure needle_length
is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
script ext/standard/tests/strings/explode_bug.phpt.
- CVE-2008-3659
* SECURITY UPDATE: denial of service via a request with multiple dots
preceding the extension. (ex: foo..php) (LP: #286851)
- debian/patches/122-SECURITY-CVE-2008-3660.patch: improve .. cleaning with
a new is_valid_path() function in sapi/cgi/cgi_main.c.
- CVE-2008-3660
* SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
string containing HTML entity. (LP: #317672)
- debian/patches/123-SECURITY-CVE-2008-5557.patch: improve
mbfl_filt_conv_html_dec_flush() error handling in
ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
- CVE-2008-5557
* SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
settings.
- debian/patches/124-SECURITY-CVE-2008-5624.patch: make sure the page_uid
and page_gid get initialized properly in ext/standard/basic_functions.c.
Also, init server_context before processing config variables in
sapi/apache/mod_php5.c.
- CVE-2008-5624
* SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
entry in a .htaccess file.
- debian/patches/125-SECURITY-CVE-2008-5625.patch: enforce restrictions
when merging in dir entry in sapi/apache/mod_php5.c and
sapi/apache2handler/apache_config.c.
- CVE-2008-5625
* SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
file with dot-dot filenames.
- debian/patches/126-SECURITY-CVE-2008-5658.patch: clean up filename paths
in ext/zip/php_zip.c with new php_zip_realpath_r(),
php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
- CVE-2008-5658
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Mon, 26 Jan 2009
08:43:21 -0500
** Changed in: php5 (Ubuntu)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5557
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5624
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5625
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-5658
** Changed in: php5 (Ubuntu Hardy)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2007-5900
--
CVE-2008-3658,2008-3659,2008-3660
https://bugs.launchpad.net/bugs/286851
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
More information about the Ubuntu-server-bugs
mailing list