lp:ubuntu/breezy-security/php5

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/breezy-security/php5
Members of Ubuntu branches can upload to this branch.

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

10. By Martin Pitt

* debian/patches/CVE-2007-0906_streams.patch:
  - Extend streams string variables to accommodate null byte. (LP: #87481)
  - Fix backported from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/main/streams/streams.c?r1=1.82.2.6.2.9&r2=1.82.2.6.2.10

9. By Martin Pitt

* SECURITY UPDATE: Remote code execution.
* Add debian/patches/CVE-2007-0906_session.patch:
  - Buffer overflow in the session extension.
  - http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.22&r2=1.417.2.8.2.23
* Add debian/patches/CVE-2007-0906_streams.patch:
  - Buffer overflows in the stream filters functions.
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/streamsfuncs.c?r1=1.58.2.6.2.12&r2=1.58.2.6.2.13
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/streamsfuncs.c?r1=1.98&r2=1.99
* Add debian/patches/CVE-2007-0906_string.patch:
  - Buffer overflow in the string extension.
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.629&r2=1.631
* Add debian/patches/CVE-2007-0907.patch:
  - Buffer underflow in sapi_header_op() that can be exploited to crash the
    PHP interpreter.
  - http://cvs.php.net/viewvc.cgi/php-src/main/SAPI.c?r1=1.202.2.7.2.3&r2=1.202.2.7.2.4
* Add debian/patches/CVE-2007-0908.patch:
  - Fix forgotten initialization of key_length and buffer overflow in the
    wddx extension that could be exploited to reveal memory that is not
    supposed to be accessible (potential information disclosure).
  - http://cvs.php.net/viewvc.cgi/php-src/ext/wddx/wddx.c?r1=1.119.2.10.2.8&r2=1.119.2.10.2.10
* Add debian/patches/CVE-2007-0909_print.patch:
  - Fix format string vulnerability on 64 bit systems in the *print()
    functions.
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.82.2.1.2.11&r2=1.82.2.1.2.12
* Add debian/patches/CVE-2007-0910.patch:
  - Fix clobbering of superglobal variables during session variable
    unserialization.
  - http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.458&r2=1.459
  - http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.24&r2=1.417.2.8.2.26
  - http://cvs.php.net/viewvc.cgi/php-src/main/php_variables.c?r1=1.104.2.10.2.3&r2=1.104.2.10.2.4
* Add debian/patches/CVE-2007-0988.patch:
  - Fix infinite loop in zend_hash_init() when unserializing untrusted data
    on 64 bit systems.
  - http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_hash.c?r1=1.121.2.4.2.5&r2=1.121.2.4.2.6

8. By Martin Pitt

* SECURITY UPDATE: Remote code execution.
* Add debian/patches/CVE-2006-5465.patch:
  - Fix buffer overflows in htmlentities() and htmlspecialchars().
  - Ported from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.111.2.2.2.2&r2=1.111.2.2.2.3
* Add debian/patches/200-chdir_openbasedir_bypass.patch:
  - Fix open_basedir bypass in chdir().
  - Ported from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/dir.c?r1=1.147.2.3&r2=1.147.2.3.2.1
* Add debian/patches/201-tempnam_openbasedir_bypass.patch:
  - Fix open_basedir bypass in tempnam().
  - Ported from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/main/php_open_temporary_file.c?r1=1.34.2.1.2.1&r2=1.34.2.1.2.3

7. By Martin Pitt

* SECURITY UPDATE: Multiple vulnerabilities.
* Fix CVE number in 5.1.2-1ubuntu3.1 changelog: The curl open_basedir
  bypass is actually CVE-2006-4483, not -2563.
* Add debian/patches/CVE-2006-4485.patch:
  - Fix buffer overread in stripos().
  - Ported from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?view=diff&r1=1.547&r2=1.548
* Add debian/patches/CVE-2006-4486.patch:
  - Fix integer overflow and memory_limit bypass on 64 bit platforms.
  - Patch stolen from RedHat security update, not fixed upstream yet.
* Add debian/patches/CVE-2006-4625.patch:
  - Fix open_basedir/safe_mode bypass with ini_restore().
  - Ported from upstream CVS:
    http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?r1=1.39.2.2&r2=1.39.2.3
* Add debian/patches/CVE-2006-4812.patch:
  - Fix integer overflow in Zend's ecalloc().
  - Ported from upstream CVS:
    http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_alloc.c?r1=1.161&r2=1.162
* Note for CVE tracking: This version is not vulnerable to CVE-2006-0200.

6. By Martin Pitt

* SECURITY UPDATE: Multiple vulnerabilities.
* debian/patches/CVE-2006-4020.patch:
  - sscanf buffer overflow
  - http://bugs.php.net/bug.php?id=38322
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.3
* debian/patches/CVE-2006-4481.patch:
  - safe_mode/open_basedir bypass with file_exists() and imap_reopen()
  - http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.208.2.8&r2=1.208.2.9
    (imap_reopen())
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/filestat.c?r1=1.136.2.8&r2=1.136.2.9
    (file_exists())
* debian/patches/CVE-2006-4482.patch:
  - str_repeat() and wordwrap() buffer overflow on 64 bit systems
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.10&r2=1.445.2.14.2.11
* debian/patches/CVE-2006-4484.patch:
  - GIF parser overflow
  - http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.5.4.4&r2=1.5.4.5

5. By Martin Pitt

* SECURITY UPDATE: Multiple vulnerabilities.
* debian/patches/CVE-2006-0996.patch:
  - XSS in phpinfo() [CVE-2006-0996]
  - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c?r1=1.260&r2=1.261
* debian/patches/CVE-2006-1490.patch:
  - Memory disclosure in html_entity_decode() [CVE-2006-1490]
  - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/html.c?r1=1.112&r2=1.113
* debian/patches/CVE-2006-1494.patch:
  - Bypassing open_basedir restrictions with tempnam()
    [CVE-2006-1494, CVE-2006-2660]
  - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/file.c?r1=1.279.2.70.2.4&r2=1.279.2.70.2.5
* debian/patches/CVE-2006-1608.patch:
  - Bypassing open_basedir restrictions with copy() via a source argument
    containing a compress.zlib:// URI [CVE-2006-1494]
  - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/file.c?r1=1.382.2.10&r2=1.382.2.11
* debian/patches/CVE-2006-1990.patch:
  - Integer overflow in wordwrap function (usually not triggerable from
    outside). [CVE-2006-1990]
  - Zend/zend_alloc.c: Fix variable declaration to work on 64-bit systems to
    plug this vulnerability on amd64/ia64, too. (not yet fixed upstream)
* debian/patches/CVE-2006-1991.patch:
  - DoS with out-of-bounds offset argument to substr_compare()
    [CVE-2006-1991]
* debian/patches/CVE-2006-2563.patch:
  - Bypassing safe mode/open_basedir restrictions with curl module
    [CVE-2006-2563]
  - Patch taken from Mandriva, not fixed upstream.
* debian/patches/CVE-2006-3011.patch:
  - Bypassing safe mode/open_basedir restrictions with error_log() with
    'php://' or other schema in the third argument. [CVE-2006-3011]
  - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.9&r2=1.543.2.51.2.10
* debian/patches/CVE-2006-3017.patch:
  - Fix zend_hash_del() (previously could delete the wrong element, which
    prevented a variable from being unset even when the PHP unset function
    was called, which might cause the variable's value to be used in
    security-relevant operations). [CVE-2006-3017]
  - http://cvs.php.net/viewcvs.cgi/Zend/zend_hash.c?r1=1.87.4.8.2.1&r2=1.87.4.8.2.3
* debian/patches/CVE-2006-3018.patch:
  - Heap corruption in session extension. [CVE-2006-3018]
  - http://cvs.php.net/viewcvs.cgi/php-src/ext/session/mod_files.c?r1=1.102&r2=1.103
* Note: This version already has the fix for CVE-2006-3016 (Check session
  name for invalid characters to prevent CRLF and other malicious
  injections.)

4. By Adam Conrad

* SECURITY UPDATE: multiple fixes backported from 5.1.2 and CVS:
  - Fix multiple HTTP response splitting vulnerabilities in sessions and
    the header() function, due to lack of input validation; CVE-2006-0207
    + Add safety checks in the header() function to make sure that we
      don't get newlines injected by (mis)use of user input in headers.
    + Add a check for invalid characters in session names, so that we
      aren't subject to HTTP response splitting vulnerabilities in
      the Set-Cookie header we send back out as a result of user input.
    + Bring in a patch that got lost between php4 and php5, preventing
      us from sending session cookies when we were just handed one,
      unless the session ID has changed, eliminating another vector.
  - Filter HTML error reporting, preventing cross-site scripting attacks
    when both display_errors and html_errors are enabled; CVE-2006-0208

3. By Adam Conrad

* SECURITY UPDATE: multiple fixes backported from new upstream releases:
  - Resolves a local denial of service in the apache2 SAPI, which can
    be triggered by using session.save_path in .htaccess; CVE-2005-3319
  - Resolves an infinite loop in the exif_read_data function which can
    be triggered with a specially-crafted JPEG image; CVE-2005-3353
  - Resolves a vulnerability in the parse_str function whereby a remote
    attacker can fool PHP into turning on register_globals, thus making
    applications vulnerable to global variable injections; CVE-2005-3389
  - Resolves a vulnerability in the RFC1867 file upload feature where, if
    register_globals is enabled, a remote attacker can modify the GLOBALS
    array with a multipart/form-data POST request; see CVE-2005-3390
  - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
  - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
    and open_basedir bypasses between virtual hosts; CVE-2005-3392
  - Resolves a CRLF injection vulnerability in the mb_send_mail function,
    allowing injection of arbitrary mail headers; see CVE-2005-3883

2. By Adam Conrad

Resync with Debian, bringing in two security fixes, a file conflict fix,
and two 64-bit memory corruption and segfault fixes (no other changes).

1. By Adam Conrad

Import upstream version 5.0.5

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/php5