lp:ubuntu/dapper-updates/php5

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

28. By Steve Beattie on 2011-05-04

* debian/patches/pear/php5-pear-CVE-2011-1144_regression.patch: fix
  mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452)
* debian/patches/php5-CVE-2010-4697_regression.patch: fix regression
  in reference counting added by fix for CVE-2010-4697 (LP: #776642)

27. By Steve Beattie on 2011-04-28

* SECURITY UPDATE: arbitrary files removal via cronjob
  - debian/php5-common.php5.cron.d: take greater care when removing
    session files.
  - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
  - CVE-2011-0441
* SECURITY UPDATE: symlink tmp races in pear install
  - debian/patches/php5-pear-CVE-2011-1072.patch: improved
    tempfile handling.
  - debian/rules: apply patch manually after unpacking PEAR phar
    archive.
  - CVE-2011-1072
* SECURITY UPDATE: more symlink races in pear install
  - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save
    file handler.
  - debian/rules: apply patch manually after unpacking PEAR phar
    archive.
  - CVE-2011-1144
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2010-4697.patch: retain reference to
    object until getter/setter are done.
  - CVE-2010-4697
* SECURITY UPDATE: denial of service through application crash with
  invalid images
  - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing
    steps are either 4 or 16.
  - CVE-2010-4698
* SECURITY UPDATE: denial of service through application crash when
  handling images with invalid exif tags
  - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking
  - CVE-2011-0708
* SECURITY UPDATE: denial of service and possible data disclosure
  through integer overflow
  - debian/patches/php5-CVE-2011-1092.patch: better boundary
    condition checks in shmop_read()
  - CVE-2011-1092
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2011-1148.patch: improve reference
    counting
  - CVE-2011-1148
* SECURITY UPDATE: denial of service through buffer overflow crash
  (code execution mitigated by compilation with Fortify Source)
  - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision
    to ensure fitting within MAX_BUF_SIZE
  - CVE-2011-1464
* SECURITY UPDATE: denial of service through application crash via
  integer overflow.
  - debian/patches/php5-CVE-2011-1466.patch: improve boundary
    condition checking in SdnToJulian()
  - CVE-2011-1466
* SECURITY UPDATE: denial of service through application crash
  when using HTTP proxy with the FTP wrapper
  - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling
  - CVE-2011-1469

26. By Steve Beattie on 2011-01-12

* main/fopen_wrappers.c: update to include fix for open_basedir
  restriction regression (LP: #701896)
  - http://svn.php.net/viewvc?view=revision&revision=305698

25. By Steve Beattie on 2011-01-10

* SECURITY UPDATE: overflow leading to xml decode bypass
  - ext/xml/xml.c: convert short to int to prevent overflow in
    bit operations
  - http://svn.php.net/viewvc/?view=revision&revision=287790
  - CVE-2009-5016
* SECURITY UPDATE: xml decode bypass
  - ext/xml/xml.c: improve utf8 decoding
  - ext/xml/tests/bug49687.phpt: add testcase
  - http://svn.php.net/viewvc/?view=revision&revision=304959
  - CVE-2010-3780
* SECURITY UPDATE: open_basedir bypass
  - main/fopen_wrappers.c: more strict checking in
    php_check_specific_open_basedir()
  - http://svn.php.net/viewvc?view=revision&revision=303824
  - CVE-2010-3436
* SECURITY UPDATE: infinite loop/denial of service when dealing with
  certain textual forms of MAX_FLOAT (LP: #697181)
  - Zend/zend_strtod.c: treat local doubles as volatile to avoid
    x87 registers in zend_strtod()
  - http://svn.php.net/viewvc?view=revision&revision=263637
  - http://svn.php.net/viewvc?view=revision&revision=307095
  - CVE-2010-4645

24. By Marc Deslauriers on 2010-09-16

* SECURITY UPDATE: denial of service via xmlrpc crafted argument
  - debian/patches/CVE-2010-0397.patch: make sure method_name isn't empty
    in ext/xmlrpc/xmlrpc-epi-php.c, add test to
    ext/xmlrpc/tests/bug51288.phpt.
  - CVE-2010-0397
* SECURITY UPDATE: weak entropy in Linear Congruential Generator (LCG)
  - debian/patches/CVE-2010-1128.patch: add more entropy in
    ext/standard/lcg.c.
  - CVE-2010-1128
* SECURITY UPDATE: safe_mode bypass via trailing slash in dir pathnames
  - debian/patches/CVE-2010-1129.patch: properly validate pathname in
    ext/standard/file.c.
  - CVE-2010-1129
* SECURITY UPDATE: arbitrary code execution via empty SQL query
  - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in
    ext/sqlite/sqlite.c.
  - CVE-2010-1868
* SECURITY UPDATE: denial of service via fnmatch stack consumption
  - debian/patches/CVE-2010-1917.patch: limit size of pattern in
    ext/standard/file.c.
  - CVE-2010-1917
* SECURITY UPDATE: sensitive information disclosure via error messages
  - debian/patches/CVE-2010-2531.patch: don't display data when flushing
    output buffer in ext/standard/{var.c,php_var.h}.
  - CVE-2010-2531
* SECURITY UPDATE: arbitrary session variable modification via crafted
  session variable name
  - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in
    ext/session/session.c.
  - CVE-2010-3065

23. By Marc Deslauriers on 2010-01-06

* SECURITY UPDATE: information disclosure and denial of service via
  zend_restore_ini_entry_cb function.
  - debian/patches/CVE-2009-2626.patch: gracefully handle failure in
    Zend/zend_ini.c.
  - CVE-2009-2626
* SECURITY UPDATE: Cross-site scripting via incomplete htmlspecialchars
  filtering
  - debian/patches/CVE-2009-4142.patch: rewrite handling logic in
    ext/standard/html.c, add ext/standard/tests/strings/bug49785.phpt
    test script.
  - CVE-2009-4142
* SECURITY UPDATE: restrictions bypass via incorrect session data
  handling
  - debian/patches/CVE-2009-4143.patch: protect from interrupt
    corruption in ext/session/session.c.
  - CVE-2009-4143

22. By Marc Deslauriers on 2009-11-26

* SECURITY UPDATE: file truncation via key with null byte
  - debian/patches/CVE-2008-7068.patch: make sure key and value are sane
    in ext/dba/libinifile/inifile.c.
  - CVE-2008-7068
* SECURITY UPDATE: certificate spoofing via null-byte certs (LP: #446313)
  - debian/patches/CVE-2009-3291.patch: validate certificate's CN length
    in ext/openssl/openssl.c.
  - CVE-2009-3291
* SECURITY UPDATE: denial of service via malformed exif images
  (LP: #446313)
  - debian/patches/CVE-2009-3292.patch: check length, return codes, and
    nesting level in ext/exif/exif.c.
  - CVE-2009-3292
* SECURITY UPDATE: safe_mode bypass via tempam function
  - debian/patches/CVE-2009-3557.patch: check for safe_mode in
    ext/standard/file.c.
  - CVE-2009-3557
* SECURITY UPDATE: open_basedir restrictions bypass via posix_mkfifo
  - debian/patches/CVE-2009-3558.patch: check for open_basedir in
    ext/posix/posix.c.
  - CVE-2009-3558
* SECURITY UPDATE: denial of service via large number of files in
  form-data POST request.
  - debian/patches/CVE-2009-4017.patch: introduce new "max_file_uploads"
    directive and enforce in main/main.c, main/rfc1867.c.
  - ATTENTION: this update changes previous php5 behaviour by limiting
    the number of files in a POST request to 50. This may be increased
    by adding a "max_file_uploads" directive to the php.ini configuration
    file.
  - CVE-2009-4017
* SECURITY UPDATE: safe_mode_protected_env_vars bypass via proc_open()
  - debian/patches/CVE-2009-4018.patch: add safe_mode check in
    ext/standard/proc_open.c
  - CVE-2009-4018

21. By Marc Deslauriers on 2009-08-21

* SECURITY UPDATE: denial of service via malformed JPEG image with
  invalid offset fields
  - debian/patches/229_SECURITY_CVE-2009-2687.patch: validate
    offset_of_ifd in ext/exif/exif.c.
  - CVE-2009-2687

20. By Marc Deslauriers on 2009-04-15

* SECURITY UPDATE: cross-site scripting vulnerability when display_errors
  is enabled.
  - debian/patches/227_SECURITY_CVE-2008-5814.patch: don't print back
    cookie names or values in ext/standard/head.c.
  - CVE-2008-5814
* SECURITY UPDATE: mbstring.func_overload setting in .htaccess affects
  other virtual hosts.
  - debian/patches/228_SECURITY_CVE-2009-0754.patch: don't terminate on
    the first function that is not overloaded in ext/mbstring/mbstring.c.
  - CVE-2009-0754

19. By Marc Deslauriers on 2009-01-29

* SECURITY UPDATE: denial of service and possible code execution from
  integer overflow in libgd. Although the system libgd was fixed in USN-557-1,
  php5 would not gracefully handle the error return code, resulting in a
  denial of service.
  - debian/patches/219_SECURITY_CVE-2007-3996.patch: check return codes when
    calling libgd in ext/gd/gd.c.
  - CVE-2007-3996
* SECURITY UPDATE: php_admin_value and php_admin_flag restrictions bypass via
  ini_set. (LP: #228095)
  - debian/patches/220_SECURITY_CVE-2007-5900.patch: add new
    zend_alter_ini_entry_ex() function that extends zend_alter_ini_entry() by
    making sure the entry can be modified in Zend/zend_ini.{c,h},
    Zend/zend_vm_def.h, and Zend/zend_vm_execute.h. Use the new function for
    bacporting reasons in sapi/cgi/cgi_main.c and sapi/cli/php_cli.c.
  - CVE-2007-5900
* SECURITY UPDATE: denial of service and possible arbitrary code execution
  via crafted font file. (LP: #286851)
  - debian/patches/221_SECURITY_CVE-2008-3658.patch: make sure font->nchars,
    font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
    test script ext/gd/tests/imageloadfont_invalid.phpt.
  - CVE-2008-3658
* SECURITY UPDATE: denial of service and possible arbitrary code execution
  via the delimiter argument to the explode function. (LP: #286851)
  - debian/patches/222_SECURITY_CVE-2008-3659.patch: make sure needle_length
    is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
    script ext/standard/tests/strings/explode_bug.phpt.
  - CVE-2008-3659
* SECURITY UPDATE: denial of service via a request with multiple dots
  preceding the extension. (ex: foo..php) (LP: #286851)
  - debian/patches/223_SECURITY_CVE-2008-3660.patch: improve .. cleaning with
    a new is_valid_path() function in sapi/cgi/cgi_main.c.
  - CVE-2008-3660
* SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
  string containing HTML entity. (LP: #317672)
  - debian/patches/224_SECURITY_CVE-2008-5557.patch: improve
    mbfl_filt_conv_html_dec_flush() error handling in
    ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
  - CVE-2008-5557
* SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
  settings.
  - debian/patches/225_SECURITY_CVE-2008-5624.patch: make sure the page_uid
    and page_gid get initialized properly in ext/standard/basic_functions.c.
    Also, init server_context before processing config variables in
    sapi/apache/mod_php5.c.
  - CVE-2008-5624
* SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
  entry in a .htaccess file.
  - debian/patches/226_SECURITY_CVE-2008-5625.patch: enforce restrictions
    when merging in dir entry in sapi/apache/mod_php5.c and
    sapi/apache2handler/apache_config.c.
  - CVE-2008-5625