Created by James Westby on 2009-06-27 and last modified on 2012-02-17
Get this branch:
bzr branch lp:ubuntu/dapper-updates/php5
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

28. By Steve Beattie on 2011-05-04

* debian/patches/pear/php5-pear-CVE-2011-1144_regression.patch: fix
  mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452)
* debian/patches/php5-CVE-2010-4697_regression.patch: fix regression
  in reference counting added by fix for CVE-2010-4697 (LP: #776642)

27. By Steve Beattie on 2011-04-28

* SECURITY UPDATE: arbitrary files removal via cronjob
  - debian/php5-common.php5.cron.d: take greater care when removing
    session files.
  - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
  - CVE-2011-0441
* SECURITY UPDATE: symlink tmp races in pear install
  - debian/patches/php5-pear-CVE-2011-1072.patch: improved
    tempfile handling.
  - debian/rules: apply patch manually after unpacking PEAR phar
  - CVE-2011-1072
* SECURITY UPDATE: more symlink races in pear install
  - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save
    file handler.
  - debian/rules: apply patch manually after unpacking PEAR phar
  - CVE-2011-1144
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2010-4697.patch: retain reference to
    object until getter/setter are done.
  - CVE-2010-4697
* SECURITY UPDATE: denial of service through application crash with
  invalid images
  - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing
    steps are either 4 or 16.
  - CVE-2010-4698
* SECURITY UPDATE: denial of service through application crash when
  handling images with invalid exif tags
  - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking
  - CVE-2011-0708
* SECURITY UPDATE: denial of service and possible data disclosure
  through integer overflow
  - debian/patches/php5-CVE-2011-1092.patch: better boundary
    condition checks in shmop_read()
  - CVE-2011-1092
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2011-1148.patch: improve reference
  - CVE-2011-1148
* SECURITY UPDATE: denial of service through buffer overflow crash
  (code execution mitigated by compilation with Fortify Source)
  - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision
    to ensure fitting within MAX_BUF_SIZE
  - CVE-2011-1464
* SECURITY UPDATE: denial of service through application crash via
  integer overflow.
  - debian/patches/php5-CVE-2011-1466.patch: improve boundary
    condition checking in SdnToJulian()
  - CVE-2011-1466
* SECURITY UPDATE: denial of service through application crash
  when using HTTP proxy with the FTP wrapper
  - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling
  - CVE-2011-1469

26. By Steve Beattie on 2011-01-12

* main/fopen_wrappers.c: update to include fix for open_basedir
  restriction regression (LP: #701896)
  - http://svn.php.net/viewvc?view=revision&revision=305698

25. By Steve Beattie on 2011-01-10

* SECURITY UPDATE: overflow leading to xml decode bypass
  - ext/xml/xml.c: convert short to int to prevent overflow in
    bit operations
  - http://svn.php.net/viewvc/?view=revision&revision=287790
  - CVE-2009-5016
* SECURITY UPDATE: xml decode bypass
  - ext/xml/xml.c: improve utf8 decoding
  - ext/xml/tests/bug49687.phpt: add testcase
  - http://svn.php.net/viewvc/?view=revision&revision=304959
  - CVE-2010-3780
* SECURITY UPDATE: open_basedir bypass
  - main/fopen_wrappers.c: more strict checking in
  - http://svn.php.net/viewvc?view=revision&revision=303824
  - CVE-2010-3436
* SECURITY UPDATE: infinite loop/denial of service when dealing with
  certain textual forms of MAX_FLOAT (LP: #697181)
  - Zend/zend_strtod.c: treat local doubles as volatile to avoid
    x87 registers in zend_strtod()
  - http://svn.php.net/viewvc?view=revision&revision=263637
  - http://svn.php.net/viewvc?view=revision&revision=307095
  - CVE-2010-4645

24. By Marc Deslauriers on 2010-09-16

* SECURITY UPDATE: denial of service via xmlrpc crafted argument
  - debian/patches/CVE-2010-0397.patch: make sure method_name isn't empty
    in ext/xmlrpc/xmlrpc-epi-php.c, add test to
  - CVE-2010-0397
* SECURITY UPDATE: weak entropy in Linear Congruential Generator (LCG)
  - debian/patches/CVE-2010-1128.patch: add more entropy in
  - CVE-2010-1128
* SECURITY UPDATE: safe_mode bypass via trailing slash in dir pathnames
  - debian/patches/CVE-2010-1129.patch: properly validate pathname in
  - CVE-2010-1129
* SECURITY UPDATE: arbitrary code execution via empty SQL query
  - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in
  - CVE-2010-1868
* SECURITY UPDATE: denial of service via fnmatch stack consumption
  - debian/patches/CVE-2010-1917.patch: limit size of pattern in
  - CVE-2010-1917
* SECURITY UPDATE: sensitive information disclosure via error messages
  - debian/patches/CVE-2010-2531.patch: don't display data when flushing
    output buffer in ext/standard/{var.c,php_var.h}.
  - CVE-2010-2531
* SECURITY UPDATE: arbitrary session variable modification via crafted
  session variable name
  - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in
  - CVE-2010-3065

23. By Marc Deslauriers on 2010-01-06

* SECURITY UPDATE: information disclosure and denial of service via
  zend_restore_ini_entry_cb function.
  - debian/patches/CVE-2009-2626.patch: gracefully handle failure in
  - CVE-2009-2626
* SECURITY UPDATE: Cross-site scripting via incomplete htmlspecialchars
  - debian/patches/CVE-2009-4142.patch: rewrite handling logic in
    ext/standard/html.c, add ext/standard/tests/strings/bug49785.phpt
    test script.
  - CVE-2009-4142
* SECURITY UPDATE: restrictions bypass via incorrect session data
  - debian/patches/CVE-2009-4143.patch: protect from interrupt
    corruption in ext/session/session.c.
  - CVE-2009-4143

22. By Marc Deslauriers on 2009-11-26

* SECURITY UPDATE: file truncation via key with null byte
  - debian/patches/CVE-2008-7068.patch: make sure key and value are sane
    in ext/dba/libinifile/inifile.c.
  - CVE-2008-7068
* SECURITY UPDATE: certificate spoofing via null-byte certs (LP: #446313)
  - debian/patches/CVE-2009-3291.patch: validate certificate's CN length
    in ext/openssl/openssl.c.
  - CVE-2009-3291
* SECURITY UPDATE: denial of service via malformed exif images
  (LP: #446313)
  - debian/patches/CVE-2009-3292.patch: check length, return codes, and
    nesting level in ext/exif/exif.c.
  - CVE-2009-3292
* SECURITY UPDATE: safe_mode bypass via tempam function
  - debian/patches/CVE-2009-3557.patch: check for safe_mode in
  - CVE-2009-3557
* SECURITY UPDATE: open_basedir restrictions bypass via posix_mkfifo
  - debian/patches/CVE-2009-3558.patch: check for open_basedir in
  - CVE-2009-3558
* SECURITY UPDATE: denial of service via large number of files in
  form-data POST request.
  - debian/patches/CVE-2009-4017.patch: introduce new "max_file_uploads"
    directive and enforce in main/main.c, main/rfc1867.c.
  - ATTENTION: this update changes previous php5 behaviour by limiting
    the number of files in a POST request to 50. This may be increased
    by adding a "max_file_uploads" directive to the php.ini configuration
  - CVE-2009-4017
* SECURITY UPDATE: safe_mode_protected_env_vars bypass via proc_open()
  - debian/patches/CVE-2009-4018.patch: add safe_mode check in
  - CVE-2009-4018

21. By Marc Deslauriers on 2009-08-21

* SECURITY UPDATE: denial of service via malformed JPEG image with
  invalid offset fields
  - debian/patches/229_SECURITY_CVE-2009-2687.patch: validate
    offset_of_ifd in ext/exif/exif.c.
  - CVE-2009-2687

20. By Marc Deslauriers on 2009-04-15

* SECURITY UPDATE: cross-site scripting vulnerability when display_errors
  is enabled.
  - debian/patches/227_SECURITY_CVE-2008-5814.patch: don't print back
    cookie names or values in ext/standard/head.c.
  - CVE-2008-5814
* SECURITY UPDATE: mbstring.func_overload setting in .htaccess affects
  other virtual hosts.
  - debian/patches/228_SECURITY_CVE-2009-0754.patch: don't terminate on
    the first function that is not overloaded in ext/mbstring/mbstring.c.
  - CVE-2009-0754

19. By Marc Deslauriers on 2009-01-29

* SECURITY UPDATE: denial of service and possible code execution from
  integer overflow in libgd. Although the system libgd was fixed in USN-557-1,
  php5 would not gracefully handle the error return code, resulting in a
  denial of service.
  - debian/patches/219_SECURITY_CVE-2007-3996.patch: check return codes when
    calling libgd in ext/gd/gd.c.
  - CVE-2007-3996
* SECURITY UPDATE: php_admin_value and php_admin_flag restrictions bypass via
  ini_set. (LP: #228095)
  - debian/patches/220_SECURITY_CVE-2007-5900.patch: add new
    zend_alter_ini_entry_ex() function that extends zend_alter_ini_entry() by
    making sure the entry can be modified in Zend/zend_ini.{c,h},
    Zend/zend_vm_def.h, and Zend/zend_vm_execute.h. Use the new function for
    bacporting reasons in sapi/cgi/cgi_main.c and sapi/cli/php_cli.c.
  - CVE-2007-5900
* SECURITY UPDATE: denial of service and possible arbitrary code execution
  via crafted font file. (LP: #286851)
  - debian/patches/221_SECURITY_CVE-2008-3658.patch: make sure font->nchars,
    font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
    test script ext/gd/tests/imageloadfont_invalid.phpt.
  - CVE-2008-3658
* SECURITY UPDATE: denial of service and possible arbitrary code execution
  via the delimiter argument to the explode function. (LP: #286851)
  - debian/patches/222_SECURITY_CVE-2008-3659.patch: make sure needle_length
    is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
    script ext/standard/tests/strings/explode_bug.phpt.
  - CVE-2008-3659
* SECURITY UPDATE: denial of service via a request with multiple dots
  preceding the extension. (ex: foo..php) (LP: #286851)
  - debian/patches/223_SECURITY_CVE-2008-3660.patch: improve .. cleaning with
    a new is_valid_path() function in sapi/cgi/cgi_main.c.
  - CVE-2008-3660
* SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
  string containing HTML entity. (LP: #317672)
  - debian/patches/224_SECURITY_CVE-2008-5557.patch: improve
    mbfl_filt_conv_html_dec_flush() error handling in
  - CVE-2008-5557
* SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
  - debian/patches/225_SECURITY_CVE-2008-5624.patch: make sure the page_uid
    and page_gid get initialized properly in ext/standard/basic_functions.c.
    Also, init server_context before processing config variables in
  - CVE-2008-5624
* SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
  entry in a .htaccess file.
  - debian/patches/226_SECURITY_CVE-2008-5625.patch: enforce restrictions
    when merging in dir entry in sapi/apache/mod_php5.c and
  - CVE-2008-5625

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.