lp:ubuntu/gutsy-security/php5

Created by James Westby on 2009-06-27 and last modified on 2009-06-27
Get this branch:
bzr branch lp:ubuntu/gutsy-security/php5

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

27. By Marc Deslauriers on 2009-01-29

* SECURITY UPDATE: denial of service and possible code execution from
  integer overflow in libgd. Although the system libgd was fixed in USN-557-1,
  php5 would not gracefully handle the error return code, resulting in a
  denial of service.
  - debian/patches/119_SECURITY_CVE-2007-3996.patch: check return codes when
    calling libgd in ext/gd/gd.c.
  - CVE-2007-3996
* SECURITY UPDATE: php_admin_value and php_admin_flag restrictions bypass via
  ini_set. (LP: #228095)
  - debian/patches/120_SECURITY_CVE-2007-5900.patch: add new
    zend_alter_ini_entry_ex() function that extends zend_alter_ini_entry() by
    making sure the entry can be modified in Zend/zend_ini.{c,h},
    Zend/zend_vm_def.h, and Zend/zend_vm_execute.h.
  - CVE-2007-5900
* SECURITY UPDATE: denial of service and possible arbitrary code execution
  via crafted font file. (LP: #286851)
  - debian/patches/121_SECURITY_CVE-2008-3658.patch: make sure font->nchars,
    font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
    test script ext/gd/tests/imageloadfont_invalid.phpt.
  - CVE-2008-3658
* SECURITY UPDATE: denial of service and possible arbitrary code execution
  via the delimiter argument to the explode function. (LP: #286851)
  - debian/patches/122_SECURITY_CVE-2008-3659.patch: make sure needle_length
    is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
    script ext/standard/tests/strings/explode_bug.phpt.
  - CVE-2008-3659
* SECURITY UPDATE: denial of service via a request with multiple dots
  preceding the extension. (ex: foo..php) (LP: #286851)
  - debian/patches/123_SECURITY_CVE-2008-3660.patch: improve .. cleaning with
    a new is_valid_path() function in sapi/cgi/cgi_main.c.
  - CVE-2008-3660
* SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
  string containing HTML entity. (LP: #317672)
  - debian/patches/124_SECURITY_CVE-2008-5557.patch: improve
    mbfl_filt_conv_html_dec_flush() error handling in
    ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
  - CVE-2008-5557
* SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
  settings.
  - debian/patches/125_SECURITY_CVE-2008-5624.patch: make sure the page_uid
    and page_gid get initialized properly in ext/standard/basic_functions.c.
    Also, init server_context before processing config variables in
    sapi/apache/mod_php5.c.
  - CVE-2008-5624
* SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
  entry in a .htaccess file.
  - debian/patches/126_SECURITY_CVE-2008-5625.patch: enforce restrictions
    when merging in dir entry in sapi/apache/mod_php5.c and
    sapi/apache2handler/apache_config.c.
  - CVE-2008-5625
* SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
  file with dot-dot filenames.
  - debian/patches/127_SECURITY_CVE-2008-5658.patch: clean up filename paths
    in ext/zip/php_zip.c with new php_zip_realpath_r(),
    php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
  - CVE-2008-5658

26. By Jamie Strandboge on 2008-07-22

* debian/patches/SECURITY_CVE-2008-2050.patch: possible stack overflow and
  sending of uninitialized paddings
* debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
  multibyte chars inside escapeshellcmd()
* debian/patches/SECURITY_CVE-2008-0599.patch: properly consider operator
  precedence when calculating length of PATH_TRANSLATED
* debian/patches/SECURITY_CVE-2007-4850.patch: fixed a safe_mode bypass in
  cURL
* Add debian/patches/SECURITY_CVE-2008-2829.patch: unsafe usage of
  deprecated imap functions (patch from Debian)
* Add debian/patches/SECURITY_CVE-2008-1384.patch: integer overflow in
  printf() (patch from Debian)
* Add debian/patches/SECURITY_CVE-2008-2107+2108.patch: weak random number
  seed.
* Add debian/patches/SECURITY_CVE-2007-4782.patch: DoS via long string in
  the fnmatch functions
* debian/patches/SECURITY_526-pcre_compile.patch: avoid stack overflow (fix
  from pcre 7.6)
* Update debian/patches/207-htmlentity-utf8-fix.patch: fail on improperly
  finished UTF sequence
* Add debian/patches/SECURITY_CVE-2008-2371.patch: buffer overflow.
  Backported upstream patches.
* References
  CVE-2008-2050
  CVE-2008-2051
  CVE-2008-0599
  CVE-2007-4850
  CVE-2008-2829
  CVE-2008-1384
  CVE-2008-2107
  CVE-2008-2108
  CVE-2007-4782
  CVE-2007-5898
  CVE-2008-2371
  LP: #227464

25. By Kees Cook on 2007-12-01

* SECURITY UPDATE: fix segfault in session management.
* Update 204-start-session-cookies.patch: thanks to Malcolm Scott.
* References
  https://launchpad.net/bugs/173043

24. By Kees Cook on 2007-10-19

* SECURITY UPDATE: multiple vulnerabilities. Thanks to Sean Finney for
  help locating upstream fixes.
* Add 200-string-wordwrap.patch: wordwrap function can be made to crash.
  Backported upstream fixes (CVE-2007-3998).
* Add 201-strspn-oob-read.patch: memory reading, possible crash via strspn.
  chunk_split. Backported upstream fixes (CVE-2007-4657).
* Add 202-money-format-abuse.patch: money_format format string vulnerable.
  Backported upstream fixes (CVE-2007-4658).
* Add 203-openssl_make_REQ-overflow.patch: overflow in openssl_make_REQ.
  Applied and corrected upstream fixes (CVE-2007-4662).
* Add 204-start-session-cookies.patch: overwrite cookie values.
  Applied upstream fixes (CVE-2007-3799).
* Add 206-chunk_split-fixes.patch: memory reading, possible crash via
  chunk_split. Merged various upstream fixes (CVE-2007-2872, CVE-2007-4660,
  CVE-2007-4661).
* Add 206-cookie-nesting-fix.patch: corruption/crashes via deeply nested
  variables. Backported upstream fixes (CVE-2007-1285, CVE-2007-4670).
* Add 207-htmlentity-utf8-fix.patch: don't accept partial utf8 sequences.
  Backported upstream fixes (CVE-2007-5898).
* Add 208-session-id-leak.patch: don't send session id to remote forms.
  Backported upstream fixes (CVE-2007-5899).
* References
  http://www.php.net/releases/5_2_4.php
  http://www.php.net/releases/5_2_5.php

23. By LaMont Jones on 2007-10-04

Trigger rebuild for hppa

22. By Soren Hansen on 2007-09-03

* debian/rules:
  - Fix broken memory_limit mangling for php5-cli. (LP: #109079)
  - Don't clean out debian/copyright. (iz soyuz bug..)
* debian/php5-cli.postinst, debian/rules:
  - Use same php.ini-dist for all flavours. The only difference used to be
    cli having a higher memory_limit value, but upstream has changed this to
    128MB, which is higher than both of the previous values.

21. By Matthias Klose on 2007-08-10

debian/rules: Correctly mangle PHP5_* macros for lpia.

20. By Matthias Klose on 2007-08-09

debian/rules: Correctly mangle PHP5_* macros for lpia.

19. By Steve Kowalik on 2007-07-05

Rebuild for the libcurl transition mess.

18. By Soren Hansen on 2007-06-11

* Merge from debian unstable, remaining changes:
 - debian/changelog: Add some missing CVEs.
 - debian/control: DebianMaintainerField
 - debian/control, debian/rules: Disable a few build dependencies and
   accompanying binary packages which we do not want to support in main:
   + firebird2-dev/php5-interbase (we have a separate php-interbase source)
   + libc-client-dev/php5-imap (we have a separate php-imap source)
   + libmcrypt-dev/php5-mcrypt (separate php-mcrypt source)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/php5
This branch contains Public information 
Everyone can see this information.
