hey folks,

just fyi i'm starting the process of preparing some overdue php updates. i've just uploaded the first and easiest one: php5/lenny. i've tagged and uploaded this to the security upload queue.

following this there will also be php5/etch and php4/etch. i expect these to trickle in over the next couple days, hopefully before wednesday as i'm going on a short VAC. not that any of these are uber critical or anything though.

when we last left off with php5/etch some time ago there was some contention about the invasiveness of some of the patches/fixes. therefore please double check the changes and bring up potential issues if you find them.

sean
Thijs Kinkhorst
2009-Apr-28 09:49 UTC
[Secure-testing-team] [php-maint] php updates, part 1
Hi Sean,

On Sunday 26 April 2009, sean finney wrote:
> just fyi i'm starting the process of preparing some overdue php updates.
> i've just uploaded the first and easiest one: php5/lenny. i've tagged and
> uploaded this to the security upload queue.

Great, it has built for nearly all archs now. Thanks!

> following this there will also be php5/etch and php4/etch. i expect these
> to trickle in over the next couple days, hopefully before wednesday as
> i'm going on a short VAC. not that any of these are uber critical or
> anything though.

Great. I'll release php5 as soon as we have both lenny and etch, php4 can be done separately.

> when we last left off with php5/etch some time ago there was some
> contention about the invasiveness of some of the patches/fixes. therefore
> please double check the changes and bring up potential issues if you find
> them.

I will test your builds on a few places and will let you know if I see any trouble.

thanks,
Thijs
and just a short follow up,

On Tue, Apr 28, 2009 at 11:49:02AM +0200, Thijs Kinkhorst wrote:
> Great. I'll release php5 as soon as we have both lenny and etch, php4 can be
> done separately.

i believe i've managed to get the last couple fixes that need to be done for php5, and this should all be put into git now. i'm gonna sleep on it though and review tomorrow morning before i build/tag/upload. i also don't have an etch system to test this on, so volunteers would be helpful. i don't think any of the patches are too scary besides the zip one, and that one passes the PoC test at least.

> I will test your builds on a few places and will let you know if I see any
> trouble.

awesome.

sean
On Wed, Apr 29, 2009 at 12:23:04AM +0200, sean finney wrote:
> i believe i've managed to get the last couple fixes that need to be done for
> php5, and this should all be put into git now. i'm gonna sleep on it though
> and review tomorrow morning before i build/tag/upload.

i've just tagged/uploaded it. thanks to thijs for catching a stable/oldstable reference mixup at the last minute. for reference, the upload fixes the following issues:

- CVE-2008-5624: proper initialization of uid/gid for apache2 sapi.
- CVE-2008-5557: heap overflows in the mbstring extension.
- CVE-2008-5658: directory traversal in the zip extension.
- CVE-2008-2107/CVE-2008-2108: crypto weaknesses in php_rand module.
- CVE-2009-0754.patch: mbstring.func_overload leakage between vhosts.
- CVE-2008-5814: XSS vulnerability via display_errors.
- (no CVE): file truncation via inifile handler for the dba functions.

*** note one issue is missing (i overlooked it until writing this mail), so there will be yet another upload coming shortly. ***

it also has the following non-security-but-previously-discussed changes:

* Backport the patch from lenny/sid to use the system timezone database instead of the embedded php timezone database which is out of date. Patch: 143-use_embedded_timezonedb.patch (closes: #471104).
* Repack the etch version of php5, stripping out the (unused) dbase module which contained licensing problems (closes: #341420).

the following changes are not addressed:

CVE-2007-4659 low* no
  Description: The zend_alter_ini_entry function in PHP before 5.2.4 does not properly handle an interruption to the flow of execution triggered by a memory_limit violation, which has unknown impact and attack vectors.
  Rationale: no info/proof

CVE-2008-2829 low no
  Description: php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.
  Rationale: impossible to fix without a new version of libc-client-dev

CVE-2009-1271
  Description: The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before ...
  Rationale: i missed this one, it needs to be addressed. we already have a fix in lenny which applies cleanly...

CVE-2009-1272
  Description: The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x ...
  Rationale: does not affect us, as we never took the "broken" fix for CVE-2008-5658
hi everyone,

this will be my final mail on this for a while, as i'll be on VAC in berlin until monday :)

i've just done a second upload catching the extra missed vulnerability, version 5.2.0+dfsg-8+etch15. i've built it with "-sa -v5.2.0-8+etch13" so the changes from 8+etch14 should also be in there, and the upload also includes the orig.tar.gz. i don't know if the orig.tar.gz was needed in the second upload or if it will cause problems. therefore i've also uploaded everything to a temporary area at http://people.debian.org/~seanius/incoming, so if you need to change something and/or re-build/re-upload, you can use what's there.

sean