[UVF Exception] Sync php4 4.4.4 from Debian unstable

Bug #65266 reported by Michael Bienia
Affects: php4 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Adam Conrad
Milestone: (none listed)

Bug Description

Reason:

Excerpt from the Debian changelog:

   * New upstream release [4.4.4]
     - Added missing safe_mode/open_basedir checks inside the error_log(),
       file_exists(), imap_open() and imap_reopen() functions.
     - Fixed overflows inside str_repeat() and wordwrap() functions on 64bit
       systems.
     - Fixed possible open_basedir/safe_mode bypass in cURL extension.
       (CVE-2006-2563)
     - Fixed overflow in GD extension on invalid GIF images.
     - Fixed a buffer overflow inside sscanf() function. (CVE-2006-4020)
       (Closes: 382261)
     - Fixed memory_limit restriction on 64 bit system.

   * New upstream release [4.4.3]
     - Disallow certain characters in session names. (CVE-2006-3016)
     - Fixed a bug that would allow variable to survive unset().
       (CVE-2006-3017) (Closes: #382259)
     - Fixed a buffer overflow inside the wordwrap() function.
     - Prevent jumps to parent directory via the 2nd parameter of
       the tempnam() function.
     - Improved safe_mode check for the error_log() function.
     - Fixed cross-site scripting inside the phpinfo() function.

Revision history for this message
Michael Bienia (geser) wrote :

diffstat between 4.4.2 and 4.4.4

Revision history for this message
Michael Bienia (geser) wrote :

As php4 (both the new version and the current one in edgy) build-depends on libdb4.3-dev and libdb4.4-dev (both can't be installed at the same time), the package can't be built currently.
I hope this will be resolved before the release.
I will attach a build.log when it can be built again.

Changed in php4:
assignee: nobody → motu-uvf
Revision history for this message
Daniel Holbach (dholbach) wrote :

I asked the PHP master for input.

Changed in php4:
importance: Undecided → Medium
Revision history for this message
Adam Conrad (adconrad) wrote :

I'm probably going to end up rolling apache1.3 back to db4.3 for edgy, which means php4 can't be synced unmodified, so I'll have to upload a slightly mangled version to cope. I do agree with the request for the UVF exception, though, so if dholbach approves it, I'll do the upload.

Revision history for this message
Daniel Holbach (dholbach) wrote :

Absolutely!

Changed in php4:
status: Unconfirmed → Confirmed
assignee: motu-uvf → adconrad
Revision history for this message
Michael Bienia (geser) wrote :

php4 6:4.4.4-8 is in feisty.

Changed in php4:
status: Confirmed → Fix Released