diff -u php5-5.3.2/debian/changelog php5-5.3.2/debian/changelog
--- php5-5.3.2/debian/changelog
+++ php5-5.3.2/debian/changelog
@@ -1,3 +1,21 @@
+php5 (5.3.2-1ubuntu4.25) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
+ - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
+ ext/fileinfo/libmagic/cdf.c.
+ - CVE-2014-0237
+ * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
+ - debian/patches/CVE-2014-0238.patch: fix infinite loop in
+ ext/fileinfo/libmagic/cdf.c.
+ - CVE-2014-0238
+ * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
+ parsing
+ - debian/patches/CVE-2014-4049.patch: check length in
+ ext/standard/dns.c.
+ - CVE-2014-4049
+
+ -- Marc Deslauriers Thu, 19 Jun 2014 13:48:46 -0400
+
 php5 (5.3.2-1ubuntu4.24) lucid-security; urgency=medium
 
 * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
diff -u php5-5.3.2/debian/patches/series php5-5.3.2/debian/patches/series
--- php5-5.3.2/debian/patches/series
+++ php5-5.3.2/debian/patches/series
@@ -119,0 +120,3 @@
+CVE-2014-0237.patch
+CVE-2014-0238.patch
+CVE-2014-4049.patch
only in patch2: unchanged:
--- php5-5.3.2.orig/debian/patches/CVE-2014-0237.patch
+++ php5-5.3.2/debian/patches/CVE-2014-0237.patch
@@ -0,0 +1,50 @@
+Backport of:
+
+From 68ce2d0ea6da79b12a365e375e1c2ce882c77480 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 26 May 2014 17:50:14 -0700
+Subject: [PATCH] Fix bug #67328 (fileinfo: numerous file_printf calls
+ resulting in performance degradation)
+
+Upstream patch: https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
+---
+ ext/fileinfo/libmagic/cdf.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+Index: php5-5.3.10/ext/fileinfo/libmagic/cdf.c
+===================================================================
+--- php5-5.3.10.orig/ext/fileinfo/libmagic/cdf.c 2014-06-19 13:35:13.041422390 -0400
++++ php5-5.3.10/ext/fileinfo/libmagic/cdf.c 2014-06-19 13:36:29.065424426 -0400
+@@ -854,7 +854,7 @@
+ cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi,
+ cdf_property_info_t **info, size_t *count)
+ {
+- size_t i, maxcount;
++ size_t maxcount;
+ const cdf_summary_info_header_t *si = sst->sst_tab;
+ const cdf_section_declaration_t *sd = (const void *)
+ ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET);
+@@ -867,20 +867,13 @@
+ ssi->si_os = CDF_TOLE2(si->si_os);
+ ssi->si_class = si->si_class;
+ cdf_swap_class(&ssi->si_class);
+- ssi->si_count = CDF_TOLE2(si->si_count);
++ ssi->si_count = CDF_TOLE4(si->si_count);
+ *count = 0;
+ maxcount = 0;
+ *info = NULL;
+- for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
+- if (i >= CDF_LOOP_LIMIT) {
+- DPRINTF(("Unpack summary info loop limit"));
+- errno = EFTYPE;
++ if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset), info,
++ count, &maxcount) == -1)
+ return -1;
+- }
+- if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset),
+- info, count, &maxcount) == -1)
+- return -1;
+- }
+ return 0;
+ }
+ 
only in patch2: unchanged:
--- php5-5.3.2.orig/debian/patches/CVE-2014-4049.patch
+++ php5-5.3.2/debian/patches/CVE-2014-4049.patch
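Review bot: In the second inner hunk `ssi->si_count` is still unpacked (now via CDF_TOLE4) but no longer drives anything in this function: only the first section declaration `sd` is handed to cdf_read_property_info and the CDF_LOOP_LIMIT/EFTYPE path is gone, so a one-line comment above the call would stop the next reader from hunting for the removed loop, e.g. `/* only the first section is unpacked; si_count is recorded for the caller and bounds nothing here */`. The change from CDF_TOLE2 to CDF_TOLE4 reads a different width out of the header into si_count, which is correct only if the struct field is 32 bits wide; the hunk does not show the declaration, so this should be confirmed against the header. `CDF_TOLE4(sd->sd_offset)` is passed straight from the stream and is presumably range-checked inside cdf_read_property_info, which is outside the hunk. Note also that the backport's `Index:` and `---`/`+++` lines name php5-5.3.10 while this package is 5.3.2, so applying it relies on quilt offsets or fuzz.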
@@ -0,0 +1,27 @@
+From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
+From: Sara Golemon
+Date: Tue, 10 Jun 2014 11:18:02 -0700
+Subject: [PATCH] Fix potential segfault in dns_get_record()
+
+If the remote sends us a packet with a malformed TXT record,
+we could end up trying to over-consume the packet and wander
+off into overruns.
+---
+ ext/standard/dns.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: php5-5.3.2/ext/standard/dns.c
+===================================================================
+--- php5-5.3.2.orig/ext/standard/dns.c 2014-06-19 13:46:43.657440885 -0400
++++ php5-5.3.2/ext/standard/dns.c 2014-06-19 13:46:43.621440884 -0400
+@@ -497,6 +497,10 @@
+ 
+ while (ll < dlen) {
+ n = cp[ll];
++ if ((ll + n) >= dlen) {
++ // Invalid chunk length, truncate
++ n = dlen - (ll + 1);
++ }
+ memcpy(tp + ll , cp + ll + 1, n);
+ add_next_index_stringl(entries, cp + ll + 1, n, 1);
+ ll = ll + n + 1;
only in patch2: unchanged:
--- php5-5.3.2.orig/debian/patches/CVE-2014-0238.patch
+++ php5-5.3.2/debian/patches/CVE-2014-0238.patch
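Review bot: The added check only makes each chunk length consistent with `dlen`, and `dlen` is itself a value taken from the answer packet; nothing in this hunk shows it compared against the end of the received buffer, so the `cp + ll + 1` reads stay in bounds only if that comparison exists earlier in dns_get_record, which starts and ends outside the hunk. The truncation silently turns a malformed TXT record into a shortened string rather than rejecting it; if the caller can tolerate a failure here, bailing out of the record would make the bad input visible, and either way the arithmetic deserves a note such as `/* ll < dlen holds, so this is >= 0 and is 0 when the length byte is the last byte */` next to `n = dlen - (ll + 1);`. The `//` comment is the only C99-style comment visible in the hunk; if dns.c otherwise uses `/* */`, `/* Invalid chunk length, truncate */` keeps the file consistent.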
@@ -0,0 +1,38 @@
+Backport of:
+
+From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 26 May 2014 17:42:18 -0700
+Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
+
+Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
+---
+ ext/fileinfo/libmagic/cdf.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+Index: php5-5.3.10/ext/fileinfo/libmagic/cdf.c
+===================================================================
+--- php5-5.3.10.orig/ext/fileinfo/libmagic/cdf.c 2014-06-19 13:37:28.761426025 -0400
++++ php5-5.3.10/ext/fileinfo/libmagic/cdf.c 2014-06-19 13:38:40.381427943 -0400
+@@ -760,6 +760,10 @@
+ inp[i].pi_type, (const char *)q - (const char *)p));
+ if (inp[i].pi_type & CDF_VECTOR) {
+ nelements = CDF_TOLE4(q[1]);
++ if (nelements == 0) {
++ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++ goto out;
++ }
+ o = 2;
+ } else {
+ nelements = 1;
+@@ -815,7 +819,9 @@
+ inp = *info + nelem;
+ }
+ DPRINTF(("nelements = %d\n", nelements));
+- for (j = 0; j < nelements; j++, i++) {
++ for (j = 0; j < nelements && i < sh.sh_properties;
++ j++, i++)
++ {
+ uint32_t l = CDF_TOLE4(q[o]);
+ inp[i].pi_str.s_len = l;
+ inp[i].pi_str.s_buf = (const char *)(&q[o+1]);
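Review bot: The `nelements == 0` guard and the `i < sh.sh_properties` term in the second inner hunk stop the loop from spinning and from writing `inp[]` past the declared property count, but `nelements` remains an arbitrary 32-bit value from the stream and each iteration still reads `q[o]` with `o` advanced by input-derived lengths; whether `o` is checked against the end of the stream before those reads is not visible here, so this should be treated as the loop fix it claims to be and not as a bounds fix for the reads (the upstream file(1) commit named in the header is the reference to compare against). `goto out` presumably lands on the error path that releases `*info`, which is worth confirming since `out:` is outside the hunk. The new loop bound also deserves a comment so it is not "simplified" away later, e.g. `/* stop at sh_properties even if the vector claims more elements */`. The opening brace of the rewritten for loop sits on its own line while the neighbouring `if (...) {` lines keep it on the statement, which is a small inconsistency with the surrounding code; cdf_read_property_info begins and ends outside both inner hunks.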