diff -u php5-5.3.2/debian/changelog php5-5.3.2/debian/changelog --- php5-5.3.2/debian/changelog +++ php5-5.3.2/debian/changelog @@ -1,3 +1,16 @@ +php5 (5.3.2-1ubuntu4.27) lucid-security; urgency=medium + + * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info + - debian/patches/CVE-2014-3587.patch: check for array under-runs as well + as over-runs in ext/fileinfo/libmagic/cdf.c + - CVE-2014-3587 + * SECURITY UPDATE: denial of service in dns_get_record + - debian/patches/CVE-2014-3597.patch: check for DNS overflows in + ext/standard/dns.c + - CVE-2014-3587 + + -- Seth Arnold Wed, 03 Sep 2014 23:27:31 -0700 + php5 (5.3.2-1ubuntu4.26) lucid-security; urgency=medium * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector diff -u php5-5.3.2/debian/patches/series php5-5.3.2/debian/patches/series --- php5-5.3.2/debian/patches/series +++ php5-5.3.2/debian/patches/series @@ -128,0 +129,2 @@ +CVE-2014-3587.patch +CVE-2014-3597.patch only in patch2: unchanged: --- php5-5.3.2.orig/debian/patches/CVE-2014-3587.patch +++ php5-5.3.2/debian/patches/CVE-2014-3587.patch @@ -0,0 +1,18 @@ +From 7ba1409a1aee5925180de546057ddd84ff267947 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 14 Aug 2014 17:19:03 -0700 +Subject: [PATCH] Fix bug #67716 - Segfault in cdf.c + +Index: b/ext/fileinfo/libmagic/cdf.c +=================================================================== +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -759,7 +759,7 @@ + for (i = 0; i < sh.sh_properties; i++) { + q = (const uint32_t *)((const char *)p + + CDF_TOLE4(p[(i << 1) + 1])) - 2; +- if (q > e) { ++ if (q < p || q > e) { + DPRINTF(("Ran of the end %p > %p\n", q, e)); + goto out; + } only in patch2: unchanged: --- php5-5.3.2.orig/debian/patches/CVE-2014-3597.patch +++ php5-5.3.2/debian/patches/CVE-2014-3597.patch 
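Review bot: The dns_get_record bullet in the new changelog entry ends with `- CVE-2014-3587`, but the patch it adds is `debian/patches/CVE-2014-3597.patch` and that patch's own Subject line names CVE-2014-3597, so the entry credits the cdf.c CVE twice and the dns.c CVE never. The CVE tracker and USN tooling parse these bullets, so the second identifier should read `- CVE-2014-3597`. The first entry's identifier is consistent with its patch filename and needs no change.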
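Review bot: The new lower bound on the `if (q < p || q > e)` line stops q from wrapping below the property section, but the guard still admits q == e, and q is the start of a two-word header that the code after the hunk presumably dereferences (that code is outside my view); if so the check needs to cover those reads, e.g. `if (q < p || q + 2 > e)`, sized to whatever the following accesses actually read. The offset fetch `CDF_TOLE4(p[(i << 1) + 1])` that feeds q is itself unbounded within this hunk, so unless sh.sh_properties is capped against the section length earlier in the function, the index read can run past e before the check fires. Forming q from an untrusted offset and only then comparing it is also out-of-object pointer arithmetic in the wrapped case; comparing the offset as an integer against `(size_t)((const char *)e - (const char *)p)` before building the pointer avoids relying on that. The enclosing loop and cdf_read_property_info continue outside the hunk.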
@@ -0,0 +1,266 @@ +Origin: https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05 +From: Remi Collet +Subject: Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597 + +--- + ext/standard/dns.c | 84 +++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 60 insertions(+), 24 deletions(-) + +Index: b/ext/standard/dns.c +=================================================================== +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -402,8 +402,14 @@ + + #if HAVE_FULL_DNS_FUNCS + ++#define CHECKCP(n) do { \ ++ if (cp + n > end) { \ ++ return NULL; \ ++ } \ ++} while (0) ++ + /* {{{ php_parserr */ +-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray) ++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray) + { + u_short type, class, dlen; + u_long ttl; +@@ -415,16 +421,18 @@ + + *subarray = NULL; + +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); + if (n < 0) { + return NULL; + } + cp += n; + ++ CHECKCP(10); + GETSHORT(type, cp); + GETSHORT(class, cp); + GETLONG(ttl, cp); + GETSHORT(dlen, cp); ++ CHECKCP(dlen); + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -441,12 +449,14 @@ + add_assoc_string(*subarray, "host", name, 1); + switch (type) { + case DNS_T_A: ++ CHECKCP(4); + add_assoc_string(*subarray, "type", "A", 1); + snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); + add_assoc_string(*subarray, "ip", name, 1); + cp += dlen; + break; + case DNS_T_MX: ++ CHECKCP(2); + add_assoc_string(*subarray, "type", "MX", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -465,7 +475,7 @@ + if (type == DNS_T_PTR) { + add_assoc_string(*subarray, "type", "PTR", 1); + } +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 
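Review bot: `CHECKCP(n)` forms `cp + n` before comparing, so with an attacker-supplied `dlen` or string length close to 65535 the sum can land well past the 64 KiB answer buffer before the `> end` test runs; that is out-of-object pointer arithmetic the optimizer is entitled to reason about, and the subtraction form avoids it. The macro also expands its argument unparenthesized, which the `5*4` and `8*2` call sites happen to survive. I would write it as `#define CHECKCP(n) do { if ((n) > end - cp) return NULL; } while (0)`, which relies on `cp <= end` holding on entry — true given the callers' `cp < end` loop guard and dn_expand now being bounded by `end`. Note that the macro only ever checks against the answer end, never against the record's own `dlen`.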
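Review bot: `CHECKCP(dlen)` after `GETSHORT(dlen, cp)` proves the RDATA fits inside the answer, but that bound is never carried forward: every later check in the type switch compares against `end`, so a record whose internal length bytes (HINFO, TXT, NAPTR) exceed its own RDATA reads the next RR's bytes and returns a `cp` that is out of step with it — a parser desync rather than an overflow, since the `end` checks still hold. Capturing the boundary here with `u_char *rr_end = cp + dlen;` and having the per-type checks use it, or at least finishing the switch with `cp = rr_end;`, would keep the walk aligned. `CHECKCP(10)` correctly covers the 2+2+4+2 bytes consumed by the four GET macros. php_parserr continues beyond this hunk.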
2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -475,18 +485,22 @@ + case DNS_T_HINFO: + /* See RFC 1010 for values */ + add_assoc_string(*subarray, "type", "HINFO", 1); ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1); + cp += n; ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "os", (char*)cp, n, 1); + cp += n; + break; + case DNS_T_TXT: + { +- int ll = 0; ++ int l1 = 0, l2 = 0; + zval *entries = NULL; + + add_assoc_string(*subarray, "type", "TXT", 1); +@@ -495,37 +509,41 @@ + MAKE_STD_ZVAL(entries); + array_init(entries); + +- while (ll < dlen) { +- n = cp[ll]; +- if ((ll + n) >= dlen) { ++ while (l1 < dlen) { ++ n = cp[l1]; ++ if ((l1 + n) >= dlen) { + // Invalid chunk length, truncate +- n = dlen - (ll + 1); ++ n = dlen - (l1 + 1); ++ } ++ if (n) { ++ memcpy(tp + l2 , cp + l1 + 1, n); ++ add_next_index_stringl(entries, cp + l1 + 1, n, 1); + } +- memcpy(tp + ll , cp + ll + 1, n); +- add_next_index_stringl(entries, cp + ll + 1, n, 1); +- ll = ll + n + 1; ++ l1 = l1 + n + 1; ++ l2 = l2 + n; + } +- tp[dlen] = '\0'; ++ tp[l2] = '\0'; + cp += dlen; + +- add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0); ++ add_assoc_stringl(*subarray, "txt", tp, l2, 0); + add_assoc_zval(*subarray, "entries", entries); + } + break; + case DNS_T_SOA: + add_assoc_string(*subarray, "type", "SOA", 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "mname", name, 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "rname", name, 1); ++ CHECKCP(5*4); + GETLONG(n, cp); + add_assoc_long(*subarray, 
"serial", n); + GETLONG(n, cp); +@@ -539,6 +557,7 @@ + break; + case DNS_T_AAAA: + tp = (u_char*)name; ++ CHECKCP(8*2); + for(i=0; i < 8; i++) { + GETSHORT(s, cp); + if (s != 0) { +@@ -573,6 +592,7 @@ + case DNS_T_A6: + p = cp; + add_assoc_string(*subarray, "type", "A6", 1); ++ CHECKCP(1); + n = ((int)cp[0]) & 0xFF; + cp++; + add_assoc_long(*subarray, "masklen", n); +@@ -608,6 +628,7 @@ + cp++; + } + for (i = (n + 8) / 16; i < 8; i++) { ++ CHECKCP(2); + GETSHORT(s, cp); + if (s != 0) { + if (tp > (u_char *)name) { +@@ -637,7 +658,7 @@ + tp[0] = '\0'; + add_assoc_string(*subarray, "ipv6", name, 1); + if (cp < p + dlen) { +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -646,6 +667,7 @@ + } + break; + case DNS_T_SRV: ++ CHECKCP(3*2); + add_assoc_string(*subarray, "type", "SRV", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -653,7 +675,7 @@ + add_assoc_long(*subarray, "weight", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "port", n); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -661,21 +683,35 @@ + add_assoc_string(*subarray, "target", name, 1); + break; + case DNS_T_NAPTR: ++ CHECKCP(2*2); + add_assoc_string(*subarray, "type", "NAPTR", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "order", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pref", n); ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 
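Review bot: `CHECKCP(1)` now covers the masklen byte read into `n`, but the A6 code that follows between this hunk and the next (outside my view) reads a partial-short byte from `cp[0]` whenever `n % 16 > 8`, and nothing in this patch guards that read — the only other A6 guard added is the `CHECKCP(2)` inside the trailing GETSHORT loop. If that code matches upstream dns.c, it needs its own `CHECKCP(1);` immediately before the `cp[0]` access. The DNS_T_A6 case begins in this hunk and continues past it.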
0xFF); +- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1); + cp += n; +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -842,7 +878,7 @@ + while (an-- && cp && cp < end) { + zval *retval; + +- cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval); ++ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval); + if (retval != NULL && store_results) { + add_next_index_zval(return_value, retval); + } +@@ -855,7 +891,7 @@ + while (ns-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval); + if (retval != NULL) { + add_next_index_zval(authns, retval); + } +@@ -867,7 +903,7 @@ + while (ar-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval); + if (retval != NULL) { + add_next_index_zval(addtl, retval); + }