CVE-2008-5557: heap overflows in the mbstring extension
Bug #317672 reported by Mark Lee
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php5 (Ubuntu) | Fix Released | Undecided | Unassigned |
Hardy | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: php5
See: http://
The patch in question has been applied in Debian as of 5.2.6.dfsg.1-1, and I have also applied the patch in the php5 source package I maintain in my PPA: <https:/
Changed in php5 (Ubuntu Hardy):
status: New → Fix Released
This bug was fixed in the package php5 - 5.2.6-2ubuntu4.1
---------------
php5 (5.2.6-2ubuntu4.1) intrepid-security; urgency=low
* SECURITY UPDATE: denial of service and possible arbitrary code execution
via crafted font file. (LP: #286851)
- debian/patches/120-SECURITY-CVE-2008-3658.patch: make sure font->nchars,
font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
test script ext/gd/tests/imageloadfont_invalid.phpt.
- CVE-2008-3658
* SECURITY UPDATE: denial of service and possible arbitrary code execution
via the delimiter argument to the explode function. (LP: #286851)
- debian/patches/121-SECURITY-CVE-2008-3659.patch: make sure needle_length
is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
script ext/standard/tests/strings/explode_bug.phpt.
- CVE-2008-3659
* SECURITY UPDATE: denial of service via a request with multiple dots
preceding the extension. (ex: foo..php) (LP: #286851)
- debian/patches/122-SECURITY-CVE-2008-3660.patch: improve .. cleaning with
a new is_valid_path() function in sapi/cgi/cgi_main.c.
- CVE-2008-3660
* SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
string containing HTML entity. (LP: #317672)
- debian/patches/123-SECURITY-CVE-2008-5557.patch: improve
mbfl_filt_conv_html_dec_flush() error handling in
ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
- CVE-2008-5557
* SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
settings.
- debian/patches/124-SECURITY-CVE-2008-5624.patch: make sure the page_uid
and page_gid get initialized properly in ext/standard/basic_functions.c.
Also, init server_context before processing config variables in
sapi/apache/mod_php5.c.
- CVE-2008-5624
* SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
entry in a .htaccess file.
- debian/patches/125-SECURITY-CVE-2008-5625.patch: enforce restrictions
when merging in dir entry in sapi/apache/mod_php5.c and
sapi/apache2handler/apache_config.c.
- CVE-2008-5625
* SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
file with dot-dot filenames.
- debian/patches/126-SECURITY-CVE-2008-5658.patch: clean up filename paths
in ext/zip/php_zip.c with new php_zip_realpath_r(),
php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
- CVE-2008-5658
-- Marc Deslauriers <email address hidden> Mon, 26 Jan 2009 08:43:21 -0500