CVE-2008-5557: heap overflows in the mbstring extension

Bug #317672 reported by Mark Lee on 2009-01-15
254
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Undecided
Unassigned
Hardy
Undecided
Unassigned

Bug Description

Binary package hint: php5

See: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5557

The patch in question has been applied in Debian as of 5.2.6.dfsg.1-1, and I have also applied the patch in the php5 source package I maintain in my PPA: <https://launchpad.net/~malept/+archive>

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.6-2ubuntu4.1

---------------
php5 (5.2.6-2ubuntu4.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via crafted font file. (LP: #286851)
    - debian/patches/120-SECURITY-CVE-2008-3658.patch: make sure font->nchars,
      font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
      test script ext/gd/tests/imageloadfont_invalid.phpt.
    - CVE-2008-3658
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via the delimiter argument to the explode function. (LP: #286851)
    - debian/patches/121-SECURITY-CVE-2008-3659.patch: make sure needle_length
      is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
      script ext/standard/tests/strings/explode_bug.phpt.
    - CVE-2008-3659
  * SECURITY UPDATE: denial of service via a request with multiple dots
    preceding the extension. (ex: foo..php) (LP: #286851)
    - debian/patches/122-SECURITY-CVE-2008-3660.patch: improve .. cleaning with
      a new is_valid_path() function in sapi/cgi/cgi_main.c.
    - CVE-2008-3660
  * SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
    string containing HTML entity. (LP: #317672)
    - debian/patches/123-SECURITY-CVE-2008-5557.patch: improve
      mbfl_filt_conv_html_dec_flush() error handling in
      ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
    - CVE-2008-5557
  * SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
    settings.
    - debian/patches/124-SECURITY-CVE-2008-5624.patch: make sure the page_uid
      and page_gid get initialized properly in ext/standard/basic_functions.c.
      Also, init server_context before processing config variables in
      sapi/apache/mod_php5.c.
    - CVE-2008-5624
  * SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
    entry in a .htaccess file.
    - debian/patches/125-SECURITY-CVE-2008-5625.patch: enforce restrictions
      when merging in dir entry in sapi/apache/mod_php5.c and
      sapi/apache2handler/apache_config.c.
    - CVE-2008-5625
  * SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
    file with dot-dot filenames.
    - debian/patches/126-SECURITY-CVE-2008-5658.patch: clean up filename paths
      in ext/zip/php_zip.c with new php_zip_realpath_r(),
      php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
    - CVE-2008-5658

 -- Marc Deslauriers <email address hidden> Mon, 26 Jan 2009 08:43:21 -0500

Changed in php5:
status: New → Fix Released
Thierry Carrez (ttx) on 2009-08-19
Changed in php5 (Ubuntu Hardy):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers