Comment 27 for bug 227464

This has been addressed in Intrepid by updating to PHP 5 here: https://launchpad.net/ubuntu/intrepid/+source/php5/5.2.6-1ubuntu1
Minimal patch above in this post https://bugs.launchpad.net/ubuntu/+source/php5/+bug/227464/comments/15
Re: test cases: I've not yet seen widely published exploit code, and I'm not about to change that.
Regression potential:
  It is vaguely possible the escapeshellcmd() change could have unintended affects, but extremely unlikely due to the limited use case
    of the function combined with necessity of using illegal characters in a multi-byte character set. The patches have also been widely tested at this point.
  The rest are pure bug fixes with infinitesimally low chance of side effects.