Ubuntu
php5 package

[SRU] Crash on using unitialized vals and __get/__set

  1. Hardy (8.04)
  2. Bug #515740
Bug #515740 reported by Pontiy_Pilat
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Fix Released
Low
Unassigned
Hardy
Won't Fix
Low
Unassigned
Karmic
Won't Fix
Undecided
Unassigned

Bug Description

Binary package hint: php5

Reproduce code:
---------------
<?php
class Foo {
 function __get($k) {
  return null;
 }
 function __set($k, $v) {
  $this->$k = $v;
 }
}

$c = new Foo();

$c->arr[0]["k"] = 1;
$c->arr[0]["k2"] = $ref;
for($cnt=0;$cnt<6;$cnt++) {
 $ref = chop($undef);
 $c->arr[$cnt]["k2"] = $ref;
}
?>

http://bugs.php.net/bug.php?id=43201

Segmentation fault

Fixed in php 5.2.6

Related branches

lp:~zulcss/ubuntu/hardy/php5/php5-sru-515740
On hold for merging into lp:ubuntu/hardy/php5
Ubuntu Server: Pending requested
Diff: 8772 lines (+8537/-11)
42 files modified
debian/changelog (+234/-0)
debian/patches/043-recode_size_t.patch (+10/-10)
debian/patches/119-sybase-alias.patch (+41/-0)
debian/patches/120_SECURITY_CVE-2007-5900.patch (+145/-0)
debian/patches/121_SECURITY_CVE-2008-3658.patch (+64/-0)
debian/patches/122_SECURITY_CVE-2008-3659.patch (+40/-0)
debian/patches/123_SECURITY_CVE-2008-3660.patch (+83/-0)
debian/patches/124_SECURITY_CVE-2008-5557.patch (+47/-0)
debian/patches/125_SECURITY_CVE-2008-5624.patch (+48/-0)
debian/patches/126_SECURITY_CVE-2008-5625.patch (+92/-0)
debian/patches/127_SECURITY_CVE-2008-5658.patch (+360/-0)
debian/patches/128_SECURITY_CVE-2008-5814.patch (+22/-0)
debian/patches/129_SECURITY_CVE-2009-0754.patch (+27/-0)
debian/patches/130_SECURITY_CVE-2009-1271.patch (+50/-0)
debian/patches/131_SECURITY_CVE-2009-2687.patch (+20/-0)
debian/patches/CVE-2008-7068.patch (+18/-0)
debian/patches/CVE-2009-2626.patch (+44/-0)
debian/patches/CVE-2009-3291.patch (+36/-0)
debian/patches/CVE-2009-3292.patch (+71/-0)
debian/patches/CVE-2009-3557.patch (+17/-0)
debian/patches/CVE-2009-3558.patch (+16/-0)
debian/patches/CVE-2009-4017.patch (+59/-0)
debian/patches/CVE-2009-4018.patch (+50/-0)
debian/patches/CVE-2009-4142.patch (+4493/-0)
debian/patches/CVE-2009-4143.patch (+30/-0)
debian/patches/SECURITY_CVE-2007-4782.patch (+15/-0)
debian/patches/SECURITY_CVE-2007-4850.patch (+13/-0)
debian/patches/SECURITY_CVE-2007-5898.patch (+155/-0)
debian/patches/SECURITY_CVE-2007-5899.patch (+104/-0)
debian/patches/SECURITY_CVE-2008-0599.patch (+13/-0)
debian/patches/SECURITY_CVE-2008-1384.patch (+32/-0)
debian/patches/SECURITY_CVE-2008-2050.patch (+23/-0)
debian/patches/SECURITY_CVE-2008-2051.patch (+65/-0)
debian/patches/SECURITY_CVE-2008-2107+2108.patch (+12/-0)
debian/patches/SECURITY_CVE-2008-2371.patch (+12/-0)
debian/patches/SECURITY_CVE-2008-2829.patch (+80/-0)
debian/patches/backport-upstream-43201.patch (+1084/-0)
debian/patches/fix-xmlrpc-datetime.patch (+78/-0)
debian/patches/security526-pcre_compile.patch (+39/-0)
debian/patches/series (+38/-0)
debian/patches/use_embedded_timezonedb.patch (+655/-0)
debian/rules (+2/-1)
Revision history for this message
Chuck Short (zulcss) wrote :

Which version of php are you using?

Regards
chuck

Changed in php5 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Revision history for this message
Pontiy_Pilat (p-p) wrote :

Hardy LTS
5.2.4-2ubuntu5.10

Revision history for this message
Chuck Short (zulcss) wrote :

I am not able to reproduce this in lucid. This is probably a good candidate for an SRU though.

Regards
chuck

Changed in php5 (Ubuntu):
status: Incomplete → Fix Released
Mathias Gug (mathiaz)
Changed in php5 (Ubuntu Karmic):
status: New → Won't Fix
Changed in php5 (Ubuntu Hardy):
importance: Undecided → Wishlist
importance: Wishlist → Low
status: New → Confirmed
Revision history for this message
Chuck Short (zulcss) wrote :

Statement of Impact: PHP in hardy was shipped with a bug that if the user provides code modifying the result of __get (erroneously) and using undefined variables causes code to crash.

http://bugs.php.net/bug.php?id=43201

Addressed:

Fixed in php 5.2.12/5.3 I have backported the patch for hardy.

How to Reproduce: Run the code that was previously provided.

Regression potential: none.

summary: - Crash on using unitialized vals and __get/__set
+ [SRU] Crash on using unitialized vals and __get/__set
Revision history for this message
Martin Pitt (pitti) wrote :

I do not accept this update until bug 240519 gets verified. Since that one seems pretty much dead, it might be that we need to revert it, and reupload this fix without the 240519 change.

Revision history for this message
Jonathan Riddell (jr) wrote :

Rejecting upload in hardy-proposed as discussed on irc with zul

Revision history for this message
Rolf Leggewie (r0lf) wrote :

Hardy has seen the end of its life and is no longer receiving any updates. Marking the Hardy task for this ticket as "Won't Fix".

Changed in php5 (Ubuntu Hardy):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.