testing php5 for Wheezy LTS

To: debian-lts@lists.debian.org
Subject: testing php5 for Wheezy LTS
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sat, 28 May 2016 22:50:14 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.02.1605282244020.23968@jupiter.server.alteholz.net>

Hi,

this seems to be the month of testing requests. I uploaded version5.4.45-0+deb7u3 of php5 to:

 https://people.debian.org/~alteholz/packages/wheezy-lts/php5/amd64/
 https://people.debian.org/~alteholz/packages/wheezy-lts/php5/i386/

Please give it a try and tell me about any problems you met. There arestill some CVEs open, they will be fixed in a later upload.


Thanks!
 Thorsten



Changes:
 * CVE-2015-8865.patch
   The file_check_mem function in funcs.c in file before 5.23, as used
   in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20,
   and 7.x before 7.0.5, mishandles continuation-level jumps, which
   allows context-dependent attackers to cause a denial of service
   (buffer overflow and application crash) or possibly execute arbitrary
   code via a crafted magic file.
 * CVE-2015-8866.patch
   libxml_disable_entity_loader setting is shared between threads
   ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when
   PHP-FPM is used, does not isolate each thread from
   libxml_disable_entity_loader changes in other threads, which allows
   remote attackers to conduct XML External Entity (XXE) and XML Entity
   Expansion (XEE) attacks via a crafted XML document, a related issue
   to CVE-2015-5161.
 * CVE-2015-8878.patch
   main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before
   5.6.12 does not ensure thread safety, which allows remote attackers to
   cause a denial of service (race condition and heap memory corruption)
   by leveraging an application that performs many temporary-file accesses.
 * CVE-2015-8879.patch
   The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12
   mishandles driver behavior for SQL_WVARCHAR columns, which allows
   remote attackers to cause a denial of service (application crash) in
   opportunistic circumstances by leveraging use of the odbc_fetch_array
   function to access a certain type of Microsoft SQL Server table.
 * CVE-2016-4070.patch
   Integer overflow in the php_raw_url_encode function in ext/standard/url.c
   in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows
   remote attackers to cause a denial of service (application crash) via a
   long string to the rawurlencode function.
 * CVE-2016-4071.patch
   Format string vulnerability in the php_snmp_error function in
   ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
   before 7.0.5 allows remote attackers to execute arbitrary code via
   format string specifiers in an SNMP::get call.
 * CVE-2016-4072.patch
   The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
   before 7.0.5 allows remote attackers to execute arbitrary code via a
   crafted filename, as demonstrated by mishandling of \0 characters by
   the phar_analyze_path function in ext/phar/phar.c.
 * CVE-2016-4073.patch
   Multiple integer overflows in the mbfl_strcut function in
   ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before
   5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial
   of service (application crash) or possibly execute arbitrary code via
   a crafted mb_strcut call.
 * CVE-2016-4343.patch
   The phar_make_dirstream function in ext/phar/dirstream.c in PHP before
   5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files,
   which allows remote attackers to cause a denial of service
   (uninitialized pointer dereference) or possibly have unspecified other
   impact via a crafted TAR archive.
 * CVE-2016-4537.patch
   The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35,
   5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer
   for the scale argument, which allows remote attackers to cause a
   denial of service or possibly have unspecified other impact via a
   crafted call.
 * CVE-2016-4539.patch
   The xml_parse_into_struct function in ext/xml/xml.c in PHP before
   5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
   attackers to cause a denial of service (buffer under-read and
   segmentation fault) or possibly have unspecified other impact via
   crafted XML data in the second argument, leading to a parser level
   of zero.
 * CVE-2016-4540+4541.patch
   The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c
   in before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows
   remote attackers to cause a denial of service (out-of-bounds read)
   or possibly have unspecified other impact via a negative offset.
 * CVE-2016-4542+4543+4544.patch
   The exif_process_* function in ext/exif/exif.c in PHP before 5.5.35,
   5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes,
   which allows remote attackers to cause a denial of service
   (out-of-bounds read) or possibly have unspecified other impact via
   crafted header data.

Reply to:

Follow-Ups:
- Re: testing php5 for Wheezy LTS
  - From: Joost van Baal-Ilić <joostvb+debian-lts-20160530-2@uvt.nl>

Prev by Date: Re: Debian LTS: uploaded packages to wheezy-security not available
Next by Date: Re: wheezy eglibc packages to test
Previous by thread: Call for testing: upcoming libxml2 security update
Next by thread: Re: testing php5 for Wheezy LTS
Index(es):
- Date
- Thread