
Re: RFC - please test php5 (5.4.45-0+deb7u7), ready for upload



As I've not received any feedback on the below RFC, I intend to make the
upload in ~12 hours.

Regards,

-Roberto

On Fri, Feb 03, 2017 at 06:57:13PM -0500, Roberto C. Sánchez wrote:
> Greetings all,
> 
> I have finished preparing an LTS upload of php5 (5.4.45-0+deb7u7) and
> your assistance with testing these packages before upload would be most
> welcome.  Please try these out and let me know if you encounter any
> issues.
> 
> Here are the relevant links:
> 
> .changes file:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.changes
> 
> build log:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.build
> 
> source:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7.dsc
> 
> debdiff against previous version:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u6_5.4.45-0+deb7u7.diff
> 
> Here is the advisory text I plan to publish after the upload:
> 
> **********************************************************************
> *DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT*
> **********************************************************************
> 
> Package        : php5
> Version        : 5.4.45-0+deb7u7
> CVE ID         : CVE-2016-2554 CVE-2016-3141 CVE-2016-3142 CVE-2016-4342
>                  CVE-2016-9934 CVE-2016-9935 CVE-2016-10158
>                  CVE-2016-10159 CVE-2016-10160 CVE-2016-10161
> PHP-Bugs       : 71323 70979 71039 71459 71391 71335
> 
> 
> Several issues have been discovered in PHP (recursive acronym for PHP:
> Hypertext Preprocessor), a widely-used open source general-purpose
> scripting language that is especially suited for web development and can
> be embedded into HTML.
> 
>   * CVE-2016-2554
>     Stack-based buffer overflow in ext/phar/tar.c allows remote
>     attackers to cause a denial of service (application crash) or
>     possibly have unspecified other impact via a crafted TAR archive.
>   * CVE-2016-3141
>     Use-after-free vulnerability in wddx.c in the WDDX extension allows
>     remote attackers to cause a denial of service (memory corruption and
>     application crash) or possibly have unspecified other impact by
>     triggering a wddx_deserialize call on XML data containing a crafted
>     var element.
>   * CVE-2016-3142
>     The phar_parse_zipfile function in zip.c in the PHAR extension in
>     PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to
>     obtain sensitive information from process memory or cause a denial
>     of service (out-of-bounds read and application crash) by placing a
>     PK\x05\x06 signature at an invalid location.
>   * CVE-2016-4342
>     ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18,
>     and 7.x before 7.0.3 mishandles zero-length uncompressed data, which
>     allows remote attackers to cause a denial of service (heap memory
>     corruption) or possibly have unspecified other impact via a crafted
>     (1) TAR, (2) ZIP, or (3) PHAR archive.
>   * CVE-2016-9934
>     ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows
>     remote attackers to cause a denial of service (NULL pointer
>     dereference) via crafted serialized data in a wddxPacket XML
>     document, as demonstrated by a PDORow string.
>   * CVE-2016-9935
>     The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
>     5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a
>     denial of service (out-of-bounds read and memory corruption) or
>     possibly have unspecified other impact via an empty boolean element
>     in a wddxPacket XML document.
>   * CVE-2016-10158
>     The exif_convert_any_to_int function in ext/exif/exif.c in PHP
>     before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows
>     remote attackers to cause a denial of service (application crash)
>     via crafted EXIF data that triggers an attempt to divide the minimum
>     representable negative integer by -1.
>   * CVE-2016-10159
>     Integer overflow in the phar_parse_pharfile function in
>     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
>     remote attackers to cause a denial of service (memory consumption or
>     application crash) via a truncated manifest entry in a PHAR archive.
>   * CVE-2016-10160
>     Off-by-one error in the phar_parse_pharfile function in
>     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
>     remote attackers to cause a denial of service (memory corruption) or
>     possibly execute arbitrary code via a crafted PHAR archive with an
>     alias mismatch.
>   * CVE-2016-10161
>     The object_common1 function in ext/standard/var_unserializer.c in
>     PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1
>     allows remote attackers to cause a denial of service (buffer
>     over-read and application crash) via crafted serialized data that is
>     mishandled in a finish_nested_data call.
>   * BUG-71323.patch
>     Output of stream_get_meta_data can be falsified by its input
>   * BUG-70979.patch
>     Crash on bad SOAP request
>   * BUG-71039.patch
>     exec functions ignore length but look for NULL termination
>   * BUG-71459.patch
>     Integer overflow in iptcembed()
>   * BUG-71391.patch
>     NULL Pointer Dereference in phar_tar_setupmetadata()
>   * BUG-71335.patch
>     Type confusion vulnerability in WDDX packet deserialization
> 
> 
> For Debian 7 "Wheezy", these problems have been fixed in version
> 5.4.45-0+deb7u7.
> 
> We recommend that you upgrade your php5 packages.
> 
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
> 
> **********************************************************************
> *DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT*
> **********************************************************************
> 
> -- 
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com



-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com