
Re: PHP5 status



Hi Markus and Roberto

On Tuesday 12 February 2019 02:13 AM, Markus Koschany wrote:
> Hello,
> 
> I noticed that both of you work on PHP5. Please coordinate the next
> upload. We should package version 5.6.40 which will fix all known
> issues. I have contacted security@php.net and they confirmed to me that
> they will assign new CVE numbers shortly.

That was very stupid of me. I was working on CVE-2018-1000888 in
php-pear, and this ships via php5 in jessie. I didn't notice php5 had
already entered dla-needed.txt and I went directly to changing php-pear to
php5. Anyway, I will release the DLA for my upload.

--abhijith
diff -Nru php5-5.6.39+dfsg/debian/changelog php5-5.6.39+dfsg/debian/changelog
--- php5-5.6.39+dfsg/debian/changelog	2018-12-17 02:58:06.000000000 +0530
+++ php5-5.6.39+dfsg/debian/changelog	2019-02-11 17:49:14.000000000 +0530
@@ -1,3 +1,12 @@
+php5 (5.6.39+dfsg-0+deb8u2) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2018-1000888: CWE-915 vulnerability in the Archive_Tar class
+    of php-pear
+    - Update d/rules to accomodate new patch 
+
+ -- Abhijith PA <abhijith@debian.org>  Mon, 11 Feb 2019 17:38:14 +0530
+
 php5 (5.6.39+dfsg-0+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS Team.
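Review bot: the new changelog entry has a spelling error and trailing whitespace in the `- Update d/rules to accomodate new patch ` line; please change it to `- Update d/rules to accommodate new patch` before upload, since the changelog text is what ends up in the DLA announcement. The wording "CWE-915 vulnerability in the Archive_Tar class of php-pear" could also state what the fix does (rejecting `phar://` filenames in `_maliciousFilename()`) so the entry is useful on its own; the "Non-maintainer upload by the Debian LTS Team." phrasing differs slightly from the previous entry's "LTS Team", either is fine but consistency helps.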
diff -Nru php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch
--- php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch	1970-01-01 05:30:00.000000000 +0530
+++ php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch	2019-02-11 17:32:34.000000000 +0530
@@ -0,0 +1,20 @@
+Origin: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000888
+Bug-Debian: https://bugs.debian.org/919147
+Bug: https://pear.php.net/bugs/bug.php?id=23782
+Author: Abhijith PA <abhijith@debian.org>
+Index: Archive/Tar.php
+===================================================================
+--- a/Archive/Tar.php
++++ b/Archive/Tar.php
+@@ -1767,6 +1767,10 @@ class Archive_Tar extends PEAR
+      */
+     private function _maliciousFilename($file)
+     {
++        if (strpos($file, 'phar://') === 0) {
++            return true;
++        }
++
+         if (strpos($file, '/../') !== false) {
+             return true;
+         }
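Review bot: the added check `if (strpos($file, 'phar://') === 0)` is case-sensitive, while PHP matches stream wrapper scheme names case-insensitively, so the prefix test is narrower than the parsing it is meant to guard; if the goal is to make sure no wrapper is ever reached, a case-insensitive test (`stripos($file, 'phar://') === 0`) or, more robustly, rejecting any entry whose name contains `://` would match PHP's behaviour rather than one spelling of it. This mirrors the upstream commit named in `Origin:`, so deviating from it should be noted in the patch header; on that header, DEP-3 expects `Author:`/`From:` to name the person who wrote the change (the upstream committer), with the Debian packager recorded in the changelog, so `Author: Abhijith PA` here is misleading when `Origin:` points at the upstream commit. The `Index:` line is harmless but redundant with the `---`/`+++` headers when applied with `-p1`.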
diff -Nru php5-5.6.39+dfsg/debian/rules php5-5.6.39+dfsg/debian/rules
--- php5-5.6.39+dfsg/debian/rules	2018-12-17 02:58:06.000000000 +0530
+++ php5-5.6.39+dfsg/debian/rules	2019-02-11 17:35:43.000000000 +0530
@@ -279,6 +279,7 @@
 	       $(CURDIR)/pear-build/usr/bin/peardev
 	sed -i -re "s#('PEAR_CONFIG_SYSCONFDIR', PHP_SYSCONFDIR)#\1 . '/pear'#" $(CURDIR)/pear-build/usr/share/php/PEAR/Config.php
 	patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-Builder-print-info-about-php5-dev.patch
+	patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-CVE-2018-1000888.patch
 	touch build-pear-stamp
 
 configure: configure-apache2-stamp configure-apache2filter-stamp configure-cli-stamp configure-phpdbg-stamp configure-embed-stamp configure-fpm-stamp configure-cgi-stamp
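Review bot: applying the fix with `patch -s -d ... -p1 -i ...` at build time follows the existing `PEAR-Builder-print-info-about-php5-dev.patch` convention, but it means the change is not a quilt series entry, so `dpkg-source` will not validate it and a future pear refresh that makes the hunk no longer apply will only surface as a `make` failure with no diagnostic output because of `-s`. Consider dropping `-s` (or adding `--verbose` to this one invocation) so a rejected hunk is visible in the build log, and confirm after the build that `pear-build/usr/share/php/Archive/Tar.php` actually contains the `phar://` check, since nothing else in the rules file asserts that.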
