Re: PHP5 status
Hi Markus and Roberto
On Tuesday 12 February 2019 02:13 AM, Markus Koschany wrote:
> Hello,
>
> I noticed that both of you work on PHP5. Please coordinate the next
> upload. We should package version 5.6.40 which will fix all known
> issues. I have contacted security@php.net and they confirmed to me that
> they will assign new CVE numbers shortly.
That was very stupid of me. I was working on CVE-2018-1000888 in
php-pear and this ships via php5 in jessie. I didn't notice php5
already entered dla-needed.txt and I went directly changing php-pear to
php5. Anyway, I release a DLA for my upload.
--abhijith
diff -Nru php5-5.6.39+dfsg/debian/changelog php5-5.6.39+dfsg/debian/changelog
--- php5-5.6.39+dfsg/debian/changelog 2018-12-17 02:58:06.000000000 +0530
+++ php5-5.6.39+dfsg/debian/changelog 2019-02-11 17:49:14.000000000 +0530
@@ -1,3 +1,12 @@
+php5 (5.6.39+dfsg-0+deb8u2) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2018-1000888: CWE-915 vulnerability in the Archive_Tar class
+ of php-pear
+ - Update d/rules to accomodate new patch
+
+ -- Abhijith PA <abhijith@debian.org> Mon, 11 Feb 2019 17:38:14 +0530
+
php5 (5.6.39+dfsg-0+deb8u1) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
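Review bot: typo in the new changelog entry, "accomodate" should be "accommodate" on the line "- Update d/rules to accomodate new patch". Since the entry also names the CWE, it would help readers of the DLA to say in one clause what the fix does (reject phar:// paths in Archive_Tar's filename check) rather than only the CWE number.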
diff -Nru php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch
--- php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch 1970-01-01 05:30:00.000000000 +0530
+++ php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch 2019-02-11 17:32:34.000000000 +0530
@@ -0,0 +1,20 @@
+Origin: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000888
+Bug-Debian: https://bugs.debian.org/919147
+Bug: https://pear.php.net/bugs/bug.php?id=23782
+Author: Abhijith PA <abhijith@debian.org>
+Index: Archive/Tar.php
+===================================================================
+--- a/Archive/Tar.php
++++ b/Archive/Tar.php
+@@ -1767,6 +1767,10 @@ class Archive_Tar extends PEAR
+ */
+ private function _maliciousFilename($file)
+ {
++ if (strpos($file, 'phar://') === 0) {
++ return true;
++ }
++
+ if (strpos($file, '/../') !== false) {
+ return true;
+ }
diff -Nru php5-5.6.39+dfsg/debian/rules php5-5.6.39+dfsg/debian/rules
--- php5-5.6.39+dfsg/debian/rules 2018-12-17 02:58:06.000000000 +0530
+++ php5-5.6.39+dfsg/debian/rules 2019-02-11 17:35:43.000000000 +0530
@@ -279,6 +279,7 @@
$(CURDIR)/pear-build/usr/bin/peardev
sed -i -re "s#('PEAR_CONFIG_SYSCONFDIR', PHP_SYSCONFDIR)#\1 . '/pear'#" $(CURDIR)/pear-build/usr/share/php/PEAR/Config.php
patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-Builder-print-info-about-php5-dev.patch
+ patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-CVE-2018-1000888.patch
touch build-pear-stamp
configure: configure-apache2-stamp configure-apache2filter-stamp configure-cli-stamp configure-phpdbg-stamp configure-embed-stamp configure-fpm-stamp configure-cgi-stamp
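Review bot: the new "patch -s -d ... -i $(CURDIR)/debian/PEAR-CVE-2018-1000888.patch" line applies the security fix to the extracted pear-build tree outside the source package's normal patch series, so it is invisible to the usual patch tooling and to anyone grepping debian/patches for CVE fixes; this matches the existing PEAR-Builder line just above it, so add a short comment in debian/rules stating that PEAR patches are applied here and why. Because "-s" suppresses patch's output, a rejected hunk will only show up as the build failing with no explanation, so consider dropping "-s" for this security patch so the reject is visible in the build log.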