Hi,

On Sat, 20 Dec 2008, Patrick Matthäi wrote:
> I had a look in your package and this gives me a headache:
>
>   php-geoip (1.0.5-1) unstable; urgency=low
>     * New upstream release. Fix security issue:
>       + formatting bug in phpinfo()
>
> From the upstream changelog:
>
>   * Small bug in phpinfo() when printing version number could crash PHP.
>
> So a local/remote attacker could crash PHP (also the webserver?) by just
> using phpinfo()? I CCed the security team; this fix should also go into
> Lenny and your urgency should be bumped to something higher than low.
This is more a normal bug than a security issue.

But looking at the diff between 1.0.3 and 1.0.5 and at http://cvs.php.net/viewvc.cgi/pecl/geoip/geoip.c?r1=1.21&r2=1.22, it seems the crash bug was only introduced in 1.0.4, which was never released. So there is nothing to fix in lenny.
But thanks for the notice, anyway. Cheers, Stefan