Re: RFS: php-geoip (updated package)

To: Patrick Matthäi <patrick.matthaei@web.de>
Cc: Sergey B Kirpichev <skirpichev@gmail.com>, team@security.debian.org, debian-mentors@lists.debian.org
Subject: Re: RFS: php-geoip (updated package)
From: Stefan Fritsch <sf@sfritsch.de>
Date: Thu, 25 Dec 2008 19:08:25 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.64.0812251857010.13440@eru.sfritsch.de>
In-reply-to: <[🔎] 494D129F.9040705@web.de>
References: <bLaxa-4bP-1@gated-at.bofh.it> <[🔎] 494D129F.9040705@web.de>

Hi,

On Sat, 20 Dec 2008, Patrick Matthäi wrote:

I had a look in your package and this makes me a headache:

php-geoip (1.0.5-1) unstable; urgency=low

 * New upstream release.  Fix security issue:
   + formatting bug in phpinfo()

From the upstream changelog:

* Small bug in phpinfo() when printing version number could crash PHP.

So on a local/remote attacker could crash PHP (also the webserver?) by
just using phpinfo()?

I CCed the security team and this fix should also go in to Lenny and
your urgency should be bumped to something higher than low.


This is more a normal bug than a security issue.

But looking at the diff between 1.0.3 and 1.0.5 and athttp://cvs.php.net/viewvc.cgi/pecl/geoip/geoip.c?r1=1.21&r2=1.22 , itseems the crash bug was only introduced in 1.0.4, which was neverreleased. So there is nothing to fix in lenny.


But thanks for the notice, anyway.

Cheers,
Stefan

Reply to:

Follow-Ups:
- Re: RFS: php-geoip (updated package)
  - From: Sergey B Kirpichev <skirpichev@gmail.com>

References:
- Re: RFS: php-geoip (updated package)
  - From: Patrick Matthäi <patrick.matthaei@web.de>

Prev by Date: RFS: libjinput-java - portable java joystick and gamepad support
Next by Date: Re: RFS: dekiwiki
Previous by thread: Re: RFS: php-geoip (updated package)
Next by thread: Re: RFS: php-geoip (updated package)
Index(es):
- Date
- Thread