Please unblock php5/5.3.3-3 (Was: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var())

Hi Adam, Moritz,

On Sun, Nov 7, 2010 at 20:20, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> On Thu, 2010-10-28 at 18:24 +0200, Moritz Muehlenhoff wrote:
>> On Wed, Oct 27, 2010 at 11:45:21PM +0200, Ondřej Surý wrote:
>> > Hi Moritz and Adam,
>> >
>> > I have prepared 5.3.3-3 in the git, but I would like to seek
>> > debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
>> > (with prolonged delay to 15 days)... btw thanks for that ...  so
>> > should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
>> > testing and then upload 5.3.3-3 with urgency=high and request an
>> > unblock again?
>> This issue doesn't seem urgent. I would recommend to let 5.3.3-2
>> with the current age-days and followup with the CVE-2010-3710
>> after that.
>> Maybe this would also allow the PHP maintainers to include a final
>> fix for 546164?
> 5.3.3-2 has now migrated to testing.  The upstream fix for CVE-2010-3710
> looks small and sane enough to be included in a -3 upload.

The 5.3.3 with:

   * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large
     amount of data (CVE-2010-3710, Closes: #601619)

was uploaded just now.

> From reading the log for 546164 I'm not sure what the fix would look like, but would
> be prepared to look at fixing it in squeeze.

I have reported this bug upstream, as I was able to reproduce
the symlink attack quite easily and overwrite /etc/passwd (create
download_dir, symlink package.xml to /etc/passwd and ask the root user
to install any package).

There are more directories like that (cache_dir, temp_dir) in PEAR and
it probably needs attention from upstream.

Ondřej Surý <ondrej@sury.org>

