Please unblock php5/5.3.3-3 (Was: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var())
Hi Adam, Moritz,
On Sun, Nov 7, 2010 at 20:20, Adam D. Barratt <email@example.com> wrote:
> On Thu, 2010-10-28 at 18:24 +0200, Moritz Muehlenhoff wrote:
>> On Wed, Oct 27, 2010 at 11:45:21PM +0200, Ond??ej Surý wrote:
>> > Hi Moritz and Adam,
>> > I have prepared 5.3.3-3 in the git, but I would like to seek
>> > debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
>> > (with prolonged delay to 15 days)... btw thanks for that ... so
>> > should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
>> > testing and then upload 5.3.3-3 with urgency=high and request an
>> > unblock again?
>> This issue doesn't seem urgent. I would recommend to let 5.3.3-2
>> with the current age-days and followup with the CVE-2010-3710
>> after that.
>> Maybe this would also allow the PHP maintainers to include a final
>> fix for 546164?
> 5.3.3-2 has now migrated to testing. The upstream fix for CVE-2010-3710
> looks small and sane enough to be included in a -3 upload.
The 5.3.3 with:
* Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large
amount of data (CVE-2010-3710, Closes: #601619)
was uploaded just now.
> From reading the log for 546164 I'm not sure what the fix would look like, but would
> be prepared to look at fixing it in squeeze.
I have reported this bug to the upstream as I was able to reproduce
the symlink attack quite easily and overwrite /etc/passwd (create
download_dir, symlink package.xml to /etc/passwd and asking root user
to install any package).
There are more directories like that (cache_dir, temp_dir) in PEAR and
it probably needs an attention from upstream.
Ondřej Surý <firstname.lastname@example.org>