[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#609007: marked as done (unblock: php5/5.3.3-7)



Your message dated Thu, 6 Jan 2011 14:18:46 +0100
with message-id <20110106131846.GN2813@radis.liafa.jussieu.fr>
and subject line Re: Bug#609007: unblock: php5/5.3.3-7
has caused the Debian Bug report #609007,
regarding unblock: php5/5.3.3-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
609007: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609007
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Please unblock package php5

New upload fixes one CVE, one remote DoS (infinite loop which will
probably get a CVE as well) and several fixes for segfauls and memory
leaks cherry picked from upstream SVN.

The diffstat looks quite small with exception of
memory-leak-inside-highlight_string because the patched file is
autogenerated and contains lots of:

-#line 1014 "Zend/zend_language_scanner.c"
+#line 1024 "Zend/zend_language_scanner.c"

changes.

Here's the diffstat for php5_5.3.3-6 php5_5.3.3-7

 debian/patches/CVE-2010-4150.patch                                                      |   15 
 debian/patches/do-not-overwrite-GLOBALS-and-this.patch                                  |   43 
 debian/patches/fix-crash-if-aa-steps-are-invalid.patch                                  |   14 
 debian/patches/fix-crash-with-entity-declarations-in-simplexml.patch                    |   41 
 debian/patches/fix-for-NULL-deref-in-zend_language_scanner.patch                        |   13 
 debian/patches/fix-infinite-loop-with-x87-cpu.patch                                     |   24 
 debian/patches/fix-integer-overflow-in-SdnToJulian.patch                                |   90 
 debian/patches/fix-leak-and-possible-crash-introduced-by-the-null-poisoning-patch.patch |   61 
 debian/patches/fix-leaks-and-crash-bug-when-passing-the-callback-as-variable.patch      |   11 
 debian/patches/fix-memory-leak-inside-highlight_string.patch                            | 2571 ++++++++++
 debian/patches/fix-segfault-in-pgsql_stmt_execute-when-postgres-is-down.patch           |   11 
 debian/patches/fix-segfault-when-extending-SplFixedArray.patch                          |   40 
 debian/patches/fix-segfault-when-node-is-NULL-in-simplexml.patch                        |   11 
 debian/patches/fix-segfault-when-using-several-cloned-intl-objects.patch                |  130 
 debian/patches/fix-sqlite3-columnName-segfaults-on-bad-column_number.patch              |   57 
 php5-5.3.3/debian/README.source                                                         |    6 
 php5-5.3.3/debian/changelog                                                             |   25 
 php5-5.3.3/debian/patches/series                                                        |   15 
 18 files changed, 3178 insertions(+)

unblock php5/5.3.3-7

-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick-backports'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
--- Begin Message ---
On Wed, Jan  5, 2011 at 13:15:32 +0100, Ondřej Surý wrote:

> Please unblock package php5
> 
Unblocked, and set urgency so it can migrate after 2 days instead of 10.

> New upload fixes one CVE, one remote DoS (infinite loop which will
> probably get a CVE as well) and several fixes for segfauls and memory

It got CVE-2010-4645.

> leaks cherry picked from upstream SVN.
> 
> The diffstat looks quite small with exception of
> memory-leak-inside-highlight_string because the patched file is
> autogenerated and contains lots of:
> 
> -#line 1014 "Zend/zend_language_scanner.c"
> +#line 1024 "Zend/zend_language_scanner.c"
> 
It's also a bit confusing in that
fix-for-NULL-deref-in-zend_language_scanner.patch changes the lex file
but fix-memory-leak-inside-highlight_string.patch has the corresponding
.c file change (along with the memory leak fix).

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature


--- End Message ---

Reply to: