Re: [SECURITY] [DSA 1789-1] New php5 packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 4 May 2009 22:57:57 +0200 (CEST),
Thijs Kinkhorst <thijs@debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1789-1                  security@debian.org
> http://www.debian.org/security/                          Thijs Kinkhorst
> May 04, 2009                          http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : php5
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE Id(s) : CVE-2008-2107 CVE-2008-2108 CVE-2008-5557
> CVE-2008-5624 CVE-2008-5658 CVE-2008-5814 CVE-2009-0754 CVE-2009-1271
> Debian Bugs : 507101 507857 508021 511493 523028 523049
>
> Several remote vulnerabilities have been discovered in the PHP 5
> hypertext preprocessor. The Common Vulnerabilities and Exposures
> project identifies the following problems.
>
> The following four vulnerabilities have already been fixed in the
> stable (lenny) version of php5 prior to the release of lenny. This
> update now addresses them for etch (oldstable) as well:
>
>
> CVE-2008-5658
>
> Directory traversal vulnerability in the ZipArchive::extractTo
> function allows attackers to write arbitrary files via a ZIP file
> with a file whose name contains .. (dot dot) sequences.
>
Hi,
It seems that there were some side effects. Since the upgrade we have had
PHP crashes with:
*** glibc detected *** double free or corruption (fasttop): 0x08718200 ***
The crash occurs inside the extractTo function; please tell me if you
need any additional information.
Regards
Sébastien
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoBUPYACgkQd0QYNjAhJByo1ACfXa19m4icUAwVhtUd+/M+Z7J5
r+QAnRCLhvY1tfcsSqfKiXAW/OAEvXGn
=ThD4
-----END PGP SIGNATURE-----
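The CVE-2008-5658 entry quoted above describes ZipArchive::extractTo writing outside the target directory when an archive entry name contains ".." segments. The following is an added example, not code from the advisory, from Debian's php5 package or from this thread: an application-level guard that vets every entry name before extractTo is called, so the check holds even on a PHP build that predates the fix. It assumes the ZipArchive extension is loaded; the function names and the constructed demo archive are hypothetical.

```php
<?php
// Added example (not from the advisory or Debian's php5 package): refuse
// ZIP entry names that could escape the extraction directory, the class of
// bug described in CVE-2008-5658, before ZipArchive::extractTo runs.
// Assumes the ZipArchive extension is available; names are hypothetical.

/**
 * True only for entry names that are relative and contain no ".." segment.
 * Both "/" and "\" are treated as separators, since archives built on
 * Windows may carry backslashes.
 */
function isSafeEntryName(string $name): bool
{
    if ($name === '' || $name[0] === '/' || $name[0] === '\\') {
        return false;                       // absolute path
    }
    if (preg_match('#^[A-Za-z]:#', $name)) {
        return false;                       // Windows drive prefix
    }
    foreach (preg_split('#[/\\\\]+#', $name) as $segment) {
        if ($segment === '..') {
            return false;                   // would climb out of the target dir
        }
    }
    return true;
}

/**
 * Extract only the vetted entries of $zipPath into $destDir.
 * Returns ['extracted' => [...], 'rejected' => [...]].
 */
function safeExtract(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $accepted = [];
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $rejected[] = (string) $name;
            continue;
        }
        $accepted[] = $name;
    }
    // Pass the vetted list explicitly so nothing unchecked is extracted.
    if ($accepted !== [] && !$zip->extractTo($destDir, $accepted)) {
        $zip->close();
        throw new RuntimeException("extraction into $destDir failed");
    }
    $zip->close();
    return ['extracted' => $accepted, 'rejected' => $rejected];
}

// Constructed demo archive: one harmless entry and one traversal entry.
$work = sys_get_temp_dir() . '/zipguard-' . getmypid();
mkdir("$work/out", 0700, true);
$zip = new ZipArchive();
$zip->open("$work/demo.zip", ZipArchive::CREATE);
$zip->addFromString('notes/readme.txt', "harmless\n");
$zip->addFromString('../escaped.txt', "must never be written\n");
$zip->close();

$result = safeExtract("$work/demo.zip", "$work/out");
printf("extracted: %s\n", implode(', ', $result['extracted']));
printf("rejected:  %s\n", implode(', ', $result['rejected']));
var_dump(file_exists("$work/escaped.txt"));
```

The guard rejects any ".." segment outright rather than normalising it away, which matches what a fixed extractTo does and keeps the accepted list identical to what the library will write. Listing the vetted names in the second argument of extractTo, instead of extracting the whole archive, means an entry that slipped past inspection for any reason is still never touched.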