Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?

To: debian-security@lists.debian.org
Subject: Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?
From: jaroslav@thinline.cz
Date: Thu, 20 Jun 2013 14:58:21 +0200
Message-id: <[🔎] b40bea6ef5fa68ec21535a14c41d4cf7@thinline.cz>
In-reply-to: <[🔎] c5b48821b259544f890a450b82c86b8d.squirrel@aphrodite.kinkhorst.nl>
References: <[🔎] 4f30b839fc2833d33b7561a16595518c@thinline.cz> <[🔎] c5b48821b259544f890a450b82c86b8d.squirrel@aphrodite.kinkhorst.nl>

Dne 20.06.2013 14:13, Thijs Kinkhorst napsal:

On Thu, June 20, 2013 09:08, jaroslav@thinline.cz wrote:
Can someone please confirm that the Wheezy package is really not
vulnerable? I tried to use the test code from PHP (attached below) on
multiple PHP versions, but it doesn't cause segfaults (as it's supposed
to) on any of those I tried (Not even on PHP 5.3.23, which is supposed
to be vulnerable.)

The bug was originally introduced in PHP upstream with this commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=18bb426587d62f93c54c40bf8535eb8416603629

As you can verify, that code is not present in Debian Wheezy, making
Wheezy not vulnerable to this bug.


Cheers,
Thijs


Great, thanks a lot

Reply to:

References:
- PHP5 in Wheezy vulnerable to CVE-2013-2110?
  - From: jaroslav@thinline.cz
- Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?
  - From: "Thijs Kinkhorst" <thijs@debian.org>

Prev by Date: Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?
Next by Date: Re: [SECURITY] [DSA 2712-1] otrs2 security update
Previous by thread: Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?
Next by thread: Re: [SECURITY] [DSA 2712-1] otrs2 security update
Index(es):
- Date
- Thread