Debian Bug report logs -
#646675
CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8
Reported by: Ingo Juergensmann <ij@2011.bluespice.org>
Date: Wed, 26 Oct 2011 05:54:02 UTC
Severity: serious
Tags: patch, security
Fixed in version 5.3.9-1
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 05:54:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Juergensmann <ij@2011.bluespice.org>
:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 05:54:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: roundcube
Version: 0.6+dfsg-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org
--- Please enter the report below this line. ---
Hi!
Well, yesterday out of nothing my webmailer roundcube started to refuse
to work. At least as I remember it. For some reasons reloading the Inbox
just showed the "Loading..." message on the screen, but there was no
list of mails anymore. Funny enough other folders do actually work as
before. But anyway, doing an update did not help and improve anything.
(I really don't know whether I updated before or after because of the
first occurence of this issue.)
There's an entry in syslog when loading the Inbox folder:
Oct 26 07:24:59 muaddib suhosin[32432]: ALERT - Include filename
('http://www.gnu.org/s/hello/manual/automake/ ?.php') is an URL that is
not allowed (attacker '127.0.0.1', file
'/usr/share/roundcube/program/include/iniset.php', line 110
This lead to bug #1488086 in the Roundcube issue tracker which states:
This messages made me wonder why suhosin thinks there's an include
going on. Line 111 of iniset.php shows:
include_once("$filename.php");
It seems like roundcube wants to include what is displayed in the
subject, which happens to be a url - and suhosin legitimately blocks
this attempt.
In short, I can send an email to a user on a suhosin protected mail
server and make his inbox unavailable. Needless to say, the user cannot
delete this email himself via RoundCube. In my case, I had to delete the
email file on the server to make roundcube show the inbox again.
In Debian there's bug #619411 that is related to PATH setting in
iniset.php, but I'm not sure if this is really related to #1488086 in
the Roundcube issue tracker and my problem? However, disabling suhosin
doesn't seem the right way to "solve" this issue and the trac issue
tracker suggests a security related problem.
Regards,
Ingo
--- System information. ---
Architecture: amd64
Kernel: Linux 3.0.0-2-amd64
Debian Release: wheezy/sid
500 unstable www.debian-multimedia.org
500 unstable ftp.de.debian.org
--- Package information. ---
Depends (Version) | Installed
====================================-+-================
roundcube-core (= 0.6+dfsg-1) | 0.6+dfsg-1
dbconfig-common | 1.8.47
debconf (>= 0.5) | 1.5.41
OR debconf-2.0 |
ucf | 3.0025+nmu2
apache2 | 2.2.21-2
OR lighttpd |
OR httpd |
php5 | 5.3.8-2
php5-mcrypt | 5.3.8-2
php5-gd | 5.3.8-2
php5-intl | 5.3.8-2
php-mdb2 (>= 2.5.0) | 2.5.0b2-1
php-auth | 1.6.2-1
php-net-smtp (>= 1.4.2) | 1.6.0-1
php-net-socket | 1.0.9-2
php-mail-mime (>= 1.8.0) | 1.8.0-2
php5-pspell | 5.3.8-2
tinymce (>= 3) | 3.4.3.2+dfsg0-1
libjs-jquery (>= 1.6.4) | 1.6.4-1
libmagic1 | 5.09-2
roundcube-sqlite (= 0.6+dfsg-1) | 0.6+dfsg-1
OR roundcube-mysql (= 0.6+dfsg-1) | 0.6+dfsg-1
OR roundcube-pgsql (= 0.6+dfsg-1) | 0.6+dfsg-1
Package's Recommends field is empty.
Suggests (Version) | Installed
================================-+-===========
php-auth-sasl (>= 1.0.3) |
php-crypt-gpg |
roundcube-plugins |
--
Ciao... // Fon: 0381-2744150
Ingo \X/ http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 07:03:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 07:03:08 GMT) (full text, mbox, link).
Message #10 received at 646675@bugs.debian.org (full text, mbox, reply):
Hi Ingo,
I use roundcube with suhosin, but not 0.6 yet. What do you mean by "out of
nowhere"?
cheers,
Holger
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 07:03:17 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 07:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 07:30:03 GMT) (full text, mbox, link).
Message #18 received at 646675@bugs.debian.org (full text, mbox, reply):
On 26.10.2011 09:01, Holger Levsen wrote:
> I use roundcube with suhosin, but not 0.6 yet. What do you mean by
> "out of
> nowhere"?
Ha! Just discovered: it's working again. BUT: when I used reportbug-ng
this morning to report the bug, it started iceweasel - and I use
iceweasel to sort my mails into folders. So when it started up it
started filtering my mails and apparently filtered the mail in question
out of the way.
So, my best guess is: when you receive an email with an URL in the
subject, this bug will hit you as well.
--
Ciao... // Fon: 0381-2744150
. Ingo \X/ http://blog.windfluechter.net
gpg pubkey: http://www.juergensmann.de/ij_public_key.
Information stored
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 07:30:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and filed, but not forwarded.
(Wed, 26 Oct 2011 07:30:05 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 07:30:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 07:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 07:51:04 GMT) (full text, mbox, link).
Message #31 received at 646675@bugs.debian.org (full text, mbox, reply):
On Wed, Oct 26, 2011 at 09:01:07AM +0200, Holger Levsen wrote:
> I use roundcube with suhosin, but not 0.6 yet. What do you mean by "out of
> nowhere"?
Well, I was at work, enjoying a working roundcube and reading my mails and
then, as far as I remember, I reloaded the Inbox and it said "Loading..."
and "Loading..." and "Loading..." all the time. This sometime happens
because I'm behind a restrictive firewall and using a Apache mod-proxy
forward from my dedicated server to my home server via VPN and from now and
then the connection gets stalled. Usually I restart the involved apaches
then and it usually is working again. But not yesterday.
Then I made a dist-upgrade on my home server, but no improvement. I then
looked into syslog and roundcube log and decided to postpone this issue when
I'm back home to exclude any mod-proxy issues.
When home again the problem still persisted even when using my home server
locally. Dovecot imapd still works as tested with mail.app on OSX and
mutt+iceweasel on Debian.
The "out of nowhere" relates to my memorization that RC actually did work,
but then suddenly stopped working without doing an upgrade first. But
reading the trac issue on RC it might be that I received a mail with an URL
in the Subject, which then caused RC to not work anymore: "out of nowhere".
--
Ciao... // Fon: 0381-2744150
Ingo \X/ http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
Information stored
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 07:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and filed, but not forwarded.
(Wed, 26 Oct 2011 07:51:06 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 07:51:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 08:09:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 08:09:11 GMT) (full text, mbox, link).
Message #44 received at 646675@bugs.debian.org (full text, mbox, reply):
severity 646675 important
thanks
On Mittwoch, 26. Oktober 2011, Ingo Jürgensmann wrote:
> So, my best guess is: when you receive an email with an URL in the
> subject, this bug will hit you as well.
Severity set to 'important' from 'serious'
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org
.
(Wed, 26 Oct 2011 08:09:13 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 08:09:16 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 11:12:22 GMT) (full text, mbox, link).
Acknowledgement sent
to Philipp Kern <pkern@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 11:12:42 GMT) (full text, mbox, link).
Message #54 received at 646675@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tag 646675 + security
severity 646675 serious
thanks
Erhm,
On Wed, Oct 26, 2011 at 10:06:14AM +0200, Holger Levsen wrote:
> severity 646675 important
> thanks
am I the only one who has insanely loud alarm bells when reading his report,
the ticket and everything?
It includes a foreign site and we can be happy that suhosin blocks it. (I'm
working from the information in the roundcube ticket[0]. I didn't investigate
it myself.) But suhosin is not the default?
Kind regards
Philipp Kern
[0] http://trac.roundcube.net/ticket/1488086
[signature.asc (application/pgp-signature, inline)]
Severity set to 'serious' from 'important'
Request was from Philipp Kern <pkern@debian.org>
to control@bugs.debian.org
.
(Wed, 26 Oct 2011 11:12:48 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 11:13:01 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 11:39:46 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 11:39:49 GMT) (full text, mbox, link).
Message #64 received at 646675@bugs.debian.org (full text, mbox, reply):
Hi Philipp,
On Mittwoch, 26. Oktober 2011, Philipp Kern wrote:
> It includes a foreign site and we can be happy that suhosin blocks it.
> (I'm working from the information in the roundcube ticket[0].
>
> [0] http://trac.roundcube.net/ticket/1488086
I missed the details in that ticket... thanks for correcting me!
cheers,
Holger
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 17:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Bernat <bernat@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 17:51:03 GMT) (full text, mbox, link).
Message #69 received at 646675@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 646675 + patch
thanks
OoO Peu avant le début de l'après-midi du mercredi 26 octobre 2011, vers
13:07, Philipp Kern <pkern@debian.org> disait :
>> severity 646675 important
>> thanks
> am I the only one who has insanely loud alarm bells when reading his report,
> the ticket and everything?
> It includes a foreign site and we can be happy that suhosin blocks it. (I'm
> working from the information in the roundcube ticket[0]. I didn't investigate
> it myself.) But suhosin is not the default?
Yes, the problem seems pretty severe. I am unable to reproduce it, even
with the conditions listed in the ticket [0]. The ticket is not marked
as fixed but the patch has been applied [1]. 0.6 does not seem
vulnerable, only 0.5.4 and older.
Ingo, you reported the bug against 0.6. Is it really the version that is
affected by the problem? It seems already patched.
[0]: http://trac.roundcube.net/ticket/1488086
[1]: http://trac.roundcube.net/changeset/5222
--
Vincent Bernat ☯ http://vincent.bernat.im
die_if_kernel("Penguin instruction from Penguin mode??!?!", regs);
2.2.16 /usr/src/linux/arch/sparc/kernel/traps.c
[Message part 2 (application/pgp-signature, inline)]
Added tag(s) patch.
Request was from Vincent Bernat <bernat@debian.org>
to control@bugs.debian.org
.
(Wed, 26 Oct 2011 17:51:09 GMT) (full text, mbox, link).
Information stored
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 17:51:16 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Bernat <bernat@debian.org>
:
Extra info received and filed, but not forwarded.
(Wed, 26 Oct 2011 17:51:16 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 17:51:18 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 18:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 18:15:03 GMT) (full text, mbox, link).
Message #84 received at 646675@bugs.debian.org (full text, mbox, reply):
On 26.10.2011 19:48, Vincent Bernat wrote:
> Ingo, you reported the bug against 0.6. Is it really the version that
> is
> affected by the problem? It seems already patched.
Well, yes, I wrote the bug report on the same machine where RC is
running.
The message in question is most likely this one:
To: debian-devel@lists.debian.org, webmasters@gnu.org
Cc: Ivan Shmakov <oneingray@gmail.com>
Subject: http://www.gnu.org/s/hello/manual/automake/ ?
Message-ID: <86r521mn20.fsf_-_@gray.siamics.net>
At least that's the same URL in the subject line suhosin is complaining
about.
--
Ciao... // Fon: 0381-2744150
. Ingo \X/ http://blog.windfluechter.net
gpg pubkey: http://www.juergensmann.de/ij_public_key.
Information stored
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 18:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and filed, but not forwarded.
(Wed, 26 Oct 2011 18:15:05 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 18:15:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 20:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Bernat <bernat@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 20:45:03 GMT) (full text, mbox, link).
Message #97 received at 646675@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
OoO Pendant le journal télévisé du mercredi 26 octobre 2011, vers 20:12,
Ingo Jürgensmann <ij@2011.bluespice.org> disait :
>> Ingo, you reported the bug against 0.6. Is it really the version that
>> is affected by the problem? It seems already patched.
> Well, yes, I wrote the bug report on the same machine where RC is
> running.
> The message in question is most likely this one:
> To: debian-devel@lists.debian.org, webmasters@gnu.org
> Cc: Ivan Shmakov <oneingray@gmail.com>
> Subject: http://www.gnu.org/s/hello/manual/automake/ ?
> Message-ID: <86r521mn20.fsf_-_@gray.siamics.net>
> At least that's the same URL in the subject line suhosin is
> complaining about.
Now that the message is in another folder, you don't have the problem
any more, even if you visit this folder? Does the problem comes back if
you move the message to inbox?
--
Vincent Bernat ☯ http://vincent.bernat.im
Don't just echo the code with comments - make every comment count.
- The Elements of Programming Style (Kernighan & Plauger)
[Message part 2 (application/pgp-signature, inline)]
Information stored
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 20:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Bernat <bernat@debian.org>
:
Extra info received and filed, but not forwarded.
(Wed, 26 Oct 2011 20:45:05 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 20:45:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 20:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 20:57:05 GMT) (full text, mbox, link).
Message #110 received at 646675@bugs.debian.org (full text, mbox, reply):
Am 26.10.2011 um 22:40 schrieb Vincent Bernat:
> Now that the message is in another folder, you don't have the problem
> any more, even if you visit this folder? Does the problem comes back if
> you move the message to inbox?
When I access my Debian-Devel folder the problem occurs in that folder. When I move it back to Inbox it happens there again... so, it's reproducible over here...
--
Ciao... // Fon: 0381-2744150
Ingo \X/ http://blog.windfluechter.net
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
Information stored
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 20:57:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Ingo Jürgensmann <ij@2011.bluespice.org>
:
Extra info received and filed, but not forwarded.
(Wed, 26 Oct 2011 20:57:10 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 20:57:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
:
Bug#646675
; Package roundcube
.
(Wed, 26 Oct 2011 22:13:45 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Bernat <bernat@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
.
(Wed, 26 Oct 2011 22:13:45 GMT) (full text, mbox, link).
Message #123 received at 646675@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
reassign 646675 src:php5
retitle 646675 CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8
tags 646675 + patch
thanks
OoO En cette soirée bien amorcée du mercredi 26 octobre 2011, vers
22:55, Ingo Jürgensmann <ij@2011.bluespice.org> disait :
>> Now that the message is in another folder, you don't have the problem
>> any more, even if you visit this folder? Does the problem comes back if
>> you move the message to inbox?
> When I access my Debian-Devel folder the problem occurs in that
> folder. When I move it back to Inbox it happens there again... so,
> it's reproducible over here...
The problem has been fixed in roundcube 0.6. It was related to an
incorrect use of is_a() function. Since PHP 5.3.8, is_a() function would
trigger autoload when the first argument is a string. Roundcube prior to
0.6 is affected but 0.6 is not. However, you hit the bug because MDB2 is
affected by it too (we don't use the shipped copy).
More info about this change in this bug report:
https://bugs.php.net/bug.php?id=55475
It has been assigned CVE ID 2011-3379 and it has been decided by the PHP
project to revert the change:
http://svn.php.net/viewvc/?view=revision&revision=317183
This fix has not been applied to Debian package yet.
There are two possible outcomes :
1. Patch a lot of PHP stuff to handle this new behaviour of is_a() (and
the old behaviour too) by testing if the first argument is an object
first. This means that this bug should be cloned for MDB2.
2. Consider this bug as a PHP bug and apply the mentioned patch to PHP
5.3.8 in Debian.
I think that the most reasonable outcome is the second one since the fix
has been commited to land in PHP 5.3.9. Therefore, I reassign this bug
to src:php5. Tell me if you disagree.
--
Vincent Bernat ☯ http://vincent.bernat.im
Write and test a big program in small pieces.
- The Elements of Programming Style (Kernighan & Plauger)
[Message part 2 (application/pgp-signature, inline)]
Bug reassigned from package 'roundcube' to 'src:php5'.
Request was from Vincent Bernat <bernat@debian.org>
to control@bugs.debian.org
.
(Wed, 26 Oct 2011 22:14:01 GMT) (full text, mbox, link).
Bug No longer marked as found in versions roundcube/0.6+dfsg-1.
Request was from Vincent Bernat <bernat@debian.org>
to control@bugs.debian.org
.
(Wed, 26 Oct 2011 22:14:02 GMT) (full text, mbox, link).
Changed Bug title to 'CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8' from '[roundcube] RC doesn't load INBOX anymore - suhosin reports URL is not allowed'
Request was from Vincent Bernat <bernat@debian.org>
to control@bugs.debian.org
.
(Wed, 26 Oct 2011 22:14:02 GMT) (full text, mbox, link).
Information stored
:
Bug#646675
; Package src:php5
.
(Wed, 26 Oct 2011 22:14:22 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Bernat <bernat@debian.org>
:
Extra info received and filed, but not forwarded.
(Wed, 26 Oct 2011 22:14:22 GMT) (full text, mbox, link).
Message sent on
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug#646675.
(Wed, 26 Oct 2011 22:14:24 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@sury.org>
:
You have taken responsibility.
(Mon, 23 Jan 2012 10:32:50 GMT) (full text, mbox, link).
Notification sent
to Ingo Juergensmann <ij@2011.bluespice.org>
:
Bug acknowledged by developer.
(Mon, 23 Jan 2012 10:32:55 GMT) (full text, mbox, link).
Message #142 received at 646675-done@bugs.debian.org (full text, mbox, reply):
Version: 5.3.9-1
php5 (5.3.9-1) unstable; urgency=low
.
* Remove obsolete sqlite(2) module from php5-sqlite
* Use correct signals in php5-fpm init script (Closes: #645934)
* Imported Upstream version 5.3.9
* Adapt debian/patches to 5.3.9 release
--
Ondřej Surý <ondrej@sury.org>
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 21 Feb 2012 07:38:26 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:43:10 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.