CVE-2010-3710: DoS in filter_var()

Related Vulnerabilities: CVE-2010-3710  

Debian Bug report logs - #601619
CVE-2010-3710: DoS in filter_var()

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 27 Oct 2010 20:42:01 UTC

Severity: important

Tags: security

Fixed in version php5/5.3.3-3

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#601619; Package php5. (Wed, 27 Oct 2010 20:42:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 27 Oct 2010 20:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-3710: DoS in filter_var()
Date: Wed, 27 Oct 2010 22:37:51 +0200
Package: php5
Severity: important
Tags: security

Please pull this in for Squeeze:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3710

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5 depends on:
pn  libapache2-mod-php5 | libapac <none>     (no description available)
pn  php5-common                   <none>     (no description available)

php5 recommends no packages.

php5 suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#601619; Package php5. (Wed, 27 Oct 2010 21:45:02 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 27 Oct 2010 21:45:03 GMT)


Message #10 received at 601619@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 601619@bugs.debian.org
Cc: ,control@bugs.debian.org
Subject: [debian/debian-sid] Fix CVE-2010-3710 by cherry-picking r303779 from php svn (Closes: #601619)
Date: Wed, 27 Oct 2010 21:42:07 +0000
tag 601619 pending
thanks

Date: Wed Oct 27 23:38:51 2010 +0200
Author: Ondřej Surý <ondrej@sury.org>
Commit ID: c4ae415c6f6cf3ba995fd9c39b658cb229e536a7
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=c4ae415c6f6cf3ba995fd9c39b658cb229e536a7
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=c4ae415c6f6cf3ba995fd9c39b658cb229e536a7

    Fix CVE-2010-3710 by cherry-picking r303779 from php svn (Closes: #601619)

      




Added tag(s) pending. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Wed, 27 Oct 2010 21:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#601619; Package php5. (Wed, 27 Oct 2010 21:48:04 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 27 Oct 2010 21:48:04 GMT)


Message #17 received at 601619@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 601619@bugs.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>, debian-release@lists.debian.org
Subject: Re: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var()
Date: Wed, 27 Oct 2010 23:45:21 +0200
Hi Moritz and Adam,

I have prepared 5.3.3-3 in the git, but I would like to seek
debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
(with prolonged delay to 15 days)... btw thanks for that ...  so
should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
testing and then upload 5.3.3-3 with urgency=high and request an
unblock again?

Ondrej

On Wed, Oct 27, 2010 at 22:37, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Package: php5
> Severity: important
> Tags: security
>
> Please pull this in for Squeeze:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3710
>
> Cheers,
>        Moritz
>
> -- System Information:
> Debian Release: squeeze/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
> Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages php5 depends on:
> pn  libapache2-mod-php5 | libapac <none>     (no description available)
> pn  php5-common                   <none>     (no description available)
>
> php5 recommends no packages.
>
> php5 suggests no packages.
>
>
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#601619; Package php5. (Thu, 28 Oct 2010 16:27:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 28 Oct 2010 16:27:03 GMT)


Message #22 received at 601619@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 601619@bugs.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>, debian-release@lists.debian.org
Subject: Re: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var()
Date: Thu, 28 Oct 2010 18:24:11 +0200
On Wed, Oct 27, 2010 at 11:45:21PM +0200, Ondřej Surý wrote:
> Hi Moritz and Adam,
> 
> I have prepared 5.3.3-3 in the git, but I would like to seek
> debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
> (with prolonged delay to 15 days)... btw thanks for that ...  so
> should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
> testing and then upload 5.3.3-3 with urgency=high and request an
> unblock again?

This issue doesn't seem urgent. I would recommend to let 5.3.3-2
with the current age-days and followup with the CVE-2010-3710
after that.

Maybe this would also allow the PHP maintainers to include a final
fix for 546164?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#601619; Package php5. (Sun, 07 Nov 2010 19:24:03 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 07 Nov 2010 19:24:03 GMT)


Message #27 received at 601619@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Ondrej Surý <ondrej@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 601619@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var()
Date: Sun, 07 Nov 2010 19:20:46 +0000
On Thu, 2010-10-28 at 18:24 +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 27, 2010 at 11:45:21PM +0200, Ondřej Surý wrote:
> > Hi Moritz and Adam,
> > 
> > I have prepared 5.3.3-3 in the git, but I would like to seek
> > debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
> > (with prolonged delay to 15 days)... btw thanks for that ...  so
> > should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
> > testing and then upload 5.3.3-3 with urgency=high and request an
> > unblock again?
> 
> This issue doesn't seem urgent. I would recommend to let 5.3.3-2
> with the current age-days and followup with the CVE-2010-3710
> after that.
> 
> Maybe this would also allow the PHP maintainers to include a final
> fix for 546164?

5.3.3-2 has now migrated to testing.  The upstream fix for CVE-2010-3710
looks small and sane enough to be included in a -3 upload.  From reading
the log for 546164 I'm not sure what the fix would look like, but would
be prepared to look at fixing it in squeeze.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#601619; Package php5. (Sun, 14 Nov 2010 14:45:02 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 14 Nov 2010 14:45:02 GMT)


Message #32 received at 601619@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Moritz Muehlenhoff <jmm@debian.org>, 601619@bugs.debian.org, debian-release@lists.debian.org
Subject: Please unblock php5/5.3.3-3 (Was: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var())
Date: Sun, 14 Nov 2010 15:42:26 +0100
Hi Adam, Moritz,

On Sun, Nov 7, 2010 at 20:20, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> On Thu, 2010-10-28 at 18:24 +0200, Moritz Muehlenhoff wrote:
>> On Wed, Oct 27, 2010 at 11:45:21PM +0200, Ondřej Surý wrote:
>> > Hi Moritz and Adam,
>> >
>> > I have prepared 5.3.3-3 in the git, but I would like to seek
>> > debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
>> > (with prolonged delay to 15 days)... btw thanks for that ...  so
>> > should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
>> > testing and then upload 5.3.3-3 with urgency=high and request an
>> > unblock again?
>>
>> This issue doesn't seem urgent. I would recommend to let 5.3.3-2
>> with the current age-days and followup with the CVE-2010-3710
>> after that.
>>
>> Maybe this would also allow the PHP maintainers to include a final
>> fix for 546164?
>
> 5.3.3-2 has now migrated to testing.  The upstream fix for CVE-2010-3710
> looks small and sane enough to be included in a -3 upload.

The 5.3.3 with:

   * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large
     amount of data (CVE-2010-3710, Closes: #601619)

was uploaded just now.

> From reading the log for 546164 I'm not sure what the fix would look like, but would
> be prepared to look at fixing it in squeeze.

I have reported this bug to the upstream as I was able to reproduce
the symlink attack quite easily and overwrite /etc/passwd (create
download_dir, symlink package.xml to /etc/passwd and asking root user
to install any package).

There are more directories like that (cache_dir, temp_dir) in PEAR and
it probably needs attention from upstream.

Ondrej
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Sun, 14 Nov 2010 15:09:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 14 Nov 2010 15:09:07 GMT)


Message #37 received at 601619-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 601619-close@bugs.debian.org
Subject: Bug#601619: fixed in php5 5.3.3-3
Date: Sun, 14 Nov 2010 15:05:39 +0000
Source: php5
Source-Version: 5.3.3-3

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.3.3-3_amd64.deb
  to main/p/php5/libapache2-mod-php5_5.3.3-3_amd64.deb
libapache2-mod-php5filter_5.3.3-3_amd64.deb
  to main/p/php5/libapache2-mod-php5filter_5.3.3-3_amd64.deb
php-pear_5.3.3-3_all.deb
  to main/p/php5/php-pear_5.3.3-3_all.deb
php5-cgi_5.3.3-3_amd64.deb
  to main/p/php5/php5-cgi_5.3.3-3_amd64.deb
php5-cli_5.3.3-3_amd64.deb
  to main/p/php5/php5-cli_5.3.3-3_amd64.deb
php5-common_5.3.3-3_amd64.deb
  to main/p/php5/php5-common_5.3.3-3_amd64.deb
php5-curl_5.3.3-3_amd64.deb
  to main/p/php5/php5-curl_5.3.3-3_amd64.deb
php5-dbg_5.3.3-3_amd64.deb
  to main/p/php5/php5-dbg_5.3.3-3_amd64.deb
php5-dev_5.3.3-3_amd64.deb
  to main/p/php5/php5-dev_5.3.3-3_amd64.deb
php5-enchant_5.3.3-3_amd64.deb
  to main/p/php5/php5-enchant_5.3.3-3_amd64.deb
php5-gd_5.3.3-3_amd64.deb
  to main/p/php5/php5-gd_5.3.3-3_amd64.deb
php5-gmp_5.3.3-3_amd64.deb
  to main/p/php5/php5-gmp_5.3.3-3_amd64.deb
php5-imap_5.3.3-3_amd64.deb
  to main/p/php5/php5-imap_5.3.3-3_amd64.deb
php5-interbase_5.3.3-3_amd64.deb
  to main/p/php5/php5-interbase_5.3.3-3_amd64.deb
php5-intl_5.3.3-3_amd64.deb
  to main/p/php5/php5-intl_5.3.3-3_amd64.deb
php5-ldap_5.3.3-3_amd64.deb
  to main/p/php5/php5-ldap_5.3.3-3_amd64.deb
php5-mcrypt_5.3.3-3_amd64.deb
  to main/p/php5/php5-mcrypt_5.3.3-3_amd64.deb
php5-mysql_5.3.3-3_amd64.deb
  to main/p/php5/php5-mysql_5.3.3-3_amd64.deb
php5-odbc_5.3.3-3_amd64.deb
  to main/p/php5/php5-odbc_5.3.3-3_amd64.deb
php5-pgsql_5.3.3-3_amd64.deb
  to main/p/php5/php5-pgsql_5.3.3-3_amd64.deb
php5-pspell_5.3.3-3_amd64.deb
  to main/p/php5/php5-pspell_5.3.3-3_amd64.deb
php5-recode_5.3.3-3_amd64.deb
  to main/p/php5/php5-recode_5.3.3-3_amd64.deb
php5-snmp_5.3.3-3_amd64.deb
  to main/p/php5/php5-snmp_5.3.3-3_amd64.deb
php5-sqlite_5.3.3-3_amd64.deb
  to main/p/php5/php5-sqlite_5.3.3-3_amd64.deb
php5-sybase_5.3.3-3_amd64.deb
  to main/p/php5/php5-sybase_5.3.3-3_amd64.deb
php5-tidy_5.3.3-3_amd64.deb
  to main/p/php5/php5-tidy_5.3.3-3_amd64.deb
php5-xmlrpc_5.3.3-3_amd64.deb
  to main/p/php5/php5-xmlrpc_5.3.3-3_amd64.deb
php5-xsl_5.3.3-3_amd64.deb
  to main/p/php5/php5-xsl_5.3.3-3_amd64.deb
php5_5.3.3-3.diff.gz
  to main/p/php5/php5_5.3.3-3.diff.gz
php5_5.3.3-3.dsc
  to main/p/php5/php5_5.3.3-3.dsc
php5_5.3.3-3_all.deb
  to main/p/php5/php5_5.3.3-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 601619@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 27 Oct 2010 23:39:37 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.3.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 601619
Changes: 
 php5 (5.3.3-3) unstable; urgency=high
 .
   * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large
     amount of data (CVE-2010-3710, Closes: #601619)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#601619; Package php5. (Sun, 14 Nov 2010 15:12:09 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 14 Nov 2010 15:12:09 GMT)


Message #42 received at 601619@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Ondřej Surý <ondrej@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Moritz Muehlenhoff <jmm@debian.org>, 601619@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Please unblock php5/5.3.3-3 (Was: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var())
Date: Sun, 14 Nov 2010 15:09:03 +0000
On Sun, 2010-11-14 at 15:42 +0100, Ondřej Surý wrote:
> On Sun, Nov 7, 2010 at 20:20, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> > On Thu, 2010-10-28 at 18:24 +0200, Moritz Muehlenhoff wrote:
> >> This issue doesn't seem urgent. I would recommend to let 5.3.3-2
> >> with the current age-days and followup with the CVE-2010-3710
> >> after that.
[...]
> > 5.3.3-2 has now migrated to testing.  The upstream fix for CVE-2010-3710
> > looks small and sane enough to be included in a -3 upload.
> 
> The 5.3.3 with:
> 
>    * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large
>      amount of data (CVE-2010-3710, Closes: #601619)
> 
> was uploaded just now.

Thanks; unblocked.

Regards,

Adam





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Jan 2011 07:31:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:38:27 2019; Machine Name: buxtehude
