php5: CVE-2006-4020: arbitrary code execution in php

Related Vulnerabilities: CVE-2006-4020, CVE-2006-2563

Debian Bug report logs - #382256

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 9 Aug 2006 19:18:18 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Fixed in version php5/5.1.6-1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#382256; Package php5.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: CVE-2006-4020: arbitrary code execution in php
Date: Wed, 09 Aug 2006 21:11:26 +0200
Package: php5
Severity: grave
Tags: security
Justification: user security hole


CVE-2006-4020:
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows
context-dependent attackers to execute arbitrary code via a sscanf PHP
function call that performs argument swapping, which increments an
index past the end of an array and triggers a buffer over-read.

Patch is at http://bugs.php.net/bug.php?id=38322

Please mention the CVE-id in the changelog
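
The index check that the CVE description above turns on, shown in a simplified C model of a scanf-style format validator. This is an added example, not PHP's scanf.c and not code from the bug report; `validate_format`, `FMT_BAD_INDEX` and the rule that a plain conversion continues after a positional one are assumptions of the model.

```c
#include <ctype.h>
#include <stdlib.h>

#define FMT_OK        0
#define FMT_BAD_INDEX 1   /* conversion refers to a slot that was not passed */

/*
 * Model (assumed, not PHP's code): "%s" takes the next result slot in order,
 * "%N$s" (argument swapping) selects slot N explicitly. nassign[] must hold
 * num_vars counters; every index is checked before it is used on nassign[].
 */
int validate_format(const char *fmt, int num_vars, int *nassign)
{
    int next = 0;                       /* slot for the next plain conversion */

    for (int i = 0; i < num_vars; i++)
        nassign[i] = 0;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;                      /* trailing '%' */
        if (*p == '%')
            continue;                   /* "%%" is a literal percent sign */

        long idx = next;
        if (isdigit((unsigned char)*p)) {
            char *end;
            long n = strtol(p, &end, 10);
            if (*end == '$') {          /* positional form "%N$" */
                idx = n - 1;
                p = end + 1;
            } else {
                p = end;                /* digits were a field width */
            }
        }
        /* Without this check idx can point past nassign[] and the
         * increment below touches memory outside the array. */
        if (idx < 0 || idx >= num_vars)
            return FMT_BAD_INDEX;
        nassign[idx]++;
        next = (int)idx + 1;
        if (*p == '\0')
            break;                      /* format ended inside a conversion */
    }
    return FMT_OK;
}
```
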



Bug 382256 cloned as bug 382261. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Bug 382256 cloned as bug 382262. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Tags added: upstream, fixed-upstream. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.


Tags added: pending. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.


Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #18 received at 382256-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 382256-close@bugs.debian.org
Subject: Bug#382256: fixed in php5 5.1.6-1
Date: Fri, 01 Sep 2006 07:32:21 -0700
Source: php5
Source-Version: 5.1.6-1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.1.6-1_i386.deb
  to pool/main/p/php5/libapache-mod-php5_5.1.6-1_i386.deb
libapache2-mod-php5_5.1.6-1_i386.deb
  to pool/main/p/php5/libapache2-mod-php5_5.1.6-1_i386.deb
php-pear_5.1.6-1_all.deb
  to pool/main/p/php5/php-pear_5.1.6-1_all.deb
php5-cgi_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-cgi_5.1.6-1_i386.deb
php5-cli_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-cli_5.1.6-1_i386.deb
php5-common_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-common_5.1.6-1_i386.deb
php5-curl_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-curl_5.1.6-1_i386.deb
php5-dev_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-dev_5.1.6-1_i386.deb
php5-gd_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-gd_5.1.6-1_i386.deb
php5-ldap_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-ldap_5.1.6-1_i386.deb
php5-mhash_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-mhash_5.1.6-1_i386.deb
php5-mysql_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-mysql_5.1.6-1_i386.deb
php5-odbc_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-odbc_5.1.6-1_i386.deb
php5-pgsql_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-pgsql_5.1.6-1_i386.deb
php5-recode_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-recode_5.1.6-1_i386.deb
php5-snmp_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-snmp_5.1.6-1_i386.deb
php5-sqlite_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-sqlite_5.1.6-1_i386.deb
php5-sybase_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-sybase_5.1.6-1_i386.deb
php5-xmlrpc_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-xmlrpc_5.1.6-1_i386.deb
php5-xsl_5.1.6-1_i386.deb
  to pool/main/p/php5/php5-xsl_5.1.6-1_i386.deb
php5_5.1.6-1.diff.gz
  to pool/main/p/php5/php5_5.1.6-1.diff.gz
php5_5.1.6-1.dsc
  to pool/main/p/php5/php5_5.1.6-1.dsc
php5_5.1.6-1_all.deb
  to pool/main/p/php5/php5_5.1.6-1_all.deb
php5_5.1.6.orig.tar.gz
  to pool/main/p/php5/php5_5.1.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 382256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 19 Aug 2006 14:41:43 +0200
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql php5-common php5-snmp php5-dev php5-sqlite libapache-mod-php5
Architecture: source i386 all
Version: 5.1.6-1
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-ldap  - LDAP module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 370165 382256 383596
Changes: 
 php5 (5.1.6-1) unstable; urgency=high
 .
   [ Adam Conrad ]
   * Drop 041-shut_up_snmp.patch, which was no longer needed as of 5.1.0.
 .
   [ Ondřej Surý ]
   * Acknowledge NMU.
   * New upstream release (Closes: #383596)
     - Added missing safe_mode/open_basedir checks inside the error_log(),
       file_exists(), imap_open() and imap_reopen() functions.
     - Fixed overflows inside str_repeat() and wordwrap() functions on 64bit
       systems.
     - Fixed possible open_basedir/safe_mode bypass in cURL extension and
       with realpath cache. (CVE-2006-2563) (Closes: #370165)
     - Fixed overflow in GD extension on invalid GIF images.
     - Fixed a buffer overflow inside sscanf() function. (CVE-2006-4020)
       (Closes: #382256)
     - Fixed an out of bounds read inside stripos() function.
     - Fixed memory_limit restriction on 64 bit system (really with 5.1.6).
   * Bump libdb build-dep from libdb4.3 to libdb4.4, to match with apache.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 00:01:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:13:34 2019; Machine Name: beach
