Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20090401144555.7dddaa32@redhat.com>
Date: Wed, 1 Apr 2009 14:45:55 +0200
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: PHP 5.2.9

Hi!

PHP 5.2.9 was released some time ago, mentioning couple of security
fixes, that do not seem to have CVEs assigned:
  http://www.php.net/releases/5_2_9.php

# Fixed explode() behavior with empty string to respect negative limit.
  (Shire)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.77&r2=1.445.2.14.2.78

Our maintainer has asked upstream about this one, as it changes
behavior of explode() and does not have obvious security consequences.
Upstream security team confirmed that this one was tagged as security
by mistake.


# Fixed a crash on extract in zip when files or directories entry names
  contain a relative path. (Pierre)
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49

This should only affect php 5.2.7 or versions that have original fix
for CVE-2008-5658 backported.


# Fixed a segfault when malformed string is passed to json_decode().
  (Scott)
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15

This is PHP 5.2.0+ only, as previous versions do not have json
extension.

Only two CVEs should be needed.  Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.