Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Wed, 1 Apr 2009 14:45:55 +0200
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: PHP 5.2.9

Hi!

PHP 5.2.9 was released some time ago, mentioning couple of security
fixes, that do not seem to have CVEs assigned:
  http://www.php.net/releases/5_2_9.php

# Fixed explode() behavior with empty string to respect negative limit.
  (Shire)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.77&r2=1.445.2.14.2.78

Our maintainer has asked upstream about this one, as it changes
behavior of explode() and does not have obvious security consequences.
Upstream security team confirmed that this one was tagged as security
by mistake.


# Fixed a crash on extract in zip when files or directories entry names
  contain a relative path. (Pierre)
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49

This should only affect php 5.2.7 or versions that have original fix
for CVE-2008-5658 backported.


# Fixed a segfault when malformed string is passed to json_decode().
  (Scott)
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15

This is PHP 5.2.0+ only, as previous versions do not have json
extension.

Only two CVEs should be needed.  Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux