oss-sec mailing list archives
Re: Issues without CVE names in PHP 5.3.4/5.2.15 release
From: Pierre Joye <pierre.php () gmail com>
Date: Mon, 13 Dec 2010 18:47:19 +0100
hi,

On Mon, Dec 13, 2010 at 5:33 PM, Vincent Danen <vdanen () redhat com> wrote:
> Looking at the PHP web site, there are a few issues fixed in the most
> recent releases that don't seem to have a CVE name:
>
> * Fixed crash in zip extract method (possible CWE-170).

Was requested and was not considered as worth a CVE #

> * Fixed symbolic resolution support when the target is a DFS share.

Why does it require a CVE #? That's not a security fix but a fix about DFS support on Windows (did not work).

> * Fixed extract() to do not overwrite $GLOBALS and $this when using
>   EXTR_OVERWRITE.

Not sure either if it requires one.

> Also doesn't seem to be much info on these readily available.
>
> The first seems to be related to this SVN commit (don't see a bug for it):
> http://svn.php.net/viewvc?view=revision&revision=305848
>
> The second seems to be Windows-specific and is this bug (haven't found
> the SVN commit for it yet):
> http://bugs.php.net/bug.php?id=51945
>
> The third seems to be 5.2-specific (no mention in the 5.3 changes), but
> I've not yet found the bug or SVN commit.
In any case I would like to remind you of security () php net as well. We have also now added a security flag in our bug tracker, Joe should have access to them as well, ping me if more of the redhat team needs it, or other distributions.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org