Red Hat Bugzilla – Bug 152885
PHP multiple vulnerabilities -- CAN-2004-1018 & CAN-2004-1019 & others
Last modified: 2007-04-18 13:22:28 EDT
integer overflow in pack() (CAN-2004-1018)
possible double free in unserializer (CAN-2004-1019)

------- Additional Comments From leonard@den.ottolander.nl 2005-01-23 02:24:33 ----
Created an attachment (id=971)
SPEC file and patches (taken from RHEL 2.1's php-4.1.2-2.2)

Tar contains a drop-in SPEC file for the previous release (4.1.2-7.3.10.legacy) and two patches for CAN-2004-1018 and CAN-2004-1019 taken from RHEL 2.1's php-4.1.2-2.2. SPEC file needs to be renamed. I can upload the signed (S)RPMs if you wish.

------- Additional Comments From deisenst@gtw.net 2005-02-01 22:00:32 ----
It looks like Dominic Hargreaves gave his nod for work on the RHL 7.3 updates for PHP to be continued here -- see Bug 2344#c58 (http://bugzilla.fedora.us/show_bug.cgi?id=2344#c58) and following comments. There seems to be some lack of consensus in Bug 2344 about the approach for a RHL 7.3 fix, but one fellow commented (in Bug 2344 comment 60) that the better approach might be to just take the RHEL 2.1 patch, which it looks like you have worked with, Leonard, though others seem to be continuing to work on fixing problems with patches in .src.rpm's already submitted. I would vote -- especially if you already have them available -- for you to go ahead and submit signed (S)RPMS in a PHP-signed message here. To that end, I am going to suggest (and make setting changes) that RHL 7.3 work continue in this bugzilla issue, and hope I don't get yelled at! :-)
- David

------- Additional Comments From deisenst@gtw.net 2005-02-01 22:05:54 ----
Heh, s/PHP-signed/PGP-signed/

------- Additional Comments From jpdalbec@ysu.edu 2005-02-02 03:17:27 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New RHL 7.3 RPMs are available from http://www.fedoralegacy.org/contrib/php/

sha1sums:
56aff65e3e4bd96f7d67841c568bb5cb00440b42  php-4.1.2-7.3.13.legacy.i386.rpm
1ca92dd658e52bd20dfa32af0679e2801fa614ee  php-4.1.2-7.3.13.legacy.src.rpm
9705bf428bf9f623a2e9ad9db3810f276f09b82f  php-devel-4.1.2-7.3.13.legacy.i386.rpm
91935e46c95cae8e428716cfb708c3c920f30e8b  php-imap-4.1.2-7.3.13.legacy.i386.rpm
508a2d92d3be043cf4db71673a683916b8686a41  php-ldap-4.1.2-7.3.13.legacy.i386.rpm
0edc9411f29863f027d560ee56fe16b3b4dd317c  php-manual-4.1.2-7.3.13.legacy.i386.rpm
46ad83228a7c7d52d931cda63a8de99bc2c1d0f7  php-mysql-4.1.2-7.3.13.legacy.i386.rpm
4a925b0cf8cc343f132c8f2faded04eac6139a25  php-odbc-4.1.2-7.3.13.legacy.i386.rpm
b7a4672d4dce582b538b13b5805cc5c86a624636  php-pgsql-4.1.2-7.3.13.legacy.i386.rpm
8086ca9603a49cef80a3168b8aad07ae60c58bd7  php-snmp-4.1.2-7.3.13.legacy.i386.rpm

I removed the CAN-2004-1018 patch from the OpenPKG backport patch file since there's a separate patch file for it. I've applied the rest of the OpenPKG backport patch in these RPMs since it seems to work now that the "filename" typo is fixed.

I installed php, php-imap, php-ldap, php-pgsql. I tested file uploads, SMTP, IMAP, LDAP, PostgreSQL, and FTP using Horde. No problems other than a pre-existing timeout issue with FTP connections. If anyone knows how to fix that I'd love to hear about it. It's been an issue since I installed vsftpd. (I could revert to wu-ftpd, I guess, but I'd prefer not to.)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCANHqJL4A+ldA7asRAhWUAJ9siW8qBApbYCg6YoZLwpqgAsp4pgCgw5rR
bcBhJxuNVjsn/tJuuNisNdg=
=XN1A
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-11 16:52:55 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on John's packages:

1ca92dd658e52bd20dfa32af0679e2801fa614ee  php-4.1.2-7.3.13.legacy.src.rpm

- Source files identical to previous release
- Patches are from RHEL and openpkg backport
- Spec file changes are good
- Builds, installs and runs.

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCDW/cLMAs/0C4zNoRAgnQAJ0XMH+Nk0fhlEHs7FElQ9jxaVhR+QCgvcI4
gjUpqECyXkxoeVeudeDsUiE=
=fTsd
-----END PGP SIGNATURE-----

------- Additional Comments From deisenst@gtw.net 2005-02-18 14:54:44 ----
Pushed to updates-testing. Pekka has put in a VERIFY vote for php-4.1.2-7.3.13.legacy (see Bug 2344 comment 67).

------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-28 15:42:57 ----
New packages were pushed to updates-testing. Please add comments to bug 2344.

------- Additional Comments From dom@earth.li 2005-03-07 07:47:25 ----
These updates introduced a problem described in bug 2444.

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:30 -------

This bug previously known as bug 2394 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2394
Originally filed under the Fedora Legacy product and Package request component.

Bug blocks bug(s) 2444.

Attachments:
SPEC file and patches for RHL 7.3 (taken from RHEL 2.1's php-4.1.2-2.2)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=971

Unknown priority P2. Setting to default priority "normal".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl@redhat.com. Previous reporter was leonard@den.ottolander.nl.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
These packages were officially released.
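The jpdalbec post above publishes a list of sha1sums for the RPMs so that anyone pulling them from the contrib directory can check what they downloaded. The script below is an added example, not part of the bug thread or of the Fedora Legacy tooling: it checks every entry of such a list against the files in a directory and fails closed on a missing or altered file. The sample files, their names and the manifest are constructed for the demonstration (the digests are the SHA-1 of the string "abc" and of an empty file); sha1_of, verify_manifest and make_sample are names chosen here.

```shell
#!/bin/sh
# Added example (not from the bug thread): verify downloaded packages against a
# published sha1sum list of the form "<hex digest>  <filename>", rejecting any
# file that is missing or whose digest differs.

sha1_of() {
    # Print the SHA-1 hex digest of the file named in $1.
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST DIR
# Prints one line per manifest entry (OK, MISMATCH or MISSING) and returns 0
# only if every entry matched a file under DIR.
verify_manifest() {
    manifest=$1
    dir=$2
    status=0
    while read -r expected name; do
        [ -n "$expected" ] || continue            # skip blank lines
        case $expected in '#'*) continue ;; esac  # skip comment lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING   $name"
            status=1
            continue
        fi
        actual=$(sha1_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed sample data: one good file, one whose content does not match its
# listed digest, and one entry with no file at all.
make_sample() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/good.rpm"      # SHA-1 a9993e36...
    : > "$dir/tampered.rpm"             # empty file, digest da39a3ee..., listed wrongly
    cat > "$dir/sha1sums.txt" <<EOF
a9993e364706816aba3e25717850c26c9cd0d89d  good.rpm
a9993e364706816aba3e25717850c26c9cd0d89d  tampered.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709  absent.rpm
EOF
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    verify_manifest "$d/sha1sums.txt" "$d"
    echo "exit status: $?"
fi
```

A digest list on its own only detects corruption or a mismatched download; it says nothing about who published the packages. The authenticity of the list in the post comes from its PGP signature, which is checked separately with `gpg --verify` against the poster's key, and the RPMs themselves carry signatures checked with `rpm --checksig`. SHA-1 is also no longer considered collision-resistant, so a list like this is evidence of integrity only in combination with that signature.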