CVE-2008-5557: heap overflows in the mbstring extension

Bug #317672 reported by Mark Lee
Affects / Status / Importance / Assigned to / Milestone
php5 (Ubuntu): Fix Released / Undecided / Unassigned
Hardy: Fix Released / Undecided / Unassigned

Bug Description

Binary package hint: php5

See: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5557

The patch in question has been applied in Debian as of 5.2.6.dfsg.1-1, and I have also applied the patch in the php5 source package I maintain in my PPA: <https://launchpad.net/~malept/+archive>

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package php5 - 5.2.6-2ubuntu4.1

---------------
php5 (5.2.6-2ubuntu4.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via crafted font file. (LP: #286851)
    - debian/patches/120-SECURITY-CVE-2008-3658.patch: make sure font->nchars,
      font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
      test script ext/gd/tests/imageloadfont_invalid.phpt.
    - CVE-2008-3658
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via the delimiter argument to the explode function. (LP: #286851)
    - debian/patches/121-SECURITY-CVE-2008-3659.patch: make sure needle_length
      is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
      script ext/standard/tests/strings/explode_bug.phpt.
    - CVE-2008-3659
  * SECURITY UPDATE: denial of service via a request with multiple dots
    preceding the extension. (ex: foo..php) (LP: #286851)
    - debian/patches/122-SECURITY-CVE-2008-3660.patch: improve .. cleaning with
      a new is_valid_path() function in sapi/cgi/cgi_main.c.
    - CVE-2008-3660
  * SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
    string containing HTML entity. (LP: #317672)
    - debian/patches/123-SECURITY-CVE-2008-5557.patch: improve
      mbfl_filt_conv_html_dec_flush() error handling in
      ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
    - CVE-2008-5557
  * SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
    settings.
    - debian/patches/124-SECURITY-CVE-2008-5624.patch: make sure the page_uid
      and page_gid get initialized properly in ext/standard/basic_functions.c.
      Also, init server_context before processing config variables in
      sapi/apache/mod_php5.c.
    - CVE-2008-5624
  * SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
    entry in a .htaccess file.
    - debian/patches/125-SECURITY-CVE-2008-5625.patch: enforce restrictions
      when merging in dir entry in sapi/apache/mod_php5.c and
      sapi/apache2handler/apache_config.c.
    - CVE-2008-5625
  * SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
    file with dot-dot filenames.
    - debian/patches/126-SECURITY-CVE-2008-5658.patch: clean up filename paths
      in ext/zip/php_zip.c with new php_zip_realpath_r(),
      php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
    - CVE-2008-5658

 -- Marc Deslauriers <email address hidden> Mon, 26 Jan 2009 08:43:21 -0500

Changed in php5:
status: New → Fix Released
Thierry Carrez (ttx)
Changed in php5 (Ubuntu Hardy):
status: New → Fix Released
This report contains Public Security information.
Everyone can see this security-related information.