Comment 17 for bug 485973

Luca, you are correct about the USN. The patch in the USN came from Debian but the code in Ubuntu is not built since php-imap is broken out (and therefore, unfortunately, not tested). Looking at the patch, a lot of the differences can be attributed to changing the memory allocation for 'string' from static to dynamic, but there are other changes that are not as clear.

Marc pointed out to me that the patch is from http://patch-tracker.debian.org/patch/series/view/php5/5.2.6.dfsg.1-1+lenny4/CVE-2008-2829.patch. It looks like all of Devid's patches for hardy and later match this patch. I checked the Debian BTS and couldn't find any regressions from applying this patch.

Sorry for the confusion, though this could have been avoided if the debdiffs followed DEP-3 and gave links to the upstream bug and commits.