Debian Bug report logs - #422567
strip_tags() does not handle single quotes correctly


Package: php5; Maintainer for php5 is (unknown);

Reported by: "Sean W. Mahan" <sean@paragoogle.com>

Date: Mon, 7 May 2007 00:27:02 UTC

Severity: normal

Tags: pending

Found in version 5.2.0-8+etch3

Fixed in version php5/5.2.0-8+etch5~pu1

Done: sean finney <seanius@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#422567; Package php5. (full text, mbox, link).


Acknowledgement sent to "Sean W. Mahan" <sean@paragoogle.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Sean W. Mahan" <sean@paragoogle.com>
To: submit@bugs.debian.org
Subject: strip_tags() does not handle single quotes correctly
Date: Sun, 06 May 2007 17:26:14 -0700
Package: php5
Version: 5.2.0-8+etch3

This bug - apparently a regression - has already been reported to
the PHP team here: http://bugs.php.net/bug.php?id=40704
PHP's bug-tracking system reports that this issue was resolved in CVS as
of March 3rd, but it affects the current Debian stable package.  I am
copying Steffen Weber's example:

Reproduce code:
---------------
<?php
$html = "<div>Bug ' Trigger</div> Missing Text";
var_dump(strip_tags($html));
?>

Expected result:
----------------
Prints "Bug ' Trigger Missing Text".

Actual result:
--------------
Prints "Bug ' Trigger".


I presume this issue can be resolved by incorporating the appropriate
updated code for strip_tags() into Debian's build.
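
The reproducer above, run through a simplified model of a strip_tags()-style scanner (an added example, not part of the original report and not PHP's string.c). With fixed=1 it uses the quote condition from the patch posted later in this report; fixed=0 is an assumed model of the regression, and strip_tags_model, put_char and model_matches are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Append one byte to out, always leaving room for the terminating NUL. */
static void put_char(char *out, size_t outsz, size_t *n, char c)
{
    if (*n + 1 < outsz)
        out[(*n)++] = c;
}

/*
 * Simplified tag stripper (a model, not PHP's implementation).
 *   state : 0 = plain text, 1 = inside <...>
 *   in_q  : quote character currently open, or 0
 * fixed = 1: quotes are tracked only while inside a tag, following the
 *            condition added by the patch in this report.
 * fixed = 0: ASSUMPTION about the regression: the same quote tracking,
 *            but also applied to quotes that appear in plain text.
 * Returns the number of bytes written, excluding the NUL.
 */
size_t strip_tags_model(const char *buf, char *out, size_t outsz, int fixed)
{
    int state = 0;
    char in_q = 0;
    size_t n = 0;
    const char *p;

    if (outsz == 0)
        return 0;

    for (p = buf; *p != '\0'; p++) {
        switch (*p) {
        case '<':
            if (state == 0)
                state = 1;              /* tag opens; its bytes are dropped */
            break;
        case '>':
            if (in_q)
                break;                  /* '>' is ignored while a quote is open */
            if (state == 1)
                in_q = state = 0;       /* tag closes; same reset as the patch */
            else
                put_char(out, outsz, &n, *p);
            break;
        case '"':
        case '\'':
            if (state == 0)
                put_char(out, outsz, &n, *p);   /* quote in text is data */
            /* Toggle the open quote unless it is backslash-escaped or a
             * different quote character is already open. */
            if ((state || !fixed) && p != buf && *(p - 1) != '\\'
                && (!in_q || *p == in_q))
                in_q = in_q ? 0 : *p;
            break;
        default:
            if (state == 0)
                put_char(out, outsz, &n, *p);
            break;
        }
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 when the model's output for html equals want, else 0. */
int model_matches(const char *html, const char *want, int fixed)
{
    char out[256];

    strip_tags_model(html, out, sizeof out, fixed);
    return strcmp(out, want) == 0;
}

int main(void)
{
    /* Reproducer string from the report. */
    const char *html = "<div>Bug ' Trigger</div> Missing Text";
    /* Constructed input: '>' inside a quoted attribute value. */
    const char *attr = "<a title=\"x > y\">link</a>";
    char out[256];

    strip_tags_model(html, out, sizeof out, 0);
    printf("regressed: \"%s\"\n", out);
    strip_tags_model(html, out, sizeof out, 1);
    printf("fixed:     \"%s\"\n", out);
    strip_tags_model(attr, out, sizeof out, 1);
    printf("attribute: \"%s\"\n", out);
    return 0;
}
```

In the fixed=0 run the apostrophe in the text leaves a quote open, so the '>' of the closing tag is ignored and everything after it is treated as tag content and dropped.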



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#422567; Package php5. (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 422567@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: "Sean W. Mahan" <sean@paragoogle.com>, 422567@bugs.debian.org
Subject: Re: [php-maint] Bug#422567: strip_tags() does not handle single quotes correctly
Date: Mon, 07 May 2007 07:51:33 +0200
hi sean,

On Sun, 2007-05-06 at 17:26 -0700, Sean W. Mahan wrote:
> This bug - apparently a regression - has already been reported to
> the PHP team here: http://bugs.php.net/bug.php?id=40704
> PHP's bug-tracking system reports that this issue was resolved in CVS as
> of March 3rd, but it affects the current Debian stable package.  I am
> copying Steffen Weber's example:
> 
> I presume this issue can be resolved by incorporating the appropriate
> updated code for strip_tags() into Debian's build.

unfortunately, it's difficult and time consuming for us to track down
the fixes for bugs like this, esp when the folks at php.net often don't
give any clues beyond "fixed in CVS" and an approximate date (in this
case there's a filename in the BR too at least, but that was thanks to
the reporter)

so if you are willing to take the time to dig up the fix we can consider
whether it warrants an update to the stable branch of php.


	sean


Acknowledgement sent to "Sean W. Mahan" <sean@paragoogle.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #15 received at 422567@bugs.debian.org (full text, mbox, reply):

From: "Sean W. Mahan" <sean@paragoogle.com>
To: sean finney <seanius@debian.org>
Cc: 422567@bugs.debian.org
Subject: Re: [php-maint] Bug#422567: strip_tags() does not handle single quotes correctly
Date: Mon, 07 May 2007 00:55:29 -0700
> so if you are willing to take the time to dig up the fix we can consider
> whether it warrants an update to the stable branch of php.
>   

Thanks for getting back to me, Sean,

The fix is in ext/standard/string.c - here's the PHP.net diff to the
previous version:

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.44&r2=1.445.2.14.2.45

I must admit I don't know anything about C or your preferred method.
The line numbers are different, but I downloaded the php5 source package
and pasted the changes in on the appropriate lines.  Pasted below is a
diff of the Debian-provided php5-5.2.0/ext/standard/string.c for
5.2.0-8+etch3, and a copy with the affected lines added.

Please let me know if there's a more appropriate way to submit this. 
Thanks for your work on Debian!

-Sean


4179c4179
<                                               state = 0;
---
>                                               in_q = state = 0;
4194c4194
<                                                       state = 0;
---
>                                                       in_q = state = 0;
4200c4200
<                                               state = 0;
---
>                                               in_q = state = 0;
4206c4206
<                                                       state = 0;
---
>                                                       in_q = state = 0;
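Review bot: the four replacements at 4179, 4194, 4200 and 4206 come with no context lines, so it is not possible to see which tag-closing branches they sit in or whether every place that sets state = 0 now also clears in_q. A path that leaves in_q set would carry an open quote from one tag into the text that follows it. Please regenerate with diff -u so the surrounding case labels are visible, and confirm that no other state = 0 assignment in the function was missed.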
4230a4231,4237
>                               if (state && p != buf && *(p-1) != '\\'
&& (!in_q || *p == in_q)) {
>                                       if (in_q) {
>                                               in_q = 0;
>                                       } else {
>                                               in_q = *p;
>                                       }
>                               }
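Review bot: the escape test `*(p-1) != '\\'` in the added condition looks back only one byte, so a quote that follows an escaped backslash is still treated as escaped and in_q is not toggled; check this against upstream's intent and cover it with a test case. Separately, the first added line has been wrapped by the mail client (the continuation `&& (!in_q || *p == in_q)) {` has no `>` marker), so the hunk will not apply as pasted; send the patch as an attachment.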






Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #20 received at 422567@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: "Sean W. Mahan" <sean@paragoogle.com>
Cc: 422567@bugs.debian.org
Subject: Re: [php-maint] Bug#422567: strip_tags() does not handle single quotes correctly
Date: Mon, 07 May 2007 18:21:28 +0200
On Mon, 2007-05-07 at 00:55 -0700, Sean W. Mahan wrote:
> 
> Thanks for getting back to me, Sean,
> 
> The fix is in ext/standard/string.c - here's the PHP.net diff to the
> previous version:
> 
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.44&r2=1.445.2.14.2.45

okay, thanks for finding this.

> I must admit I don't know anything about C or your preferred method.
> The line numbers are different, but I downloaded the php5 source package
> and pasted the changes in on the appropriate lines.  Pasted below is a
> diff of the Debian-provided php5-5.2.0/ext/standard/string.c for
> 5.2.0-8+etch3, and a copy with the affected lines added.
> 
> Please let me know if there's a more appropriate way to submit this. 

for future reference, "diff -u" is the preferred diff output format,
which you can also get from the above url by following the link towards
"patch".   assuming the patch applies cleanly, that's really all we
need.

i'll ping one of the release managers and ask what they think about
adding the fix for this.  it's a pretty small patch so they might
actually say yes.


	sean


Acknowledgement sent to Penny Leach <penny@she.geek.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #25 received at 422567@bugs.debian.org (full text, mbox, reply):

From: Penny Leach <penny@she.geek.nz>
To: Debian Bug Tracking System <422567@bugs.debian.org>
Subject: php5: update to release manager ping?
Date: Tue, 15 May 2007 12:54:20 +1200
Package: php5
Version: 5.2.0-8+etch3
Followup-For: Bug #422567

Hi Sean - is there an update on this? I'm starting to see a lot of people being hit by this problem.  I've pinned all the machines I have control over but webapps running on php5 are starting to get bug reports about it :)

Cheers
Penny


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)





Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #30 received at 422567@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Penny Leach <penny@she.geek.nz>, 422567@bugs.debian.org, "Sean W. Mahan" <sean@paragoogle.com>
Subject: Re: [php-maint] Bug#422567: php5: update to release manager ping?
Date: Tue, 15 May 2007 20:42:32 +0200
hi penny, sean,

On Tue, 2007-05-15 at 12:54 +1200, Penny Leach wrote:
> Package: php5
> Version: 5.2.0-8+etch3
> Followup-For: Bug #422567
> 
> Hi Sean - is there an update on this? I'm starting to see a lot of people being hit by this problem.  I've pinned all the machines I have control over but webapps running on php5 are starting to get bug reports about it :)

i haven't followed up yet with the release managers, sorry about that. 

however, i've backported the fix out of cvs and built some packages for
testing.  you can put

deb http://people.debian.org/~seanius/php5/etch ./

in your sources.list (i'd recommend only temporarily) and then you should
be able to apt-get upgrade to it.  or you can just go to that url and
fetch the debs manually.  you also get a few minor not-yet-released
security fixes for free :)

md5sums (if you're paranoid) :



i've run the test code provided by sean and it seems fixed in the new
version, but i need some brave souls to try it out and make sure that
it didn't introduce any further regressions :)  so, could you give it a
shot and let me know either way?



thanks,
	sean

Bug marked as not found in version 5.2.2-1. Request was from sean finney <seanius@debian.org> to control@bugs.debian.org. (Tue, 15 May 2007 19:24:02 GMT) (full text, mbox, link).




Acknowledgement sent to Martin Langhoff <martin@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #37 received at 422567@bugs.debian.org (full text, mbox, reply):

From: Martin Langhoff <martin@catalyst.net.nz>
To: 422567@bugs.debian.org
Subject: Testing the new package...
Date: Wed, 16 May 2007 17:17:17 +1200
Talked briefly with Penny about running `make test` in the builddir and
whether the tests included with PHP cover strip_tags().

I don't remember if the dpkg toolchain has an easy way to optionally run
make test during the build. A quick grep of the testsuite doesn't turn
up any instance of strip_tags.

cheers,


m
-- 
-----------------------------------------------------------------------
Martin @ Catalyst .Net .NZ  Ltd, PO Box 11-053, Manners St,  Wellington
WEB: http://catalyst.net.nz/           PHYS: Level 2, 150-154 Willis St
OFFICE: +64(4)916-7224  UK: 0845 868 5733 ext 7224  MOB: +64(21)364-017
      Make things as simple as possible, but no simpler - Einstein
-----------------------------------------------------------------------





Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #42 received at 422567@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Martin Langhoff <martin@catalyst.net.nz>, 422567@bugs.debian.org
Subject: Re: [php-maint] Bug#422567: Testing the new package...
Date: Wed, 16 May 2007 08:34:17 +0200
hi martin,

On Wed, 2007-05-16 at 17:17 +1200, Martin Langhoff wrote:
> Talked briefly with Penny about running `make test` in the builddir and
> whether the tests included with PHP cover strip_tags().
> 
> I don't remember if the dpkg toolchain has an easy way to optionally run
> make test during the build. A quick grep of the testsuite doesn't turn
> up any instance of strip_tags.

i think later versions of php5 (5.2.2) have a test guarding for this,
but that wasn't part of the patch i backported.  about running tests
during build in general, yes i think it's a good idea to have the tests
run as part of the build procedure.  in fact this was discussed as
recently as a week or two ago... the only reason it hasn't been done is
a lack of time--most of my php time gets spent on security issues lately,
it seems :(


	sean


Acknowledgement sent to "Richard Burton" <richard@atomwide.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #47 received at 422567@bugs.debian.org (full text, mbox, reply):

From: "Richard Burton" <richard@atomwide.com>
To: <422567@bugs.debian.org>
Subject: Have run this on test box about to try it on live setup
Date: Wed, 16 May 2007 11:37:11 +0100
Hi all

I have tested Sean's new version and it seems to work fine on my test
box, I will be rolling this out to 1 of our live servers running
multiple copies of Moodle later today, will let you know how I get on.

Kind Regards
 
Richard Burton
 
--
Richard Burton at Atomwide Ltd Tel 0870 236 5000 Fax 0871 236 5000
Unit 2, Ravensquay Business Centre,
Cray Avenue, Orpington, Kent, BR5 4BQ
Mailto:richard@atomwide.com               http://www.atomwide.com/
--
Atomwide Ltd is a company registered in England and Wales with company
number 2142875





Acknowledgement sent to "Richard Burton" <richard@atomwide.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #52 received at 422567@bugs.debian.org (full text, mbox, reply):

From: "Richard Burton" <richard@atomwide.com>
To: <422567@bugs.debian.org>
Subject: Feedback on testing of updated packages
Date: Fri, 18 May 2007 10:28:30 +0100
Hi all

I have now been running

php5-mysql_5.2.0-8+etch5~pu1_i386.deb
php5-gd_5.2.0-8+etch5~pu1_i386.deb
php5-common_5.2.0-8+etch5~pu1_i386.deb
libapache2-mod-php5_5.2.0-8+etch5~pu1_i386.deb

with eaccelerator 0.9.5 for the best part of 2 days and have not had any
reports of adverse effects.

Kind Regards
 
Richard Burton
 
--
Richard Burton at Atomwide Ltd Tel 0870 236 5000 Fax 0871 236 5000
Unit 2, Ravensquay Business Centre,
Cray Avenue, Orpington, Kent, BR5 4BQ
Mailto:richard@atomwide.com               http://www.atomwide.com/
--
Atomwide Ltd is a company registered in England and Wales with company
number 2142875



Tags added: pending Request was from Sean Finney <seanius@alioth.debian.org> to control@bugs.debian.org. (Wed, 23 May 2007 20:06:11 GMT) (full text, mbox, link).




Acknowledgement sent to Penny Leach <penny@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #59 received at 422567@bugs.debian.org (full text, mbox, reply):

From: Penny Leach <penny@catalyst.net.nz>
To: 422567@bugs.debian.org
Subject: security update in etch has same problem
Date: Thu, 24 May 2007 10:54:54 +1200

Hi Sean,

I installed the updated package this morning:

 *** 5.2.0-8+etch4 0
        500 http://security.debian.org etch/updates/main Packages

And it still has the same problem....

I'm attaching the script that I've been testing with (obfuscated, it's a
forum post)

The version from http://people.debian.org/~seanius/php5/etch works
perfectly though.



Penny


--
Penny Leach | penny@catalyst.net.nz  | +64 21 736 695
Catalyst IT | http://catalyst.net.nz | +64 4 803 2218
GPG 8347 00FC B5BF 6CC0 0FC9 AB90 1875 120A A30E C22B


[php5bug.php (application/x-php, inline)]



Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #64 received at 422567@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Penny Leach <penny@catalyst.net.nz>, 422567@bugs.debian.org
Subject: Re: [php-maint] Bug#422567: security update in etch has same problem
Date: Thu, 24 May 2007 07:50:01 +0200
hi penny et al,

On Thursday 24 May 2007 00:54, Penny Leach wrote:
> Hi Sean,
>
> I installed the updated package this morning:
>
>  *** 5.2.0-8+etch4 0
>         500 http://security.debian.org etch/updates/main Packages
>
> And it still has the same problem....

right.  that package is the same as the normal etch version, plus a few unrelated 
security fixes.  so both should be broken, but that one should be a little 
safer :)

anyway, after speaking with the SRM's they've decided that this is an 
acceptable update to stable, so the version i posted on people.debian.org 
should make it into the next point release of stable.  thanks to everyone who 
spent the time to test it and report back.


	sean


Acknowledgement sent to Martin Langhoff <martin@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #69 received at 422567@bugs.debian.org (full text, mbox, reply):

From: Martin Langhoff <martin@catalyst.net.nz>
To: sean finney <seanius@debian.org>, 422567@bugs.debian.org
Cc: Penny Leach <penny@catalyst.net.nz>
Subject: Re: Bug#422567: [php-maint] Bug#422567: security update in etch has same problem
Date: Thu, 24 May 2007 21:31:01 +1200
sean finney wrote:
> right.  that package is the same as the normal etch version, plus a few unrelated 
> security fixes.  so both should be broken, but that one should be a little 
> safer :)
> 
> anyway, after speaking with the SRM's they've decided that this is an 
> acceptable update to stable, so the version i posted on people.debian.org 
> should make it into the next point release of stable.  thanks to everyone who 
> spent the time to test it and report back.

Sean,

thanks for the update. This means that the regression introduced with
the security upload is going to stay there for a while (until we get a
point release of stable)?

If so... it sounds pretty bad. Debian is used widely in the hosting
space, where PHP is bread-and-butter. And this is a dataloss bug: users
post their forms, and any passable CMS will run html-ish content past
strip_tags() which will eat valid user input. Oooops!

I'm not convinced that it's a good idea to sit on this regression... the
options seem to be

 - new secure package, eats data for breakfast (default)
 - pin the package to the old vulnerable, non-data-eating
 - use unofficial packages
 - avoid etch

cheers


m





Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #74 received at 422567@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Martin Langhoff <martin@catalyst.net.nz>
Cc: 422567@bugs.debian.org, Penny Leach <penny@catalyst.net.nz>
Subject: Re: Bug#422567: [php-maint] Bug#422567: security update in etch has same problem
Date: Thu, 24 May 2007 16:56:28 +0200
hi martin

On Thursday 24 May 2007 11:31, Martin Langhoff wrote:
> thanks for the update. This means that the regression introduced with
> the security upload is going to stay there for a while (until we get a
> point release of stable)?

was the regression introduced by the security upload, or was it just generally 
a problem with 5.2.0?  as far as i knew it was the latter... ?

> I'm not convinced that it's a good idea to sit on this regression... the
> options seem to be
>
>  - new secure package, eats data for breakfast (default)
>  - pin the package to the old vulnerable, non-data-eating
>  - use unofficial packages
>  - avoid etch

the unofficial packages have all of the recent security vulnerabilities in 
them as well, so i don't think it's so bad to have to use them.  and as far 
as the next point release goes, it should be Real Soon Now.


	sean


Acknowledgement sent to Martin Langhoff <martin@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #79 received at 422567@bugs.debian.org (full text, mbox, reply):

From: Martin Langhoff <martin@catalyst.net.nz>
To: sean finney <seanius@debian.org>
Cc: 422567@bugs.debian.org, Penny Leach <penny@catalyst.net.nz>
Subject: Re: Bug#422567: security update in etch has same problem
Date: Fri, 25 May 2007 08:10:19 +1200
sean finney wrote:
> was the regression introduced by the security upload, or was it just generally 
> a problem with 5.2.0?  as far as i knew it was the latter... ?

No - the problem was introduced by Etch+3. There's a security patch that
supposedly fixes handling of nulls in strip_tags() -- which introduces
this regression. I think it was the initial patch that the PHP folk put
together, and then later fixed up.

The debian package has the initial patch with the regression, but not
the subsequent fixup.

> the unofficial packages have all of the recent security vulnerabilities in 
> them as well, so i don't think it's so bad to have to use them.  and as far 
> as the next point release goes, it should be Real Soon Now.

I don't know how soon is RSN -- I hope it's Really RSN so we don't have
to worry ;-) -- but Etch has a working unsafe PHP, while Etch+security
has a broken PHP.

Re unofficial packages, all I can say is THANKS, but... I am sure 90% of
the sysadmins looking after Etch boxes with PHP installed in production
don't know there's even a problem. Users will lose data, complain, and
after much pain and dataloss eventually clued-up sysadmins will read
this bug and find your packages. Having it fixed in security.d.o makes a
lot more sense...

cheers,


m
-- 
-----------------------------------------------------------------------
Martin @ Catalyst .Net .NZ  Ltd, PO Box 11-053, Manners St,  Wellington
WEB: http://catalyst.net.nz/           PHYS: Level 2, 150-154 Willis St
OFFICE: +64(4)916-7224  UK: 0845 868 5733 ext 7224  MOB: +64(21)364-017
      Make things as simple as possible, but no simpler - Einstein
-----------------------------------------------------------------------





Acknowledgement sent to Penny Leach <penny@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #84 received at 422567@bugs.debian.org (full text, mbox, reply):

From: Penny Leach <penny@catalyst.net.nz>
To: Martin Langhoff <martin@catalyst.net.nz>, 422567@bugs.debian.org
Subject: Re: Bug#422567: security update in etch has same problem
Date: Fri, 25 May 2007 08:45:19 +1200

Martin Langhoff wrote:


hey can you stop CCing me on these? I am actually subscribed to the bug :)



--
Penny Leach | penny@catalyst.net.nz  | +64 21 736 695
Catalyst IT | http://catalyst.net.nz | +64 4 803 2218
GPG 8347 00FC B5BF 6CC0 0FC9 AB90 1875 120A A30E C22B







Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #89 received at 422567@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Martin Langhoff <martin@catalyst.net.nz>
Cc: 422567@bugs.debian.org
Subject: Re: Bug#422567: security update in etch has same problem
Date: Thu, 24 May 2007 23:25:28 +0200
On Thursday 24 May 2007 22:10, Martin Langhoff wrote:
> No - the problem was introduced by Etch+3. There's a security patch that
> supposedly fixes handling of nulls in strip_tags() -- which introduces
> this regression. I think it was the initial patch that the PHP folk put
> together, and then later fixed up.
>
> The debian package has the initial patch with the regression, but not
> the subsequent fixup.

okay, thanks for helping with the clarifications.  if it was a regression in 
the security update then it's possible that an update could also go through 
via another security update.  i'll go ahead and merge it into the etch branch  
and then you'll get it from either the stable point release or the next
security release, whichever comes first.  


	sean


Acknowledgement sent to Penny Leach <penny@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #94 received at 422567@bugs.debian.org (full text, mbox, reply):

From: Penny Leach <penny@catalyst.net.nz>
To: 422567@bugs.debian.org
Subject: Re: Bug#422567: security update in etch has same problem
Date: Fri, 25 May 2007 09:42:55 +1200

sean finney wrote:
> okay, thanks for helping with the clarifications.  if it was a regression in 
> the security update then it's possible that an update could also go through 
> via another security update.  i'll go ahead and merge it into the etch branch  
> and then you'll get it from either the stable point release or the next
> security release, whichever comes first.  


Hey Sean, that would be fantastic.  Thanks a lot for being so responsive
on this bug :)

Penny


--
Penny Leach | penny@catalyst.net.nz  | +64 21 736 695
Catalyst IT | http://catalyst.net.nz | +64 4 803 2218
GPG 8347 00FC B5BF 6CC0 0FC9 AB90 1875 120A A30E C22B





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#422567; Package php5.


Acknowledgement sent to Martin Langhoff <martin@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #99 received at 422567@bugs.debian.org:

From: Martin Langhoff <martin@catalyst.net.nz>
To: 422567@bugs.debian.org
Subject: Re: Bug#422567: security update in etch has same problem
Date: Fri, 25 May 2007 09:55:50 +1200
Penny Leach wrote:
> Hey Sean, that would be fantastic.  Thanks a lot for being so responsive
> on this bug :)

<aol>! :-)

m




Reply sent to sean finney <seanius@debian.org>:
You have taken responsibility.


Notification sent to "Sean W. Mahan" <sean@paragoogle.com>:
Bug acknowledged by developer.


Message #104 received at 422567-close@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: 422567-close@bugs.debian.org
Subject: Bug#422567: fixed in php5 5.2.0-8+etch5~pu1
Date: Sat, 02 Jun 2007 09:41:53 +0000
Source: php5
Source-Version: 5.2.0-8+etch5~pu1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/libapache-mod-php5_5.2.0-8+etch5~pu1_amd64.deb
libapache2-mod-php5_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5_5.2.0-8+etch5~pu1_amd64.deb
php-pear_5.2.0-8+etch5~pu1_all.deb
  to pool/main/p/php5/php-pear_5.2.0-8+etch5~pu1_all.deb
php5-cgi_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-cgi_5.2.0-8+etch5~pu1_amd64.deb
php5-cli_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-cli_5.2.0-8+etch5~pu1_amd64.deb
php5-common_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-common_5.2.0-8+etch5~pu1_amd64.deb
php5-curl_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-curl_5.2.0-8+etch5~pu1_amd64.deb
php5-dev_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-dev_5.2.0-8+etch5~pu1_amd64.deb
php5-gd_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-gd_5.2.0-8+etch5~pu1_amd64.deb
php5-imap_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-imap_5.2.0-8+etch5~pu1_amd64.deb
php5-interbase_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-interbase_5.2.0-8+etch5~pu1_amd64.deb
php5-ldap_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-ldap_5.2.0-8+etch5~pu1_amd64.deb
php5-mcrypt_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-mcrypt_5.2.0-8+etch5~pu1_amd64.deb
php5-mhash_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-mhash_5.2.0-8+etch5~pu1_amd64.deb
php5-mysql_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-mysql_5.2.0-8+etch5~pu1_amd64.deb
php5-odbc_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-odbc_5.2.0-8+etch5~pu1_amd64.deb
php5-pgsql_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-pgsql_5.2.0-8+etch5~pu1_amd64.deb
php5-pspell_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-pspell_5.2.0-8+etch5~pu1_amd64.deb
php5-recode_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-recode_5.2.0-8+etch5~pu1_amd64.deb
php5-snmp_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-snmp_5.2.0-8+etch5~pu1_amd64.deb
php5-sqlite_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-sqlite_5.2.0-8+etch5~pu1_amd64.deb
php5-sybase_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-sybase_5.2.0-8+etch5~pu1_amd64.deb
php5-tidy_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-tidy_5.2.0-8+etch5~pu1_amd64.deb
php5-xmlrpc_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-xmlrpc_5.2.0-8+etch5~pu1_amd64.deb
php5-xsl_5.2.0-8+etch5~pu1_amd64.deb
  to pool/main/p/php5/php5-xsl_5.2.0-8+etch5~pu1_amd64.deb
php5_5.2.0-8+etch5~pu1.diff.gz
  to pool/main/p/php5/php5_5.2.0-8+etch5~pu1.diff.gz
php5_5.2.0-8+etch5~pu1.dsc
  to pool/main/p/php5/php5_5.2.0-8+etch5~pu1.dsc
php5_5.2.0-8+etch5~pu1_all.deb
  to pool/main/p/php5/php5_5.2.0-8+etch5~pu1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 422567@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
sean finney <seanius@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 23 May 2007 21:55:51 +0200
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc php5-pspell libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-tidy php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mcrypt php5-mysql php5-common php5-imap php5-snmp php5-dev php5-sqlite libapache-mod-php5 php5-interbase
Architecture: source amd64 all
Version: 5.2.0-8+etch5~pu1
Distribution: proposed-updates
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: sean finney <seanius@debian.org>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 422567
Changes: 
 php5 (5.2.0-8+etch5~pu1) proposed-updates; urgency=low
 .
   * fix for regression in single quote escaping (closes: #422567).
Files: 




Tags added: pending Request was from Sean Finney <seanius@alioth.debian.org> to control@bugs.debian.org. (Sat, 02 Jun 2007 10:06:01 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Jul 2007 07:42:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jun 5 00:05:35 2023; Machine Name: bembo
