Debian Bug report logs - #506706
php5: CVE-2008-3658 patch not completely implemented.
Reported by: Jan-Willem Korver <janwillem@fruitlounge.com>
Date: Sun, 23 Nov 2008 22:03:02 UTC
Severity: normal
Found in version php5/5.2.0-8+etch13
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#506706; Package php5.
(Sun, 23 Nov 2008 22:03:04 GMT)
Acknowledgement sent
to Jan-Willem Korver <janwillem@fruitlounge.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Your message specified a Severity: in the pseudo-header, but
the severity value normal / exempt was not recognised.
The default severity normal is being used instead.
The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed.
(Sun, 23 Nov 2008 22:03:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: 5.2.0-8+etch13
Severity: normal / exempt
Justification: no longer builds from source (in some cases)
The "CVE-2008-3658: Buffer overflow in the imageloadfont function." patch makes a call to the overflow2() function which is an undefined reference.
That particular function is defined in gd_security.c which is part of the php5 source tree but is not included in this Debian source package.
As a result the package will fail to build when it is configured to include the bundled GD library which comes with php5 rather than linking to the shared version which it defaults to.
As it is Debian policy to build this package against the shared GD library that comes with the distribution, this report will never be an issue.
For the record and completeness I thought it would be best to make mention of it anyway.
Jan-Willem Korver (janwillem@fruitlounge.com)
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23-1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages php5 depends on:
ii libapache2-mod- 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii php5-cgi 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii php5-common 5.2.0-8+etch13 Common files for packages built fr
php5 recommends no packages.
-- no debconf information
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Fri, 08 Jan 2010 16:42:04 GMT)
Notification sent
to Jan-Willem Korver <janwillem@fruitlounge.com>:
Bug acknowledged by developer.
(Fri, 08 Jan 2010 16:42:04 GMT)
Message #10 received at 506706-done@bugs.debian.org:
Not an issue in debian php5.
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 06 Feb 2010 07:27:23 GMT)
Last modified: Sun Jul 2 03:07:39 2023