Debian Bug report logs - #527560
php5: double free() error in latest etch security update


Package: php5; Maintainer for php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5 is src:php5.

Reported by: sean finney <seanius@debian.org>

Date: Fri, 8 May 2009 06:48:02 UTC

Severity: important

Found in version 5.2.0+dfsg-8+etch15

Fixed in version php5/5.2.0+dfsg-8+etch16

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#527560; Package php5. (Fri, 08 May 2009 06:48:04 GMT)

Acknowledgement sent to sean finney <seanius@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 08 May 2009 06:48:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: double free() error in latest etch security update
Date: Fri, 08 May 2009 08:46:28 +0200
Package: php5
Version: 5.2.0+dfsg-8+etch15
Severity: important


as reported in <b8c1ff272e7661ce4ab612b601f3b606.squirrel@wm.kinkhorst.nl>:

> It seems that there were some side effects. Since the upgrade we've PHP
> crashes with:
> *** glibc detected *** double free or corruption (fasttop): 0x08718200
> ***
> 
> The crash occurs inside the extractTo function, please tell me if you
> need any additional information.

and i can confirm the problem, which only seems to occur with certain
types of zipfiles/error conditions.


	sean

- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5 depends on:
ii  libapache2-mod-php5       5.2.9.dfsg.1-2 server-side, HTML-embedded scripti
ii  php5-common               5.2.9.dfsg.1-2 Common files for packages built fr

php5 recommends no packages.

php5 suggests no packages.

- -- no debconf information





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#527560; Package php5. (Fri, 08 May 2009 09:03:03 GMT)

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 08 May 2009 09:03:03 GMT)

Message #10 received at 527560@bugs.debian.org:

From: Sean Finney <seanius@debian.org>
To: 527560@bugs.debian.org
Cc: ,control@bugs.debian.org
Subject: [debian/debian-etch] fix for double-free regression in patch CVE-2008-5658
Date: Fri, 08 May 2009 09:01:28 +0000
tag 527560 pending
thanks

Date: Fri May 8 08:36:55 2009 +0200
Author: Sean Finney <seanius@debian.org>
Commit ID: ea2f84271823f0bf1fd048c163ca11255c632363
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=ea2f84271823f0bf1fd048c163ca11255c632363
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=ea2f84271823f0bf1fd048c163ca11255c632363

    fix for double-free regression in patch CVE-2008-5658

    Closes: #527560
    Thanks: Sébastien Le Ray <s.le_ray@eutech-ssii.com>
      




Tags added: pending Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Fri, 08 May 2009 09:03:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#527560; Package php5. (Fri, 08 May 2009 09:15:17 GMT)

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 08 May 2009 09:15:17 GMT)

Message #17 received at 527560@bugs.debian.org:

From: Sean Finney <seanius@debian.org>
To: 527560@bugs.debian.org, Sébastien Le Ray <s.le_ray@eutech-ssii.com>
Subject: Re: [php-maint] Bug#527560: [debian/debian-etch] fix for double-free regression in patch CVE-2008-5658
Date: Fri, 8 May 2009 11:14:29 +0200
hi sébastien,

i've prepared a tentative fix at:

deb http://people.debian.org/~seanius/php/etch ./

could you try it and provide feedback if it resolves the problem (and if there
are any further problems)?


thanks!
	sean

On Fri, May 08, 2009 at 09:01:28AM +0000, Sean Finney wrote:
> tag 527560 pending
> thanks
> 
> Date: Fri May 8 08:36:55 2009 +0200
> Author: Sean Finney <seanius@debian.org>
> Commit ID: ea2f84271823f0bf1fd048c163ca11255c632363
> Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=ea2f84271823f0bf1fd048c163ca11255c632363
> Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=ea2f84271823f0bf1fd048c163ca11255c632363
> 
>     fix for double-free regression in patch CVE-2008-5658
> 
>     Closes: #527560
>     Thanks: Sébastien Le Ray <s.le_ray@eutech-ssii.com>
>       
> 
> 
> 


Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Sat, 05 Dec 2009 22:36:07 GMT)

Notification sent to sean finney <seanius@debian.org>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 22:36:07 GMT)

Message #22 received at 527560-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 527560-close@bugs.debian.org
Subject: Bug#527560: fixed in php5 5.2.0+dfsg-8+etch16
Date: Sat, 05 Dec 2009 22:34:27 +0000
Source: php5
Source-Version: 5.2.0+dfsg-8+etch16

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/libapache-mod-php5_5.2.0+dfsg-8+etch16_amd64.deb
libapache2-mod-php5_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/libapache2-mod-php5_5.2.0+dfsg-8+etch16_amd64.deb
php-pear_5.2.0+dfsg-8+etch16_all.deb
  to main/p/php5/php-pear_5.2.0+dfsg-8+etch16_all.deb
php5-cgi_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-cgi_5.2.0+dfsg-8+etch16_amd64.deb
php5-cli_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-cli_5.2.0+dfsg-8+etch16_amd64.deb
php5-common_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-common_5.2.0+dfsg-8+etch16_amd64.deb
php5-curl_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-curl_5.2.0+dfsg-8+etch16_amd64.deb
php5-dev_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-dev_5.2.0+dfsg-8+etch16_amd64.deb
php5-gd_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-gd_5.2.0+dfsg-8+etch16_amd64.deb
php5-imap_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-imap_5.2.0+dfsg-8+etch16_amd64.deb
php5-interbase_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-interbase_5.2.0+dfsg-8+etch16_amd64.deb
php5-ldap_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-ldap_5.2.0+dfsg-8+etch16_amd64.deb
php5-mcrypt_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-mcrypt_5.2.0+dfsg-8+etch16_amd64.deb
php5-mhash_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-mhash_5.2.0+dfsg-8+etch16_amd64.deb
php5-mysql_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-mysql_5.2.0+dfsg-8+etch16_amd64.deb
php5-odbc_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-odbc_5.2.0+dfsg-8+etch16_amd64.deb
php5-pgsql_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-pgsql_5.2.0+dfsg-8+etch16_amd64.deb
php5-pspell_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-pspell_5.2.0+dfsg-8+etch16_amd64.deb
php5-recode_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-recode_5.2.0+dfsg-8+etch16_amd64.deb
php5-snmp_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-snmp_5.2.0+dfsg-8+etch16_amd64.deb
php5-sqlite_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-sqlite_5.2.0+dfsg-8+etch16_amd64.deb
php5-sybase_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-sybase_5.2.0+dfsg-8+etch16_amd64.deb
php5-tidy_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-tidy_5.2.0+dfsg-8+etch16_amd64.deb
php5-xmlrpc_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-xmlrpc_5.2.0+dfsg-8+etch16_amd64.deb
php5-xsl_5.2.0+dfsg-8+etch16_amd64.deb
  to main/p/php5/php5-xsl_5.2.0+dfsg-8+etch16_amd64.deb
php5_5.2.0+dfsg-8+etch16.diff.gz
  to main/p/php5/php5_5.2.0+dfsg-8+etch16.diff.gz
php5_5.2.0+dfsg-8+etch16.dsc
  to main/p/php5/php5_5.2.0+dfsg-8+etch16.dsc
php5_5.2.0+dfsg-8+etch16_all.deb
  to main/p/php5/php5_5.2.0+dfsg-8+etch16_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 527560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 24 Nov 2009 00:16:19 -0600
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc php5-pspell libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-tidy php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mcrypt php5-mysql php5-common php5-imap php5-snmp php5-dev php5-sqlite libapache-mod-php5 php5-interbase
Architecture: source amd64 all
Version: 5.2.0+dfsg-8+etch16
Distribution: oldstable-security
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 527560 535888
Changes: 
 php5 (5.2.0+dfsg-8+etch16) oldstable-security; urgency=high
 .
   [ Sean Finney ]
   * fix for double-free regression in patch CVE-2008-5658 (Closes: #527560)
     - thanks to Sébastien Le Ray <s.le_ray@eutech-ssii.com>
 .
   [ Raphael Geissert ]
   * CVE-2009-2687: DoS via malformed JPEG images with invalid offset fields
      (Closes: #535888)
   * CVE-2009-3292: multiple missing checks processing exif image data
   * CVE-2009-3291: improper handling of nul character in CommonName fields
       of X509 certificates
   * max_file_uploads: prevent, by limiting, temporary files exhaustion DoS
   * Add an entry to debian/NEWS about the new per-request file uploads limit





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Jan 2010 07:30:49 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 20:26:02 2014; Machine Name: buxtehude.debian.org
