Debian Bug report logs - #540611
php5: exif buffer overread
Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Sun, 9 Aug 2009 06:18:01 UTC
Severity: important
Tags: security
Merged with 535888
Found in versions php5/5.2.0-8+etch13, php5/5.2.6.dfsg.1-1+lenny3, php5/5.2.9.dfsg.1-4
Fixed in versions 5.2.10.dfsg.1-2, php5/5.3.0-1, php5/5.2.6.dfsg.1-1+lenny4, php5/5.2.0+dfsg-8+etch16
Done: Raphael Geissert <geissert@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540611; Package php5.
(Sun, 09 Aug 2009 06:18:04 GMT)
Acknowledgement sent
to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 09 Aug 2009 06:18:04 GMT)
Message #5 received at submit@bugs.debian.org:
package: php5
version: 5.2.0-8+etch13
severity: important
tags: security
hello, it has been disclosed that php is vulnerable to a buffer
over-read in versions before 5.2.10. see:
http://secunia.com/advisories/35441/
http://www.vupen.com/english/advisories/2009/1632
Reply sent
to Raphael Geissert <geissert@debian.org>:
You have taken responsibility.
(Mon, 10 Aug 2009 02:03:07 GMT)
Notification sent
to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Mon, 10 Aug 2009 02:03:07 GMT)
Message #10 received at 540611-done@bugs.debian.org:
On Sunday 09 August 2009 01:13:42 Michael S. Gilbert wrote:
>
> hello, it has been disclosed that php is vulnerable to a buffer
> over-read in versions before 5.2.10. see:
You already reported it as #535888, there's no need to report it more than
once.
And no, reopening the report is *not necessary*, the BTS knows what versions
are affected. *Take a look at the graph at the top if necessary*
And adding another entry to the security tracker doesn't help either.
>
> http://secunia.com/advisories/35441/
> http://www.vupen.com/english/advisories/2009/1632
>
Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540611; Package php5.
(Mon, 10 Aug 2009 03:00:03 GMT)
Acknowledgement sent
to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 10 Aug 2009 03:00:03 GMT)
Message #15 received at 540611@bugs.debian.org:
On Sun, 9 Aug 2009 21:02:36 -0500 Raphael Geissert wrote:
> On Sunday 09 August 2009 01:13:42 Michael S. Gilbert wrote:
> >
> > hello, it has been disclosed that php is vulnerable to a buffer
> > over-read in versions before 5.2.10. see:
>
> You already reported it as #535888, there's no need to report it more than
> once.
> And no, reopening the report is *not necessary*, the BTS knows what versions
> are affected. *Take a look at the graph at the top if necessary*
>
> And adding another entry to the security tracker doesn't help either.
i apologize for the mistake. when issues don't get assigned a common
number, it's easy to miss the fact that different reports are actually
the same issue. it was not my intent to open a duplicate bug, it looked
like this was new.
maybe it's just me, but dealing with issues in multiple releases with
the debian bts is non-obvious and a major pain. is the "*right*" way
to do this documented somewhere?
mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540611; Package php5.
(Mon, 10 Aug 2009 06:21:03 GMT)
Acknowledgement sent
to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 10 Aug 2009 06:21:03 GMT)
Message #20 received at 540611@bugs.debian.org:
hi michael,
On Sun, Aug 09, 2009 at 10:57:09PM -0400, Michael S. Gilbert wrote:
> maybe it's just me, but dealing with issues in multiple releases with
> the debian bts is non-obvious and a major pain. is the "*right*" way
> to do this documented somewhere?
i've brought this up in the past on -devel because i also find it
annoying. i wasn't given a good solution apart from "you can probably
do it with usertags", which is more of a cop out than anything else
imho :(
fyi i'm out on vacation now so won't have any time to put forward on
php related stuff for at least another week if not two.
sean
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540611; Package php5.
(Mon, 10 Aug 2009 16:24:26 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 10 Aug 2009 16:24:26 GMT)
Message #25 received at 540611@bugs.debian.org:
Hi,
* Michael S. Gilbert <michael.s.gilbert@gmail.com> [2009-08-10 05:07]:
> On Sun, 9 Aug 2009 21:02:36 -0500 Raphael Geissert wrote:
> > On Sunday 09 August 2009 01:13:42 Michael S. Gilbert wrote:
> > >
> > > hello, it has been disclosed that php is vulnerable to a buffer
> > > over-read in versions before 5.2.10. see:
> >
> > You already reported it as #535888, there's no need to report it more than
> > once.
> > And no, reopening the report is *not necessary*, the BTS knows what versions
> > are affected. *Take a look at the graph at the top if necessary*
> >
> > And adding another entry to the security tracker doesn't help either.
>
> i apologize for the mistake. when issues don't get assigned a common
> number, it's easy to miss the fact that different reports are actually
> the same issue. it was not my intent to open a duplicate bug, it looked
> like this was new.
>
> maybe it's just me, but dealing with issues in multiple releases with
> the debian bts is non-obvious and a major pain. is the "*right*" way
> to do this documented somewhere?
http://wiki.debian.org/BugsVersionTracking maybe helps you.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540611; Package php5.
(Mon, 10 Aug 2009 16:54:03 GMT)
Acknowledgement sent
to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 10 Aug 2009 16:54:03 GMT)
Message #30 received at 540611@bugs.debian.org:
On Mon, 10 Aug 2009 08:17:44 +0200, sean finney wrote:
> hi michael,
>
> On Sun, Aug 09, 2009 at 10:57:09PM -0400, Michael S. Gilbert wrote:
> > maybe it's just me, but dealing with issues in multiple releases with
> > the debian bts is non-obvious and a major pain. is the "*right*" way
> > to do this documented somewhere?
>
> i've brought this up in the past on -devel because i also find it
> annoying. i wasn't given a good solution apart from "you can probably
> do it with usertags", which is more of a cop out than anything else
> imho :(
>
> fyi i'm out on vacation now so won't have any time to put forward on
> php related stuff for at least another week if not two.
ok, thanks for the info. have a good one.
mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540611; Package php5.
(Mon, 10 Aug 2009 17:06:04 GMT)
Acknowledgement sent
to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 10 Aug 2009 17:06:04 GMT)
Message #35 received at 540611@bugs.debian.org:
On Mon, 10 Aug 2009 18:05:57 +0200, Nico Golde wrote:
> > maybe it's just me, but dealing with issues in multiple releases with
> > the debian bts is non-obvious and a major pain. is the "*right*" way
> > to do this documented somewhere?
>
> http://wiki.debian.org/BugsVersionTracking maybe helps you.
thanks for the link. this makes it clear how the system is supposed
to work, but it also makes it clear that the system is rather broken --
at least from the standpoint that bugs get closed on the first fix,
rather than when all releases are either fixed or marked as not
affected.
i guess i'll just deal with the broken system as is...
mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540611; Package php5.
(Mon, 10 Aug 2009 18:39:05 GMT)
Message #38 received at 540611@bugs.debian.org:
# if it's the same bug, merge it; don't just close it.
forcemerge 535888 540611
thanks
On Mon, 10 Aug 2009, Michael S. Gilbert wrote:
> On Mon, 10 Aug 2009 18:05:57 +0200, Nico Golde wrote:
> > > maybe it's just me, but dealing with issues in multiple releases
> > > with the debian bts is non-obvious and a major pain. is the
> > > "*right*" way to do this documented somewhere?
> >
> > http://wiki.debian.org/BugsVersionTracking maybe helps you.
>
> thanks for the link. this makes it clear how the system is supposed
> to work, but it also makes it clear that the system is rather broken
> -- at least from the standpoint that bugs get closed on the first
> fix, rather than when all releases are either fixed or marked as not
> affected.
Bugs are marked as -done when someone has taken action that fixes the
problem somewhere. The "-done"-ness of a bug is orthogonal to whether
a bug is fixed, absent, or present at a particular version. [It's
included primarily because it's needed for bugs which don't have any
versioning information and because it provides information as to
whether some fix has been found and uploaded for the issue.]
Assuming you've done your job properly, and documented in a changelog
when you've fixed a particular bug, and marked the appropriate
versions as found, everything should be handled correctly.
If you want to know about outstanding issues for a particular
distribution, append the appropriate dist= option for that
distribution.
If you have particular questions about how the BTS works, or you're
unsure as to the proper way to do something, feel free to ask on
debian-debbugs@lists.debian.org or on #debbugs or #debian-bugs on IRC,
or you can track me down if necessary. [But the former three options
almost invariably result in me responding anyway.]
Don Armstrong
--
I may not have gone where I intended to go, but I think I have ended
up where I needed to be.
-- Douglas Adams _The Long Dark Tea-Time of the Soul_
http://www.donarmstrong.com http://rzlab.ucr.edu
Forcibly Merged 535888 540611.
Request was from Don Armstrong <don@debian.org>
to control@bugs.debian.org.
(Mon, 10 Aug 2009 18:39:07 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 14 Sep 2009 07:29:02 GMT)
Bug unarchived.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Sun, 22 Nov 2009 00:42:08 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 03 Jan 2010 07:27:49 GMT)