Debian Bug report logs - #774154
php5: CVE-2014-9425: double free in Zend/zend_ts_hash.c


Package: php5; Maintainer for php5 is (unknown);

Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 29 Dec 2014 16:33:02 UTC

Severity: wishlist

Tags: fixed-upstream, security, upstream

Found in versions php5/5.6.4+dfsg-1, php5/5.4.4-14, php5/5.4.4-1

Fixed in version 5.6.26+dfsg-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.php.net/bug.php?id=68676



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#774154; Package php5. (Mon, 29 Dec 2014 16:33:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 29 Dec 2014 16:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: php5: double free in Zend/zend_ts_hash.c
Date: Mon, 29 Dec 2014 18:32:05 +0200

Package: php5
Version: 5.6.4+dfsg-1
Severity: important
Tags: security, fixed-upstream

Please see https://bugs.php.net/bug.php?id=68676 for details.

-- 
Henri Salo



Changed Bug title to 'CVE-2014-9425: php5: double free in Zend/zend_ts_hash.c' from 'php5: double free in Zend/zend_ts_hash.c' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 29 Dec 2014 16:48:17 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2014 18:12:16 GMT)


Changed Bug title to 'php5: CVE-2014-9425: double free in Zend/zend_ts_hash.c' from 'CVE-2014-9425: php5: double free in Zend/zend_ts_hash.c' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2014 18:12:17 GMT)


Marked as found in versions php5/5.4.4-14. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2014 18:18:11 GMT)


Marked as found in versions php5/5.4.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2014 18:18:19 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#774154; Package php5. (Mon, 29 Dec 2014 18:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 29 Dec 2014 18:39:04 GMT)


Message #20 received at 774154@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Henri Salo <henri@nerv.fi>, 774154@bugs.debian.org
Subject: Re: Bug#774154: php5: double free in Zend/zend_ts_hash.c
Date: Mon, 29 Dec 2014 19:36:30 +0100

Hi Henri,

On Mon, Dec 29, 2014 at 06:32:05PM +0200, Henri Salo wrote:
> Package: php5
> Version: 5.6.4+dfsg-1
> Severity: important
> Tags: security, fixed-upstream
> 
> Please see https://bugs.php.net/bug.php?id=68676 for details.

If I see it correctly, but please double check: the affected code is
present, but the corresponding code is only used if
--enable-maintainer-zts is passed to configure.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#774154; Package php5. (Tue, 30 Dec 2014 15:18:12 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 30 Dec 2014 15:18:12 GMT)


Message #25 received at 774154@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Salvatore Bonaccorso <carnil@debian.org>, Henri Salo <henri@nerv.fi>, 774154@bugs.debian.org
Subject: Re: [php-maint] Bug#774154: php5: double free in Zend/zend_ts_hash.c
Date: Tue, 30 Dec 2014 16:17:17 +0100

Control: severity -1 wishlist

On Mon, Dec 29, 2014, at 19:36, Salvatore Bonaccorso wrote:
> Hi Henri,
> 
> On Mon, Dec 29, 2014 at 06:32:05PM +0200, Henri Salo wrote:
> > Package: php5
> > Version: 5.6.4+dfsg-1
> > Severity: important
> > Tags: security, fixed-upstream
> > 
> > Please see https://bugs.php.net/bug.php?id=68676 for details.
> 
> If I see it correctly, but please double check: the affected code is
> present, but the corresponding code is only used if
> --enable-maintainer-zts is passed to configure.

I think you are correct. We don't compile PHP5 with ZTS in Debian.
Marking it as wishlist, since the bug is there, but it doesn't affect
us.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
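
Added example, not part of the bug log and not Debian or PHP project code: the thread's triage turns on whether a given build was configured with --enable-maintainer-zts, and this sketch classifies a build from `php -i` text. The function name `zts_status` and the two sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Classify a PHP build as ZTS ("zts"), non-ZTS ("nts") or "unknown"
# from `php -i` text on stdin. zts_status is a hypothetical helper name.
zts_status() {
    awk '
        # Runtime view reported by php -i, e.g. "Thread Safety => disabled"
        /^Thread Safety[ \t]*=>/ {
            ts = ($NF == "enabled") ? "zts" : "nts"
        }
        # Build-time view: flags recorded on the Configure Command line
        /^Configure Command[ \t]*=>/ {
            if (index($0, "--enable-maintainer-zts")) cfg = "zts"
            else if (cfg == "") cfg = "nts"
        }
        END {
            # Be conservative: either indicator of ZTS means "zts"
            if (ts == "zts" || cfg == "zts") print "zts"
            else if (ts == "nts" || cfg == "nts") print "nts"
            else print "unknown"
        }'
}

# Constructed sample: excerpt shaped like `php -i` from a non-ZTS build.
sample_nts() { cat <<'EOF'
PHP Version => 5.6.4
Configure Command =>  '../configure'  '--prefix=/usr' '--with-openssl'
Thread Safety => disabled
EOF
}

# Constructed sample: same excerpt for a build configured with ZTS.
sample_zts() { cat <<'EOF'
PHP Version => 5.6.4
Configure Command =>  './configure'  '--prefix=/opt/php' '--enable-maintainer-zts'
Thread Safety => enabled
EOF
}

echo "non-ZTS sample: $(sample_nts | zts_status)"
echo "ZTS sample:     $(sample_zts | zts_status)"
# On a real host: php -i | zts_status
```

Only a result of `zts` means the thread-safe hash code in Zend/zend_ts_hash.c is in use for that build; `unknown` means the input did not look like `php -i` output and should be checked by hand.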



Severity set to 'wishlist' from 'important' Request was from Ondřej Surý <ondrej@sury.org> to 774154-submit@bugs.debian.org. (Tue, 30 Dec 2014 15:18:12 GMT)


Set Bug forwarded-to-address to 'https://bugs.php.net/bug.php?id=68676'. Request was from Olivier Berger <obergix@debian.org> to control@bugs.debian.org. (Mon, 05 Jan 2015 14:12:05 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Fri, 13 Jan 2017 13:06:54 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 13 Jan 2017 13:06:54 GMT)


Message #34 received at 774154-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 413713-done@bugs.debian.org,440775-done@bugs.debian.org,447764-done@bugs.debian.org,500087-done@bugs.debian.org,618462-done@bugs.debian.org,628079-done@bugs.debian.org,639268-done@bugs.debian.org,643282-done@bugs.debian.org,697800-done@bugs.debian.org,715264-done@bugs.debian.org,727143-done@bugs.debian.org,730067-done@bugs.debian.org,731055-done@bugs.debian.org,752100-done@bugs.debian.org,759195-done@bugs.debian.org,760454-done@bugs.debian.org,774154-done@bugs.debian.org,774975-done@bugs.debian.org,776564-done@bugs.debian.org,778596-done@bugs.debian.org,782778-done@bugs.debian.org,783246-done@bugs.debian.org,788060-done@bugs.debian.org,789442-done@bugs.debian.org,789702-done@bugs.debian.org,790472-done@bugs.debian.org,790841-done@bugs.debian.org,792239-done@bugs.debian.org,795572-done@bugs.debian.org,797799-done@bugs.debian.org,799136-done@bugs.debian.org,799851-done@bugs.debian.org,800564-done@bugs.debian.org,801831-done@bugs.debian.org,803260-done@bugs.debian.org,803305-done@bugs.debian.org,805591-done@bugs.debian.org,810244-done@bugs.debian.org,811130-done@bugs.debian.org,814907-done@bugs.debian.org,815794-done@bugs.debian.org,815797-done@bugs.debian.org,817917-done@bugs.debian.org,819139-done@bugs.debian.org,827486-done@bugs.debian.org,828498-done@bugs.debian.org,833133-done@bugs.debian.org,833543-done@bugs.debian.org,834579-done@bugs.debian.org,841618-done@bugs.debian.org,845890-done@bugs.debian.org,846244-done@bugs.debian.org,848661-done@bugs.debian.org,849767-done@bugs.debian.org,664595-done@bugs.debian.org,
Cc: php5@packages.debian.org, php5@packages.qa.debian.org
Subject: Bug#841781: Removed package(s) from unstable
Date: Fri, 13 Jan 2017 13:05:30 +0000

Version: 5.6.26+dfsg-1+rm

Dear submitter,

as the package php5 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/841781

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Feb 2017 07:33:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:44:26 2023; Machine Name: bembo
