Date: Wed, 1 Apr 2009 14:45:55 +0200 From: Tomas Hoger <thoger@...hat.com> To: OSS Security <oss-security@...ts.openwall.com> Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE request: PHP 5.2.9 Hi! PHP 5.2.9 was released some time ago, mentioning couple of security fixes, that do not seem to have CVEs assigned: http://www.php.net/releases/5_2_9.php # Fixed explode() behavior with empty string to respect negative limit. (Shire) http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.418.104.22.168.77&r2=1.422.214.171.124.78 Our maintainer has asked upstream about this one, as it changes behavior of explode() and does not have obvious security consequences. Upstream security team confirmed that this one was tagged as security by mistake. # Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre) http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=126.96.36.199&r2=188.8.131.52 This should only affect php 5.2.7 or versions that have original fix for CVE-2008-5658 backported. # Fixed a segfault when malformed string is passed to json_decode(). (Scott) http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=184.108.40.206&r2=220.127.116.11 This is PHP 5.2.0+ only, as previous versions do not have json extension. Only two CVEs should be needed. Thank you! -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.