atom feed4 messages in org.freebsd.freebsd-securityRe: Question on recent PHP VuXML info
FromSent OnAttachments
Andrew StormsSep 8, 2008 8:33 am 
Jille TimmermansSep 8, 2008 9:07 am 
Jeremy ChadwickSep 8, 2008 9:18 am 
Simon L. NielsenSep 9, 2008 1:49 pm 
Subject:Re: Question on recent PHP VuXML info
From:Jille Timmermans (jil@quis.cx)
Date:Sep 8, 2008 9:07:27 am
List:org.freebsd.freebsd-security

Andrew Storms wrote:

Not sure if this is the correct place for VuXML questions, but the FreeBSD VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty dead given the last update was in 2007 according to the archives.

We were previously tracking this entry, which pretty much sat for a while without an applicable upgradeable resolution available.

Affected package: php5-posix-5.2.6 Type of problem: php -- input validation error in posix_access function. Reference: <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 .html>

-----------

Then late last week, the same VuXML ID started reporting this information instead:

Affected package: php5-5.2.6 Type of problem: php -- input validation error in safe_mode. Reference: <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 .html>

------------

The generic question I'm asking is: What happened and why? Seems to me that if you have a VuXML ID (which, I thought wasn't suppose to be re-used), then it's name and description shouldn't just apparently change one day.

There was an input validation bug in a function that was used in all posix_ functions that used files (http://../ ended up in /) which bypassed safe_mode.

So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID, the same bug, a new description, does the newer supercede, etc, etc? Where can I get the background on what went on here?

It was only in the posix module, not in entire PHP.

ale@ took the fixing patch from PHP-cvs and attached it as a patch to the port a few days ago (or at least committed it) Afaik the vuxml also updated then; and I think ale@ took a look at the patch and changed the vuxml to say the portrevision with that patch wasn't vulnerable anymore, and also clearified the description.

-- Jille

Thanks.

-_S