Your message dated Thu, 13 Aug 2009 17:26:56 -0500
with message-id <[email protected]>
and subject line Re: [php-maint] Bug#530914: CVE-2008-5498: Array index error
in the imageRotate function in PHP 5.2.8 and earlier
has caused the Debian Bug report #530914,
regarding CVE-2008-5498: Array index error in the imageRotate function in PHP
5.2.8 and earlier
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
530914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530914
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php5
Version: 5.2.6.dfsg.1-1+lenny3
Severity: normal
Tags: patch
CVE-2008-5498 describes a potential remote vulnerability in imageRotate:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
A PCI scan rated this as Medium severity and I need it fixed to pass the scan.
Patch from upstream:
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.23&r2=1.90.2.1.2.24&sortby=date&view=patch
--- /repository/php-src/ext/gd/libgd/gd.c 2008/07/31 09:22:17 1.90.2.1.2.23
+++ /repository/php-src/ext/gd/libgd/gd.c 2008/12/10 13:33:10 1.90.2.1.2.24
@@ -3136,7 +3136,7 @@
return NULL;
}
- if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) {
+ if (!gdImageTrueColor(src) && (clrBack < 0 ||
clrBack>=gdImageColorsTotal(src))) {
return NULL;
}
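Review bot: the added `clrBack < 0` test in this hunk only works if `clrBack` is a signed type, and the hunk does not show the parameter's declaration; if it were unsigned the new sub-expression would be dead code and the negative-index case the fix targets would still reach the palette arrays. Worth confirming the signature of the enclosing function and adding a one-line comment above the `if` noting that the old condition bounded `clrBack` only from above, so callers could pass a negative palette index through; the rest of the condition (palette images only, upper bound unchanged) looks right.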
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: powerpc (ppc64)
Kernel: Linux 2.6.26-2-powerpc64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
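The hunk in the report above adds the missing lower bound on `clrBack`. As an added illustration, not code from PHP, libgd or this bug report, the C program below models that check against a small constructed palette image and shows that the pre-patch condition accepts a negative index (which would read the palette arrays before their start) while the patched condition rejects it. The `PaletteImage` struct, the sample image, and every function name here are assumptions made for the example.

```c
/*
 * Added example, not code from PHP, libgd or this bug report.
 * Models the palette-index check CVE-2008-5498 concerns: the "before"
 * test only bounds clrBack from above, so a negative value is accepted
 * and would index the palette arrays before their start. The struct,
 * the sample image and all function names here are assumptions.
 */
#include <stdio.h>

#define MAX_COLORS 256

/* Constructed stand-in for the palette part of a gd image. */
typedef struct {
    int trueColor;        /* 0 = palette image, 1 = truecolor */
    int colorsTotal;      /* number of valid palette entries */
    int red[MAX_COLORS];
    int green[MAX_COLORS];
    int blue[MAX_COLORS];
} PaletteImage;

/* The condition as it stood before the patch: upper bound only. */
int bg_index_ok_before(const PaletteImage *img, int clrBack)
{
    if (!img->trueColor && clrBack >= img->colorsTotal) {
        return 0;
    }
    return 1;
}

/* The condition as the patch makes it: lower bound added. */
int bg_index_ok_after(const PaletteImage *img, int clrBack)
{
    if (!img->trueColor && (clrBack < 0 || clrBack >= img->colorsTotal)) {
        return 0;
    }
    return 1;
}

/* Builds a constructed 4-colour palette image with red[i] = 10 * i. */
PaletteImage make_sample_image(void)
{
    PaletteImage img = { .trueColor = 0, .colorsTotal = 4 };
    for (int i = 0; i < img.colorsTotal; i++) {
        img.red[i] = 10 * i;
        img.green[i] = 10 * i + 1;
        img.blue[i] = 10 * i + 2;
    }
    return img;
}

/* Convenience wrappers over the sample image; return 1 = accepted. */
int before_accepts(int clrBack)
{
    PaletteImage img = make_sample_image();
    return bg_index_ok_before(&img, clrBack);
}

int after_accepts(int clrBack)
{
    PaletteImage img = make_sample_image();
    return bg_index_ok_after(&img, clrBack);
}

/* Reads red[clrBack] only once the patched check has passed; returns -1
 * for an index the check rejects, so red[] is never indexed with a
 * negative or oversized value. */
int sample_red(int clrBack)
{
    PaletteImage img = make_sample_image();
    if (!bg_index_ok_after(&img, clrBack)) {
        return -1;
    }
    return img.red[clrBack];
}

int main(void)
{
    const int probes[] = { 0, 3, 4, -1, -100000 };
    const int n = (int)(sizeof probes / sizeof probes[0]);
    for (int i = 0; i < n; i++) {
        printf("clrBack=%8d  before:%-6s  after:%-6s\n", probes[i],
               before_accepts(probes[i]) ? "accept" : "reject",
               after_accepts(probes[i]) ? "accept" : "reject");
    }
    return 0;
}
```

Running it prints one line per probe: indexes 0 and 3 are accepted by both conditions, 4 is rejected by both, and -1 and -100000 are accepted only by the pre-patch condition, which is exactly the gap the one-line fix closes.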
--- Begin Message ---
Hi,
I'm closing this report since nobody seems to be interested in it.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---