Hi Markus and Roberto

On Tuesday 12 February 2019 02:13 AM, Markus Koschany wrote:
> Hello,
> 
> I noticed that both of you work on PHP5. Please coordinate the next
> upload. We should package version 5.6.40 which will fix all known
> issues. I have contacted secur...@php.net and they confirmed to me that
> they will assign new CVE numbers shortly.

That was very stupid of me. I was working on CVE-2018-1000888 in
php-pear and this ships via php5 in jessie. I didn't notice that php5
had already entered dla-needed.txt and I went directly from changing
php-pear to php5. Anyway, I'll release a DLA for my upload.

--abhijith
diff -Nru php5-5.6.39+dfsg/debian/changelog php5-5.6.39+dfsg/debian/changelog
--- php5-5.6.39+dfsg/debian/changelog   2018-12-17 02:58:06.000000000 +0530
+++ php5-5.6.39+dfsg/debian/changelog   2019-02-11 17:49:14.000000000 +0530
@@ -1,3 +1,12 @@
+php5 (5.6.39+dfsg-0+deb8u2) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2018-1000888: CWE-915 vulnerability in the Archive_Tar class
+    of php-pear
+    - Update d/rules to accomodate new patch 
+
+ -- Abhijith PA <abhij...@debian.org>  Mon, 11 Feb 2019 17:38:14 +0530
+
 php5 (5.6.39+dfsg-0+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS Team.
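Review bot: the changelog line "Update d/rules to accomodate new patch" has a typo ("accommodate") and a trailing space; both are cosmetic but end up verbatim in the published DLA text, so fix them before upload. Since the patch header already references Bug-Debian 919147, consider adding "(Closes: #919147)" to the CVE bullet so the bug is closed automatically when the upload is accepted.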
diff -Nru php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch 
php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch
--- php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch 1970-01-01 
05:30:00.000000000 +0530
+++ php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch 2019-02-11 
17:32:34.000000000 +0530
@@ -0,0 +1,20 @@
+Origin: 
https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
+Bug-Debian-Security: 
https://security-tracker.debian.org/tracker/CVE-2018-1000888
+Bug-Debian: https://bugs.debian.org/919147
+Bug: https://pear.php.net/bugs/bug.php?id=23782
+Author: Abhijith PA <abhij...@debian.org>
+Index: Archive/Tar.php
+===================================================================
+--- a/Archive/Tar.php
++++ b/Archive/Tar.php
+@@ -1767,6 +1767,10 @@ class Archive_Tar extends PEAR
+      */
+     private function _maliciousFilename($file)
+     {
++        if (strpos($file, 'phar://') === 0) {
++            return true;
++        }
++
+         if (strpos($file, '/../') !== false) {
+             return true;
+         }
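Review bot: the new guard `strpos($file, 'phar://') === 0` is a case-sensitive prefix check, but PHP resolves stream-wrapper scheme names case-insensitively, so a tar entry named `PHAR://...` or `Phar://...` passes this check and still reaches the file functions that trigger the phar metadata unserialization. The same applies to any other wrapper that is not `phar://` (`file://`, `ftp://`, ...), which this check does not consider at all. Rejecting any entry whose name contains a scheme separator, for example `if (strpos($file, '://') !== false) { return true; }` (or at minimum `stripos($file, 'phar://') === 0`), would close both gaps while keeping the existing `/../` traversal check below intact. The DEP-3 header is also missing a Description line summarizing what the patch does; a one-line "Description: reject phar:// entry names in Archive_Tar to prevent deserialization via phar metadata" would help the next reviewer.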
diff -Nru php5-5.6.39+dfsg/debian/rules php5-5.6.39+dfsg/debian/rules
--- php5-5.6.39+dfsg/debian/rules       2018-12-17 02:58:06.000000000 +0530
+++ php5-5.6.39+dfsg/debian/rules       2019-02-11 17:35:43.000000000 +0530
@@ -279,6 +279,7 @@
               $(CURDIR)/pear-build/usr/bin/peardev
        sed -i -re "s#('PEAR_CONFIG_SYSCONFDIR', PHP_SYSCONFDIR)#\1 . '/pear'#" 
$(CURDIR)/pear-build/usr/share/php/PEAR/Config.php
        patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i 
$(CURDIR)/debian/PEAR-Builder-print-info-about-php5-dev.patch
+       patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i 
$(CURDIR)/debian/PEAR-CVE-2018-1000888.patch
        touch build-pear-stamp
 
 configure: configure-apache2-stamp configure-apache2filter-stamp 
configure-cli-stamp configure-phpdbg-stamp configure-embed-stamp 
configure-fpm-stamp configure-cgi-stamp
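Review bot: applying the patch to the bundled Archive_Tar under pear-build at build time, mirroring the existing PEAR-Builder patch line above it, is the right approach since quilt cannot reach the PEAR tarball unpacked there; one suggestion is to drop the `-s` flag for this security patch so the build log records that the hunk in Archive/Tar.php actually applied (with `-s` a clean apply is silent and only a failure is visible through make aborting on patch's non-zero exit status).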
