Hi Markus and Roberto

On Tuesday 12 February 2019 02:13 AM, Markus Koschany wrote:
> Hello,
>
> I noticed that both of you work on PHP5. Please coordinate the next
> upload. We should package version 5.6.40 which will fix all known
> issues. I have contacted secur...@php.net and they confirmed to me that
> they will assign new CVE numbers shortly.
That was very stupid of me. I was working on CVE-2018-1000888 in php-pear, and this ships via php5 in jessie. I didn't notice php5 had already entered dla-needed.txt and I went directly from changing php-pear to php5. Anyway, I'll release a DLA for my upload.

--abhijith
diff -Nru php5-5.6.39+dfsg/debian/changelog php5-5.6.39+dfsg/debian/changelog --- php5-5.6.39+dfsg/debian/changelog 2018-12-17 02:58:06.000000000 +0530 +++ php5-5.6.39+dfsg/debian/changelog 2019-02-11 17:49:14.000000000 +0530 @@ -1,3 +1,12 @@ +php5 (5.6.39+dfsg-0+deb8u2) jessie-security; urgency=medium + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2018-1000888: CWE-915 vulnerability in the Archive_Tar class + of php-pear + - Update d/rules to accomodate new patch + + -- Abhijith PA <abhij...@debian.org> Mon, 11 Feb 2019 17:38:14 +0530 + php5 (5.6.39+dfsg-0+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the LTS Team. diff -Nru php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch --- php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch 1970-01-01 05:30:00.000000000 +0530 +++ php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch 2019-02-11 17:32:34.000000000 +0530 @@ -0,0 +1,20 @@ +Origin: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000888 +Bug-Debian: https://bugs.debian.org/919147 +Bug: https://pear.php.net/bugs/bug.php?id=23782 +Author: Abhijith PA <abhij...@debian.org> +Index: Archive/Tar.php +=================================================================== +--- a/Archive/Tar.php ++++ b/Archive/Tar.php +@@ -1767,6 +1767,10 @@ class Archive_Tar extends PEAR + */ + private function _maliciousFilename($file) + { ++ if (strpos($file, 'phar://') === 0) { ++ return true; ++ } ++ + if (strpos($file, '/../') !== false) { + return true; + } diff -Nru php5-5.6.39+dfsg/debian/rules php5-5.6.39+dfsg/debian/rules --- php5-5.6.39+dfsg/debian/rules 2018-12-17 02:58:06.000000000 +0530 +++ php5-5.6.39+dfsg/debian/rules 2019-02-11 17:35:43.000000000 +0530 
@@ -279,6 +279,7 @@ $(CURDIR)/pear-build/usr/bin/peardev sed -i -re "s#('PEAR_CONFIG_SYSCONFDIR', PHP_SYSCONFDIR)#\1 . '/pear'#" $(CURDIR)/pear-build/usr/share/php/PEAR/Config.php patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-Builder-print-info-about-php5-dev.patch + patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-CVE-2018-1000888.patch touch build-pear-stamp configure: configure-apache2-stamp configure-apache2filter-stamp configure-cli-stamp configure-phpdbg-stamp configure-embed-stamp configure-fpm-stamp configure-cgi-stamp
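Review bot: typo in the debian/changelog hunk, "accomodate" should be "accommodate". The same entry would also be clearer if it said what the d/rules change does rather than "accommodate new patch", for example "Update d/rules to apply debian/PEAR-CVE-2018-1000888.patch to the bundled PEAR tree", since that is exactly what the added `patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-CVE-2018-1000888.patch` line in the rules hunk does.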
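Review bot: the new check added to `_maliciousFilename()` in debian/PEAR-CVE-2018-1000888.patch is case-sensitive (`strpos($file, 'phar://') === 0`), but PHP's stream-wrapper lookup falls back to a lowercased copy of the scheme, so the scheme portion of a path is effectively case-insensitive and this test only rejects the exact lowercase spelling. Prefer `stripos($file, 'phar://') === 0`, or, since no legitimate tar member name needs a stream wrapper at all, reject any name carrying a `scheme://` prefix, e.g. `if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $file)) { return true; }`, which also covers wrappers other than phar. The Origin header shows this mirrors the referenced upstream commit, so if the intent is a faithful backport, say so in the header (DEP-3 style would be `Origin: upstream, https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76`) and note the case-sensitivity limitation there, rather than listing a Debian `Author:` for code taken verbatim from upstream.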