ports/153719: lang/php5 is vulnerable
Chris Tandiono
christandiono at tbp.berkeley.edu
Thu Jan 6 08:40:10 UTC 2011
>Number: 153719
>Category: ports
>Synopsis: lang/php5 is vulnerable
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 06 08:40:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Chris Tandiono
>Release: 8.0-RELEASE-p3
>Organization:
>Environment:
FreeBSD host.local 8.0-RELEASE-p3 FreeBSD 8.0-RELEASE-p3 #0: Wed May 26 05:45:12 UTC 2010 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
lang/php5 5.3.4 is vulnerable to a DoS attack involving floating point numbers (when compiled with the default CFLAGS).
>How-To-Repeat:
Compile php5 from ports without specifying SSE math instructions. The produced 387 instructions will cause PHP to infinite loop on certain floating point numbers.
>Fix:
Arch Linux has a "PHP 5.3.5" but AFAICT it's not been released yet. One workaround is to enable SSE instructions at compile-time.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list