Question on recent PHP VuXML info

Jille Timmermans jille at quis.cx
Mon Sep 8 16:34:17 UTC 2008 

Andrew Storms wrote:
> Not sure if this is the correct place for VuXML questions, but the FreeBSD
> VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
> dead given the last update was in 2007 according to the archives.
> 
> We were previously tracking this entry, which pretty much sat for a while
> without an applicable upgradeable resolution available.
> 
> Affected package: php5-posix-5.2.6
> Type of problem: php -- input validation error in posix_access function.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849
> .html>
> 
> -----------
> 
> Then late last week, the same VuXML ID started reporting this information
> instead:
> 
> Affected package: php5-5.2.6
> Type of problem: php -- input validation error in safe_mode.
> Reference: 
> <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849
> .html>
> 
> ------------
> 
> 
> The generic question I'm asking is: What happened and why?  Seems to me that
> if you have a VuXML ID (which, I thought wasn't suppose to be re-used), then
> it's name and description shouldn't just apparently change one day.
There was an input validation bug in a function that was used in all
posix_ functions that used files (http://../ ended up in /) which
bypassed safe_mode.
> 
> So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID,
> the same bug, a new description, does the newer supercede, etc, etc?  Where
> can I get the background on what went on here?
It was only in the posix module, not in entire PHP.

ale@ took the fixing patch from PHP-cvs and attached it as a patch to
the port a few days ago (or at least committed it)
Afaik the vuxml also updated then; and I think ale@ took a look at the
patch and changed the vuxml to say the portrevision with that patch
wasn't vulnerable anymore, and also clearified the description.

-- Jille
> 
> Thanks.
> 
> -_S
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

More information about the freebsd-security mailing list