Date:      Sun, 15 Oct 2006 19:49:55 +0200
From:      Thomas <freebsdlists@bsdunix.ch>
To:        Jonathan Horne <freebsd@dfwlp.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PHP new vulnerabilities
Message-ID:  <453274C3.7090409@bsdunix.ch>
In-Reply-To: <200610151239.12127.freebsd@dfwlp.com>
References:  <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com>

Hi Jonathan

Jonathan Horne schrieb:
> On Sunday 15 October 2006 08:12, Joerg Pernfuss wrote:
>> On Sun, 15 Oct 2006 14:31:25 +0200
>>
>> "Khaled J. Hussein" <khaled@hadara.ps> wrote:
>>> Hi all,
>>>
>>> Last time I found this when I ran portaudit -Fda:
>>>
>>> Affected package: php5-5.1.6
>>> Type of problem: php -- _ecalloc Integer Overflow Vulnerability.
>>> Reference:
>>> <http://www.FreeBSD.org/ports/portaudit/e329550b-54f7-11db-a5ae-00508d6a62df.html>
>>>
>>> How can I fix this?
>> Update your ports tree. You'll get php5-5.1.6_1, which fixes the _ecalloc
>> overflow, but not yet the open_basedir race condition.
>>
>> 	Joerg
> 
> I've been scratching my head on this one for a few days too. I have a box at 
> home that is running 6.2-PRERELEASE. When I try to install the lang/php5 
> port, I get:
> 
> [root@athena /usr/ports/lang/php5]# make install clean    
> ===>  php5-5.1.6_1 has known vulnerabilities:
> => php -- open_basedir Race Condition Vulnerability.
>    Reference: 
> <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>;
> => Please update your ports tree and try again.
> *** Error code 1
> 
> Stop in /usr/ports/lang/php5.
> 
> However, my server is running the same port, with no issue whatsoever.
> 
> [root@zeus /etc/mail]# pkg_info | grep php5
> php5-5.1.6_1
> (and many extensions too)
> 
> Perplexing that one box could have it, while another one (using the same 
> updated ports tree) refuses it. Could it be related to the code branch I'm 
> following on my workstation versus my server?

Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
can use:
make -DDISABLE_VULNERABILITIES install clean
It will ignore the vuxml entry.

Cheers,
Thomas
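As an added example, not part of the thread or of the FreeBSD ports framework: a small POSIX sh script that imitates, offline, the check that portaudit and the ports tree's vulnerability target run against the VuXML data. It shows why php5-5.1.6 trips two entries, why php5-5.1.6_1 still trips the open_basedir one, how a build proceeds once DISABLE_VULNERABILITIES is set, and how a box whose audit file predates the open_basedir entry (Thomas's explanation for the server) passes the same package. The audit entries, the simplified range syntax ("pkg<version", "pkg<=version"), the version comparator and the installed-package list are all constructed for the demo; on a real system the check reads the portaudit database and compares versions with pkg_version -t.

```sh
#!/bin/sh
# Added example, not from the thread: an offline imitation of the check that
# portaudit and the ports framework run against VuXML data.  The audit
# entries, the simplified range syntax and the package names below are
# constructed for the demo.

# Constructed entries, one per line: "<pkg><op><version>|<vid>|<description>".
# "php5<5.1.6_1" means every php5 version below 5.1.6_1 is affected.
AUDIT_DB='php5<5.1.6_1|e329550b-54f7-11db-a5ae-00508d6a62df|php -- _ecalloc Integer Overflow Vulnerability
php5<=5.1.6_1|edabe438-542f-11db-a5ae-00508d6a62df|php -- open_basedir Race Condition Vulnerability'

# Compare two package versions of the form N.N.N[_PORTREVISION] and print
# -1, 0 or 1.  Letters, PORTEPOCH (",N") and the other forms pkg_version -t
# understands are deliberately not handled by this demo comparator.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, ap, "_"); split(b, bp, "_")
        na = split(ap[1], ac, "[.]"); nb = split(bp[1], bc, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in ac) ? ac[i] + 0 : 0
            y = (i in bc) ? bc[i] + 0 : 0
            if (x != y) { r = (x < y) ? -1 : 1; print r; exit }
        }
        ra = (2 in ap) ? ap[2] + 0 : 0     # missing _N counts as revision 0
        rb = (2 in bp) ? bp[2] + 0 : 0
        r = (ra < rb) ? -1 : ((ra > rb) ? 1 : 0)
        print r
    }'
}

# Does the installed package "$1" (name-version) fall inside pattern "$2"?
in_range() {
    ir_pkg=$1; ir_pat=$2
    ir_name=$(printf '%s' "$ir_pat" | sed 's/[<>=].*//')   # text before the operator
    ir_rest=${ir_pat#"$ir_name"}
    case $ir_rest in
        "<="*) ir_op="<="; ir_want=${ir_rest#"<="} ;;
        ">="*) ir_op=">="; ir_want=${ir_rest#">="} ;;
        "<"*)  ir_op="<";  ir_want=${ir_rest#"<"} ;;
        ">"*)  ir_op=">";  ir_want=${ir_rest#">"} ;;
        "="*)  ir_op="=";  ir_want=${ir_rest#"="} ;;
        *)     return 1 ;;
    esac
    [ "${ir_pkg%-*}" = "$ir_name" ] || return 1          # package name must match
    ir_cmp=$(vercmp "${ir_pkg##*-}" "$ir_want")
    case "$ir_op:$ir_cmp" in
        "<:-1"|"<=:-1"|"<=:0"|"=:0"|">=:0"|">=:1"|">:1") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "pkg|vid|description" for every entry covering the package.
audit_pkg() {
    printf '%s\n' "$AUDIT_DB" | while IFS='|' read -r ap_pat ap_vid ap_desc; do
        if in_range "$1" "$ap_pat"; then
            printf '%s|%s|%s\n' "$1" "$ap_vid" "$ap_desc"
        fi
    done
}

# Number of matching entries; 0 means portaudit would stay quiet.
vuln_count() {
    audit_pkg "$1" | awk 'END { print NR + 0 }'
}

# Imitation of the ports framework's refusal: non-zero unless the package is
# clean or DISABLE_VULNERABILITIES is set, as in the reply above.
check_vulnerable() {
    cv_n=$(vuln_count "$1")
    if [ "$cv_n" -gt 0 ] && [ -z "${DISABLE_VULNERABILITIES:-}" ]; then
        echo "===>  $1 has known vulnerabilities:"
        audit_pkg "$1" | while IFS='|' read -r cv_pkg cv_vid cv_desc; do
            echo "=> $cv_desc"
            echo "   Reference: <http://www.FreeBSD.org/ports/portaudit/$cv_vid.html>"
        done
        echo "=> Please update your ports tree and try again."
        return 1
    fi
    return 0
}

# Constructed "installed package" list, as pkg_info | grep php5 might show.
for p in php5-5.1.6 php5-5.1.6_1 php5-5.1.6_2; do
    echo "== $p: $(vuln_count "$p") matching entries"
    check_vulnerable "$p" || echo "*** Error code 1"
done

DISABLE_VULNERABILITIES=yes
check_vulnerable php5-5.1.6_1 && echo "== DISABLE_VULNERABILITIES set: php5-5.1.6_1 builds anyway"
unset DISABLE_VULNERABILITIES

# A box whose audit file predates the open_basedir entry: only the first
# (older) entry is loaded, so 5.1.6_1 passes there, as on the server.
NEW_AUDIT_DB=$AUDIT_DB
AUDIT_DB=$(printf '%s\n' "$NEW_AUDIT_DB" | head -n 1)
echo "== older audit file: php5-5.1.6_1 has $(vuln_count php5-5.1.6_1) matching entries"
AUDIT_DB=$NEW_AUDIT_DB
```

The point of the last two stanzas is the practical check before reaching for DISABLE_VULNERABILITIES: it is a blanket bypass of every VuXML entry for that build, so first confirm with portaudit which entries actually cover the version you are about to install, and remember that a box that built the package cleanly may simply have had an older audit file at the time.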





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?453274C3.7090409>