Date:      Fri, 16 Jan 2009 05:48:44 GMT
From:      Mark Foster <mark@foster.cc>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/130603: vuxml submission for php[45]-mbstring
Message-ID:  <200901160548.n0G5miV0025492@www.freebsd.org>
Resent-Message-ID: <200901160550.n0G5o4iC054799@freefall.freebsd.org>


>Number:         130603
>Category:       ports
>Synopsis:       vuxml submission for php[45]-mbstring
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 16 05:50:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Mark Foster
>Release:        7.1
>Organization:
Credentia
>Environment:
FreeBSD frau.foster.cc 7.1-RELEASE-p1 FreeBSD 7.1-RELEASE-p1 #4: Sat Jan 10 20:04:30 PST 2009     root@frau.foster.cc:/usr/obj/usr/src/sys/GENERIC  i386

>Description:

>How-To-Repeat:

>Fix:
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="69005cc4-9e60-4f0c-ad48-536a604127e3">
     <topic>php-mbstring -- PHP mbstring Extension Buffer Overflow Vulnerability</topic>
     <affects>
       <package>
         <name>php5-mbstring</name>
         <range><le>5.2.6</le></range>
       </package>
       <package>
         <name>php4-mbstring</name>
         <range><ge>4.3.0</ge></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>SecurityFocus reports:</p>
         <blockquote cite="http://www.securityfocus.com/bid/32948">
           <p>PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The issue affects the mbstring extension included in the standard distribution.</p>
           <p>An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver denying service to legitimate users.</p>
           <p>PHP 4.3.0 up to and including 5.2.6 are vulnerable.</p>
         </blockquote>
       </body>
     </description>
     <references>
      <bid>32948</bid>
      <url>http://www.securityfocus.com/bid/32948</url>
      <cvename>CVE-2008-5557</cvename>
     </references>
     <dates>
       <discovery>2008-12-21</discovery>
       <entry>2009-01-15</entry>
     </dates>
   </vuln>
</vuxml>



>Release-Note:
>Audit-Trail:
>Unformatted:


