Date: Tue, 10 Nov 2009 06:59:16 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: arek@wup-katowice.pl
Cc: freebsd-questions@freebsd.org
Subject: Re: php4-gd
Message-ID: <4AF90F44.1070509@infracaninophile.co.uk>
In-Reply-To: <4AF90A6E.3040907@wup-katowice.pl>
[-- Attachment #1 --]
Arek Czereszewski wrote:
> Hello,
>
> I have on some web servers the php4-gd port installed
> and I am totally confused.
> Portaudit says
>
> Affected package: php4-gd-4.4.9
> Type of problem: gd -- '_gdGetColors' remote buffer overflow
> vulnerability.
> Reference:
> <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>
>
> On this site there is info about 5.2.11 and 5.3.0.
>
> On SecurityFocus there is info also about 4.4.9,
> but on cve.mitre.org there is not.
>
> Any idea where the truth is?
> Are my servers with php4-gd secure or not?

This is a bug in the underlying gd library rather than in PHP itself.
There are fixes to two related ports: if you've updated graphics/gd to
the latest version (gd-2.0.35_2,1), and built the latest port revision
of the php5-gd module (which is php5-gd-5.2.11_2) then those should
have been secured.

However, the PHP4 version of the gd module is still at version
php4-gd-4.4.9, and doesn't seem to have been patched -- there is no
patch for CVE-2009-3546 in the php4 sources -- so it seems you are
still vulnerable when using PHP4.

This is to be expected: the PHP project is deprecating PHP4 and putting
all their effort into developing PHP5 instead. Patches may be
forthcoming eventually, but who knows when?

Basically, if you're running PHP4 on a public site then you should be
making plans to upgrade to PHP5 ASAP.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkr5D00ACgkQ8Mjk52CukIxwPQCfQN+LrM/CVGnq1zsSKR2wqfxp
4w4AoIY0X9T5EofK/LsQy8StBad73QwH
=0RIU
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AF90F44.1070509>
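The reply above turns on package versions: gd is fixed from gd-2.0.35_2,1, php5-gd from php5-gd-5.2.11_2, and php4-gd-4.4.9 has no fixed version at all. The following script is an added example (not part of the mail thread or of the FreeBSD tools) that audits a list of installed package names against those fixed versions. It reimplements only the basic ordering of FreeBSD's version[_revision][,epoch] scheme (epoch first, then the dotted version, then the port revision); the real pkg_version(1) comparison handles more cases, such as alpha/beta suffixes, which this simplified version does not. The package list embedded below is constructed sample data in pkg_info(1) style, and the `FIXED` table and helper names are this example's own.

```python
"""
Added example (not from the original mail): check installed FreeBSD
packages against the fixed versions cited in the reply.
Ordering implemented: epoch (",N"), then dotted version, then port
revision ("_N"), which is a simplified form of pkg_version(1).
"""
import re
from itertools import zip_longest

# Fixed versions named in the reply. php4-gd has no fixed version (None).
FIXED = {
    "gd": "2.0.35_2,1",
    "php5-gd": "5.2.11_2",
    "php4-gd": None,
}

# Constructed sample of pkg_info-style output: "name-version  comment".
SAMPLE_PKG_INFO = """\
gd-2.0.35_1,1       A graphics library for fast image creation
php4-gd-4.4.9       The gd shared extension for php
php5-gd-5.2.11_2    The gd shared extension for php
perl-5.8.9_3        Practical Extraction and Report Language
"""


def split_pkgname(pkgname):
    """Split 'name-version' on the last hyphen: 'php5-gd-5.2.11_2' -> ('php5-gd', '5.2.11_2')."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def parse_version(version):
    """Return (epoch, parts, revision) for 'ver[_rev][,epoch]'.

    parts is a list of (1, int) for numeric runs and (0, str) for alphabetic
    runs, so that '2.0.35' sorts above '2.0.9' and mixed parts stay comparable.
    """
    epoch = 0
    if "," in version:
        version, e = version.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in version:
        version, r = version.split("_", 1)
        revision = int(r)
    parts = [(1, int(p)) if p.isdigit() else (0, p)
             for p in re.findall(r"\d+|[A-Za-z]+", version)]
    return epoch, parts, revision


def version_cmp(a, b):
    """Return -1, 0 or 1 like 'pkg_version -t a b' (simplified ordering)."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:                       # epoch dominates everything else
        return -1 if ea < eb else 1
    for x, y in zip_longest(pa, pb, fillvalue=(1, 0)):   # missing part == 0
        if x != y:
            return -1 if x < y else 1
    if ra != rb:                       # same version: port revision decides
        return -1 if ra < rb else 1
    return 0


def audit(pkg_info_output, fixed=FIXED):
    """Map each installed package that appears in `fixed` to its status."""
    result = {}
    for line in pkg_info_output.splitlines():
        if not line.strip():
            continue
        name, version = split_pkgname(line.split()[0])
        if name not in fixed:
            continue
        fixed_version = fixed[name]
        if fixed_version is None:
            result[name] = "vulnerable (no fixed version)"
        elif version_cmp(version, fixed_version) >= 0:
            result[name] = "fixed"
        else:
            result[name] = "vulnerable (upgrade to %s)" % fixed_version
    return result


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_PKG_INFO).items()):
        print("%-10s %s" % (name, status))
```

On a real host the sample string would be replaced by the output of `pkg_info` (or, on current systems, `pkg info`), and the `FIXED` table by whatever the relevant VuXML entry lists; the point of keeping the comparison explicit is that a port revision bump like `_1` to `_2` is exactly what separates a patched gd from an unpatched one here, and a naive string comparison would miss it.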
