Bug #67720 Backport security and usability fixes to PHP 5.3
Submitted: 2014-07-30 17:21 UTC Modified: 2016-07-30 14:00 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: neweracracker at gmail dot com Assigned: johannes (profile)
Status: Closed Package: *General Issues
PHP Version: 5.3 OS: Irrelevant
Private report: No CVE-ID: None
 [2014-07-30 17:21 UTC] neweracracker at gmail dot com
Description:
------------
I noticed security related bugfixes were backported to PHP 5.3 branch:
http://git.php.net/?p=php-src.git;a=shortlog;h=refs/heads/PHP-5.3

It is my opinion that there are two more bugfixes to be backported. One is a usability fix for SSL certificates using the GeneralizedTime format, see bugs #65698 and #66636.

Another one is for issues related to type confusion:
http://git.php.net/?p=php-src.git;a=commit;h=b4a4db467b6a1e90131705832f1a3613a60c4259

I have made the following patches, adapted from git commits, against the PHP 5.3.28 source tar, and there may be some changes in the current code I have not accounted for.

I would like to see this backported to the PHP 5.3 branch. And, when the time is right, a final release for PHP 5.3 (PHP 5.3.29).

Thanks for all the hard work.

Regards,
NewEraCracker


Patches

php5.3.28-type-check-fix-new (last revision 2014-07-30 23:27 UTC by neweracracker at gmail dot com)
php5.3.29dev-bug65698-bug66636 (last revision 2014-07-30 20:50 UTC by neweracracker at gmail dot com)
php5.3.28-type-check-fix (last revision 2014-07-30 17:22 UTC by neweracracker at gmail dot com)
php5.3.28-bug65698-bug66636 (last revision 2014-07-30 17:21 UTC by neweracracker at gmail dot com)



History

 [2014-07-30 17:40 UTC] requinix@php.net
-Status: Open +Status: Wont fix -PHP Version: Irrelevant +PHP Version: 5.3
 [2014-07-30 17:40 UTC] requinix@php.net
PHP 5.3 is EOL; however, it will have one final release for some security fixes.
No usability fixes, no warning fixes.

http://markmail.org/thread/hqzeneo77i35pn5z
 [2014-07-30 20:06 UTC] nikic@php.net
-Assigned To: +Assigned To: johannes
 [2014-07-30 20:06 UTC] nikic@php.net
@requinix: At least the second patch may be classified as a security fix (same as the phpinfo one). And if I understood correctly, the first patch fixes problems (maybe a BC break?) introduced by another security patch.

Assigning johannes so he can check whether or not these should be included.
 [2014-07-30 20:55 UTC] neweracracker at gmail dot com
That's correct, nikic.
 [2014-07-30 21:58 UTC] requinix@php.net
-Status: Wont fix +Status: Open
 [2014-07-30 21:58 UTC] requinix@php.net
Alright. When I checked the patches I only saw changes to type checks, warning messages, and year calculations. Meanwhile the two bugs didn't mention potential security problems: a Y2K bug that would expire future certs and an incorrect warning about valid dates.

I'll flip this back to open so there's no confusion about why it's wontfix.
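The year-calculation problem discussed above (bugs #65698 and #66636: a certificate `notAfter` in GeneralizedTime format being mis-parsed, with future certificates appearing expired) comes down to how an ASN.1 time string is turned into a calendar date. The following is an added example, not code from php-src or from the attached patches: a small C parser that accepts both UTCTime (`YYMMDDHHMMSSZ`) and GeneralizedTime (`YYYYMMDDHHMMSSZ`), applies the RFC 5280 century rule for two-digit years, rejects anything it cannot validate, and fails closed in the expiry check. The function names (`asn1_time_parse`, `asn1_time_year`, `asn1_time_to_epoch`, `cert_expired`) and all sample time strings are constructed for this example.

```c
/* Added example: parsing X.509 validity times (ASN.1 UTCTime vs GeneralizedTime)
 * with the RFC 5280 century rule. Not php-src code; all inputs are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int year, month, day, hour, minute, second;   /* calendar fields, UTC */
} asn1_tm;

/* Parse exactly n ASCII digits at s; return -1 if any character is not a digit. */
static int parse_digits(const char *s, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Parse "YYMMDDHHMMSSZ" (UTCTime, 13 chars) or "YYYYMMDDHHMMSSZ"
 * (GeneralizedTime, 15 chars) into calendar fields.
 * RFC 5280 4.1.2.5.1: a UTCTime year of 50..99 means 1950..1999 and 00..49 means
 * 2000..2049; dates from 2050 on must be GeneralizedTime, whose four-digit year is
 * taken literally. Returns false for any other length, non-digit, out-of-range
 * field or missing trailing 'Z' (fractional seconds and +hhmm offsets are not accepted). */
bool asn1_time_parse(const char *s, asn1_tm *out)
{
    size_t len = strlen(s);
    const char *p = s;
    int year;

    if (len == 13) {                       /* UTCTime: two-digit year */
        int yy = parse_digits(p, 2);
        if (yy < 0) return false;
        year = (yy >= 50) ? 1900 + yy : 2000 + yy;
        p += 2;
    } else if (len == 15) {                /* GeneralizedTime: four-digit year */
        year = parse_digits(p, 4);
        if (year < 0) return false;
        p += 4;
    } else {
        return false;
    }

    asn1_tm t = { year, parse_digits(p, 2), parse_digits(p + 2, 2),
                  parse_digits(p + 4, 2), parse_digits(p + 6, 2), parse_digits(p + 8, 2) };
    if (t.month < 1 || t.month > 12 || t.day < 1 || t.day > 31 ||
        t.hour < 0 || t.hour > 23 || t.minute < 0 || t.minute > 59 ||
        t.second < 0 || t.second > 59 || p[10] != 'Z')
        return false;
    *out = t;
    return true;
}

/* Convenience check: the four-digit year the parser derives, or -1 on failure. */
int asn1_time_year(const char *s)
{
    asn1_tm t;
    return asn1_time_parse(s, &t) ? t.year : -1;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Seconds since the Unix epoch (UTC) for an ASN.1 time string, or INT64_MIN on
 * parse failure. 64-bit so that years past 2038 do not wrap. */
int64_t asn1_time_to_epoch(const char *s)
{
    asn1_tm t;
    if (!asn1_time_parse(s, &t))
        return INT64_MIN;
    return days_from_civil(t.year, t.month, t.day) * 86400
         + t.hour * 3600 + t.minute * 60 + t.second;
}

/* True when notAfter is before now. An unparseable value is treated as expired
 * (fail closed) rather than as valid. */
bool cert_expired(const char *not_after, int64_t now)
{
    int64_t exp = asn1_time_to_epoch(not_after);
    return exp == INT64_MIN || exp < now;
}

int main(void)
{
    /* Constructed sample values, not taken from any real certificate. */
    const char *samples[] = { "140730172100Z", "20140730172100Z", "491231235959Z",
                              "20500101000000Z", "20140730172100+0100", "1407301721Z" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t epoch = asn1_time_to_epoch(samples[i]);
        if (epoch == INT64_MIN)
            printf("%-22s -> rejected\n", samples[i]);
        else
            printf("%-22s -> year %d, epoch %lld\n", samples[i],
                   asn1_time_year(samples[i]), (long long)epoch);
    }
    return 0;
}
```

The point to take from the two branches in `asn1_time_parse` is that the century rule applies only to the 13-character UTCTime form; applying it to a GeneralizedTime value, or treating a four-digit year as if it needed an offset, is exactly the class of mistake that makes a certificate valid until 2050 look expired. Rejecting unknown lengths instead of guessing keeps a malformed value from being silently accepted as a valid date.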
 [2016-07-30 14:00 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2016-07-30 14:00 UTC] nikic@php.net
Closing as 5.3.29 is long gone. Looking at the changelog both patches seem to have made it in (http://php.net/ChangeLog-5.php#5.3.29).