PHP :: Bug #41285 :: better fix for CVE-2007-1887-1888/MOPB-41

Bug #41285	better fix for CVE-2007-1887-1888/MOPB-41
Submitted:	2007-05-04 16:55 UTC	Modified:	2010-12-12 15:37 UTC
From:	seanius at debian dot org	Assigned:	iliaa (profile)
Status:	Closed	Package:	SQLite related
PHP Version:	5.2.2	OS:	source code
Private report:	No	CVE-ID:	2007-1887

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	seanius at debian dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2007-05-04 16:55 UTC] seanius at debian dot org

Description:
------------
from what i understand, your fix for the above mentioned vulnerabilities was to patch the bundled sqlite libraries to handle certain parameters that might be null pointers.   however, for distributions where php is built against external sqlite packages, this  has no effect and the resulting packages are still vulnerable unless the sqlite packages are independantly patched.

in the debian php packages, we've patched the php_sqlite module to check for the null pointers outside of the call to the sqlite functions, thus not requiring a patch or change in the behaviour of the sqlite libraries.

anyway, if you want to continue keeping a patched bundled version of sqlite, that's fine, but i thought i'd share this.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-05-04 16:59 UTC] seanius at debian dot org

oops, forgot the patch... here it is.

http://svn.debian.org/wsvn/pkg-php/php5/trunk/debian/patches/119-CVE-2007-1887-1888-MOPB-41.patch?op=file&rev=0&sc=0

[2007-05-05 15:36 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2010-12-12 15:37 UTC] felipe@php.net

-CVE-ID: +CVE-ID: 2007-1887

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Dec 26 15:01:32 2024 UTC