Package: php5 Severity: grave Tags: security, patch Justification: user security hole
Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for php5. CVE-2008-5557[0]: | Heap-based buffer overflow in | ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring | extension in PHP 4.3.0 through 5.2.6 allows context-dependent | attackers to execute arbitrary code via a crafted string containing an | HTML entity, which is not properly handled during Unicode conversion, | related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) | mb_convert_variables, and (4) mb_parse_str functions. There are some more information available in the php bugreport[1], including the PoC which seems to work. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557 http://security-tracker.debian.net/tracker/CVE-2008-5557 [1] http://bugs.php.net/bug.php?id=45722 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
