reassign 646675 src:php5 retitle 646675 CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8 tags 646675 + patch thanks
OoO En cette soirée bien amorcée du mercredi 26 octobre 2011, vers 22:55, Ingo Jürgensmann <i...@2011.bluespice.org> disait : >> Now that the message is in another folder, you don't have the problem >> any more, even if you visit this folder? Does the problem comes back if >> you move the message to inbox? > When I access my Debian-Devel folder the problem occurs in that > folder. When I move it back to Inbox it happens there again... so, > it's reproducible over here... The problem has been fixed in roundcube 0.6. It was related to an incorrect use of is_a() function. Since PHP 5.3.8, is_a() function would trigger autoload when the first argument is a string. Roundcube prior to 0.6 is affected but 0.6 is not. However, you hit the bug because MDB2 is affected by it too (we don't use the shipped copy). More info about this change in this bug report: https://bugs.php.net/bug.php?id=55475 It has been assigned CVE ID 2011-3379 and it has been decided by the PHP project to revert the change: http://svn.php.net/viewvc/?view=revision&revision=317183 This fix has not been applied to Debian package yet. There are two possible outcomes : 1. Patch a lot of PHP stuff to handle this new behaviour of is_a() (and the old behaviour too) by testing if the first argument is an object first. This means that this bug should be cloned for MDB2. 2. Consider this bug as a PHP bug and apply the mentioned patch to PHP 5.3.8 in Debian. I think that the most reasonable outcome is the second one since the fix has been commited to land in PHP 5.3.9. Therefore, I reassign this bug to src:php5. Tell me if you disagree. -- Vincent Bernat ☯ http://vincent.bernat.im Write and test a big program in small pieces. - The Elements of Programming Style (Kernighan & Plauger)
pgpXHwbmTenPU.pgp
Description: PGP signature
