Message-Id: <200901160548.n0G5miV0025492@www.freebsd.org>
Date: Fri, 16 Jan 2009 05:48:44 GMT
From: Mark Foster <mark@foster.cc>
To: freebsd-gnats-submit@FreeBSD.org
Subject: vuxml submission for php[45]-mbstring
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         130603
>Category:       ports
>Synopsis:       vuxml submission for converters/php[45]-mbstring
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    miwi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 16 05:50:04 UTC 2009
>Closed-Date:    Mon Mar 16 17:13:37 UTC 2009
>Last-Modified:  Mon Mar 16 17:20:01 UTC 2009
>Originator:     Mark Foster
>Release:        7.1
>Organization:
Credentia
>Environment:
FreeBSD frau.foster.cc 7.1-RELEASE-p1 FreeBSD 7.1-RELEASE-p1 #4: Sat Jan 10 20:04:30 PST 2009     root@frau.foster.cc:/usr/obj/usr/src/sys/GENERIC  i386

>Description:

>How-To-Repeat:

>Fix:
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="69005cc4-9e60-4f0c-ad48-536a604127e3">
     <topic>php-mbstring -- PHP mbstring Extension Buffer Overflow Vulnerability</topic>
     <affects>
       <package>
         <name>php5-mbstring</name>
         <range><le>5.2.6</le></range>
       </package>
       <package>
         <name>php4-mbstring</name>
         <range><ge>4.3.0</ge></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>SecurityFocus reports:</p>
         <blockquote cite="http://www.securityfocus.com/bid/32948">
           <p>PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The issue affects the mbstring extension included in the standard distribution.</p>
           <p>An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver denying service to legitimate users.</p>
           <p>PHP 4.3.0 up to and including 5.2.6 are vulnerable.</p>
         </blockquote>
       </body>
     </description>
     <references>
      <bid>32948</bid>
      <url>http://www.securityfocus.com/bid/32948</url>
      <cvename>CVE-2008-5557</cvename>
     </references>
     <dates>
       <discovery>2008-12-21</discovery>
       <entry>2009-01-15</entry>
     </dates>
   </vuln>
</vuxml>

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ale 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Jan 16 08:22:04 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=130603 
State-Changed-From-To: open->feedback 
State-Changed-By: miwi 
State-Changed-When: Tue Feb 3 20:36:40 UTC 2009 
State-Changed-Why:  
ale, could you please check both, and maybe prepare a patch? When you 
have done so, please let me know and I will document this. 

Responsible-Changed-From-To: ale->miwi 
Responsible-Changed-By: ale 
Responsible-Changed-When: Wed Mar 11 14:09:22 UTC 2009 
Responsible-Changed-Why:  
PHP updated. 

State-Changed-From-To: feedback->closed 
State-Changed-By: miwi 
State-Changed-When: Mon Mar 16 17:13:36 UTC 2009 
State-Changed-Why:  
Committed. Thanks! 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/130603: commit references a PR
Date: Mon, 16 Mar 2009 17:14:03 +0000 (UTC)

 miwi        2009-03-16 17:13:49 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   - Document php-mbstring -- php mbstring buffer overflow vulnerability
   
   PR:             based on 130603
   
   Revision  Changes    Path
   1.1880    +38 -1     ports/security/vuxml/vuln.xml
>Unformatted:
