5.2.6RC1 out!
I've been far too busy and have let all sorts of things slide... sorry to anyone I inconvenienced. _| ̄|○
About the matter from the other day: it's out (1・2・3). RC2 looks likely to come out surprisingly soon.
The fixes from 5.2.5 to 5.2.6RC1 are as follows.
Personally, I wish they'd stop editing the NEWS file after a release... or so I find myself thinking (like removing trailing spaces at line ends).
There are a few keywords that catch my eye (crash, leak, and so on), but what are the details of CVE-2008-0599? The corresponding fix is this (1・2・3).
I can see that path_translated_len was taking an extra length, but an attack from there... hmm. I can't tell from just a quick look. (w
Before the fix it was "int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;", so it looks like a typo fix... but a vulnerability that stems from a typo is pretty amazing too.
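To make the "typo" concrete: in C the conditional operator `?:` has lower precedence than `+`, so the pre-fix expression quoted above parses as `(ptlen + env_path_info) ? strlen(env_path_info) : 0`, and `ptlen` never contributes to the result. The following is an added example, not code from this post or from PHP's cgi_main.c; it reproduces only the quoted length expression beside the parenthesised form and evaluates both on constructed sample values (the `ptlen`/`path_info` numbers are made up), without performing any copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The expression exactly as quoted in the post (pre-fix form).
 * '+' binds tighter than '?:', so this is really
 *   (ptlen + env_path_info) ? strlen(env_path_info) : 0
 * and the returned length omits ptlen entirely.
 * Only called with a non-NULL env_path_info: with NULL, (ptlen + NULL) is
 * undefined pointer arithmetic and strlen(NULL) would crash. */
static int buggy_path_translated_len(int ptlen, const char *env_path_info)
{
    int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;
    return path_translated_len;
}

/* The same expression with the parentheses the author evidently intended:
 * script path length plus PATH_INFO length, or just the script path length
 * when there is no PATH_INFO. This is also the number of bytes a copy of
 * both strings would actually need. */
static int fixed_path_translated_len(int ptlen, const char *env_path_info)
{
    int path_translated_len = ptlen + (env_path_info ? (int)strlen(env_path_info) : 0);
    return path_translated_len;
}

/* How many bytes short a buffer sized by the buggy formula would be
 * (0 when it happens to be large enough). Pure arithmetic; no memory is touched. */
static int buggy_shortfall(int ptlen, const char *env_path_info)
{
    int shortfall = fixed_path_translated_len(ptlen, env_path_info)
                  - buggy_path_translated_len(ptlen, env_path_info);
    return shortfall > 0 ? shortfall : 0;
}

int main(void)
{
    /* Constructed sample: a 20-byte script path and an 11-byte PATH_INFO suffix. */
    const int ptlen = 20;
    const char *path_info = "/extra/path";

    printf("buggy length : %d\n", buggy_path_translated_len(ptlen, path_info));
    printf("fixed length : %d\n", fixed_path_translated_len(ptlen, path_info));
    printf("bytes short  : %d\n", buggy_shortfall(ptlen, path_info));
    printf("fixed, no PATH_INFO: %d\n", fixed_path_translated_len(ptlen, NULL));
    return 0;
}
```

With these inputs the buggy formula yields 11 where 31 bytes are needed, i.e. the buffer comes out exactly `ptlen` bytes too small whenever PATH_INFO is present. A compiler run with warnings enabled (clang's `-Wparentheses`, for instance) flags precisely this precedence mix, which is the cheapest check against this class of "typo".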
--- NEWS 2007/11/08 13:44:11 1.2027.2.547.2.999 +++ NEWS 2008/02/28 00:29:29 1.2027.2.547.2.1101 
@@ -1,6 +1,167 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -08 Nov 2007 , PHP 5.2.5 +27 Feb 2008, PHP 5.2.6RC1 +- Fixed security issue detailed in CVE-2008-0599. (Rasmus) +- Fixed potential memleak in stream filter parameter for zlib filter (Greg) +- Added Reflection API metadata for the methods of the DOM classes. (Sebastian) +- Fixed weired behavior in CGI parameter parsing. (Dmitry, Hannes Magnusson) +- Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. + (Ilia) +- Fixed a bug with PDO::FETCH_COLUMN|PDO::FETCH_GROUP mode when a column # by + which to group by data is specified. (Ilia) +- Fixed segfault in filter extension when using callbacks. (Arnar Mar Sig, + Felipe) +- Upgraded PCRE to version 7.6 (Nuno) + + +- Fixed bug #44242 (metaphone('CMXFXM') crashes PHP). (Felipe) +- Fixed bug #44233 (MSG_PEEK undefined under BeOS R5). (jonathonfreeman at + gmail dot com, Ilia) +- Fixed bug #44216 (strftime segfaults on large negative value). (Derick) +- Fixed bug #44200 (A crash in PDO when no bound targets exists and yet + bound parameters are present). (Ilia) +- Fixed bug #44209 (strtotime() doesn't support 64 bit timestamps on 64 bit + platforms). (Derick) +- Fixed bug #44206 (OCI8 selecting ref cursors leads to ORA-1000 maximum + open cursors reached). (Oracle Corp.) +- Fixed bug #44197 (socket array keys lost on socket_select). (Felipe) +- Fixed bug #44191 (preg_grep messes up array index). (Felipe) +- Fixed bug #44189 (PDO setAttribute() does not properly validate values for + native numeric options). (Ilia) +- Fixed bug #44184 (Double free of loop-variable on exception). (Dmitry) +- Fixed bug #44171 (Invalid FETCH_COLUMN index does not raise an error). (Ilia) +- Fixed bug #44159 (Crash: $pdo->setAttribute(PDO::STATEMENT_ATTR_CLASS, NULL)). + (Felipe) +- Fixed bug #44152 (Possible crash with syslog logging on ZTS builds). 
(Ilia) +- Fixed bug #44141 (private parent constructor callable through static + function). (Dmitry) +- Fixed bug #44113 (OCI8 new collection creation can fail with OCI-22303). + (Oracle Corp.) +- Fixed bug #44069 (Huge memory usage with concatenation using . instead of + .=). (Dmitry) +- Fixed bug #44046 (crash inside array_slice() function with an invalid + by-ref offset). (Ilia) +- Fixed bug #44028 (crash inside stream_socket_enable_crypto() when enabling + encryption without crypto type). (Ilia) +- Fixed bug #44018 (RecursiveDirectoryIterator options inconsistancy). (Marcus) +- Fixed bug #44008 (OCI8 incorrect usage of OCI-Lob->close crashes PHP). + (Oracle Corp.) +- Fixed bug #43998 (Two error messages returned for incorrect encoding for + mb_strto[upper|lower]). (Rui) +- Fixed bug #43994 (mb_ereg 'successfully' matching incorrect). (Rui) +- Fixed bug #43954 (Memory leak when sending the same HTTP status code + multiple times). (Scott) +- Fixed bug #43927 (koi8r is missing from html_entity_decode()). + (andy at demos dot su, Tony) +- Fixed faulty fix for bug #40189 (endless loop in zlib.inflate stream filter). + (Greg) +- Fixed bug #43912 (Interbase column names are truncated to 31 characters). + (Ilia) +- Fixed bug #43875 (Two error messages returned for $new and $flag argument + in mysql_connect()). (Hannes) +- Fixed bug #43863 (str_word_count() breaks on cyrillic "ya" in locale cp1251). + (phprus at gmail dot com, Tony) +- Fixed bug #43841 (mb_strrpos offset is byte count for negative values). (Rui) +- Fixed bug #43840 (mb_strpos bounds check is byte count rather than a character + count). (Rui) +- Fixed bug #43808 (date_create never fails (even when it should)). (Derick) +- Fixed bug #43793 (zlib filter is unable to auto-detect gzip/zlib file headers). + (Greg) +- Fixed bug #43703 (Signature compatibility check broken). (Dmitry) +- Fixed bug #43663 (Extending PDO class with a __call() function doesn't work). 
+ (David Soria Parra) +- Fixed bug #43647 (Make FindFile use PATH_SEPARATOR instead of ";"). (Ilia) +- Fixed bug #43635 (mysql extension ingores INI settings on NULL values + passed to mysql_connect()). (Ilia) +- Fixed bug #43620 (Workaround for a bug inside libcurl 7.16.2 that can result + in a crash). (Ilia) +- Fixed bug #43606 (define missing depencies of the exif extension). + (crrodriguez at suse dot de) +- Fixed bug #43589 (a possible infinite loop in bz2_filter.c). (Greg) +- Fixed bug #43580 (removed bogus declaration of a non-existent php_is_url() + function). (Ilia) +- Fixed bug #43559 (array_merge_recursive() doesn't behave as expected with + duplicate NULL values). (Felipe, Tony) +- Fixed bug #43533 (escapeshellarg('') returns null). (Ilia) +- Fixed bug #43527 (DateTime created from a timestamp reports environment + timezone). (Derick) +- Fixed bug #43522 (stream_get_line() eats additional characters). (Felipe, + Ilia, Tony) +- Fixed bug #43507 (SOAPFault HTTP Status 500 - would like to be able to set + the HTTP Status). (Dmitry) +- Fixed bug #43505 (Assign by reference bug). (Dmitry) +- Fixed bug #43497 (OCI8 XML/getClobVal aka temporary LOBs leak UGA memory). + (Chris) +- Fixed bug #43495 (array_merge_recursive() crashes with recursive arrays). + (Ilia) +- Fixed bug #43498 (file_exists() on a proftpd server got SIZE not + allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) +- Fixed bug #43493 (pdo_pgsql does not send username on connect when password + is not available). (Ilia) +- Fixed bug #43491 (Under certain conditions, file_exists() never returns). + (Dmitry) +- Fixed bug #43483 (get_class_methods() does not list all visible methods). + (Dmitry) +- Fixed bug #43482 (array_pad() does not warn on very small pad numbers). + (Ilia) +- Fixed bug #43457 (Prepared statement with incorrect parms doesn't throw + exception with pdo_pgsql driver). (Ilia) +- Fixed bug #43450 (Memory leak on some functions with implicit object + __toString() call). 
(David C.) +- Fixed bug #43386 (array_globals not reset to 0 properly on init). (Ilia) +- Fixed bug #43377 (PHP crashes with invalid argument for DateTimeZone). (Ilia) +- Fixed bug #43373 (pcntl_fork() should not raise E_ERROR on error). (Ilia) +- Fixed bug #43364 (recursive xincludes don't remove internal xml nodes + properly). (Rob, patch from ddb@bitxtender.de) +- Fixed bug #43092 (curl_copy_handle() crashes with > 32 chars long URL). + (Jani) +- Fixed bug #43301 (mb_ereg*_replace() crashes when replacement string is + invalid PHP expression and 'e' option is used). (Jani) +- Fixed bug #43003 (Invalid timezone reported for DateTime objects constructed + using a timestamp). (Derick) +- Fixed bug #43295 (crash because of uninitialized SG(sapi_headers).mimetype). + (Dmitry) +- Fixed bug #43293 (Multiple segfaults in getopt()). (Hannes) +- Fixed bug #43279 (pg_send_query_params() converts all elements in 'params' + to strings). (Ilia) +- Fixed bug #43276 (Incomplete fix for bug #42739, mkdir() under safe_mode). + (Ilia) +- Fixed bug #43248 (backward compatibility break in realpath()). (Dmitry) +- Fixed bug #43221 (SimpleXML adding default namespace in addAttribute). (Rob) +- Fixed bug #43216 (stream_is_local() returns false on "file://"). (Dmitry) +- Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). (Dmitry) +- Fixed bug #43182 (file_put_contents() LOCK_EX does not work properly on file + truncation). (Ilia) +- Fixed bug #43175 (__destruct() throwing an exception with __call() causes + segfault). (Dmitry) +- Fixed bug #43128 (Very long class name causes segfault). (Dmitry) +- Fixed bug #43105 (PHP seems to fail to close open files). (Hannes) +- Fixed bug #42978 (mismatch between number of bound params and values causes + a crash in pdo_pgsql). (Ilia) +- Fixed bug #42945 (preg_split() swallows part of the string). (Nuno) +- Fixed bug #42937 (__call() method not invoked when methods are called on + parent from child class). 
(Dmitry) +- Fixed bug #42841 (REF CURSOR and oci_new_cursor() crash PHP). (Chris) +- Fixed Bug #42838 (Wrong results in array_diff_uassoc) (Felipe) +- Fixed bug #42779 (Incorrect forcing from HTTP/1.0 request to HTTP/1.1 + response). (Ilia) +- Fixed bug #42736 (xmlrpc_server_call_method() crashes). (Tony) +- Fixed bug #42692 (Procedure 'int1' not present with doc/lit SoapServer). + (Dmitry) +- Fixed bug #42548 (mysqli PROCEDURE calls can't return result sets). (hartmut) +- Fixed bug #42369 (Implicit conversion to string leaks memory). + (David C., Rob). +- Fixed bug #42272 (var_export() incorrectly escapes char(0)). (Derick) +- Fixed bug #42261 (Incorrect lengths for date and boolean data types). + (Ilia) +- Fixed bug #42190 (Constructing DateTime with TimeZone Indicator invalidates + DateTimeZone). (Derick) +- Fixed bug #41941 (oci8 extension not lib64 savvy). (Chris) +- Fixed bug #41599 (setTime() fails after modify() is used). (Derick) +- Fixed bug #41562 (SimpleXML memory issue). (Rob) +- Fixed bug #38468 (Unexpected creation of cycle). (Dmitry) + +08 Nov 2007, PHP 5.2.5
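Review bot: the line "+- Fixed security issue detailed in CVE-2008-0599. (Rasmus)" at the top of this hunk gives readers of NEWS no idea which component or behaviour was fixed, unlike every other entry here; since the post above ties the fix to the path_translated_len calculation in the CGI SAPI, the entry should say so, e.g. "Fixed security issue detailed in CVE-2008-0599 (incorrect PATH_TRANSLATED length calculation in the CGI SAPI). (Rasmus)". Secondary points in the same hunk: the spelling errors "weired", "inconsistancy", "ingores" and "depencies" should be corrected before the final 5.2.6 release, the two empty "+" lines after the PCRE 7.6 entry leave a stray blank gap, and the bug-number ordering slips in places (#43092 between #43364 and #43301, #43003 between #43301 and #43295, #43498 after #43495), which makes the list harder to scan.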