CVE request: PHP 5.2.9

[Tomas Hoger <thoger () redhat com>]

Hi!

PHP 5.2.9 was released some time ago, mentioning couple of security
fixes, that do not seem to have CVEs assigned:
  http://www.php.net/releases/5_2_9.php

# Fixed explode() behavior with empty string to respect negative limit.
  (Shire)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.77&r2=1.445.2.14.2.78

Our maintainer has asked upstream about this one, as it changes
behavior of explode() and does not have obvious security consequences.
Upstream security team confirmed that this one was tagged as security
by mistake.


# Fixed a crash on extract in zip when files or directories entry names
  contain a relative path. (Pierre)
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49

This should only affect php 5.2.7 or versions that have original fix
for CVE-2008-5658 backported.


# Fixed a segfault when malformed string is passed to json_decode().
  (Scott)
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15

This is PHP 5.2.0+ only, as previous versions do not have json
extension.

Only two CVEs should be needed.  Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team