Re: CVE request: PHP MOPS-2010-56..60

[Pierre Joye <pierre.php () gmail com>]

On Fri, Aug 20, 2010 at 1:24 PM, Pierre Joye <pierre.php () gmail com> wrote:
> On Fri, Aug 20, 2010 at 1:00 PM, Tomas Hoger <thoger () redhat com> wrote:
> > On Fri, 20 Aug 2010 12:38:31 +0200 Pierre Joye wrote:
> >
> > > > MOPS-2010-056 - MOPS-2010-060 as subject indicates.  Those are
> > > > mysqlnd issues and session serializer issue allowing data
> > > > injection.  Not any from that set of interruption issues that
> > > > exposed one or two problems in different ways.
> > >
> > > As far as I can tell and see, both the mysqlnd and session issues have
> > > been fixed.
> >
> > Raphael posted commit links earlier in this thread.
> >
> > > Phar: http://svn.php.net/viewvc?view=revision&revision=298667
> >
> > I'm aware of that commit.  It does not change
> > php_stream_wrapper_log_error invocation from phar_stream_flush, as
> > mentioned in MOPS-2010-024:
> >
> > http://svn.php.net/viewvc/php/php-src/trunk/ext/phar/stream.c?view=markup&pathrev=298667#l471
> >
> > Hence the question if there is some less obvious change that make that
> > particular cases non-issue too.
>
> I miss that part, thanks for pointing me to it. I will commit a fix
> later today.

Done: http://svn.php.net/viewvc?view=revision&revision=302565

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org