[Pkg-roundcube-maintainers] Bug#646675: "out of nowhere"?
Vincent Bernat
bernat at debian.org
Wed Oct 26 22:55:05 BST 2011
reassign 646675 src:php5
retitle 646675 CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8
tags 646675 + patch
thanks
OoO En cette soirée bien amorcée du mercredi 26 octobre 2011, vers
22:55, Ingo Jürgensmann <ij at 2011.bluespice.org> disait :
>> Now that the message is in another folder, you don't have the problem
>> any more, even if you visit this folder? Does the problem comes back if
>> you move the message to inbox?
> When I access my Debian-Devel folder the problem occurs in that
> folder. When I move it back to Inbox it happens there again... so,
> it's reproducible over here...
The problem has been fixed in roundcube 0.6. It was related to an
incorrect use of is_a() function. Since PHP 5.3.8, is_a() function would
trigger autoload when the first argument is a string. Roundcube prior to
0.6 is affected but 0.6 is not. However, you hit the bug because MDB2 is
affected by it too (we don't use the shipped copy).
More info about this change in this bug report:
https://bugs.php.net/bug.php?id=55475
It has been assigned CVE ID 2011-3379 and it has been decided by the PHP
project to revert the change:
http://svn.php.net/viewvc/?view=revision&revision=317183
This fix has not been applied to Debian package yet.
There are two possible outcomes :
1. Patch a lot of PHP stuff to handle this new behaviour of is_a() (and
the old behaviour too) by testing if the first argument is an object
first. This means that this bug should be cloned for MDB2.
2. Consider this bug as a PHP bug and apply the mentioned patch to PHP
5.3.8 in Debian.
I think that the most reasonable outcome is the second one since the fix
has been commited to land in PHP 5.3.9. Therefore, I reassign this bug
to src:php5. Tell me if you disagree.
--
Vincent Bernat ☯ http://vincent.bernat.im
Write and test a big program in small pieces.
- The Elements of Programming Style (Kernighan & Plauger)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20111026/93cf931a/attachment-0001.pgp>
More information about the Pkg-roundcube-maintainers
mailing list