HP Tru64 UNIX - SSRT080132 Buffer overflow in the imageloadfont

Copyright (c) Hewlett-Packard Company 2008. All rights reserved.

PRODUCT: HP Internet Express for Tru64 UNIX

SOURCE: Hewlett-Packard Company

ECO INFORMATION:

ECO Name: SWS-681.tar.gz
ECO Kit Approximate Size: 108MB
Kit Applies To: HP Internet Express for Tru64 UNIX 6.6, 6.7 and 6.8

ECO Kit CHECKSUMS (verify the downloaded kit against these values before installing; cksum reports the CRC followed by the byte count, sum reports the checksum followed by the 1K block count):

/usr/bin/sum results:   29532 105752
/usr/bin/cksum results: 705273346 108289825
MD5 results:            e246c29f305cfdb526e20672b6c3b05f
SHA1 results:           50a894ed8d8fd0e038ea569d787a9268dbb0e88a

ECO KIT SUMMARY:

A setld-based patch kit exists for HP Internet Express for Tru64 UNIX 6.6, 6.7 and 6.8 (IX) that contains solutions to the following problem:

A potential security vulnerability has been reported on the HP Tru64 UNIX Operating System or Internet Express (IX) whereby a buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.

The patches in this kit will also be available in the next mainstream patch kit, IX 6.9.

Special Installation Instructions

The kit "SWS-681.tar.gz", when untarred, contains the following directories:

- doc (sws documentation)
- kit (installable kit)
- sources

Installing the kit

1. gunzip SWS-681.tar.gz
2. tar xvf SWS-681.tar
3. cd sws-681/kit
4. ls -R

   IAE.image IAEAPAD681 IAEAPCH681 IAEAPDOC681 IAEHTTPD681 IAETOMCAT681 INSTCTRL instctrl

   ./instctrl:
   IAE.image IAEAPAD681.ctrl IAEAPAD681.scp IAEAPCH681.inv IAEAPDOC681.ctrl IAEAPDOC681.scp IAEHTTPD681.inv IAETOMCAT681.ctrl IAETOMCAT681.scp IAE681.comp IAEAPAD681.inv IAEAPCH681.ctrl IAEAPCH681.scp IAEAPDOC681.inv IAEHTTPD681.ctrl IAEHTTPD681.scp IAETOMCAT681.inv

5. # setld -l .

SUPERSEDE INFORMATION: None

KNOWN PROBLEMS WITH THE PATCH KIT: None.
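The advisory publishes cksum, size, MD5 and SHA1 values for the kit but leaves the verification step implicit. The script below is an added example, not HP's code or part of the kit: it checks the downloaded archive against the advisory's cksum, byte count and SHA1 before running installation steps 1 through 5. The expected values are the ones printed above; the choice of sha1sum/shasum/openssl as the SHA1 tool is an assumption about the host, since the advisory does not name the tool it used.

```shell
#!/bin/sh
# Added example (not from the advisory): refuse to unpack or install the ECO kit
# unless its cksum CRC, byte count and SHA1 match the published values.

KIT=SWS-681.tar.gz
EXPECT_CKSUM=705273346                                  # from the advisory
EXPECT_SIZE=108289825                                   # from the advisory
EXPECT_SHA1=50a894ed8d8fd0e038ea569d787a9268dbb0e88a    # from the advisory

# Assumed tool fallbacks: Tru64 ships /usr/bin/cksum, but SHA1 tooling varies.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_kit FILE CKSUM SIZE SHA1 -> returns 0 only if every value matches.
# cksum prints "<crc> <bytes> <name>", so CRC and size are read from one call.
verify_kit() {
    file=$1; want_crc=$2; want_size=$3; want_sha1=$4
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    set -- $(cksum "$file")
    got_crc=$1; got_size=$2
    got_sha1=$(sha1_of "$file")
    status=0
    [ "$got_crc" = "$want_crc" ]   || { echo "cksum CRC mismatch: $got_crc" >&2; status=1; }
    [ "$got_size" = "$want_size" ] || { echo "size mismatch: $got_size" >&2; status=1; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "SHA1 mismatch: $got_sha1" >&2; status=1; }
    return $status
}

# Steps 1-5 from the advisory, run only after the kit verifies.
install_kit() {
    verify_kit "$KIT" "$EXPECT_CKSUM" "$EXPECT_SIZE" "$EXPECT_SHA1" || exit 1
    gunzip "$KIT" &&
    tar xvf "${KIT%.gz}" &&
    cd sws-681/kit &&
    ls -R &&
    setld -l .
}

# Invoke as: sh verify_and_install.sh --install   (run as root for setld)
if [ "${1:-}" = "--install" ]; then
    install_kit
fi
```

A mismatch in any one value aborts before gunzip runs; the md5 value from the advisory can be added the same way where an MD5 tool is available.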
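The advisory describes the flaw only as a buffer overflow in imageloadfont reached through a crafted font file. The C below is an added illustration of how a font loader of that kind is hardened; it is not PHP's or gd's code and not HP's patch. The header layout (four little-endian int32 fields nchars, offset, w, h followed by nchars*w*h glyph bytes) is a hypothetical one modelled on a gd-style bitmap font, and the caps FONT_MAX_DIM and FONT_MAX_CHARS are policy values chosen here. wrapped_body_size shows what a plain 32-bit product of the header fields does with oversized values; check_font is the hardened path that validates every field, multiplies with overflow detection and compares the claimed body against the bytes actually present before anything is allocated or copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header layout (assumption, modelled on a gd-style bitmap font). */
typedef struct {
    int32_t nchars;  /* number of glyphs */
    int32_t offset;  /* character code of the first glyph */
    int32_t w;       /* glyph width in pixels */
    int32_t h;       /* glyph height in pixels */
} font_hdr;

enum font_status { FONT_OK = 0, FONT_SHORT_HEADER, FONT_BAD_FIELD,
                   FONT_SIZE_OVERFLOW, FONT_TRUNCATED };

#define FONT_HDR_LEN   16
#define FONT_MAX_DIM   1024    /* assumed sanity cap on w and h */
#define FONT_MAX_CHARS 65536   /* assumed sanity cap on nchars */

static int32_t rd32le(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

static void wr32le(unsigned char *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xff; p[1] = (u >> 8) & 0xff;
    p[2] = (u >> 16) & 0xff; p[3] = (u >> 24) & 0xff;
}

/* Unsafe body-size computation: a plain 32-bit product of header fields.
 * A 65536 x 65536 font with 16 glyphs wraps to 0, so a loader that trusts
 * this value allocates almost nothing and then copies far past it. */
uint32_t wrapped_body_size(const font_hdr *h)
{
    return (uint32_t)h->w * (uint32_t)h->h * (uint32_t)h->nchars;
}

/* a*b*c into *out; returns 0 if the product does not fit in size_t. */
int mul3_checked(size_t a, size_t b, size_t c, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return 0;
    size_t ab = a * b;
    if (ab != 0 && c > SIZE_MAX / ab) return 0;
    *out = ab * c;
    return 1;
}

/* Hardened header check. On FONT_OK, *body_size is the exact glyph byte
 * count, already known to be present in the buffer. */
enum font_status check_font(const unsigned char *buf, size_t len,
                            font_hdr *hdr, size_t *body_size)
{
    if (len < FONT_HDR_LEN) return FONT_SHORT_HEADER;
    hdr->nchars = rd32le(buf);
    hdr->offset = rd32le(buf + 4);
    hdr->w      = rd32le(buf + 8);
    hdr->h      = rd32le(buf + 12);

    /* Reject negative or absurd fields before doing any arithmetic on them. */
    if (hdr->nchars <= 0 || hdr->nchars > FONT_MAX_CHARS) return FONT_BAD_FIELD;
    if (hdr->w <= 0 || hdr->w > FONT_MAX_DIM)             return FONT_BAD_FIELD;
    if (hdr->h <= 0 || hdr->h > FONT_MAX_DIM)             return FONT_BAD_FIELD;

    size_t n;
    if (!mul3_checked((size_t)hdr->w, (size_t)hdr->h, (size_t)hdr->nchars, &n))
        return FONT_SIZE_OVERFLOW;
    if (len - FONT_HDR_LEN < n) return FONT_TRUNCATED;   /* header claims more than the file holds */
    *body_size = n;
    return FONT_OK;
}

/* Allocate and copy glyph data only after the header has been validated. */
unsigned char *load_font_glyphs(const unsigned char *buf, size_t len,
                                font_hdr *hdr, size_t *body_size)
{
    if (check_font(buf, len, hdr, body_size) != FONT_OK) return NULL;
    unsigned char *glyphs = malloc(*body_size);
    if (!glyphs) return NULL;
    memcpy(glyphs, buf + FONT_HDR_LEN, *body_size);
    return glyphs;
}

/* Builds a constructed test font (header plus body_len bytes of fill) into out.
 * Returns the number of bytes written, or 0 if it would not fit in cap. */
size_t build_font(unsigned char *out, size_t cap, int32_t nchars, int32_t offset,
                  int32_t w, int32_t h, size_t body_len, unsigned char fill)
{
    if (cap < FONT_HDR_LEN + body_len) return 0;
    wr32le(out, nchars); wr32le(out + 4, offset); wr32le(out + 8, w); wr32le(out + 12, h);
    memset(out + FONT_HDR_LEN, fill, body_len);
    return FONT_HDR_LEN + body_len;
}

int main(void)
{
    unsigned char buf[FONT_HDR_LEN + 128];
    font_hdr hdr; size_t body = 0;

    /* Constructed valid font: 2 glyphs of 8x8 pixels, 128 body bytes. */
    size_t len = build_font(buf, sizeof buf, 2, 32, 8, 8, 128, 0xAA);
    printf("valid font:  status %d, body %zu bytes\n", check_font(buf, len, &hdr, &body), body);

    /* Constructed hostile header: 16 glyphs of 65536x65536 and no body at all. */
    len = build_font(buf, sizeof buf, 16, 0, 65536, 65536, 0, 0);
    enum font_status st = check_font(buf, len, &hdr, &body);
    printf("hostile font: status %d, naive 32-bit size %u\n", st, wrapped_body_size(&hdr));
    return 0;
}
```

The field caps and the checked multiply are independent defences: the caps stop absurd dimensions outright, the overflow check covers the case where individually plausible fields still multiply past what size_t holds (relevant on 32-bit builds), and the truncation check catches a header that is arithmetically fine but promises more data than the file contains.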
This patch delivers the following files:

IAE.image
IAEAPAD681
IAEAPCH681
IAEAPDOC681
IAEHTTPD681
IAETOMCAT681
INSTCTRL
./instctrl/IAE.image
./instctrl/IAEAPAD681.ctrl
./instctrl/IAEAPAD681.scp
./instctrl/IAEAPCH681.inv
./instctrl/IAEAPDOC681.ctrl
./instctrl/IAEAPDOC681.scp
./instctrl/IAEHTTPD681.inv
./instctrl/IAETOMCAT681.ctrl
./instctrl/IAETOMCAT681.scp
./instctrl/IAE681.comp
./instctrl/IAEAPAD681.inv
./instctrl/IAEAPCH681.ctrl
./instctrl/IAEAPCH681.scp
./instctrl/IAEAPDOC681.inv
./instctrl/IAEHTTPD681.ctrl
./instctrl/IAEHTTPD681.scp
./instctrl/IAETOMCAT681.inv

Sources and licenses for apache-tomcat-5.5.26, apache_1.3.39, httpd-2.2.6 and php-4.4.9.

UNIX(R) is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited.

Copyright Hewlett-Packard Company 2008. All Rights reserved.