# Portaudit not detecting php 5.3 problem



## frijsdijk (Jul 24, 2012)

I just noticed the newest PHP 5.3 portaudit:


```
Affected package: php53-5.3.13
Type of problem: php -- potential overflow in _php_stream_scandir.
Reference: http://portaudit.FreeBSD.org/bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89.html
```

According to FreeBSD portaudit URL:


```
Affects:
    php5 >5.4 <5.4.5
    php53 <5.3.15
    php52 <=5.2.17_10
```

But then on a system that's still running PHP from lang/php5, version 5.3.13:


```
# portaudit php5-5.3.13
0 problem(s) found.
```

On the same machine:


```
# portaudit php53-5.3.13
Affected package: php53-5.3.13
Type of problem: php -- potential overflow in _php_stream_scandir.
Reference: http://portaudit.FreeBSD.org/bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89.html

1 problem(s) found.
```

Is this a bug?

PHP 5.3.13 was not vulnerable until this latest portaudit came out; before that, I never saw the need to just recompile stuff because PHP changed its origin from lang/php5 to lang/php53. But now I miss important portaudit info.


----------



## SirDice (Jul 24, 2012)

frijsdijk said:

> I never saw the need to just recompile stuff because PHP changed its origin from lang/php5 to lang/php53. But now I miss important portaudit info.


You also missed the previous update for 5.3 to 5.3.14. Current version of lang/php53 is 5.3.15. All the more reason to keep track of these things.


----------



## frijsdijk (Jul 25, 2012)

SirDice said:

> You also missed the previous update for 5.3 to 5.3.14. Current version of lang/php53 is 5.3.15. All the more reason to keep track of these things.



With all respect, I don't think that's something customers are waiting for: as long as there is no reason to upgrade (no vulns) and the customer isn't looking for new features, why upgrade? Your answer is predictable as usual, and you're not answering my initial question again. Why answer at all?


----------



## SirDice (Jul 25, 2012)

PHP 5.3.14 actually fixed a rather serious bug. 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143


----------



## knarf (Jul 26, 2012)

I have the same problem, running php5 (not php53) with 5.3.13 and waiting for the customer's OK to update, and now portaudit does not show a problem, because a line like "php5 <5.3.14" is missing. It was safe to keep 5.3.13 from 2012-05-16 (php5-5.4 update) until 2012-07-18 (php53-5.3.14 update).


----------
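As an added illustration of the behaviour frijsdijk and knarf describe (this is not portaudit's own code, and none of the posters wrote it), here is a simplified model of how a VuXML-style "Affects" list is matched: each entry is a package *name* plus version bounds, so a package installed under the old name `php5` at version 5.3.13 is compared only against the `php5 >5.4 <5.4.5` line and matches nothing, while the same version installed as `php53` is caught by `php53 <5.3.15`. The `ALIASES` table, the `parse_version` helper (numeric components, `_N` portrevision and `,N` portepoch only) and all function names are assumptions made for this example; the real tools use the full FreeBSD package version comparison rules.

```python
import re

# Constructed: the "Affects" block quoted in the thread, as the portaudit page shows it.
AFFECTS_TEXT = """
php5 >5.4 <5.4.5
php53 <5.3.15
php52 <=5.2.17_10
"""

# Assumed alias table for this example: a package still installed under the old
# name is also checked against the names it was split into, chosen by version
# prefix so that php5-5.2.x is not compared against the php53 entry.
ALIASES = {"php5": [("5.3.", "php53"), ("5.2.", "php52")]}

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """Simplified FreeBSD port version -> comparable (epoch, components, portrevision).

    '5.2.17_10,1' -> (1, (5, 2, 17, 0, 0), 10). Missing components count as zero,
    so 5.4 == 5.4.0. Only numeric components are handled (an assumption of the
    example; real pkg_version also orders alphabetic suffixes such as rc1).
    """
    epoch = 0
    if "," in text:
        text, e = text.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in text:
        text, r = text.split("_", 1)
        rev = int(r)
    comps = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        comps.append(int(m.group()) if m else 0)
    comps = comps[:5] + [0] * (5 - len(comps))
    return (epoch, tuple(comps), rev)


def parse_affects(text):
    """Turn 'name <op><ver> [<op><ver> ...]' lines into (name, [(op, version), ...])."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        conds = []
        for tok in parts[1:]:
            m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", tok)
            if not m:
                raise ValueError("unparseable bound: %r" % tok)
            conds.append((m.group(1), parse_version(m.group(2))))
        rules.append((parts[0], conds))
    return rules


def split_pkg(pkgname):
    """'php53-5.3.13' -> ('php53', '5.3.13'): the version follows the last hyphen."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver


def is_affected(pkgname, rules, aliases=None):
    """True if any rule for the package name (or an alias of it) covers its version.

    All bounds on one line must hold, e.g. '>5.4 <5.4.5' is an open interval.
    """
    name, ver = split_pkg(pkgname)
    version = parse_version(ver)
    names = {name}
    for prefix, alt in (aliases or {}).get(name, ()):
        if ver.startswith(prefix):
            names.add(alt)
    return any(
        all(OPS[op](version, bound) for op, bound in conds)
        for rname, conds in rules
        if rname in names
    )


def audit(pkgnames, rules, aliases=None):
    """Return the subset of package names that match a rule (the audit report)."""
    return [p for p in pkgnames if is_affected(p, rules, aliases)]


if __name__ == "__main__":
    rules = parse_affects(AFFECTS_TEXT)
    installed = ["php5-5.3.13", "php53-5.3.13"]  # constructed: the two cases in the thread
    print("name-only matching:", audit(installed, rules))           # ['php53-5.3.13']
    print("with alias table:  ", audit(installed, rules, ALIASES))  # both packages
```

The first `audit` call reproduces the thread: `php5-5.3.13` reports 0 problems purely because of the package name, not because the code is safe. The second shows the check an operator can layer on top until the port is rebuilt from its new origin: resolve the old name to the names the advisory actually uses before comparing versions.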

