Subject: audit-package and php 4.1.2
To: None <tech-security@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 03/06/2003 15:50:51
Hi,
there is an entry in /pub/NetBSD/packages/distfiles/vulnerabilities
for php < 4.2.3nb2:
php<4.2.3nb2            remote-code-execution   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396

However, from this advisory, 4.1.2 is safe, and this is also confirmed
by the commit message for this entry:
php4 < 4.2.3nb2 has a potential buffer overflow:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
(actually 4.1.3 ... 4.2.3nb2, but I didn't know how to express that)

I'd like to solve this, because 4.1.2 is the binary package provided
for the 1.6 pkgsrc branch, and I think it's especially bad to give false
positives on it. Is there a better way than adding multiple entries?
Is syntax like
php4-4.[1.[3-9],2.[0-3],2.3nb1]
allowed?

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
     NetBSD: 24 years of experience will always make the difference
--
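As an added illustration (not part of the original message, and not the code of pkg_install or the audit-package tool), the following Python script shows why the quoted entry flags 4.1.2 and how a bounded range avoids that false positive. It assumes a relational pattern form `name>=lower<upper`, compares dotted components numerically and treats the pkgsrc `nbN` suffix as a revision that only counts once the base versions are equal; the vulnerability lines it reads are constructed for the example from the entry quoted above.

```python
import re

# Constructed vulnerability-list lines in the "pattern  type  url" layout of the
# NetBSD vulnerabilities file.  The first line is the entry quoted in the message;
# the second is the narrower range the commit message describes (4.1.3 up to, but
# not including, the fixed 4.2.3nb2).  The ">=x<y" pattern form is an assumption
# made for this illustration.
VULN_LINES = """\
php<4.2.3nb2            remote-code-execution   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
php>=4.1.3<4.2.3nb2     remote-code-execution   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
"""

VERSION_RE = re.compile(r"^(?P<base>[0-9]+(?:\.[0-9]+)*)(?:nb(?P<nb>[0-9]+))?$")
OP_RE = re.compile(r"(>=|<=|>|<)([0-9]+(?:\.[0-9]+)*(?:nb[0-9]+)?)")


def parse_version(v):
    """Split '4.2.3nb2' into ([4, 2, 3], 2); a missing nb suffix counts as nb0."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError("unsupported version string: %r" % v)
    base = [int(x) for x in m.group("base").split(".")]
    return base, int(m.group("nb") or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a <, ==, > b.  Dotted components compare numerically
    (so 4.1.10 > 4.1.3), missing trailing components count as 0, and the pkgsrc
    nb revision is only consulted when the base versions are equal."""
    base_a, nb_a = parse_version(a)
    base_b, nb_b = parse_version(b)
    n = max(len(base_a), len(base_b))
    base_a += [0] * (n - len(base_a))
    base_b += [0] * (n - len(base_b))
    if base_a != base_b:
        return -1 if base_a < base_b else 1
    return (nb_a > nb_b) - (nb_a < nb_b)


def split_pattern(pattern):
    """'php>=4.1.3<4.2.3nb2' -> ('php', [('>=', '4.1.3'), ('<', '4.2.3nb2')])"""
    first = OP_RE.search(pattern)
    if first is None or first.start() == 0:
        raise ValueError("pattern needs a name and a relational bound: %r" % pattern)
    name = pattern[:first.start()]
    bounds = OP_RE.findall(pattern[first.start():])
    if "".join(op + ver for op, ver in bounds) != pattern[first.start():]:
        raise ValueError("trailing garbage in pattern: %r" % pattern)
    return name, bounds


def matches(pattern, pkgname, pkgversion):
    """True if installed pkgname-pkgversion satisfies every bound in the pattern."""
    name, bounds = split_pattern(pattern)
    if name != pkgname:
        return False
    checks = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
              "<=": lambda c: c <= 0, "<": lambda c: c < 0}
    return all(checks[op](compare_versions(pkgversion, ver)) for op, ver in bounds)


def audit(vuln_text, installed):
    """Return (pkg-version, pattern, url) for every entry matching an installed
    (name, version) pair, in file order."""
    hits = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _vtype, url = line.split()
        for name, version in installed:
            if matches(pattern, name, version):
                hits.append(("%s-%s" % (name, version), pattern, url))
    return hits


if __name__ == "__main__":
    # The 1.6-branch binary package: flagged by the open-ended entry only.
    for hit in audit(VULN_LINES, [("php", "4.1.2"), ("php", "4.2.3nb1")]):
        print("%s matches %s (%s)" % hit)
```

Running it shows php-4.1.2 matching only the `php<4.2.3nb2` line, while php-4.2.3nb1 matches both; the lower bound in the second pattern is what removes the false positive without listing each affected version separately.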