[Pkg-php-commits] r925 - in php5/branches/etch/debian: . patches
Sean Finney
seanius at alioth.debian.org
Sun Dec 2 15:51:28 UTC 2007
Author: seanius
Date: 2007-12-02 15:51:28 +0000 (Sun, 02 Dec 2007)
New Revision: 925
Added:
php5/branches/etch/debian/patches/131-CVE-2007-5898.patch
php5/branches/etch/debian/patches/132-CVE-2007-5899.patch
Modified:
php5/branches/etch/debian/changelog
Log:
two new CVE patches
Modified: php5/branches/etch/debian/changelog
===================================================================
--- php5/branches/etch/debian/changelog 2007-12-01 22:37:33 UTC (rev 924)
+++ php5/branches/etch/debian/changelog 2007-12-02 15:51:28 UTC (rev 925)
@@ -1,8 +1,12 @@
php5 (5.2.0-8+etch9) UNRELEASED; urgency=low
* NOT RELEASED YET
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issues are addressed with this update:
+ - CVE-2007-5898: partial multibyte sequences in htmlentities etc
+ - CVE-2007-5899: output_add_rewrite_var and non-local URL's
- -- sean finney <sean at rangda.stickybit.se> Thu, 20 Sep 2007 21:08:57 +0200
+ -- sean finney <seanius at debian.org> Sun, 02 Dec 2007 14:26:36 +0100
php5 (5.2.0-8+etch8) stable-security; urgency=low
Added: php5/branches/etch/debian/patches/131-CVE-2007-5898.patch
===================================================================
--- php5/branches/etch/debian/patches/131-CVE-2007-5898.patch (rev 0)
+++ php5/branches/etch/debian/patches/131-CVE-2007-5898.patch 2007-12-02 15:51:28 UTC (rev 925)
@@ -0,0 +1,159 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.111.2.2.2.14&r2=1.111.2.2.2.15&view=patch
+--- old/ext/standard/html.c 2007/05/27 15:57:11 1.111.2.2.2.14
++++ new/ext/standard/html.c 2007/10/03 04:53:05 1.111.2.2.2.15
+@@ -484,18 +484,29 @@
+ } \
+ mbseq[mbpos++] = (mbchar); }
+
++#define CHECK_LEN(pos, chars_need) \
++ if((str_len - (pos)) < chars_need) { \
++ *status = FAILURE; \
++ return 0; \
++ }
++
+ /* {{{ get_next_char
+ */
+ inline static unsigned short get_next_char(enum entity_charset charset,
+ unsigned char * str,
++ int str_len,
+ int * newpos,
+ unsigned char * mbseq,
+- int * mbseqlen)
++ int * mbseqlen,
++ int *status)
+ {
+ int pos = *newpos;
+ int mbpos = 0;
+ int mbspace = *mbseqlen;
+ unsigned short this_char = str[pos++];
++ unsigned char next_char;
++
++ *status = SUCCESS;
+
+ if (mbspace <= 0) {
+ *mbseqlen = 0;
+@@ -517,6 +528,10 @@
+ do {
+ if (this_char < 0x80) {
+ more = 0;
++ if(stat) {
++ /* we didn't finish the UTF sequence correctly */
++ *status = FAILURE;
++ }
+ break;
+ } else if (this_char < 0xc0) {
+ switch (stat) {
+@@ -555,6 +570,7 @@
+ break;
+ default:
+ /* invalid */
++ *status = FAILURE;
+ more = 0;
+ }
+ }
+@@ -562,21 +578,27 @@
+ else if (this_char < 0xe0) {
+ stat = 0x10; /* 2 byte */
+ utf = (this_char & 0x1f) << 6;
++ CHECK_LEN(pos, 1);
+ } else if (this_char < 0xf0) {
+ stat = 0x20; /* 3 byte */
+ utf = (this_char & 0xf) << 12;
++ CHECK_LEN(pos, 2);
+ } else if (this_char < 0xf8) {
+ stat = 0x30; /* 4 byte */
+ utf = (this_char & 0x7) << 18;
++ CHECK_LEN(pos, 3);
+ } else if (this_char < 0xfc) {
+ stat = 0x40; /* 5 byte */
+ utf = (this_char & 0x3) << 24;
++ CHECK_LEN(pos, 4);
+ } else if (this_char < 0xfe) {
+ stat = 0x50; /* 6 byte */
+ utf = (this_char & 0x1) << 30;
++ CHECK_LEN(pos, 5);
+ } else {
+ /* invalid; bail */
+ more = 0;
++ *status = FAILURE;
+ break;
+ }
+
+@@ -594,7 +616,8 @@
+ /* check if this is the first of a 2-byte sequence */
+ if (this_char >= 0xa1 && this_char <= 0xfe) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if ((next_char >= 0x40 && next_char <= 0x7e) ||
+ (next_char >= 0xa1 && next_char <= 0xfe)) {
+ /* yes, this a wide char */
+@@ -614,7 +637,8 @@
+ (this_char >= 0xe0 && this_char <= 0xef)
+ ) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if ((next_char >= 0x40 && next_char <= 0x7e) ||
+ (next_char >= 0x80 && next_char <= 0xfc))
+ {
+@@ -633,7 +657,8 @@
+ /* check if this is the first of a multi-byte sequence */
+ if (this_char >= 0xa1 && this_char <= 0xfe) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if (next_char >= 0xa1 && next_char <= 0xfe) {
+ /* yes, this a jis kanji char */
+ this_char <<= 8;
+@@ -644,7 +669,8 @@
+
+ } else if (this_char == 0x8e) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if (next_char >= 0xa1 && next_char <= 0xdf) {
+ /* JIS X 0201 kana */
+ this_char <<= 8;
+@@ -655,8 +681,10 @@
+
+ } else if (this_char == 0x8f) {
+ /* peek at the next two char */
+- unsigned char next_char = str[pos];
+- unsigned char next2_char = str[pos+1];
++ unsigned char next2_char;
++ CHECK_LEN(pos, 2);
++ next_char = str[pos];
++ next2_char = str[pos+1];
+ if ((next_char >= 0xa1 && next_char <= 0xfe) &&
+ (next2_char >= 0xa1 && next2_char <= 0xfe)) {
+ /* JIS X 0212 hojo-kanji */
+@@ -1098,13 +1126,22 @@
+ maxlen = 128;
+ replaced = emalloc (maxlen);
+ len = 0;
+-
+ i = 0;
+ while (i < oldlen) {
+ unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */
+ int mbseqlen = sizeof(mbsequence);
+- unsigned short this_char = get_next_char(charset, old, &i, mbsequence, &mbseqlen);
++ int status = SUCCESS;
++ unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status);
+
++ if(status == FAILURE) {
++ /* invalid MB sequence */
++ efree(replaced);
++ if(!PG(display_errors)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid multibyte sequence in argument");
++ }
++ *newlen = 0;
++ return STR_EMPTY_ALLOC();
++ }
+ matches_map = 0;
+
+ if (len + 16 > maxlen)
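Review bot: In the new FAILURE branch of the nested hunk at `@@ -1098,13 +1126,22 @@`, the E_WARNING is raised only when `PG(display_errors)` is off, so with display_errors on an invalid multibyte argument silently becomes an empty string, which reads as an inverted condition. If this is deliberate (presumably to keep the diagnostic out of the very output this function is escaping), a comment such as `/* warn only to the log, never into the escaped output stream */` on the `if(!PG(display_errors))` line would stop the next maintainer from "fixing" it. Returning `STR_EMPTY_ALLOC()` with `*newlen = 0` is the fail-safe choice, but callers now receive empty output for input that previously passed through, which belongs in the function's documentation. Separately, `CHECK_LEN` expands to an unbraced `if` that `return`s and leaves `chars_need` unparenthesized; wrapping it in `do { ... } while (0)` and writing `(chars_need)` makes it safe in every context it may later be used in. Both enclosing functions start and end outside the nested hunks.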
Added: php5/branches/etch/debian/patches/132-CVE-2007-5899.patch
===================================================================
--- php5/branches/etch/debian/patches/132-CVE-2007-5899.patch (rev 0)
+++ php5/branches/etch/debian/patches/132-CVE-2007-5899.patch 2007-12-02 15:51:28 UTC (rev 925)
@@ -0,0 +1,51 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/url_scanner_ex.re?r1=1.76.2.2.2.1&r2=1.76.2.2.2.2&view=patch
+--- old/ext/standard/url_scanner_ex.re 2007/06/06 00:00:27 1.76.2.2.2.1
++++ new/ext/standard/url_scanner_ex.re 2007/10/10 00:35:52 1.76.2.2.2.2
+@@ -205,24 +205,35 @@
+
+ if (ctx->form_app.len > 0) {
+ switch (ctx->tag.len) {
+-
+-#define RECOGNIZE(x) do { \
+- case sizeof(x)-1: \
+- if (strncasecmp(ctx->tag.c, x, sizeof(x)-1) == 0) \
+- doit = 1; \
+- break; \
+-} while (0)
+-
+- RECOGNIZE("form");
+- RECOGNIZE("fieldset");
++ case sizeof("form") - 1:
++ if (!strncasecmp(ctx->tag.c, "form", sizeof("form") - 1)) {
++ doit = 1;
++ }
++ if (doit && ctx->val.c && ctx->lookup_data && *ctx->lookup_data) {
++ char *e, *p = zend_memnstr(ctx->val.c, "://", sizeof("://") - 1, ctx->val.c + ctx->val.len);
++ if (p) {
++ e = memchr(p, '/', (ctx->val.c + ctx->val.len) - p);
++ if (!e) {
++ e = ctx->val.c + ctx->val.len;
++ }
++ if ((e - p) && strncasecmp(p, ctx->lookup_data, (e - p))) {
++ doit = 0;
++ }
++ }
++ }
++ break;
++
++ case sizeof("fieldset") - 1:
++ if (!strncasecmp(ctx->tag.c, "fieldset", sizeof("fieldset") - 1)) {
++ doit = 1;
++ }
++ break;
+ }
+
+ if (doit)
+ smart_str_append(&ctx->result, &ctx->form_app);
+ }
+ }
+-
+-
+
+ /*
+ * HANDLE_TAG copies the HTML Tag and checks whether we
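Review bot: The host comparison `strncasecmp(p, ctx->lookup_data, (e - p))` is bounded by the length of the host found in the form action, so it is only a prefix check: an action host that is a proper prefix of `lookup_data` compares equal and `doit` stays 1, so `form_app` is still appended. Requiring the lengths to agree closes that gap, e.g. `if ((e - p) && (strlen(ctx->lookup_data) != (size_t)(e - p) || strncasecmp(p, ctx->lookup_data, (e - p)))) {`. Note also that `p` points at the `://` returned by zend_memnstr, so the compared span includes those three characters and `lookup_data` must be stored in the same `://host` form for a match to be possible; where it is populated is not in this hunk, and a one-line comment here stating that assumption would help. The enclosing function starts before the hunk.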