[Pkg-php-commits] r875 - in php5/branches/etch/debian: . patches
Sean Finney
seanius at alioth.debian.org
Mon Sep 17 22:55:13 UTC 2007
Author: seanius
Date: 2007-09-17 22:55:13 +0000 (Mon, 17 Sep 2007)
New Revision: 875
Added:
php5/branches/etch/debian/patches/125-CVE-2007-3998.patch
php5/branches/etch/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch
php5/branches/etch/debian/patches/127-CVE-2007-4658.patch
php5/branches/etch/debian/patches/128-CVE-2007-4659.patch
php5/branches/etch/debian/patches/129-CVE-2007-3799.patch
php5/branches/etch/debian/patches/130-CVE-2007-4662.patch
Modified:
php5/branches/etch/debian/changelog
Log:
batch of security updates
Modified: php5/branches/etch/debian/changelog
===================================================================
--- php5/branches/etch/debian/changelog 2007-09-17 01:32:18 UTC (rev 874)
+++ php5/branches/etch/debian/changelog 2007-09-17 22:55:13 UTC (rev 875)
@@ -1,8 +1,17 @@
php5 (5.2.0-8+etch8) UNRELEASED; urgency=low
* NOT RELEASED YET
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issues are addressed with this update:
+ - CVE-2007-3799: vulnerabilities in session_start
+ - CVE-2007-3998: vulnerabilities in wordwrap
+ - CVE-2007-4657: vulnerabilities in strspn/strcspn
+ - CVE-2007-4658: vulnerability in money_format
+ - CVE-2007-4659: race condition in zend_alter_ini_entry
+ - CVE-2007-4660: vulnerability in chunk_split
+ - CVE-2007-4662: buffer overflow in php_openssl_make_REQ
- -- sean finney <sean at rangda.stickybit.se> Mon, 02 Jul 2007 22:44:31 +0200
+ -- sean finney <seanius at debian.org> Tue, 18 Sep 2007 00:54:10 +0200
php5 (5.2.0-8+etch7) stable-security; urgency=low
Added: php5/branches/etch/debian/patches/125-CVE-2007-3998.patch
===================================================================
--- php5/branches/etch/debian/patches/125-CVE-2007-3998.patch (rev 0)
+++ php5/branches/etch/debian/patches/125-CVE-2007-3998.patch 2007-09-17 22:55:13 UTC (rev 875)
@@ -0,0 +1,14 @@
+--- old/ext/standard/string.c 2007/06/06 21:53:54 1.445.2.14.2.63
++++ new/ext/standard/string.c 2007/07/22 15:55:15 1.445.2.14.2.64
+@@ -651,6 +651,11 @@
+
+ if (textlen == 0) {
+ RETURN_EMPTY_STRING();
++ }
++
++ if (breakcharlen == 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Break string cannot be empty");
++ RETURN_FALSE;
+ }
+
+ if (linelength == 0 && docut) {
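Review bot: The new `breakcharlen == 0` rejection sits after the `textlen == 0` early return, so an empty break string combined with empty text still returns an empty string without the warning. Moving the argument check above the `textlen` test would make validation independent of the text being wrapped. A short comment such as `/* reject an empty break string before any wrapping is attempted (CVE-2007-3998) */` would record why the check exists. The rest of the function lies outside the hunk, so how `breakcharlen` is used further down cannot be confirmed from here.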
Added: php5/branches/etch/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch
===================================================================
--- php5/branches/etch/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch (rev 0)
+++ php5/branches/etch/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch 2007-09-17 22:55:13 UTC (rev 875)
@@ -0,0 +1,45 @@
+--- old/ext/standard/string.c 2007/05/24 21:29:27 1.445.2.14.2.57
++++ new/ext/standard/string.c 2007/06/06 18:15:41 1.445.2.14.2.62
+@@ -239,10 +239,14 @@
+ }
+ }
+
+- if ((start + len) > len1) {
++ if (len > len1 - start) {
+ len = len1 - start;
+ }
+
++ if(len == 0) {
++ RETURN_LONG(0);
++ }
++
+ if (behavior == STR_STRSPN) {
+ RETURN_LONG(php_strspn(s11 + start /*str1_start*/,
+ s22 /*str2_start*/,
+@@ -1956,11 +1960,25 @@
+ char *p, *q;
+ int chunks; /* complete chunks! */
+ int restlen;
++ int out_len;
+
+ chunks = srclen / chunklen;
+ restlen = srclen - chunks * chunklen; /* srclen % chunklen */
+
+- dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
++ if(chunks > INT_MAX - 1) {
++ return NULL;
++ }
++ out_len = chunks + 1;
++ if(endlen !=0 && out_len > INT_MAX/endlen) {
++ return NULL;
++ }
++ out_len *= endlen;
++ if(out_len > INT_MAX - srclen - 1) {
++ return NULL;
++ }
++ out_len += srclen + 1;
++
++ dest = safe_emalloc((int)out_len, sizeof(char), 0);
+
+ for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
+ memcpy(q, p, chunklen);
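Review bot: The `@@ -1956` hunk adds three `return NULL` paths to the chunk_split helper, and the caller is outside the hunk, so it should be confirmed that the caller tests the result before using it. The overflow checks are carried out in `int` and the `(int)out_len` cast is redundant because `out_len` is already declared `int`; `dest = safe_emalloc(out_len, sizeof(char), 0);` says the same thing. In the `@@ -239` hunk the rewritten comparison `len > len1 - start` avoids the overflowing sum, but it assumes `start <= len1` and `len >= 0` were established above the hunk. The new `len == 0` guard would not catch a negative `len`, so a comment naming that precondition would help.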
Added: php5/branches/etch/debian/patches/127-CVE-2007-4658.patch
===================================================================
--- php5/branches/etch/debian/patches/127-CVE-2007-4658.patch (rev 0)
+++ php5/branches/etch/debian/patches/127-CVE-2007-4658.patch 2007-09-17 22:55:13 UTC (rev 875)
@@ -0,0 +1,30 @@
+--- old/ext/standard/string.c 2007/06/05 13:35:26 1.445.2.14.2.60
++++ new/ext/standard/string.c 2007/06/06 18:15:41 1.445.2.14.2.62
+@@ -4985,11 +4994,26 @@
+ PHP_FUNCTION(money_format)
+ {
+ int format_len = 0, str_len;
+- char *format, *str;
++ char *format, *str, *p, *e;
+ double value;
++ zend_bool check = 0;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd", &format, &format_len, &value) == FAILURE) {
+ return;
++ }
++
++ p = format;
++ e = p + format_len;
++ while ((p = memchr(p, '%', (e - p)))) {
++ if (*(p + 1) == '%') {
++ p += 2;
++ } else if (!check) {
++ check = 1;
++ p++;
++ } else {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a single %%i or %%n token can be used");
++ RETURN_FALSE;
++ }
+ }
+
+ str_len = format_len + 1024;
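Review bot: The scan reads `*(p + 1)` without comparing it against `e`, so when `%` is the last byte of the format the test depends on the byte after `format_len` being a NUL terminator. Bounding it explicitly, `if (p + 1 < e && *(p + 1) == '%') {`, removes that reliance and also guarantees `p` never advances past `e`, which keeps the `e - p` length passed to `memchr` from going negative. A one-line comment above the loop, e.g. `/* allow at most one conversion; "%%" is a literal percent */`, would make the intent of `check` clear. The function continues outside the hunk, so the `format_len + 1024` buffer sizing cannot be reviewed from here.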
Added: php5/branches/etch/debian/patches/128-CVE-2007-4659.patch
===================================================================
--- php5/branches/etch/debian/patches/128-CVE-2007-4659.patch (rev 0)
+++ php5/branches/etch/debian/patches/128-CVE-2007-4659.patch 2007-09-17 22:55:13 UTC (rev 875)
@@ -0,0 +1,64 @@
+--- old/Zend/zend_ini.c 2007/04/16 08:09:54 1.39.2.2.2.8
++++ new/Zend/zend_ini.c 2007/06/17 14:31:12 1.39.2.2.2.10
+@@ -55,7 +55,9 @@
+ ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC);
+ } zend_end_try();
+ }
+- efree(ini_entry->value);
++ if (ini_entry->value != ini_entry->orig_value) {
++ efree(ini_entry->value);
++ }
+ ini_entry->value = ini_entry->orig_value;
+ ini_entry->value_length = ini_entry->orig_value_length;
+ ini_entry->modified = 0;
+@@ -234,30 +236,39 @@
+ {
+ zend_ini_entry *ini_entry;
+ char *duplicate;
++ zend_bool modified;
+ TSRMLS_FETCH();
+
+ if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
+ return FAILURE;
+ }
+
++ if (stage == ZEND_INI_STAGE_ACTIVATE && modify_type == ZEND_INI_SYSTEM) {
++ ini_entry->modifiable = ZEND_INI_SYSTEM;
++ }
++
+ if (!(ini_entry->modifiable & modify_type)) {
+ return FAILURE;
+ }
+
++ modified = ini_entry->modified;
++
++ if (!EG(modified_ini_directives)) {
++ ALLOC_HASHTABLE(EG(modified_ini_directives));
++ zend_hash_init(EG(modified_ini_directives), 8, NULL, NULL, 0);
++ }
++ if (!modified) {
++ ini_entry->orig_value = ini_entry->value;
++ ini_entry->orig_value_length = ini_entry->value_length;
++ ini_entry->modified = 1;
++ zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL);
++ }
++
+ duplicate = estrndup(new_value, new_value_length);
+-
++
+ if (!ini_entry->on_modify
+ || ini_entry->on_modify(ini_entry, duplicate, new_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC)==SUCCESS) {
+- if (!ini_entry->modified) {
+- ini_entry->orig_value = ini_entry->value;
+- ini_entry->orig_value_length = ini_entry->value_length;
+- ini_entry->modified = 1;
+- if (!EG(modified_ini_directives)) {
+- ALLOC_HASHTABLE(EG(modified_ini_directives));
+- zend_hash_init(EG(modified_ini_directives), 8, NULL, NULL, 0);
+- }
+- zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL);
+- } else { /* we already changed the value, free the changed value */
++ if (modified && ini_entry->orig_value != ini_entry->value) { /* we already changed the value, free the changed value */
+ efree(ini_entry->value);
+ }
+ ini_entry->value = duplicate;
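Review bot: With the bookkeeping moved ahead of the `on_modify` call, an entry whose handler rejects the new value is still marked `modified` and registered in `EG(modified_ini_directives)` while `value` and `orig_value` point at the same buffer. The two pointer-equality guards (`ini_entry->value != ini_entry->orig_value` in the restore path and `modified && ini_entry->orig_value != ini_entry->value` here) are what keep that buffer from being freed while it is still referenced. That invariant should be stated next to the block, e.g. `/* value may alias orig_value after a rejected change; never efree() it in that state */`. The assignment `ini_entry->modifiable = ZEND_INI_SYSTEM;` rewrites the entry's permission mask instead of bypassing the check once, so a comment should say whether the change is meant to persist. The return value of `zend_hash_add` is ignored, and the failure branch of the `on_modify` test is outside the hunk.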
Added: php5/branches/etch/debian/patches/129-CVE-2007-3799.patch
===================================================================
--- php5/branches/etch/debian/patches/129-CVE-2007-3799.patch (rev 0)
+++ php5/branches/etch/debian/patches/129-CVE-2007-3799.patch 2007-09-17 22:55:13 UTC (rev 875)
@@ -0,0 +1,31 @@
+--- old/ext/session/session.c 2007/06/15 22:40:00 1.417.2.8.2.36
++++ new/ext/session/session.c 2007/06/16 07:48:07 1.417.2.8.2.37
+@@ -1080,6 +1080,7 @@
+ {
+ smart_str ncookie = {0};
+ char *date_fmt = NULL;
++ char *e_session_name, *e_id;
+
+ if (SG(headers_sent)) {
+ char *output_start_filename = php_get_output_start_filename(TSRMLS_C);
+@@ -1093,11 +1094,18 @@
+ }
+ return;
+ }
++
++ /* URL encode session_name and id because they might be user supplied */
++ e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)), NULL);
++ e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
+
+ smart_str_appends(&ncookie, COOKIE_SET_COOKIE);
+- smart_str_appends(&ncookie, PS(session_name));
++ smart_str_appends(&ncookie, e_session_name);
+ smart_str_appendc(&ncookie, '=');
+- smart_str_appends(&ncookie, PS(id));
++ smart_str_appends(&ncookie, e_id);
++
++ efree(e_session_name);
++ efree(e_id);
+
+ if (PS(cookie_lifetime) > 0) {
+ struct timeval tv;
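Review bot: Only the session name and id are encoded in this hunk, and the function goes on appending further cookie attributes below `if (PS(cookie_lifetime) > 0) {`, outside what is shown. If any of those later values can be influenced by a script or a request, they need the same treatment, otherwise a delimiter in them could still alter the header. It should also be confirmed that the code which reads the cookie back handles an encoded name, since a name containing characters that `php_url_encode` rewrites is now emitted in a different form. The existing comment could be more specific about what is being neutralised: `/* URL-encode name and id so separators or line breaks in them cannot add cookie attributes or headers */`.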
Added: php5/branches/etch/debian/patches/130-CVE-2007-4662.patch
===================================================================
--- php5/branches/etch/debian/patches/130-CVE-2007-4662.patch (rev 0)
+++ php5/branches/etch/debian/patches/130-CVE-2007-4662.patch 2007-09-17 22:55:13 UTC (rev 875)
@@ -0,0 +1,22 @@
+--- old/ext/openssl/openssl.c 2007/07/11 12:18:14 1.98.2.5.2.38
++++ new/ext/openssl/openssl.c 2007/08/08 06:29:46 1.98.2.5.2.41
+@@ -1726,7 +1726,7 @@
+ /* Finally apply defaults from config file */
+ for(i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
+ int len;
+- char buffer[200];
++ char buffer[200 + 1]; /*200 + \0 !*/
+
+ v = sk_CONF_VALUE_value(dn_sk, i);
+ type = v->name;
+@@ -1739,7 +1739,9 @@
+ if (strcmp("_default", type + len) != 0) {
+ continue;
+ }
+-
++ if (len > 200) {
++ len = 200;
++ }
+ memcpy(buffer, type, len);
+ buffer[len] = '\0';
+ type = buffer;
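Review bot: The clamp repeats the literal `200` instead of deriving it from the array, so the bound and the declaration `char buffer[200 + 1]` can drift apart; `if (len > (int)sizeof(buffer) - 1) { len = sizeof(buffer) - 1; }` ties them together. Truncating silently also means an over-long config key is looked up under a shortened name, so skipping the entry with `continue` (as the `_default` mismatch just above does) may be the safer behaviour. How `len` is computed lies between the two inner hunks and is not visible, so whether it can be negative when `type + len` is evaluated cannot be checked from here.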