[Pkg-php-commits] r877 - in php4/branches/sarge/debian: . patches
Sean Finney
seanius at alioth.debian.org
Wed Sep 19 20:52:36 UTC 2007
Author: seanius
Date: 2007-09-19 20:52:36 +0000 (Wed, 19 Sep 2007)
New Revision: 877
Added:
php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch
Modified:
php4/branches/sarge/debian/changelog
Log:
fix for CVE-2007-4657
Modified: php4/branches/sarge/debian/changelog
===================================================================
--- php4/branches/sarge/debian/changelog 2007-09-19 01:31:52 UTC (rev 876)
+++ php4/branches/sarge/debian/changelog 2007-09-19 20:52:36 UTC (rev 877)
@@ -1,8 +1,11 @@
-php4 (4:4.3.10-22) UNRELEASED; urgency=low
+php4 (4:4.3.10-23) UNRELEASED; urgency=low
* Not yet released.
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issues are addressed with this update:
+ - CVE-2007-4657: integer overflows in strspn/strcspn
- -- sean finney <seanius at debian.org> Sat, 30 Jun 2007 17:59:37 +0200
+ -- sean finney <seanius at debian.org> Wed, 19 Sep 2007 22:53:30 +0200
php4 (4:4.3.10-22) oldstable-security; urgency=low
Added: php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch
===================================================================
--- php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch (rev 0)
+++ php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch 2007-09-19 20:52:36 UTC (rev 877)
@@ -0,0 +1,74 @@
+--- string.c 2007/05/24 21:31:05 1.333.2.52.2.13
++++ string.c 2007/06/06 18:38:47 1.333.2.52.2.16
+@@ -234,10 +234,14 @@
+ }
+ }
+
+- if (((unsigned) start + (unsigned) len) > len1) {
++ if (len > len1 - start) {
+ len = len1 - start;
+ }
+
++ if(len == 0) {
++ RETURN_LONG(0);
++ }
++
+ s = s22;
+ e = s22 + len2;
+ while (s < e) {
+@@ -1511,11 +1515,25 @@
+ char *p, *q;
+ int chunks; /* complete chunks! */
+ int restlen;
++ int out_len;
+
+ chunks = srclen / chunklen;
+ restlen = srclen - chunks * chunklen; /* srclen % chunklen */
+
+- dest = safe_emalloc(sizeof(char), (srclen + (chunks + 1) * endlen + 1), 0);
++ if(chunks > INT_MAX - 1) {
++ return NULL;
++ }
++ out_len = chunks + 1;
++ if(endlen != 0 && out_len > INT_MAX/endlen) {
++ return NULL;
++ }
++ out_len *= endlen;
++ if(out_len > INT_MAX - srclen - 1) {
++ return NULL;
++ }
++ out_len += srclen + 1;
++
++ dest = safe_emalloc(out_len, sizeof(char), 0);
+
+ for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
+ memcpy(q, p, chunklen);
+@@ -4088,12 +4106,27 @@
+
+ PHP_FUNCTION(money_format) {
+ int format_len = 0, str_len;
+- char *format, *str;
++ char *format, *str, *p, *e;
+ double value;
++ zend_bool check = 0;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd",
+ &format, &format_len, &value) == FAILURE) {
+ return;
++ }
++
++ p = format;
++ e = p + format_len;
++ while ((p = memchr(p, '%', (e - p)))) {
++ if (*(p + 1) == '%') {
++ p += 2;
++ } else if (!check) {
++ check = 1;
++ p++;
++ } else {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a single %%i or %%n token can be used");
++ RETURN_FALSE;
++ }
+ }
+
+ str_len = format_len + 1024;
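Review bot: The three new `return NULL;` exits in the hunk at -1511 add a failure result that no caller in this patch is shown handling; confirm every caller tests the returned pointer before using it, since an unchecked caller would turn the rejected overflow into a NULL dereference. In the money_format hunk, `*(p + 1)` is read without comparing against `e`, so the scan relies on `format` being NUL-terminated at `format_len`; `if (p + 1 < e && *(p + 1) == '%') {` would make the loop self-contained without changing its result. The unchanged `str_len = format_len + 1024;` below the new loop is still plain `int` arithmetic and looks worth the same kind of guard, e.g. `if (format_len > INT_MAX - 1024) { RETURN_FALSE; }`. All three function bodies start or end outside the patch, so the callers and the later use of `str_len` are not visible here.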