[Pkg-php-commits] r996 - in php5/branches/etch-proposed-updates/debian: . patches
Sean Finney
seanius at alioth.debian.org
Wed Feb 20 23:25:24 UTC 2008
Author: seanius
Date: 2008-02-20 23:25:23 +0000 (Wed, 20 Feb 2008)
New Revision: 996
Added:
php5/branches/etch-proposed-updates/debian/patches/123-CVE-2007-1399-MOPB-16.patch
php5/branches/etch-proposed-updates/debian/patches/124-CVE-2007-1864.patch
php5/branches/etch-proposed-updates/debian/patches/125-CVE-2007-3998.patch
php5/branches/etch-proposed-updates/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch
php5/branches/etch-proposed-updates/debian/patches/127-CVE-2007-4658.patch
php5/branches/etch-proposed-updates/debian/patches/128-CVE-2007-4659.patch
php5/branches/etch-proposed-updates/debian/patches/129-CVE-2007-3799.patch
php5/branches/etch-proposed-updates/debian/patches/130-CVE-2007-4662.patch
php5/branches/etch-proposed-updates/debian/patches/131-CVE-2007-5898.patch
php5/branches/etch-proposed-updates/debian/patches/132-CVE-2007-5899.patch
Modified:
php5/branches/etch-proposed-updates/debian/changelog
Log:
merge etch-p-u from etch (security)
Modified: php5/branches/etch-proposed-updates/debian/changelog
===================================================================
--- php5/branches/etch-proposed-updates/debian/changelog 2008-02-18 02:09:37 UTC (rev 995)
+++ php5/branches/etch-proposed-updates/debian/changelog 2008-02-20 23:25:23 UTC (rev 996)
@@ -1,9 +1,46 @@
-php5 (5.2.0-8+etch5~pu2) UNRELEASED; urgency=low
+php5 (5.2.0-8+etch9) UNRELEASED; urgency=low
* NOT RELEASED YET
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issues are addressed with this update:
+ - CVE-2007-5898: partial multibyte sequences in htmlentities etc
+ - CVE-2007-5899: output_add_rewrite_var and non-local URL's
- -- sean finney <seanius at debian.org> Wed, 23 May 2007 22:14:06 +0200
+ -- sean finney <seanius at debian.org> Sun, 02 Dec 2007 14:26:36 +0100
+php5 (5.2.0-8+etch8) stable-security; urgency=low
+
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issues are addressed with this update:
+ - CVE-2007-3799: vulnerabilities in session_start
+ - CVE-2007-3998: vulnerabilities in wordwrap
+ - CVE-2007-4657: vulnerabilities in strspn/strcspn
+ - CVE-2007-4658: vulnerability in money_format
+ - CVE-2007-4659: race condition in zend_alter_ini_entry
+ - CVE-2007-4660: vulnerability in chunk_split
+ - CVE-2007-4662: buffer overflow in php_openssl_make_REQ
+
+ -- sean finney <seanius at debian.org> Thu, 20 Sep 2007 20:44:22 +0200
+
+php5 (5.2.0-8+etch7) stable-security; urgency=low
+
+ * An addendum to the previous security NMU, the following vulnerability
+ is also fixed:
+ - CVE-2007-1864: Buffer overflow in the bundled libxmlrpc library.
+ * Thanks to Joe Orton from redhat for sharing the patch.
+
+ -- sean finney <seanius at debian.org> Mon, 02 Jul 2007 22:00:09 +0200
+
+php5 (5.2.0-8+etch6) stable-security; urgency=low
+
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issue is addressed with this update:
+ - CVE-2007-1399/MOPB-16: zip stream stack overflow.
+ * also, this update contains a merge from the proposed-updates
+ branch to fix a regression from the previous security update.
+
+ -- sean finney <seanius at debian.org> Sat, 30 Jun 2007 20:54:33 +0200
+
php5 (5.2.0-8+etch5~pu1) proposed-updates; urgency=low
* fix for regression in single quote escaping (closes: #422567).
Copied: php5/branches/etch-proposed-updates/debian/patches/123-CVE-2007-1399-MOPB-16.patch (from rev 995, php5/branches/etch/debian/patches/123-CVE-2007-1399-MOPB-16.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/123-CVE-2007-1399-MOPB-16.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/123-CVE-2007-1399-MOPB-16.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,31 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/zip/zip_stream.c?r1=1.1.2.2&r2=1.1.2.3&pathrev=PHP_5_2&view=patch
+--- old/ext/zip/zip_stream.c 2006/11/12 00:41:16 1.1.2.2
++++ new/ext/zip/zip_stream.c 2006/12/23 23:28:39 1.1.2.3
+@@ -153,7 +153,7 @@
+
+ char *file_basename;
+ size_t file_basename_len;
+- char file_dirname[MAXPATHLEN+1];
++ char file_dirname[MAXPATHLEN];
+
+ struct zip *za;
+ struct zip_file *zf = NULL;
+@@ -179,15 +179,15 @@
+ return NULL;
+ }
+ path_len = strlen(path);
++ if (path_len >= MAXPATHLEN || mode[0] != 'r') {
++ return NULL;
++ }
+
+ memcpy(file_dirname, path, path_len - fragment_len);
+ file_dirname[path_len - fragment_len] = '\0';
+
+ php_basename(path, path_len - fragment_len, NULL, 0, &file_basename, &file_basename_len TSRMLS_CC);
+ fragment++;
+- if (mode[0] != 'r') {
+- return NULL;
+- }
+
+ za = zip_open(file_dirname, ZIP_CREATE, &err);
+ if (za) {
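Review bot: The new guard bounds `path_len`, but the `memcpy` and the terminator write use `path_len - fragment_len`, and `fragment_len` is computed outside this hunk, so the relationship should be stated next to the check. As far as the visible lines show, the copy fits because `path_len < MAXPATHLEN` and the fragment can only shorten it. That holds only while `fragment_len <= path_len`. I would add a comment above the guard such as `/* file_dirname[MAXPATHLEN] holds path minus the #fragment plus NUL; reject anything that cannot fit */`. The function body starts and ends outside the hunk.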
Copied: php5/branches/etch-proposed-updates/debian/patches/124-CVE-2007-1864.patch (from rev 995, php5/branches/etch/debian/patches/124-CVE-2007-1864.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/124-CVE-2007-1864.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/124-CVE-2007-1864.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,11 @@
+--- old/ext/xmlrpc/libxmlrpc/xml_to_soap.c 2007-06-30 14:37:52.000000000 +0200
++++ new/ext/xmlrpc/libxmlrpc/xml_to_soap.c 2007-06-30 14:38:38.000000000 +0200
+@@ -75,7 +75,7 @@
+ }
+
+ struct array_info {
+- char kids_type[30];
++ char kids_type[128];
+ unsigned long size;
+ /* ... ? */
+ };
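Review bot: Growing `kids_type` from 30 to 128 bytes raises the threshold but does not by itself bound the write into the field. The code that fills it is outside this hunk, so whether the copy is length-limited cannot be confirmed here. If the writer copies a value taken from the parsed document without a limit, a longer value still overruns the struct. The write site should be bounded by the field's own size, for example `snprintf(dst->kids_type, sizeof dst->kids_type, "%s", src);` (with `dst` and `src` as placeholders for the real names), and the field deserves a comment saying what the 128 is sized for.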
Copied: php5/branches/etch-proposed-updates/debian/patches/125-CVE-2007-3998.patch (from rev 995, php5/branches/etch/debian/patches/125-CVE-2007-3998.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/125-CVE-2007-3998.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/125-CVE-2007-3998.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,14 @@
+--- old/ext/standard/string.c 2007/06/06 21:53:54 1.445.2.14.2.63
++++ new/ext/standard/string.c 2007/07/22 15:55:15 1.445.2.14.2.64
+@@ -651,6 +651,11 @@
+
+ if (textlen == 0) {
+ RETURN_EMPTY_STRING();
++ }
++
++ if (breakcharlen == 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Break string cannot be empty");
++ RETURN_FALSE;
+ }
+
+ if (linelength == 0 && docut) {
Copied: php5/branches/etch-proposed-updates/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch (from rev 995, php5/branches/etch/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/126-CVE-2007-4657_CVE-2007-4660.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,45 @@
+--- old/ext/standard/string.c 2007/05/24 21:29:27 1.445.2.14.2.57
++++ new/ext/standard/string.c 2007/06/06 18:15:41 1.445.2.14.2.62
+@@ -239,10 +239,14 @@
+ }
+ }
+
+- if ((start + len) > len1) {
++ if (len > len1 - start) {
+ len = len1 - start;
+ }
+
++ if(len == 0) {
++ RETURN_LONG(0);
++ }
++
+ if (behavior == STR_STRSPN) {
+ RETURN_LONG(php_strspn(s11 + start /*str1_start*/,
+ s22 /*str2_start*/,
+@@ -1956,11 +1960,25 @@
+ char *p, *q;
+ int chunks; /* complete chunks! */
+ int restlen;
++ int out_len;
+
+ chunks = srclen / chunklen;
+ restlen = srclen - chunks * chunklen; /* srclen % chunklen */
+
+- dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
++ if(chunks > INT_MAX - 1) {
++ return NULL;
++ }
++ out_len = chunks + 1;
++ if(endlen !=0 && out_len > INT_MAX/endlen) {
++ return NULL;
++ }
++ out_len *= endlen;
++ if(out_len > INT_MAX - srclen - 1) {
++ return NULL;
++ }
++ out_len += srclen + 1;
++
++ dest = safe_emalloc((int)out_len, sizeof(char), 0);
+
+ for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
+ memcpy(q, p, chunklen);
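Review bot: The overflow guards added in the second inner hunk make the function return NULL, and its callers are outside the hunk, so each of them needs checking that it tests the result before using it or the returned length. Two smaller points apply to the same lines. `chunks > INT_MAX - 1` can only be true when `chunks == INT_MAX`, and the cast in `safe_emalloc((int)out_len, ...)` does nothing because `out_len` is already `int`. A one-line comment above the guards, such as `/* out_len = (chunks + 1) * endlen + srclen + 1, checked step by step for int overflow */`, would make the sequence easier to audit.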
Copied: php5/branches/etch-proposed-updates/debian/patches/127-CVE-2007-4658.patch (from rev 995, php5/branches/etch/debian/patches/127-CVE-2007-4658.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/127-CVE-2007-4658.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/127-CVE-2007-4658.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,30 @@
+--- old/ext/standard/string.c 2007/06/05 13:35:26 1.445.2.14.2.60
++++ new/ext/standard/string.c 2007/06/06 18:15:41 1.445.2.14.2.62
+@@ -4985,11 +4994,26 @@
+ PHP_FUNCTION(money_format)
+ {
+ int format_len = 0, str_len;
+- char *format, *str;
++ char *format, *str, *p, *e;
+ double value;
++ zend_bool check = 0;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd", &format, &format_len, &value) == FAILURE) {
+ return;
++ }
++
++ p = format;
++ e = p + format_len;
++ while ((p = memchr(p, '%', (e - p)))) {
++ if (*(p + 1) == '%') {
++ p += 2;
++ } else if (!check) {
++ check = 1;
++ p++;
++ } else {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a single %%i or %%n token can be used");
++ RETURN_FALSE;
++ }
+ }
+
+ str_len = format_len + 1024;
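Review bot: The scan reads `*(p + 1)` without checking that `p + 1 < e`, so when `%` is the last byte of the format it looks one byte past `format_len`. That is only safe if the buffer handed back by `zend_parse_parameters` is NUL-terminated at that position, which this hunk does not show. Writing `if (p + 1 < e && *(p + 1) == '%') {` keeps the loop within its own bounds. The warning text names only `%i` and `%n`, while the loop rejects any second unescaped `%`, which a short comment above the loop could state.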
Copied: php5/branches/etch-proposed-updates/debian/patches/128-CVE-2007-4659.patch (from rev 995, php5/branches/etch/debian/patches/128-CVE-2007-4659.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/128-CVE-2007-4659.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/128-CVE-2007-4659.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,64 @@
+--- old/Zend/zend_ini.c 2007/04/16 08:09:54 1.39.2.2.2.8
++++ new/Zend/zend_ini.c 2007/06/17 14:31:12 1.39.2.2.2.10
+@@ -55,7 +55,9 @@
+ ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC);
+ } zend_end_try();
+ }
+- efree(ini_entry->value);
++ if (ini_entry->value != ini_entry->orig_value) {
++ efree(ini_entry->value);
++ }
+ ini_entry->value = ini_entry->orig_value;
+ ini_entry->value_length = ini_entry->orig_value_length;
+ ini_entry->modified = 0;
+@@ -234,30 +236,39 @@
+ {
+ zend_ini_entry *ini_entry;
+ char *duplicate;
++ zend_bool modified;
+ TSRMLS_FETCH();
+
+ if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
+ return FAILURE;
+ }
+
++ if (stage == ZEND_INI_STAGE_ACTIVATE && modify_type == ZEND_INI_SYSTEM) {
++ ini_entry->modifiable = ZEND_INI_SYSTEM;
++ }
++
+ if (!(ini_entry->modifiable & modify_type)) {
+ return FAILURE;
+ }
+
++ modified = ini_entry->modified;
++
++ if (!EG(modified_ini_directives)) {
++ ALLOC_HASHTABLE(EG(modified_ini_directives));
++ zend_hash_init(EG(modified_ini_directives), 8, NULL, NULL, 0);
++ }
++ if (!modified) {
++ ini_entry->orig_value = ini_entry->value;
++ ini_entry->orig_value_length = ini_entry->value_length;
++ ini_entry->modified = 1;
++ zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL);
++ }
++
+ duplicate = estrndup(new_value, new_value_length);
+-
++
+ if (!ini_entry->on_modify
+ || ini_entry->on_modify(ini_entry, duplicate, new_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC)==SUCCESS) {
+- if (!ini_entry->modified) {
+- ini_entry->orig_value = ini_entry->value;
+- ini_entry->orig_value_length = ini_entry->value_length;
+- ini_entry->modified = 1;
+- if (!EG(modified_ini_directives)) {
+- ALLOC_HASHTABLE(EG(modified_ini_directives));
+- zend_hash_init(EG(modified_ini_directives), 8, NULL, NULL, 0);
+- }
+- zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL);
+- } else { /* we already changed the value, free the changed value */
++ if (modified && ini_entry->orig_value != ini_entry->value) { /* we already changed the value, free the changed value */
+ efree(ini_entry->value);
+ }
+ ini_entry->value = duplicate;
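Review bot: In the second inner hunk the entry is marked `modified` and added to `modified_ini_directives` before `on_modify` has accepted the new value, and nothing in the code explains why. If the handler rejects the value (that path is outside the hunk), the entry stays registered with `value == orig_value`. The pointer comparisons added before both `efree` calls are what stop the restore path from freeing the original string. That invariant deserves a comment at the bookkeeping block, for example `/* record the original before on_modify runs; value == orig_value means nothing was replaced yet and must not be freed */`. The return value of `zend_hash_add` is also ignored there.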
Copied: php5/branches/etch-proposed-updates/debian/patches/129-CVE-2007-3799.patch (from rev 995, php5/branches/etch/debian/patches/129-CVE-2007-3799.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/129-CVE-2007-3799.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/129-CVE-2007-3799.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,31 @@
+--- old/ext/session/session.c 2007/06/15 22:40:00 1.417.2.8.2.36
++++ new/ext/session/session.c 2007/06/16 07:48:07 1.417.2.8.2.37
+@@ -1080,6 +1080,7 @@
+ {
+ smart_str ncookie = {0};
+ char *date_fmt = NULL;
++ char *e_session_name, *e_id;
+
+ if (SG(headers_sent)) {
+ char *output_start_filename = php_get_output_start_filename(TSRMLS_C);
+@@ -1093,11 +1094,18 @@
+ }
+ return;
+ }
++
++ /* URL encode session_name and id because they might be user supplied */
++ e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)), NULL);
++ e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
+
+ smart_str_appends(&ncookie, COOKIE_SET_COOKIE);
+- smart_str_appends(&ncookie, PS(session_name));
++ smart_str_appends(&ncookie, e_session_name);
+ smart_str_appendc(&ncookie, '=');
+- smart_str_appends(&ncookie, PS(id));
++ smart_str_appends(&ncookie, e_id);
++
++ efree(e_session_name);
++ efree(e_id);
+
+ if (PS(cookie_lifetime) > 0) {
+ struct timeval tv;
Copied: php5/branches/etch-proposed-updates/debian/patches/130-CVE-2007-4662.patch (from rev 995, php5/branches/etch/debian/patches/130-CVE-2007-4662.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/130-CVE-2007-4662.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/130-CVE-2007-4662.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,22 @@
+--- old/ext/openssl/openssl.c 2007/07/11 12:18:14 1.98.2.5.2.38
++++ new/ext/openssl/openssl.c 2007/08/08 06:29:46 1.98.2.5.2.41
+@@ -1726,7 +1726,7 @@
+ /* Finally apply defaults from config file */
+ for(i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
+ int len;
+- char buffer[200];
++ char buffer[200 + 1]; /*200 + \0 !*/
+
+ v = sk_CONF_VALUE_value(dn_sk, i);
+ type = v->name;
+@@ -1739,7 +1739,9 @@
+ if (strcmp("_default", type + len) != 0) {
+ continue;
+ }
+-
++ if (len > 200) {
++ len = 200;
++ }
+ memcpy(buffer, type, len);
+ buffer[len] = '\0';
+ type = buffer;
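Review bot: The clamp `if (len > 200) { len = 200; }` repeats the array size as a literal and silently shortens the name, so an over-long entry is then processed under a truncated `type` instead of being rejected. Tying the limit to the buffer with `if (len > (int)sizeof(buffer) - 1) {` keeps the two from drifting apart if the size changes. Skipping the entry with `continue;` would avoid acting on a name that no longer matches the configuration. `len` is computed outside the hunk, so I cannot confirm here that it is never negative before the `memcpy`.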
Copied: php5/branches/etch-proposed-updates/debian/patches/131-CVE-2007-5898.patch (from rev 995, php5/branches/etch/debian/patches/131-CVE-2007-5898.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/131-CVE-2007-5898.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/131-CVE-2007-5898.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,159 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.111.2.2.2.14&r2=1.111.2.2.2.15&view=patch
+--- old/ext/standard/html.c 2007/05/27 15:57:11 1.111.2.2.2.14
++++ new/ext/standard/html.c 2007/10/03 04:53:05 1.111.2.2.2.15
+@@ -484,18 +484,29 @@
+ } \
+ mbseq[mbpos++] = (mbchar); }
+
++#define CHECK_LEN(pos, chars_need) \
++ if((str_len - (pos)) < chars_need) { \
++ *status = FAILURE; \
++ return 0; \
++ }
++
+ /* {{{ get_next_char
+ */
+ inline static unsigned short get_next_char(enum entity_charset charset,
+ unsigned char * str,
++ int str_len,
+ int * newpos,
+ unsigned char * mbseq,
+- int * mbseqlen)
++ int * mbseqlen,
++ int *status)
+ {
+ int pos = *newpos;
+ int mbpos = 0;
+ int mbspace = *mbseqlen;
+ unsigned short this_char = str[pos++];
++ unsigned char next_char;
++
++ *status = SUCCESS;
+
+ if (mbspace <= 0) {
+ *mbseqlen = 0;
+@@ -517,6 +528,10 @@
+ do {
+ if (this_char < 0x80) {
+ more = 0;
++ if(stat) {
++ /* we didn't finish the UTF sequence correctly */
++ *status = FAILURE;
++ }
+ break;
+ } else if (this_char < 0xc0) {
+ switch (stat) {
+@@ -555,6 +570,7 @@
+ break;
+ default:
+ /* invalid */
++ *status = FAILURE;
+ more = 0;
+ }
+ }
+@@ -562,21 +578,27 @@
+ else if (this_char < 0xe0) {
+ stat = 0x10; /* 2 byte */
+ utf = (this_char & 0x1f) << 6;
++ CHECK_LEN(pos, 1);
+ } else if (this_char < 0xf0) {
+ stat = 0x20; /* 3 byte */
+ utf = (this_char & 0xf) << 12;
++ CHECK_LEN(pos, 2);
+ } else if (this_char < 0xf8) {
+ stat = 0x30; /* 4 byte */
+ utf = (this_char & 0x7) << 18;
++ CHECK_LEN(pos, 3);
+ } else if (this_char < 0xfc) {
+ stat = 0x40; /* 5 byte */
+ utf = (this_char & 0x3) << 24;
++ CHECK_LEN(pos, 4);
+ } else if (this_char < 0xfe) {
+ stat = 0x50; /* 6 byte */
+ utf = (this_char & 0x1) << 30;
++ CHECK_LEN(pos, 5);
+ } else {
+ /* invalid; bail */
+ more = 0;
++ *status = FAILURE;
+ break;
+ }
+
+@@ -594,7 +616,8 @@
+ /* check if this is the first of a 2-byte sequence */
+ if (this_char >= 0xa1 && this_char <= 0xfe) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if ((next_char >= 0x40 && next_char <= 0x7e) ||
+ (next_char >= 0xa1 && next_char <= 0xfe)) {
+ /* yes, this a wide char */
+@@ -614,7 +637,8 @@
+ (this_char >= 0xe0 && this_char <= 0xef)
+ ) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if ((next_char >= 0x40 && next_char <= 0x7e) ||
+ (next_char >= 0x80 && next_char <= 0xfc))
+ {
+@@ -633,7 +657,8 @@
+ /* check if this is the first of a multi-byte sequence */
+ if (this_char >= 0xa1 && this_char <= 0xfe) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if (next_char >= 0xa1 && next_char <= 0xfe) {
+ /* yes, this a jis kanji char */
+ this_char <<= 8;
+@@ -644,7 +669,8 @@
+
+ } else if (this_char == 0x8e) {
+ /* peek at the next char */
+- unsigned char next_char = str[pos];
++ CHECK_LEN(pos, 1);
++ next_char = str[pos];
+ if (next_char >= 0xa1 && next_char <= 0xdf) {
+ /* JIS X 0201 kana */
+ this_char <<= 8;
+@@ -655,8 +681,10 @@
+
+ } else if (this_char == 0x8f) {
+ /* peek at the next two char */
+- unsigned char next_char = str[pos];
+- unsigned char next2_char = str[pos+1];
++ unsigned char next2_char;
++ CHECK_LEN(pos, 2);
++ next_char = str[pos];
++ next2_char = str[pos+1];
+ if ((next_char >= 0xa1 && next_char <= 0xfe) &&
+ (next2_char >= 0xa1 && next2_char <= 0xfe)) {
+ /* JIS X 0212 hojo-kanji */
+@@ -1098,13 +1126,22 @@
+ maxlen = 128;
+ replaced = emalloc (maxlen);
+ len = 0;
+-
+ i = 0;
+ while (i < oldlen) {
+ unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */
+ int mbseqlen = sizeof(mbsequence);
+- unsigned short this_char = get_next_char(charset, old, &i, mbsequence, &mbseqlen);
++ int status = SUCCESS;
++ unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status);
+
++ if(status == FAILURE) {
++ /* invalid MB sequence */
++ efree(replaced);
++ if(!PG(display_errors)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid multibyte sequence in argument");
++ }
++ *newlen = 0;
++ return STR_EMPTY_ALLOC();
++ }
+ matches_map = 0;
+
+ if (len + 16 > maxlen)
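Review bot: `CHECK_LEN` is a bare `if` block with an unparenthesised `chars_need`, a hidden `return 0`, and implicit use of `str_len` and `status` from the enclosing scope. It works at the call sites shown, but it would mis-bind under an unbraced `if`/`else` and is easy to misuse in a later edit. Wrapping it in `do { ... } while (0)` and parenthesising the argument costs nothing, and a comment should say that it returns from `get_next_char`. Separately, in the last inner hunk the warning is emitted only when `display_errors` is off, via `if(!PG(display_errors))`. If that is deliberate it needs a comment, because otherwise the caller gets an empty string with no diagnostic.

```c
/* Returns 0 from get_next_char with *status = FAILURE when fewer than
 * chars_need bytes remain after pos; relies on str_len and status in scope. */
#define CHECK_LEN(pos, chars_need) \
	do { \
		if ((str_len - (pos)) < (chars_need)) { \
			*status = FAILURE; \
			return 0; \
		} \
	} while (0)
```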
Copied: php5/branches/etch-proposed-updates/debian/patches/132-CVE-2007-5899.patch (from rev 995, php5/branches/etch/debian/patches/132-CVE-2007-5899.patch)
===================================================================
--- php5/branches/etch-proposed-updates/debian/patches/132-CVE-2007-5899.patch (rev 0)
+++ php5/branches/etch-proposed-updates/debian/patches/132-CVE-2007-5899.patch 2008-02-20 23:25:23 UTC (rev 996)
@@ -0,0 +1,51 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/url_scanner_ex.re?r1=1.76.2.2.2.1&r2=1.76.2.2.2.2&view=patch
+--- old/ext/standard/url_scanner_ex.re 2007/06/06 00:00:27 1.76.2.2.2.1
++++ new/ext/standard/url_scanner_ex.re 2007/10/10 00:35:52 1.76.2.2.2.2
+@@ -205,24 +205,35 @@
+
+ if (ctx->form_app.len > 0) {
+ switch (ctx->tag.len) {
+-
+-#define RECOGNIZE(x) do { \
+- case sizeof(x)-1: \
+- if (strncasecmp(ctx->tag.c, x, sizeof(x)-1) == 0) \
+- doit = 1; \
+- break; \
+-} while (0)
+-
+- RECOGNIZE("form");
+- RECOGNIZE("fieldset");
++ case sizeof("form") - 1:
++ if (!strncasecmp(ctx->tag.c, "form", sizeof("form") - 1)) {
++ doit = 1;
++ }
++ if (doit && ctx->val.c && ctx->lookup_data && *ctx->lookup_data) {
++ char *e, *p = zend_memnstr(ctx->val.c, "://", sizeof("://") - 1, ctx->val.c + ctx->val.len);
++ if (p) {
++ e = memchr(p, '/', (ctx->val.c + ctx->val.len) - p);
++ if (!e) {
++ e = ctx->val.c + ctx->val.len;
++ }
++ if ((e - p) && strncasecmp(p, ctx->lookup_data, (e - p))) {
++ doit = 0;
++ }
++ }
++ }
++ break;
++
++ case sizeof("fieldset") - 1:
++ if (!strncasecmp(ctx->tag.c, "fieldset", sizeof("fieldset") - 1)) {
++ doit = 1;
++ }
++ break;
+ }
+
+ if (doit)
+ smart_str_append(&ctx->result, &ctx->form_app);
+ }
+ }
+-
+-
+
+ /*
+ * HANDLE_TAG copies the HTML Tag and checks whether we
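Review bot: In the new `form` case `p` is left pointing at the `:` of `://`, so `memchr(p, '/', ...)` finds the slash at `p + 1` and the following `strncasecmp(p, ctx->lookup_data, (e - p))` compares a single `:` against the first byte of `lookup_data`. As written, that turns rewriting off for essentially every absolute form target, which fails closed but is not the host comparison the code appears to intend. Adding `p += sizeof("://") - 1;` before the `memchr` fixes the start of the comparison. Even then the check is only a prefix match over `e - p` bytes, so it should also require `strlen(ctx->lookup_data) == (size_t)(e - p)` before treating the host as local. A comment stating what `lookup_data` holds would help, since its definition is outside the hunk.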