[Pkg-php-commits] r1069 - in php4/branches/etch/debian: . patches

Sean Finney seanius at alioth.debian.org
Tue May 13 19:22:51 UTC 2008


Author: seanius
Date: 2008-05-13 19:22:50 +0000 (Tue, 13 May 2008)
New Revision: 1069

Added:
   php4/branches/etch/debian/patches/134-CVE-2008-1384.patch
   php4/branches/etch/debian/patches/136-CVE-2008-2051.patch
   php4/branches/etch/debian/patches/137-CVE-2007-3806.patch
Modified:
   php4/branches/etch/debian/changelog
Log:
first stab at backporting relevant patches

Modified: php4/branches/etch/debian/changelog
===================================================================
--- php4/branches/etch/debian/changelog	2008-05-10 08:09:24 UTC (rev 1068)
+++ php4/branches/etch/debian/changelog	2008-05-13 19:22:50 UTC (rev 1069)
@@ -1,8 +1,13 @@
 php4 (6:4.4.4-8+etch6) UNRELEASED; urgency=low
 
   * NOT RELEASED YET
+  * NMU prepared for the security team by the package maintainer.
+  * The following security issues are addressed with this update:
+    - CVE-2007-3806: glob denial of service
+    - CVE-2008-1384: integer overflow in printf() 
+    - CVE-2008-2051: incomplete multibyte chars inside escapeshellcmd()
 
- -- sean finney <sean at rangda.stickybit.se>  Thu, 20 Sep 2007 20:43:44 +0200
+ -- Sean Finney <seanius at debian.org>  Tue, 13 May 2008 20:37:20 +0200
 
 php4 (6:4.4.4-8+etch5) stable-security; urgency=low
 

Added: php4/branches/etch/debian/patches/134-CVE-2008-1384.patch
===================================================================
--- php4/branches/etch/debian/patches/134-CVE-2008-1384.patch	                        (rev 0)
+++ php4/branches/etch/debian/patches/134-CVE-2008-1384.patch	2008-05-13 19:22:50 UTC (rev 1069)
@@ -0,0 +1,32 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.104&r2=1.105&view=patch
+--- old/ext/standard/formatted_print.c	2007/12/31 07:12:15	1.104
++++ new/ext/standard/formatted_print.c	2008/03/17 23:07:55	1.105
+@@ -94,6 +94,7 @@
+ 	register int npad;
+ 	int req_size;
+ 	int copy_len;
++	int m_width;
+ 
+ 	copy_len = (expprec ? MIN(max_width, len) : len);
+ 	npad = min_width - copy_len;
+@@ -104,11 +105,19 @@
+ 	
+ 	PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n",
+ 				  *buffer, *pos, *size, add, min_width, padding, alignment));
++	m_width = MAX(min_width, copy_len);
+ 
+-	req_size = *pos + MAX(min_width, copy_len) + 1;
++	if(m_width > INT_MAX - *pos - 1) {
++		zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width);
++	}
++
++	req_size = *pos + m_width + 1;
+ 
+ 	if (req_size > *size) {
+ 		while (req_size > *size) {
++			if(*size > INT_MAX/2) {
++				zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size); 
++			}
+ 			*size <<= 1;
+ 		}
+ 		PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
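Review bot: The two added overflow checks call `zend_error_noreturn` and compare against `INT_MAX`, yet this patch is taken from formatted_print.c r1.105 and, unlike 136-CVE-2008-2051.patch, carries no note that it was adapted to the php4 tree. Please confirm that the php4 Zend headers declare `zend_error_noreturn` and that `<limits.h>` is reachable from this file; if the former is missing, `zend_error(E_ERROR, "Field width %d is too long", m_width);` should behave the same for E_ERROR. The second message also prints `req_size` under the label "Field width", which misleads anyone reading the log, because it is the total buffer size that overflowed there. The enclosing function starts and ends outside the hunk.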

Added: php4/branches/etch/debian/patches/136-CVE-2008-2051.patch
===================================================================
--- php4/branches/etch/debian/patches/136-CVE-2008-2051.patch	                        (rev 0)
+++ php4/branches/etch/debian/patches/136-CVE-2008-2051.patch	2008-05-13 19:22:50 UTC (rev 1069)
@@ -0,0 +1,16 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.113.2.3.2.1.2.3&r2=1.113.2.3.2.1.2.4&view=patch
+local massaging done to get it to apply to php4
+--- old/ext/standard/exec.c	2007/12/31 07:17:14	1.113.2.3.2.1.2.3
++++ new/ext/standard/exec.c	2008/03/17 23:01:27	1.113.2.3.2.1.2.4
+@@ -271,6 +271,11 @@
+ 	cmd = emalloc(2 * l + 1);
+ 	
+ 	for (x = 0, y = 0; x < l; x++) {
++		/* skip non-valid multibyte characters */
++		if (mblen(str + x, (l - x)) < 0) {
++			continue;
++		}
++
+ 		switch (str[x]) {
+ 			case '"':
+ 			case '\'':
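Review bot: The added check only tests `mblen()` for a negative result, so for a valid multibyte character the loop still advances one byte at a time. Each continuation byte is then handed to `mblen()` again mid-character, where it may be rejected and dropped, or it falls into the `switch` and is escaped as if it were a standalone character. Keeping the returned length and copying a valid multibyte character whole closes that gap, as sketched below. `cmd` is allocated as `2 * l + 1`, so the copy stays in bounds. Note also that `mblen()` follows the process's LC_CTYPE locale, so the result depends on which locale is active when this runs. The loop body continues outside the hunk.

```c
	for (x = 0, y = 0; x < l; x++) {
		int mb_len = mblen(str + x, (l - x));

		/* skip non-valid multibyte characters */
		if (mb_len < 0) {
			continue;
		} else if (mb_len > 1) {
			/* copy a valid multibyte character as a unit so its
			 * trailing bytes are never examined one by one */
			memcpy(cmd + y, str + x, mb_len);
			y += mb_len;
			x += mb_len - 1;
			continue;
		}

		/* … unchanged: switch (str[x]) escaping of shell metacharacters … */
```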

Added: php4/branches/etch/debian/patches/137-CVE-2007-3806.patch
===================================================================
--- php4/branches/etch/debian/patches/137-CVE-2007-3806.patch	                        (rev 0)
+++ php4/branches/etch/debian/patches/137-CVE-2007-3806.patch	2008-05-13 19:22:50 UTC (rev 1069)
@@ -0,0 +1,11 @@
+diff -Nurad php5-5.2.3~/ext/standard/dir.c php5-5.2.3.new/ext/standard/dir.c
+--- php5-5.2.3~/ext/standard/dir.c	2007-09-28 23:37:59.000000000 +0200
++++ php5-5.2.3.new/ext/standard/dir.c	2007-09-28 23:59:48.000000000 +0200
+@@ -395,6 +395,7 @@
+ 	} 
+ #endif
+ 
++	memset(&globbuf, 0, sizeof(glob_t));
+ 	globbuf.gl_offs = 0;
+ 	if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
+ #ifdef GLOB_NOMATCH
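Review bot: Nothing in this patch file records that it was checked against php4's ext/standard/dir.c. Its headers name php5-5.2.3 and the hunk is placed at line 395, so the offset and context should be verified, or the patch refreshed against the php4 source, before the build relies on it. On the added line, `memset(&globbuf, 0, sizeof globbuf);` would tie the size to the variable rather than to the type name, and the following `globbuf.gl_offs = 0;` becomes redundant. A short comment such as `/* zero globbuf so later cleanup never reads uninitialised fields if glob() fails early */` would explain the memset. That rationale is inferred from the changelog's "glob denial of service" entry, since the cleanup paths are outside the hunk.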



