[Pkg-php-commits] r1154 - in php5/branches/etch/debian: . patches

Sean Finney seanius at alioth.debian.org
Sun Sep 14 12:13:19 UTC 2008


Author: seanius
Date: 2008-09-14 12:13:19 +0000 (Sun, 14 Sep 2008)
New Revision: 1154

Added:
   php5/branches/etch/debian/patches/139-CVE-2008-3659.patch
   php5/branches/etch/debian/patches/140-CVE-2008-3658.patch
Modified:
   php5/branches/etch/debian/changelog
Log:
fix for a couple CVEs

Modified: php5/branches/etch/debian/changelog
===================================================================
--- php5/branches/etch/debian/changelog	2008-09-11 14:13:42 UTC (rev 1153)
+++ php5/branches/etch/debian/changelog	2008-09-14 12:13:19 UTC (rev 1154)
@@ -1,3 +1,15 @@
+php5 (5.2.0-8+etch13) stable-security; urgency=high
+
+  * NOT YET UPLOADED
+  * Upload to etch for security issues
+  * The following security issues are addressed with this update:
+     - CVE-2008-3658: Buffer overflow in the imageloadfont function.
+       Patch: 140-CVE-2008-3658.patch
+     - CVE-2008-3659: Buffer overflow in the memnstr function.
+       Patch: 139-CVE-2008-3659.patch
+
+ -- Sean Finney <seanius at debian.org>  Sun, 14 Sep 2008 14:14:02 +0200
+
 php5 (5.2.0-8+etch12) stable-security; urgency=high
 
   * Upload to etch for security issues.

Added: php5/branches/etch/debian/patches/139-CVE-2008-3659.patch
===================================================================
--- php5/branches/etch/debian/patches/139-CVE-2008-3659.patch	                        (rev 0)
+++ php5/branches/etch/debian/patches/139-CVE-2008-3659.patch	2008-09-14 12:13:19 UTC (rev 1154)
@@ -0,0 +1,14 @@
+fix for CVE-2008-3659
+http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+--- old/Zend/zend_operators.h	2007/12/31 07:20:03	1.94.2.4.2.11
++++ new/Zend/zend_operators.h	2008/08/05 20:11:17	1.94.2.4.2.12
+@@ -220,6 +220,9 @@
+ 	char *p = haystack;
+ 	char ne = needle[needle_len-1];
+ 
++	if(needle_len > end-haystack) {
++		return NULL;
++	}
+ 	end -= needle_len;
+ 
+ 	while (p <= end) {
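Review bot: The added guard comes after `char ne = needle[needle_len-1];`, so a zero `needle_len` still reads one byte before `needle` before any validation runs, and `needle_len > end-haystack` does not reject that case. Unless every caller is guaranteed to pass a non-empty needle (not visible from this hunk), the check should run first and cover it, e.g. `if (needle_len <= 0 || needle_len > end-haystack) return NULL;`, with `ne` assigned only after it. The comparison also mixes `needle_len` with a pointer difference, and its declared type is outside the hunk. If it is unsigned, confirm the comparison cannot be evaluated as unsigned on any target. The function's signature and the rest of the loop are outside the hunk.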

Added: php5/branches/etch/debian/patches/140-CVE-2008-3658.patch
===================================================================
--- php5/branches/etch/debian/patches/140-CVE-2008-3658.patch	                        (rev 0)
+++ php5/branches/etch/debian/patches/140-CVE-2008-3658.patch	2008-09-14 12:13:19 UTC (rev 1154)
@@ -0,0 +1,27 @@
+CVE-2008-3658
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.35&r2=1.312.2.20.2.36&view=patch
+--- old/ext/gd/gd.c	2008/05/04 21:19:17	1.312.2.20.2.35
++++ new/ext/gd/gd.c	2008/07/17 22:58:23	1.312.2.20.2.36
+@@ -1636,6 +1636,22 @@
+ 		font->nchars = FLIPWORD(font->nchars);
+ 		body_size = font->w * font->h * font->nchars;
+ 	}
++		 
++	if (overflow2(font->nchars, font->h)) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++		efree(font);
++		php_stream_close(stream);
++		RETURN_FALSE;
++	}
++	if (overflow2(font->nchars * font->h, font->w )) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++		efree(font);
++		php_stream_close(stream);
++		RETURN_FALSE;
++	}
++
++
++
+ 
+ 	if (body_size != body_size_check) {
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
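Review bot: In the visible branch, `body_size = font->w * font->h * font->nchars;` is evaluated before the new `overflow2()` checks, so the product has already overflowed by the time a bad font header is rejected. If these fields are signed (their declaration is outside the hunk), that is undefined behaviour rather than a harmless wrap, so the checks would be better placed before `body_size` is computed. The two added blocks differ only in their condition and could be merged into `if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w)) {`, where short-circuit evaluation keeps the inner product safe. The enclosing function starts and ends outside the hunk.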



