[Pkg-php-commits] r1155 - in php5/trunk/debian: . patches
Sean Finney
seanius at alioth.debian.org
Sun Sep 14 13:38:40 UTC 2008
Author: seanius
Date: 2008-09-14 13:38:40 +0000 (Sun, 14 Sep 2008)
New Revision: 1155
Added:
php5/trunk/debian/patches/CVE-2008-3658.patch
php5/trunk/debian/patches/CVE-2008-3659.patch
Modified:
php5/trunk/debian/changelog
php5/trunk/debian/patches/series
Log:
forward-port two CVE fixes
Modified: php5/trunk/debian/changelog
===================================================================
--- php5/trunk/debian/changelog 2008-09-14 12:13:19 UTC (rev 1154)
+++ php5/trunk/debian/changelog 2008-09-14 13:38:40 UTC (rev 1155)
@@ -1,6 +1,12 @@
-php5 (5.2.6-4) UNRELEASED; urgency=low
+php5 (5.2.6-4) UNRELEASED; urgency=high
* NOT RELEASED YET
+ [ Sean Finney ]
+ * Take two unreleased fixes from upstream CVS:
+ - CVE-2008-3658: Buffer overflow in the imageloadfont function.
+ Patch: CVE-2008-3658.patch
+ - CVE-2008-3659: Buffer overflow in the memnstr function.
+ Patch: CVE-2008-3659.patch
[ Raphael Geissert ]
* snmp_leaks.patch: fixes memory leaks in the snmp extension (Closes: #423296)
@@ -8,7 +14,7 @@
- Thanks to Federico Cuello for the original patch
* php5-dev.lintian-override: fix it so it actually works
- -- Sean Finney <seanius at debian.org> Thu, 21 Aug 2008 19:17:21 +0200
+ -- Sean Finney <seanius at debian.org> Sun, 14 Sep 2008 14:25:11 +0200
php5 (5.2.6-3) unstable; urgency=high
Added: php5/trunk/debian/patches/CVE-2008-3658.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-3658.patch (rev 0)
+++ php5/trunk/debian/patches/CVE-2008-3658.patch 2008-09-14 13:38:40 UTC (rev 1155)
@@ -0,0 +1,27 @@
+CVE-2008-3658
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.35&r2=1.312.2.20.2.36&view=patch
+--- old/ext/gd/gd.c 2008/05/04 21:19:17 1.312.2.20.2.35
++++ new/ext/gd/gd.c 2008/07/17 22:58:23 1.312.2.20.2.36
+@@ -1636,6 +1636,22 @@
+ font->nchars = FLIPWORD(font->nchars);
+ body_size = font->w * font->h * font->nchars;
+ }
++
++ if (overflow2(font->nchars, font->h)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++ efree(font);
++ php_stream_close(stream);
++ RETURN_FALSE;
++ }
++ if (overflow2(font->nchars * font->h, font->w )) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++ efree(font);
++ php_stream_close(stream);
++ RETURN_FALSE;
++ }
++
++
++
+
+ if (body_size != body_size_check) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
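Review bot: the two overflow2() checks are added after the context line `body_size = font->w * font->h * font->nchars;`, so in the FLIPWORD branch the three-way product has already been evaluated on unvalidated header fields before anything rejects them. The early RETURN_FALSE means the bad value is not used past this point, but it would be cleaner to validate w, h and nchars first and only then compute body_size. The two error blocks are identical and could be a single condition joined with `||` (short-circuit evaluation keeps the `font->nchars * font->h` argument of the second call guarded by the first check), and the three empty `++` lines at the end of the addition can be dropped.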
Added: php5/trunk/debian/patches/CVE-2008-3659.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-3659.patch (rev 0)
+++ php5/trunk/debian/patches/CVE-2008-3659.patch 2008-09-14 13:38:40 UTC (rev 1155)
@@ -0,0 +1,14 @@
+fix for CVE-2008-3659
+http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+--- old/Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11
++++ new/Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12
+@@ -220,6 +220,9 @@
+ char *p = haystack;
+ char ne = needle[needle_len-1];
+
++ if(needle_len > end-haystack) {
++ return NULL;
++ }
+ end -= needle_len;
+
+ while (p <= end) {
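Review bot: the new guard is placed after the context line `char ne = needle[needle_len-1];`, so it does not cover that read: with a needle_len of 0 the index is -1 whether or not the check fires. If callers can pass an empty needle, test for it before `ne` is initialised. The comparison `needle_len > end-haystack` also sets a length against a pointer difference; the declarations are not in the hunk, so it is worth confirming that both sides are signed and the comparison is not silently converted. Style: `if(` lacks the space used by `while (p <= end)` just below.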
Modified: php5/trunk/debian/patches/series
===================================================================
--- php5/trunk/debian/patches/series 2008-09-14 12:13:19 UTC (rev 1154)
+++ php5/trunk/debian/patches/series 2008-09-14 13:38:40 UTC (rev 1155)
@@ -36,3 +36,5 @@
bad_whatis_entries.patch
deprecated_freetds_check.patch
snmp_leaks.patch
+CVE-2008-3658.patch
+CVE-2008-3659.patch