[Pkg-php-commits] r1155 - in php5/trunk/debian: . patches

Sean Finney seanius at alioth.debian.org
Sun Sep 14 13:38:40 UTC 2008


Author: seanius
Date: 2008-09-14 13:38:40 +0000 (Sun, 14 Sep 2008)
New Revision: 1155

Added:
   php5/trunk/debian/patches/CVE-2008-3658.patch
   php5/trunk/debian/patches/CVE-2008-3659.patch
Modified:
   php5/trunk/debian/changelog
   php5/trunk/debian/patches/series
Log:
forward-port two CVE fixes

Modified: php5/trunk/debian/changelog
===================================================================
--- php5/trunk/debian/changelog	2008-09-14 12:13:19 UTC (rev 1154)
+++ php5/trunk/debian/changelog	2008-09-14 13:38:40 UTC (rev 1155)
@@ -1,6 +1,12 @@
-php5 (5.2.6-4) UNRELEASED; urgency=low
+php5 (5.2.6-4) UNRELEASED; urgency=high
 
   * NOT RELEASED YET
+  [ Sean Finney ]
+  * Take two unreleased fixes from upstream CVS:
+    - CVE-2008-3658: Buffer overflow in the imageloadfont function.
+      Patch: CVE-2008-3658.patch
+    - CVE-2008-3659: Buffer overflow in the memnstr function.
+      Patch: CVE-2008-3659.patch
 
   [ Raphael Geissert ]
   * snmp_leaks.patch: fixes memory leaks in the snmp extension (Closes: #423296)
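Review bot: `[ Sean Finney ]` is added directly under `* NOT RELEASED YET` with no separating blank line, whereas the `[ Raphael Geissert ]` section below is set off by one; add a blank line before the new section for consistency. The entries name the patch files but not the upstream revisions they were taken from, which the patch headers do carry; citing them here as well would make the provenance of the forward-port easier to audit from the changelog alone.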
@@ -8,7 +14,7 @@
     - Thanks to Federico Cuello for the original patch
   * php5-dev.lintian-override: fix it so it actually works
 
- -- Sean Finney <seanius at debian.org>  Thu, 21 Aug 2008 19:17:21 +0200
+ -- Sean Finney <seanius at debian.org>  Sun, 14 Sep 2008 14:25:11 +0200
 
 php5 (5.2.6-3) unstable; urgency=high
 

Added: php5/trunk/debian/patches/CVE-2008-3658.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-3658.patch	                        (rev 0)
+++ php5/trunk/debian/patches/CVE-2008-3658.patch	2008-09-14 13:38:40 UTC (rev 1155)
@@ -0,0 +1,27 @@
+CVE-2008-3658
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.35&r2=1.312.2.20.2.36&view=patch
+--- old/ext/gd/gd.c	2008/05/04 21:19:17	1.312.2.20.2.35
++++ new/ext/gd/gd.c	2008/07/17 22:58:23	1.312.2.20.2.36
+@@ -1636,6 +1636,22 @@
+ 		font->nchars = FLIPWORD(font->nchars);
+ 		body_size = font->w * font->h * font->nchars;
+ 	}
++		 
++	if (overflow2(font->nchars, font->h)) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++		efree(font);
++		php_stream_close(stream);
++		RETURN_FALSE;
++	}
++	if (overflow2(font->nchars * font->h, font->w )) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++		efree(font);
++		php_stream_close(stream);
++		RETURN_FALSE;
++	}
++
++
++
+ 
+ 	if (body_size != body_size_check) {
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
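Review bot: the two overflow2() checks are placed after the context line `body_size = font->w * font->h * font->nchars;`, so inside the block that closes just above them the unchecked product has already been computed by the time the header is validated. Suggest validating before that multiplication, or assigning body_size only after both checks pass, so an overflowed value is never held. The two blocks are identical apart from the condition; folding them into a single `if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w))` keeps one cleanup path (efree, php_stream_close, RETURN_FALSE) instead of two that can drift apart. The whitespace-only added line and the three empty added lines before the existing blank line can be dropped.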

Added: php5/trunk/debian/patches/CVE-2008-3659.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-3659.patch	                        (rev 0)
+++ php5/trunk/debian/patches/CVE-2008-3659.patch	2008-09-14 13:38:40 UTC (rev 1155)
@@ -0,0 +1,14 @@
+fix for CVE-2008-3659
+http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+--- old/Zend/zend_operators.h	2007/12/31 07:20:03	1.94.2.4.2.11
++++ new/Zend/zend_operators.h	2008/08/05 20:11:17	1.94.2.4.2.12
+@@ -220,6 +220,9 @@
+ 	char *p = haystack;
+ 	char ne = needle[needle_len-1];
+ 
++	if(needle_len > end-haystack) {
++		return NULL;
++	}
+ 	end -= needle_len;
+ 
+ 	while (p <= end) {
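Review bot: the new guard sits below the context line `char ne = needle[needle_len-1];`, so a needle_len of 0 still indexes one byte before needle, and the guard itself does not reject 0. Unless every caller already guarantees a non-empty needle, move the check above that initialiser and cover the zero case as well. The comparison `needle_len > end-haystack` mixes needle_len, whose declaration is outside this hunk, with a signed pointer difference; confirm the types so that a case with end below haystack cannot pass the test through an unsigned conversion. Style: `if(` lacks the space used by `while (` a few lines further down.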

Modified: php5/trunk/debian/patches/series
===================================================================
--- php5/trunk/debian/patches/series	2008-09-14 12:13:19 UTC (rev 1154)
+++ php5/trunk/debian/patches/series	2008-09-14 13:38:40 UTC (rev 1155)
@@ -36,3 +36,5 @@
 bad_whatis_entries.patch
 deprecated_freetds_check.patch
 snmp_leaks.patch
+CVE-2008-3658.patch
+CVE-2008-3659.patch



