[Pkg-php-commits] r1156 - in php5/trunk/debian: . patches
Sean Finney
seanius at alioth.debian.org
Wed Sep 24 19:47:58 UTC 2008
tags 499987 pending
tags 499988 pending
tags 499989 pending
thanks
Author: seanius
Date: 2008-09-24 19:47:57 +0000 (Wed, 24 Sep 2008)
New Revision: 1156
Added:
php5/trunk/debian/patches/CVE-2008-3660.patch
Modified:
php5/trunk/debian/changelog
php5/trunk/debian/patches/series
Log:
add one more CVE fix, and add bug references
Modified: php5/trunk/debian/changelog
===================================================================
--- php5/trunk/debian/changelog 2008-09-14 13:38:40 UTC (rev 1155)
+++ php5/trunk/debian/changelog 2008-09-24 19:47:57 UTC (rev 1156)
@@ -4,9 +4,11 @@
[ Sean Finney ]
* Take two unreleased fixes from upstream CVS:
- CVE-2008-3658: Buffer overflow in the imageloadfont function.
- Patch: CVE-2008-3658.patch
+ Patch: CVE-2008-3658.patch (closes: #499989)
- CVE-2008-3659: Buffer overflow in the memnstr function.
- Patch: CVE-2008-3659.patch
+ Patch: CVE-2008-3659.patch (closes: #499988)
+ - CVE-2008-3660: Remote DoS in fastcgi module
+ Patch: CVE-2008-3660.patch (closes: #499987)
[ Raphael Geissert ]
* snmp_leaks.patch: fixes memory leaks in the snmp extension (Closes: #423296)
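Review bot: The context line still reads "Take two unreleased fixes from upstream CVS:" while this hunk adds a third item, CVE-2008-3660, beneath it, so the count should be updated or dropped. The new tags are also written "(closes: #...)" where the snmp_leaks entry just below uses "(Closes: #423296)", and the new CVE-2008-3660 line lacks the trailing period that the other two CVE lines carry; making these consistent keeps the entry uniform.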
Added: php5/trunk/debian/patches/CVE-2008-3660.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-3660.patch (rev 0)
+++ php5/trunk/debian/patches/CVE-2008-3660.patch 2008-09-24 19:47:57 UTC (rev 1156)
@@ -0,0 +1,75 @@
+--- php5-5.2.6.orig/sapi/cgi/cgi_main.c
++++ php5-5.2.6/sapi/cgi/cgi_main.c
+@@ -765,6 +765,39 @@ static void php_cgi_usage(char *argv0)
+ }
+ /* }}} */
+
++/* {{{ is_valid_path
++ *
++ * some server configurations allow '..' to slip through in the
++ * translated path. We'll just refuse to handle such a path.
++ */
++static int is_valid_path(const char *path)
++{
++ const char *p;
++
++ if (!path) {
++ return 0;
++ }
++ p = strstr(path, "..");
++ if (p) {
++ if ((p == path || IS_SLASH(*(p-1))) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ while (1) {
++ p = strstr(p+1, "..");
++ if (!p) {
++ break;
++ }
++ if (IS_SLASH(*(p-1)) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ }
++ }
++ return 1;
++}
++/* }}} */
++
+ /* {{{ init_request_info
+
+ initializes request_info structure
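Review bot: In is_valid_path the component test is written twice, once for the first strstr hit with the `p == path` guard and again inside the `while (1)` loop without it. A single loop of the form `for (p = strstr(path, ".."); p; p = strstr(p+1, ".."))` using the `p == path || IS_SLASH(*(p-1))` test would cover both cases and leave one place to audit. The header comment should also state the return convention (1 for an acceptable path, 0 for a refused or NULL one) and that only ".." standing as a whole path component is refused, since a name with ".." between other characters now passes.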
+@@ -1061,9 +1094,7 @@ static void init_request_info(TSRMLS_D)
+ if (pt) {
+ efree(pt);
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ } else {
+@@ -1094,9 +1125,7 @@ static void init_request_info(TSRMLS_D)
+ } else {
+ SG(request_info).request_uri = env_script_name;
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ free(real_path);
+@@ -1114,9 +1143,7 @@ static void init_request_info(TSRMLS_D)
+ script_path_translated = env_path_translated;
+ }
+ #endif
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ #if ENABLE_PATHINFO_CHECK
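Review bot: The three call sites in init_request_info used to refuse any script_path_translated containing ".." and now accept it unless ".." is a whole path component, which is a relaxation of the check as well as a refactor, yet the patch file starts directly at the `--- php5-5.2.6.orig/sapi/cgi/cgi_main.c` line with no header. A short description at the top of CVE-2008-3660.patch, giving the origin of the change and why the old strstr test was a problem, would let a later reader check it against the CVE.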
Modified: php5/trunk/debian/patches/series
===================================================================
--- php5/trunk/debian/patches/series 2008-09-14 13:38:40 UTC (rev 1155)
+++ php5/trunk/debian/patches/series 2008-09-24 19:47:57 UTC (rev 1156)
@@ -38,3 +38,4 @@
snmp_leaks.patch
CVE-2008-3658.patch
CVE-2008-3659.patch
+CVE-2008-3660.patch