[Pkg-php-commits] r1160 - in php5/branches/etch/debian: . patches
Sean Finney
seanius at alioth.debian.org
Tue Sep 30 06:34:18 UTC 2008
tags 499987 pending
tags 499988 pending
tags 499989 pending
thanks
Author: seanius
Date: 2008-09-30 06:34:17 +0000 (Tue, 30 Sep 2008)
New Revision: 1160
Added:
php5/branches/etch/debian/patches/141-CVE-2008-3660.patch
Modified:
php5/branches/etch/debian/changelog
Log:
initial backport of third CVE, add bug references
Modified: php5/branches/etch/debian/changelog
===================================================================
--- php5/branches/etch/debian/changelog 2008-09-24 21:26:47 UTC (rev 1159)
+++ php5/branches/etch/debian/changelog 2008-09-30 06:34:17 UTC (rev 1160)
@@ -3,10 +3,12 @@
* NOT YET UPLOADED
* Upload to etch for security issues
* The following security issues are addressed with this update:
- - CVE-2008-3658: Buffer overflow in the imageloadfont function.
- Patch: 140-CVE-2008-3658.patch
- - CVE-2008-3659: Buffer overflow in the memnstr function.
- Patch: 139-CVE-2008-3659.patch
+ - CVE-2008-3658: Buffer overflow in the imageloadfont function.
+ Patch: 140-CVE-2008-3658.patch (closes: #499989)
+ - CVE-2008-3659: Buffer overflow in the memnstr function.
+ Patch: 139-CVE-2008-3659.patch (closes: #499988)
+ - CVE-2008-3660: Remote DoS in fastcgi module
+ Patch: CVE-2008-3660.patch (closes: #499987)
-- Sean Finney <seanius at debian.org> Sun, 14 Sep 2008 14:14:02 +0200
Added: php5/branches/etch/debian/patches/141-CVE-2008-3660.patch
===================================================================
--- php5/branches/etch/debian/patches/141-CVE-2008-3660.patch (rev 0)
+++ php5/branches/etch/debian/patches/141-CVE-2008-3660.patch 2008-09-30 06:34:17 UTC (rev 1160)
@@ -0,0 +1,75 @@
+--- php5-5.2.6.orig/sapi/cgi/cgi_main.c
++++ php5-5.2.6/sapi/cgi/cgi_main.c
+@@ -765,6 +765,39 @@ static void php_cgi_usage(char *argv0)
+ }
+ /* }}} */
+
++/* {{{ is_valid_path
++ *
++ * some server configurations allow '..' to slip through in the
++ * translated path. We'll just refuse to handle such a path.
++ */
++static int is_valid_path(const char *path)
++{
++ const char *p;
++
++ if (!path) {
++ return 0;
++ }
++ p = strstr(path, "..");
++ if (p) {
++ if ((p == path || IS_SLASH(*(p-1))) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ while (1) {
++ p = strstr(p+1, "..");
++ if (!p) {
++ break;
++ }
++ if (IS_SLASH(*(p-1)) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ }
++ }
++ return 1;
++}
++/* }}} */
++
+ /* {{{ init_request_info
+
+ initializes request_info structure
+@@ -1061,9 +1094,7 @@ static void init_request_info(TSRMLS_D)
+ if (pt) {
+ efree(pt);
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ } else {
+@@ -1094,9 +1125,7 @@ static void init_request_info(TSRMLS_D)
+ } else {
+ SG(request_info).request_uri = env_script_name;
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ free(real_path);
+@@ -1114,9 +1143,7 @@ static void init_request_info(TSRMLS_D)
+ script_path_translated = env_path_translated;
+ }
+ #endif
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ #if ENABLE_PATHINFO_CHECK
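Review bot: At all three call sites in init_request_info the rejected case has no else branch, so when is_valid_path() returns 0 (a NULL path or a real `..` component) SG(request_info).path_translated is simply not assigned. The hunks do not show what later code does with an unset path_translated, and because this CVE is described as a remote DoS, that follow-on path is worth confirming on the backported tree. is_valid_path itself now rejects `..` only when it forms a whole path component, so a name such as `foo..php` is accepted where the old `strstr` test refused it. I would state that contract in the header comment, for example `returns 1 if path is non-NULL and contains no ".." component bounded by IS_SLASH or the string ends, 0 otherwise; callers must handle the 0 case`. init_request_info's body starts and ends outside these hunks, and IS_SLASH is defined outside the patch.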