[Pkg-php-commits] [php/debian-etch] fix for CVE-2008-5557: Heap based overflow in mbstring extension

Sean Finney seanius at debian.org
Tue Apr 28 18:00:42 UTC 2009


This patch was imported from the Ubuntu dapper 5.1.2-1ubuntu3.13 security update.

Closes: #511493
---
 debian/patches/224_SECURITY_CVE-2008-5557.patch |   47 +++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/224_SECURITY_CVE-2008-5557.patch

diff --git a/debian/patches/224_SECURITY_CVE-2008-5557.patch b/debian/patches/224_SECURITY_CVE-2008-5557.patch
new file mode 100644
index 0000000..160684b
--- /dev/null
+++ b/debian/patches/224_SECURITY_CVE-2008-5557.patch
@@ -0,0 +1,47 @@
+#
+# Description: fix mbstring extension arbitrary code execution via crafted
+#              string containing HTML entity.
+# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/317672
+# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511493
+# Upstream: http://bugs.php.net/bug.php?id=45722 
+# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c?hideattic=0&r1=1.7&r2=1.8
+#
+diff -Naur php5-5.1.2.ori/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c php5-5.1.2/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
+--- php5-5.1.2.ori/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c	2005-02-21 05:12:43.000000000 -0500
++++ php5-5.1.2/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c	2009-01-28 10:16:32.000000000 -0500
+@@ -232,8 +232,7 @@
+ 				mbfl_filt_conv_html_dec_flush(filter);
+ 				if (c=='&')
+ 				{
+-					filter->status = 1;
+-					buffer[0] = '&';
++					buffer[filter->status++] = '&';
+ 				}
+ 			}
+ 		}
+@@ -244,17 +243,19 @@
+ int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
+ {
+ 	int status, pos = 0;
+-	char *buffer;
++	unsigned char *buffer;
++	int err = 0;
+ 
+-	buffer = (char*)filter->opaque;
++	buffer = (unsigned char*)filter->opaque;
+ 	status = filter->status;
++	filter->status = 0;
+ 	/* flush fragments */
+ 	while (status--) {
+-		CK((*filter->output_function)(buffer[pos++], filter->data));
++		int e = (*filter->output_function)(buffer[pos++], filter->data);
++		if (e != 0)
++			err = e;
+ 	}
+-	filter->status = 0;
+-	/*filter->buffer = 0; of cause NOT*/
+-	return 0;
++	return err;
+ }
+ 
+ 
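Review bot: The rewritten `mbfl_filt_conv_html_dec_flush` now reports an `output_function` failure through its return value, but the only caller visible in the first inner hunk still invokes it as a bare statement, `mbfl_filt_conv_html_dec_flush(filter);`, so that error is dropped there; `CK(mbfl_filt_conv_html_dec_flush(filter));` (the macro the old flush loop used) would propagate it as before. Moving `filter->status = 0;` ahead of the emission loop is the load-bearing part of the fix: a mid-loop failure no longer leaves a stale count in `filter->status` for the next `buffer[filter->status++]` write. The patch header describes a heap overflow, yet neither hunk adds an explicit length check on the writes through `buffer[filter->status++]`, and the portion of `mbfl_filt_conv_html_dec` that appends entity characters lies outside the hunk — worth confirming that the backport also carries whatever bound against the entity buffer size the referenced upstream r1.7→r1.8 change applies on that path. Both enclosing functions extend beyond what the inner hunks show.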
-- 
1.5.6.5




