[Pkg-php-commits] [php/debian-etch] fix for CVE-2008-5557: Heap based overflow in mbstring extension
Sean Finney
seanius at debian.org
Tue Apr 28 18:00:42 UTC 2009
This was imported from the dapper 5.1.2-1ubuntu3.13 security update.
Closes: #511493
---
debian/patches/224_SECURITY_CVE-2008-5557.patch | 47 +++++++++++++++++++++++
1 files changed, 47 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/224_SECURITY_CVE-2008-5557.patch
diff --git a/debian/patches/224_SECURITY_CVE-2008-5557.patch b/debian/patches/224_SECURITY_CVE-2008-5557.patch
new file mode 100644
index 0000000..160684b
--- /dev/null
+++ b/debian/patches/224_SECURITY_CVE-2008-5557.patch
@@ -0,0 +1,47 @@
+#
+# Description: fix mbstring extension arbitrary code execution via crafted
+# string containing HTML entity.
+# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/317672
+# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511493
+# Upstream: http://bugs.php.net/bug.php?id=45722
+# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c?hideattic=0&r1=1.7&r2=1.8
+#
+diff -Naur php5-5.1.2.ori/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c php5-5.1.2/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
+--- php5-5.1.2.ori/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c 2005-02-21 05:12:43.000000000 -0500
++++ php5-5.1.2/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c 2009-01-28 10:16:32.000000000 -0500
+@@ -232,8 +232,7 @@
+ mbfl_filt_conv_html_dec_flush(filter);
+ if (c=='&')
+ {
+- filter->status = 1;
+- buffer[0] = '&';
++ buffer[filter->status++] = '&';
+ }
+ }
+ }
+@@ -244,17 +243,19 @@
+ int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
+ {
+ int status, pos = 0;
+- char *buffer;
++ unsigned char *buffer;
++ int err = 0;
+
+- buffer = (char*)filter->opaque;
++ buffer = (unsigned char*)filter->opaque;
+ status = filter->status;
++ filter->status = 0;
+ /* flush fragments */
+ while (status--) {
+- CK((*filter->output_function)(buffer[pos++], filter->data));
++ int e = (*filter->output_function)(buffer[pos++], filter->data);
++ if (e != 0)
++ err = e;
+ }
+- filter->status = 0;
+- /*filter->buffer = 0; of cause NOT*/
+- return 0;
++ return err;
+ }
+
+
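Review bot: The move of `filter->status = 0;` ahead of the output loop in `mbfl_filt_conv_html_dec_flush` is the actual fix, but nothing in the patched code says why, and the first hunk's `buffer[filter->status++] = '&';` silently depends on the reset always having happened; a comment above it such as `/* reset before emitting: an early return on output error used to leave status unreset, so later bytes were appended past the end of buffer (CVE-2008-5557) */` would keep a future cleanup from moving it back below the loop. That explanation assumes the old `CK()` macro returned early on a non-zero result, which the hunk itself does not show. The new loop also keeps calling `output_function` after a failure, and `err` ends up holding the last non-zero value rather than the first; `if (e != 0 && err == 0) err = e;` would preserve the original error code. The first hunk's enclosing function, `mbfl_filt_conv_html_dec`, starts and ends outside the patch context, so the other path that appends to `buffer` cannot be checked from here. The inner patch names php5-5.1.2 paths while this commit targets debian-etch, so it is worth confirming the hunks apply to the etch source without fuzz.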
--
1.5.6.5