[Pkg-php-commits] r1193 - in php5/trunk/debian: . patches
Sean Finney
seanius at alioth.debian.org
Sun Jan 11 19:19:36 UTC 2009
tags 511493 pending
thanks
Author: seanius
Date: 2009-01-11 19:19:36 +0000 (Sun, 11 Jan 2009)
New Revision: 1193
Added:
php5/trunk/debian/patches/CVE-2008-5557.patch
Modified:
php5/trunk/debian/changelog
php5/trunk/debian/patches/series
Log:
fix for CVE-2008-5557
Modified: php5/trunk/debian/changelog
===================================================================
--- php5/trunk/debian/changelog 2009-01-09 20:17:08 UTC (rev 1192)
+++ php5/trunk/debian/changelog 2009-01-11 19:19:36 UTC (rev 1193)
@@ -6,9 +6,11 @@
* Updated system tzdata patch from Joe Orton.
* Removed tzdb-nofree_ents_ifnotzdata.patch, which is now incorporated
into Joe's patch.
- * Incorporate fix from 5.3 for proper initialization of uid/gid for
- apache2 sapi. This has security implications and therefore bumps
- the severity.
+ * Security related fixes:
+ - Incorporate fix from 5.3 for proper initialization of uid/gid for
+ apache2 sapi.
+ - CVE-2008-5557: heap overflows in the mbstring extension.
+ Patch: CVE-2008-5557.patch (closes: #511493).
[ Thijs Kinkhorst ]
* Correct description typo, thanks Mathias Brodala (Closes: #508989).
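Review bot: the rewritten uid/gid entry under "Security related fixes:" drops the sentence "This has security implications and therefore bumps the severity." If the upload urgency is still raised, keep a line saying so, so the reason stays recorded in the changelog. The CVE-2008-5557 entry could also name the file the patch touches (mbfilter_htmlent.c) instead of only "the mbstring extension".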
Added: php5/trunk/debian/patches/CVE-2008-5557.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-5557.patch (rev 0)
+++ php5/trunk/debian/patches/CVE-2008-5557.patch 2009-01-11 19:19:36 UTC (rev 1193)
@@ -0,0 +1,40 @@
+heap overflow fix in mbstring functions (CVE-2008-5557). taken from
+http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c?r1=1.7&r2=1.8&view=patch
+--- php5-5.2.6.dfsg.1.orig/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
++++ php5-5.2.6.dfsg.1/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
+@@ -232,8 +232,7 @@ int mbfl_filt_conv_html_dec(int c, mbfl_
+ mbfl_filt_conv_html_dec_flush(filter);
+ if (c=='&')
+ {
+- filter->status = 1;
+- buffer[0] = '&';
++ buffer[filter->status++] = '&';
+ }
+ }
+ }
+@@ -244,17 +243,19 @@ int mbfl_filt_conv_html_dec(int c, mbfl_
+ int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
+ {
+ int status, pos = 0;
+- char *buffer;
++ unsigned char *buffer;
++ int err = 0;
+
+- buffer = (char*)filter->opaque;
++ buffer = (unsigned char*)filter->opaque;
+ status = filter->status;
++ filter->status = 0;
+ /* flush fragments */
+ while (status--) {
+- CK((*filter->output_function)(buffer[pos++], filter->data));
++ int e = (*filter->output_function)(buffer[pos++], filter->data);
++ if (e != 0)
++ err = e;
+ }
+- filter->status = 0;
+- /*filter->buffer = 0; of cause NOT*/
+- return 0;
++ return err;
+ }
+
+
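Review bot: in mbfl_filt_conv_html_dec the call "mbfl_filt_conv_html_dec_flush(filter);" still discards the return value, while this patch changes the flush function from "return 0;" to "return err;", so an output_function failure during that flush is lost at this call site. Either propagate it there or say in the patch header that ignoring it is intended. The header currently gives only the CVE and the upstream URL; it would help to add that the new write "buffer[filter->status++] = '&';" lands at index 0 only because the flush now zeroes filter->status before its loop, and that the loop now keeps writing after a failure and returns the last non-zero error where the CK() wrapper was used before.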
Modified: php5/trunk/debian/patches/series
===================================================================
--- php5/trunk/debian/patches/series 2009-01-09 20:17:08 UTC (rev 1192)
+++ php5/trunk/debian/patches/series 2009-01-11 19:19:36 UTC (rev 1193)
@@ -39,3 +39,4 @@
CVE-2008-3659.patch
CVE-2008-3660.patch
BG-initializing-fix.patch
+CVE-2008-5557.patch