[Pkg-php-commits] r1242 - in php5/branches/etch/debian: . patches

Sean Finney seanius at alioth.debian.org
Tue Jan 27 22:32:00 UTC 2009


Author: seanius
Date: 2009-01-27 22:32:00 +0000 (Tue, 27 Jan 2009)
New Revision: 1242

Added:
   php5/branches/etch/debian/patches/144-CVE-2008-5557.patch
Modified:
   php5/branches/etch/debian/changelog
Log:
CVE-2008-5557

Modified: php5/branches/etch/debian/changelog
===================================================================
--- php5/branches/etch/debian/changelog	2009-01-27 22:25:51 UTC (rev 1241)
+++ php5/branches/etch/debian/changelog	2009-01-27 22:32:00 UTC (rev 1242)
@@ -4,6 +4,8 @@
   * The following security issues are addressed with this update:
     - CVE-2008-5624: proper initialization of uid/gid for apache2 sapi.
       Patch: 142-CVE-2008-5624.patch
+    - CVE-2008-5557: heap overflows in the mbstring extension.
+      Patch: 144-CVE-2008-5557.patch (closes: #511493).
   * Backport the patch from lenny/sid to use the system timezone database
     instead of the embedded php timezone database which is out of date.
     Patch: 143-use_embedded_timezonedb.patch (closes: #471104).
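Review bot: this revision only modifies debian/changelog and adds the new patch file; whichever patch list this branch applies at build time (the dpatch 00list or a quilt series file) is not touched, so 144-CVE-2008-5557.patch will not actually be applied unless it is listed there. Please confirm that was done in a separate commit, or add it here so the changelog claim matches the built package.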

Added: php5/branches/etch/debian/patches/144-CVE-2008-5557.patch
===================================================================
--- php5/branches/etch/debian/patches/144-CVE-2008-5557.patch	                        (rev 0)
+++ php5/branches/etch/debian/patches/144-CVE-2008-5557.patch	2009-01-27 22:32:00 UTC (rev 1242)
@@ -0,0 +1,40 @@
+heap overflow fix in mbstring functions (CVE-2008-5557).  taken from
+http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c?r1=1.7&r2=1.8&view=patch
+--- php5-5.2.6.dfsg.1.orig/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
++++ php5-5.2.6.dfsg.1/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
+@@ -232,8 +232,7 @@ int mbfl_filt_conv_html_dec(int c, mbfl_
+ 				mbfl_filt_conv_html_dec_flush(filter);
+ 				if (c=='&')
+ 				{
+-					filter->status = 1;
+-					buffer[0] = '&';
++					buffer[filter->status++] = '&';
+ 				}
+ 			}
+ 		}
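Review bot: the replacement line `buffer[filter->status++] = '&';` is only safe because the call to mbfl_filt_conv_html_dec_flush() just above it now zeroes filter->status before it starts emitting bytes (the second hunk of this patch); with the old flush, an early return from CK() on an output error left status unreset, and this write would land at an index other than 0. The two hunks therefore have to be applied together. Note also that no explicit bound check on the entity buffer appears in the lines shown here, so please verify against the upstream r1.7 to r1.8 diff cited in the patch header that nothing was dropped when the patch was extracted.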
+@@ -244,17 +243,19 @@ int mbfl_filt_conv_html_dec(int c, mbfl_
+ int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
+ {
+ 	int status, pos = 0;
+-	char *buffer;
++	unsigned char *buffer;
++	int err = 0;
+ 
+-	buffer = (char*)filter->opaque;
++	buffer = (unsigned char*)filter->opaque;
+ 	status = filter->status;
++	filter->status = 0;
+ 	/* flush fragments */
+ 	while (status--) {
+-		CK((*filter->output_function)(buffer[pos++], filter->data));
++		int e = (*filter->output_function)(buffer[pos++], filter->data);
++		if (e != 0)
++			err = e;
+ 	}
+-	filter->status = 0;
+-	/*filter->buffer = 0; of cause NOT*/
+-	return 0;
++	return err;
+ }
+ 
+ 
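Review bot: in the flush loop, `err = e;` records the last non-zero return from output_function rather than the first, so if several writes fail the original cause is lost; if callers distinguish error values, consider `if (e != 0 && err == 0) err = e;` instead. The important part of this hunk is moving `filter->status = 0;` ahead of the loop, which guarantees the fragment count is cleared even when output fails and is what makes the `buffer[filter->status++]` write in the first hunk safe; the change of buffer to `unsigned char *` is also correct, since it stops bytes >= 0x80 from being sign-extended when passed as int to output_function. Dropping the stale comment `/*filter->buffer = 0; of cause NOT*/` is fine.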
