[Pkg-php-commits] [php/debian-lenny] CVE-2009-2626: remote memory disclosure via ini_* functions

Raphael Geissert geissert at debian.org
Sat Nov 28 23:52:51 UTC 2009


---
 debian/patches/CVE-2009-2626.patch |   55 ++++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 56 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2009-2626.patch

diff --git a/debian/patches/CVE-2009-2626.patch b/debian/patches/CVE-2009-2626.patch
new file mode 100644
index 0000000..4056b4c
--- /dev/null
+++ b/debian/patches/CVE-2009-2626.patch
@@ -0,0 +1,55 @@
+Index: php/main/main.c
+===================================================================
+--- php.orig/main/main.c
++++ php/main/main.c
+@@ -311,8 +311,7 @@ static PHP_INI_DISP(display_errors_mode)
+ static PHP_INI_MH(OnUpdateErrorLog)
+ {
+ 	/* Only do the safemode/open_basedir check at runtime */
+-	if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) &&
+-		strcmp(new_value, "syslog")) {
++	if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) && new_value && strcmp(new_value, "syslog")) {
+ 		if (PG(safe_mode) && (!php_checkuid(new_value, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ 			return FAILURE;
+ 		}
+Index: php/tests/func/null-new_val.phpt
+===================================================================
+--- /dev/null
++++ php/tests/func/null-new_val.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++ini_restore strcmp NULL new_val
++--FILE--
++<?php
++
++ini_set('error_log','ini_set_works');
++ini_restore('error_log');
++
++?>
++--EXPECT--
+Index: php/Zend/zend_ini.c
+===================================================================
+--- php.orig/Zend/zend_ini.c
++++ php/Zend/zend_ini.c
+@@ -46,15 +46,20 @@ static int zend_remove_ini_entries(zend_
+ 
+ static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage TSRMLS_DC) /* {{{ */
+ {
++	int result = FAILURE;
+ 	if (ini_entry->modified) {
+ 		if (ini_entry->on_modify) {
+ 			zend_try {
+ 			/* even if on_modify bails out, we have to continue on with restoring,
+ 				since there can be allocated variables that would be freed on MM shutdown
+ 				and would lead to memory corruption later ini entry is modified again */
+-				ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC);
++				result = ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC);
+ 			} zend_end_try();
+ 		}
++		if(stage == ZEND_INI_STAGE_RUNTIME && result == FAILURE) {
++			/* runtime failure is OK */
++			return 1;
++		}
+ 		if (ini_entry->value != ini_entry->orig_value) {
+ 			efree(ini_entry->value);
+ 		}
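Review bot: The early return added at `if(stage == ZEND_INI_STAGE_RUNTIME && result == FAILURE)` in zend_restore_ini_entry_cb exits before the `value`/`orig_value`/`modified` bookkeeping that follows, so the entry stays marked modified and keeps the value that on_modify just rejected; the comment `/* runtime failure is OK */` should say this is intentional, e.g. `/* on_modify rejected the restore at runtime: leave the entry marked modified with its current value so a later (deactivate-stage) restore still frees it */`. If this callback is also driven by a hash-apply pass (as its `_cb` name and the `stage` argument suggest, but the callers are outside the hunk), note that a non-zero return conventionally means "remove entry" there; the stage check keeps the bare `return 1` off that path, and a one-line comment on the return-value convention would make that explicit. The `new_value &&` guard in OnUpdateErrorLog hardens only that one handler, while ini_restore() can still hand a NULL orig_value to any other on_modify handler that dereferences new_value unconditionally — whether such handlers exist in this tree cannot be confirmed from here, so the fix should be checked against the other PHP_INI_MH callbacks. The new test has an empty --EXPECT--, so it only proves the restore no longer crashes, not what error_log holds afterwards. Both OnUpdateErrorLog and zend_restore_ini_entry_cb continue outside the hunk.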
diff --git a/debian/patches/series b/debian/patches/series
index d1924b0..c14a636 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -56,3 +56,4 @@ CVE-2008-5814.patch
 CVE-2009-0754.patch
 CVE-2009-1271.patch
 CVE-2009-2687.patch
+CVE-2009-2626.patch
-- 
1.6.3.3




