[Pkg-php-commits] [php/debian-sid] Add complete fix for CVE-2011-1072 + CVE-2011-1144

Ondřej Surý ondrej at sury.org
Fri Mar 18 16:28:18 UTC 2011


---
 debian/patches/CVE-2011-1144.patch |  115 ++++++++++++++++++++++++++++++++++++
 debian/rules                       |    1 +
 2 files changed, 116 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2011-1144.patch

diff --git a/debian/patches/CVE-2011-1144.patch b/debian/patches/CVE-2011-1144.patch
new file mode 100644
index 0000000..a3ab7cb
--- /dev/null
+++ b/debian/patches/CVE-2011-1144.patch
@@ -0,0 +1,115 @@
+--- a/PEAR/REST.php	2011/03/08 22:46:27	309041
++++ b/PEAR/REST.php	2011/03/08 23:16:30	309042
+@@ -228,59 +228,75 @@
+         $cacheidfile = $d . 'rest.cacheid';
+         $cachefile   = $d . 'rest.cachefile';
+ 
++        if (!is_dir($cache_dir)) {
++            if (System::mkdir(array('-p', $cache_dir) === false)) {
++              return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory and attempts to create the directory failed.");
++            }
++        }
++
+         if ($cacheid === null && $nochange) {
+             $cacheid = unserialize(implode('', file($cacheidfile)));
+         }
+ 
+-        if (is_link($cacheidfile)) {
+-            return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
+-        }
++        $idData = serialize(array(
++            'age'        => time(),
++            'lastChange' => ($nochange ? $cacheid['lastChange'] : $lastmodified),
++        ));
+ 
+-        if (is_link($cachefile)) {
+-            return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
++        $result = $this->saveCacheFile($cacheidfile, $idData);
++        if (PEAR::isError($result)) {
++            return $result;
++        } elseif ($nochange) {
++            return true;
+         }
+ 
+-        $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+-        if (!$cacheidfile_fp) {
+-            if (is_dir($cache_dir)) {
+-                return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory. ");
++        $result = $this->saveCacheFile($cachefile, serialize($contents));
++        if (PEAR::isError($result)) {
++            if (file_exists($cacheidfile)) {
++              @unlink($cacheidfile);
+             }
+ 
+-            System::mkdir(array('-p', $cache_dir));
+-            $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+-            if (!$cacheidfile_fp) {
+-                return PEAR::raiseError("Could not open $cacheidfile for writing.");
+-            }
++            return $result;
+         }
+ 
+-        if ($nochange) {
+-            fwrite($cacheidfile_fp, serialize(array(
+-                'age'        => time(),
+-                'lastChange' => $cacheid['lastChange'],
+-                ))
+-            );
+-
+-            fclose($cacheidfile_fp);
+-            return true;
+-        }
++        return true;
++    }
+ 
+-        fwrite($cacheidfile_fp, serialize(array(
+-            'age'        => time(),
+-            'lastChange' => $lastmodified,
+-            ))
+-        );
+-        fclose($cacheidfile_fp);
++    function saveCacheFile($file, $contents)
++    {
++        $len = strlen($contents);
+ 
+-        $cachefile_fp = @fopen($cachefile, 'wb');
+-        if (!$cachefile_fp) {
+-            if (file_exists($cacheidfile)) {
+-                @unlink($cacheidfile);
++        $cachefile_fp = @fopen($file, 'xb'); // x is the O_CREAT|O_EXCL mode
++        if ($cachefile_fp !== false) { // create file
++            if (fwrite($cachefile_fp, $contents, $len) < $len) {
++                fclose($cachefile_fp);
++                return PEAR::raiseError("Could not write $file.");
++            }
++        } else { // update file
++            $cachefile_lstat = lstat($file);
++            $cachefile_fp = @fopen($file, 'wb');
++            if (!$cachefile_fp) {
++                return PEAR::raiseError("Could not open $file for writing.");
++            }
++
++            $cachefile_fstat = fstat($cachefile_fp);
++            if (
++              $cachefile_lstat['mode'] == $cachefile_fstat['mode'] &&
++              $cachefile_lstat['ino']  == $cachefile_fstat['ino'] &&
++              $cachefile_lstat['dev']  == $cachefile_fstat['dev'] &&
++              $cachefile_fstat['nlink'] === 1
++            ) {
++                if (fwrite($cachefile_fp, $contents, $len) < $len) {
++                    fclose($cachefile_fp);
++                    return PEAR::raiseError("Could not write $file.");
++                }
++            } else {
++                fclose($cachefile_fp);
++                $link = function_exists('readlink') ? readlink($file) : $file;
++                return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $file . ' as it is symlinked to ' . $link . ' - Possible symlink attack');
+             }
+-
+-            return PEAR::raiseError("Could not open $cacheidfile for writing.");
+         }
+ 
+-        fwrite($cachefile_fp, serialize($contents));
+         fclose($cachefile_fp);
+         return true;
+     }
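Review bot: In the added `is_dir($cache_dir)` guard, the closing parenthesis is misplaced: `System::mkdir(array('-p', $cache_dir) === false)` compares the array with `false` and passes the resulting boolean to `System::mkdir()`, so the directory is never created with the intended arguments and the real failure case is never tested. It should read `if (System::mkdir(array('-p', $cache_dir)) === false) {`. Separately, the update branch of `saveCacheFile()` opens with `fopen($file, 'wb')`, which follows a symlink and truncates its target before the `lstat`/`fstat` comparison runs, so the check prevents the write but not the truncation. Opening with `'cb'` (available from PHP 5.2.6) and calling `ftruncate($cachefile_fp, 0);` only after the comparison passes would close that gap. The enclosing cache-saving method begins outside the inner hunk, so how `$cache_dir` and `$d` are derived is not visible here.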
diff --git a/debian/rules b/debian/rules
index 3cbe53d..11b6e64 100755
--- a/debian/rules
+++ b/debian/rules
@@ -246,6 +246,7 @@ build-pear-stamp: build-cgi-stamp
 	       -e 's/-d output_buffering=1 -d open_basedir="" -d safe_mode=0/-d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1"/' \
 	       $(CURDIR)/pear-build/usr/bin/peardev
 	sed -i -re "s#('PEAR_CONFIG_SYSCONFDIR', PHP_SYSCONFDIR)#\1 . '/pear'#" $(CURDIR)/pear-build/usr/share/php/PEAR/Config.php
+	patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/patches/CVE-2011-1144.patch
 	touch build-pear-stamp
 
 configure: configure-apache2-stamp configure-apache2filter-stamp configure-cli-stamp configure-fpm-stamp configure-cgi-stamp
-- 
1.7.1




