[Pkg-php-commits] [php/refs/tags/debian/5.3.6-1] Add complete fix for CVE-2011-1072 + CVE-2011-1144
Ondřej Surý
ondrej at sury.org
Fri Mar 18 16:28:41 UTC 2011
---
debian/patches/CVE-2011-1144.patch | 115 ++++++++++++++++++++++++++++++++++++
debian/rules | 1 +
2 files changed, 116 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/CVE-2011-1144.patch
diff --git a/debian/patches/CVE-2011-1144.patch b/debian/patches/CVE-2011-1144.patch
new file mode 100644
index 0000000..a3ab7cb
--- /dev/null
+++ b/debian/patches/CVE-2011-1144.patch
@@ -0,0 +1,115 @@
+--- a/PEAR/REST.php 2011/03/08 22:46:27 309041
++++ b/PEAR/REST.php 2011/03/08 23:16:30 309042
+@@ -228,59 +228,75 @@
+ $cacheidfile = $d . 'rest.cacheid';
+ $cachefile = $d . 'rest.cachefile';
+
++ if (!is_dir($cache_dir)) {
++ if (System::mkdir(array('-p', $cache_dir) === false)) {
++ return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory and attempts to create the directory failed.");
++ }
++ }
++
+ if ($cacheid === null && $nochange) {
+ $cacheid = unserialize(implode('', file($cacheidfile)));
+ }
+
+- if (is_link($cacheidfile)) {
+- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
+- }
++ $idData = serialize(array(
++ 'age' => time(),
++ 'lastChange' => ($nochange ? $cacheid['lastChange'] : $lastmodified),
++ ));
+
+- if (is_link($cachefile)) {
+- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
++ $result = $this->saveCacheFile($cacheidfile, $idData);
++ if (PEAR::isError($result)) {
++ return $result;
++ } elseif ($nochange) {
++ return true;
+ }
+
+- $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+- if (!$cacheidfile_fp) {
+- if (is_dir($cache_dir)) {
+- return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory. ");
++ $result = $this->saveCacheFile($cachefile, serialize($contents));
++ if (PEAR::isError($result)) {
++ if (file_exists($cacheidfile)) {
++ @unlink($cacheidfile);
+ }
+
+- System::mkdir(array('-p', $cache_dir));
+- $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+- if (!$cacheidfile_fp) {
+- return PEAR::raiseError("Could not open $cacheidfile for writing.");
+- }
++ return $result;
+ }
+
+- if ($nochange) {
+- fwrite($cacheidfile_fp, serialize(array(
+- 'age' => time(),
+- 'lastChange' => $cacheid['lastChange'],
+- ))
+- );
+-
+- fclose($cacheidfile_fp);
+- return true;
+- }
++ return true;
++ }
+
+- fwrite($cacheidfile_fp, serialize(array(
+- 'age' => time(),
+- 'lastChange' => $lastmodified,
+- ))
+- );
+- fclose($cacheidfile_fp);
++ function saveCacheFile($file, $contents)
++ {
++ $len = strlen($contents);
+
+- $cachefile_fp = @fopen($cachefile, 'wb');
+- if (!$cachefile_fp) {
+- if (file_exists($cacheidfile)) {
+- @unlink($cacheidfile);
++ $cachefile_fp = @fopen($file, 'xb'); // x is the O_CREAT|O_EXCL mode
++ if ($cachefile_fp !== false) { // create file
++ if (fwrite($cachefile_fp, $contents, $len) < $len) {
++ fclose($cachefile_fp);
++ return PEAR::raiseError("Could not write $file.");
++ }
++ } else { // update file
++ $cachefile_lstat = lstat($file);
++ $cachefile_fp = @fopen($file, 'wb');
++ if (!$cachefile_fp) {
++ return PEAR::raiseError("Could not open $file for writing.");
++ }
++
++ $cachefile_fstat = fstat($cachefile_fp);
++ if (
++ $cachefile_lstat['mode'] == $cachefile_fstat['mode'] &&
++ $cachefile_lstat['ino'] == $cachefile_fstat['ino'] &&
++ $cachefile_lstat['dev'] == $cachefile_fstat['dev'] &&
++ $cachefile_fstat['nlink'] === 1
++ ) {
++ if (fwrite($cachefile_fp, $contents, $len) < $len) {
++ fclose($cachefile_fp);
++ return PEAR::raiseError("Could not write $file.");
++ }
++ } else {
++ fclose($cachefile_fp);
++ $link = function_exists('readlink') ? readlink($file) : $file;
++ return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $file . ' as it is symlinked to ' . $link . ' - Possible symlink attack');
+ }
+-
+- return PEAR::raiseError("Could not open $cacheidfile for writing.");
+ }
+
+- fwrite($cachefile_fp, serialize($contents));
+ fclose($cachefile_fp);
+ return true;
+ }
diff --git a/debian/rules b/debian/rules
index 3cbe53d..11b6e64 100755
--- a/debian/rules
+++ b/debian/rules
@@ -246,6 +246,7 @@ build-pear-stamp: build-cgi-stamp
-e 's/-d output_buffering=1 -d open_basedir="" -d safe_mode=0/-d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1"/' \
$(CURDIR)/pear-build/usr/bin/peardev
sed -i -re "s#('PEAR_CONFIG_SYSCONFDIR', PHP_SYSCONFDIR)#\1 . '/pear'#" $(CURDIR)/pear-build/usr/share/php/PEAR/Config.php
+ patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/patches/CVE-2011-1144.patch
touch build-pear-stamp
configure: configure-apache2-stamp configure-apache2filter-stamp configure-cli-stamp configure-fpm-stamp configure-cgi-stamp
--
1.7.1
More information about the Pkg-php-commits
mailing list