[Pkg-php-commits] [php/debian-squeeze] Fix multiple format string vulnerabilities in phar_object.c (CVE-2011-1153)
Ondřej Surý
ondrej at sury.org
Sat May 14 09:35:41 UTC 2011
---
debian/patches/CVE-2011-1153.patch | 245 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 246 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/CVE-2011-1153.patch
diff --git a/debian/patches/CVE-2011-1153.patch b/debian/patches/CVE-2011-1153.patch
new file mode 100644
index 0000000..1984b15
--- /dev/null
+++ b/debian/patches/CVE-2011-1153.patch
@@ -0,0 +1,245 @@
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -1141,7 +1141,7 @@ PHP_METHOD(Phar, loadPhar)
+ RETVAL_BOOL(phar_open_from_filename(fname, fname_len, alias, alias_len, REPORT_ERRORS, NULL, &error TSRMLS_CC) == SUCCESS);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ } /* }}} */
+@@ -2003,7 +2003,7 @@ PHP_METHOD(Phar, buildFromDirectory)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+
+@@ -2066,7 +2066,7 @@ PHP_METHOD(Phar, buildFromIterator)
+ phar_obj->arc.archive->ufp = pass.fp;
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ } else {
+@@ -2323,7 +2323,7 @@ its_ok:
+ phar_flush(phar, 0, 0, 1, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ efree(oldpath);
+ return NULL;
+@@ -2783,7 +2783,7 @@ PHP_METHOD(Phar, delete)
+
+ phar_flush(phar_obj->arc.archive, NULL, 0, 0, &error TSRMLS_CC);
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+
+@@ -2858,7 +2858,7 @@ PHP_METHOD(Phar, setAlias)
+ efree(error);
+ goto valid_alias;
+ }
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ RETURN_FALSE;
+ }
+@@ -2895,7 +2895,7 @@ valid_alias:
+ phar_obj->arc.archive->alias = oldalias;
+ phar_obj->arc.archive->alias_len = oldalias_len;
+ phar_obj->arc.archive->is_temporary_alias = old_temp;
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ if (readd) {
+ zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), oldalias, oldalias_len, (void*)&(phar_obj->arc.archive), sizeof(phar_archive_data*), NULL);
+ }
+@@ -2968,7 +2968,7 @@ PHP_METHOD(Phar, stopBuffering)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ }
+@@ -3017,7 +3017,7 @@ PHP_METHOD(Phar, setStub)
+ }
+ phar_flush(phar_obj->arc.archive, (char *) &zstub, len, 0, &error TSRMLS_CC);
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ RETURN_TRUE;
+@@ -3033,7 +3033,7 @@ PHP_METHOD(Phar, setStub)
+ phar_flush(phar_obj->arc.archive, stub, stub_len, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+
+@@ -3094,7 +3094,7 @@ PHP_METHOD(Phar, setDefaultStub)
+ stub = phar_create_default_stub(index, webindex, &stub_len, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ if (stub) {
+ efree(stub);
+@@ -3116,7 +3116,7 @@ PHP_METHOD(Phar, setDefaultStub)
+ }
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ RETURN_FALSE;
+ }
+@@ -3171,7 +3171,7 @@ PHP_METHOD(Phar, setSignatureAlgorithm)
+
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ break;
+@@ -3473,7 +3473,7 @@ PHP_METHOD(Phar, compressFiles)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ }
+@@ -3513,7 +3513,7 @@ PHP_METHOD(Phar, decompressFiles)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+
+@@ -3613,7 +3613,7 @@ PHP_METHOD(Phar, copy)
+ if (FAILURE == phar_copy_entry_fp(oldentry, &newentry, &error TSRMLS_CC)) {
+ efree(newentry.filename);
+ php_stream_close(newentry.fp);
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ return;
+ }
+@@ -3624,7 +3624,7 @@ PHP_METHOD(Phar, copy)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+
+@@ -3770,7 +3770,7 @@ static void phar_add_file(phar_archive_d
+ phar_flush(*pphar, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ }
+@@ -3806,7 +3806,7 @@ static void phar_mkdir(phar_archive_data
+ phar_flush(*pphar, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ }
+@@ -3892,7 +3892,7 @@ PHP_METHOD(Phar, offsetUnset)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+
+@@ -4148,7 +4148,7 @@ PHP_METHOD(Phar, setMetadata)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ }
+@@ -4175,7 +4175,7 @@ PHP_METHOD(Phar, delMetadata)
+ phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ RETURN_FALSE;
+ } else {
+@@ -4723,7 +4723,7 @@ PHP_METHOD(PharFileInfo, chmod)
+ phar_flush(entry_obj->ent.entry->phar, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ }
+@@ -4809,7 +4809,7 @@ PHP_METHOD(PharFileInfo, setMetadata)
+ phar_flush(entry_obj->ent.entry->phar, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ }
+@@ -4854,7 +4854,7 @@ PHP_METHOD(PharFileInfo, delMetadata)
+ phar_flush(entry_obj->ent.entry->phar, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ RETURN_FALSE;
+ } else {
+@@ -5036,7 +5036,7 @@ PHP_METHOD(PharFileInfo, compress)
+ phar_flush(entry_obj->ent.entry->phar, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+
+@@ -5111,7 +5111,7 @@ PHP_METHOD(PharFileInfo, decompress)
+ phar_flush(entry_obj->ent.entry->phar, 0, 0, 0, &error TSRMLS_CC);
+
+ if (error) {
+- zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, error);
++ zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ }
+ RETURN_TRUE;
diff --git a/debian/patches/series b/debian/patches/series
index 7a6f7bc..e5ae765 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,3 +89,4 @@ fix-segfault-when-extending-SplFixedArray.patch
fix-segfault-when-node-is-NULL-in-simplexml.patch
fix-sqlite3-columnName-segfaults-on-bad-column_number.patch
CVE-2011-0421.patch
+CVE-2011-1153.patch
--
1.7.1
More information about the Pkg-php-commits
mailing list