[php-maint] Bug#373236: diff for 4:4.4.2-1.1 NMU

Steinar H. Gunderson sesse at debian.org
Tue Jun 13 20:05:48 UTC 2006


Package: php4
Version: 4:4.4.2-1
Severity: normal
Tags: patch

Hi,

Attached is the diff for my php4 4:4.4.2-1.1 NMU.
-------------- next part --------------
diff -Nru /tmp/lqhcFBVQep/php4-4.4.2/debian/changelog /tmp/965ba9IQOe/php4-4.4.2/debian/changelog
--- /tmp/lqhcFBVQep/php4-4.4.2/debian/changelog	2006-06-13 22:05:28.000000000 +0200
+++ /tmp/965ba9IQOe/php4-4.4.2/debian/changelog	2006-06-13 22:05:29.000000000 +0200
@@ -1,3 +1,15 @@
+php4 (4:4.4.2-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Backport patches from upstream CVS to fix security issues:
+    * 058-html_entity_decode_fix.patch: Fix information leak in
+      html_entity_decode() (CVE-2006-1490). (Closes: #359904)
+    * 059-wordwrap_fix.patch: Fix possible heap overflow in wordwrap()
+      (CVE-2006-1990). (Closes: #365311)
+  * Make sure patches are applied in correct order; patch from Sven Mueller.
+
+ -- Steinar H. Gunderson <sesse at debian.org>  Tue, 13 Jun 2006 21:09:20 +0200
+
 php4 (4:4.4.2-1) unstable; urgency=low
 
   * New upstream bugfix release, skipping the problematic 4.4.1 release:
diff -Nru /tmp/lqhcFBVQep/php4-4.4.2/debian/patches/058-html_entity_decode_fix.patch /tmp/965ba9IQOe/php4-4.4.2/debian/patches/058-html_entity_decode_fix.patch
--- /tmp/lqhcFBVQep/php4-4.4.2/debian/patches/058-html_entity_decode_fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ /tmp/965ba9IQOe/php4-4.4.2/debian/patches/058-html_entity_decode_fix.patch	2006-06-13 22:05:29.000000000 +0200
@@ -0,0 +1,18 @@
+Fetched from upstream CVS, at
+
+  http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/html.c?r1=1.63.2.23.2.1&r2=1.63.2.23.2.2&view=patch
+
+Fixes CVE-2006-1490.
+
+diff -ur php4-4.3.10-orig/ext/standard/html.c php4-4.3.10/ext/standard/html.c
+--- php4-4.3.10-orig/ext/standard/html.c	2004-07-13 19:15:13.000000000 +0200
++++ php4-4.3.10/ext/standard/html.c	2006-03-31 17:15:33.000000000 +0200
+@@ -791,7 +791,7 @@
+ 	enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
+ 	unsigned char replacement[15];
+ 	
+-	ret = estrdup(old);
++	ret = estrndup(old,oldlen);
+ 	retlen = oldlen;
+ 	if (!retlen) {
+ 		goto empty_source;
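Review bot: The patch header records only the CVS URL and the CVE id, so the reason for the one-line change to `ret = estrndup(old,oldlen);` is not documented anywhere in the package. A sentence in the header such as `estrdup() copies only up to the first NUL byte while retlen is set to oldlen, so input with an embedded NUL leaves ret shorter than retlen` would tell a later maintainer why the length-bounded copy must not be reverted. The code that consumes ret and retlen lies outside the hunk, so that wording should be confirmed against the full function. The diff labels also name php4-4.3.10 while the package is 4.4.2, so the header should state that the hunk was checked to land in the intended function rather than applying with an offset.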
diff -Nru /tmp/lqhcFBVQep/php4-4.4.2/debian/patches/059-wordwrap_fix.patch /tmp/965ba9IQOe/php4-4.4.2/debian/patches/059-wordwrap_fix.patch
--- /tmp/lqhcFBVQep/php4-4.4.2/debian/patches/059-wordwrap_fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ /tmp/965ba9IQOe/php4-4.4.2/debian/patches/059-wordwrap_fix.patch	2006-06-13 22:05:29.000000000 +0200
@@ -0,0 +1,35 @@
+Fetched from upstream CVS, at
+
+   http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.333.2.52.2.3&r2=1.333.2.52.2.4&view=patch
+
+Fixes CVE-2006-1990.
+
+--- php4-4.3.10.orig/ext/standard/string.c	2006/01/01 13:46:58	1.333.2.52.2.3
++++ php4-4.3.10/ext/standard/string.c	2006/03/13 14:41:27	1.333.2.52.2.4
+@@ -18,7 +18,7 @@
+    +----------------------------------------------------------------------+
+  */
+ 
+-/* $Id: string.c,v 1.333.2.52.2.3 2006/01/01 13:46:58 sniper Exp $ */
++/* $Id: string.c,v 1.333.2.52.2.4 2006/03/13 14:41:27 iliaa Exp $ */
+ 
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+ 
+@@ -672,15 +672,13 @@
+ 		/* Multiple character line break or forced cut */
+ 		if (linelength > 0) {
+ 			chk = (int)(textlen/linelength + 1);
++			newtext = safe_emalloc(chk, breakcharlen, textlen + 1);
+ 			alloced = textlen + chk * breakcharlen + 1;
+ 		} else {
+ 			chk = textlen;
++			newtext = safe_emalloc(textlen, (breakcharlen + 1), 1);
+ 			alloced = textlen * (breakcharlen + 1) + 1;
+ 		}
+-		if (alloced <= 0) {
+-			RETURN_FALSE;
+-		}
+-		newtext = emalloc(alloced);
+ 
+ 		/* now keep track of the actual new text length */
+ 		newtextlen = 0;
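Review bot: `alloced` is still computed with the unchecked expressions `textlen + chk * breakcharlen + 1` and `textlen * (breakcharlen + 1) + 1` after the allocation moved to safe_emalloc(), and the old `alloced <= 0` guard is removed. The declarations are outside the hunk, but if alloced is narrower than the type safe_emalloc() checks in, the allocation could succeed while the bookkeeping value wraps. Any later growth or bounds decision based on alloced would then disagree with the real buffer size. I would confirm the types match and add a comment above the first assignment, `/* safe_emalloc() has already rejected overflow; alloced must equal the size requested above */`. The surrounding function starts and ends outside the hunk, so the later uses of alloced need to be checked in the full file.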
diff -Nru /tmp/lqhcFBVQep/php4-4.4.2/debian/rules /tmp/965ba9IQOe/php4-4.4.2/debian/rules
--- /tmp/lqhcFBVQep/php4-4.4.2/debian/rules	2006-06-13 22:05:28.000000000 +0200
+++ /tmp/965ba9IQOe/php4-4.4.2/debian/rules	2006-06-13 22:05:29.000000000 +0200
@@ -101,7 +101,7 @@
 patch: patch-stamp
 patch-stamp:
 	dh_testdir
-	for patch in debian/patches/*.patch; do \
+	for patch in `ls debian/patches/*.patch | sort`; do \
 	        echo '->'`basename $$patch`:; \
 		if ! patch -p1 --ignore-whitespace --dry-run < $$patch; \
 		then \
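Review bot: The `ls debian/patches/*.patch | sort` substitution in the new loop header orders the patches by the build environment's locale collation and splits on whitespace in file names, so the order in which the security patches are applied is not pinned by the packaging itself. Fixing the collation makes the order reproducible across build hosts: `for patch in $$(ls debian/patches/*.patch | LC_ALL=C sort); do \`. The loop body continues past the end of the hunk, so whether a failed dry run aborts the build is not visible here and should be checked in the full rule.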

