[Pkg-php-commits] r878 - in php4/branches/sarge/debian: . patches

Sean Finney seanius at alioth.debian.org
Wed Sep 19 21:17:15 UTC 2007


Author: seanius
Date: 2007-09-19 21:17:14 +0000 (Wed, 19 Sep 2007)
New Revision: 878

Added:
   php4/branches/sarge/debian/patches/CVE-2007-3799_session.patch
Modified:
   php4/branches/sarge/debian/changelog
   php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch
Log:
new oldstable CVE fix, massage previous CVE fix


Modified: php4/branches/sarge/debian/changelog
===================================================================
--- php4/branches/sarge/debian/changelog	2007-09-19 20:52:36 UTC (rev 877)
+++ php4/branches/sarge/debian/changelog	2007-09-19 21:17:14 UTC (rev 878)
@@ -3,9 +3,10 @@
   * Not yet released.
   * NMU prepared for the security team by the package maintainer.
   * The following security issues are addressed with this update:
+    - CVE-2007-3799: session insertion vulnerability
     - CVE-2007-4657: integer overflows in strspn/strcspn
 
- -- sean finney <seanius at debian.org>  Wed, 19 Sep 2007 22:53:30 +0200
+ -- sean finney <seanius at debian.org>  Wed, 19 Sep 2007 23:18:17 +0200
 
 php4 (4:4.3.10-22) oldstable-security; urgency=low
 

Added: php4/branches/sarge/debian/patches/CVE-2007-3799_session.patch
===================================================================
--- php4/branches/sarge/debian/patches/CVE-2007-3799_session.patch	                        (rev 0)
+++ php4/branches/sarge/debian/patches/CVE-2007-3799_session.patch	2007-09-19 21:17:14 UTC (rev 878)
@@ -0,0 +1,44 @@
+--- old/ext/session/session.c	2007/06/15 22:45:25	1.336.2.53.2.19
++++ new/ext/session/session.c	2007/06/16 07:48:23	1.336.2.53.2.20
+@@ -666,6 +666,12 @@
+ {
+ 	char *val;
+ 	int vallen;
++ 
++ 	/* check session name for invalid characters */
++	if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
++ 		efree(PS(id));
++ 		PS(id) = NULL;
++ 	}
+
+ 	if (!PS(mod)) {
+ 		php_error_docref(NULL TSRMLS_CC, E_ERROR, "No storage module chosen - failed to initialize session.");
+@@ -918,6 +918,7 @@
+ {
+ 	smart_str ncookie = {0};
+ 	char *date_fmt = NULL;
++	char *e_session_name, *e_id;
+ 
+ 	if (SG(headers_sent)) {
+ 		char *output_start_filename = php_get_output_start_filename(TSRMLS_C);
+@@ -931,11 +932,18 @@
+ 		}	
+ 		return;
+ 	}
++	
++	/* URL encode session_name and id because they might be user supplied */
++	e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)), NULL);
++	e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
+ 
+ 	smart_str_appends(&ncookie, COOKIE_SET_COOKIE);
+-	smart_str_appends(&ncookie, PS(session_name));
++	smart_str_appends(&ncookie, e_session_name);
+ 	smart_str_appendc(&ncookie, '=');
+-	smart_str_appends(&ncookie, PS(id));
++	smart_str_appends(&ncookie, e_id);
++	
++	efree(e_session_name);
++	efree(e_id);
+ 	
+ 	if (PS(cookie_lifetime) > 0) {
+ 		struct timeval tv;
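Review bot: The comment added in the first embedded session.c hunk says "check session name for invalid characters", but the `strpbrk` call on the next line inspects `PS(id)`, the session id, so it should read `/* check session id for invalid characters */`. The test is also a deny-list of nine characters, so other control bytes and cookie delimiters such as `;` and `,` still pass it and are only neutralised by the `php_url_encode` calls added in the Set-Cookie hunk. If the id is emitted anywhere else without encoding (not visible in this patch), an allow-list of the characters the id generator actually produces would be the safer check. The enclosing functions start and end outside the embedded hunks, so whether `PS(id)` is guaranteed non-NULL before `strlen(PS(id))` cannot be confirmed from here.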

Modified: php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch
===================================================================
--- php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch	2007-09-19 20:52:36 UTC (rev 877)
+++ php4/branches/sarge/debian/patches/CVE-2007-4657_strcspn.patch	2007-09-19 21:17:14 UTC (rev 878)
@@ -1,5 +1,5 @@
---- string.c	2007/05/24 21:31:05	1.333.2.52.2.13
-+++ string.c	2007/06/06 18:38:47	1.333.2.52.2.16
+--- old/ext/standard/string.c	2007/05/24 21:31:05	1.333.2.52.2.13
++++ new/ext/standard/string.c	2007/06/06 18:38:47	1.333.2.52.2.16
 @@ -234,10 +234,14 @@
  		}
  	}



