[Pkg-php-commits] r883 - in php4/branches/etch/debian: . patches

Sean Finney seanius at alioth.debian.org
Thu Sep 20 17:11:11 UTC 2007


Author: seanius
Date: 2007-09-20 17:11:11 +0000 (Thu, 20 Sep 2007)
New Revision: 883

Added:
   php4/branches/etch/debian/patches/077-CVE-2007-3799_session.patch
   php4/branches/etch/debian/patches/078-CVE-2007-4657_strcspn.patch
Modified:
   php4/branches/etch/debian/changelog
Log:
two CVE fixes

Modified: php4/branches/etch/debian/changelog
===================================================================
--- php4/branches/etch/debian/changelog	2007-09-20 00:45:45 UTC (rev 882)
+++ php4/branches/etch/debian/changelog	2007-09-20 17:11:11 UTC (rev 883)
@@ -1,8 +1,12 @@
 php4 (6:4.4.4-8+etch5) UNRELEASED; urgency=low
 
   * NOT RELEASED YET
+  * NMU prepared for the security team by the package maintainer.
+  * The following security issues are addressed with this update:
+    - CVE-2007-3799: session insertion vulnerability
+    - CVE-2007-4657: integer overflows in strspn/strcspn
 
- -- sean finney <sean at rangda.stickybit.se>  Sat, 30 Jun 2007 16:59:46 +0200
+ -- sean finney <seanius at debian.org>  Thu, 20 Sep 2007 19:02:43 +0200
 
 php4 (6:4.4.4-8+etch4) stable-security; urgency=low
 

Added: php4/branches/etch/debian/patches/077-CVE-2007-3799_session.patch
===================================================================
--- php4/branches/etch/debian/patches/077-CVE-2007-3799_session.patch	                        (rev 0)
+++ php4/branches/etch/debian/patches/077-CVE-2007-3799_session.patch	2007-09-20 17:11:11 UTC (rev 883)
@@ -0,0 +1,31 @@
+--- old/ext/session/session.c	2007/06/15 22:45:25	1.336.2.53.2.19
++++ new/ext/session/session.c	2007/06/16 07:48:23	1.336.2.53.2.20
+@@ -918,6 +918,7 @@
+ {
+ 	smart_str ncookie = {0};
+ 	char *date_fmt = NULL;
++	char *e_session_name, *e_id;
+ 
+ 	if (SG(headers_sent)) {
+ 		char *output_start_filename = php_get_output_start_filename(TSRMLS_C);
+@@ -931,11 +932,18 @@
+ 		}	
+ 		return;
+ 	}
++	
++	/* URL encode session_name and id because they might be user supplied */
++	e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)), NULL);
++	e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
+ 
+ 	smart_str_appends(&ncookie, COOKIE_SET_COOKIE);
+-	smart_str_appends(&ncookie, PS(session_name));
++	smart_str_appends(&ncookie, e_session_name);
+ 	smart_str_appendc(&ncookie, '=');
+-	smart_str_appends(&ncookie, PS(id));
++	smart_str_appends(&ncookie, e_id);
++	
++	efree(e_session_name);
++	efree(e_id);
+ 	
+ 	if (PS(cookie_lifetime) > 0) {
+ 		struct timeval tv;
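Review bot: The added patch file carries no description header above its `---` line, so nothing in the patch itself records which issue it addresses or which upstream revision it was taken from; the same applies to 078-CVE-2007-4657_strcspn.patch. A short header such as `# CVE-2007-3799: URL-encode PS(session_name) and PS(id) before they are written into the Set-Cookie header (upstream session.c 1.336.2.53.2.19 -> 1.336.2.53.2.20)` would keep that context with the patch. The function being patched begins before and continues after the quoted fragment, so whether the encoded cookie name still matches what the request-side cookie lookup expects cannot be checked here; since php_url_encode rewrites anything outside the urlencode() safe set, a session name that is not plain alphanumeric may now be emitted under a different name than the one used to read it back, which is worth confirming against that code.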

Added: php4/branches/etch/debian/patches/078-CVE-2007-4657_strcspn.patch
===================================================================
--- php4/branches/etch/debian/patches/078-CVE-2007-4657_strcspn.patch	                        (rev 0)
+++ php4/branches/etch/debian/patches/078-CVE-2007-4657_strcspn.patch	2007-09-20 17:11:11 UTC (rev 883)
@@ -0,0 +1,74 @@
+--- old/ext/standard/string.c	2007/05/24 21:31:05	1.333.2.52.2.13
++++ new/ext/standard/string.c	2007/06/06 18:38:47	1.333.2.52.2.16
+@@ -234,10 +234,14 @@
+ 		}
+ 	}
+ 	
+-	if (((unsigned) start + (unsigned) len) > len1) {
++	if (len > len1 - start) {
+ 		len = len1 - start;
+ 	}
+ 
++	if(len == 0) {
++		RETURN_LONG(0);
++	}
++
+ 	s = s22;
+ 	e = s22 + len2;
+ 	while (s < e) {
+@@ -1511,11 +1515,25 @@
+ 	char *p, *q;
+ 	int chunks; /* complete chunks! */
+ 	int restlen;
++	int out_len;
+ 
+ 	chunks = srclen / chunklen;
+ 	restlen = srclen - chunks * chunklen; /* srclen % chunklen */
+ 
+-	dest = safe_emalloc(sizeof(char), (srclen + (chunks + 1) * endlen + 1), 0);
++	if(chunks > INT_MAX - 1) {
++		return NULL;
++	}
++	out_len = chunks + 1;
++	if(endlen != 0 && out_len > INT_MAX/endlen) {
++		return NULL;
++	}
++	out_len *= endlen;
++	if(out_len > INT_MAX - srclen - 1) {
++		return NULL;
++	}
++	out_len += srclen + 1;
++
++	dest = safe_emalloc(out_len, sizeof(char), 0);
+ 
+ 	for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
+ 		memcpy(q, p, chunklen);
+@@ -4088,12 +4106,27 @@
+ 
+ PHP_FUNCTION(money_format) {
+ 	int format_len = 0, str_len;
+-	char *format, *str;
++	char *format, *str, *p, *e;
+ 	double value;
++	zend_bool check = 0;
+ 
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd",
+ 							  &format, &format_len, &value) == FAILURE) {
+ 		return;
++	}
++
++	p = format;
++	e = p + format_len;
++	while ((p = memchr(p, '%', (e - p)))) {
++		if (*(p + 1) == '%') {
++			p += 2;	
++		} else if (!check) {
++			check = 1;
++			p++;
++		} else {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a single %%i or %%n token can be used");
++			RETURN_FALSE;
++		}
+ 	}
+ 
+ 	str_len = format_len + 1024;
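Review bot: The chunk_split helper now returns NULL from the three new overflow checks, whereas before it always returned a buffer (safe_emalloc does not return on allocation failure), so every caller must now treat NULL as failure; the callers are outside this hunk, so this needs confirming in the surrounding string.c before the patch is applied. The `len > len1 - start` rewrite in the first hunk is only safe if the preceding, out-of-hunk code has already rejected `start > len1` and made `len` non-negative, which cannot be verified from the fragment. In the money_format hunk the warning text is narrower than the check, which rejects any second '%' that is not '%%' regardless of the conversion letter that follows, so a message like `"Only a single %% conversion (e.g. %%i or %%n) may be used"` would describe the behaviour accurately. Minor style: `if(chunks > INT_MAX - 1)`, `if(endlen != 0 && ...)`, `if(out_len > ...)` and `if(len == 0)` omit the space after `if` that the surrounding code uses.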



