[Pkg-php-commits] r1058 - in php5/branches/etch/debian: . patches
Sean Finney
seanius at alioth.debian.org
Thu May 8 19:55:38 UTC 2008
Author: seanius
Date: 2008-05-08 19:55:38 +0000 (Thu, 08 May 2008)
New Revision: 1058
Added:
php5/branches/etch/debian/patches/134-CVE-2008-1384.patch
php5/branches/etch/debian/patches/135-CVE-2008-2050.patch
php5/branches/etch/debian/patches/136-CVE-2008-2051.patch
Modified:
php5/branches/etch/debian/changelog
Log:
merge some CVE patches
Modified: php5/branches/etch/debian/changelog
===================================================================
--- php5/branches/etch/debian/changelog 2008-05-08 19:32:53 UTC (rev 1057)
+++ php5/branches/etch/debian/changelog 2008-05-08 19:55:38 UTC (rev 1058)
@@ -1,6 +1,11 @@
php5 (5.2.0-8+etch11~p2) UNRELEASED; urgency=low
* NOT RELEASED YET
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issues are addressed with this update:
+ - CVE-2008-1384: integer overflow in printf()
+ - CVE-2008-2050: possible stack buffer overflow in the FastCGI SAPI
+ - CVE-2008-2051: incomplete multibyte chars inside escapeshellcmd()
-- sean finney <seanius at debian.org> Thu, 21 Feb 2008 07:09:01 +0100
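Review bot: the header line keeps urgency=low while the added entries describe a security update covering three CVEs; consider raising the urgency before the entry is released. The trailer still carries the 21 Feb 2008 date although these entries were added in a 2008-05-08 commit, so it should be refreshed when the entry is finalised. Naming the patch file next to each CVE (134-CVE-2008-1384.patch and so on) would make the entries easier to trace back to the change.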
Added: php5/branches/etch/debian/patches/134-CVE-2008-1384.patch
===================================================================
--- php5/branches/etch/debian/patches/134-CVE-2008-1384.patch (rev 0)
+++ php5/branches/etch/debian/patches/134-CVE-2008-1384.patch 2008-05-08 19:55:38 UTC (rev 1058)
@@ -0,0 +1,32 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.104&r2=1.105&view=patch
+--- old/ext/standard/formatted_print.c 2007/12/31 07:12:15 1.104
++++ new/ext/standard/formatted_print.c 2008/03/17 23:07:55 1.105
+@@ -94,6 +94,7 @@
+ register int npad;
+ int req_size;
+ int copy_len;
++ int m_width;
+
+ copy_len = (expprec ? MIN(max_width, len) : len);
+ npad = min_width - copy_len;
+@@ -104,11 +105,19 @@
+
+ PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n",
+ *buffer, *pos, *size, add, min_width, padding, alignment));
++ m_width = MAX(min_width, copy_len);
+
+- req_size = *pos + MAX(min_width, copy_len) + 1;
++ if(m_width > INT_MAX - *pos - 1) {
++ zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width);
++ }
++
++ req_size = *pos + m_width + 1;
+
+ if (req_size > *size) {
+ while (req_size > *size) {
++ if(*size > INT_MAX/2) {
++ zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size);
++ }
+ *size <<= 1;
+ }
+ PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
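Review bot: in the second inner hunk, the check added inside the `while (req_size > *size)` loop reports req_size under the message "Field width %d is too long", but req_size is `*pos + m_width + 1`, not a field width; pass m_width or reword the message so the logged number matches its label. The guard `m_width > INT_MAX - *pos - 1` is only overflow-free while *pos is non-negative, which the hunk assumes rather than checks, and a one-line comment stating that precondition would help. Both new conditions are written `if(` where the surrounding code uses `if (`.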
Added: php5/branches/etch/debian/patches/135-CVE-2008-2050.patch
===================================================================
--- php5/branches/etch/debian/patches/135-CVE-2008-2050.patch (rev 0)
+++ php5/branches/etch/debian/patches/135-CVE-2008-2050.patch 2008-05-08 19:55:38 UTC (rev 1058)
@@ -0,0 +1,22 @@
+http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.44&r2=1.45&view=patch
+--- old/sapi/cgi/fastcgi.c 2008/02/15 14:51:52 1.44
++++ new/sapi/cgi/fastcgi.c 2008/04/03 10:25:08 1.45
+@@ -593,6 +593,9 @@
+ hdr->reserved = 0;
+ hdr->type = type;
+ hdr->version = FCGI_VERSION_1;
++ if (pad) {
++ memset(((unsigned char*)hdr) + sizeof(fcgi_header) + len, 0, pad);
++ }
+ return pad;
+ }
+
+@@ -777,7 +780,7 @@
+ {
+ int ret, n, rest;
+ fcgi_header hdr;
+- unsigned char buf[8];
++ unsigned char buf[255];
+
+ n = 0;
+ rest = len;
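Review bot: in the second inner hunk, buf grows from 8 to 255 bytes as a bare literal, and the lines shown contain no check tying the number of bytes read into buf to its size; add a comment saying where 255 comes from, or use a named constant together with sizeof(buf) at the read site, so the bound cannot drift from the array. In the first inner hunk the memset writes pad bytes starting at `hdr + sizeof(fcgi_header) + len`, which is only valid if every caller's buffer has room for the padding after the payload; that precondition deserves a comment on the function.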
Added: php5/branches/etch/debian/patches/136-CVE-2008-2051.patch
===================================================================
--- php5/branches/etch/debian/patches/136-CVE-2008-2051.patch (rev 0)
+++ php5/branches/etch/debian/patches/136-CVE-2008-2051.patch 2008-05-08 19:55:38 UTC (rev 1058)
@@ -0,0 +1,15 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.113.2.3.2.1.2.3&r2=1.113.2.3.2.1.2.4&view=patch
+--- old/ext/standard/exec.c 2007/12/31 07:17:14 1.113.2.3.2.1.2.3
++++ new/ext/standard/exec.c 2008/03/17 23:01:27 1.113.2.3.2.1.2.4
+@@ -271,6 +271,11 @@
+ cmd = safe_emalloc(2, l, 1);
+
+ for (x = 0, y = 0; x < l; x++) {
++ /* skip non-valid multibyte characters */
++ if (php_mblen(str + x, (l - x)) < 0) {
++ continue;
++ }
++
+ switch (str[x]) {
+ case '"':
+ case '\'':
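Review bot: the new check at the top of the loop body uses the php_mblen() result only to test for `< 0` and then discards it, so in the lines shown a valid multibyte character still goes through `switch (str[x])` one byte at a time, and the next iteration calls php_mblen() from the middle of that character. Store the return value and, when it is greater than 1, copy that many bytes to cmd and advance x past them before continuing. The comment could also state that invalid bytes are dropped from the output rather than escaped.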