[Pkg-php-commits] [php/debian-lenny] Cherry pick for CVE-2010-1128, CVE-2010-2531, CVE-2010-3709, CVE-2010-3710, CVE-2010-3870, CVE-2010-4150 and ZIP NULL vulnerability

Ondřej Surý ondrej at sury.org
Tue Dec 7 12:19:45 UTC 2010


---
 debian/patches/php-5.2-CVE-2010-1128.patch |   23 +++
 debian/patches/php-5.2-CVE-2010-2531.patch |  226 ++++++++++++++++++++++++++++
 debian/patches/php-5.2-CVE-2010-3709.patch |   12 ++
 debian/patches/php-5.2-CVE-2010-3710.patch |   35 +++++
 debian/patches/php-5.2-CVE-2010-3870.patch |  187 +++++++++++++++++++++++
 debian/patches/php-5.2-CVE-2010-4150.patch |   15 ++
 debian/patches/php-5.2-CWE-170.patch       |   12 ++
 debian/patches/series                      |    7 +
 8 files changed, 517 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/php-5.2-CVE-2010-1128.patch
 create mode 100644 debian/patches/php-5.2-CVE-2010-2531.patch
 create mode 100644 debian/patches/php-5.2-CVE-2010-3709.patch
 create mode 100644 debian/patches/php-5.2-CVE-2010-3710.patch
 create mode 100644 debian/patches/php-5.2-CVE-2010-3870.patch
 create mode 100644 debian/patches/php-5.2-CVE-2010-4150.patch
 create mode 100644 debian/patches/php-5.2-CWE-170.patch

diff --git a/debian/patches/php-5.2-CVE-2010-1128.patch b/debian/patches/php-5.2-CVE-2010-1128.patch
new file mode 100644
index 0000000..f28aeb9
--- /dev/null
+++ b/debian/patches/php-5.2-CVE-2010-1128.patch
@@ -0,0 +1,23 @@
+--- a/ext/standard/lcg.c
++++ b/ext/standard/lcg.c
+@@ -78,7 +78,7 @@ static void lcg_seed(TSRMLS_D)
+ 	struct timeval tv;
+ 
+ 	if (gettimeofday(&tv, NULL) == 0) {
+-		LCG(s1) = tv.tv_sec ^ (~tv.tv_usec);
++		LCG(s1) = tv.tv_sec ^ (tv.tv_usec<<11);
+ 	} else {
+ 		LCG(s1) = 1;
+ 	}
+@@ -88,6 +88,11 @@ static void lcg_seed(TSRMLS_D)
+ 	LCG(s2) = (long) getpid();
+ #endif
+ 
++	/* Add entropy to s2 by calling gettimeofday() again */
++	if (gettimeofday(&tv, NULL) == 0) {
++		LCG(s2) ^= (tv.tv_usec<<11);
++	}
++
+ 	LCG(seeded) = 1;
+ }
+ 
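Review bot: The first hunk replaces `~tv.tv_usec` with `tv.tv_usec<<11` without a comment, so a later reader cannot tell from lcg.c why the complement was dropped or why the shift width is 11; the second hunk does explain itself, and the first deserves the same treatment, e.g. `/* spread tv_usec over the upper bits instead of complementing it (CVE-2010-1128) */` — the exact rationale is presumably the upstream advisory's and should be confirmed against it. Even with the extra gettimeofday() mix, both seeds are still derived only from wall-clock time and the pid, so a short note that this generator is not a secret source would help callers of lcg_value(). The enclosing lcg_seed() starts before the first hunk.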
diff --git a/debian/patches/php-5.2-CVE-2010-2531.patch b/debian/patches/php-5.2-CVE-2010-2531.patch
new file mode 100644
index 0000000..00651a9
--- /dev/null
+++ b/debian/patches/php-5.2-CVE-2010-2531.patch
@@ -0,0 +1,226 @@
+--- a/ext/standard/php_var.h
++++ b/ext/standard/php_var.h
+@@ -33,6 +33,8 @@ PHP_FUNCTION(memory_get_peak_usage);
+ 
+ PHPAPI void php_var_dump(zval **struc, int level TSRMLS_DC);
+ PHPAPI void php_var_export(zval **struc, int level TSRMLS_DC);
++PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC);
++
+ PHPAPI void php_debug_zval_dump(zval **struc, int level TSRMLS_DC);
+ 
+ /* typdef HashTable php_serialize_data_t; */
+--- a/ext/standard/var.c
++++ b/ext/standard/var.c
+@@ -343,48 +343,72 @@ PHP_FUNCTION(debug_zval_dump)
+ }
+ /* }}} */
+ 
++#define buffer_append_spaces(buf, num_spaces) \
++	do { \
++		char *tmp_spaces; \
++		int tmp_spaces_len; \
++		tmp_spaces_len = spprintf(&tmp_spaces, 0,"%*c", num_spaces, ' '); \
++		smart_str_appendl(buf, tmp_spaces, tmp_spaces_len); \
++		efree(tmp_spaces); \
++	} while(0);
+ /* {{{ php_var_export */
+ 
+ static int php_array_element_export(zval **zv, int num_args, va_list args, zend_hash_key *hash_key)
+ {
+ 	int level;
++	smart_str *buf;
+ 	TSRMLS_FETCH();
+ 
+ 	level = va_arg(args, int);
++	buf = va_arg(args, smart_str *);
+ 
+-	if (hash_key->nKeyLength==0) { /* numeric key */
+-		php_printf("%*c%ld => ", level + 1, ' ', hash_key->h);
++	if (hash_key->nKeyLength == 0) { /* numeric key */
++		buffer_append_spaces(buf, level+1);
++		smart_str_append_long(buf, hash_key->h);
++		smart_str_appendl(buf, " => ", 4);
+ 	} else { /* string key */
+ 		char *key, *tmp_str;
+ 		int key_len, tmp_len;
+ 		key = php_addcslashes(hash_key->arKey, hash_key->nKeyLength - 1, &key_len, 0, "'\\", 2 TSRMLS_CC);
+ 		tmp_str = php_str_to_str_ex(key, key_len, "\0", 1, "' . \"\\0\" . '", 12, &tmp_len, 0, NULL);
+-		php_printf("%*c'", level + 1, ' ');
+-		PHPWRITE(tmp_str, tmp_len);
+-		php_printf("' => ");
++		buffer_append_spaces(buf, level + 1);
++		smart_str_appendc(buf, '\'');
++		smart_str_appendl(buf, tmp_str, tmp_len);
++		smart_str_appendl(buf, "' => ", 5);
+ 		efree(key);
+ 		efree(tmp_str);
+ 	}
+-	php_var_export(zv, level + 2 TSRMLS_CC);
+-	PUTS (",\n");
++	php_var_export_ex(zv, level + 2, buf TSRMLS_CC);
++
++	smart_str_appendc(buf, ',');
++	smart_str_appendc(buf, '\n');
++
+ 	return 0;
+ }
+ 
+ static int php_object_element_export(zval **zv, int num_args, va_list args, zend_hash_key *hash_key)
+ {
+ 	int level;
++	smart_str *buf;
+ 	char *prop_name, *class_name;
+ 	TSRMLS_FETCH();
+ 
+ 	level = va_arg(args, int);
++	buf = va_arg(args, smart_str *);
+ 
++	buffer_append_spaces(buf, level + 2);
+ 	if (hash_key->nKeyLength != 0) {
+-		php_printf("%*c", level + 1, ' ');
+ 		zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength-1, &class_name, &prop_name);
+-		php_printf(" '%s' => ", prop_name);
+-		php_var_export(zv, level + 2 TSRMLS_CC);
+-		PUTS (",\n");
+-	}
++		smart_str_appendc(buf, '\'');
++		smart_str_appends(buf, prop_name);
++		smart_str_appendc(buf, '\'');
++	} else {
++		smart_str_append_long(buf, hash_key->h);
++ 	}
++	smart_str_appendl(buf, " => ", 4);
++	php_var_export_ex(zv, level + 2, buf TSRMLS_CC);
++	smart_str_appendc(buf, ',');
++	smart_str_appendc(buf, '\n');
+ 	return 0;
+ }
+ 
+@@ -398,60 +422,78 @@ PHPAPI void php_var_export(zval **struc,
+ 
+ 	switch (Z_TYPE_PP(struc)) {
+ 	case IS_BOOL:
+-		php_printf("%s", Z_LVAL_PP(struc) ? "true" : "false");
++		if (Z_LVAL_PP(struc)) {
++			smart_str_appendl(buf, "true", 4);
++		} else {
++			smart_str_appendl(buf, "false", 5);
++		}
+ 		break;
+ 	case IS_NULL:
+-		php_printf("NULL");
++		smart_str_appendl(buf, "NULL", 4);
+ 		break;
+ 	case IS_LONG:
+-		php_printf("%ld", Z_LVAL_PP(struc));
++		smart_str_append_long(buf, Z_LVAL_PP(struc));
+ 		break;
+ 	case IS_DOUBLE:
+-		php_printf("%.*H", (int) EG(precision), Z_DVAL_PP(struc));
++		tmp_len = spprintf(&tmp_str, 0,"%.*H", (int) EG(precision), Z_DVAL_PP(struc));
++		smart_str_appendl(buf, tmp_str, tmp_len);
++		efree(tmp_str);
+ 		break;
+ 	case IS_STRING:
+ 		tmp_str = php_addcslashes(Z_STRVAL_PP(struc), Z_STRLEN_PP(struc), &tmp_len, 0, "'\\", 2 TSRMLS_CC);
+ 		tmp_str2 = php_str_to_str_ex(tmp_str, tmp_len, "\0", 1, "' . \"\\0\" . '", 12, &tmp_len2, 0, NULL);
+-		PUTS ("'");
+-		PHPWRITE(tmp_str2, tmp_len2);
+-		PUTS ("'");
++		smart_str_appendc(buf, '\'');
++		smart_str_appendl(buf, tmp_str2, tmp_len2);
++		smart_str_appendc(buf, '\'');
+ 		efree(tmp_str2);
+ 		efree(tmp_str);
+ 		break;
+ 	case IS_ARRAY:
+ 		myht = Z_ARRVAL_PP(struc);
+ 		if (level > 1) {
+-			php_printf("\n%*c", level - 1, ' ');
++			smart_str_appendc(buf, '\n');
++			buffer_append_spaces(buf, level - 1);
+ 		}
+-		PUTS ("array (\n");
+-		zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_array_element_export, 1, level, (Z_TYPE_PP(struc) == IS_ARRAY ? 0 : 1));
++		smart_str_appendl(buf, "array (\n", 8);
++		zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_array_element_export, 2, level, buf);
+ 		if (level > 1) {
+-			php_printf("%*c", level - 1, ' ');
++			buffer_append_spaces(buf, level - 1);
+ 		}
+-		PUTS(")");
++		smart_str_appendc(buf, ')');
+ 		break;
+ 	case IS_OBJECT:
+ 		myht = Z_OBJPROP_PP(struc);
+ 		if (level > 1) {
+-			php_printf("\n%*c", level - 1, ' ');
++			smart_str_appendc(buf, '\n');
++			buffer_append_spaces(buf, level - 1);
+ 		}
+ 		Z_OBJ_HANDLER(**struc, get_class_name)(*struc, &class_name, &class_name_len, 0 TSRMLS_CC);
+-		php_printf ("%s::__set_state(array(\n", class_name);
++		smart_str_appendl(buf, class_name, class_name_len);
++		smart_str_appendl(buf, "::__set_state(array(\n", 21);
+ 		efree(class_name);
+ 		if (myht) {
+-			zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_object_element_export, 1, level);
++			zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_object_element_export, 2, level, buf);
+ 		}
+ 		if (level > 1) {
+-			php_printf("%*c", level - 1, ' ');
++			buffer_append_spaces(buf, level - 1);
+ 		}
+-		php_printf ("))");
++		smart_str_appendl(buf, "))", 2);
+ 		break;
+ 	default:
+-		PUTS ("NULL");
++		smart_str_appendl(buf, "NULL", 4);
+ 		break;
+ 	}
+ }
+ 
++/* FOR BC reasons, this will always perform and then print */
++PHPAPI void php_var_export(zval **struc, int level TSRMLS_DC) /* {{{ */
++{
++	smart_str buf = {0};
++	php_var_export_ex(struc, level, &buf TSRMLS_CC);
++	smart_str_0 (&buf);
++	PHPWRITE(buf.c, buf.len);
++	smart_str_free(&buf);
++}
+ /* }}} */
+ 
+ /* {{{ proto mixed var_export(mixed var [, bool return])
+@@ -460,21 +502,21 @@ PHP_FUNCTION(var_export)
+ {
+ 	zval *var;
+ 	zend_bool return_output = 0;
+-	
++	smart_str buf = {0};
++
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|b", &var, &return_output) == FAILURE) {
+ 		return;
+ 	}
+-	
+-	if (return_output) {
+-		php_start_ob_buffer (NULL, 0, 1 TSRMLS_CC);
+-	}
+-	
+-	php_var_export(&var, 1 TSRMLS_CC);
++
++	php_var_export_ex(&var, 1, &buf TSRMLS_CC);
++	smart_str_0 (&buf);
+ 
+ 	if (return_output) {
+-		php_ob_get_buffer (return_value TSRMLS_CC);
+-		php_end_ob_buffer (0, 0 TSRMLS_CC);
++		RETVAL_STRINGL(buf.c, buf.len, 1);
++	} else {
++		PHPWRITE(buf.c, buf.len);
+ 	}
++	smart_str_free(&buf);
+ }
+ /* }}} */
+ 
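Review bot: Neither var.c hunk changes the definition line of `php_var_export` (the second hunk header still reads `PHPAPI void php_var_export(zval **struc,` and its first context line is the blank line after the locals), yet the rewritten switch body now writes through `buf`, and the new wrapper `PHPAPI void php_var_export(zval **struc, int level TSRMLS_DC)` added at the end of that hunk would then be a second definition of the same symbol; unless the definition is renamed elsewhere, var.c will not build, and that line needs to become `PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC) /* {{{ */`. The prototype added to php_var.h uses `smart_str *`, but no `#include "ext/standard/php_smart_str.h"` is added with it; confirm the header already includes it, otherwise every file including php_var.h breaks. The `buffer_append_spaces` macro ends with `} while(0);` — the trailing semicolon turns `if (...) buffer_append_spaces(...); else ...` into a syntax error, so drop it and close with `} while (0)`.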
diff --git a/debian/patches/php-5.2-CVE-2010-3709.patch b/debian/patches/php-5.2-CVE-2010-3709.patch
new file mode 100644
index 0000000..ba3e229
--- /dev/null
+++ b/debian/patches/php-5.2-CVE-2010-3709.patch
@@ -0,0 +1,12 @@
+--- a/ext/zip/php_zip.c
++++ b/ext/zip/php_zip.c
+@@ -1776,6 +1776,9 @@ static ZIPARCHIVE_METHOD(getCommentIndex
+ 
+ 	PHP_ZIP_STAT_INDEX(intern, index, 0, sb);
+ 	comment = zip_get_file_comment(intern, index, &comment_len, (int)flags);
++	if(comment==NULL) {
++		RETURN_FALSE;
++	}
+ 	RETURN_STRINGL((char *)comment, (long)comment_len, 1);
+ }
+ /* }}} */
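Review bot: The new NULL check silently maps both "entry has no comment" and "lookup failed" to false; that is reasonable for this method, but the reason deserves a one-line comment so nobody later tries to distinguish the cases here, e.g. `/* NULL: no comment or lookup failure; return false rather than dereference */`. The spacing `if(comment==NULL)` (and `if(!path_cleaned)` in the CWE-170 patch) does not match the `if (x == y)` form used by the visible context lines of these patches; `if (comment == NULL) {` keeps the file consistent. The enclosing getCommentIndex method starts before the hunk.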
diff --git a/debian/patches/php-5.2-CVE-2010-3710.patch b/debian/patches/php-5.2-CVE-2010-3710.patch
new file mode 100644
index 0000000..3cb4ee4
--- /dev/null
+++ b/debian/patches/php-5.2-CVE-2010-3710.patch
@@ -0,0 +1,35 @@
+--- /dev/null
++++ b/ext/filter/tests/bug52929.phpt
+@@ -0,0 +1,18 @@
++--TEST--
++Bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data)
++--SKIPIF--
++<?php if (!extension_loaded("filter")) die("skip"); ?>
++--FILE--
++<?php
++var_dump(filter_var('valid at email.address', FILTER_VALIDATE_EMAIL));
++
++// Beyond the allowable limit for an e-mail address.
++var_dump(filter_var('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx at yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.zz', FILTER_VALIDATE_EMAIL));
++
++// An invalid address likely to crash PHP due to stack exhaustion if it goes to
++// the validation regex.
++var_dump(filter_var(str_repeat('x', 8000), FILTER_VALIDATE_EMAIL));
++--EXPECT--	
++string(19) "valid at email.address"
++bool(false)
++bool(false)
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -478,6 +478,11 @@ void php_filter_validate_email(PHP_INPUT
+ 	int         matches;
+ 
+ 
++	/* The maximum length of an e-mail address is 320 octets, per RFC 2821. */
++	if (Z_STRLEN_P(value) > 320) {
++		RETURN_VALIDATION_FAILED
++	}
++
+ 	re = pcre_get_compiled_regex((char *)regexp, &pcre_extra, &preg_options TSRMLS_CC);
+ 	if (!re) {
+ 		RETURN_VALIDATION_FAILED
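Review bot: The length guard in logical_filters.c hard-codes `320` with the RFC reference only in a comment; a named constant such as `#define PHP_FILTER_EMAIL_MAX_LEN 320` and `if (Z_STRLEN_P(value) > PHP_FILTER_EMAIL_MAX_LEN) {` makes the limit discoverable and keeps the comment and the check together. The guard is correctly placed before pcre_get_compiled_regex(), so the oversized input never reaches the regex. In the new .phpt the addresses read `valid at email.address`, which looks like the mailing-list archive's obfuscation of `@` (the expected `string(19)` only fits `valid@email.address`); verify the committed file carries the real `@` or the test cannot pass. The enclosing php_filter_validate_email() starts before the hunk.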
diff --git a/debian/patches/php-5.2-CVE-2010-3870.patch b/debian/patches/php-5.2-CVE-2010-3870.patch
new file mode 100644
index 0000000..d420f55
--- /dev/null
+++ b/debian/patches/php-5.2-CVE-2010-3870.patch
@@ -0,0 +1,187 @@
+--- a/ext/xml/xml.c
++++ b/ext/xml/xml.c
+@@ -554,10 +554,111 @@ PHPAPI char *xml_utf8_encode(const char 
+ }
+ /* }}} */
+ 
++/* copied from trunk's implementation of get_next_char in a/ext/standard/html.c */
++#define MB_FAILURE(pos, advance) do { \
++	*cursor = pos + (advance); \
++	*status = FAILURE; \
++	return 0; \
++} while (0)
++
++#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
++#define utf8_lead(c)  ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4))
++#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
++
++/* {{{ php_next_utf8_char
++ */
++static inline unsigned int php_next_utf8_char(
++		const unsigned char *str,
++		size_t str_len,
++		size_t *cursor,
++		int *status)
++{
++	size_t pos = *cursor;
++	unsigned int this_char = 0;
++	unsigned char c;
++
++	*status = SUCCESS;
++
++	if (!CHECK_LEN(pos, 1))
++		MB_FAILURE(pos, 1);
++
++	/* We'll follow strategy 2. from section 3.6.1 of UTR #36:
++		* "In a reported illegal byte sequence, do not include any
++		*  non-initial byte that encodes a valid character or is a leading
++		*  byte for a valid sequence. */
++	c = str[pos];
++	if (c < 0x80) {
++		this_char = c;
++		pos++;
++	} else if (c < 0xc2) {
++		MB_FAILURE(pos, 1);
++	} else if (c < 0xe0) {
++		if (!CHECK_LEN(pos, 2))
++			MB_FAILURE(pos, 1);
++
++		if (!utf8_trail(str[pos + 1])) {
++			MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
++		}
++		this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
++		if (this_char < 0x80) { /* non-shortest form */
++			MB_FAILURE(pos, 2);
++		}
++		pos += 2;
++	} else if (c < 0xf0) {
++		size_t avail = str_len - pos;
++
++		if (avail < 3 ||
++				!utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) {
++			if (avail < 2 || utf8_lead(str[pos + 1]))
++				MB_FAILURE(pos, 1);
++			else if (avail < 3 || utf8_lead(str[pos + 2]))
++				MB_FAILURE(pos, 2);
++			else
++				MB_FAILURE(pos, 3);
++		}
++
++		this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
++		if (this_char < 0x800) { /* non-shortest form */
++			MB_FAILURE(pos, 3);
++		} else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
++			MB_FAILURE(pos, 3);
++		}
++		pos += 3;
++	} else if (c < 0xf5) {
++		size_t avail = str_len - pos;
++
++		if (avail < 4 ||
++				!utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) ||
++				!utf8_trail(str[pos + 3])) {
++			if (avail < 2 || utf8_lead(str[pos + 1]))
++				MB_FAILURE(pos, 1);
++			else if (avail < 3 || utf8_lead(str[pos + 2]))
++				MB_FAILURE(pos, 2);
++			else if (avail < 4 || utf8_lead(str[pos + 3]))
++				MB_FAILURE(pos, 3);
++			else
++				MB_FAILURE(pos, 4);
++		}
++
++		this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
++		if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
++			MB_FAILURE(pos, 4);
++		}
++		pos += 4;
++	} else {
++		MB_FAILURE(pos, 1);
++	}
++
++	*cursor = pos;
++	return this_char;
++}
++/* }}} */
++
++
+ /* {{{ xml_utf8_decode */
+ PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding)
+ {
+-	int pos = len;
++	size_t pos = 0;
+ 	char *newbuf = emalloc(len + 1);
+ 	unsigned short c;
+ 	char (*decoder)(unsigned short) = NULL;
+@@ -576,36 +677,15 @@ PHPAPI char *xml_utf8_decode(const XML_C
+ 		newbuf[*newlen] = '\0';
+ 		return newbuf;
+ 	}
+-	while (pos > 0) {
+-		c = (unsigned char)(*s);
+-		if (c >= 0xf0) { /* four bytes encoded, 21 bits */
+-			if(pos-4 >= 0) {
+-				c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
+-			} else {
+-				c = '?';	
+-			}
+-			s += 4;
+-			pos -= 4;
+-		} else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
+-			if(pos-3 >= 0) {
+-				c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
+-			} else {
+-				c = '?';
+-			}
+-			s += 3;
+-			pos -= 3;
+-		} else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
+-			if(pos-2 >= 0) {
+-				c = ((s[0]&63)<<6) | (s[1]&63);
+-			} else {
+-				c = '?';
+-			}
+-			s += 2;
+-			pos -= 2;
+-		} else {
+-			s++;
+-			pos--;
++
++	while (pos < (size_t)len) {
++		int status = FAILURE;
++		c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status);
++
++		if (status == FAILURE || c > 0xFFU) {
++			c = '?';
+ 		}
++
+ 		newbuf[*newlen] = decoder ? decoder(c) : c;
+ 		++*newlen;
+ 	}
+--- /dev/null
++++ b/ext/xml/tests/bug49687.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++Bug #49687 Several utf8_decode deficiencies and vulnerabilities
++--SKIPIF--
++<?php
++require_once("skipif.inc");
++if (!extension_loaded('xml')) die ("skip xml extension not available");
++?>
++--FILE--
++<?php
++
++$tests = array(
++    "\x41\xC2\x3E\x42",
++    "\xE3\x80\x22",
++    "\x41\x98\xBA\x42\xE2\x98\x43\xE2\x98\xBA\xE2\x98",
++);
++foreach ($tests as $t) {
++    echo bin2hex(utf8_decode($t)), "\n";
++}
++echo "Done.\n";
++--EXPECT--
++413f3e42
++3f22
++413f3f423f433f3f
++Done.
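Review bot: In xml_utf8_decode the context line `unsigned short c;` is kept, but php_next_utf8_char() now returns an `unsigned int` up to 0x10FFFF; the assignment at `c = php_next_utf8_char(...)` truncates to 16 bits before the `c > 0xFFU` test runs, so a valid four-byte sequence whose code point has low 16 bits below 0x100 (e.g. U+10041) is emitted as that low byte instead of `?`, and any code point in 0x10000–0x10FFFF with low bits above 0xFF only reaches the `?` path by luck. Declare `unsigned int c;` so the range check sees the full value before it is narrowed into newbuf. The four helper macros (`MB_FAILURE`, `CHECK_LEN`, `utf8_lead`, `utf8_trail`) stay defined for the rest of xml.c; consider `#undef`-ing them after php_next_utf8_char, or prefixing them, to avoid collisions with later includes. The `xml_utf8_decode` body continues outside the hunk.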
diff --git a/debian/patches/php-5.2-CVE-2010-4150.patch b/debian/patches/php-5.2-CVE-2010-4150.patch
new file mode 100644
index 0000000..0330c79
--- /dev/null
+++ b/debian/patches/php-5.2-CVE-2010-4150.patch
@@ -0,0 +1,15 @@
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -774,10 +774,12 @@ static void php_imap_do_open(INTERNAL_FU
+ 
+ 	if (IMAPG(imap_user)) { 
+ 		efree(IMAPG(imap_user));
++		IMAPG(imap_user) = 0;
+ 	}
+ 
+ 	if (IMAPG(imap_password)) { 
+ 		efree(IMAPG(imap_password));
++		IMAPG(imap_password) = 0;
+ 	}
+ 
+ 	/* local filename, need to perform open_basedir and safe_mode checks */
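Review bot: The two reset lines clear pointer globals with the integer literal `0`; the file's pointer convention elsewhere presumably is `NULL`, and writing `IMAPG(imap_user) = NULL;` and `IMAPG(imap_password) = NULL;` states the intent (invalidate a freed pointer) more clearly than an assignment that reads like a counter reset. A brief comment on the first of them, such as `/* freed above; reset so a later open cannot efree() it again */`, would also record why these lines exist. The enclosing php_imap_do_open() starts before the hunk.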
diff --git a/debian/patches/php-5.2-CWE-170.patch b/debian/patches/php-5.2-CWE-170.patch
new file mode 100644
index 0000000..4bc59ce
--- /dev/null
+++ b/debian/patches/php-5.2-CWE-170.patch
@@ -0,0 +1,12 @@
+--- a/ext/zip/php_zip.c
++++ b/ext/zip/php_zip.c
+@@ -343,6 +343,9 @@ static int php_zip_extract_file(struct z
+ 		return 0;
+ 	}
+ 	path_cleaned =  php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
++	if(!path_cleaned) {
++		return 0;
++	}
+ 	path_cleaned_len = strlen(path_cleaned);
+ 
+ 	if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
diff --git a/debian/patches/series b/debian/patches/series
index 09d9c9b..b581d99 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -70,3 +70,10 @@ CVE-2010-0397.patch
 CVE-2010-1917.patch
 CVE-2010-2225.patch
 MOPS-60.patch
+php-5.2-CVE-2010-1128.patch
+php-5.2-CVE-2010-2531.patch
+php-5.2-CVE-2010-3709.patch
+php-5.2-CVE-2010-3710.patch
+php-5.2-CVE-2010-3870.patch
+php-5.2-CVE-2010-4150.patch
+php-5.2-CWE-170.patch
-- 
1.7.1



