rpms/php/FC-6 php-5.1.6-CVE-2007-2756.patch, NONE, 1.1 php-5.1.6-CVE-2007-2872.patch, NONE, 1.1 php-5.1.6-CVE-2007-3799.patch, NONE, 1.1 php-5.1.6-CVE-2007-3996.patch, NONE, 1.1 php-5.1.6-CVE-2007-3998.patch, NONE, 1.1 php-5.1.6-CVE-2007-4658.patch, NONE, 1.1 php-5.1.6-CVE-2007-4670.patch, NONE, 1.1 php.spec, 1.127, 1.128
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Sep 18 12:59:02 UTC 2007
Author: jorton
Update of /cvs/dist/rpms/php/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv10748
Modified Files:
php.spec
Added Files:
php-5.1.6-CVE-2007-2756.patch php-5.1.6-CVE-2007-2872.patch
php-5.1.6-CVE-2007-3799.patch php-5.1.6-CVE-2007-3996.patch
php-5.1.6-CVE-2007-3998.patch php-5.1.6-CVE-2007-4658.patch
php-5.1.6-CVE-2007-4670.patch
Log Message:
* Tue Sep 18 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.7.fc6
- add security fixes for CVE-2007-2756, CVE-2007-2872,
CVE-2007-3799, CVE-2007-3996, CVE-2007-3998, CVE-2007-4658,
CVE-2007-4670
- fix mime_content_type (Kir Kolyshkin, #177926)
php-5.1.6-CVE-2007-2756.patch:
gd_png.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletion(-)
--- NEW FILE php-5.1.6-CVE-2007-2756.patch ---
--- php-5.1.6/ext/gd/libgd/gd_png.c.cve2756
+++ php-5.1.6/ext/gd/libgd/gd_png.c
@@ -71,7 +71,11 @@ static void gdPngErrorHandler (png_struc
static void gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
{
- gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+ int check;
+ check = gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+ if (check != length) {
+ png_error(png_ptr, "Read Error: truncated data");
+ }
}
static void gdPngWriteData (png_structp png_ptr, png_bytep data, png_size_t length)
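Review bot: The new `if (check != length)` at L40 compares an `int` against a `png_size_t`, so the test is evaluated in unsigned arithmetic; a negative return from gdGetBuf would still fail the comparison, but the intent is clearer and -Wsign-compare stays quiet with `if (check < 0 || (png_size_t)check != length) {`. What gdGetBuf returns on a short versus a failed read is not visible here, so which of the two this guard actually distinguishes is worth confirming against its definition. gdPngReadData is complete within the hunk.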
php-5.1.6-CVE-2007-2872.patch:
string.c | 16 +++++++++++++++-
1 files changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE php-5.1.6-CVE-2007-2872.patch ---
--- php-5.1.6/ext/standard/string.c.cve2872
+++ php-5.1.6/ext/standard/string.c
@@ -1856,11 +1856,25 @@ static char *php_chunk_split(char *src,
char *p, *q;
int chunks; /* complete chunks! */
int restlen;
+ int out_len;
chunks = srclen / chunklen;
restlen = srclen - chunks * chunklen; /* srclen % chunklen */
- dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
+ if(chunks > INT_MAX - 1) {
+ return NULL;
+ }
+ out_len = chunks + 1;
+ if(endlen !=0 && out_len > INT_MAX/endlen) {
+ return NULL;
+ }
+ out_len *= endlen;
+ if(out_len > INT_MAX - srclen - 1) {
+ return NULL;
+ }
+ out_len += srclen + 1;
+
+ dest = safe_emalloc((int)out_len, sizeof(char), 0);
for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
memcpy(q, p, chunklen);
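Review bot: The overflow guards at L59–L69 make php_chunk_split return NULL on a path that previously always allocated, and the caller that consumes the result is outside this hunk and, per the diffstat, untouched by the patch, so whether it handles a NULL result before using `dest` needs confirming. The `(int)out_len` cast at L72 is a no-op since `out_len` is already declared `int`; `dest = safe_emalloc(out_len, sizeof(char), 0);` reads more honestly. The `if(` spacing in the new lines also differs from the `if (` style of the surrounding code. php_chunk_split starts and ends outside the hunk.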
php-5.1.6-CVE-2007-3799.patch:
session.c | 18 +++++++++++++++---
1 files changed, 15 insertions(+), 3 deletions(-)
--- NEW FILE php-5.1.6-CVE-2007-3799.patch ---
--- php-5.1.6/ext/session/session.c.cve3799
+++ php-5.1.6/ext/session/session.c
@@ -46,6 +46,7 @@
#include "ext/standard/php_rand.h" /* for RAND_MAX */
#include "ext/standard/info.h"
#include "ext/standard/php_smart_str.h"
+#include "ext/standard/url.h"
#include "mod_files.h"
#include "mod_user.h"
@@ -1028,6 +1029,7 @@ static void php_session_send_cookie(TSRM
{
smart_str ncookie = {0};
char *date_fmt = NULL;
+ char *e_session_name, *e_id;
if (SG(headers_sent)) {
char *output_start_filename = php_get_output_start_filename(TSRMLS_C);
@@ -1041,11 +1043,18 @@ static void php_session_send_cookie(TSRM
}
return;
}
+
+ /* URL encode session_name and id because they might be user supplied */
+ e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)), NULL);
+ e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
smart_str_appends(&ncookie, COOKIE_SET_COOKIE);
- smart_str_appends(&ncookie, PS(session_name));
+ smart_str_appends(&ncookie, e_session_name);
smart_str_appendc(&ncookie, '=');
- smart_str_appends(&ncookie, PS(id));
+ smart_str_appends(&ncookie, e_id);
+
+ efree(e_session_name);
+ efree(e_id);
if (PS(cookie_lifetime) > 0) {
struct timeval tv;
@@ -1230,8 +1239,11 @@ PHPAPI void php_session_start(TSRMLS_D)
char *q;
p += lensess + 1;
- if ((q = strpbrk(p, "/?\\")))
+ if ((q = strpbrk(p, "/?\\"))) {
PS(id) = estrndup(p, q - p);
+ PS(send_cookie) = 0;
+ }
+
}
/* check whether the current request was referred to by
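Review bot: The new `PS(send_cookie) = 0;` in the last hunk (L118–L121) carries no explanation of why an id parsed out of the request path should suppress the Set-Cookie header, which is the security-relevant decision in this hunk; a one-line comment such as `/* id came from the request URI: do not echo it back in a cookie */` would keep the next maintainer from simplifying it away. The added empty `+` line at L122 just before the closing brace is stray whitespace. In the cookie hunk (L95–L113) the encoded copies are freed immediately after being appended, which is correct. php_session_start and php_session_send_cookie both start and end outside their hunks.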
php-5.1.6-CVE-2007-3996.patch:
gd.c | 8 ++++++++
libgd/gd.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
libgd/gd_gd.c | 2 +-
3 files changed, 61 insertions(+), 1 deletion(-)
--- NEW FILE php-5.1.6-CVE-2007-3996.patch ---
--- php-5.1.6/ext/gd/libgd/gd.c.cve3996
+++ php-5.1.6/ext/gd/libgd/gd.c
@@ -116,10 +116,34 @@ void php_gd_error(const char *format, ..
va_end(args);
}
+static int overflow2(int a, int b)
+{
+ if(a < 0 || b < 0) {
+ php_gd_error("gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+ return 1;
+ }
+ if(b == 0)
+ return 0;
+ if(a > INT_MAX / b) {
+ php_gd_error("gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+ return 1;
+ }
+ return 0;
+}
+
gdImagePtr gdImageCreate (int sx, int sy)
{
int i;
gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(unsigned char *), sy)) {
+ return NULL;
+ }
+
im = (gdImage *) gdMalloc(sizeof(gdImage));
memset(im, 0, sizeof(gdImage));
/* Row-major ever since gd 1.3 */
@@ -162,6 +186,19 @@ gdImagePtr gdImageCreateTrueColor (int s
{
int i;
gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(unsigned char *), sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(int), sx)) {
+ return NULL;
+ }
+
im = (gdImage *) gdMalloc(sizeof(gdImage));
memset(im, 0, sizeof(gdImage));
im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
@@ -2340,6 +2377,14 @@ void gdImageCopyResized (gdImagePtr dst,
int *stx, *sty;
/* We only need to use floating point to determine the correct stretch vector for one line's worth. */
double accum;
+
+ if (overflow2(sizeof(int), srcW)) {
+ return;
+ }
+ if (overflow2(sizeof(int), srcH)) {
+ return;
+ }
+
stx = (int *) gdMalloc (sizeof (int) * srcW);
sty = (int *) gdMalloc (sizeof (int) * srcH);
accum = 0;
@@ -3119,6 +3164,10 @@ void gdImageFilledPolygon (gdImagePtr im
return;
}
+ if (overflow2(sizeof(int), n)) {
+ return;
+ }
+
if (c == gdAntiAliased) {
fill_color = im->AA_color;
} else {
@@ -3133,6 +3182,9 @@ void gdImageFilledPolygon (gdImagePtr im
while (im->polyAllocated < n) {
im->polyAllocated *= 2;
}
+ if (overflow2(sizeof(int), im->polyAllocated)) {
+ return;
+ }
im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);
}
miny = p[0].y;
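Review bot: gdImageCreate and gdImageCreateTrueColor now return NULL from the new overflow2 guards (L156–L162, L172–L182), but within this patch only _gdCreateFromFile and the two PHP_FUNCTION wrappers learn to check for it; any other libgd caller that dereferences the result of these constructors is outside the patch and, if left unchecked, turns a rejected size into a NULL dereference, so an audit of those call sites is warranted. In overflow2 itself (L136–L149) the `sizeof(...)` arguments are silently narrowed to `int` at each call site, which is fine for the values used, but `static int overflow2(int a, int b)` deserves a header comment stating the contract: returns 1 (and warns) when either factor is negative or `a * b` cannot be represented in an `int`, 0 otherwise. The unbraced `if(b == 0) return 0;` at L142–L143 is inconsistent with the braced style of the rest of the helper. gdImageCopyResized and gdImageFilledPolygon start and end outside their hunks.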
--- php-5.1.6/ext/gd/libgd/gd_gd.c.cve3996
+++ php-5.1.6/ext/gd/libgd/gd_gd.c
@@ -122,7 +122,7 @@ static gdImagePtr _gdCreateFromFile (gdI
} else {
im = gdImageCreate(*sx, *sy);
}
- if (!_gdGetColors(in, im, gd2xFlag)) {
+ if (im && !_gdGetColors(in, im, gd2xFlag)) {
goto fail2;
}
--- php-5.1.6/ext/gd/gd.c.cve3996
+++ php-5.1.6/ext/gd/gd.c
@@ -883,6 +883,10 @@ PHP_FUNCTION(imagecreatetruecolor)
im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
+ if (!im) {
+ RETURN_FALSE;
+ }
+
ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
}
/* }}} */
@@ -1342,6 +1346,10 @@ PHP_FUNCTION(imagecreate)
im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
+ if (!im) {
+ RETURN_FALSE;
+ }
+
ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
}
/* }}} */
php-5.1.6-CVE-2007-3998.patch:
string.c | 5 +++++
1 files changed, 5 insertions(+)
--- NEW FILE php-5.1.6-CVE-2007-3998.patch ---
--- php-5.1.6/ext/standard/string.c.cve3998
+++ php-5.1.6/ext/standard/string.c
@@ -646,6 +646,11 @@ PHP_FUNCTION(wordwrap)
RETURN_EMPTY_STRING();
}
+ if (breakcharlen == 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Break string cannot be empty");
+ RETURN_FALSE;
+ }
+
if (linelength == 0 && docut) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't force cut when width is zero.");
RETURN_FALSE;
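Review bot: The new `breakcharlen == 0` check (L261–L264) sits after the early return at L259–L260, so whatever condition guards that `RETURN_EMPTY_STRING()` (its `if` is above the hunk, presumably the empty-input case) bypasses the new argument validation and yields an empty string instead of the warning plus `false`. If that is intended, a comment on the new block saying that argument checks apply only to non-empty input would make it explicit; otherwise the check belongs before the early return. PHP_FUNCTION(wordwrap) starts and ends outside the hunk.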
php-5.1.6-CVE-2007-4658.patch:
string.c | 17 ++++++++++++++++-
1 files changed, 16 insertions(+), 1 deletion(-)
--- NEW FILE php-5.1.6-CVE-2007-4658.patch ---
--- php-5.1.6/ext/standard/string.c.cve4658
+++ php-5.1.6/ext/standard/string.c
@@ -4804,13 +4804,28 @@ PHP_FUNCTION(str_word_count)
PHP_FUNCTION(money_format)
{
int format_len = 0, str_len;
- char *format, *str;
+ char *format, *str, *p, *e;
double value;
+ zend_bool check = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd", &format, &format_len, &value) == FAILURE) {
return;
}
+ p = format;
+ e = p + format_len;
+ while ((p = memchr(p, '%', (e - p)))) {
+ if (*(p + 1) == '%') {
+ p += 2;
+ } else if (!check) {
+ check = 1;
+ p++;
+ } else {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a single %%i or %%n token can be used");
+ RETURN_FALSE;
+ }
+ }
+
str_len = format_len + 1024;
str = emalloc(str_len);
if ((str_len = strfmon(str, str_len, format, value)) < 0) {
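Review bot: The scan at L288–L298 reads `*(p + 1)` when `p` points at the last byte of `format`, i.e. it reads the byte at `e`, one past `format_len`; that is only safe because the engine NUL-terminates the string, and nothing in the loop says so. Either guard it, `if (p + 1 < e && *(p + 1) == '%') {`, or add a comment stating that the read of `format[format_len]` relies on the terminator. The loop rejects any second conversion specifier, not only `%i`/`%n`, so the warning text at L295 is narrower than the behaviour it reports. money_format continues past the end of the hunk.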
php-5.1.6-CVE-2007-4670.patch:
php_variables.c | 23 ++++++++++++++++++-----
1 files changed, 18 insertions(+), 5 deletions(-)
--- NEW FILE php-5.1.6-CVE-2007-4670.patch ---
--- php-5.1.6/main/php_variables.c.cve4670
+++ php-5.1.6/main/php_variables.c
@@ -125,10 +125,23 @@ PHPAPI void php_register_variable_ex(cha
int new_idx_len = 0;
if (++nest_level > PG(max_input_nesting_level)) {
- /* too many levels of nesting */
- php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level));
- }
+ HashTable *ht;
+ /* too many levels of nesting */
+
+ if (track_vars_array) {
+ ht = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ ht = EG(active_symbol_table);
+ }
+ zend_hash_del(ht, var, var_len + 1);
+ zval_dtor(val);
+
+ if (!PG(display_errors)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level));
+ }
+ return;
+ }
ip++;
index_s = ip;
if (isspace(*ip)) {
@@ -142,9 +155,9 @@ PHPAPI void php_register_variable_ex(cha
/* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */
*(index_s - 1) = '_';
- index_len = var_len = 0;
+ index_len = 0;
if (index) {
- index_len = var_len = strlen(index);
+ index_len = strlen(index);
}
goto plain_var;
return;
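Review bot: `HashTable *ht` at L315 is left uninitialized when neither `track_vars_array` nor `PG(register_globals)` is set, yet `zend_hash_del(ht, var, var_len + 1)` at L323 runs unconditionally, so that configuration dereferences an indeterminate pointer. Initialise it and skip the delete when there is no table to delete from: `HashTable *ht = NULL;` and `if (ht) { zend_hash_del(ht, var, var_len + 1); }`. The new early `return` at L329 also bypasses whatever cleanup the function's normal exit performs; the prologue and epilogue of php_register_variable_ex are outside the hunk, so check that nothing allocated there is leaked on this path. The `if (!PG(display_errors))` at L326 reads inverted at first glance; if the intent is to keep the message out of the response body, a comment saying so would help.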
Index: php.spec
===================================================================
RCS file: /cvs/dist/rpms/php/FC-6/php.spec,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -r1.127 -r1.128
--- php.spec 9 May 2007 15:39:46 -0000 1.127
+++ php.spec 18 Sep 2007 12:59:00 -0000 1.128
@@ -6,7 +6,7 @@
Summary: The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Name: php
Version: 5.1.6
-Release: 3.6%{?dist}
+Release: 3.7%{?dist}
License: The PHP License v3.01
Group: Development/Languages
URL: http://www.php.net/
@@ -55,6 +55,13 @@
Patch84: php-5.1.6-CVE-2007-1864.patch
Patch85: php-5.1.6-soapredir.patch
Patch86: php-5.1.6-ftpcrlf.patch
+Patch87: php-5.1.6-CVE-2007-2756.patch
+Patch88: php-5.1.6-CVE-2007-2872.patch
+Patch89: php-5.1.6-CVE-2007-3799.patch
+Patch90: php-5.1.6-CVE-2007-3996.patch
+Patch91: php-5.1.6-CVE-2007-3998.patch
+Patch92: php-5.1.6-CVE-2007-4658.patch
+Patch93: php-5.1.6-CVE-2007-4670.patch
BuildRoot: %{_tmppath}/%{name}-root
@@ -347,6 +354,13 @@
%patch84 -p1 -b .cve1864
%patch85 -p1 -b .soapredir
%patch86 -p1 -b .ftpcrlf
+%patch87 -p1 -b .cve2756
+%patch88 -p1 -b .cve2872
+%patch89 -p1 -b .cve3799
+%patch90 -p1 -b .cve3996
+%patch91 -p1 -b .cve3998
+%patch92 -p1 -b .cve4658
+%patch93 -p1 -b .cve4670
# Prevent %%doc confusion over LICENSE files
cp Zend/LICENSE Zend/ZEND_LICENSE
@@ -458,7 +472,7 @@
--enable-calendar \
--enable-dbx \
--enable-dio \
- --with-mime-magic=%{_datadir}/file/magic \
+ --with-mime-magic=%{_datadir}/file/magic.mime \
--without-sqlite \
--with-libxml-dir=%{_prefix} \
--with-xml \
@@ -671,6 +685,12 @@
%files pdo -f files.pdo
%changelog
+* Tue Sep 18 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.7.fc6
+- add security fixes for CVE-2007-2756, CVE-2007-2872,
+ CVE-2007-3799, CVE-2007-3996, CVE-2007-3998, CVE-2007-4658,
+ CVE-2007-4670
+- fix mime_content_type (Kir Kolyshkin, #177926)
+
* Wed May 9 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.6.fc6
- add security fixes for CVE-2007-1864, CVE-2007-2509, CVE-2007-2510 (#235016)
- add README.FastCGI to -cli subpackage (#236555)