/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-1398.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2011-1398.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Mon Dec 16 10:46:46 2013 UTC (10 years, 11 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-14_el5_sme, php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Mon Dec 16 2013 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-14.sme
- Resync with upstream php53, which include:
- add security fix for CVE-2013-6420
- add security fix for CVE-2013-4248
- add upstream reproducer for error_handler (#951075)
- add security fixes for CVE-2006-7243
- add security fixes for CVE-2012-2688, CVE-2012-0831,
  CVE-2011-1398, CVE-2013-1643
- fix segfault in error_handler with
  allow_call_time_pass_reference = Off (#951075)
- fix double free when destroy_zend_class fails (#951076)
- fix possible buffer overflow in pdo_odbc (#869694)
- php script hangs when it exceeds max_execution_time
  when inside an ODBC call (#864954)
- fix zend garbage collector (#892695)
- fix transposed memset arguments in libzip (#953818)
- fix possible segfault in pdo_mysql (#869693)
- fix imap_open DISABLE_AUTHENTICATOR param ignores array (#859369)
- fix stream support in fileinfo (#869697)
- fix setDate when DateTime created from timestamp (#869691)
- fix permission on source files (#869688)
- add php(language) and missing provides (#837044)
-
- fix copy doesn't report failure on partial copy (#951413)

1
2 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1398
3 https://bugs.php.net/bug.php?id=60227
4
5 http://git.php.net/?p=php-src.git;a=commitdiff;h=61088ce7296f2a3b4b53e60bdf413455b870664d
6 http://git.php.net/?p=php-src.git;a=commitdiff;h=8e82bda330264d290a5e55580eea2eb875d4cb69
7 http://git.php.net/?p=php-src.git;a=commitdiff;h=ca58cd01fc329f907a13b82370427715d9c5bf70
8
9 diff -up php-5.3.3/main/SAPI.c.cve1398 php-5.3.3/main/SAPI.c
10 --- php-5.3.3/main/SAPI.c.cve1398 2012-10-16 14:30:26.758985400 +0200
11 +++ php-5.3.3/main/SAPI.c 2012-10-16 14:34:03.096505458 +0200
12 @@ -587,16 +587,26 @@ SAPI_API int sapi_header_op(sapi_header_
13 return FAILURE;
14 }
15 } else {
16 - /* new line safety check */
17 - char *s = header_line, *e = header_line + header_line_len, *p;
18 - while (s < e && (p = memchr(s, '\n', (e - s)))) {
19 - if (*(p + 1) == ' ' || *(p + 1) == '\t') {
20 - s = p + 1;
21 - continue;
22 + /* new line/NUL character safety check */
23 + int i;
24 + for (i = 0; i < header_line_len; i++) {
25 + /* RFC 2616 allows new lines if followed by SP or HT */
26 + int illegal_break =
27 + (header_line[i+1] != ' ' && header_line[i+1] != '\t')
28 + && (
29 + header_line[i] == '\n'
30 + || (header_line[i] == '\r' && header_line[i+1] != '\n'));
31 + if (illegal_break) {
32 + efree(header_line);
33 + sapi_module.sapi_error(E_WARNING, "Header may not contain "
34 + "more than a single header, new line detected");
35 + return FAILURE;
36 + }
37 + if (header_line[i] == '\0') {
38 + efree(header_line);
39 + sapi_module.sapi_error(E_WARNING, "Header may not contain NUL bytes");
40 + return FAILURE;
41 }
42 - efree(header_line);
43 - sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
44 - return FAILURE;
45 }
46 }
47

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed