php/sme8/php-5.3.3-CVE-2012-2336.patch


The first hunk of this patch is *mitigation* for use of bad wrappers
scripts which are vulnerable to CVE-2012-2335.

The second hunk of this patch fixes CVE-2012-2336:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2336

http://git.php.net/?p=php-src.git;a=commitdiff;h=7de4b75f74a817c3fead32710e04cd015bcc5360

--- php-5.3.3/sapi/cgi/cgi_main.c.cve2311
+++ php-5.3.3/sapi/cgi/cgi_main.c
@@ -1553,10 +1553,15 @@ int main(int argc, char *argv[])
                }
        }
 
-       if((query_string = getenv("QUERY_STRING")) != NULL) {
+       if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+               /* we've got query string that has no = - apache CGI will pass it to command line */
+               unsigned char *p;
                decoded_query_string = strdup(query_string);
                php_url_decode(decoded_query_string, strlen(decoded_query_string));
-               if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
+               for (p = decoded_query_string; *p &&  *p <= ' '; p++) {
+                       /* skip all leading spaces */
+               }
+               if(*p == '-') {
                        skip_getopt = 1;
                }
                free(decoded_query_string);
@@ -1811,7 +1816,7 @@ consult the installation file that came 
        }
 
        zend_first_try {
-               while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+               while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
                        switch (c) {
                                case 'T':
                                        benchmark = 1;
1	slords	1.2
2			The first hunk of this patch is mitigation for use of bad wrappers
3			scripts which are vulnerable to CVE-2012-2335.
4
5			The second hunk of this patch fixes CVE-2012-2336:
6
7			https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2336
8
9			http://git.php.net/?p=php-src.git;a=commitdiff;h=7de4b75f74a817c3fead32710e04cd015bcc5360
10
11			--- php-5.3.3/sapi/cgi/cgi_main.c.cve2311
12			+++ php-5.3.3/sapi/cgi/cgi_main.c
13			@@ -1553,10 +1553,15 @@ int main(int argc, char *argv[])
14			}
15			}
16
17			- if((query_string = getenv("QUERY_STRING")) != NULL) {
18			+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
19			+ /* we've got query string that has no = - apache CGI will pass it to command line */
20			+ unsigned char *p;
21			decoded_query_string = strdup(query_string);
22			php_url_decode(decoded_query_string, strlen(decoded_query_string));
23			- if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
24			+ for (p = decoded_query_string; p && p <= ' '; p++) {
25			+ /* skip all leading spaces */
26			+ }
27			+ if(*p == '-') {
28			skip_getopt = 1;
29			}
30			free(decoded_query_string);
31			@@ -1811,7 +1816,7 @@ consult the installation file that came
32			}
33
34			zend_first_try {
35			- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
36			+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
37			switch (c) {
38			case 'T':
39			benchmark = 1;