/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2012-2688.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2012-2688.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Mon Dec 16 10:46:46 2013 UTC (10 years, 10 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-14_el5_sme, php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Mon Dec 16 2013 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-14.sme
- Resync with upstream php53, which include:
- add security fix for CVE-2013-6420
- add security fix for CVE-2013-4248
- add upstream reproducer for error_handler (#951075)
- add security fixes for CVE-2006-7243
- add security fixes for CVE-2012-2688, CVE-2012-0831,
  CVE-2011-1398, CVE-2013-1643
- fix segfault in error_handler with
  allow_call_time_pass_reference = Off (#951075)
- fix double free when destroy_zend_class fails (#951076)
- fix possible buffer overflow in pdo_odbc (#869694)
- php script hangs when it exceeds max_execution_time
  when inside an ODBC call (#864954)
- fix zend garbage collector (#892695)
- fix transposed memset arguments in libzip (#953818)
- fix possible segfault in pdo_mysql (#869693)
- fix imap_open DISABLE_AUTHENTICATOR param ignores array (#859369)
- fix stream support in fileinfo (#869697)
- fix setDate when DateTime created from timestamp (#869691)
- fix permission on source files (#869688)
- add php(language) and missing provides (#837044)
-
- fix copy doesn't report failure on partial copy (#951413)

1
2 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2688
3
4 http://git.php.net/?p=php-src.git;a=commitdiff;h=fc74503792b1ee92e4b813690890f3ed38fa3ad5
5
6 --- php-5.3.3/main/streams/streams.c.cve2688 2012-10-16 13:41:35.000000000 +0200
7 +++ php-5.3.3/main/streams/streams.c 2012-10-16 13:49:11.548079279 +0200
8 @@ -2160,6 +2160,11 @@
9 if (vector_size == 0) {
10 vector_size = 10;
11 } else {
12 + if (vector_size*2 < vector_size) {
13 + /* overflow */
14 + efree(vector);
15 + return FAILURE;
16 + }
17 vector_size *= 2;
18 }
19 vector = (char **) erealloc(vector, vector_size * sizeof(char *));

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed