/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-0237.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-0237.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 2 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 vip-ire 1.1 Patch for PHP 5.3.3 adapted from:
2    
3     From 68ce2d0ea6da79b12a365e375e1c2ce882c77480 Mon Sep 17 00:00:00 2001
4     From: Stanislav Malyshev <stas@php.net>
5     Date: Mon, 26 May 2014 17:50:14 -0700
6     Subject: [PATCH] Fix bug #67328 (fileinfo: numerous file_printf calls
7     resulting in performance degradation)
8    
9     Upstream patch: https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
10     ---
11     ext/fileinfo/libmagic/cdf.c | 16 ++++------------
12     1 file changed, 4 insertions(+), 12 deletions(-)
13    
14     diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
15     index dd7177e..8dacd2f 100644
16     --- a/ext/fileinfo/libmagic/cdf.c
17     +++ b/ext/fileinfo/libmagic/cdf.c
18     @@ -854,7 +854,7 @@ int
19     cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi,
20     cdf_property_info_t **info, size_t *count)
21     {
22     - size_t i, maxcount;
23     + size_t maxcount;
24     const cdf_summary_info_header_t *si = sst->sst_tab;
25     const cdf_section_declaration_t *sd = (const void *)
26     ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET);
27     @@ -867,20 +867,13 @@ cdf_unpack_summary_info(const cdf_stream
28     ssi->si_os = CDF_TOLE2(si->si_os);
29     ssi->si_class = si->si_class;
30     cdf_swap_class(&ssi->si_class);
31     - ssi->si_count = CDF_TOLE2(si->si_count);
32     + ssi->si_count = CDF_TOLE4(si->si_count);
33     *count = 0;
34     maxcount = 0;
35     *info = NULL;
36     - for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
37     - if (i >= CDF_LOOP_LIMIT) {
38     - DPRINTF(("Unpack summary info loop limit"));
39     - errno = EFTYPE;
40     - return -1;
41     - }
42     - if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset),
43     - info, count, &maxcount) == -1)
44     - return -1;
45     - }
46     + if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset),
47     + info, count, &maxcount) == -1)
48     + return -1;
49     return 0;
50     }
51    
52     --
53     1.9.2
54    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed