
Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-0238.patch



Revision 1.1
Thu Aug 7 07:05:52 2014 UTC (10 years, 3 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which includes (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 vip-ire 1.1 Patch for PHP 5.3.3 adapted from:
2    
3     From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001
4     From: Stanislav Malyshev <stas@php.net>
5     Date: Mon, 26 May 2014 17:42:18 -0700
6     Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
7    
8     Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
9     ---
10     ext/fileinfo/libmagic/cdf.c | 8 +++++++-
11     1 file changed, 7 insertions(+), 1 deletion(-)
12    
13     diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
14     index 8dacd2f..4712e84 100644
15     --- a/ext/fileinfo/libmagic/cdf.c
16     +++ b/ext/fileinfo/libmagic/cdf.c
17     @@ -760,6 +760,10 @@ cdf_read_property_info(const cdf_stream_
18     inp[i].pi_type, (const char *)q - (const char *)p));
19     if (inp[i].pi_type & CDF_VECTOR) {
20     nelements = CDF_TOLE4(q[1]);
21     + if (nelements == 0) {
22     + DPRINTF(("CDF_VECTOR with nelements == 0\n"));
23     + goto out;
24     + }
25     o = 2;
26     } else {
27     nelements = 1;
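Review bot: the test added after `nelements = CDF_TOLE4(q[1]);` rejects only zero; any other value read from the file, however large, passes this point, and the hunk relies on code further down to bound it. A short comment here saying where the upper bound is enforced, or an explicit check of `nelements` against the remaining property slots at this spot, would keep the two checks from drifting apart. The check also jumps to `out` rather than continuing with the next property; if giving up on the file for a single empty vector is intended, say so in a comment.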
28     @@ -815,7 +819,8 @@ cdf_read_property_info(const cdf_stream_
29     inp = *info + nelem;
30     }
31     DPRINTF(("nelements = %d\n", nelements));
32     - for (j = 0; j < nelements; j++, i++) {
33     + for (j = 0; j < nelements && i < sh.sh_properties;
34     + j++, i++) {
35     uint32_t l = CDF_TOLE4(q[o]);
36     inp[i].pi_str.s_len = l;
37     inp[i].pi_str.s_buf = (const char *)(&q[o+1]);
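Review bot: in the rewritten `for` condition, when `i < sh.sh_properties` is what ends the loop, the file declared more vector elements than there are property slots, yet nothing is logged and execution carries on as if the vector had been read in full. Suggest testing `j < nelements` after the loop and handling it the same way as the zero case in the first hunk (a DPRINTF and `goto out`). Separately, `l = CDF_TOLE4(q[o])` comes from the file and is stored as `s_len` with `s_buf` pointing at `&q[o+1]`; no check that this stays inside the stream is visible in this hunk, so it is worth confirming that one exists nearby.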
38     --
39     1.9.2
40    
