/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-1943.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2014-1943.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 3 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 diff --git a/src/ascmagic.c b/src/ascmagic.c
2 index 9236fb4..5a531ae 100644
3 --- a/ext/fileinfo/libmagic/ascmagic.c
4 +++ b/ext/fileinfo/libmagic/ascmagic.c
5 @@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
6 if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
7 goto done;
8 if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
9 - TEXTTEST)) != 0)
10 + 0, TEXTTEST)) != 0)
11 goto done;
12 else
13 rv = -1;
14 diff --git a/src/file.h b/src/file.h
15 index c07f2d4..2a6cf02 100644
16 --- a/ext/fileinfo/libmagic/file.h
17 +++ b/ext/fileinfo/libmagic/file.h
18 @@ -373,8 +373,8 @@ protected int file_ascmagic_with_encoding(struct magic_set *,
19 protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
20 unichar **, size_t *, const char **, const char **, const char **);
21 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
22 -protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
23 - int);
24 +protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
25 + size_t, int);
26 protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
27 protected uint64_t file_signextend(struct magic_set *, struct magic *,
28 uint64_t);
29 diff --git a/src/funcs.c b/src/funcs.c
30 index 2397417..11d257f 100644
31 --- a/ext/fileinfo/libmagic/funcs.c
32 +++ b/ext/fileinfo/libmagic/funcs.c
33 @@ -227,7 +227,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname, const void *buf,
34
35 /* try soft magic tests */
36 if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
37 - if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
38 + if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
39 if ((ms->flags & MAGIC_DEBUG) != 0)
40 (void)fprintf(stderr, "softmagic %d\n", m);
41 #ifdef BUILTIN_ELF
42 diff --git a/src/softmagic.c b/src/softmagic.c
43 index 58a1cf7..107876c 100644
44 --- a/ext/fileinfo/libmagic/softmagic.c
45 +++ b/ext/fileinfo/libmagic/softmagic.c
46 @@ -70,9 +70,9 @@ file_pstring_length_size(const struct magic *m)
47
48
49 private int match(struct magic_set *, struct magic *, uint32_t,
50 - const unsigned char *, size_t, int);
51 + const unsigned char *, size_t, int, int);
52 private int mget(struct magic_set *, const unsigned char *,
53 - struct magic *, size_t, unsigned int);
54 + struct magic *, size_t, unsigned int, int);
55 private int magiccheck(struct magic_set *, struct magic *);
56 private int32_t mprint(struct magic_set *, struct magic *);
57 private int32_t moffset(struct magic_set *, struct magic *);
58 @@ -94,12 +94,12 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
59 */
60 /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
61 protected int
62 -file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, int mode)
63 +file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, size_t level, int mode)
64 {
65 struct mlist *ml;
66 int rv;
67 for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
68 - if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
69 + if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
70 return rv;
71
72 return 0;
73 @@ -134,7 +134,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, in
74 */
75 private int
76 match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
77 - const unsigned char *s, size_t nbytes, int mode)
78 + const unsigned char *s, size_t nbytes, int mode, int recursion_level)
79 {
80 uint32_t magindex = 0;
81 unsigned int cont_level = 0;
82 @@ -163,7 +163,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
83 ms->line = m->lineno;
84
85 /* if main entry matches, print it... */
86 - switch (mget(ms, s, m, nbytes, cont_level)) {
87 + switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
88 case -1:
89 return -1;
90 case 0:
91 @@ -246,7 +246,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
92 continue;
93 }
94 #endif
95 - switch (mget(ms, s, m, nbytes, cont_level)) {
96 + switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
97 case -1:
98 return -1;
99 case 0:
100 @@ -1062,13 +1062,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
101
102 private int
103 mget(struct magic_set *ms, const unsigned char *s,
104 - struct magic *m, size_t nbytes, unsigned int cont_level)
105 + struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
106 {
107 uint32_t offset = ms->offset;
108 uint32_t count = m->str_range;
109 uint32_t lhs;
110 union VALUETYPE *p = &ms->ms_value;
111
112 + if (recursion_level >= 20) {
113 + file_error(ms, 0, "recursion nesting exceeded");
114 + return -1;
115 + }
116 +
117 if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
118 return -1;
119
120 @@ -1486,17 +1491,19 @@ mget(struct magic_set *ms, const unsigned char *s,
121 break;
122
123 case FILE_REGEX:
124 - if (nbytes < offset)
125 + if (nbytes < offset)
126 return 0;
127 break;
128
129 case FILE_INDIRECT:
130 + if (offset == 0)
131 + return 0;
132 if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
133 file_printf(ms, m->desc) == -1)
134 return -1;
135 - if (nbytes < offset)
136 + if (nbytes < offset)
137 return 0;
138 - return file_softmagic(ms, s + offset, nbytes - offset,
139 + return file_softmagic(ms, s + offset, nbytes - offset, recursion_level,
140 BINTEST);
141
142 case FILE_DEFAULT: /* nothing to check */
143 diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
144 new file mode 100644
145 index 0000000..b2e9c17
146 --- /dev/null
147 +++ b/ext/fileinfo/tests/cve-2014-1943.phpt
148 @@ -0,0 +1,39 @@
149 +--TEST--
150 +Bug #66731: file: infinite recursion
151 +--SKIPIF--
152 +<?php
153 +if (!class_exists('finfo'))
154 + die('skip no fileinfo extension');
155 +--FILE--
156 +<?php
157 +$fd = __DIR__.'/cve-2014-1943.data';
158 +$fm = __DIR__.'/cve-2014-1943.magic';
159 +
160 +$a = "\105\122\000\000\000\000\000";
161 +$b = str_repeat("\001", 250000);
162 +$m = "0 byte x\n".
163 + ">(1.b) indirect x\n";
164 +
165 +file_put_contents($fd, $a);
166 +$fi = finfo_open(FILEINFO_NONE);
167 +var_dump(finfo_file($fi, $fd));
168 +finfo_close($fi);
169 +
170 +file_put_contents($fd, $b);
171 +file_put_contents($fm, $m);
172 +$fi = finfo_open(FILEINFO_NONE, $fm);
173 +var_dump(finfo_file($fi, $fd));
174 +finfo_close($fi);
175 +?>
176 +Done
177 +--CLEAN--
178 +<?php
179 +@unlink(__DIR__.'/cve-2014-1943.data');
180 +@unlink(__DIR__.'/cve-2014-1943.magic');
181 +?>
182 +--EXPECTF--
183 +string(%d) "%s"
184 +
185 +Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
186 +bool(false)
187 +Done

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed