
Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-1943.patch



Revision 1.1 - (hide annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 3 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which includes (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 vip-ire 1.1 diff --git a/src/ascmagic.c b/src/ascmagic.c
2     index 9236fb4..5a531ae 100644
3     --- a/ext/fileinfo/libmagic/ascmagic.c
4     +++ b/ext/fileinfo/libmagic/ascmagic.c
5     @@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
6     if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
7     goto done;
8     if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
9     - TEXTTEST)) != 0)
10     + 0, TEXTTEST)) != 0)
11     goto done;
12     else
13     rv = -1;
14     diff --git a/src/file.h b/src/file.h
15     index c07f2d4..2a6cf02 100644
16     --- a/ext/fileinfo/libmagic/file.h
17     +++ b/ext/fileinfo/libmagic/file.h
18     @@ -373,8 +373,8 @@ protected int file_ascmagic_with_encoding(struct magic_set *,
19     protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
20     unichar **, size_t *, const char **, const char **, const char **);
21     protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
22     -protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
23     - int);
24     +protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
25     + size_t, int);
26     protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
27     protected uint64_t file_signextend(struct magic_set *, struct magic *,
28     uint64_t);
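Review bot: The new depth argument is typed `size_t` in this prototype and in the `file_softmagic` definition, but `match()` and `mget()` in softmagic.c take it as `int recursion_level`, so the value is narrowed on the way down and widened again when `mget` re-enters `file_softmagic`. With the limit of 20 checked in `mget` this cannot overflow, but one type throughout would remove the implicit conversions, for example `const unsigned char *, size_t, int, size_t);` for the `match` prototype and the same for `mget`. The position also differs: the level comes before `mode` in `file_softmagic` and after it in `match`, and since both are integers a swapped call compiles silently. Naming the parameters in the prototypes would make that easier to spot.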
29     diff --git a/src/funcs.c b/src/funcs.c
30     index 2397417..11d257f 100644
31     --- a/ext/fileinfo/libmagic/funcs.c
32     +++ b/ext/fileinfo/libmagic/funcs.c
33     @@ -227,7 +227,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname, const void *buf,
34    
35     /* try soft magic tests */
36     if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
37     - if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
38     + if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
39     if ((ms->flags & MAGIC_DEBUG) != 0)
40     (void)fprintf(stderr, "softmagic %d\n", m);
41     #ifdef BUILTIN_ELF
42     diff --git a/src/softmagic.c b/src/softmagic.c
43     index 58a1cf7..107876c 100644
44     --- a/ext/fileinfo/libmagic/softmagic.c
45     +++ b/ext/fileinfo/libmagic/softmagic.c
46     @@ -70,9 +70,9 @@ file_pstring_length_size(const struct magic *m)
47    
48    
49     private int match(struct magic_set *, struct magic *, uint32_t,
50     - const unsigned char *, size_t, int);
51     + const unsigned char *, size_t, int, int);
52     private int mget(struct magic_set *, const unsigned char *,
53     - struct magic *, size_t, unsigned int);
54     + struct magic *, size_t, unsigned int, int);
55     private int magiccheck(struct magic_set *, struct magic *);
56     private int32_t mprint(struct magic_set *, struct magic *);
57     private int32_t moffset(struct magic_set *, struct magic *);
58     @@ -94,12 +94,12 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
59     */
60     /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
61     protected int
62     -file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, int mode)
63     +file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, size_t level, int mode)
64     {
65     struct mlist *ml;
66     int rv;
67     for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
68     - if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
69     + if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
70     return rv;
71    
72     return 0;
73     @@ -134,7 +134,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, in
74     */
75     private int
76     match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
77     - const unsigned char *s, size_t nbytes, int mode)
78     + const unsigned char *s, size_t nbytes, int mode, int recursion_level)
79     {
80     uint32_t magindex = 0;
81     unsigned int cont_level = 0;
82     @@ -163,7 +163,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
83     ms->line = m->lineno;
84    
85     /* if main entry matches, print it... */
86     - switch (mget(ms, s, m, nbytes, cont_level)) {
87     + switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
88     case -1:
89     return -1;
90     case 0:
91     @@ -246,7 +246,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
92     continue;
93     }
94     #endif
95     - switch (mget(ms, s, m, nbytes, cont_level)) {
96     + switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
97     case -1:
98     return -1;
99     case 0:
100     @@ -1062,13 +1062,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
101    
102     private int
103     mget(struct magic_set *ms, const unsigned char *s,
104     - struct magic *m, size_t nbytes, unsigned int cont_level)
105     + struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
106     {
107     uint32_t offset = ms->offset;
108     uint32_t count = m->str_range;
109     uint32_t lhs;
110     union VALUETYPE *p = &ms->ms_value;
111    
112     + if (recursion_level >= 20) {
113     + file_error(ms, 0, "recursion nesting exceeded");
114     + return -1;
115     + }
116     +
117     if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
118     return -1;
119    
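Review bot: The depth limit in the new guard is a bare `20`, and nothing at the check says where the counter is advanced. A named constant (illustrative name: `#define MAX_RECURSION_LEVEL 20`) used as `if (recursion_level >= MAX_RECURSION_LEVEL) {` would make the bound easier to audit and tune. I would also add a comment such as `/* match() passes recursion_level + 1 on every mget() call; this bounds FILE_INDIRECT re-entry into file_softmagic() */`. Including the limit in the `file_error()` text would help whoever triages the message later. The body of `mget` continues outside this hunk.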
120     @@ -1486,17 +1491,19 @@ mget(struct magic_set *ms, const unsigned char *s,
121     break;
122    
123     case FILE_REGEX:
124     - if (nbytes < offset)
125     + if (nbytes < offset)
126     return 0;
127     break;
128    
129     case FILE_INDIRECT:
130     + if (offset == 0)
131     + return 0;
132     if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
133     file_printf(ms, m->desc) == -1)
134     return -1;
135     - if (nbytes < offset)
136     + if (nbytes < offset)
137     return 0;
138     - return file_softmagic(ms, s + offset, nbytes - offset,
139     + return file_softmagic(ms, s + offset, nbytes - offset, recursion_level,
140     BINTEST);
141    
142     case FILE_DEFAULT: /* nothing to check */
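Review bot: In the `FILE_INDIRECT` case the `nbytes < offset` bounds check still runs after `file_printf(ms, m->desc)`, so an indirect entry whose offset lies past the end of the buffer appears to return 0 with its description already appended to the output. Folding the check into the new guard, `if (offset == 0 || nbytes < offset) return 0;`, would reject both cases before anything is printed. The `offset == 0` test also deserves a one-line comment, e.g. `/* offset 0 would hand the same buffer back to file_softmagic() */`, since the reason is not stated. The enclosing `mget` starts and ends outside this hunk, so whether later code relies on the description being printed first cannot be confirmed from here.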
143     diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
144     new file mode 100644
145     index 0000000..b2e9c17
146     --- /dev/null
147     +++ b/ext/fileinfo/tests/cve-2014-1943.phpt
148     @@ -0,0 +1,39 @@
149     +--TEST--
150     +Bug #66731: file: infinite recursion
151     +--SKIPIF--
152     +<?php
153     +if (!class_exists('finfo'))
154     + die('skip no fileinfo extension');
155     +--FILE--
156     +<?php
157     +$fd = __DIR__.'/cve-2014-1943.data';
158     +$fm = __DIR__.'/cve-2014-1943.magic';
159     +
160     +$a = "\105\122\000\000\000\000\000";
161     +$b = str_repeat("\001", 250000);
162     +$m = "0 byte x\n".
163     + ">(1.b) indirect x\n";
164     +
165     +file_put_contents($fd, $a);
166     +$fi = finfo_open(FILEINFO_NONE);
167     +var_dump(finfo_file($fi, $fd));
168     +finfo_close($fi);
169     +
170     +file_put_contents($fd, $b);
171     +file_put_contents($fm, $m);
172     +$fi = finfo_open(FILEINFO_NONE, $fm);
173     +var_dump(finfo_file($fi, $fd));
174     +finfo_close($fi);
175     +?>
176     +Done
177     +--CLEAN--
178     +<?php
179     +@unlink(__DIR__.'/cve-2014-1943.data');
180     +@unlink(__DIR__.'/cve-2014-1943.magic');
181     +?>
182     +--EXPECTF--
183     +string(%d) "%s"
184     +
185     +Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
186     +bool(false)
187     +Done
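Review bot: The `--EXPECTF--` section pins the warning to `Failed identify data 0:(null)`, so the test checks that identification fails but not that it fails because of the new depth limit. The `recursion nesting exceeded` text passed to `file_error()` in softmagic.c does not appear in the expected output, and any other failure path producing the same generic warning would presumably pass too. If that message is meant to reach the caller, matching it here would make the regression test specific to this fix. Otherwise, a comment in the `--FILE--` block saying that the `\001`-filled data file combined with the `>(1.b) indirect x` rule is what drives repeated re-entry would document what is being exercised.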
