/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3479.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-3479.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 2 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 vip-ire 1.1 diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
2     index 1034937..59af8da 100644
3     --- a/ext/fileinfo/libmagic/cdf.c
4     +++ b/ext/fileinfo/libmagic/cdf.c
5     @@ -238,14 +238,17 @@ cdf_unpack_dir(cdf_directory_t *d, char *buf)
6     }
7    
8     static int
9     -cdf_check_stream_offset(const cdf_stream_t *sst, const void *p, size_t tail)
10     +cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
11     + const void *p, size_t tail)
12     {
13     const char *b = (const char *)sst->sst_tab;
14     const char *e = ((const char *)p) + tail;
15     - if (e >= b && (size_t)(e - b) < sst->sst_dirlen * sst->sst_len)
16     + size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
17     + CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
18     + if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
19     return 0;
20     DPRINTF((stderr, "offset begin %p end %p %zu >= %zu\n", b, e,
21     - (size_t)(e - b), sst->sst_dirlen * sst->sst_len));
22     + (size_t)(e - b), ss * sst->sst_len));
23     errno = EFTYPE;
24     return -1;
25     }
26     @@ -695,7 +698,7 @@ cdf_read_summary_info(const cdf_info_t *info, const cdf_header_t *h,
27     }
28    
29     int
30     -cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs,
31     +cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, uint32_t offs,
32     cdf_property_info_t **info, size_t *count, size_t *maxcount)
33     {
34     const cdf_section_header_t *shp;
35     @@ -715,7 +718,7 @@ cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs,
36     goto out;
37     }
38     shp = (const void *)((const char *)sst->sst_tab + offs);
39     - if (cdf_check_stream_offset(sst, shp, sizeof(*shp)) == -1)
40     + if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp)) == -1)
41     goto out;
42     sh.sh_len = CDF_TOLE4(shp->sh_len);
43     #define CDF_SHLEN_LIMIT (UINT32_MAX / 8)
44     @@ -745,7 +748,7 @@ cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs,
45     *count += sh.sh_properties;
46     p = (const void *)((const char *)sst->sst_tab + offs + sizeof(sh));
47     e = (const void *)(((const char *)shp) + sh.sh_len);
48     - if (cdf_check_stream_offset(sst, e, 0) == -1)
49     + if (cdf_check_stream_offset(sst, h, e, 0) == -1)
50     goto out;
51     for (i = 0; i < sh.sh_properties; i++) {
52     q = (const uint32_t *)((const char *)p +
53     @@ -856,7 +859,7 @@ out:
54     }
55    
56     int
57     -cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi,
58     +cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, cdf_summary_info_header_t *ssi,
59     cdf_property_info_t **info, size_t *count)
60     {
61     size_t maxcount;
62     @@ -864,8 +867,8 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi,
63     const cdf_section_declaration_t *sd = (const void *)
64     ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET);
65    
66     - if (cdf_check_stream_offset(sst, si, sizeof(*si)) == -1 ||
67     - cdf_check_stream_offset(sst, sd, sizeof(*sd)) == -1)
68     + if (cdf_check_stream_offset(sst, h, si, sizeof(*si)) == -1 ||
69     + cdf_check_stream_offset(sst, h, sd, sizeof(*sd)) == -1)
70     return -1;
71     ssi->si_byte_order = CDF_TOLE2(si->si_byte_order);
72     ssi->si_os_version = CDF_TOLE2(si->si_os_version);
73     @@ -876,7 +879,7 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi,
74     *count = 0;
75     maxcount = 0;
76     *info = NULL;
77     - if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset),
78     + if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
79     info, count, &maxcount) == -1)
80     return -1;
81     return 0;
82     @@ -1163,7 +1166,7 @@ cdf_dump_summary_info(const cdf_header_t *h, const cdf_stream_t *sst)
83     size_t count;
84    
85     (void)&h;
86     - if (cdf_unpack_summary_info(sst, &ssi, &info, &count) == -1)
87     + if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1)
88     return;
89     (void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order);
90     (void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff,
91     diff --git a/ext/fileinfo/libmagic/cdf.h b/ext/fileinfo/libmagic/cdf.h
92     index c056a82..c27d1ea 100644
93     --- a/ext/fileinfo/libmagic/cdf.h
94     +++ b/ext/fileinfo/libmagic/cdf.h
95     @@ -280,12 +280,12 @@ int cdf_read_ssat(const cdf_info_t *, const cdf_header_t *, const cdf_sat_t *,
96     cdf_sat_t *);
97     int cdf_read_short_stream(const cdf_info_t *, const cdf_header_t *,
98     const cdf_sat_t *, const cdf_dir_t *, cdf_stream_t *);
99     -int cdf_read_property_info(const cdf_stream_t *, uint32_t,
100     +int cdf_read_property_info(const cdf_stream_t *, const cdf_header_t *, uint32_t,
101     cdf_property_info_t **, size_t *, size_t *);
102     int cdf_read_summary_info(const cdf_info_t *, const cdf_header_t *,
103     const cdf_sat_t *, const cdf_sat_t *, const cdf_stream_t *,
104     const cdf_dir_t *, cdf_stream_t *);
105     -int cdf_unpack_summary_info(const cdf_stream_t *, cdf_summary_info_header_t *,
106     +int cdf_unpack_summary_info(const cdf_stream_t *, const cdf_header_t *, cdf_summary_info_header_t *,
107     cdf_property_info_t **, size_t *);
108     int cdf_print_classid(char *, size_t, const cdf_classid_t *);
109     int cdf_print_property_name(char *, size_t, uint32_t);
110     diff --git a/ext/fileinfo/libmagic/readcdf.c b/ext/fileinfo/libmagic/readcdf.c
111     index 117dc78..d26054e 100644
112     --- a/ext/fileinfo/libmagic/readcdf.c
113     +++ b/ext/fileinfo/libmagic/readcdf.c
114     @@ -151,14 +151,14 @@ cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info,
115     }
116    
117     private int
118     -cdf_file_summary_info(struct magic_set *ms, const cdf_stream_t *sst)
119     +cdf_file_summary_info(struct magic_set *ms, const cdf_header_t *h, const cdf_stream_t *sst)
120     {
121     cdf_summary_info_header_t si;
122     cdf_property_info_t *info;
123     size_t count;
124     int m;
125    
126     - if (cdf_unpack_summary_info(sst, &si, &info, &count) == -1)
127     + if (cdf_unpack_summary_info(sst, h, &si, &info, &count) == -1)
128     return -1;
129    
130     if (NOTMIME(ms)) {
131     @@ -256,7 +256,7 @@ file_trycdf(struct magic_set *ms, int fd, const unsigned char *buf,
132     #ifdef CDF_DEBUG
133     cdf_dump_summary_info(&h, &scn);
134     #endif
135     - if ((i = cdf_file_summary_info(ms, &scn)) == -1)
136     + if ((i = cdf_file_summary_info(ms, &h, &scn)) == -1)
137     expn = "Can't expand summary_info";
138     free(scn.sst_tab);
139     out4:

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed