/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3515.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2014-3515.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 3 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 From a374dfab567ff7f0ab0dc150f14cc891b0340b47 Mon Sep 17 00:00:00 2001
2 From: Stanislav Malyshev <stas@php.net>
3 Date: Sat, 21 Jun 2014 19:46:16 -0700
4 Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject /
5 SPLObjectStorage Type Confusion
6
7 ---
8 ext/spl/spl_array.c | 2 +-
9 ext/spl/spl_observer.c | 2 +-
10 ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++-
11 3 files changed, 6 insertions(+), 3 deletions(-)
12
13 diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
14 index c4b237b..c38065f 100644
15 --- a/ext/spl/spl_array.c
16 +++ b/ext/spl/spl_array.c
17 @@ -1714,7 +1714,7 @@ SPL_METHOD(Array, unserialize)
18 ++p;
19
20 ALLOC_INIT_ZVAL(pmembers);
21 - if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
22 + if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
23 zval_ptr_dtor(&pmembers);
24 goto outexcept;
25 }
26 diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
27 index 57ddf49..f493154 100644
28 --- a/ext/spl/spl_observer.c
29 +++ b/ext/spl/spl_observer.c
30 @@ -686,7 +686,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
31 ++p;
32
33 ALLOC_INIT_ZVAL(pmembers);
34 - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
35 + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
36 zval_ptr_dtor(&pmembers);
37 goto outexcept;
38 }
39 diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
40 index a525317..8f0676d 100644
41 --- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
42 +++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
43 @@ -7,6 +7,7 @@
44 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
45 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
46 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
47 +'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
48 );
49 foreach($badblobs as $blob) {
50 try {
51 @@ -17,6 +18,7 @@
52 echo $e->getMessage()."\n";
53 }
54 }
55 +echo "DONE\n";
56 --EXPECTF--
57 Error at offset 6 of 34 bytes
58 Error at offset 46 of 89 bytes
59 @@ -42,4 +44,5 @@
60 }
61 }
62 }
63 -
64 +Error at offset 79 of 78 bytes
65 +DONE
66
67 --
68 1.9.2
69

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed