/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3515.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-3515.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 2 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 vip-ire 1.1 From a374dfab567ff7f0ab0dc150f14cc891b0340b47 Mon Sep 17 00:00:00 2001
2     From: Stanislav Malyshev <stas@php.net>
3     Date: Sat, 21 Jun 2014 19:46:16 -0700
4     Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject /
5     SPLObjectStorage Type Confusion
6    
7     ---
8     ext/spl/spl_array.c | 2 +-
9     ext/spl/spl_observer.c | 2 +-
10     ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++-
11     3 files changed, 6 insertions(+), 3 deletions(-)
12    
13     diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
14     index c4b237b..c38065f 100644
15     --- a/ext/spl/spl_array.c
16     +++ b/ext/spl/spl_array.c
17     @@ -1714,7 +1714,7 @@ SPL_METHOD(Array, unserialize)
18     ++p;
19    
20     ALLOC_INIT_ZVAL(pmembers);
21     - if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
22     + if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
23     zval_ptr_dtor(&pmembers);
24     goto outexcept;
25     }
26     diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
27     index 57ddf49..f493154 100644
28     --- a/ext/spl/spl_observer.c
29     +++ b/ext/spl/spl_observer.c
30     @@ -686,7 +686,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
31     ++p;
32    
33     ALLOC_INIT_ZVAL(pmembers);
34     - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
35     + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
36     zval_ptr_dtor(&pmembers);
37     goto outexcept;
38     }
39     diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
40     index a525317..8f0676d 100644
41     --- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
42     +++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
43     @@ -7,6 +7,7 @@
44     'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
45     'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
46     'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
47     +'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
48     );
49     foreach($badblobs as $blob) {
50     try {
51     @@ -17,6 +18,7 @@
52     echo $e->getMessage()."\n";
53     }
54     }
55     +echo "DONE\n";
56     --EXPECTF--
57     Error at offset 6 of 34 bytes
58     Error at offset 46 of 89 bytes
59     @@ -42,4 +44,5 @@
60     }
61     }
62     }
63     -
64     +Error at offset 79 of 78 bytes
65     +DONE
66    
67     --
68     1.9.2
69    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed