/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3668.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2014-3668.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Sat Nov 1 13:01:51 2014 UTC (10 years, 1 month ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, HEAD
* Sat Nov 1 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-17.sme
- Resync with upstream php53, which include (see [SME: 8633])
- fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
- xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
- core: fix integer overflow in unserialize() CVE-2014-3669
- exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670

1 From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
2 From: Stanislav Malyshev <stas@php.net>
3 Date: Sun, 28 Sep 2014 17:33:44 -0700
4 Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
5
6 ---
7 NEWS | 5 ++++-
8 ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
9 ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
10 3 files changed, 56 insertions(+), 6 deletions(-)
11 create mode 100644 ext/xmlrpc/tests/bug68027.phpt
12
13 diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
14 index ce70c2a..b766a54 100644
15 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
16 +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
17 @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
18 n = 10;
19 tm.tm_mon = 0;
20 for(i = 0; i < 2; i++) {
21 - XMLRPC_IS_NUMBER(text[i])
22 + XMLRPC_IS_NUMBER(text[i+4])
23 tm.tm_mon += (text[i+4]-'0')*n;
24 n /= 10;
25 }
26 tm.tm_mon --;
27 + if(tm.tm_mon < 0 || tm.tm_mon > 11) {
28 + return -1;
29 + }
30
31 n = 10;
32 tm.tm_mday = 0;
33 for(i = 0; i < 2; i++) {
34 - XMLRPC_IS_NUMBER(text[i])
35 + XMLRPC_IS_NUMBER(text[i+6])
36 tm.tm_mday += (text[i+6]-'0')*n;
37 n /= 10;
38 }
39 @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
40 n = 10;
41 tm.tm_hour = 0;
42 for(i = 0; i < 2; i++) {
43 - XMLRPC_IS_NUMBER(text[i])
44 + XMLRPC_IS_NUMBER(text[i+9])
45 tm.tm_hour += (text[i+9]-'0')*n;
46 n /= 10;
47 }
48 @@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
49 n = 10;
50 tm.tm_min = 0;
51 for(i = 0; i < 2; i++) {
52 - XMLRPC_IS_NUMBER(text[i])
53 + XMLRPC_IS_NUMBER(text[i+12])
54 tm.tm_min += (text[i+12]-'0')*n;
55 n /= 10;
56 }
57 @@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
58 n = 10;
59 tm.tm_sec = 0;
60 for(i = 0; i < 2; i++) {
61 - XMLRPC_IS_NUMBER(text[i])
62 + XMLRPC_IS_NUMBER(text[i+15])
63 tm.tm_sec += (text[i+15]-'0')*n;
64 n /= 10;
65 }
66 diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
67 new file mode 100644
68 index 0000000..a5c96f1
69 --- /dev/null
70 +++ b/ext/xmlrpc/tests/bug68027.phpt
71 @@ -0,0 +1,44 @@
72 +--TEST--
73 +Bug #68027 (buffer overflow in mkgmtime() function)
74 +--SKIPIF--
75 +<?php
76 +if (!extension_loaded("xmlrpc")) print "skip";
77 +?>
78 +--FILE--
79 +<?php
80 +
81 +$d = '6-01-01 20:00:00';
82 +xmlrpc_set_type($d, 'datetime');
83 +var_dump($d);
84 +$datetime = "2001-0-08T21:46:40-0400";
85 +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
86 +print_r($obj);
87 +
88 +$datetime = "34770-0-08T21:46:40-0400";
89 +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
90 +print_r($obj);
91 +
92 +echo "Done\n";
93 +?>
94 +--EXPECTF--
95 +object(stdClass)#1 (3) {
96 + ["scalar"]=>
97 + string(16) "6-01-01 20:00:00"
98 + ["xmlrpc_type"]=>
99 + string(8) "datetime"
100 + ["timestamp"]=>
101 + int(%d)
102 +}
103 +stdClass Object
104 +(
105 + [scalar] => 2001-0-08T21:46:40-0400
106 + [xmlrpc_type] => datetime
107 + [timestamp] => %s
108 +)
109 +stdClass Object
110 +(
111 + [scalar] => 34770-0-08T21:46:40-0400
112 + [xmlrpc_type] => datetime
113 + [timestamp] => %d
114 +)
115 +Done
116 --
117 2.1.0
118

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed