/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3669.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-3669.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Sat Nov 1 13:01:52 2014 UTC (10 years, 1 month ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, HEAD
* Sat Nov 1 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-17.sme
- Resync with upstream php53, which include (see [SME: 8633])
- fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
- xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
- core: fix integer overflow in unserialize() CVE-2014-3669
- exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670

1 vip-ire 1.1 Adapted for PHP 5.4.16 from
2    
3     From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
4     From: Stanislav Malyshev <stas@php.net>
5     Date: Sun, 28 Sep 2014 14:19:31 -0700
6     Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
7     only)
8    
9     ---
10     NEWS | 5 ++++-
11     ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
12     ext/standard/var_unserializer.c | 4 ++--
13     ext/standard/var_unserializer.re | 2 +-
14     4 files changed, 19 insertions(+), 4 deletions(-)
15     create mode 100644 ext/standard/tests/serialize/bug68044.phpt
16    
17     diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
18     new file mode 100644
19     index 0000000..031e44e
20     --- /dev/null
21     +++ b/ext/standard/tests/serialize/bug68044.phpt
22     @@ -0,0 +1,12 @@
23     +--TEST--
24     +Bug #68044 Integer overflow in unserialize() (32-bits only)
25     +--FILE--
26     +<?php
27     + echo unserialize('C:3:"XYZ":18446744075857035259:{}');
28     +?>
29     +===DONE==
30     +--EXPECTF--
31     +Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
32     +
33     +Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
34     +===DONE==
35     diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
36     index 657051f..8129da3 100644
37     --- a/ext/standard/var_unserializer.c
38     +++ b/ext/standard/var_unserializer.c
39     @@ -326,7 +326,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
40    
41     (*p) += 2;
42    
43     - if (datalen < 0 || (*p) + datalen >= max) {
44     + if (datalen < 0 || (max - (*p)) <= datalen) {
45     zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
46     return 0;
47     }
48     diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
49     index 1307508..6de1583 100644
50     --- a/ext/standard/var_unserializer.re
51     +++ b/ext/standard/var_unserializer.re
52     @@ -332,7 +332,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
53    
54     (*p) += 2;
55    
56     - if (datalen < 0 || (*p) + datalen >= max) {
57     + if (datalen < 0 || (max - (*p)) <= datalen) {
58     zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
59     return 0;
60     }
61     --
62     2.1.0
63    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed