/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-4049.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-4049.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 2 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD 
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238
1 vip-ire 1.1 From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
2     From: Sara Golemon <pollita@php.net>
3     Date: Tue, 10 Jun 2014 11:18:02 -0700
4     Subject: [PATCH] Fix potential segfault in dns_get_record()
5    
6     If the remote sends us a packet with a malformed TXT record,
7     we could end up trying to over-consume the packet and wander
8     off into overruns.
9     ---
10     ext/standard/dns.c | 4 ++++
11     1 file changed, 4 insertions(+)
12    
13     diff --git a/ext/standard/dns.c b/ext/standard/dns.c
14     index 6a89446..214a7dc 100644
15     --- a/ext/standard/dns.c
16     +++ b/ext/standard/dns.c
17     @@ -497,6 +497,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
18    
19     while (ll < dlen) {
20     n = cp[ll];
21     + if ((ll + n) >= dlen) {
22     + // Invalid chunk length, truncate
23     + n = dlen - (ll + 1);
24     + }
25     memcpy(tp + ll , cp + ll + 1, n);
26     add_next_index_stringl(entries, cp + ll + 1, n, 1);
27     ll = ll + n + 1;
28     --
29     1.9.3
30    
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed