/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-4721.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-4721.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Thu Aug 7 07:05:52 2014 UTC (10 years, 2 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Thu Aug 7 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-15.sme
- Resync with upstream php53, which include (see [SME: 8515])
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
  CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
  confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
  rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
  DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
  loop. CVE-2014-0238

1 vip-ire 1.1 From fb0128af2a95ec0d1a0360be49776c5b056d1f33 Mon Sep 17 00:00:00 2001
2     From: Stanislav Malyshev <stas@php.net>
3     Date: Mon, 23 Jun 2014 00:19:37 -0700
4     Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
5     Vulnerability
6    
7     ---
8     NEWS | 2 ++
9     ext/standard/info.c | 8 ++++----
10     ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++
11     3 files changed, 21 insertions(+), 4 deletions(-)
12     create mode 100644 ext/standard/tests/general_functions/bug67498.phpt
13    
14     diff --git a/ext/standard/info.c b/ext/standard/info.c
15     index 70b2e2f..0f15bbe 100644
16     --- a/ext/standard/info.c
17     +++ b/ext/standard/info.c
18     @@ -972,16 +972,16 @@
19    
20     php_info_print_table_start();
21     php_info_print_table_header(2, "Variable", "Value");
22     - if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
23     + if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
24     php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
25     }
26     - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
27     + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
28     php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
29     }
30     - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
31     + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
32     php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
33     }
34     - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
35     + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
36     php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
37     }
38     php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
39     diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
40     new file mode 100644
41     index 0000000..5b5951b
42     --- /dev/null
43     +++ b/ext/standard/tests/general_functions/bug67498.phpt
44     @@ -0,0 +1,15 @@
45     +--TEST--
46     +phpinfo() Type Confusion Information Leak Vulnerability
47     +--FILE--
48     +<?php
49     +$PHP_SELF = 1;
50     +phpinfo(INFO_VARIABLES);
51     +
52     +?>
53     +==DONE==
54     +--EXPECTF--
55     +phpinfo()
56     +
57     +PHP Variables
58     +%A
59     +==DONE==
60     --
61     1.9.2
62    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed