Hi,
this is my debdiff for fixing CVE-2014-3515, CVE-2014-0207, CVE-2014-3480
and CVE-2014-4721 in php5.
Please give the packages from [1] some real-world testing before I upload
them to squeeze-lts.
Thanks!
Thorsten
[1] http://people.debian.org/~alteholz/packages/php5/
diff -u php5-5.3.3/debian/changelog php5-5.3.3/debian/changelog
--- php5-5.3.3/debian/changelog
+++ php5-5.3.3/debian/changelog
@@ -1,3 +1,24 @@
+php5 (5.3.3-7+squeeze20) squeeze-lts; urgency=low
+
+ * [CVE-2014-3515]: fix unserialize() SPL ArrayObject / SPLObjectStorage
+ Type Confusion
+ * [CVE-2014-0207]: fileinfo: cdf_read_short_sector insufficient
+ boundary check
+ * [CVE-2014-3480]: fileinfo: cdf_count_chain insufficient boundary check
+ * [CVE-2014-4721]: The phpinfo implementation in ext/standard/info.c in
+ PHP before 5.4.30 and 5.5.x before 5.5.14 does not
+ ensure use of the string data type for the PHP_AUTH_PW,
+ PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables,
+ which might allow context-dependent attackers to obtain
+ sensitive information from process memory by using the
+ integer data type with crafted values, related to a
+ "type confusion" vulnerability, as demonstrated by
+ reading a private SSL key in an Apache HTTP Server
+ web-hosting environment with mod_ssl and a
+ PHP 5.3.x mod_php.
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Thu, 17 Jul 2014 19:00:00 +0200
+
php5 (5.3.3-7+squeeze19) squeeze-security; urgency=low
* [CVE-2014-1943]: Fix segmentation fault in libmagic (Closes: #739012)
diff -u php5-5.3.3/debian/patches/series php5-5.3.3/debian/patches/series
--- php5-5.3.3/debian/patches/series
+++ php5-5.3.3/debian/patches/series
@@ -135,0 +136,4 @@
+CVE-2014-3480.patch
+CVE-2014-0207.patch
+CVE-2014-3515.patch
+CVE-2014-4271.patch
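Review bot: The series entry `CVE-2014-4271.patch` does not match the changelog entry at the top of this debdiff, which attributes the phpinfo() type-confusion fix (upstream bug #67498) to CVE-2014-4721, and the added patch file carries the same transposed number. Rename the file to CVE-2014-4721.patch and change this line to `+CVE-2014-4721.patch` so the changelog, the security tracker and the patch can be matched to each other. Whatever CVE-2014-4271 denotes, it is not this bug, so the mislabelled file would misattribute the fix to anyone indexing the series file.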
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-0207.patch
+++ php5-5.3.3/debian/patches/CVE-2014-0207.patch
@@ -0,0 +1,24 @@
+Index: php5-5.3.3/ext/fileinfo/libmagic/cdf.c
+===================================================================
+--- php5-5.3.3.orig/ext/fileinfo/libmagic/cdf.c 2014-07-18
11:05:27.000000000 +0200
++++ php5-5.3.3/ext/fileinfo/libmagic/cdf.c 2014-07-18 11:05:27.000000000
+0200
+@@ -322,9 +322,17 @@
+ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+ size_t len, const cdf_header_t *h, cdf_secid_t id)
+ {
+- assert((size_t)CDF_SHORT_SEC_SIZE(h) == len);
++ size_t ss = CDF_SHORT_SEC_SIZE(h);
++ size_t pos = CDF_SHORT_SEC_POS(h, id);
++ assert(ss == len);
++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
++ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
++ SIZE_T_FORMAT "u\n",
++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
++ return -1;
++ }
+ (void)memcpy(((char *)buf) + offs,
+- ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len);
++ ((const char *)sst->sst_tab) + pos, len);
+ return len;
+ }
+
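Review bot: The new guard bounds only the source side of the memcpy; the destination write to `((char *)buf) + offs` for `len` bytes is still unchecked here and rests on the caller sizing buf, which nothing in the hunk states. Add a comment above the memcpy, `/* only the source (sst_tab) is range-checked; the caller must guarantee buf holds offs + len bytes */`, so later backports do not assume both sides are covered. `pos + len` is compared in size_t; on the 32-bit squeeze builds a large `id` could make `CDF_SHORT_SEC_POS(h, id)` wrap before the comparison, so it is worth confirming that callers already reject sector ids beyond the SAT length. The function's return-type line precedes the hunk; confirm it is `ssize_t` so `return -1` is not silently converted to SIZE_MAX.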
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-3480.patch
+++ php5-5.3.3/debian/patches/CVE-2014-3480.patch
@@ -0,0 +1,23 @@
+--- php5.orig/ext/fileinfo/libmagic/cdf.c
++++ php5/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ size_t i, j;
+- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++ / sizeof(maxsector));
+
+ DPRINTF(("Chain:"));
+ for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cd
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+- if (sid > maxsector) {
+- DPRINTF(("Sector %d > %d\n", sid, maxsector));
++ if (sid >= maxsector) {
++ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
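Review bot: `maxsector` is the number of cdf_secid_t entries in sat_tab, but nothing in the hunk says so, and the switch to `>=` only makes sense with that reading; add above the declaration `/* number of entries in sat_tab: sid is used as an index, so it must stay strictly below */`. The size_t product is cast to the signed 32-bit cdf_secid_t, so a corrupt header that pushes `sat_len * size / 4` past INT32_MAX yields a negative or truncated maxsector; that rejects the chain with EFTYPE rather than over-admitting it, so it fails closed, and a short comment that this is intended would help the next reader. The loop body between the two hunks and the remainder of cdf_count_chain are outside the shown lines.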
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-3515.patch
+++ php5-5.3.3/debian/patches/CVE-2014-3515.patch
@@ -0,0 +1,53 @@
+Index: php5-5.3.3/ext/spl/spl_array.c
+===================================================================
+--- php5-5.3.3.orig/ext/spl/spl_array.c 2014-07-17 22:46:55.000000000
+0200
++++ php5-5.3.3/ext/spl/spl_array.c 2014-07-17 22:47:57.000000000 +0200
+@@ -1714,7 +1714,7 @@
+ ++p;
+
+ ALLOC_INIT_ZVAL(pmembers);
+- if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p
TSRMLS_CC)) {
++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p
TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ zval_ptr_dtor(&pmembers);
+ goto outexcept;
+ }
+Index: php5-5.3.3/ext/spl/spl_observer.c
+===================================================================
+--- php5-5.3.3.orig/ext/spl/spl_observer.c 2014-07-17 22:46:55.000000000
+0200
++++ php5-5.3.3/ext/spl/spl_observer.c 2014-07-17 22:46:55.000000000 +0200
+@@ -686,7 +686,7 @@
+ ++p;
+
+ ALLOC_INIT_ZVAL(pmembers);
+- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash
TSRMLS_CC)) {
++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash
TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ zval_ptr_dtor(&pmembers);
+ goto outexcept;
+ }
+Index: php5-5.3.3/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+===================================================================
+--- php5-5.3.3.orig/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
2014-07-17 22:46:55.000000000 +0200
++++ php5-5.3.3/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
2014-07-17 22:51:01.000000000 +0200
+@@ -7,6 +7,7 @@
+ 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
+
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
++'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
+ );
+ foreach($badblobs as $blob) {
+ try {
+@@ -17,6 +18,7 @@
+ echo $e->getMessage()."\n";
+ }
+ }
++echo "DONE\n";
+ --EXPECTF--
+ Error at offset 6 of 34 bytes
+ Error at offset 46 of 89 bytes
+@@ -42,4 +44,5 @@
+ }
+ }
+ }
+-
++Error at offset 79 of 78 bytes
++DONE
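Review bot: The spl_array.c hunk (the ArrayObject/ArrayIterator side of the fix) ships without a regression test in this debdiff; only SplObjectStorage_unserialize_bad.phpt gains a blob whose `m:` section is a string instead of an array, so a backport error in the first hunk would go unnoticed by the test suite. Add a matching case that feeds ArrayObject::unserialize a member section that is not an array and expects the UnexpectedValueException path, and note why in the test: `// members section must be an array; a string here used to be treated as a HashTable (CVE-2014-3515)`. Both unserialize functions begin and end outside the shown lines.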
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-4271.patch
+++ php5-5.3.3/debian/patches/CVE-2014-4271.patch
@@ -0,0 +1,51 @@
+commit ac509498a547324c900a25909dc3ccb35c481db7
+Author: Stanislav Malyshev <s...@php.net>
+Date: Mon Jun 23 00:19:37 2014 -0700
+
+ Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
+
+Index: php5-5.3.3/ext/standard/info.c
+===================================================================
+--- php5-5.3.3.orig/ext/standard/info.c 2014-07-18 08:28:55.000000000
+0200
++++ php5-5.3.3/ext/standard/info.c 2014-07-18 08:28:55.000000000 +0200
+@@ -999,16 +999,16 @@
+
+ php_info_print_table_start();
+ php_info_print_table_header(2, "Variable", "Value");
+- if (zend_hash_find(&EG(symbol_table), "PHP_SELF",
sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void
**) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_SELF",
Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE",
sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE",
sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_TYPE",
Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER",
sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER",
sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_USER",
Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW",
sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"),
(void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_PW",
Z_STRVAL_PP(data));
+ }
+ php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1
TSRMLS_CC);
+Index: php5-5.3.3/ext/standard/tests/general_functions/bug67498.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php5-5.3.3/ext/standard/tests/general_functions/bug67498.phpt
2014-07-18 08:28:55.000000000 +0200
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
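Review bot: The four new `Z_TYPE_PP(data) == IS_STRING` guards carry no explanation of why a type check is a security fix, and the hunk's only hint is the commit title; add one comment above the first lookup, `/* Bug #67498: user code can rebind these globals to non-strings; Z_STRVAL_PP on such a zval would read memory at an attacker-chosen address, so only string values are printed. */`. The added bug67498.phpt only checks that phpinfo() returns (`%A` swallows the whole table), so it would still pass if a row were printed from a non-string; as far as the shown lines go that is an upstream limitation rather than something this backport introduces, but a stricter expectation would make the test meaningful. The enclosing php_print_info() body continues on both sides of the hunk.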