* [PATCH][meta-oe] php: uninitialized pointer in phar_make_dirstream()
@ 2015-12-17 3:18 Jian Liu
2015-12-23 10:57 ` Martin Jansa
0 siblings, 1 reply; 2+ messages in thread
From: Jian Liu @ 2015-12-17 3:18 UTC (permalink / raw)
To: openembedded-devel
CVE-2015-7804:
Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c
in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
to cause a denial of service (uninitialized pointer dereference and
application crash) by including the / filename in a .zip PHAR archive.
This patch is from
http://git.php.net/?p=php-src.git;a=commitdiff;\
h=1ddf72180a52d247db88ea42a3e35f824a8fbda1;hp=f98ab19dc0c978e3caaa2614579e4a61f2c317f5
Signed-off-by: Jian Liu <jian.liu@windriver.com>
---
.../php/php-5.6.12/php-CVE-2015-7804.patch | 35 ++++++++++++++++++++++
meta-oe/recipes-devtools/php/php.inc | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch
diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch
new file mode 100644
index 0000000..248d1d1
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch
@@ -0,0 +1,35 @@
+FIx bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"
+
+Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c
+in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
+to cause a denial of service (uninitialized pointer dereference and
+application crash) by including the / filename in a .zip PHAR archive.
+
+Written-by: Stanislav Malyshev <stas@php.net>
+
+diff -Nur php-5.6.12.orig/ext/phar/util.c php-5.6.12/ext/phar/util.c
+--- php-5.6.12.orig/ext/phar/util.c 2015-12-16 18:51:51.603455462 +0800
++++ php-5.6.12/ext/phar/util.c 2015-12-16 18:53:43.483456242 +0800
+@@ -1969,7 +1969,7 @@
+
+ while ((s = zend_memrchr(filename, '/', filename_len))) {
+ filename_len = s - filename;
+- if (FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) {
++ if (!filename_len || FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) {
+ break;
+ }
+ }
+diff -Nur php-5.6.12.orig/ext/phar/zip.c php-5.6.12/ext/phar/zip.c
+--- php-5.6.12.orig/ext/phar/zip.c 2015-12-16 18:51:51.603455462 +0800
++++ php-5.6.12/ext/phar/zip.c 2015-12-16 18:54:39.667456634 +0800
+@@ -396,7 +396,9 @@
+
+ if (entry.filename[entry.filename_len - 1] == '/') {
+ entry.is_dir = 1;
+- entry.filename_len--;
++ if(entry.filename_len > 1) {
++ entry.filename_len--;
++ }
+ entry.flags |= PHAR_ENT_PERM_DEF_DIR;
+ } else {
+ entry.is_dir = 0;
diff --git a/meta-oe/recipes-devtools/php/php.inc b/meta-oe/recipes-devtools/php/php.inc
index 4aa9c3f..d0c596c 100644
--- a/meta-oe/recipes-devtools/php/php.inc
+++ b/meta-oe/recipes-devtools/php/php.inc
@@ -15,6 +15,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
file://php-CVE-2015-7803.patch \
+ file://php-CVE-2015-7804.patch \
"
SRC_URI_append_class-target += " \
--
1.9.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH][meta-oe] php: uninitialized pointer in phar_make_dirstream()
2015-12-17 3:18 [PATCH][meta-oe] php: uninitialized pointer in phar_make_dirstream() Jian Liu
@ 2015-12-23 10:57 ` Martin Jansa
0 siblings, 0 replies; 2+ messages in thread
From: Martin Jansa @ 2015-12-23 10:57 UTC (permalink / raw)
To: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 3814 bytes --]
On Thu, Dec 17, 2015 at 11:18:46AM +0800, Jian Liu wrote:
> CVE-2015-7804:
> Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c
> in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
> to cause a denial of service (uninitialized pointer dereference and
> application crash) by including the / filename in a .zip PHAR archive.
Upgrade to 5.6.16 was already merged in master, I've dropped this change
from master-next now.
Maybe you wanted to get it merged in jethro branch?
>
> This patch is from
> http://git.php.net/?p=php-src.git;a=commitdiff;\
> h=1ddf72180a52d247db88ea42a3e35f824a8fbda1;hp=f98ab19dc0c978e3caaa2614579e4a61f2c317f5
>
> Signed-off-by: Jian Liu <jian.liu@windriver.com>
> ---
> .../php/php-5.6.12/php-CVE-2015-7804.patch | 35 ++++++++++++++++++++++
> meta-oe/recipes-devtools/php/php.inc | 1 +
> 2 files changed, 36 insertions(+)
> create mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch
>
> diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch
> new file mode 100644
> index 0000000..248d1d1
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch
> @@ -0,0 +1,35 @@
> +FIx bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"
> +
> +Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c
> +in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
> +to cause a denial of service (uninitialized pointer dereference and
> +application crash) by including the / filename in a .zip PHAR archive.
> +
> +Written-by: Stanislav Malyshev <stas@php.net>
> +
> +diff -Nur php-5.6.12.orig/ext/phar/util.c php-5.6.12/ext/phar/util.c
> +--- php-5.6.12.orig/ext/phar/util.c 2015-12-16 18:51:51.603455462 +0800
> ++++ php-5.6.12/ext/phar/util.c 2015-12-16 18:53:43.483456242 +0800
> +@@ -1969,7 +1969,7 @@
> +
> + while ((s = zend_memrchr(filename, '/', filename_len))) {
> + filename_len = s - filename;
> +- if (FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) {
> ++ if (!filename_len || FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) {
> + break;
> + }
> + }
> +diff -Nur php-5.6.12.orig/ext/phar/zip.c php-5.6.12/ext/phar/zip.c
> +--- php-5.6.12.orig/ext/phar/zip.c 2015-12-16 18:51:51.603455462 +0800
> ++++ php-5.6.12/ext/phar/zip.c 2015-12-16 18:54:39.667456634 +0800
> +@@ -396,7 +396,9 @@
> +
> + if (entry.filename[entry.filename_len - 1] == '/') {
> + entry.is_dir = 1;
> +- entry.filename_len--;
> ++ if(entry.filename_len > 1) {
> ++ entry.filename_len--;
> ++ }
> + entry.flags |= PHAR_ENT_PERM_DEF_DIR;
> + } else {
> + entry.is_dir = 0;
> diff --git a/meta-oe/recipes-devtools/php/php.inc b/meta-oe/recipes-devtools/php/php.inc
> index 4aa9c3f..d0c596c 100644
> --- a/meta-oe/recipes-devtools/php/php.inc
> +++ b/meta-oe/recipes-devtools/php/php.inc
> @@ -15,6 +15,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
> file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
> file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
> file://php-CVE-2015-7803.patch \
> + file://php-CVE-2015-7804.patch \
> "
>
> SRC_URI_append_class-target += " \
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-12-23 10:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-17 3:18 [PATCH][meta-oe] php: uninitialized pointer in phar_make_dirstream() Jian Liu
2015-12-23 10:57 ` Martin Jansa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.