rpms/php/FC-3 php-4.3.9-CVE-2005-3353.patch, NONE, 1.1 php-4.3.9-CVE-2005-3388.patch, NONE, 1.1 php-4.3.9-CVE-2005-3389.patch, NONE, 1.1 php-4.3.9-CVE-2005-3390.patch, NONE, 1.1 php.spec, 1.63, 1.64
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Nov 8 11:14:24 UTC 2005
Author: jorton
Update of /cvs/dist/rpms/php/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv14779
Modified Files:
php.spec
Added Files:
php-4.3.9-CVE-2005-3353.patch php-4.3.9-CVE-2005-3388.patch
php-4.3.9-CVE-2005-3389.patch php-4.3.9-CVE-2005-3390.patch
Log Message:
* Fri Nov 4 2005 Joe Orton <jorton at redhat.com> 4.3.11-2.8
- add security fixes from upstream:
* XSS issues in phpinfo() (CVE-2005-3388, #172212)
* GLOBALS handling (CVE-2005-3390, #172207)
* parse_str() enabling register_globals (CVE-2005-3389, #172209)
* exif: infinite recursion on corrupt JPEG (CVE-2005-3353)
php-4.3.9-CVE-2005-3353.patch:
exif.c | 6 ++++++
1 files changed, 6 insertions(+)
--- NEW FILE php-4.3.9-CVE-2005-3353.patch ---
http://viewcvs.php.net/viewcvs.cgi/php-src/ext/exif/exif.c.diff?r1=1.118.2.37.2.3&r2=1.118.2.37.2.1&only_with_tag=PHP_4_4
--- php-4.3.9/ext/exif/exif.c.cve3353
+++ php-4.3.9/ext/exif/exif.c
@@ -3008,6 +3008,12 @@
}
}
/*
+ * Ignore IFD2 if it purportedly exists
+ */
+ if (section_index == SECTION_THUMBNAIL) {
+ return TRUE;
+ }
+ /*
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
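Review bot: The new comment `Ignore IFD2 if it purportedly exists` does not describe the check underneath it, which tests `section_index == SECTION_THUMBNAIL`, and it says nothing about why returning early here is needed. The log message records this as the fix for infinite recursion on a corrupt JPEG (CVE-2005-3353), so the comment should carry that reason, e.g. `/* Do not descend into the thumbnail section's own IFD: a corrupt file can otherwise re-enter this walk without bound (CVE-2005-3353) */`. The enclosing function starts and ends outside the hunk, so whether `TRUE` is the result its callers expect for a skipped section cannot be confirmed from here.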
php-4.3.9-CVE-2005-3388.patch:
info.c | 32 +++++++++++++++++++++++++-------
1 files changed, 25 insertions(+), 7 deletions(-)
--- NEW FILE php-4.3.9-CVE-2005-3388.patch ---
- upstream fixes for phpinfo() escaping
- also ensure that the request_uri is escaped wherever used
--- php-4.3.9/ext/standard/info.c.cve3388
+++ php-4.3.9/ext/standard/info.c
@@ -133,10 +133,21 @@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+ zval *tmp3;
+ MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("<pre>");
}
+ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
+ php_ob_get_buffer(tmp3 TSRMLS_CC);
+ php_end_ob_buffer(0, 0 TSRMLS_CC);
+
+ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+ PUTS(elem_esc);
+ efree(elem_esc);
+ zval_ptr_dtor(&tmp3);
+
if (!sapi_module.phpinfo_as_text) {
PUTS("</pre>");
}
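Review bot: The escape added after the buffered `zend_print_zval_r` runs unconditionally, while the `<pre>` wrapper on either side of it is guarded by `!sapi_module.phpinfo_as_text`, so in text mode the array dump now comes out with HTML entities for `&`, `<`, `>` and quotes. Unless the non-array branch of this function (outside the hunk) already escapes in text mode as well, the escape should be guarded the same way, with the raw buffer printed otherwise. The return value of `php_ob_get_buffer` is also not checked; if it can fail and leave `tmp3` unset, `Z_STRVAL_P(tmp3)` would be read uninitialized, so a `FAILURE` check before the escape is worth adding.
```c
php_ob_get_buffer(tmp3 TSRMLS_CC);
php_end_ob_buffer(0, 0 TSRMLS_CC);

if (!sapi_module.phpinfo_as_text) {
	elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
	PUTS(elem_esc);
	efree(elem_esc);
} else {
	PUTS(Z_STRVAL_P(tmp3));
}
zval_ptr_dtor(&tmp3);
/* … unchanged: closing </pre> … */
```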
@@ -196,7 +207,7 @@
PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
{
int new_len;
- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
+ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
}
/* }}} */
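Review bot: `php_info_html_esc` is an exported (PHPAPI) helper whose behaviour changes here from `ENT_NOQUOTES` to `ENT_QUOTES`, yet it carries no comment on its contract. The earlier hunk shows its result being released with `efree`, and `strlen(string)` means the input must be a NUL-terminated, non-NULL string, so a one-line header would help callers: `/* Returns an emalloc()d HTML-escaped copy of string; quotes are escaped too, so the result is safe inside attribute values. The caller must efree() it. */`.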
@@ -385,6 +396,7 @@
int expose_php = INI_INT("expose_php");
time_t the_time;
struct tm *ta, tmbuf;
+ char *req_uri;
the_time = time(NULL);
ta = php_localtime_r(&the_time, &tmbuf);
@@ -395,6 +407,12 @@
PUTS("phpinfo()\n");
}
+ if (SG(request_info).request_uri) {
+ req_uri = php_info_html_esc(SG(request_info).request_uri);
+ } else {
+ req_uri = NULL;
+ }
+
if (flag & PHP_INFO_GENERAL) {
char *zend_version = get_zend_version();
char temp_api[9];
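Review bot: The new call `req_uri = php_info_html_esc(SG(request_info).request_uri);` omits the `TSRMLS_CC` argument that the function's `TSRMLS_DC` prototype and the call in the first hunk both use, so it compiles only in non-ZTS builds; it should read `req_uri = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);`. The first hunk also shows that this helper's result is `efree`d by its caller, but none of the info.c hunks free `req_uri` after its last `PUTS`; if the function body outside the hunks does not release it, `if (req_uri) efree(req_uri);` after the final use in the credits block is needed. The enclosing function runs well past the hunk.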
@@ -407,8 +425,8 @@
if (expose_php && !sapi_module.phpinfo_as_text) {
PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\"");
- if (SG(request_info).request_uri) {
- PUTS(SG(request_info).request_uri);
+ if (req_uri) {
+ PUTS(req_uri);
}
{
PUTS("?="PHP_LOGO_GUID"\" alt=\"PHP Logo\" /></a>");
@@ -507,8 +525,8 @@
php_info_print_box_start(0);
if (expose_php && !sapi_module.phpinfo_as_text) {
PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\"");
- if (SG(request_info).request_uri) {
- PUTS(SG(request_info).request_uri);
+ if (req_uri) {
+ PUTS(req_uri);
}
PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n");
}
@@ -522,8 +540,8 @@
if ((flag & PHP_INFO_CREDITS) && expose_php && !sapi_module.phpinfo_as_text) {
php_info_print_hr();
PUTS("<h1><a href=\"");
- if (SG(request_info).request_uri) {
- PUTS(SG(request_info).request_uri);
+ if (req_uri) {
+ PUTS(req_uri);
}
PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">");
PUTS("PHP Credits");
php-4.3.9-CVE-2005-3389.patch:
string.c | 10 ++++------
1 files changed, 4 insertions(+), 6 deletions(-)
--- NEW FILE php-4.3.9-CVE-2005-3389.patch ---
http://cvs.php.net/diff.php/php-src/ext/standard/string.c?r1=1.333.2.52&r2=1.333.2.52.2.1&ty=u
--- php-4.3.9/ext/standard/string.c.cve3389
+++ php-4.3.9/ext/standard/string.c
@@ -3171,7 +3171,6 @@
zval *sarg;
char *res = NULL;
int argCount;
- int old_rg;
argCount = ARG_COUNT(ht);
if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@ -3184,19 +3183,18 @@
res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
}
- old_rg = PG(register_globals);
if (argCount == 1) {
- PG(register_globals) = 1;
- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;
+ Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
} else {
- PG(register_globals) = 0;
/* Clear out the array that was passed in. */
zval_dtor(*arrayArg);
array_init(*arrayArg);
sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
}
- PG(register_globals) = old_rg;
}
/* }}} */
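Review bot: `tmp` is a stack zval of which only `Z_ARRVAL(tmp)` is set; its type and refcount fields are left indeterminate, so any code downstream of `treat_data` that inspects the type of the array it is handed would be reading uninitialized memory. Initializing it fully costs two lines before the `Z_ARRVAL` assignment: `INIT_PZVAL(&tmp); Z_TYPE(tmp) = IS_ARRAY;`. As far as the php_variables.c hunk of the CVE-2005-3390 patch shows, handing the active symbol table in as the target array means the `GLOBALS` name is only rejected on this path by the `symtable1 == EG(active_symbol_table)` check added there, not by the register_globals branch, so the two patches depend on each other; a comment noting that here would keep a later backport from splitting them.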
php-4.3.9-CVE-2005-3390.patch:
ext/standard/array.c | 4 ++++
ext/standard/basic_functions.c | 22 ++++++++++++++++++----
main/php_variables.c | 11 +++++++++++
3 files changed, 33 insertions(+), 4 deletions(-)
--- NEW FILE php-4.3.9-CVE-2005-3390.patch ---
http://cvs.php.net/diff.php/php-src/main/php_variables.c?r1=1.45.2.13.2.2&r2=1.45.2.13.2.3&ty=u
http://cvs.php.net/diff.php/php-src/ext/standard/array.c?r1=1.199.2.44.2.8&r2=1.199.2.44.2.9&ty=u
http://cvs.php.net/diff.php/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.2&r2=1.543.2.51.2.3&ty=u
http://viewcvs.php.net/viewcvs.cgi/php-src/main/main.c.diff?r1=1.512.2.58&r2=1.512.2.59&only_with_tag=PHP_4_3
--- php-4.3.9/ext/standard/array.c.cve3390
+++ php-4.3.9/ext/standard/array.c
@@ -1243,6 +1243,10 @@
/* break omitted intentionally */
case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
smart_str_appendl(&final_name, var_name, var_name_len);
break;
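Review bot: The new `GLOBALS` guard in the `EXTR_OVERWRITE` case only applies when `var_exists` is set, whereas the equivalent guards added to basic_functions.c and php_variables.c in this same patch reject the name unconditionally. It is not visible here whether the active symbol table can lack a `GLOBALS` entry in the scope extract() runs in; if it can, this case would still create such a variable, and dropping the condition, `if (!strcmp(var_name, "GLOBALS")) { break; }`, makes the three checks consistent at no cost. The enclosing switch and function both extend outside the hunk.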
--- php-4.3.9/ext/standard/basic_functions.c.cve3390
+++ php-4.3.9/ext/standard/basic_functions.c
@@ -3001,11 +3001,25 @@
prefix = va_arg(args, char *);
prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
zend_hash_del(&EG(symbol_table), new_key, new_key_len);
ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
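Review bot: The two branches compute `new_key_len` on different conventions: the memcpy path uses `prefix_len + hash_key->nKeyLength`, while the numeric path uses spprintf's return value, which excludes the terminating NUL. If `nKeyLength` counts the terminator, as Zend hash keys normally do, the numeric path's length is one byte short for the `zend_hash_del` and `ZEND_SET_SYMBOL_WITH_LENGTH` calls that follow, and `new_key_len = spprintf(&new_key, 0, "%s%lu", prefix, hash_key->h) + 1;` would align the two; the `%lu` also fixes the format if `h` is `ulong` as in `zend_hash_key`. The `emalloc` and `spprintf` buffers must both be released by the same `efree` later in the callback, which is outside the hunk and cannot be checked here.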
--- php-4.3.9/main/php_variables.c.cve3390
+++ php-4.3.9/main/php_variables.c
@@ -73,6 +73,10 @@
symtable1 = Z_ARRVAL_P(track_vars_array);
} else if (PG(register_globals)) {
symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
}
if (!symtable1) {
/* Nothing to do */
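Review bot: The two `strncmp` calls in the new guard are the same comparison: `sizeof("GLOBALS")` is 8 and `sizeof("GLOBALS[")-1` is also 8, but both compare `var` against the literal `"GLOBALS"`, whose eighth byte is the terminator, so neither of them matches a name that continues with `[`. The second test presumably meant `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. This early `return` also skips the `zval_dtor(val)` that the early returns in the next hunk perform, so `val` looks leaked on this path unless the caller releases it; `zval_dtor(val);` before the `return;` would match the others. The enclosing function starts outside the hunk.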
@@ -99,6 +103,13 @@
zval_dtor(val);
return;
}
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p=var; *p; p++) {
switch(*p) {
Index: php.spec
===================================================================
RCS file: /cvs/dist/rpms/php/FC-3/php.spec,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -r1.63 -r1.64
--- php.spec 25 Aug 2005 09:16:52 -0000 1.63
+++ php.spec 8 Nov 2005 11:14:20 -0000 1.64
@@ -6,7 +6,7 @@
Summary: The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Name: php
Version: 4.3.11
-Release: 2.7
+Release: 2.8
License: The PHP License
Group: Development/Languages
URL: http://www.php.net/
@@ -45,6 +45,10 @@
# Security fixes
Patch50: php-4.3.11-shtool.patch
+Patch51: php-4.3.9-CVE-2005-3389.patch
+Patch52: php-4.3.9-CVE-2005-3390.patch
+Patch53: php-4.3.9-CVE-2005-3388.patch
+Patch54: php-4.3.9-CVE-2005-3353.patch
BuildRoot: %{_tmppath}/%{name}-root
@@ -294,6 +298,10 @@
%patch31 -p1 -b .easter
%patch50 -p1 -b .shtool
+%patch51 -p1 -b .cve3389
+%patch52 -p1 -b .cve3390
+%patch53 -p1 -b .cve3388
+%patch54 -p1 -b .cve3353
# Prevent %%doc confusion over LICENSE files
cp Zend/LICENSE Zend/ZEND_LICENSE
@@ -562,6 +570,13 @@
%endif
%changelog
+* Fri Nov 4 2005 Joe Orton <jorton at redhat.com> 4.3.11-2.8
+- add security fixes from upstream:
+ * XSS issues in phpinfo() (CVE-2005-3388, #172212)
+ * GLOBALS handling (CVE-2005-3390, #172207)
+ * parse_str() enabling register_globals (CVE-2005-3389, #172209)
+ * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)
+
* Wed Aug 17 2005 Joe Orton <jorton at redhat.com> 4.3.11-2.7
- pear: update to XML_RPC 1.4.0 (CAN-2005-2498, #165847)