rpms/php/FC-6 php-5.1.6-CVE-2007-0455.patch, NONE, 1.1 php-5.1.6-CVE-2007-1001.patch, NONE, 1.1 php-5.1.6-CVE-2007-1285.patch, NONE, 1.1 php-5.1.6-CVE-2007-1583.patch, NONE, 1.1 php-5.1.6-CVE-2007-1718.patch, NONE, 1.1 php.spec, 1.123, 1.124
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Apr 5 13:25:51 UTC 2007
Author: jorton
Update of /cvs/dist/rpms/php/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv21858
Modified Files:
php.spec
Added Files:
php-5.1.6-CVE-2007-0455.patch php-5.1.6-CVE-2007-1001.patch
php-5.1.6-CVE-2007-1285.patch php-5.1.6-CVE-2007-1583.patch
php-5.1.6-CVE-2007-1718.patch
Log Message:
* Thu Apr 5 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.5.fc6
- add security fixes for CVE-2007-0455, CVE-2007-1001,
CVE-2007-1285, CVE-2007-1583, CVE-2007-1718 (#235354)
- package /usr/share/php (#225434)
php-5.1.6-CVE-2007-0455.patch:
gdft.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE php-5.1.6-CVE-2007-0455.patch ---
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235028
--- php-5.1.6/ext/gd/libgd/gdft.c.cve0455
+++ php-5.1.6/ext/gd/libgd/gdft.c
@@ -967,7 +967,7 @@
} else {
ch = c & 0xFF; /* don't extend sign */
}
- next++;
+ if (*next) next++;
}
break;
case gdFTEX_Big5: {
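Review bot: The new guard `if (*next) next++;` carries no comment saying why the increment is conditional, and the reason is not obvious from the surrounding lines. It appears to keep `next` from stepping past the string terminator when a two-byte sequence is cut short. A comment such as `/* truncated multibyte char: do not step past the terminating NUL */` would record that. The enclosing case block starts above the hunk, so whether the second byte was already read from `*next` before this point cannot be confirmed from here.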
php-5.1.6-CVE-2007-1001.patch:
wbmp.c | 15 +++++++++++++++
1 files changed, 15 insertions(+)
--- NEW FILE php-5.1.6-CVE-2007-1001.patch ---
--- php-5.1.6/ext/gd/libgd/wbmp.c.cve1001
+++ php-5.1.6/ext/gd/libgd/wbmp.c
@@ -102,6 +102,8 @@
return (0);
}
+#define SAFE_MULTIPLE(x,y) (x == 0 || y == 0 || (x > 0 && y > 0 && (x < INT_MAX / y)))
+
/* create wbmp
** -----------
** create an empty wbmp
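Review bot: `SAFE_MULTIPLE` uses its arguments unparenthesized and evaluates each one several times, so it is only safe with plain identifiers or member accesses that have no side effects. Writing it as `#define SAFE_MULTIPLE(x,y) ((x) == 0 || (y) == 0 || ((x) > 0 && (y) > 0 && ((x) < INT_MAX / (y))))` removes the precedence hazard. The macro also needs `INT_MAX`, so `<limits.h>` must be in scope, and no include is visible in this hunk. The check bounds only `x * y` as an `int`; the further multiplication by `sizeof(int)` is left to `safe_emalloc` at the call sites.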
@@ -116,6 +118,12 @@
if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
return (NULL);
+ if (!SAFE_MULTIPLE(width, height)) {
+ php_gd_error("createwbmp: Integer overflow from WBMP image height/width (%d x %d)\n", width, height);
+ gdFree(wbmp);
+ return NULL;
+ }
+
if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
{
gdFree (wbmp);
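Review bot: The overflow check in this hunk runs after `wbmp` has been allocated, so the rejection path has to call `gdFree(wbmp)` before returning. `width` and `height` appear to be plain parameters here, so the `SAFE_MULTIPLE` test could sit before the `gdMalloc` call and the failure path would reduce to `return NULL;`. The function's signature and the rest of its body are outside the hunk.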
@@ -176,6 +184,13 @@
printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
#endif
+ if (!SAFE_MULTIPLE(wbmp->width, wbmp->height)) {
+ php_gd_error("readwbmp: Integer overflow from WBMP image height/width (%d x %d)\n",
+ wbmp->width, wbmp->height);
+ gdFree(wbmp);
+ return (-1);
+ }
+
if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
{
gdFree (wbmp);
php-5.1.6-CVE-2007-1285.patch:
main.c | 1 +
php_globals.h | 2 ++
php_variables.c | 6 ++++++
3 files changed, 9 insertions(+)
--- NEW FILE php-5.1.6-CVE-2007-1285.patch ---
--- php-5.1.6/main/php_variables.c.cve1285
+++ php-5.1.6/main/php_variables.c
@@ -119,10 +119,16 @@
index_len = var_len;
if (is_array) {
+ int nest_level = 0;
while (1) {
char *index_s;
int new_idx_len = 0;
+ if (++nest_level > PG(max_input_nesting_level)) {
+ /* too many levels of nesting */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level));
+ }
+
ip++;
index_s = ip;
if (isspace(*ip)) {
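Review bot: The nesting-limit check inside the `while (1)` loop has no explicit exit: if the `php_error_docref(..., E_ERROR, ...)` call ever returned, control would fall through to `ip++` and parsing would continue past the limit. The bound therefore depends on E_ERROR unwinding the request. A comment stating that, or an explicit cleanup and `return` after the call, would make the limit hold regardless of how the error is handled. Because the message is raised as a fatal error, it may also be shown to the client when error display is enabled, which matters for input a remote party controls. The loop and any buffers that would need releasing lie outside the hunk.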
--- php-5.1.6/main/php_globals.h.cve1285
+++ php-5.1.6/main/php_globals.h
@@ -150,6 +150,8 @@
char *disable_functions;
char *disable_classes;
+
+ long max_input_nesting_level;
};
--- php-5.1.6/main/main.c.cve1285
+++ php-5.1.6/main/main.c
@@ -300,6 +300,7 @@
STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, upload_max_filesize, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, max_input_nesting_level, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
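Review bot: `max_input_nesting_level` is registered with `OnUpdateLong`, which accepts any integer. A value of 0 or below would make the `++nest_level > PG(max_input_nesting_level)` test in php_variables.c reject every array-style input variable. A handler that refuses values below 1, or a clamp where the setting is read, would stop a misconfiguration from turning the limit into an outage. The default of "64" is unaffected.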
php-5.1.6-CVE-2007-1583.patch:
mb_gpc.c | 9 ++++-----
1 files changed, 4 insertions(+), 5 deletions(-)
--- NEW FILE php-5.1.6-CVE-2007-1583.patch ---
--- php-5.1.6/ext/mbstring/mb_gpc.c.cve1286
+++ php-5.1.6/ext/mbstring/mb_gpc.c
@@ -206,9 +206,8 @@
/* register_globals stuff
* XXX: this feature is going to be deprecated? */
- if (info->force_register_globals) {
- prev_rg_state = PG(register_globals);
- PG(register_globals) = 1;
+ if (info->force_register_globals && !(prev_rg_state = PG(register_globals))) {
+ zend_alter_ini_entry("register_globals", sizeof("register_globals"), "1", sizeof("1")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
}
if (!res || *res == '\0') {
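Review bot: The condition `info->force_register_globals && !(prev_rg_state = PG(register_globals))` hides an assignment inside a negated test, and `prev_rg_state` is assigned only when `force_register_globals` is set. The restore block in the next hunk guards on the same flag, so the value is not read unassigned there. Saving the state on its own line, `prev_rg_state = PG(register_globals);`, followed by a plain `if (info->force_register_globals && !prev_rg_state)`, would make that easier to verify. The `.cve1286` backup suffix in this file header also differs from the patch name and from the `-b .cve1583` suffix used in php.spec.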
@@ -341,8 +340,8 @@
out:
/* register_global stuff */
- if (info->force_register_globals) {
- PG(register_globals) = prev_rg_state;
+ if (info->force_register_globals && !prev_rg_state) {
+ zend_alter_ini_entry("register_globals", sizeof("register_globals"), "0", sizeof("0")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
}
if (convd != NULL) {
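Review bot: The return value of `zend_alter_ini_entry` is ignored when `register_globals` is switched back to "0" after the `out:` label. If that call failed, the setting would stay enabled for the rest of the request, which is the state this change is meant to prevent. Checking the result and at least logging a failure would make that visible. The enabling call in the previous hunk is unchecked too, though a failure there leaves the setting off and is harmless.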
php-5.1.6-CVE-2007-1718.patch:
mail.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE php-5.1.6-CVE-2007-1718.patch ---
--- php-5.1.6/ext/standard/mail.c.cve1718
+++ php-5.1.6/ext/standard/mail.c
@@ -48,8 +48,8 @@
#define SKIP_LONG_HEADER_SEP(str, pos) \
if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \
- pos += 3; \
- while (str[pos] == ' ' || str[pos] == '\t') { \
+ pos += 2; \
+ while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { \
pos++; \
} \
continue; \
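Review bot: `SKIP_LONG_HEADER_SEP` now leaves `pos` on the last folding whitespace character rather than one past it, which is correct only if the enclosing loop advances `pos` after the macro's `continue`; that loop is outside the hunk. A comment above the macro, for example `/* leaves pos on the last folding-whitespace char; the caller's loop increment steps past it */`, would keep a later caller from using it in a loop that does not increment. The look-ahead read of `str[pos + 1]` stays in bounds because the scan stops at the first byte that is not a space or tab, including the terminator.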
Index: php.spec
===================================================================
RCS file: /cvs/dist/rpms/php/FC-6/php.spec,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -r1.123 -r1.124
--- php.spec 16 Feb 2007 16:10:59 -0000 1.123
+++ php.spec 5 Apr 2007 13:25:48 -0000 1.124
@@ -6,7 +6,7 @@
Summary: The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Name: php
Version: 5.1.6
-Release: 3.4%{?dist}
+Release: 3.5%{?dist}
License: The PHP License v3.01
Group: Development/Languages
URL: http://www.php.net/
@@ -47,6 +47,11 @@
Patch76: php-4.3.9-CVE-2007-0909-printf.patch
Patch77: php-5.1.6-CVE-2007-0910.patch
Patch78: php-4.3.9-CVE-2007-0988.patch
+Patch79: php-5.1.6-CVE-2007-1285.patch
+Patch80: php-5.1.6-CVE-2007-1583.patch
+Patch81: php-5.1.6-CVE-2007-0455.patch
+Patch82: php-5.1.6-CVE-2007-1001.patch
+Patch83: php-5.1.6-CVE-2007-1718.patch
BuildRoot: %{_tmppath}/%{name}-root
@@ -331,6 +336,11 @@
%patch76 -p1 -b .cve0909-printf
%patch77 -p1 -b .cve0910
%patch78 -p1 -b .cve0988
+%patch79 -p1 -b .cve1285
+%patch80 -p1 -b .cve1583
+%patch81 -p1 -b .cve0455
+%patch82 -p1 -b .cve1001
+%patch83 -p1 -b .cve1718
# Prevent %%doc confusion over LICENSE files
cp Zend/LICENSE Zend/ZEND_LICENSE
@@ -619,6 +629,7 @@
%dir %{_libdir}/php/modules
%dir %{_localstatedir}/lib/php
%dir %{_libdir}/php/pear
+%dir %{_datadir}/php
%files cli
%defattr(-,root,root)
@@ -653,6 +664,11 @@
%files pdo -f files.pdo
%changelog
+* Thu Apr 5 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.5.fc6
+- add security fixes for CVE-2007-0455, CVE-2007-1001,
+ CVE-2007-1285, CVE-2007-1583, CVE-2007-1718 (#235354)
+- package /usr/share/php (#225434)
+
* Fri Feb 16 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.4.fc6
- add security fixes for: CVE-2007-0906, CVE-2007-0907,
CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988 (#228011)