rpms/php/FC-6 php-5.1.6-CVE-2007-0455.patch, NONE, 1.1 php-5.1.6-CVE-2007-1001.patch, NONE, 1.1 php-5.1.6-CVE-2007-1285.patch, NONE, 1.1 php-5.1.6-CVE-2007-1583.patch, NONE, 1.1 php-5.1.6-CVE-2007-1718.patch, NONE, 1.1 php.spec, 1.123, 1.124

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Apr 5 13:25:51 UTC 2007


Author: jorton

Update of /cvs/dist/rpms/php/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv21858

Modified Files:
	php.spec 
Added Files:
	php-5.1.6-CVE-2007-0455.patch php-5.1.6-CVE-2007-1001.patch 
	php-5.1.6-CVE-2007-1285.patch php-5.1.6-CVE-2007-1583.patch 
	php-5.1.6-CVE-2007-1718.patch 
Log Message:
* Thu Apr  5 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.5.fc6
- add security fixes for CVE-2007-0455, CVE-2007-1001, 
  CVE-2007-1285, CVE-2007-1583, CVE-2007-1718 (#235354)
- package /usr/share/php (#225434)


php-5.1.6-CVE-2007-0455.patch:
 gdft.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE php-5.1.6-CVE-2007-0455.patch ---

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235028

--- php-5.1.6/ext/gd/libgd/gdft.c.cve0455
+++ php-5.1.6/ext/gd/libgd/gdft.c
@@ -967,7 +967,7 @@
 					} else {
 						ch = c & 0xFF;	/* don't extend sign */
 					}
-					next++;
+					if (*next) next++;
 				}
 				break;
 			case gdFTEX_Big5: {
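Review bot: The guard `if (*next) next++;` stops the pointer from being stepped past the string's terminating NUL, but whether a non-advancing iteration then terminates depends on the enclosing loop's condition, which starts outside this hunk; confirm that condition tests `*next` (or otherwise breaks) so a string ending in the middle of a multi-byte sequence cannot spin. A one-line comment would keep the intent from being "simplified" away later: `if (*next) next++;  /* CVE-2007-0455: never step past the terminating NUL */`. The `gdFTEX_Big5` case that begins at the end of the hunk is not touched; if it advances its cursor unconditionally in the same way it needs the same check, which cannot be seen from here.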

php-5.1.6-CVE-2007-1001.patch:
 wbmp.c |   15 +++++++++++++++
 1 files changed, 15 insertions(+)

--- NEW FILE php-5.1.6-CVE-2007-1001.patch ---
--- php-5.1.6/ext/gd/libgd/wbmp.c.cve1001
+++ php-5.1.6/ext/gd/libgd/wbmp.c
@@ -102,6 +102,8 @@
   return (0);
 }
 
+#define SAFE_MULTIPLE(x,y) (x == 0 || y == 0 || (x > 0 && y > 0 && (x < INT_MAX / y)))
+
 /* create wbmp
    ** -----------
    ** create an empty wbmp
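Review bot: SAFE_MULTIPLE uses its arguments unparenthesized, so a call with a compound expression (say `SAFE_MULTIPLE(w + 1, h)`) would associate wrongly against `/` and `>`; the two call sites in this patch pass plain variables, but the macro should still be written `#define SAFE_MULTIPLE(x,y) ((x) == 0 || (y) == 0 || ((x) > 0 && (y) > 0 && (x) < INT_MAX / (y)))`. It also evaluates each argument more than once, which is worth a comment so nobody passes an expression with side effects. INT_MAX requires `<limits.h>`; the hunk does not show whether wbmp.c already includes it, so check the build does not rely on a transitive include.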
@@ -116,6 +118,12 @@
   if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
     return (NULL);
 
+  if (!SAFE_MULTIPLE(width, height)) {
+      php_gd_error("createwbmp: Integer overflow from WBMP image height/width (%d x %d)\n", width, height);
+      gdFree(wbmp);
+      return NULL;
+  }
+
   if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
     {
       gdFree (wbmp);
@@ -176,6 +184,13 @@
   printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
 #endif
 
+  if (!SAFE_MULTIPLE(wbmp->width, wbmp->height)) {
+      php_gd_error("readwbmp: Integer overflow from WBMP image height/width (%d x %d)\n", 
+                   wbmp->width, wbmp->height);
+      gdFree(wbmp);
+      return (-1);
+  }
+
   if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
     {
       gdFree (wbmp);

php-5.1.6-CVE-2007-1285.patch:
 main.c          |    1 +
 php_globals.h   |    2 ++
 php_variables.c |    6 ++++++
 3 files changed, 9 insertions(+)

--- NEW FILE php-5.1.6-CVE-2007-1285.patch ---
--- php-5.1.6/main/php_variables.c.cve1285
+++ php-5.1.6/main/php_variables.c
@@ -119,10 +119,16 @@
 	index_len = var_len;
 
 	if (is_array) {
+		int nest_level = 0;
 		while (1) {
 			char *index_s;
 			int new_idx_len = 0;
 
+			if (++nest_level > PG(max_input_nesting_level)) {
+				/* too many levels of nesting */
+				php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level));
+			}
+
 			ip++;
 			index_s = ip;
 			if (isspace(*ip)) {
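Review bot: The nesting check relies on `php_error_docref(..., E_ERROR, ...)` not returning (E_ERROR bails out of the request); there is no `return` or `break` after the call, so if the severity were ever lowered to a warning the loop would simply carry on past the limit. That dependency should be explicit: `/* E_ERROR bails out of the request; the loop must not proceed past the limit */`, or add a defensive exit after the call if the enclosing function's return type allows it — the function starts outside this hunk. The `%ld` format matches the `long` field added in the php_globals.h part of the patch.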
--- php-5.1.6/main/php_globals.h.cve1285
+++ php-5.1.6/main/php_globals.h
@@ -150,6 +150,8 @@
 
 	char *disable_functions;
 	char *disable_classes;
+
+	long max_input_nesting_level;
 };
 
 
--- php-5.1.6/main/main.c.cve1285
+++ php-5.1.6/main/main.c
@@ -300,6 +300,7 @@
 	STD_PHP_INI_ENTRY("upload_max_filesize",	"2M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			upload_max_filesize,	php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("post_max_size",			"8M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			post_max_size,			sapi_globals_struct,sapi_globals)
 	STD_PHP_INI_ENTRY("upload_tmp_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	upload_tmp_dir,			php_core_globals,	core_globals)
+	STD_PHP_INI_ENTRY("max_input_nesting_level", "64",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,	max_input_nesting_level,			php_core_globals,	core_globals)
 
 	STD_PHP_INI_ENTRY("user_dir",				NULL,		PHP_INI_SYSTEM,		OnUpdateString,			user_dir,				php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("variables_order",		"EGPCS",	PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateStringUnempty,	variables_order,		php_core_globals,	core_globals)

php-5.1.6-CVE-2007-1583.patch:
 mb_gpc.c |    9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

--- NEW FILE php-5.1.6-CVE-2007-1583.patch ---
--- php-5.1.6/ext/mbstring/mb_gpc.c.cve1286
+++ php-5.1.6/ext/mbstring/mb_gpc.c
@@ -206,9 +206,8 @@
 	/* register_globals stuff
 	 * XXX: this feature is going to be deprecated? */
 
-	if (info->force_register_globals) {
-		prev_rg_state = PG(register_globals);
-		PG(register_globals) = 1;
+	if (info->force_register_globals && !(prev_rg_state = PG(register_globals))) {
+		zend_alter_ini_entry("register_globals", sizeof("register_globals"), "1", sizeof("1")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
 	}
 
 	if (!res || *res == '\0') {
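Review bot: The return value of `zend_alter_ini_entry` is discarded, so if enabling register_globals fails the function continues as if it had succeeded; the matching restore at `out:` will still run and set it to "0", which is harmless, but the forced-globals path then silently does nothing. The assignment folded into the condition, `!(prev_rg_state = PG(register_globals))`, is easy to misread; `prev_rg_state = PG(register_globals); if (info->force_register_globals && !prev_rg_state) { ... }` is equivalent for the two reads in this patch and clearer. Also confirm that the `if (!res || *res == '\0')` branch that follows reaches `out:` rather than returning directly — its body is outside the hunk, and a direct return would leave register_globals enabled for the rest of the request.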
@@ -341,8 +340,8 @@
 
 out:
 	/* register_global stuff */
-	if (info->force_register_globals) {
-		PG(register_globals) = prev_rg_state;
+	if (info->force_register_globals && !prev_rg_state) {
+		zend_alter_ini_entry("register_globals", sizeof("register_globals"), "0", sizeof("0")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
 	}
 
 	if (convd != NULL) {

php-5.1.6-CVE-2007-1718.patch:
 mail.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE php-5.1.6-CVE-2007-1718.patch ---
--- php-5.1.6/ext/standard/mail.c.cve1718
+++ php-5.1.6/ext/standard/mail.c
@@ -48,8 +48,8 @@
 
 #define SKIP_LONG_HEADER_SEP(str, pos)										\
 	if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) {	\
-		pos += 3;											\
-		while (str[pos] == ' ' || str[pos] == '\t') {							\
+		pos += 2;											\
+		while (str[pos + 1] == ' ' || str[pos + 1] == '\t') {							\
 			pos++;											\
 		}												\
 		continue;											\
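Review bot: The rewritten macro now leaves `pos` on the last byte of the folding whitespace and depends on the enclosing loop's increment, which is not visible in this hunk, stepping onto the next header byte after `continue`; that coupling is exactly what the old `pos += 3` got wrong, so it should be written down next to the definition: `/* leaves pos on the last folding char; the caller's loop increment advances to the next header byte */`. Because the macro uses `continue`, it cannot be wrapped in `do { } while (0)` (that would redirect the `continue` to the inner loop), so it must be expanded directly inside the scanning loop — worth a second line of comment. The `str[pos + 2]` read on the unchanged first line assumes a NUL-terminated string so a trailing "\r\n" is safe; that is existing behaviour, not changed here.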


Index: php.spec
===================================================================
RCS file: /cvs/dist/rpms/php/FC-6/php.spec,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -r1.123 -r1.124
--- php.spec	16 Feb 2007 16:10:59 -0000	1.123
+++ php.spec	5 Apr 2007 13:25:48 -0000	1.124
@@ -6,7 +6,7 @@
 Summary: The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
 Name: php
 Version: 5.1.6
-Release: 3.4%{?dist}
+Release: 3.5%{?dist}
 License: The PHP License v3.01
 Group: Development/Languages
 URL: http://www.php.net/
@@ -47,6 +47,11 @@
 Patch76: php-4.3.9-CVE-2007-0909-printf.patch
 Patch77: php-5.1.6-CVE-2007-0910.patch
 Patch78: php-4.3.9-CVE-2007-0988.patch
+Patch79: php-5.1.6-CVE-2007-1285.patch
+Patch80: php-5.1.6-CVE-2007-1583.patch
+Patch81: php-5.1.6-CVE-2007-0455.patch
+Patch82: php-5.1.6-CVE-2007-1001.patch
+Patch83: php-5.1.6-CVE-2007-1718.patch
 
 BuildRoot: %{_tmppath}/%{name}-root
 
@@ -331,6 +336,11 @@
 %patch76 -p1 -b .cve0909-printf
 %patch77 -p1 -b .cve0910
 %patch78 -p1 -b .cve0988
+%patch79 -p1 -b .cve1285
+%patch80 -p1 -b .cve1583
+%patch81 -p1 -b .cve0455
+%patch82 -p1 -b .cve1001
+%patch83 -p1 -b .cve1718
 
 # Prevent %%doc confusion over LICENSE files
 cp Zend/LICENSE Zend/ZEND_LICENSE
@@ -619,6 +629,7 @@
 %dir %{_libdir}/php/modules
 %dir %{_localstatedir}/lib/php
 %dir %{_libdir}/php/pear
+%dir %{_datadir}/php
 
 %files cli
 %defattr(-,root,root)
@@ -653,6 +664,11 @@
 %files pdo -f files.pdo
 
 %changelog
+* Thu Apr  5 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.5.fc6
+- add security fixes for CVE-2007-0455, CVE-2007-1001, 
+  CVE-2007-1285, CVE-2007-1583, CVE-2007-1718 (#235354)
+- package /usr/share/php (#225434)
+
 * Fri Feb 16 2007 Joe Orton <jorton at redhat.com> 5.1.6-3.4.fc6
 - add security fixes for: CVE-2007-0906, CVE-2007-0907, 
   CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988 (#228011)



