Moritz Muehlenhoff
2007-Apr-19 20:25 UTC
[Secure-testing-commits] r5679 - in data/patches/MOPB: . php4-etch php4-sarge
Author: jmm-guest Date: 2007-04-19 20:25:56 +0000 (Thu, 19 Apr 2007) New Revision: 5679 Added: data/patches/MOPB/php4-etch/ data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch data/patches/MOPB/php4-sarge/ data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch Log: Sarge and Etch patches for php4
Added: data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch
==================================================================
--- data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch 2007-04-19 07:10:05 UTC (rev 5678)
+++ data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch 2007-04-19 20:25:56 UTC (rev 5679)
@@ -0,0 +1,14 @@
+--- php4-4.4.4/ext/session/session.c 2006/12/26 16:53:47 1.417.2.8.2.22
++++ php4-4.4.4/ext/session/session.c 2006/12/31 22:25:55 1.417.2.8.2.23
+@@ -471,6 +471,11 @@
+ for (p = val; p < endptr; ) {
+ zval **tmp;
+ namelen = *p & (~PS_BIN_UNDEF);
++
++ if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
++ return FAILURE;
++ }
++
+ has_value = *p & PS_BIN_UNDEF ? 0 : 1;
+
+ name = estrndup(p + 1, namelen);
Added: data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch
==================================================================
--- data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch 2007-04-19 07:10:05 UTC (rev 5678)
+++ data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch 2007-04-19 20:25:56 UTC (rev 5679)
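Review bot: The bounds test in the added `if` forms `p + namelen` before comparing it with `endptr`, so for an over-long name length the pointer already lies more than one element past the end of the buffer, which C leaves undefined; comparing lengths avoids that, `if (namelen < 0 || namelen > PS_BIN_MAX || namelen >= endptr - p) {`. The new `return FAILURE;` also leaves the loop early, and the function starts and ends outside the hunk, so it should be confirmed that nothing set up before the `for` needs releasing on this path. The same hunk is added again for php4-sarge (php4-4.3.10) later in this commit, and both points apply there too.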
@@ -0,0 +1,26 @@
+--- php4-4.4.4.orig/ext/mbstring/mbstring.c 2006-04-03 15:04:13.000000000 +0200
++++ php4-4.4.4/ext/mbstring/mbstring.c 2007-04-19 22:16:46.000000000 +0200
+@@ -3499,8 +3499,8 @@
+ #if HAVE_SENDMAIL
+ #define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos) \
+ if (str[pos] == ''\r'' && str[pos + 1] == ''\n'' && (str[pos + 2] == '' '' || str[pos + 2] == ''\t'')) { \
+- pos += 3; \
+- while (str[pos] == '' '' || str[pos] == ''\t'') { \
++ pos += 2; \
++ while (str[pos + 1] == '' '' || str[pos + 1] == ''\t'') { \
+ pos++; \
+ } \
+ continue; \
+--- php4-4.4.4.orig/ext/standard/mail.c 2006-01-01 14:46:57.000000000 +0100
++++ php4-4.4.4/ext/standard/mail.c 2007-04-19 22:15:48.000000000 +0200
+@@ -48,8 +48,8 @@
+
+ #define SKIP_LONG_HEADER_SEP(str, pos) \
+ if (str[pos] == ''\r'' && str[pos + 1] == ''\n'' && (str[pos + 2] == '' '' || str[pos + 2] == ''\t'')) { \
+- pos += 3; \
+- while (str[pos] == '' '' || str[pos] == ''\t'') { \
++ pos += 2; \
++ while (str[pos + 1] == '' '' || str[pos + 1] == ''\t'') { \
+ pos++; \
+ } \
+ continue; \
Added: data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch
==================================================================
--- data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch 2007-04-19 07:10:05 UTC (rev 5678)
+++ data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch 2007-04-19 20:25:56 UTC (rev 5679)
@@ -0,0 +1,14 @@
+--- php4-4.3.10/ext/session/session.c 2006/12/26 16:53:47 1.417.2.8.2.22
++++ php4-4.3.10/ext/session/session.c 2006/12/31 22:25:55 1.417.2.8.2.23
+@@ -471,6 +471,11 @@
+ for (p = val; p < endptr; ) {
+ zval **tmp;
+ namelen = *p & (~PS_BIN_UNDEF);
++
++ if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
++ return FAILURE;
++ }
++
+ has_value = *p & PS_BIN_UNDEF ? 0 : 1;
+
+ name = estrndup(p + 1, namelen);
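Review bot: The rewritten `SKIP_LONG_HEADER_SEP_MBSTRING` and `SKIP_LONG_HEADER_SEP` bodies rely on an off-by-one convention that nothing in the macros states: `pos` is now left on the last folding space or tab instead of one past it, presumably so that the enclosing loop's increment, reached through `continue`, lands on the first character after the fold and that character is still inspected. A comment above each macro would stop this being simplified back to the old form, e.g. `/* stop on the last folding SP/TAB; the caller's loop increment then moves to the next char so it is still checked */`. The macro also exists as two copies (ext/mbstring/mbstring.c and ext/standard/mail.c), so any later correction has to be made in both, and the callers' loops are outside these hunks, so the increment assumption should be confirmed there. The character literals appear here with doubled quotes (`''\r''`), which looks like an archive rendering artifact but is worth checking against the committed patch file, since a patch in that form would not apply.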