Author: keescook-guest Date: 2007-04-19 00:43:40 +0000 (Thu, 19 Apr 2007) New Revision: 5677 Added: data/patches/MOPB/MOPB-22-php5.diff data/patches/MOPB/MOPB-34-php5.diff data/patches/MOPB/MOPB-41-php5.diff data/patches/MOPB/MOPB-42-php5.diff data/patches/MOPB/MOPB-45-php5.diff Modified: data/mopb.txt data/patches/MOPB/MOPB-10-php5.diff data/patches/MOPB/MOPB-14-php5.diff data/patches/MOPB/MOPB-15-php5.diff data/patches/MOPB/MOPB-24-php5.diff data/patches/MOPB/MOPB-29-php5.diff Log: patches for MOPB 22, 34, 41, 42, 45 Modified: data/mopb.txt ==================================================================--- data/mopb.txt 2007-04-18 23:25:16 UTC (rev 5676) +++ data/mopb.txt 2007-04-19 00:43:40 UTC (rev 5677) @@ -2,9 +2,11 @@ 41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability #TODO(medium) -> for PHP5, not activated in the PHP4 build, CVE-2007-1887. (php4 & php5, remote code execution) +[MOPB-41-php5.diff] 34 PHP mail() Header Injection Through Subject and To Parameters #TODO(medium) -> needs to be fixed, CVE-2007-1718 (php4 & php5, header injection possible via some MTAs when set to process the headers for recipients) +[MOPB-34-php5.diff] 30 PHP _SESSION unset() Vulnerability #TODO(low) -> hard to trigger remotely, CVE-2007-1700. (php4 & php5, code execution) @@ -15,6 +17,11 @@ 23 PHP 5 Rejected Session Identifier Double Free Vulnerability #TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution) +22 PHP session_regenerate_id() Double Free Vulnerability +#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution) +[MOPB-22-php4.diff] +[MOPB-22-php5.diff] + 10 PHP php_binary Session Deserialization Information Leak Vulnerability #TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) Check, to which extent this was covered by our backports of 5.2.1 patches 
@@ -31,10 +38,6 @@ TODO(medium) -> needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution) [MOPB-32-php4.diff] -22 PHP session_regenerate_id() Double Free Vulnerability -#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution) -[MOPB-22-php4.diff] - 04 PHP 4 unserialize() ZVAL Reference Counter Overflow TODO (php4 only, gain execute control) [MOPB-04-php4.diff] @@ -45,12 +48,14 @@ 45 PHP ext/filter Email Validation Vulnerability TODO(low) -> possible email header injections when coupled with other problems (php5 5.2.0, 5.2.1) +[MOPB-45-php5.diff] 44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability #TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only) 42 PHP 5 php_stream_filter_create() Off By One Vulnerablity #TODO(medium) -> needs to be fixed, CVE-2007-1824 (php5, remote code execution, though haven''t reproduced it) +[MOPB-42-php5.diff] 19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability #TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian) 
@@ -164,3 +169,43 @@ (Comments starting with # indicate that information has been fed to the tracker) (Comments starting with TOFIX indicate that a patch has been created or extracted) + + + +# PHP5 checklist.... +MOPB Sarge, Etch, Unstable Dapper, Edgy, Feisty PATCH +10 X X X X X X * +14 X X X X X X * +15 i i i X X X * +16 - X X - - - +17 - X X - - - +18 - X X - - - +19 - X X - - - +22 - X X X X X [1] * +23 - X X X X X ? +24 i i i X X X * +26 - X X X X X ? +29 - - - - - X * +30 - X X X X X ? +34 X X X X X X * +41 - X X X X X [2] ! +42 X X X X X - * +44 - X X - - - +45 - X X - - X [3] ! + +* = patch extracted from upstream +? = no upstream patch found +! = patch created + +X = fixed desired +a = patch applied +T = code tested +- = fix n/a +i = fix skipped + +[1] this is listed in mopb.txt as "PHP4 only", but I read it as applying + to both PHP4 and PHP5. +[2] discussed below, but the fix is unclear: php5 or sqlite? Here''s the + in-trunk "fix": + http://cvs.php.net/viewvc.cgi/php-src/ext/sqlite/libsqlite/src/encode.c?r1=1.5.4.1&r2=1.5.4.1.2.1&pathrev=PHP_5_2 +[3] this needs a CVE assigned Modified: data/patches/MOPB/MOPB-10-php5.diff ==================================================================--- data/patches/MOPB/MOPB-10-php5.diff 2007-04-18 23:25:16 UTC (rev 5676) +++ data/patches/MOPB/MOPB-10-php5.diff 2007-04-19 00:43:40 UTC (rev 5677) 
@@ -1,21 +1,13 @@ # http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.22&r2=1.417.2.8.2.23&pathrev=PHP_5_2&view=patch ---- session.c 2006/12/26 16:53:47 1.417.2.8.2.22 -+++ session.c 2006/12/31 22:25:55 1.417.2.8.2.23 -@@ -17,7 +17,7 @@ - +----------------------------------------------------------------------+ - */ - --/* $Id: session.c,v 1.417.2.8.2.22 2006/12/26 16:53:47 iliaa Exp $ */ -+/* $Id: session.c,v 1.417.2.8.2.23 2006/12/31 22:25:55 iliaa Exp $ */ - - #ifdef HAVE_CONFIG_H - #include "config.h" +# http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.26&r2=1.417.2.8.2.27&pathrev=PHP_5_2&view=patch +--- php-src/ext/session/session.c 2006/12/26 16:53:47 1.417.2.8.2.22 ++++ php-src/ext/session/session.c 2006/12/31 22:25:55 1.417.2.8.2.23 @@ -471,6 +471,11 @@ for (p = val; p < endptr; ) { zval **tmp; namelen = *p & (~PS_BIN_UNDEF); + -+ if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) { ++ if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { + return FAILURE; + } + Modified: data/patches/MOPB/MOPB-14-php5.diff ==================================================================--- data/patches/MOPB/MOPB-14-php5.diff 2007-04-18 23:25:16 UTC (rev 5676) +++ data/patches/MOPB/MOPB-14-php5.diff 2007-04-19 00:43:40 UTC (rev 5677) 
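Review bot: The first line of the patch now cites session.c r1=1.417.2.8.2.26&r2=1.417.2.8.2.27, but the `---`/`+++` stamps kept in the same hunk still say 1.417.2.8.2.22 and 1.417.2.8.2.23, so a reader cannot tell which upstream revision the added `namelen < 0` test was taken from; update the stamps or add a second `# ` line naming the revision that introduced it. The `< 0` test itself looks right if `*p` is a plain, possibly signed, `char` (its type is not in the hunk), since the mask can then leave a negative value; a comment on the new line, `/* *p may be signed: a negative namelen must not reach the pointer arithmetic below */`, would record why it was added. The remaining `(p + namelen) >= endptr` still forms a pointer past the buffer before comparing; `namelen >= endptr - p` checks the same thing without doing that. The inner session.c hunk continues past the end of this one.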
@@ -1,15 +1,6 @@ # http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.45&r2=1.445.2.14.2.49&pathrev=PHP_5_2&view=patch ---- string.c 2007/03/03 15:46:29 1.445.2.14.2.45 -+++ string.c 2007/03/08 00:47:04 1.445.2.14.2.49 -@@ -18,7 +18,7 @@ - +----------------------------------------------------------------------+ - */ - --/* $Id: string.c,v 1.445.2.14.2.45 2007/03/03 15:46:29 iliaa Exp $ */ -+/* $Id: string.c,v 1.445.2.14.2.49 2007/03/08 00:47:04 stas Exp $ */ - - /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ - +--- php-src/ext/standard/string.c 2007/03/03 15:46:29 1.445.2.14.2.45 ++++ php-src/ext/standard/string.c 2007/03/08 00:47:04 1.445.2.14.2.49 @@ -4642,18 +4642,20 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset should be greater than or equal to 0."); RETURN_FALSE; Modified: data/patches/MOPB/MOPB-15-php5.diff ==================================================================--- data/patches/MOPB/MOPB-15-php5.diff 2007-04-18 23:25:16 UTC (rev 5676) +++ data/patches/MOPB/MOPB-15-php5.diff 2007-04-19 00:43:40 UTC (rev 5677) @@ -1,15 +1,6 @@ # http://cvs.php.net/viewvc.cgi/php-src/ext/shmop/shmop.c?r1=1.31.2.2.2.1&r2=1.31.2.2.2.2&pathrev=PHP_5_2&view=patch ---- shmop.c 2006/11/03 14:46:48 1.31.2.2.2.1 -+++ shmop.c 2006/12/30 20:21:25 1.31.2.2.2.2 -@@ -16,7 +16,7 @@ - | Ilia Alshanetsky <ilia@prohost.org> | - +----------------------------------------------------------------------+ - */ --/* $Id: shmop.c,v 1.31.2.2.2.1 2006/11/03 14:46:48 bjori Exp $ */ -+/* $Id: shmop.c,v 1.31.2.2.2.2 2006/12/30 20:21:25 iliaa Exp $ */ - - #ifdef HAVE_CONFIG_H - #include "config.h" +--- php-src/ext/shmop/shmop.c 2006/11/03 14:46:48 1.31.2.2.2.1 ++++ php-src/ext/shmop/shmop.c 2006/12/30 20:21:25 1.31.2.2.2.2 
@@ -78,6 +78,16 @@ ZEND_GET_MODULE(shmop) #endif Added: data/patches/MOPB/MOPB-22-php5.diff ==================================================================--- data/patches/MOPB/MOPB-22-php5.diff 2007-04-18 23:25:16 UTC (rev 5676) +++ data/patches/MOPB/MOPB-22-php5.diff 2007-04-19 00:43:40 UTC (rev 5677) @@ -0,0 +1,19 @@ +# http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.31&r2=1.417.2.8.2.32&pathrev=PHP_5_2&view=patch +--- php-src/ext/session/session.c 2007/03/03 15:07:31 1.417.2.8.2.31 ++++ php-src/ext/session/session.c 2007/03/14 19:37:07 1.417.2.8.2.32 +@@ -846,6 +846,7 @@ + } else if (PS(invalid_session_id)) { /* address instances where the session read fails due to an invalid id */ + PS(invalid_session_id) = 0; + efree(PS(id)); ++ PS(id) = NULL; + goto new_session; + } + } +@@ -1575,6 +1576,7 @@ + RETURN_FALSE; + } + efree(PS(id)); ++ PS(id) = NULL; + } + + PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC); Modified: data/patches/MOPB/MOPB-24-php5.diff ==================================================================--- data/patches/MOPB/MOPB-24-php5.diff 2007-04-18 23:25:16 UTC (rev 5676) +++ data/patches/MOPB/MOPB-24-php5.diff 2007-04-19 00:43:40 UTC (rev 5677) @@ -1,15 +1,6 @@ # http://cvs.php.net/viewvc.cgi/php-src/ext/standard/array.c?r1=1.308.2.21.2.24&r2=1.308.2.21.2.25&pathrev=PHP_5_2&view=patch ---- array.c 2007/03/04 17:21:16 1.308.2.21.2.24 -+++ array.c 2007/03/16 19:38:58 1.308.2.21.2.25 -@@ -21,7 +21,7 @@ - +----------------------------------------------------------------------+ - */ - --/* $Id: array.c,v 1.308.2.21.2.24 2007/03/04 17:21:16 iliaa Exp $ */ -+/* $Id: array.c,v 1.308.2.21.2.25 2007/03/16 19:38:58 stas Exp $ */ - - #include "php.h" - #include "php_ini.h" +--- php-src/ext/standard/array.c 2007/03/04 17:21:16 1.308.2.21.2.24 ++++ php-src/ext/standard/array.c 2007/03/16 19:38:58 1.308.2.21.2.25 
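Review bot: The new MOPB-22 patch file carries only the upstream URL and no statement of what it fixes, although the tracker entry in this same commit names it (CVE-2007-1521, session_regenerate_id() double free); add a `# ` line after the URL, e.g. `# CVE-2007-1521 (MOPB-22): PS(id) stayed dangling after efree(); clear it after each efree() so it cannot be freed twice.` Both added `PS(id) = NULL;` lines sit directly after the `efree(PS(id));` they pair with, which is the right spot. In the second hunk PS(id) is reassigned from `s_create_sid()` two lines later, so the NULL there is defensive only; saying so in the patch comment would keep a future editor from dropping it as redundant.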
@@ -703,40 +703,40 @@ { Bucket *f; Modified: data/patches/MOPB/MOPB-29-php5.diff ==================================================================--- data/patches/MOPB/MOPB-29-php5.diff 2007-04-18 23:25:16 UTC (rev 5676) +++ data/patches/MOPB/MOPB-29-php5.diff 2007-04-19 00:43:40 UTC (rev 5677) @@ -1,15 +1,6 @@ # http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.re?r1=1.52.2.2.2.1&r2=1.52.2.2.2.2&pathrev=PHP_5_2&view=patch ---- var_unserializer.re 2006/12/15 00:58:08 1.52.2.2.2.1 -+++ var_unserializer.re 2007/03/23 20:15:21 1.52.2.2.2.2 -@@ -16,7 +16,7 @@ - +----------------------------------------------------------------------+ - */ - --/* $Id: var_unserializer.re,v 1.52.2.2.2.1 2006/12/15 00:58:08 andrei Exp $ */ -+/* $Id: var_unserializer.re,v 1.52.2.2.2.2 2007/03/23 20:15:21 stas Exp $ */ - - #include "php.h" - #include "ext/standard/php_var.h" +--- php-src/ext/standard/var_unserializer.re 2006/12/15 00:58:08 1.52.2.2.2.1 ++++ php-src/ext/standard/var_unserializer.re 2007/03/23 20:15:21 1.52.2.2.2.2 @@ -138,12 +138,18 @@ /* }}} */ Added: data/patches/MOPB/MOPB-34-php5.diff ==================================================================--- data/patches/MOPB/MOPB-34-php5.diff 2007-04-18 23:25:16 UTC (rev 5676) +++ data/patches/MOPB/MOPB-34-php5.diff 2007-04-19 00:43:40 UTC (rev 5677) 
@@ -0,0 +1,28 @@
+# http://cvs.php.net/viewvc.cgi/php-src/ext/standard/mail.c?r1=1.87.2.1.2.4&r2=1.87.2.1.2.5&pathrev=PHP_5_2&view=patch
+# http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/mbstring.c?r1=1.224.2.22.2.21&r2=1.224.2.22.2.22&pathrev=PHP_5_2&view=patch
+--- php-src/ext/standard/mail.c 2007/03/27 09:20:27 1.87.2.1.2.4
++++ php-src/ext/standard/mail.c 2007/03/30 00:28:58 1.87.2.1.2.5
+@@ -48,8 +48,8 @@
+
+ #define SKIP_LONG_HEADER_SEP(str, pos) \
+ if (str[pos] == ''\r'' && str[pos + 1] == ''\n'' && (str[pos + 2] == '' '' || str[pos + 2] == ''\t'')) { \
+- pos += 3; \
+- while (str[pos] == '' '' || str[pos] == ''\t'') { \
++ pos += 2; \
++ while (str[pos + 1] == '' '' || str[pos + 1] == ''\t'') { \
+ pos++; \
+ } \
+ continue; \
+--- php-src/ext/mbstring/mbstring.c 2007/02/24 02:17:24 1.224.2.22.2.21
++++ php-src/ext/mbstring/mbstring.c 2007/04/04 15:25:41 1.224.2.22.2.22
+@@ -3301,8 +3301,8 @@
+
+ #define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos) \
+ if (str[pos] == ''\r'' && str[pos + 1] == ''\n'' && (str[pos + 2] == '' '' || str[pos + 2] == ''\t'')) { \
+- pos += 3; \
+- while (str[pos] == '' '' || str[pos] == ''\t'') { \
++ pos += 2; \
++ while (str[pos + 1] == '' '' || str[pos + 1] == ''\t'') { \
+ pos++; \
+ } \
+ continue; \
Added: data/patches/MOPB/MOPB-41-php5.diff
==================================================================
--- data/patches/MOPB/MOPB-41-php5.diff 2007-04-18 23:25:16 UTC (rev 5676)
+++ data/patches/MOPB/MOPB-41-php5.diff 2007-04-19 00:43:40 UTC (rev 5677)
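Review bot: The corrected macro no longer leaves `pos` on the first byte after the folding whitespace; with `pos += 2` and the `str[pos + 1]` look-ahead it stops one byte earlier and appears to rely on the enclosing loop's own increment after `continue` to step over the last blank, and that loop is outside the hunk so the dependency is invisible here. Add a comment on the `continue; \` line of both macros, `/* pos stays on the last SP/HT; the caller's pos++ moves past it */`, so the offset is not "fixed" back to 3 later. Applying the same two-line change to the copy in mbstring.c is right, but the two macros are otherwise identical and will drift unless both are always edited together. The macro bodies continue past the end of the hunk.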
@@ -0,0 +1,39 @@
+diff -uNrp php5-5.2.1/ext/sqlite/sess_sqlite.c php5-5.2.1-kees/ext/sqlite/sess_sqlite.c
+--- php5-5.2.1/ext/sqlite/sess_sqlite.c 2007-01-01 01:36:07.000000000 -0800
++++ php5-5.2.1-kees/ext/sqlite/sess_sqlite.c 2007-04-18 17:05:57.000000000 -0700
+@@ -31,6 +31,11 @@
+ extern int sqlite_encode_binary(const unsigned char *in, int n, unsigned char *out);
+ extern int sqlite_decode_binary(const unsigned char *in, unsigned char *out);
+
++#define php_sqlite_decode_binary(in, out) ( \
++ (!in || !*in) ? 0 : \
++ sqlite_decode_binary((const unsigned char *)in, (unsigned char *)out) \
++)
++
+ PS_FUNCS(sqlite);
+
+ ps_module ps_mod_sqlite = {
+@@ -111,7 +116,7 @@ PS_READ_FUNC(sqlite)
+ if (rowdata[0] != NULL) {
+ *vallen = strlen(rowdata[0]);
+ *val = emalloc(*vallen);
+- *vallen = sqlite_decode_binary(rowdata[0], *val);
++ *vallen = php_sqlite_decode_binary(rowdata[0], *val);
+ (*val)[*vallen] = ''\0'';
+ }
+ break;
+diff -uNrp php5-5.2.1/ext/sqlite/sqlite.c php5-5.2.1-kees/ext/sqlite/sqlite.c
+--- php5-5.2.1/ext/sqlite/sqlite.c 2007-01-01 01:36:07.000000000 -0800
++++ php5-5.2.1-kees/ext/sqlite/sqlite.c 2007-04-18 17:04:43.000000000 -0700
+@@ -73,7 +73,10 @@ extern int sqlite_encode_binary(const un
+ extern int sqlite_decode_binary(const unsigned char *in, unsigned char *out);
+
+ #define php_sqlite_encode_binary(in, n, out) sqlite_encode_binary((const unsigned char *)in, n, (unsigned char *)out)
+-#define php_sqlite_decode_binary(in, out) sqlite_decode_binary((const unsigned char *)in, (unsigned char *)out)
++#define php_sqlite_decode_binary(in, out) ( \
++ (!in || !*in) ? 0 : \
++ sqlite_decode_binary((const unsigned char *)in, (unsigned char *)out) \
++)
+
+ static int sqlite_count_elements(zval *object, long *count TSRMLS_DC);
+
Added: data/patches/MOPB/MOPB-42-php5.diff
==================================================================
--- data/patches/MOPB/MOPB-42-php5.diff 2007-04-18 23:25:16 UTC (rev 5676)
+++ data/patches/MOPB/MOPB-42-php5.diff 2007-04-19 00:43:40 UTC (rev 5677)
@@ -0,0 +1,13 @@
+# http://cvs.php.net/viewvc.cgi/php-src/main/streams/filter.c?r1=1.17.2.3.2.4&r2=1.17.2.3.2.5&pathrev=PHP_5_2&view=patch
+--- filter.c 2006/11/21 20:58:17 1.17.2.3.2.4
++++ filter.c 2006/12/25 13:11:23 1.17.2.3.2.5
+@@ -265,7 +265,8 @@
+ /* try a wildcard */
+ char *wildname;
+
+- wildname = estrdup(filtername);
++ wildname = emalloc(n+3);
++ memcpy(wildname, filtername, n+1);
+ period = wildname + (period - filtername);
+ while (period && !filter) {
+ *period = ''\0'';
Added: data/patches/MOPB/MOPB-45-php5.diff
==================================================================
--- data/patches/MOPB/MOPB-45-php5.diff 2007-04-18 23:25:16 UTC (rev 5676)
+++ data/patches/MOPB/MOPB-45-php5.diff 2007-04-19 00:43:40 UTC (rev 5677)
@@ -0,0 +1,12 @@
+diff -uNrp php5-5.2.1/ext/filter/logical_filters.c php5-5.2.1-kees/ext/filter/logical_filters.c
+--- php5-5.2.1/ext/filter/logical_filters.c 2007-01-01 01:36:00.000000000 -0800
++++ php5-5.2.1-kees/ext/filter/logical_filters.c 2007-04-18 17:27:58.000000000 -0700
+@@ -473,7 +473,7 @@ void php_filter_validate_email(PHP_INPUT
+
+ pcre *re = NULL;
+ pcre_extra *pcre_extra = NULL;
+- int preg_options = 0;
++ int preg_options = PCRE_DOLLAR_ENDONLY;
+ int ovector[150]; /* Needs to be a multiple of 3 */
+ int matches;
+
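Review bot: The new `php_sqlite_decode_binary` macro uses its arguments unparenthesized (`!in`, `!*in`, `(const unsigned char *)in`), so an argument that is an expression rather than a plain identifier would bind wrongly; write `(!(in) || !*(in)) ? 0 : \` and `sqlite_decode_binary((const unsigned char *)(in), (unsigned char *)(out)) \` in both copies (sess_sqlite.c and sqlite.c). In the PS_READ_FUNC hunk the buffer is `emalloc(*vallen)` with `*vallen = strlen(rowdata[0])`, and the unchanged line after the call stores `(*val)[*vallen] = '\0'`; with the new empty-input short-circuit that is a one-byte write into a zero-length request whenever the row holds an empty string, so `*val = emalloc(*vallen + 1);` removes the dependence on allocator rounding. This is a locally written fix (the checklist marks 41 with `!`), so a `# ` line above the first `diff` header recording why the empty-input guard was chosen over the in-trunk encode.c change named in footnote [2] would help the next maintainer judge it.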
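Review bot: The `---`/`+++` headers of the new MOPB-42 patch name a bare `filter.c`, while this same commit rewrites the other extracted patches to full `php-src/...` paths (MOPB-10, -14, -15, -24, -29); use `php-src/main/streams/filter.c` here too so every file applies at the same -p level. The replacement `emalloc(n+3)` plus `memcpy(wildname, filtername, n+1)` copies the terminator along with the name, which the later `*period = '\0'` rewrite needs, but `n` is defined outside the hunk and the patch file does not say it is the length of `filtername`; a `# ` line after the URL stating which off-by-one the extra bytes cover (the tracker lists this as CVE-2007-1824) would make the extracted hunk reviewable on its own.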
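Review bot: The new MOPB-45 patch is a locally created fix (checklist `!`, footnote [3] says no CVE yet) but, unlike the extracted patches, it has no `# ` comment line at all; add one above the `diff` header, e.g. `# MOPB-45: compile the e-mail regex with PCRE_DOLLAR_ENDONLY so $ cannot match before a trailing newline`. PCRE_DOLLAR_ENDONLY only has an effect when the pattern actually ends in `$` and is not compiled with PCRE_MULTILINE; the regex and the `pcre_compile` call are outside the hunk, so confirm both, otherwise the option is a no-op and the trailing-newline input still validates. `preg_options` is not touched elsewhere in the visible lines, so the change is otherwise self-contained.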