Moritz Muehlenhoff
2007-Apr-19 20:43 UTC
[Secure-testing-commits] r5681 - in data/patches/MOPB: . php4-etch php4-sarge
Author: jmm-guest
Date: 2007-04-19 20:43:48 +0000 (Thu, 19 Apr 2007)
New Revision: 5681
Added:
data/patches/MOPB/php4-etch/069-CVE-2007-0910-updated-for-MOPB-32.patch
data/patches/MOPB/php4-etch/073-CVE-2007-1521-MOPB-22.patch
data/patches/MOPB/php4-sarge/CVE-2007-0910-updated-for-MOPB-32.patch
data/patches/MOPB/php4-sarge/CVE-2007-1521-MOPB-22.patch
Removed:
data/patches/MOPB/MOPB-22-php4.diff
Log:
more php4 patches for Etch and Sarge
Deleted: data/patches/MOPB/MOPB-22-php4.diff
==================================================================
--- data/patches/MOPB/MOPB-22-php4.diff 2007-04-19 20:26:21 UTC (rev 5680)
+++ data/patches/MOPB/MOPB-22-php4.diff 2007-04-19 20:43:48 UTC (rev 5681)
@@ -1,25 +0,0 @@
-# Double check
-
-diff -aur php-4.4.6/ext/session/session.c php-4.4.7RC1/ext/session/session.c
---- php-4.4.6/ext/session/session.c 2007-02-15 10:41:30.000000000 +0100
-+++ php-4.4.7RC1/ext/session/session.c 2007-04-04 21:52:26.000000000 +0200
-@@ -1396,7 +1395,10 @@
- RETURN_FALSE;
- }
- if (PS(session_status) == php_session_active) {
-- if (PS(id)) efree(PS(id));
-+ if (PS(id)) {
-+ efree(PS(id));
-+ PS(id) = NULL;
-+ }
- 
- PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
- 
-@@ -1688,6 +1690,7 @@
- }
- if (PS(id)) {
- efree(PS(id));
-+ PS(id) = NULL;
- }
- PS(session_status)=php_session_none;
- }
Added: data/patches/MOPB/php4-etch/069-CVE-2007-0910-updated-for-MOPB-32.patch
==================================================================
--- data/patches/MOPB/php4-etch/069-CVE-2007-0910-updated-for-MOPB-32.patch 2007-04-19 20:26:21 UTC (rev 5680)
+++ data/patches/MOPB/php4-etch/069-CVE-2007-0910-updated-for-MOPB-32.patch 2007-04-19 20:43:48 UTC (rev 5681)
@@ -0,0 +1,140 @@
+
+Fix possible super-global clobbers; CVE-2007-0910
+
+Fix possible overflows and stack corruptions covered by CVE-2007-0906.
+
+--- php-4.3.9/ext/session/session.c.cve0910
++++ php-4.3.9/ext/session/session.c
+@@ -267,8 +267,12 @@
+ {
+ zval **sym_track = NULL;
+ 
+- zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen + 1,
+- (void *) &sym_track);
++ IF_SESSION_VARS() {
++ zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen + 1,
++ (void *) &sym_track);
++ } else {
++ return;
++ }
+ 
+ /*
+ * Set up a proper reference between $_SESSION["x"] and $x.
+@@ -277,9 +271,12 @@
+ if (PG(register_globals)) {
+ zval **sym_global = NULL;
+ 
+- zend_hash_find(&EG(symbol_table), name, namelen + 1,
+- (void *) &sym_global);
+-
++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void *) &sym_global) == SUCCESS) {
++ if ((Z_TYPE_PP(sym_global) == IS_ARRAY && Z_ARRVAL_PP(sym_global) == &EG(symbol_table)) || *sym_global == PS(http_session_vars)) {
++ return;
++ }
++ }
++
+ if (sym_global == NULL && sym_track == NULL) {
+ zval *empty_var;
+ 
+@@ -309,7 +298,10 @@
+ if (PG(register_globals)) {
+ zval **old_symbol;
+ if (zend_hash_find(&EG(symbol_table),name,namelen+1,(void *)&old_symbol) == SUCCESS) {
+-
++ if ((Z_TYPE_PP(old_symbol) == IS_ARRAY && Z_ARRVAL_PP(old_symbol) == &EG(symbol_table)) || *old_symbol == PS(http_session_vars)) {
++ return;
++ }
++
+ /*
+ * A global symbol with the same name exists already. That
+ * symbol might have been created by other means (e.g. $_GET).
+@@ -418,13 +410,26 @@
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ 
+ for (p = val; p < endptr; ) {
++ zval **tmp;
+ namelen = *p & (~PS_BIN_UNDEF);
++
++ if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
++ return FAILURE;
++ }
++
+ has_value = *p & PS_BIN_UNDEF ? 0 : 1;
+ 
+ name = estrndup(p + 1, namelen);
+ 
+ p += namelen + 1;
+-
++
++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
++ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
++ efree(name);
++ continue;
++ }
++ }
++
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(¤t, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) {
+@@ -490,6 +495,7 @@
+ p = val;
+ 
+ while (p < endptr) {
++ zval **tmp;
+ q = p;
+ while (*q != PS_DELIMITER)
+ if (++q >= endptr) goto break_outer_loop;
+@@ -504,7 +510,14 @@
+ namelen = q - p;
+ name = estrndup(p, namelen);
+ q++;
+-
++
++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
++ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
++
++ goto skip;
++ }
++ }
++
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(¤t, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) {
+@@ -513,6 +526,7 @@
+ zval_ptr_dtor(¤t);
+ }
+ PS_ADD_VARL(name, namelen);
++skip:
+ efree(name);
+ 
+ p = q;
+@@ -532,12 +547,16 @@
+ zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"));
+ zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION"));
+ 
++ if (PS(http_session_vars)) {
++ zval_ptr_dtor(&PS(http_session_vars));
++ }
++
+ MAKE_STD_ZVAL(session_vars);
+ array_init(session_vars);
+ PS(http_session_vars) = session_vars;
+ 
+- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
+- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1);
++ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 3, 1);
++ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 3, 1);
+ }
+ 
+ static char *php_session_encode(int *newlen TSRMLS_DC)
+@@ -1637,6 +1605,10 @@
+ 
+ static void php_rshutdown_session_globals(TSRMLS_D)
+ {
++ if (PS(http_session_vars)) {
++ zval_ptr_dtor(&PS(http_session_vars));
++ PS(http_session_vars) = NULL;
++ }
+ if (PS(mod_data)) {
+ zend_try {
+ PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);
Added: data/patches/MOPB/php4-etch/073-CVE-2007-1521-MOPB-22.patch
==================================================================
--- data/patches/MOPB/php4-etch/073-CVE-2007-1521-MOPB-22.patch 2007-04-19 20:26:21 UTC (rev 5680)
+++ data/patches/MOPB/php4-etch/073-CVE-2007-1521-MOPB-22.patch 2007-04-19 20:43:48 UTC (rev 5681)
@@ -0,0 +1,23 @@
+diff -aur php-4.4.6/ext/session/session.c php-4.4.7RC1/ext/session/session.c
+--- php/ext/session/session.c 2007-02-15 10:41:30.000000000 +0100
++++ php4-4.4.4/ext/session/session.c 2007-04-04 21:52:26.000000000 +0200
+@@ -1396,7 +1395,10 @@
+ RETURN_FALSE;
+ }
+ if (PS(session_status) == php_session_active) {
+- if (PS(id)) efree(PS(id));
++ if (PS(id)) {
++ efree(PS(id));
++ PS(id) = NULL;
++ }
+ 
+ PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
+ 
+@@ -1688,6 +1690,7 @@
+ }
+ if (PS(id)) {
+ efree(PS(id));
++ PS(id) = NULL;
+ }
+ PS(session_status)=php_session_none;
+ }
Added: data/patches/MOPB/php4-sarge/CVE-2007-0910-updated-for-MOPB-32.patch
==================================================================
--- data/patches/MOPB/php4-sarge/CVE-2007-0910-updated-for-MOPB-32.patch 2007-04-19 20:26:21 UTC (rev 5680)
+++ data/patches/MOPB/php4-sarge/CVE-2007-0910-updated-for-MOPB-32.patch 2007-04-19 20:43:48 UTC (rev 5681)
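Review bot: The new length check in the binary decoder, `if (namelen > PS_BIN_MAX || (p + namelen) >= endptr)`, does not cover a negative `namelen`: `*p` is read through a plain `char`, and if PS_BIN_UNDEF is the high bit as its use as a flag suggests, a byte with that bit set gives a negative value where `char` is signed, passes both comparisons, and still reaches `estrndup(p + 1, namelen)`; masking an unsigned byte, `namelen = ((unsigned char) *p) & (~PS_BIN_UNDEF);`, closes that gap. The same early `return FAILURE;` leaves the `var_hash` set up by the visible `PHP_VAR_UNSERIALIZE_INIT(var_hash)` unreleased, so it presumably needs a `PHP_VAR_UNSERIALIZE_DESTROY(var_hash);` first, assuming the function's normal exit (outside the hunk) does that. Separately, skipping a super-global-named entry with `continue` (binary decoder) or `goto skip` (php decoder) bypasses the `php_var_unserialize` call that moves the cursor past that entry's value, so every later entry is parsed starting inside the skipped value; unserialising into a throw-away zval and then discarding it keeps the stream in sync while still refusing the clobber. Both points apply unchanged to the sarge copy of this patch in the later hunk for php4-sarge/CVE-2007-0910-updated-for-MOPB-32.patch.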
@@ -0,0 +1,151 @@
+
+Fix possible super-global clobbers; CVE-2007-0910
+
+Fix possible overflows and stack corruptions covered by CVE-2007-0906.
+
+Fix double free introduced by former security fix, MOPB-32.
+
+--- php-4.3.9/ext/session/session.c.cve0910
++++ php-4.3.9/ext/session/session.c
+@@ -252,8 +249,12 @@
+ {
+ zval **sym_track = NULL;
+ 
+- zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen + 1,
+- (void *) &sym_track);
++ IF_SESSION_VARS() {
++ zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen + 1,
++ (void *) &sym_track);
++ } else {
++ return;
++ }
+ 
+ /*
+ * Set up a proper reference between $_SESSION["x"] and $x.
+@@ -262,9 +263,12 @@
+ if (PG(register_globals)) {
+ zval **sym_global = NULL;
+ 
+- zend_hash_find(&EG(symbol_table), name, namelen + 1,
+- (void *) &sym_global);
+-
++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void *) &sym_global) == SUCCESS) {
++ if ((Z_TYPE_PP(sym_global) == IS_ARRAY && Z_ARRVAL_PP(sym_global) == &EG(symbol_table)) || *sym_global == PS(http_session_vars)) {
++ return;
++ }
++ }
++
+ if (sym_global == NULL && sym_track == NULL) {
+ zval *empty_var;
+ 
+@@ -294,7 +298,10 @@
+ if (PG(register_globals)) {
+ zval **old_symbol;
+ if (zend_hash_find(&EG(symbol_table),name,namelen+1,(void *)&old_symbol) == SUCCESS) {
+-
++ if ((Z_TYPE_PP(old_symbol) == IS_ARRAY && Z_ARRVAL_PP(old_symbol) == &EG(symbol_table)) || *old_symbol == PS(http_session_vars)) {
++ return;
++ }
++
+ /*
+ * A global symbol with the same name exists already. That
+ * symbol might have been created by other means (e.g. $_GET).
+@@ -403,13 +410,26 @@
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ 
+ for (p = val; p < endptr; ) {
++ zval **tmp;
+ namelen = *p & (~PS_BIN_UNDEF);
++
++ if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
++ return FAILURE;
++ }
++
+ has_value = *p & PS_BIN_UNDEF ? 0 : 1;
+ 
+ name = estrndup(p + 1, namelen);
+ 
+ p += namelen + 1;
+-
++
++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
++ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
++ efree(name);
++ continue;
++ }
++ }
++
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(¤t, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) {
+@@ -475,6 +495,7 @@
+ p = val;
+ 
+ while (p < endptr) {
++ zval **tmp;
+ q = p;
+ while (*q != PS_DELIMITER)
+ if (++q >= endptr) goto break_outer_loop;
+@@ -489,7 +510,14 @@
+ namelen = q - p;
+ name = estrndup(p, namelen);
+ q++;
+-
++
++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
++ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
++
++ goto skip;
++ }
++ }
++
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(¤t, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) {
+@@ -498,6 +526,7 @@
+ zval_ptr_dtor(¤t);
+ }
+ PS_ADD_VARL(name, namelen);
++skip:
+ efree(name);
+ 
+ p = q;
+@@ -517,12 +547,16 @@
+ zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"));
+ zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION"));
+ 
++ if (PS(http_session_vars)) {
++ zval_ptr_dtor(&PS(http_session_vars));
++ }
++
+ MAKE_STD_ZVAL(session_vars);
+ array_init(session_vars);
+ PS(http_session_vars) = session_vars;
+ 
+- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
+- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1);
++ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 3, 1);
++ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 3, 1);
+ }
+ 
+ static char *php_session_encode(int *newlen TSRMLS_DC)
+@@ -1612,6 +1605,10 @@
+ 
+ static void php_rshutdown_session_globals(TSRMLS_D)
+ {
++ if (PS(http_session_vars)) {
++ zval_ptr_dtor(&PS(http_session_vars));
++ PS(http_session_vars) = NULL;
++ }
+ if (PS(mod_data)) {
+ PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);
+ }
+
+
+
+
+
+
+
+
+
Added: data/patches/MOPB/php4-sarge/CVE-2007-1521-MOPB-22.patch
==================================================================
--- data/patches/MOPB/php4-sarge/CVE-2007-1521-MOPB-22.patch 2007-04-19 20:26:21 UTC (rev 5680)
+++ data/patches/MOPB/php4-sarge/CVE-2007-1521-MOPB-22.patch 2007-04-19 20:43:48 UTC (rev 5681)
@@ -0,0 +1,23 @@
+diff -aur php-4.4.6/ext/session/session.c php-4.4.7RC1/ext/session/session.c
+--- php/ext/session/session.c 2007-02-15 10:41:30.000000000 +0100
++++ php4-4.3.10/ext/session/session.c 2007-04-04 21:52:26.000000000 +0200
+@@ -1396,7 +1395,10 @@
+ RETURN_FALSE;
+ }
+ if (PS(session_status) == php_session_active) {
+- if (PS(id)) efree(PS(id));
++ if (PS(id)) {
++ efree(PS(id));
++ PS(id) = NULL;
++ }
+ 
+ PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
+ 
+@@ -1688,6 +1690,7 @@
+ }
+ if (PS(id)) {
+ efree(PS(id));
++ PS(id) = NULL;
+ }
+ PS(session_status)=php_session_none;
+ }