Sean Finney
2007-Apr-22 13:02 UTC
[Secure-testing-commits] r5699 - in data: . patches/MOPB
Author: seanius Date: 2007-04-22 13:02:48 +0000 (Sun, 22 Apr 2007) New Revision: 5699 Added: data/patches/MOPB/MOPB-35-php4.diff Modified: data/mopb.txt Log: fix for mopb 35 Modified: data/mopb.txt ==================================================================--- data/mopb.txt 2007-04-22 12:40:30 UTC (rev 5698) +++ data/mopb.txt 2007-04-22 13:02:48 UTC (rev 5699) @@ -1,7 +1,7 @@ Issues affecting PHP 4 and PHP 5: 41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability -#TODO(medium) -> for PHP5, not activated in the PHP4 build, CVE-2007-1887. (php4 & php5, remote code execution) +#TODO(medium) -> for PHP5, php4 uses a seperate php4-sqlite package. [MOPB-41-php5.diff] 34 PHP mail() Header Injection Through Subject and To Parameters @@ -32,6 +32,7 @@ 35 PHP 4 zip_entry_read() Integer Overflow Vulnerability #TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution) +[MOPB-35-php4.diff] 32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U) TODO(medium) -> needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution) @@ -177,7 +178,7 @@ Sarge Etch 41 ? x -35 ? x +35 ? a 34 / t 32 a T 30 n Added: data/patches/MOPB/MOPB-35-php4.diff ==================================================================--- data/patches/MOPB/MOPB-35-php4.diff 2007-04-22 12:40:30 UTC (rev 5698) +++ data/patches/MOPB/MOPB-35-php4.diff 2007-04-22 13:02:48 UTC (rev 5699) 
@@ -0,0 +1,31 @@ +--- zip.c 2007/01/01 09:46:50 1.33.2.3.2.2 ++++ zip.c 2007/01/02 14:40:32 1.33.2.3.2.3 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: zip.c,v 1.33.2.3.2.2 2007/01/01 09:46:50 sebastian Exp $ */ ++/* $Id: zip.c,v 1.33.2.3.2.3 2007/01/02 14:40:32 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -283,7 +283,7 @@ + } + /* }}} */ + +-/* {{{ proto string zip_entry_read(resource zip_ent) ++/* {{{ proto string zip_entry_read(resource zip_ent [, int nbytes]) + Read X bytes from an opened zip entry */ + PHP_FUNCTION(zip_entry_read) + { +@@ -295,6 +295,10 @@ + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|l", &zzip_ent, &len) == FAILURE) { + return; ++ } ++ if (len <= 0) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The bytes parameter must greater then zero"); ++ RETURN_FALSE; + } + ZEND_FETCH_RESOURCE(entry, php_zzip_dirent *, &zzip_ent, -1, le_zip_entry_name, le_zip_entry); +
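Review bot: In the data/mopb.txt hunk at @@ -1,7 +1,7 @@, the rewritten note for item 41 drops the CVE-2007-1887 reference and the "(php4 & php5, remote code execution)" impact text that the removed line carried. Keep the CVE id on the new line so the entry can still be found by CVE, and correct "seperate" to "separate".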
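Review bot: In the data/mopb.txt hunk at @@ -32,6 +32,7 @@, item 35 gains the [MOPB-35-php4.diff] reference but its status line still reads "#TODO(medium) -> needs to be fixed", while the table hunk at @@ -177,7 +178,7 @@ changes the Etch column for 35 from "x" to "a". Update the status line in the same commit so the entry and the table agree on the state of the fix.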
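Review bot: The @@ -16,7 +16,7 @@ hunk inside MOPB-35-php4.diff touches only the CVS "$Id:" keyword line (1.33.2.3.2.2 to 1.33.2.3.2.3) and carries no part of the fix. It will be rejected on any tree whose "$Id:" line is at a different revision, so drop it from the backport and keep the patch to the zip_entry_read() hunks.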
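Review bot: The guard added in the @@ -295,6 +295,10 @@ hunk of zip.c bounds len only from below ("if (len <= 0)"). The item is tracked as an integer overflow, and the visible lines show neither the allocation nor any upper limit on len, so before marking 35 as handled, confirm that a very large nbytes value cannot still wrap the size computation that follows ZEND_FETCH_RESOURCE. Separately, the warning string "The bytes parameter must greater then zero" should read "must be greater than zero", unless it is kept verbatim to match upstream.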