
postponing php5 issue



It seems a bit much to issue a DLA for a single issue in the php5
package (namely CVE-2016-7478):

https://security-tracker.debian.org/tracker/source-package/php5

I looked at the issue and the patch is easily ported, but I suggest we
postpone this DLA until more (or more severe) issues have accumulated
for php5.

I attached the backported patch for future reference. I'll update the
security tracker with details as well.

A.

PS: did someone notify the maintainer before triaging this issue? I
didn't see a mail go through...

>From 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 3 Oct 2016 00:09:02 -0700
Subject: [PATCH] Fix bug #73190: memcpy negative parameter _bc_new_num_ex

---
 Zend/zend_exceptions.c              | 32 ++++++++++++++++++++++++--------
 ext/bcmath/libbcmath/src/init.c     |  5 ++++-
 ext/bcmath/libbcmath/src/outofmem.c |  3 +--
 main/php_version.h                  |  6 +++---
 4 files changed, 32 insertions(+), 14 deletions(-)

--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -221,13 +221,9 @@ ZEND_METHOD(exception, __construct)
 /* {{{ proto Exception::__wakeup()
    Exception unserialize checks */
 #define CHECK_EXC_TYPE(name, type) \
-	value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \
+	value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \
 	if(value && Z_TYPE_P(value) != type) { \
-		zval *tmp; \
-		MAKE_STD_ZVAL(tmp); \
-		ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \
-		Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \
-		zval_ptr_dtor(&tmp); \
+		zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \
 	}
 
 ZEND_METHOD(exception, __wakeup)
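Review bot: The rewritten CHECK_EXC_TYPE body still expands to two bare statements (the assignment to `value` and the `if`), so a future call such as `if (cond) CHECK_EXC_TYPE(...);` would bind only the assignment to the condition; wrapping the macro in `do { … } while (0)` removes that trap without changing what the two call sites below do. The macro also relies on a `zval *value` declared by the caller, which is worth saying in a comment above it, e.g. `/* Requires a `zval *value` in scope; drops a property whose unserialized type is wrong */`. The change from silent=0 to silent=1 in zend_read_property only suppresses the undefined-property notice, which is appropriate for a __wakeup check, and is not what this note is about.
```c
/* Requires a `zval *value` in scope; drops a property whose unserialized type is wrong. */
#define CHECK_EXC_TYPE(name, type) do { \
	value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \
	if (value && Z_TYPE_P(value) != type) { \
		zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \
	} \
} while (0)
```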
@@ -241,7 +237,12 @@ ZEND_METHOD(exception, __wakeup)
 	CHECK_EXC_TYPE("file", IS_STRING);
 	CHECK_EXC_TYPE("line", IS_LONG);
 	CHECK_EXC_TYPE("trace", IS_ARRAY);
-	CHECK_EXC_TYPE("previous", IS_OBJECT);
+	value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+	if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT ||
+			!instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) ||
+			value == object)) {
+		zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC);
+	}
 }
 /* }}} */
 
@@ -719,7 +720,11 @@ ZEND_METHOD(exception, __toString)
 		zval_dtor(&file);
 		zval_dtor(&line);
 
-		exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC);
+		Z_OBJPROP_P(exception)->nApplyCount++;
+		exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+		if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) {
+			exception = NULL;
+		}
 
 		if (trace) {
 			zval_ptr_dtor(&trace);
@@ -728,6 +733,17 @@ ZEND_METHOD(exception, __toString)
 	}
 	zval_dtor(&fname);
 
+	/* Reset apply counts */
+	exception = getThis();
+	while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) {
+		if(Z_OBJPROP_P(exception)->nApplyCount) {
+			Z_OBJPROP_P(exception)->nApplyCount--;
+		} else {
+			break;
+		}
+		exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+	}
+
 	/* We store the result in the private property string so we can access
 	 * the result in uncaught exception handlers without memleaks. */
 	zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC);
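Review bot: The `/* Reset apply counts */` comment above the new loop does not say why counts were taken in the first place, which is the part a future reader needs; something like `/* Undo the nApplyCount increments made while walking the previous chain above; the counts double as the cycle guard that stops a self-referencing "previous" from looping forever (bug #73190). Stop at the first zero: that is where the walk above stopped. */` captures both the intent and the reason the loop breaks on zero. Style-wise the `if(Z_OBJPROP_P(exception)->nApplyCount)` line is missing the space after `if` that the surrounding code uses. The per-node `instanceof_function` check mirrors the walk above, which is what makes the reset land on exactly the objects that were incremented.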
--- a/ext/bcmath/libbcmath/src/init.c
+++ b/ext/bcmath/libbcmath/src/init.c
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persisten
      int length, scale, persistent;
 {
   bc_num temp;
-
+  /* PHP Change:  add length check */
+  if ((size_t)length+(size_t)scale > INT_MAX) {
+   zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+  }
   /* PHP Change:  malloc() -> pemalloc(), removed free_list code */
   temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
 #if 0
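Review bot: The new length check relies on the size_t casts to turn a negative `length` or `scale` into a huge value, but the sum can wrap back into range (for instance length = -5, scale = 10 gives 5), so a negative argument can still reach `safe_pemalloc` with `sizeof(bc_struct)+length` already reduced — and the bug being fixed is titled "memcpy negative parameter". An explicit sign test closes that gap, and `zend_error_noreturn` matches the outofmem.c hunk in the same patch and tells the compiler nothing below runs on the error path: `if (length < 0 || scale < 0 || (size_t)length + (size_t)scale > INT_MAX) {` followed by `zend_error_noreturn(E_ERROR, "Result too long, max is %d", INT_MAX);`. `INT_MAX` needs `<limits.h>`; I cannot see from the hunk whether this file already includes it.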
--- a/ext/bcmath/libbcmath/src/outofmem.c
+++ b/ext/bcmath/libbcmath/src/outofmem.c
@@ -41,6 +41,5 @@
 
 void bc_out_of_memory (void)
 {
-  (void) fprintf (stderr, "bcmath: out of memory!\n");
-  exit (1);
+  zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
 }
