
php5 for LTS



Hi,

this is my debdiff for fixing CVE-2014-3515, CVE-2014-0207, CVE-2014-3480 and CVE-2014-4721 in php5.

Please give the packages from [1] some real-world testing before I upload them to squeeze-lts.

Thanks!
 Thorsten


[1] http://people.debian.org/~alteholz/packages/php5/



diff -u php5-5.3.3/debian/changelog php5-5.3.3/debian/changelog
--- php5-5.3.3/debian/changelog
+++ php5-5.3.3/debian/changelog
@@ -1,3 +1,24 @@
+php5 (5.3.3-7+squeeze20) squeeze-lts; urgency=low
+
+ * [CVE-2014-3515]: fix unserialize() SPL ArrayObject / SPLObjectStorage + Type Confusion + * [CVE-2014-0207]: fileinfo: cdf_read_short_sector insufficient + boundary check
+  * [CVE-2014-3480]: fileinfo: cdf_count_chain insufficient boundary check
+ * [CVE-2014-4721]: The phpinfo implementation in ext/standard/info.c in + PHP before 5.4.30 and 5.5.x before 5.5.14 does not + ensure use of the string data type for the PHP_AUTH_PW, + PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, + which might allow context-dependent attackers to obtain + sensitive information from process memory by using the + integer data type with crafted values, related to a + "type confusion" vulnerability, as demonstrated by + reading a private SSL key in an Apache HTTP Server + web-hosting environment with mod_ssl and a + PHP 5.3.x mod_php. +
+ -- Thorsten Alteholz <debian@alteholz.de>  Thu, 17 Jul 2014 19:00:00 +0200
+
 php5 (5.3.3-7+squeeze19) squeeze-security; urgency=low

   * [CVE-2014-1943]: Fix segmentation fault in libmagic (Closes: #739012)
diff -u php5-5.3.3/debian/patches/series php5-5.3.3/debian/patches/series
--- php5-5.3.3/debian/patches/series
+++ php5-5.3.3/debian/patches/series
@@ -135,0 +136,4 @@
+CVE-2014-3480.patch
+CVE-2014-0207.patch
+CVE-2014-3515.patch
+CVE-2014-4271.patch
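Review bot: The last added entry names the phpinfo fix `CVE-2014-4271.patch`, while the changelog entry in this same debdiff records it as CVE-2014-4721, so the two identifiers disagree for what is visibly one issue (the patch content is bug #67498 in ext/standard/info.c). One of the two appears to be a digit transposition; the series entry, the patch file name and the changelog should be reconciled to the identifier the security tracker uses before upload, otherwise the package will be hard to match against the advisory. The other three entries agree with their changelog lines.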
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-0207.patch
+++ php5-5.3.3/debian/patches/CVE-2014-0207.patch
@@ -0,0 +1,24 @@
+Index: php5-5.3.3/ext/fileinfo/libmagic/cdf.c
+===================================================================
+--- php5-5.3.3.orig/ext/fileinfo/libmagic/cdf.c	2014-07-18 11:05:27.000000000 +0200
++++ php5-5.3.3/ext/fileinfo/libmagic/cdf.c	2014-07-18 11:05:27.000000000 +0200
+@@ -322,9 +322,17 @@
+ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+     size_t len, const cdf_header_t *h, cdf_secid_t id)
+ {
+-	assert((size_t)CDF_SHORT_SEC_SIZE(h) == len);
++	size_t ss = CDF_SHORT_SEC_SIZE(h);
++	size_t pos = CDF_SHORT_SEC_POS(h, id);
++	assert(ss == len);
++	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
++		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
++		    SIZE_T_FORMAT "u\n",
++		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
++		return -1;
++	}
+ 	(void)memcpy(((char *)buf) + offs,
+-	    ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len);
++	    ((const char *)sst->sst_tab) + pos, len);
+ 	return len;
+ }
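Review bot: The new bound `if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len)` is evaluated in size_t, so if `CDF_SHORT_SEC_POS(h, id)` can become large for a file-supplied `id` (its definition is not in this hunk) the sum `pos + len` may wrap and slip past the check; a wrap-free form is `size_t lim = CDF_SEC_SIZE(h) * sst->sst_len; if (pos > lim || len > lim - pos) { /* DPRINTF */ return -1; }`. Separately, `ss` is read only by `assert(ss == len)`, so an NDEBUG build will warn about an unused variable; keeping the original `assert((size_t)CDF_SHORT_SEC_SIZE(h) == len)` avoids that without changing behaviour. The return type of cdf_read_short_sector is on the line above the hunk and the callers that must now treat -1 as an error are not shown here.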
+ 
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-3480.patch
+++ php5-5.3.3/debian/patches/CVE-2014-3480.patch
@@ -0,0 +1,23 @@
+--- php5.orig/ext/fileinfo/libmagic/cdf.c
++++ php5/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ 	size_t i, j;
+-	cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++	cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++	    / sizeof(maxsector));
+ 
+ DPRINTF(("Chain:"));
+ 	for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cd
+ 			errno = EFTYPE;
+ 			return (size_t)-1;
+ 		}
+-		if (sid > maxsector) {
+-			DPRINTF(("Sector %d > %d\n", sid, maxsector));
++		if (sid >= maxsector) {
++			DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ 			errno = EFTYPE;
+ 			return (size_t)-1;
+ 		}
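Review bot: `maxsector` is still a `cdf_secid_t` produced by casting a size_t product, so when `(sat->sat_len * size) / sizeof(maxsector)` exceeds what cdf_secid_t can hold (its width is not visible in this hunk) the cast truncates and the new `sid >= maxsector` comparison is made against a silently wrong bound. Keeping the bound unsigned and comparing after the loop's existing `sid >= 0` test avoids that: `size_t maxsector = (sat->sat_len * size) / sizeof(cdf_secid_t);` and `if ((size_t)sid >= maxsector) {`, with the adjacent DPRINTF then using `%zu` for the bound. The change from `>` to `>=` itself is right, since sector index `maxsector` is one past the table. cdf_count_chain's body continues past the end of the hunk.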
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-3515.patch
+++ php5-5.3.3/debian/patches/CVE-2014-3515.patch
@@ -0,0 +1,53 @@
+Index: php5-5.3.3/ext/spl/spl_array.c
+===================================================================
+--- php5-5.3.3.orig/ext/spl/spl_array.c	2014-07-17 22:46:55.000000000 +0200
++++ php5-5.3.3/ext/spl/spl_array.c	2014-07-17 22:47:57.000000000 +0200
+@@ -1714,7 +1714,7 @@
+ 	++p;
+ 
+ ALLOC_INIT_ZVAL(pmembers);
+-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
++	if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ 		zval_ptr_dtor(&pmembers);
+ 		goto outexcept;
+ 	}
+Index: php5-5.3.3/ext/spl/spl_observer.c
+===================================================================
+--- php5-5.3.3.orig/ext/spl/spl_observer.c	2014-07-17 22:46:55.000000000 +0200
++++ php5-5.3.3/ext/spl/spl_observer.c	2014-07-17 22:46:55.000000000 +0200
+@@ -686,7 +686,7 @@
+ 	++p;
+ 
+ ALLOC_INIT_ZVAL(pmembers);
+-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
++	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ 		zval_ptr_dtor(&pmembers);
+ 		goto outexcept;
+ 	}
+Index: php5-5.3.3/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+===================================================================
+--- php5-5.3.3.orig/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt	2014-07-17 22:46:55.000000000 +0200
++++ php5-5.3.3/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt	2014-07-17 22:51:01.000000000 +0200
+@@ -7,6 +7,7 @@
+ 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
+ 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+ 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
++'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
+ );
+ foreach($badblobs as $blob) {
+ try {
+@@ -17,6 +18,7 @@
+ 	echo $e->getMessage()."\n";
+ }
+ }
++echo "DONE\n";
+ --EXPECTF--
+ Error at offset 6 of 34 bytes
+ Error at offset 46 of 89 bytes
+@@ -42,4 +44,5 @@
+     }
+   }
+ }
+-
++Error at offset 79 of 78 bytes
++DONE
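Review bot: The spl_array.c half of the fix, the `|| Z_TYPE_P(pmembers) != IS_ARRAY` guard added after `ALLOC_INIT_ZVAL(pmembers);`, gets no regression test in this patch, whereas the identical guard in spl_observer.c is covered by the new blob and the `DONE` marker added to SplObjectStorage_unserialize_bad.phpt. Unless an ArrayObject unserialize test already exists elsewhere in the package, a sibling case feeding a non-array members payload to ArrayObject::unserialize would pin the spl_array.c behaviour too. The two guards are consistent with each other, and `zval_ptr_dtor(&pmembers)` still releases the rejected value on both paths. The enclosing unserialize functions start and end outside the hunk.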
only in patch2:
unchanged:
--- php5-5.3.3.orig/debian/patches/CVE-2014-4271.patch
+++ php5-5.3.3/debian/patches/CVE-2014-4271.patch
@@ -0,0 +1,51 @@
+commit ac509498a547324c900a25909dc3ccb35c481db7
+Author: Stanislav Malyshev <stas@php.net>
+Date:   Mon Jun 23 00:19:37 2014 -0700
+
+    Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
+
+Index: php5-5.3.3/ext/standard/info.c
+===================================================================
+--- php5-5.3.3.orig/ext/standard/info.c	2014-07-18 08:28:55.000000000 +0200
++++ php5-5.3.3/ext/standard/info.c	2014-07-18 08:28:55.000000000 +0200
+@@ -999,16 +999,16 @@
+ 
+ php_info_print_table_start();
+ 		php_info_print_table_header(2, "Variable", "Value");
+-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
+ 		}
+ 		php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
+Index: php5-5.3.3/ext/standard/tests/general_functions/bug67498.phpt
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ php5-5.3.3/ext/standard/tests/general_functions/bug67498.phpt	2014-07-18 08:28:55.000000000 +0200
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
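Review bot: The four `if (zend_hash_find(...) != FAILURE && Z_TYPE_PP(data) == IS_STRING)` blocks on the new side differ only in the variable name, so the type guard that this patch introduces is now repeated four times and a fifth variable added later could easily omit it; a name table driven by one loop keeps the guard in a single place. The excerpt below replaces the four blocks between `php_info_print_table_header` and the `php_print_gpcse_array` calls; `strlen(names[i]) + 1` reproduces the `sizeof("...")` key length the originals pass. The guard itself is the right fix, since `Z_STRVAL_PP` on a non-string zval reads the wrong union member. The enclosing function starts and ends outside the hunk.
```c
		php_info_print_table_header(2, "Variable", "Value");
		{
			/* Only string values are printed: Z_STRVAL_PP on a non-string zval reads another union member. */
			static const char *const names[] = {
				"PHP_SELF", "PHP_AUTH_TYPE", "PHP_AUTH_USER", "PHP_AUTH_PW"
			};
			size_t i;

			for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
				if (zend_hash_find(&EG(symbol_table), names[i], strlen(names[i]) + 1, (void **) &data) != FAILURE
				    && Z_TYPE_PP(data) == IS_STRING) {
					php_info_print_table_row(2, names[i], Z_STRVAL_PP(data));
				}
			}
		}
		/* … unchanged: php_print_gpcse_array calls … */
```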

