Bug#682192: unblock: php5/5.4.4-5
Package: release.debian.org
Severity: normal
Changing the request again (sorry) to also include the next patch scheduled
for the security update:
php5 (5.4.4-5) unstable; urgency=low
.
* CVE-2012-3450: parsing bug in PDO can lead to access violations
diffstat:
debian/patches/CVE-2012-3450.patch | 86 +++++++++++++++++++++++++++++++++++++
php5-5.4.4/debian/changelog | 6 ++
php5-5.4.4/debian/patches/series | 1
3 files changed, 93 insertions(+)
debdiff attached...
O.
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (300, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,9 @@
+php5 (5.4.4-5) unstable; urgency=low
+
+ * CVE-2012-3450: parsing bug in PDO can lead to access violations
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 07 Aug 2012 09:34:12 +0200
+
php5 (5.4.4-4) unstable; urgency=low
* Fix php5-fpm segfault (PHP#62205)
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -65,0 +66 @@
+CVE-2012-3450.patch
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/CVE-2012-3450.patch
+++ php5-5.4.4/debian/patches/CVE-2012-3450.patch
@@ -0,0 +1,86 @@
+--- a/ext/pdo/pdo_sql_parser.re
++++ b/ext/pdo/pdo_sql_parser.re
+@@ -32,12 +32,12 @@
+
+ #define YYCTYPE unsigned char
+ #define YYCURSOR cursor
+-#define YYLIMIT cursor
++#define YYLIMIT s->end
+ #define YYMARKER s->ptr
+-#define YYFILL(n)
++#define YYFILL(n) { RET(PDO_PARSER_EOI); }
+
+ typedef struct Scanner {
+- char *ptr, *cur, *tok;
++ char *ptr, *cur, *tok, *end;
+ } Scanner;
+
+ static int scan(Scanner *s)
+@@ -50,7 +50,6 @@ static int scan(Scanner *s)
+ QUESTION = [?];
+ SPECIALS = [:?"'];
+ MULTICHAR = [:?];
+- EOF = [\000];
+ ANYNOEOF = [\001-\377];
+ */
+
+@@ -62,7 +61,6 @@ static int scan(Scanner *s)
+ QUESTION { RET(PDO_PARSER_BIND_POS); }
+ SPECIALS { SKIP_ONE(PDO_PARSER_TEXT); }
+ (ANYNOEOF\SPECIALS)+ { RET(PDO_PARSER_TEXT); }
+- EOF { RET(PDO_PARSER_EOI); }
+ */
+ }
+
+@@ -92,6 +90,7 @@ PDO_API int pdo_parse_params(pdo_stmt_t
+
+ ptr = *outquery;
+ s.cur = inquery;
++ s.end = inquery + inquery_len + 1;
+
+ /* phase 1: look for args */
+ while((t = scan(&s)) != PDO_PARSER_EOI) {
+--- /dev/null
++++ b/ext/pdo_mysql/tests/bug_61755.phpt
+@@ -0,0 +1,41 @@
++--TEST--
++Bug #61755 (A parsing bug in the prepared statements can lead to access violations)
++--SKIPIF--
++<?php
++if (!extension_loaded('pdo') || !extension_loaded('pdo_mysql')) die('skip not loaded');
++require dirname(__FILE__) . '/config.inc';
++require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++PDOTest::skip();
++?>
++--FILE--
++<?php
++require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
++
++$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
++
++echo "NULL-Byte before first placeholder:\n";
++$s = $db->prepare("SELECT \"a\0b\", ?");
++$s->bindValue(1,"c");
++$s->execute();
++$r = $s->fetch();
++echo "Length of item 0: ".strlen($r[0]).", Value of item 1: ".$r[1]."\n";
++
++echo "\nOpen comment:\n";
++try {
++ $s = $db->prepare("SELECT /*");
++ $s->execute();
++} catch (Exception $e) {
++ echo "Error code: ".$e->getCode()."\n";
++}
++
++echo "\ndone!\n";
++?>
++--EXPECTF--
++NULL-Byte before first placeholder:
++Length of item 0: 3, Value of item 1: c
++
++Open comment:
++Error code: 42000
++
++done!
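Review bot: The two lines that carry the whole fix, `+#define YYFILL(n) { RET(PDO_PARSER_EOI); }` and `+ s.end = inquery + inquery_len + 1;`, have no comment explaining the new end-of-input model, and without one a later maintainer could easily reintroduce the removed `EOF = [\000]` rule. The scanner now ends the query when re2c runs out of input (YYLIMIT moved from `cursor` to `s->end`) rather than on a `\000` byte, which is exactly why the embedded-NUL case in the bug_61755 test no longer terminates the scan early; I would put `/* out of input == end of query; replaces the old EOF ([\000]) rule so embedded NUL bytes do not end the scan */` on the `YYFILL` define. On the `s.end` line the `+ 1` presumably depends on `inquery` being NUL-terminated at `inquery[inquery_len]` so that one extra byte is readable — worth a comment stating that assumption and confirming it against the callers. The regression test only exercises pdo_mysql, while `pdo_parse_params` is shared by every PDO driver, so an ext/pdo-level test that needs no MySQL server would cover the fix more broadly. Both `scan` and `pdo_parse_params` begin and end outside the hunks shown here.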