Bug#702253: marked as done (unblock: php5/5.4.4-14)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 04 Mar 2013 16:39:40 +0000
with message-id <7712feff548bfae60849aafd498c51e7@mail.adsl.funky-badger.org>
and subject line Re: Bug#702253: unblock: php5/5.4.4-14
has caused the Debian Bug report #702253,
regarding unblock: php5/5.4.4-14
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
702253: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702253
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: php5/5.4.4-14
• From: Ondřej Surý <ondrej@debian.org>
• Date: Mon, 04 Mar 2013 15:47:07 +0100
• Message-id: <[🔎] 20130304144707.3083.1868.reportbug@localhost6.localdomain6>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package php5

Bug#702221: php5: CVE-2013-1635 CVE-2013-1643

Hi,
two issues have been reported in php5. CVE-2013-1635 doesn't classify as a security
issue per the Debian Security policy, but if the fix is non-intrusive we
could include it nonetheless:

CVE-2013-1643
http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36

CVE-2013-1635
http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74

$ diffstat php5_5.4.4-14.debdiff
 debian/patches/CVE-2013-1635.patch |   44 ++++++++++++
 debian/patches/CVE-2013-1643.patch |  135 +++++++++++++++++++++++++++++++++++++
 php5-5.4.4/debian/changelog        |    8 ++
 php5-5.4.4/debian/patches/series   |    2 
 4 files changed, 189 insertions(+)

Debdiff attached, squeeze version has been already uploaded to security-master.

unblock php5/5.4.4-14

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,11 @@
+php5 (5.4.4-14) unstable; urgency=high
+
+  * [CVE-2013-1635] Fixed external entity loading
+  * [CVE-2013-1643] Check if soap.wsdl_cache_dir confirms to open_basedir
+    (Closes: #702221)
+
+ -- Ondřej Surý <ondrej@debian.org>  Mon, 04 Mar 2013 14:30:16 +0100
+
 php5 (5.4.4-13) unstable; urgency=high
 
   * Add yet another patch to fix unlimited recursion in session extension
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -79,0 +80,2 @@
+CVE-2013-1635.patch
+CVE-2013-1643.patch
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/CVE-2013-1635.patch
+++ php5-5.4.4/debian/patches/CVE-2013-1635.patch
@@ -0,0 +1,44 @@
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -497,10 +497,40 @@ ZEND_INI_MH(OnUpdateCacheMode)
+ 	return SUCCESS;
+ }
+ 
++static PHP_INI_MH(OnUpdateCacheDir)
++{
++	/* Only do the open_basedir check at runtime */
++	if (stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) {
++		char *p;
++
++		if (memchr(new_value, '\0', new_value_length) != NULL) {
++			return FAILURE;
++		}
++
++		/* we do not use zend_memrchr() since path can contain ; itself */
++		if ((p = strchr(new_value, ';'))) {
++			char *p2;
++			p++;
++			if ((p2 = strchr(p, ';'))) {
++				p = p2 + 1;
++			}
++		} else {
++			p = new_value;
++		}
++
++		if (PG(open_basedir) && *p && php_check_open_basedir(p TSRMLS_CC)) {
++			return FAILURE;
++		}
++	}
++
++	OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
++	return SUCCESS;
++}
++
+ PHP_INI_BEGIN()
+ STD_PHP_INI_ENTRY("soap.wsdl_cache_enabled",     "1", PHP_INI_ALL, OnUpdateCacheEnabled,
+                   cache_enabled, zend_soap_globals, soap_globals)
+-STD_PHP_INI_ENTRY("soap.wsdl_cache_dir",         "/tmp", PHP_INI_ALL, OnUpdateString,
++STD_PHP_INI_ENTRY("soap.wsdl_cache_dir",         "/tmp", PHP_INI_ALL, OnUpdateCacheDir,
+                   cache_dir, zend_soap_globals, soap_globals)
+ STD_PHP_INI_ENTRY("soap.wsdl_cache_ttl",         "86400", PHP_INI_ALL, OnUpdateLong,
+                   cache_ttl, zend_soap_globals, soap_globals)
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/CVE-2013-1643.patch
+++ php5-5.4.4/debian/patches/CVE-2013-1643.patch
@@ -0,0 +1,135 @@
+--- a/ext/libxml/libxml.c
++++ b/ext/libxml/libxml.c
+@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml)
+ 	libxml_globals->error_buffer.c = NULL;
+ 	libxml_globals->error_list = NULL;
+ 	libxml_globals->entity_loader.fci.size = 0;
++	libxml_globals->entity_loader_disabled = 0;
+ }
+ 
+ static void _php_libxml_destroy_fci(zend_fcall_info *fci)
+@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v
+ }
+ 
+ static xmlParserInputBufferPtr
+-php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc)
+-{
+-	return NULL;
+-}
+-
+-static xmlParserInputBufferPtr
+ php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc)
+ {
+ 	xmlParserInputBufferPtr ret;
+ 	void *context = NULL;
++	TSRMLS_FETCH();
++
++	if (LIBXML(entity_loader_disabled)) {
++		return NULL;
++	}
+ 
+ 	if (URI == NULL)
+ 		return(NULL);
+@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors)
+ }
+ /* }}} */
+ 
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC)
++{
++	zend_bool old = LIBXML(entity_loader_disabled);
++
++	LIBXML(entity_loader_disabled) = disable;
++	return old;
++}
++
+ /* {{{ proto bool libxml_disable_entity_loader([boolean disable]) 
+    Disable/Enable ability to load external entities */
+ static PHP_FUNCTION(libxml_disable_entity_loader)
+ {
+ 	zend_bool disable = 1;
+-	xmlParserInputBufferCreateFilenameFunc old;
+ 
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) {
+ 		return;
+ 	}
+ 
+-	if (disable == 0) {
+-		old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename);
+-	} else {
+-		old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload);
+-	}
+-
+-	if (old == php_libxml_input_buffer_noload) {
+-		RETURN_TRUE;
+-	}
+-
+-	RETURN_FALSE;
++	RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC));
+ }
+ /* }}} */
+ 
+--- a/ext/libxml/php_libxml.h
++++ b/ext/libxml/php_libxml.h
+@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml)
+ 		zend_fcall_info			fci;
+ 		zend_fcall_info_cache	fcc;
+ 	} entity_loader;
++	zend_bool entity_loader_disabled;
+ ZEND_END_MODULE_GLOBALS(libxml)
+ 
+ typedef struct _libxml_doc_props {
+@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error
+ PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s);
+ PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC);
+ PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC);
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC);
+ 
+ /* Init/shutdown functions*/
+ PHP_LIBXML_API void php_libxml_initialize(void);
+--- a/ext/soap/php_xml.c
++++ b/ext/soap/php_xml.c
+@@ -20,6 +20,7 @@
+ /* $Id$ */
+ 
+ #include "php_soap.h"
++#include "ext/libxml/php_libxml.h"
+ #include "libxml/parser.h"
+ #include "libxml/parserInternals.h"
+ 
+@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char *
+ 	ctxt = xmlCreateFileParserCtxt(filename);
+ 	PG(allow_url_fopen) = old_allow_url_fopen;
+ 	if (ctxt) {
++		zend_bool old;
++
+ 		ctxt->keepBlanks = 0;
+ 		ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ 		ctxt->sax->comment = soap_Comment;
+ 		ctxt->sax->warning = NULL;
+ 		ctxt->sax->error = NULL;
+ 		/*ctxt->sax->fatalError = NULL;*/
++		old = php_libxml_disable_entity_loader(1);
+ 		xmlParseDocument(ctxt);
++		php_libxml_disable_entity_loader(old);
+ 		if (ctxt->wellFormed) {
+ 			ret = ctxt->myDoc;
+ 			if (ret->URL == NULL && ctxt->directory != NULL) {
+@@ -133,6 +138,8 @@ xmlDocPtr soap_xmlParseMemory(const void
+ */
+ 	ctxt = xmlCreateMemoryParserCtxt(buf, buf_size);
+ 	if (ctxt) {
++		zend_bool old;
++
+ 		ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ 		ctxt->sax->comment = soap_Comment;
+ 		ctxt->sax->warning = NULL;
+@@ -141,7 +148,9 @@ xmlDocPtr soap_xmlParseMemory(const void
+ #if LIBXML_VERSION >= 20703
+ 		ctxt->options |= XML_PARSE_HUGE;
+ #endif
++		old = php_libxml_disable_entity_loader(1);
+ 		xmlParseDocument(ctxt);
++		php_libxml_disable_entity_loader(old);
+ 		if (ctxt->wellFormed) {
+ 			ret = ctxt->myDoc;
+ 			if (ret->URL == NULL && ctxt->directory != NULL) {

--- End Message ---

--- Begin Message ---

• To: Ondřej Surý <ondrej@debian.org>, <702253-done@bugs.debian.org>
• Subject: Re: Bug#702253: unblock: php5/5.4.4-14
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Mon, 04 Mar 2013 16:39:40 +0000
• Message-id: <7712feff548bfae60849aafd498c51e7@mail.adsl.funky-badger.org>
• In-reply-to: <[🔎] 20130304144707.3083.1868.reportbug@localhost6.localdomain6>
• References: <[🔎] 20130304144707.3083.1868.reportbug@localhost6.localdomain6>

On 04.03.2013 14:47, Ondřej Surý wrote:

Bug#702221: php5: CVE-2013-1635 CVE-2013-1643

Hi,
two issues have been reported in php5. CVE-2013-1635 doesn't classify
as a security

issue per the Debian Security policy, but if the fix is non-intrusive we

could include it nonetheless:

Unblocked; thanks.

Regards,

Adam

--- End Message ---