Your message dated Fri, 22 Mar 2013 16:07:32 +0100 with message-id <CALjhHG9p0CsuhyO5L++z3RBLvSGy9+r8U35NSgp7oSqrsLUZgQ@mail.gmail.com> and subject line Re: Bug#703707: Acknowledgement (unblock: php5/5.4.4-15) has caused the Debian Bug report #703707, regarding unblock: php5/5.4.4-15 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 703707: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703707 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: php5/5.4.4-15
- From: Ondřej Surý <ondrej@debian.org>
- Date: Fri, 22 Mar 2013 15:39:18 +0100
- Message-id: <[🔎] 20130322143918.15488.63603.reportbug@localhost6.localdomain6>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package php5 The previous fix was CVE-2013-1643 was incomplete and it had been issued an additional CVE-2013-1824 which should be complete now. $ diffstat php5_5.4.4-15.debdiff debian/patches/CVE-2013-1643.patch | 135 ----------------------------------- debian/patches/CVE-2013-1824.patch | 142 +++++++++++++++++++++++++++++++++++++ php5-5.4.4/debian/changelog | 7 + php5-5.4.4/debian/patches/series | 2 4 files changed, 150 insertions(+), 136 deletions(-) unblock php5/5.4.4-15 -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dashdiff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog --- php5-5.4.4/debian/changelog +++ php5-5.4.4/debian/changelog @@ -1,3 +1,10 @@ +php5 (5.4.4-15) unstable; urgency=high + + * [CVE-2013-1824]: CVE-2013-1643 had incomplete fix for external entity + loading + + -- Ondřej Surý <ondrej@debian.org> Fri, 22 Mar 2013 13:51:47 +0100 + php5 (5.4.4-14) unstable; urgency=high * [CVE-2013-1635] Fixed external entity loading diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series --- php5-5.4.4/debian/patches/series +++ php5-5.4.4/debian/patches/series @@ -81 +81 @@ -CVE-2013-1643.patch +CVE-2013-1824.patch reverted: --- php5-5.4.4/debian/patches/CVE-2013-1643.patch +++ php5-5.4.4.orig/debian/patches/CVE-2013-1643.patch @@ -1,135 +0,0 @@ ---- a/ext/libxml/libxml.c -+++ b/ext/libxml/libxml.c -@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml) - libxml_globals->error_buffer.c = NULL; - libxml_globals->error_list = NULL; - libxml_globals->entity_loader.fci.size = 0; -+ libxml_globals->entity_loader_disabled = 0; - } - - static void _php_libxml_destroy_fci(zend_fcall_info *fci) -@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v - } - - static xmlParserInputBufferPtr --php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc) --{ -- return NULL; --} -- --static xmlParserInputBufferPtr - php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc) - { - xmlParserInputBufferPtr ret; - void *context = NULL; -+ TSRMLS_FETCH(); -+ -+ if (LIBXML(entity_loader_disabled)) { -+ return NULL; -+ } - - if (URI == NULL) - return(NULL); -@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors) - } - /* }}} */ - -+PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC) -+{ -+ zend_bool old = LIBXML(entity_loader_disabled); -+ -+ LIBXML(entity_loader_disabled) = disable; -+ return old; -+} -+ - /* {{{ proto bool libxml_disable_entity_loader([boolean disable]) - Disable/Enable ability to load external entities */ - static PHP_FUNCTION(libxml_disable_entity_loader) - { - zend_bool disable = 1; -- xmlParserInputBufferCreateFilenameFunc old; - - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) { - return; - } - -- if (disable == 0) { -- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename); -- } else { -- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload); -- } -- -- if (old == php_libxml_input_buffer_noload) { -- RETURN_TRUE; -- } -- -- RETURN_FALSE; -+ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC)); - } - /* }}} */ - ---- a/ext/libxml/php_libxml.h -+++ b/ext/libxml/php_libxml.h -@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml) - zend_fcall_info fci; - zend_fcall_info_cache fcc; - } entity_loader; -+ zend_bool entity_loader_disabled; - ZEND_END_MODULE_GLOBALS(libxml) - - typedef struct _libxml_doc_props { -@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error - PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s); - PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC); - PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC); -+PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC); - - /* Init/shutdown functions*/ - PHP_LIBXML_API void php_libxml_initialize(void); ---- a/ext/soap/php_xml.c -+++ b/ext/soap/php_xml.c -@@ -20,6 +20,7 @@ - /* $Id$ */ - - #include "php_soap.h" -+#include "ext/libxml/php_libxml.h" - #include "libxml/parser.h" - #include "libxml/parserInternals.h" - -@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char * - ctxt = xmlCreateFileParserCtxt(filename); - PG(allow_url_fopen) = old_allow_url_fopen; - if (ctxt) { -+ zend_bool old; -+ - ctxt->keepBlanks = 0; - ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; - ctxt->sax->comment = soap_Comment; - ctxt->sax->warning = NULL; - ctxt->sax->error = NULL; - /*ctxt->sax->fatalError = NULL;*/ -+ old = php_libxml_disable_entity_loader(1); - xmlParseDocument(ctxt); -+ php_libxml_disable_entity_loader(old); - if (ctxt->wellFormed) { - ret = ctxt->myDoc; - if (ret->URL == NULL && ctxt->directory != NULL) { -@@ -133,6 +138,8 @@ xmlDocPtr soap_xmlParseMemory(const void - */ - ctxt = xmlCreateMemoryParserCtxt(buf, buf_size); - if (ctxt) { -+ zend_bool old; -+ - ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; - ctxt->sax->comment = soap_Comment; - ctxt->sax->warning = NULL; -@@ -141,7 +148,9 @@ xmlDocPtr soap_xmlParseMemory(const void - #if LIBXML_VERSION >= 20703 - ctxt->options |= XML_PARSE_HUGE; - #endif -+ old = php_libxml_disable_entity_loader(1); - xmlParseDocument(ctxt); -+ php_libxml_disable_entity_loader(old); - if (ctxt->wellFormed) { - ret = ctxt->myDoc; - if (ret->URL == NULL && ctxt->directory != NULL) { only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/CVE-2013-1824.patch +++ php5-5.4.4/debian/patches/CVE-2013-1824.patch @@ -0,0 +1,142 @@ +--- a/ext/soap/php_xml.c ++++ b/ext/soap/php_xml.c +@@ -20,6 +20,7 @@ + /* $Id$ */ + + #include "php_soap.h" ++#include "ext/libxml/php_libxml.h" + #include "libxml/parser.h" + #include "libxml/parserInternals.h" + +@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char * + ctxt = xmlCreateFileParserCtxt(filename); + PG(allow_url_fopen) = old_allow_url_fopen; + if (ctxt) { ++ zend_bool old; ++ + ctxt->keepBlanks = 0; + ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; + ctxt->sax->comment = soap_Comment; + ctxt->sax->warning = NULL; + ctxt->sax->error = NULL; + /*ctxt->sax->fatalError = NULL;*/ ++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC); + xmlParseDocument(ctxt); ++ php_libxml_disable_entity_loader(old TSRMLS_CC); + if (ctxt->wellFormed) { + ret = ctxt->myDoc; + if (ret->URL == NULL && ctxt->directory != NULL) { +@@ -128,11 +133,15 @@ xmlDocPtr soap_xmlParseMemory(const void + xmlParserCtxtPtr ctxt = NULL; + xmlDocPtr ret; + ++ TSRMLS_FETCH(); ++ + /* + xmlInitParser(); + */ + ctxt = xmlCreateMemoryParserCtxt(buf, buf_size); + if (ctxt) { ++ zend_bool old; ++ + ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; + ctxt->sax->comment = soap_Comment; + ctxt->sax->warning = NULL; +@@ -141,7 +150,9 @@ xmlDocPtr soap_xmlParseMemory(const void + #if LIBXML_VERSION >= 20703 + ctxt->options |= XML_PARSE_HUGE; + #endif ++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC); + xmlParseDocument(ctxt); ++ php_libxml_disable_entity_loader(old TSRMLS_CC); + if (ctxt->wellFormed) { + ret = ctxt->myDoc; + if (ret->URL == NULL && ctxt->directory != NULL) { +--- a/ext/libxml/libxml.c ++++ b/ext/libxml/libxml.c +@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml) + libxml_globals->error_buffer.c = NULL; + libxml_globals->error_list = NULL; + libxml_globals->entity_loader.fci.size = 0; ++ libxml_globals->entity_loader_disabled = 0; + } + + static void _php_libxml_destroy_fci(zend_fcall_info *fci) +@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v + } + + static xmlParserInputBufferPtr +-php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc) +-{ +- return NULL; +-} +- +-static xmlParserInputBufferPtr + php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc) + { + xmlParserInputBufferPtr ret; + void *context = NULL; ++ TSRMLS_FETCH(); ++ ++ if (LIBXML(entity_loader_disabled)) { ++ return NULL; ++ } + + if (URI == NULL) + return(NULL); +@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors) + } + /* }}} */ + ++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC) ++{ ++ zend_bool old = LIBXML(entity_loader_disabled); ++ ++ LIBXML(entity_loader_disabled) = disable; ++ return old; ++} ++ + /* {{{ proto bool libxml_disable_entity_loader([boolean disable]) + Disable/Enable ability to load external entities */ + static PHP_FUNCTION(libxml_disable_entity_loader) + { + zend_bool disable = 1; +- xmlParserInputBufferCreateFilenameFunc old; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) { + return; + } + +- if (disable == 0) { +- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename); +- } else { +- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload); +- } +- +- if (old == php_libxml_input_buffer_noload) { +- RETURN_TRUE; +- } +- +- RETURN_FALSE; ++ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC)); + } + /* }}} */ + +--- a/ext/libxml/php_libxml.h ++++ b/ext/libxml/php_libxml.h +@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml) + zend_fcall_info fci; + zend_fcall_info_cache fcc; + } entity_loader; ++ zend_bool entity_loader_disabled; + ZEND_END_MODULE_GLOBALS(libxml) + + typedef struct _libxml_doc_props { +@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error + PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s); + PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC); + PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC); ++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC); + + /* Init/shutdown functions*/ + PHP_LIBXML_API void php_libxml_initialize(void);
--- End Message ---
--- Begin Message ---
- To: 703707-done@bugs.debian.org
- Subject: Re: Bug#703707: Acknowledgement (unblock: php5/5.4.4-15)
- From: Ondřej Surý <ondrej@debian.org>
- Date: Fri, 22 Mar 2013 16:07:32 +0100
- Message-id: <CALjhHG9p0CsuhyO5L++z3RBLvSGy9+r8U35NSgp7oSqrsLUZgQ@mail.gmail.com>
- In-reply-to: <handler.703707.B.13639631636070.ack@bugs.debian.org>
- References: <[🔎] 20130322143918.15488.63603.reportbug@localhost6.localdomain6> <handler.703707.B.13639631636070.ack@bugs.debian.org>
I have discovered after some patch mangling, that only thing missing is the ZTS compatibility which we don't use in Debian.So I think it's not worth the trouble.
O.On Fri, Mar 22, 2013 at 3:42 PM, Debian Bug Tracking System <owner@bugs.debian.org> wrote:
Thank you for filing a new Bug report with Debian.
This is an automatically generated reply to let you know your message
has been received.
Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.
Your message has been sent to the package maintainer(s):
Debian Release Team <debian-release@lists.debian.org>
If you wish to submit further information on this problem, please
send it to 703707@bugs.debian.org.
Please do not send mail to owner@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.
--
703707: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703707
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--
Ondřej Surý <ondrej@sury.org>Attachment: CVE-2013-1643-CVE-2013-1824.diff
Description: Binary data
--- End Message ---