main/php: fix CVE-2014-4721

fixes #3165

2 files changed, 65 insertions, 2 deletions

diff --git a/main/php/APKBUILD b/main/php/APKBUILD
index 04edfb3332..0f549196fb 100644
--- a/main/php/APKBUILD
+++ b/main/php/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=php
 pkgver=5.3.28
 _suhosinver=5.3.9-0.9.10
-pkgrel=5
+pkgrel=6
 pkgdesc="The PHP language runtime engine"
 url="http://www.php.net/"
 arch="all"
@@ -83,6 +83,7 @@ source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2
 	CVE-2014-0237.patch
 	CVE-2014-0238.patch
 	CVE-2014-4049.patch
+	CVE-2014-4721.patch
 	"
 
 _apiver="20090626"
@@ -459,4 +460,5 @@ f2836636790a78ec058d3fe84045997a  CVE-2013-7345.patch
 66333db458742a20dda0b8a9be1900e5  CVE-2014-0185.patch
 77a99e602cc93ec04b7c6995bba7748b  CVE-2014-0237.patch
 a038c00930d7021e1f485043deec65fc  CVE-2014-0238.patch
-bd763609e1a4cd15ba0142cb7e5bc7a4  CVE-2014-4049.patch"
+bd763609e1a4cd15ba0142cb7e5bc7a4  CVE-2014-4049.patch
+11f0c6e5db9416a1f8bbba8be8fd1c89  CVE-2014-4721.patch"
diff --git a/main/php/CVE-2014-4721.patch b/main/php/CVE-2014-4721.patch
new file mode 100644
index 0000000000..47fd4d0423
--- /dev/null
+++ b/main/php/CVE-2014-4721.patch
@@ -0,0 +1,61 @@
+From 84f9fe0fdcc660d7f2b479b4cd5dd4216e3bc5ff Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 23 Jun 2014 00:19:37 -0700
+Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
+ Vulnerability
+
+---
+ ext/standard/info.c                                |  8 ++++----
+ ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/general_functions/bug67498.phpt
+
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 03ced35..0626a70 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
+@@ -866,16 +866,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
+ 
+ 		php_info_print_table_start();
+ 		php_info_print_table_header(2, "Variable", "Value");
+-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
+ 		}
+ 		php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
+diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
+new file mode 100644
+index 0000000..5b5951b
+--- /dev/null
++++ b/ext/standard/tests/general_functions/bug67498.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
+-- 
+1.9.2
+