aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2010-07-06 11:03:41 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2010-07-06 11:04:26 +0000
commit993176136f182c2feb91682b31f0a905167f418d (patch)
tree78357b1cb6c567e201c27513aa57fae342b62506
parenteed9f37161248c488e0ff923681dfa42907b2d7b (diff)
downloadaports-993176136f182c2feb91682b31f0a905167f418d.tar.bz2
aports-993176136f182c2feb91682b31f0a905167f418d.tar.xz
main/php: fix for CVE-2010-2225
based on http://svn.php.net/viewvc?view=revision&revision=300843
-rw-r--r--main/php/APKBUILD8
-rw-r--r--main/php/CVE-2010-2225.patch194
2 files changed, 200 insertions, 2 deletions
diff --git a/main/php/APKBUILD b/main/php/APKBUILD
index 7078294843..f933f01bd4 100644
--- a/main/php/APKBUILD
+++ b/main/php/APKBUILD
@@ -3,7 +3,7 @@
pkgname=php
pkgver=5.3.2
_suhosinver=${pkgver}-0.9.9.1
-pkgrel=7
+pkgrel=8
pkgdesc="The PHP language runtime engine"
url="http://www.php.net/"
license="PHP-3"
@@ -65,6 +65,7 @@ source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2
http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz
php-install-pear-xml.patch
zend_execute_API.c.patch
+ CVE-2010-2225.patch
"
_extdir="/usr/lib/php/20090626"
@@ -75,6 +76,8 @@ build() {
# beat the pear installer into using xml.so
patch -p1 -i "$srcdir"/php-install-pear-xml.patch || return 1
+ patch -p0 -i "$srcdir"/CVE-2010-2225.patch || return 1
+
# apply suhosin patch
gunzip -c ${srcdir}/suhosin-patch-${_suhosinver}.patch.gz \
| patch -p1 || return 1
@@ -259,4 +262,5 @@ dev() {
md5sums="46f500816125202c48a458d0133254a4 php-5.3.2.tar.bz2
4647b05330862d6a1fc4469245cc6ade suhosin-patch-5.3.2-0.9.9.1.patch.gz
5111e3be06d391f8772587c675240fab php-install-pear-xml.patch
-55f9d24316a57e0c0f6b4b84791a1a17 zend_execute_API.c.patch"
+55f9d24316a57e0c0f6b4b84791a1a17 zend_execute_API.c.patch
+373a2705d03a13b77b590026b0ae47aa CVE-2010-2225.patch"
diff --git a/main/php/CVE-2010-2225.patch b/main/php/CVE-2010-2225.patch
new file mode 100644
index 0000000000..08c71f26b0
--- /dev/null
+++ b/main/php/CVE-2010-2225.patch
@@ -0,0 +1,194 @@
+Index: ext/spl/tests/SplObjectStorage_unserialize_nested.phpt
+===================================================================
+--- ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 0)
++++ ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 300843)
+@@ -0,0 +1,47 @@
++--TEST--
++SPL: Test unserializing tested & linked storage
++--FILE--
++<?php
++$o = new StdClass();
++$a = new StdClass();
++
++$o->a = $a;
++
++$so = new SplObjectStorage();
++
++$so[$o] = 1;
++$so[$a] = 2;
++
++$s = serialize($so);
++echo $s."\n";
++
++$so1 = unserialize($s);
++var_dump($so1);
++
++--EXPECTF--
++C:16:"SplObjectStorage":76:{x:i:2;O:8:"stdClass":1:{s:1:"a";O:8:"stdClass":0:{}},i:1;;r:2;,i:2;;m:a:0:{}}
++object(SplObjectStorage)#4 (1) {
++ ["storage":"SplObjectStorage":private]=>
++ array(2) {
++ ["%s"]=>
++ array(2) {
++ ["obj"]=>
++ object(stdClass)#5 (1) {
++ ["a"]=>
++ object(stdClass)#6 (0) {
++ }
++ }
++ ["inf"]=>
++ int(1)
++ }
++ ["%s"]=>
++ array(2) {
++ ["obj"]=>
++ object(stdClass)#6 (0) {
++ }
++ ["inf"]=>
++ int(2)
++ }
++ }
++}
++
+Index: ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+===================================================================
+--- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 0)
++++ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 300843)
+@@ -0,0 +1,45 @@
++--TEST--
++SPL: Test that serialized blob contains unique elements (CVE-2010-2225)
++--FILE--
++<?php
++
++$badblobs = array(
++'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
++'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
++'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
++);
++foreach($badblobs as $blob) {
++try {
++ $so = new SplObjectStorage();
++ $so->unserialize($blob);
++ var_dump($so);
++} catch(UnexpectedValueException $e) {
++ echo $e->getMessage()."\n";
++}
++}
++--EXPECTF--
++Error at offset 6 of 34 bytes
++Error at offset 46 of 89 bytes
++object(SplObjectStorage)#2 (1) {
++ ["storage":"SplObjectStorage":private]=>
++ array(2) {
++ ["%s"]=>
++ array(2) {
++ ["obj"]=>
++ object(stdClass)#3 (0) {
++ }
++ ["inf"]=>
++ int(1)
++ }
++ ["%s"]=>
++ array(2) {
++ ["obj"]=>
++ object(stdClass)#1 (0) {
++ }
++ ["inf"]=>
++ object(stdClass)#4 (0) {
++ }
++ }
++ }
++}
++
+Index: ext/spl/spl_observer.c
+===================================================================
+--- ext/spl/spl_observer.c (revision 300842)
++++ ext/spl/spl_observer.c (revision 300843)
+@@ -115,6 +115,7 @@
+ zval_ptr_dtor(&element->inf);
+ } /* }}} */
+
++
+ spl_SplObjectStorageElement* spl_object_storage_get(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */
+ {
+ spl_SplObjectStorageElement *element;
+@@ -632,15 +633,24 @@
+ zval_ptr_dtor(&pcount);
+
+ while(count-- > 0) {
++ spl_SplObjectStorageElement *pelement;
++
+ if (*p != ';') {
+ goto outexcept;
+ }
+ ++p;
++ if(*p != 'O' && *p != 'C' && *p != 'r') {
++ goto outexcept;
++ }
+ ALLOC_INIT_ZVAL(pentry);
+ if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ zval_ptr_dtor(&pentry);
+ goto outexcept;
+ }
++ if(Z_TYPE_P(pentry) != IS_OBJECT) {
++ zval_ptr_dtor(&pentry);
++ goto outexcept;
++ }
+ ALLOC_INIT_ZVAL(pinf);
+ if (*p == ',') { /* new version has inf */
+ ++p;
+@@ -649,6 +659,16 @@
+ goto outexcept;
+ }
+ }
++
++ pelement = spl_object_storage_get(intern, pentry TSRMLS_CC);
++ if(pelement) {
++ if(pelement->inf) {
++ var_push_dtor(&var_hash, &pelement->inf);
++ }
++ if(pelement->obj) {
++ var_push_dtor(&var_hash, &pelement->obj);
++ }
++ }
+ spl_object_storage_attach(intern, pentry, pinf TSRMLS_CC);
+ zval_ptr_dtor(&pentry);
+ zval_ptr_dtor(&pinf);
+Index: ext/standard/var_unserializer.c
+===================================================================
+--- ext/standard/var_unserializer.c (revision 300842)
++++ ext/standard/var_unserializer.c (revision 300843)
+@@ -56,7 +56,7 @@
+ var_hash->data[var_hash->used_slots++] = *rval;
+ }
+
+-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
+ {
+ var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;
+
+Index: ext/standard/php_var.h
+===================================================================
+--- ext/standard/php_var.h (revision 300842)
++++ ext/standard/php_var.h (revision 300843)
+@@ -60,6 +60,7 @@
+ var_destroy(&(var_hash))
+
+ PHPAPI void var_replace(php_unserialize_data_t *var_hash, zval *ozval, zval **nzval);
++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hash, zval **val);
+ PHPAPI void var_destroy(php_unserialize_data_t *var_hash);
+
+ #define PHP_VAR_UNSERIALIZE_ZVAL_CHANGED(var_hash, ozval, nzval) \
+Index: ext/standard/var_unserializer.re
+===================================================================
+--- ext/standard/var_unserializer.re (revision 300842)
++++ ext/standard/var_unserializer.re (revision 300843)
+@@ -54,7 +54,7 @@
+ var_hash->data[var_hash->used_slots++] = *rval;
+ }
+
+-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
+ {
+ var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;
+