diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2010-07-06 11:03:41 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2010-07-06 11:04:26 +0000 |
commit | 993176136f182c2feb91682b31f0a905167f418d (patch) | |
tree | 78357b1cb6c567e201c27513aa57fae342b62506 | |
parent | eed9f37161248c488e0ff923681dfa42907b2d7b (diff) | |
download | aports-993176136f182c2feb91682b31f0a905167f418d.tar.bz2 aports-993176136f182c2feb91682b31f0a905167f418d.tar.xz |
main/php: fix for CVE-2010-2225
based on http://svn.php.net/viewvc?view=revision&revision=300843
-rw-r--r-- | main/php/APKBUILD | 8 | ||||
-rw-r--r-- | main/php/CVE-2010-2225.patch | 194 |
2 files changed, 200 insertions, 2 deletions
diff --git a/main/php/APKBUILD b/main/php/APKBUILD index 7078294843..f933f01bd4 100644 --- a/main/php/APKBUILD +++ b/main/php/APKBUILD @@ -3,7 +3,7 @@ pkgname=php pkgver=5.3.2 _suhosinver=${pkgver}-0.9.9.1 -pkgrel=7 +pkgrel=8 pkgdesc="The PHP language runtime engine" url="http://www.php.net/" license="PHP-3" @@ -65,6 +65,7 @@ source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2 http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz php-install-pear-xml.patch zend_execute_API.c.patch + CVE-2010-2225.patch " _extdir="/usr/lib/php/20090626" @@ -75,6 +76,8 @@ build() { # beat the pear installer into using xml.so patch -p1 -i "$srcdir"/php-install-pear-xml.patch || return 1 + patch -p0 -i "$srcdir"/CVE-2010-2225.patch || return 1 + # apply suhosin patch gunzip -c ${srcdir}/suhosin-patch-${_suhosinver}.patch.gz \ | patch -p1 || return 1 @@ -259,4 +262,5 @@ dev() { md5sums="46f500816125202c48a458d0133254a4 php-5.3.2.tar.bz2 4647b05330862d6a1fc4469245cc6ade suhosin-patch-5.3.2-0.9.9.1.patch.gz 5111e3be06d391f8772587c675240fab php-install-pear-xml.patch -55f9d24316a57e0c0f6b4b84791a1a17 zend_execute_API.c.patch" +55f9d24316a57e0c0f6b4b84791a1a17 zend_execute_API.c.patch +373a2705d03a13b77b590026b0ae47aa CVE-2010-2225.patch" diff --git a/main/php/CVE-2010-2225.patch b/main/php/CVE-2010-2225.patch new file mode 100644 index 0000000000..08c71f26b0 --- /dev/null +++ b/main/php/CVE-2010-2225.patch @@ -0,0 +1,194 @@ +Index: ext/spl/tests/SplObjectStorage_unserialize_nested.phpt +=================================================================== +--- ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 0) ++++ ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 300843) +@@ -0,0 +1,47 @@ ++--TEST-- ++SPL: Test unserializing tested & linked storage ++--FILE-- ++<?php ++$o = new StdClass(); ++$a = new StdClass(); ++ ++$o->a = $a; ++ ++$so = new SplObjectStorage(); ++ ++$so[$o] = 1; ++$so[$a] = 2; ++ ++$s = serialize($so); ++echo $s."\n"; ++ ++$so1 = unserialize($s); ++var_dump($so1); ++ ++--EXPECTF-- ++C:16:"SplObjectStorage":76:{x:i:2;O:8:"stdClass":1:{s:1:"a";O:8:"stdClass":0:{}},i:1;;r:2;,i:2;;m:a:0:{}} ++object(SplObjectStorage)#4 (1) { ++ ["storage":"SplObjectStorage":private]=> ++ array(2) { ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#5 (1) { ++ ["a"]=> ++ object(stdClass)#6 (0) { ++ } ++ } ++ ["inf"]=> ++ int(1) ++ } ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#6 (0) { ++ } ++ ["inf"]=> ++ int(2) ++ } ++ } ++} ++ +Index: ext/spl/tests/SplObjectStorage_unserialize_bad.phpt +=================================================================== +--- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 0) ++++ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 300843) +@@ -0,0 +1,45 @@ ++--TEST-- ++SPL: Test that serialized blob contains unique elements (CVE-2010-2225) ++--FILE-- ++<?php ++ ++$badblobs = array( ++'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', ++'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', ++'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', ++); ++foreach($badblobs as $blob) { ++try { ++ $so = new SplObjectStorage(); ++ $so->unserialize($blob); ++ var_dump($so); ++} catch(UnexpectedValueException $e) { ++ echo $e->getMessage()."\n"; ++} ++} ++--EXPECTF-- ++Error at offset 6 of 34 bytes ++Error at offset 46 of 89 bytes ++object(SplObjectStorage)#2 (1) { ++ ["storage":"SplObjectStorage":private]=> ++ array(2) { ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#3 (0) { ++ } ++ ["inf"]=> ++ int(1) ++ } ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#1 (0) { ++ } ++ ["inf"]=> ++ object(stdClass)#4 (0) { ++ } ++ } ++ } ++} ++ +Index: ext/spl/spl_observer.c +=================================================================== +--- ext/spl/spl_observer.c (revision 300842) ++++ ext/spl/spl_observer.c (revision 300843) +@@ -115,6 +115,7 @@ + zval_ptr_dtor(&element->inf); + } /* }}} */ + ++ + spl_SplObjectStorageElement* spl_object_storage_get(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */ + { + spl_SplObjectStorageElement *element; +@@ -632,15 +633,24 @@ + zval_ptr_dtor(&pcount); + + while(count-- > 0) { ++ spl_SplObjectStorageElement *pelement; ++ + if (*p != ';') { + goto outexcept; + } + ++p; ++ if(*p != 'O' && *p != 'C' && *p != 'r') { ++ goto outexcept; ++ } + ALLOC_INIT_ZVAL(pentry); + if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) { + zval_ptr_dtor(&pentry); + goto outexcept; + } ++ if(Z_TYPE_P(pentry) != IS_OBJECT) { ++ zval_ptr_dtor(&pentry); ++ goto outexcept; ++ } + ALLOC_INIT_ZVAL(pinf); + if (*p == ',') { /* new version has inf */ + ++p; +@@ -649,6 +659,16 @@ + goto outexcept; + } + } ++ ++ pelement = spl_object_storage_get(intern, pentry TSRMLS_CC); ++ if(pelement) { ++ if(pelement->inf) { ++ var_push_dtor(&var_hash, &pelement->inf); ++ } ++ if(pelement->obj) { ++ var_push_dtor(&var_hash, &pelement->obj); ++ } ++ } + spl_object_storage_attach(intern, pentry, pinf TSRMLS_CC); + zval_ptr_dtor(&pentry); + zval_ptr_dtor(&pinf); +Index: ext/standard/var_unserializer.c +=================================================================== +--- ext/standard/var_unserializer.c (revision 300842) ++++ ext/standard/var_unserializer.c (revision 300843) +@@ -56,7 +56,7 @@ + var_hash->data[var_hash->used_slots++] = *rval; + } + +-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) ++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) + { + var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; + +Index: ext/standard/php_var.h +=================================================================== +--- ext/standard/php_var.h (revision 300842) ++++ ext/standard/php_var.h (revision 300843) +@@ -60,6 +60,7 @@ + var_destroy(&(var_hash)) + + PHPAPI void var_replace(php_unserialize_data_t *var_hash, zval *ozval, zval **nzval); ++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hash, zval **val); + PHPAPI void var_destroy(php_unserialize_data_t *var_hash); + + #define PHP_VAR_UNSERIALIZE_ZVAL_CHANGED(var_hash, ozval, nzval) \ +Index: ext/standard/var_unserializer.re +=================================================================== +--- ext/standard/var_unserializer.re (revision 300842) ++++ ext/standard/var_unserializer.re (revision 300843) +@@ -54,7 +54,7 @@ + var_hash->data[var_hash->used_slots++] = *rval; + } + +-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) ++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) + { + var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; + |