Package: release.debian.org Severity: normal Changing the request again (sorry) to also include the next patch scheduled for the security update:
php5 (5.4.4-5) unstable; urgency=low . * CVE-2012-3450: parsing bug in PDO can lead to access violations diffstat: debian/patches/CVE-2012-3450.patch | 86 +++++++++++++++++++++++++++++++++++++ php5-5.4.4/debian/changelog | 6 ++ php5-5.4.4/debian/patches/series | 1 3 files changed, 93 insertions(+) debdiff attached... O. -- System Information: Debian Release: 6.0.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (300, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,9 @@
+php5 (5.4.4-5) unstable; urgency=low
+
+ * CVE-2012-3450: parsing bug in PDO can lead to access violations
+
+ -- Ondřej Surý <[email protected]> Tue, 07 Aug 2012 09:34:12 +0200
+
 php5 (5.4.4-4) unstable; urgency=low
 * Fix php5-fpm segfault (PHP#62205)
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -65,0 +66 @@
+CVE-2012-3450.patch
only in patch2: unchanged:
--- php5-5.4.4.orig/debian/patches/CVE-2012-3450.patch
+++ php5-5.4.4/debian/patches/CVE-2012-3450.patch
@@ -0,0 +1,86 @@
+--- a/ext/pdo/pdo_sql_parser.re
++++ b/ext/pdo/pdo_sql_parser.re
+@@ -32,12 +32,12 @@
+ 
+ #define YYCTYPE unsigned char
+ #define YYCURSOR cursor
+-#define YYLIMIT cursor
++#define YYLIMIT s->end
+ #define YYMARKER s->ptr
+-#define YYFILL(n)
++#define YYFILL(n) { RET(PDO_PARSER_EOI); }
+ 
+ typedef struct Scanner {
+- char *ptr, *cur, *tok;
++ char *ptr, *cur, *tok, *end;
+ } Scanner;
+ 
+ static int scan(Scanner *s)
+@@ -50,7 +50,6 @@ static int scan(Scanner *s)
+ QUESTION = [?];
+ SPECIALS = [:?"'];
+ MULTICHAR = [:?];
+- EOF = [\000];
+ ANYNOEOF = [\001-\377];
+ */
+ 
+@@ -62,7 +61,6 @@ static int scan(Scanner *s)
+ QUESTION { RET(PDO_PARSER_BIND_POS); }
+ SPECIALS { SKIP_ONE(PDO_PARSER_TEXT); }
+ (ANYNOEOF\SPECIALS)+ { RET(PDO_PARSER_TEXT); }
+- EOF { RET(PDO_PARSER_EOI); }
+ */
+ }
+ 
+@@ -92,6 +90,7 @@ PDO_API int pdo_parse_params(pdo_stmt_t
+ 
+ ptr = *outquery;
+ s.cur = inquery;
++ s.end = inquery + inquery_len + 1;
+ 
+ /* phase 1: look for args */
+ while((t = scan(&s)) != PDO_PARSER_EOI) {
+--- /dev/null
++++ b/ext/pdo_mysql/tests/bug_61755.phpt
+@@ -0,0 +1,41 @@
++--TEST--
++Bug #61755 (A parsing bug in the prepared statements can lead to access violations)
++--SKIPIF--
++<?php
++if (!extension_loaded('pdo') || !extension_loaded('pdo_mysql')) die('skip not loaded');
++require dirname(__FILE__) . '/config.inc';
++require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++PDOTest::skip();
++?>
++--FILE--
++<?php
++require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
++
++$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
++
++echo "NULL-Byte before first placeholder:\n";
++$s = $db->prepare("SELECT \"a\0b\", ?");
++$s->bindValue(1,"c");
++$s->execute();
++$r = $s->fetch();
++echo "Length of item 0: ".strlen($r[0]).", Value of item 1: ".$r[1]."\n";
++
++echo "\nOpen comment:\n";
++try {
++ $s = $db->prepare("SELECT /*");
++ $s->execute();
++} catch (Exception $e) {
++ echo "Error code: ".$e->getCode()."\n";
++}
++
++echo "\ndone!\n";
++?>
++--EXPECTF--
++NULL-Byte before first placeholder:
++Length of item 0: 3, Value of item 1: c
++
++Open comment:
++Error code: 42000
++
++done!
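Review bot: The new bound `s.end = inquery + inquery_len + 1;` in pdo_parse_params deliberately places YYLIMIT one byte past the declared length, so the scanner's YYFILL-based end-of-input check only fires after it has read the byte at `inquery[inquery_len]`; this is safe only if every caller hands in a NUL-terminated buffer, which the hunk does not state, and the `+ 1` deserves a comment such as `/* +1: let the scanner consume the terminating NUL; inquery must be NUL-terminated */`. With the `EOF = [\000]` rule removed, an embedded NUL byte no longer ends the scan, but neither ANYNOEOF (`[\001-\377]`) nor SPECIALS covers `\000`, so how such a byte is tokenized now depends on re2c's handling of unmatched input rather than on an explicit rule; the bug_61755.phpt test expects it to pass through as text, and a one-line comment in the rule block saying so would make that reliance visible. The `YYFILL(n)` replacement is a bare braced block rather than `do { ... } while (0)`, which is fine as long as re2c emits it as a standalone statement, as it does for the `if ((YYLIMIT - YYCURSOR) < n) YYFILL(n);` form. Both scan() and pdo_parse_params() begin and end outside the nested hunks, so the remaining uses of `s.cur`/`s.ptr` against the new `s.end` cannot be checked from here.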

