Giuseppe Lavagetto has uploaded a new change for review. https://gerrit.wikimedia.org/r/218132
Change subject: Patch for CVE-2015-4024 ...................................................................... Patch for CVE-2015-4024 --- M debian/changelog A debian/patches/CVE-2015-4024.patch M debian/patches/series 3 files changed, 67 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/hhvm refs/changes/32/218132/1 diff --git a/debian/changelog b/debian/changelog index 425ec0c..da263e8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,12 @@ +hhvm (3.6.1+dfsg1-1+wm3) trusty-wikimedia; urgency=high + + * Patch for CVE-2015-4024 + + -- Giuseppe Lavagetto <glavage...@wikimedia.org> Thu, 04 Jun 2015 06:54:47 +0000 + hhvm (3.6.1+dfsg1-1+wm2) trusty-wikimedia; urgency=medium - * Patch for CVE-2015-3413 + * Patch for CVE-2015-3413 -- Giuseppe Lavagetto <glavage...@wikimedia.org> Thu, 04 Jun 2015 08:35:46 +0200 @@ -8,7 +14,7 @@ [ Giuseppe Lavagetto ] * New upstream release (3.6.1) - * Added WMF patch to support streaming output in FastCGI + * Added WMF patch to support streaming output in FastCGI * Added patches to build correctly [ Alexandros Kosiaris ] diff --git a/debian/patches/CVE-2015-4024.patch b/debian/patches/CVE-2015-4024.patch new file mode 100644 index 0000000..ae9ec0e --- /dev/null +++ b/debian/patches/CVE-2015-4024.patch 
@@ -0,0 +1,58 @@
+diff --git a/hphp/runtime/server/upload.cpp b/hphp/runtime/server/upload.cpp
+--- a/hphp/runtime/server/upload.cpp
++++ b/hphp/runtime/server/upload.cpp
+@@ -424,7 +424,8 @@
+ static int multipart_buffer_headers(multipart_buffer *self,
+ header_list &header) {
+ char *line;
+- std::pair<std::string, std::string> prev_entry;
++ std::string key;
++ std::string buf_value;
+ std::pair<std::string, std::string> entry;
+
+ /* didn't find boundary, abort */
+@@ -437,29 +438,35 @@
+ while( (line = get_line(self)) && strlen(line) > 0 )
+ {
+ /* add header to table */
+-
+- char *key = line;
+ char *value = nullptr;
+
+ /* space in the beginning means same header */
+ if (!isspace(line[0])) {
+ value = strchr(line, ':');
+ }
+
+ if (value) {
+- *value = 0;
++ if (!buf_value.empty() && !key.empty() ) {
++ entry = std::make_pair(key, buf_value);
++ header.push_back(entry);
++ buf_value.erase();
++ key.erase();
++ }
++ *value = '\0';
+ do { value++; } while(isspace(*value));
+- entry = std::make_pair(key, value);
+- } else if (!header.empty()) {
++ key.assign(line);
++ buf_value.append(value);
++ } else if (!buf_value.empty() ) {
+ /* If no ':' on the line, add to previous line */
+- entry = std::make_pair(prev_entry.first, prev_entry.second + line);
+- header.pop_back();
++ buf_value.append(line);
+ } else {
+ continue;
+ }
++ }
+
++ if (!buf_value.empty() && !key.empty()) {
++ entry = std::make_pair(key, buf_value);
+ header.push_back(entry);
+- prev_entry = entry;
+ }
+
+ return 1;
+
diff --git a/debian/patches/series b/debian/patches/series
index e03f16a..561b95a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
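Review bot: In the `if (value)` branch of `multipart_buffer_headers` (debian/patches/CVE-2015-4024.patch), the pending header is flushed and cleared only when both `buf_value` and `key` are non-empty, so a header line with an empty key leaves its value in `buf_value` and the following `buf_value.append(value)` joins it onto the next header's value. Writing `buf_value.assign(value);` at that point keeps one header's value from carrying over into the next. The same `empty()` tests also drop a header whose value is empty, together with its continuation lines, whereas the removed code pushed `(key, "")`; a `bool pending` flag set after `key.assign(line)` and tested in place of the three `empty()` checks would keep the earlier behaviour while retaining the single-append buffering. The function body between the two inner hunks is not shown, so this is read from the visible lines only.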
@@ -5,6 +5,7 @@ fix-webscalesql.patch fix-mysql-libraries.patch CVE-2015-3413.patch +CVE-2015-4024.patch # WMF specific patches go here add-jemalloc-prof-status.patch -- To view, visit https://gerrit.wikimedia.org/r/218132 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iaa5c6380afc28cf3f1b9f4bd8cc1233cee103937 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/hhvm Gerrit-Branch: master Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits