Giuseppe Lavagetto has uploaded a new change for review.
https://gerrit.wikimedia.org/r/218132
Change subject: Patch for CVE-2015-4024
......................................................................
Patch for CVE-2015-4024
---
M debian/changelog
A debian/patches/CVE-2015-4024.patch
M debian/patches/series
3 files changed, 67 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/debs/hhvm
refs/changes/32/218132/1
diff --git a/debian/changelog b/debian/changelog
index 425ec0c..da263e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
+hhvm (3.6.1+dfsg1-1+wm3) trusty-wikimedia; urgency=high
+
+ * Patch for CVE-2015-4024
+
+ -- Giuseppe Lavagetto <glavage...@wikimedia.org> Thu, 04 Jun 2015 06:54:47
+0000
+
hhvm (3.6.1+dfsg1-1+wm2) trusty-wikimedia; urgency=medium
- * Patch for CVE-2015-3413
+ * Patch for CVE-2015-3413
-- Giuseppe Lavagetto <glavage...@wikimedia.org> Thu, 04 Jun 2015 08:35:46
+0200
@@ -8,7 +14,7 @@
[ Giuseppe Lavagetto ]
* New upstream release (3.6.1)
- * Added WMF patch to support streaming output in FastCGI
+ * Added WMF patch to support streaming output in FastCGI
* Added patches to build correctly
[ Alexandros Kosiaris ]
diff --git a/debian/patches/CVE-2015-4024.patch
b/debian/patches/CVE-2015-4024.patch
new file mode 100644
index 0000000..ae9ec0e
--- /dev/null
+++ b/debian/patches/CVE-2015-4024.patch
@@ -0,0 +1,58 @@
+diff --git a/hphp/runtime/server/upload.cpp b/hphp/runtime/server/upload.cpp
+--- a/hphp/runtime/server/upload.cpp
++++ b/hphp/runtime/server/upload.cpp
+@@ -424,7 +424,8 @@
+ static int multipart_buffer_headers(multipart_buffer *self,
+ header_list &header) {
+ char *line;
+- std::pair<std::string, std::string> prev_entry;
++ std::string key;
++ std::string buf_value;
+ std::pair<std::string, std::string> entry;
+
+ /* didn't find boundary, abort */
+@@ -437,29 +438,35 @@
+ while( (line = get_line(self)) && strlen(line) > 0 )
+ {
+ /* add header to table */
+-
+- char *key = line;
+ char *value = nullptr;
+
+ /* space in the beginning means same header */
+ if (!isspace(line[0])) {
+ value = strchr(line, ':');
+ }
+
+ if (value) {
+- *value = 0;
++ if (!buf_value.empty() && !key.empty() ) {
++ entry = std::make_pair(key, buf_value);
++ header.push_back(entry);
++ buf_value.erase();
++ key.erase();
++ }
++ *value = '\0';
+ do { value++; } while(isspace(*value));
+- entry = std::make_pair(key, value);
+- } else if (!header.empty()) {
++ key.assign(line);
++ buf_value.append(value);
++ } else if (!buf_value.empty() ) {
+ /* If no ':' on the line, add to previous line */
+- entry = std::make_pair(prev_entry.first, prev_entry.second + line);
+- header.pop_back();
++ buf_value.append(line);
+ } else {
+ continue;
+ }
++ }
+
++ if (!buf_value.empty() && !key.empty()) {
++ entry = std::make_pair(key, buf_value);
+ header.push_back(entry);
+- prev_entry = entry;
+ }
+
+ return 1;
+
diff --git a/debian/patches/series b/debian/patches/series
index e03f16a..561b95a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,6 +5,7 @@
fix-webscalesql.patch
fix-mysql-libraries.patch
CVE-2015-3413.patch
+CVE-2015-4024.patch
# WMF specific patches go here
add-jemalloc-prof-status.patch
--
To view, visit https://gerrit.wikimedia.org/r/218132
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaa5c6380afc28cf3f1b9f4bd8cc1233cee103937
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/hhvm
Gerrit-Branch: master
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
