CVE-2015-7804: Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitialized pointer dereference and application crash) by including the / filename in a .zip PHAR archive.
This patch is from http://git.php.net/?p=php-src.git;a=commitdiff;\ h=1ddf72180a52d247db88ea42a3e35f824a8fbda1;hp=f98ab19dc0c978e3caaa2614579e4a61f2c317f5 Signed-off-by: Jian Liu <[email protected]> --- .../php/php-5.6.12/php-CVE-2015-7804.patch | 35 ++++++++++++++++++++++ meta-oe/recipes-devtools/php/php.inc | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch new file mode 100644 index 0000000..248d1d1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch 
@@ -0,0 +1,35 @@ +FIx bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/" + +Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c +in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers +to cause a denial of service (uninitialized pointer dereference and +application crash) by including the / filename in a .zip PHAR archive. + +Written-by: Stanislav Malyshev <[email protected]> + +diff -Nur php-5.6.12.orig/ext/phar/util.c php-5.6.12/ext/phar/util.c +--- php-5.6.12.orig/ext/phar/util.c 2015-12-16 18:51:51.603455462 +0800 ++++ php-5.6.12/ext/phar/util.c 2015-12-16 18:53:43.483456242 +0800 +@@ -1969,7 +1969,7 @@ + + while ((s = zend_memrchr(filename, '/', filename_len))) { + filename_len = s - filename; +- if (FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) { ++ if (!filename_len || FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) { + break; + } + } +diff -Nur php-5.6.12.orig/ext/phar/zip.c php-5.6.12/ext/phar/zip.c +--- php-5.6.12.orig/ext/phar/zip.c 2015-12-16 18:51:51.603455462 +0800 ++++ php-5.6.12/ext/phar/zip.c 2015-12-16 18:54:39.667456634 +0800 +@@ -396,7 +396,9 @@ + + if (entry.filename[entry.filename_len - 1] == '/') { + entry.is_dir = 1; +- entry.filename_len--; ++ if(entry.filename_len > 1) { ++ entry.filename_len--; ++ } + entry.flags |= PHAR_ENT_PERM_DEF_DIR; + } else { + entry.is_dir = 0; diff --git a/meta-oe/recipes-devtools/php/php.inc b/meta-oe/recipes-devtools/php/php.inc index 4aa9c3f..d0c596c 100644 --- a/meta-oe/recipes-devtools/php/php.inc +++ b/meta-oe/recipes-devtools/php/php.inc 
@@ -15,6 +15,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \ file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \ file://php-CVE-2015-7803.patch \ + file://php-CVE-2015-7804.patch \ " SRC_URI_append_class-target += " \ -- 1.9.1
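Review bot: The header of the new php-CVE-2015-7804.patch file has no Upstream-Status: line; the upstream commit is cited only in this e-mail's commit message, not in the patch file that ends up in the layer. Add "Upstream-Status: Backport" together with the git.php.net commit URL to the patch header, and fix the "FIx" typo in its first line. The description says the issue is fixed in 5.6.14 while the file lands under php-5.6.12/, so the patch and its SRC_URI entry should be dropped when the recipe moves to 5.6.14 or later.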
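Review bot: In the ext/phar/util.c hunk the new `!filename_len` test shares one condition with the `FAILURE ==` check, so a reader cannot tell that reaching length zero is the normal end of the loop for a name with a leading "/" rather than an error. A short comment above the `if` would help, for example that an empty prefix must never be added to `phar->virtual_dirs`. The placement itself is right: `||` short-circuits, so the zero-length key is never passed to `zend_hash_add_empty_element`.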
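Review bot: In the ext/phar/zip.c hunk the unchanged context line `if (entry.filename[entry.filename_len - 1] == '/')` still indexes with `entry.filename_len - 1`, and nothing visible in this hunk rules out a zero `entry.filename_len`, which would read one byte before the buffer. The new `entry.filename_len > 1` guard covers only the decrement. Confirm that an earlier check rejects empty names, or extend the outer condition with `entry.filename_len > 0 &&`. With the guard in place an entry named "/" keeps a one-byte name, which is the case the util.c change then has to stop on, so the two hunks should stay together if this is ever rebased. As a style point, `if(entry.filename_len > 1)` lacks the space after `if` that the surrounding code uses.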
