On Thu, Dec 17, 2015 at 11:18:20AM +0800, Jian Liu wrote: > CVE-2015-7803: > The phar_get_entry_data function in ext/phar/util.c in PHP > before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers > to cause a denial of service (NULL pointer dereference and > application crash) via a .phar file with a crafted TAR archive > entry in which the Link indicator references a file that does > not exist.
Upgrade to 5.6.16 was already merged in master, I've dropped this change from master-next now. Maybe you wanted to get it merged in jethro branch? > > This patch is from > http://git.php.net/?p=php-src.git;a=commitdiff;\ > h=d698f0ae51f67c9cce870b09c59df3d6ba959244;hp=bb98ed600ab6787d9d367927d49439be9a83441e > > Signed-off-by: Jian Liu <[email protected]> > --- > .../php/php-5.6.12/php-CVE-2015-7803.patch | 72 > ++++++++++++++++++++++ > meta-oe/recipes-devtools/php/php.inc | 1 + > 2 files changed, 73 insertions(+) > create mode 100644 > meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch > > diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch > b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch > new file mode 100644 > index 0000000..77ff44f > --- /dev/null > +++ b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch > @@ -0,0 +1,72 @@ > +Fix bug #69720: Null pointer dereference in phar_get_fp_offset() > + > +The phar_get_entry_data function in ext/phar/util.c in PHP > +before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers > +to cause a denial of service (NULL pointer dereference and > +application crash) via a .phar file with a crafted TAR archive > +entry in which the Link indicator references a file that does > +not exist. > + > +Written-by: Stanislav Malyshev <[email protected]> > + > +Binary files php-5.6.12.orig/ext/phar/tests/bug69720.phar and > php-5.6.12/ext/phar/tests/bug69720.phar differ > +diff -Nur php-5.6.12.orig/ext/phar/tests/bug69720.phpt > php-5.6.12/ext/phar/tests/bug69720.phpt > +--- php-5.6.12.orig/ext/phar/tests/bug69720.phpt 1970-01-01 > 08:00:00.000000000 +0800 > ++++ php-5.6.12/ext/phar/tests/bug69720.phpt 2015-12-16 17:15:56.703415339 > +0800 > +@@ -0,0 +1,40 @@ > ++--TEST-- > ++Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset() > ++--SKIPIF-- > ++<?php if (!extension_loaded("phar")) die("skip"); ?> > ++--FILE-- > ++<?php > ++try { > ++ // open an existing phar > ++ $p = new Phar(__DIR__."/bug69720.phar",0); > ++ // Phar extends SPL's DirectoryIterator class > ++ echo $p->getMetadata(); > ++ foreach (new RecursiveIteratorIterator($p) as $file) { > ++ // $file is a PharFileInfo class, and inherits from SplFileInfo > ++ $temp=""; > ++ $temp= $file->getFileName() . "\n"; > ++ $temp.=file_get_contents($file->getPathName()) . "\n"; // display > contents > ++ var_dump($file->getMetadata()); > ++ } > ++} > ++ catch (Exception $e) { > ++ echo 'Could not open Phar: ', $e; > ++} > ++?> > ++--EXPECTF-- > ++ > ++MY_METADATA_NULL > ++ > ++Warning: file_get_contents(phar:///%s): failed to open stream: phar error: > "test.php" is not a file in phar "%s.phar" in %s.php on line %d > ++array(1) { > ++ ["whatever"]=> > ++ int(123) > ++} > ++object(DateTime)#2 (3) { > ++ ["date"]=> > ++ string(26) "2000-01-01 00:00:00.000000" > ++ ["timezone_type"]=> > ++ int(3) > ++ ["timezone"]=> > ++ string(3) "UTC" > ++} > +diff -Nur php-5.6.12.orig/ext/phar/util.c php-5.6.12/ext/phar/util.c > +--- php-5.6.12.orig/ext/phar/util.c 2015-12-16 17:06:04.011411206 +0800 > ++++ php-5.6.12/ext/phar/util.c 2015-12-16 17:18:08.683416259 +0800 > +@@ -494,7 +494,11 @@ > + (*ret)->is_tar = entry->is_tar; > + (*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC); > + if (entry->link) { > +- (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry > TSRMLS_CC) TSRMLS_CC); > ++ phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC); > ++ if(!link) { > ++ return FAILURE; > ++ } > ++ (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC); > + } else { > + (*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC); > + } > diff --git a/meta-oe/recipes-devtools/php/php.inc > b/meta-oe/recipes-devtools/php/php.inc > index 67d2362..4aa9c3f 100644 > --- a/meta-oe/recipes-devtools/php/php.inc > +++ b/meta-oe/recipes-devtools/php/php.inc > @@ -14,6 +14,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ > file://acinclude-xml2-config.patch \ > file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \ > file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \ > + file://php-CVE-2015-7803.patch \ > " > > SRC_URI_append_class-target += " \ > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-devel mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-devel -- Martin 'JaMa' Jansa jabber: [email protected]
signature.asc
Description: Digital signature
-- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
