On Thu, Dec 17, 2015 at 11:18:46AM +0800, Jian Liu wrote:
> CVE-2015-7804:
> Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c
> in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
> to cause a denial of service (uninitialized pointer dereference and
> application crash) by including the / filename in a .zip PHAR archive.

Upgrade to 5.6.16 was already merged in master, I've dropped this change from master-next now. Maybe you wanted to get it merged in jethro branch? > > This patch is from > http://git.php.net/?p=php-src.git;a=commitdiff;\ > h=1ddf72180a52d247db88ea42a3e35f824a8fbda1;hp=f98ab19dc0c978e3caaa2614579e4a61f2c317f5 > > Signed-off-by: Jian Liu <[email protected]> > --- > .../php/php-5.6.12/php-CVE-2015-7804.patch | 35 > ++++++++++++++++++++++ > meta-oe/recipes-devtools/php/php.inc | 1 + > 2 files changed, 36 insertions(+) > create mode 100644 > meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch > > diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch > b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch > new file mode 100644 > index 0000000..248d1d1 > --- /dev/null > +++ b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7804.patch 
> @@ -0,0 +1,35 @@ > +FIx bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry > filename is "/" > + > +Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c > +in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers > +to cause a denial of service (uninitialized pointer dereference and > +application crash) by including the / filename in a .zip PHAR archive. > + > +Written-by: Stanislav Malyshev <[email protected]> > + > +diff -Nur php-5.6.12.orig/ext/phar/util.c php-5.6.12/ext/phar/util.c > +--- php-5.6.12.orig/ext/phar/util.c 2015-12-16 18:51:51.603455462 +0800 > ++++ php-5.6.12/ext/phar/util.c 2015-12-16 18:53:43.483456242 +0800 > +@@ -1969,7 +1969,7 @@ > + > + while ((s = zend_memrchr(filename, '/', filename_len))) { > + filename_len = s - filename; > +- if (FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, > filename, filename_len)) { > ++ if (!filename_len || FAILURE == > zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) { > + break; > + } > + } > +diff -Nur php-5.6.12.orig/ext/phar/zip.c php-5.6.12/ext/phar/zip.c > +--- php-5.6.12.orig/ext/phar/zip.c 2015-12-16 18:51:51.603455462 +0800 > ++++ php-5.6.12/ext/phar/zip.c 2015-12-16 18:54:39.667456634 +0800 > +@@ -396,7 +396,9 @@ > + > + if (entry.filename[entry.filename_len - 1] == '/') { > + entry.is_dir = 1; > +- entry.filename_len--; > ++ if(entry.filename_len > 1) { > ++ entry.filename_len--; > ++ } > + entry.flags |= PHAR_ENT_PERM_DEF_DIR; > + } else { > + entry.is_dir = 0; > diff --git a/meta-oe/recipes-devtools/php/php.inc > b/meta-oe/recipes-devtools/php/php.inc > index 4aa9c3f..d0c596c 100644 > --- a/meta-oe/recipes-devtools/php/php.inc > +++ b/meta-oe/recipes-devtools/php/php.inc 
> @@ -15,6 +15,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ > file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \ > file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \ > file://php-CVE-2015-7803.patch \ > + file://php-CVE-2015-7804.patch \ > " > > SRC_URI_append_class-target += " \ > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-devel mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-devel -- Martin 'JaMa' Jansa jabber: [email protected]
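
Review bot: The header of the new php-CVE-2015-7804.patch has no Upstream-Status line; it carries only the description and a Written-by tag, and the git.php.net commit link appears in the commit message but not in the patch file. Add "Upstream-Status: Backport" with that commit URL to the patch header so the origin travels with the file, and correct "FIx" in its first line at the same time.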
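
Review bot: In the ext/phar/zip.c hunk, the test `entry.filename[entry.filename_len - 1] == '/'` still runs before any length check visible in the context, so the new `entry.filename_len > 1` guard protects only the decrement. Please confirm that a zero-length entry name is rejected earlier in phar_parse_zipfile; if it is not, the index expression reads one byte before the buffer and the condition needs its own `entry.filename_len` check. The added `if(` also lacks the space used by the surrounding `if (` lines, which is worth keeping as-is only to stay identical to the upstream commit.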
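
Review bot: The php.inc hunk adds `file://php-CVE-2015-7804.patch` to the SRC_URI shared by every php recipe version, while the patch file is created under the php-5.6.12/ directory and the description states the bug is fixed from 5.6.14 onward. A recipe at any other version that includes php.inc would not have this file in its own version directory, and on a fixed version the change is already present in the source. Move the entry into the 5.6.12 recipe, or send the change against the branch that still ships 5.6.12.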
