Author: pierre Date: Tue Mar 4 06:06:34 2014 New Revision: 2849 Log: Add patches to php and mitkrb to fix possible vulnerabilities
Added: trunk/mitkrb/ trunk/mitkrb/mitkrb-1.12.1-db2_fix-1.patch trunk/php/php-5.5.9-libmagic_fix-1.patch
Added: trunk/mitkrb/mitkrb-1.12.1-db2_fix-1.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/mitkrb/mitkrb-1.12.1-db2_fix-1.patch Tue Mar 4 06:06:34 2014 (r2849)
@@ -0,0 +1,175 @@
+Submitted By: Pierre Labastie <pierre dot labastie at eamil dot fr>
+Date: 2014-03-04
+Initial Package Version: 1.12.1
+Upstream Status: In upstream GIT
+Origin: Upstream
+Description: Fixes http://krbdev.mit.edu/rt/Ticket/Display.html?id=7860
+
+--- a/src/plugins/kdb/db2/libdb2/mpool/mpool.c
++++ b/src/plugins/kdb/db2/libdb2/mpool/mpool.c
+@@ -81,9 +81,9 @@ mpool_open(key, fd, pagesize, maxcache)
+ /* Allocate and initialize the MPOOL cookie. */
+ if ((mp = (MPOOL *)calloc(1, sizeof(MPOOL))) == NULL)
+ return (NULL);
+- CIRCLEQ_INIT(&mp->lqh);
++ TAILQ_INIT(&mp->lqh);
+ for (entry = 0; entry < HASHSIZE; ++entry)
+- CIRCLEQ_INIT(&mp->hqh[entry]);
++ TAILQ_INIT(&mp->hqh[entry]);
+ mp->maxcache = maxcache;
+ mp->npages = sb.st_size / pagesize;
+ mp->pagesize = pagesize;
+@@ -143,8 +143,8 @@ mpool_new(mp, pgnoaddr, flags)
+ bp->flags = MPOOL_PINNED | MPOOL_INUSE;
+
+ head = &mp->hqh[HASHKEY(bp->pgno)];
+- CIRCLEQ_INSERT_HEAD(head, bp, hq);
+- CIRCLEQ_INSERT_TAIL(&mp->lqh, bp, q);
++ TAILQ_INSERT_HEAD(head, bp, hq);
++ TAILQ_INSERT_TAIL(&mp->lqh, bp, q);
+ return (bp->page);
+ }
+
+@@ -168,8 +168,8 @@ mpool_delete(mp, page)
+
+ /* Remove from the hash and lru queues. */
+ head = &mp->hqh[HASHKEY(bp->pgno)];
+- CIRCLEQ_REMOVE(head, bp, hq);
+- CIRCLEQ_REMOVE(&mp->lqh, bp, q);
++ TAILQ_REMOVE(head, bp, hq);
++ TAILQ_REMOVE(&mp->lqh, bp, q);
+
+ free(bp);
+ return (RET_SUCCESS);
+@@ -208,10 +208,10 @@ mpool_get(mp, pgno, flags)
+ * of the lru chain.
+ */
+ head = &mp->hqh[HASHKEY(bp->pgno)];
+- CIRCLEQ_REMOVE(head, bp, hq);
+- CIRCLEQ_INSERT_HEAD(head, bp, hq);
+- CIRCLEQ_REMOVE(&mp->lqh, bp, q);
+- CIRCLEQ_INSERT_TAIL(&mp->lqh, bp, q);
++ TAILQ_REMOVE(head, bp, hq);
++ TAILQ_INSERT_HEAD(head, bp, hq);
++ TAILQ_REMOVE(&mp->lqh, bp, q);
++ TAILQ_INSERT_TAIL(&mp->lqh, bp, q);
+
+ /* Return a pinned page. */
+ bp->flags |= MPOOL_PINNED;
+@@ -261,8 +261,8 @@ mpool_get(mp, pgno, flags)
+ * of the lru chain.
+ */
+ head = &mp->hqh[HASHKEY(bp->pgno)];
+- CIRCLEQ_INSERT_HEAD(head, bp, hq);
+- CIRCLEQ_INSERT_TAIL(&mp->lqh, bp, q);
++ TAILQ_INSERT_HEAD(head, bp, hq);
++ TAILQ_INSERT_TAIL(&mp->lqh, bp, q);
+
+ /* Run through the user's filter. */
+ if (mp->pgin != NULL)
+@@ -311,8 +311,8 @@ mpool_close(mp)
+ BKT *bp;
+
+ /* Free up any space allocated to the lru pages. */
+- while ((bp = mp->lqh.cqh_first) != (void *)&mp->lqh) {
+- CIRCLEQ_REMOVE(&mp->lqh, mp->lqh.cqh_first, q);
++ while ((bp = mp->lqh.tqh_first) != NULL) {
++ TAILQ_REMOVE(&mp->lqh, mp->lqh.tqh_first, q);
+ free(bp);
+ }
+
+@@ -332,8 +332,7 @@ mpool_sync(mp)
+ BKT *bp;
+
+ /* Walk the lru chain, flushing any dirty pages to disk. */
+- for (bp = mp->lqh.cqh_first;
+- bp != (void *)&mp->lqh; bp = bp->q.cqe_next)
++ for (bp = mp->lqh.tqh_first; bp != NULL; bp = bp->q.tqe_next)
+ if (bp->flags & MPOOL_DIRTY &&
+ mpool_write(mp, bp) == RET_ERROR)
+ return (RET_ERROR);
+@@ -363,8 +362,7 @@ mpool_bkt(mp)
+ * off any lists. If we don't find anything we grow the cache anyway.
+ * The cache never shrinks.
+ */
+- for (bp = mp->lqh.cqh_first;
+- bp != (void *)&mp->lqh; bp = bp->q.cqe_next)
++ for (bp = mp->lqh.tqh_first; bp != NULL; bp = bp->q.tqe_next)
+ if (!(bp->flags & MPOOL_PINNED)) {
+ /* Flush if dirty. */
+ if (bp->flags & MPOOL_DIRTY &&
+@@ -375,8 +373,8 @@ mpool_bkt(mp)
+ #endif
+ /* Remove from the hash and lru queues. */
+ head = &mp->hqh[HASHKEY(bp->pgno)];
+- CIRCLEQ_REMOVE(head, bp, hq);
+- CIRCLEQ_REMOVE(&mp->lqh, bp, q);
++ TAILQ_REMOVE(head, bp, hq);
++ TAILQ_REMOVE(&mp->lqh, bp, q);
+ #if defined(DEBUG) && !defined(DEBUG_IDX0SPLIT)
+ { void *spage;
+ spage = bp->page;
+@@ -450,7 +448,7 @@ mpool_look(mp, pgno)
+ BKT *bp;
+
+ head = &mp->hqh[HASHKEY(pgno)];
+- for (bp = head->cqh_first; bp != (void *)head; bp = bp->hq.cqe_next)
++ for (bp = head->tqh_first; bp != NULL; bp = bp->hq.tqe_next)
+ if ((bp->pgno == pgno) && (bp->flags & MPOOL_INUSE)) {
+ #ifdef STATISTICS
+ ++mp->cachehit;
+@@ -494,8 +492,7 @@ mpool_stat(mp)
+
+ sep = "";
+ cnt = 0;
+- for (bp = mp->lqh.cqh_first;
+- bp != (void *)&mp->lqh; bp = bp->q.cqe_next) {
++ for (bp = mp->lqh.tqh_first; bp != NULL; bp = bp->q.tqe_next) {
+ (void)fprintf(stderr, "%s%d", sep, bp->pgno);
+ if (bp->flags & MPOOL_DIRTY)
+ (void)fprintf(stderr, "d");
+
+--- a/src/plugins/kdb/db2/libdb2/mpool/mpool.h
++++ b/src/plugins/kdb/db2/libdb2/mpool/mpool.h
+@@ -47,8 +47,8 @@
+
+ /* The BKT structures are the elements of the queues. */
+ typedef struct _bkt {
+- CIRCLEQ_ENTRY(_bkt) hq; /* hash queue */
+- CIRCLEQ_ENTRY(_bkt) q; /* lru queue */
++ TAILQ_ENTRY(_bkt) hq; /* hash queue */
++ TAILQ_ENTRY(_bkt) q; /* lru queue */
+ void *page; /* page */
+ db_pgno_t pgno; /* page number */
+
+@@ -59,9 +59,9 @@ typedef struct _bkt {
+ } BKT;
+
+ typedef struct MPOOL {
+- CIRCLEQ_HEAD(_lqh, _bkt) lqh; /* lru queue head */
++ TAILQ_HEAD(_lqh, _bkt) lqh; /* lru queue head */
+ /* hash queue array */
+- CIRCLEQ_HEAD(_hqh, _bkt) hqh[HASHSIZE];
++ TAILQ_HEAD(_hqh, _bkt) hqh[HASHSIZE];
+ db_pgno_t curcache; /* current number of cached pages */
+ db_pgno_t maxcache; /* max number of cached pages */
+ db_pgno_t npages; /* number of pages in the file */
+
+--- a/src/plugins/kdb/db2/libdb2/test/run.test
++++ b/src/plugins/kdb/db2/libdb2/test/run.test
+@@ -71,10 +71,11 @@ main()
+ }
+
+ getnwords() {
+- # Delete blank lines because the db code appears not to
+- # like empty keys. On Debian Linux, $DICT appears to contain
+- # some non-ASCII characters, and "rev" chokes on them.
+- sed -e '/^$/d' < $DICT | cat -v | sed -e ${1}q
++ # Delete blank lines because the db code appears not to like
++ # empty keys. Omit lines with non-alphanumeric characters to
++ # avoid shell metacharacters and non-ASCII characters which
++ # could cause 'rev' to choke.
++ LC_ALL=C sed -e '/^$/d' -e '/[^A-Za-z]/d' < $DICT | sed -e ${1}q
+ }
+
+ # Take the first hundred entries in the dictionary, and make them
Added: trunk/php/php-5.5.9-libmagic_fix-1.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/php/php-5.5.9-libmagic_fix-1.patch Tue Mar 4 06:06:34 2014 (r2849)
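Review bot: The `Description:` line in this patch header only links krbdev RT ticket 7860, while the commit log calls this a fix for "possible vulnerabilities"; a packager needs the header itself to say what changes and why. What the hunk shows is that every list walk in mpool.c (mpool_close, mpool_sync, mpool_bkt, mpool_look, mpool_stat) used to terminate by comparing a `BKT *` with the cast queue head, `bp != (void *)&mp->lqh` / `bp != (void *)head`, and now terminates on `NULL`, so I would write `Description: Switch the db2 mpool lists from CIRCLEQ to TAILQ so that list walks stop on NULL instead of comparing an element pointer with the differently typed list head (krbdev RT #7860).` and take the one-sentence reason from the ticket, since why that comparison is unsafe is not visible here. Separately, the new run.test comment says lines with "non-alphanumeric" characters are omitted, but `'/[^A-Za-z]/d'` also drops every line containing a digit; either use `[^A-Za-z0-9]` or say "non-alphabetic". The `Submitted By:` address also reads `eamil dot fr` where the php patch header says `email dot fr`.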
@@ -0,0 +1,127 @@
+Submitted By: Pierre Labastie <pierre dot labastie at email dot fr>
+Date: 2014-03-04
+Initial Package Version: 5.5.9
+Upstream Status: In upstream GIT
+Origin: Upstream
+Description: Fixes an infinite recursion in libmagic (fileinfo extension)
+
+--- a/ext/fileinfo/libmagic/ascmagic.c
++++ b/ext/fileinfo/libmagic/ascmagic.c
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
+ == NULL)
+ goto done;
+ if ((rv = file_softmagic(ms, utf8_buf,
+- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
+ rv = -1;
+ }
+
+diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h
+index 19b6872..ab5082d 100644
+--- a/ext/fileinfo/libmagic/file.h
++++ b/ext/fileinfo/libmagic/file.h
+@@ -437,7 +437,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
+ unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+- int, int);
++ size_t, int, int);
+ protected int file_apprentice(struct magic_set *, const char *, int);
+ protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
+index 9c0d2bd..011ca42 100644
+--- a/ext/fileinfo/libmagic/funcs.c
++++ b/ext/fileinfo/libmagic/funcs.c
+@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
+
+ /* try soft magic tests */
+ if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
+ looks_text)) != 0) {
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ (void)fprintf(stderr, "softmagic %d\n", m);
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 0671fa9..7c5f628 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
+ /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+- int mode, int text)
++ size_t level, int mode, int text)
+ {
+ struct mlist *ml;
+ int rv, printed_something = 0, need_separator = 0;
+ for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
+ if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
+- text, 0, 0, &printed_something, &need_separator,
++ text, 0, level, &printed_something, &need_separator,
+ NULL)) != 0)
+ return rv;
+
+@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ break;
+
+ case FILE_INDIRECT:
++ if (offset == 0)
++ return 0;
+ if (nbytes < offset)
+ return 0;
+ sbuf = ms->o.buf;
+@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ ms->o.buf = NULL;
+ ms->offset = 0;
+ rv = file_softmagic(ms, s + offset, nbytes - offset,
+- BINTEST, text);
++ recursion_level, BINTEST, text);
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+ rbuf = ms->o.buf;
+diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
+new file mode 100644
+index 0000000..b2e9c17
+--- /dev/null
++++ b/ext/fileinfo/tests/cve-2014-1943.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++Bug #66731: file: infinite recursion
++--SKIPIF--
++<?php
++if (!class_exists('finfo'))
++ die('skip no fileinfo extension');
++--FILE--
++<?php
++$fd = __DIR__.'/cve-2014-1943.data';
++$fm = __DIR__.'/cve-2014-1943.magic';
++
++$a = "\105\122\000\000\000\000\000";
++$b = str_repeat("\001", 250000);
++$m = "0 byte x\n".
++ ">(1.b) indirect x\n";
++
++file_put_contents($fd, $a);
++$fi = finfo_open(FILEINFO_NONE);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++
++file_put_contents($fd, $b);
++file_put_contents($fm, $m);
++$fi = finfo_open(FILEINFO_NONE, $fm);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++?>
++Done
++--CLEAN--
++<?php
++@unlink(__DIR__.'/cve-2014-1943.data');
++@unlink(__DIR__.'/cve-2014-1943.magic');
++?>
++--EXPECTF--
++string(%d) "%s"
++
++Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
++bool(false)
++Done
-- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
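Review bot: The new `level` argument is passed from `file_softmagic()` into `match()` and handed back by `mget()`'s FILE_INDIRECT case as `recursion_level`, but nothing in the hunk increments it or compares it with a limit, so the depth cap this fix depends on must sit in `match()`/`mget()` outside the visible lines (`mget()` starts and ends outside the hunk) and should be confirmed to apply on the indirect path. The added `if (offset == 0) return 0;` only stops an indirect that points back at the start of the same buffer; with a non-zero offset the recursive call `file_softmagic(ms, s + offset, nbytes - offset, ...)` shrinks the buffer by `offset` per level, which is exactly what the second test case drives with a 250000-byte `\001` input and the `>(1.b) indirect x` rule (an indirect at offset 1 at every level), so the expected `Failed identify data` warning can only come from that depth check, not from the zero-offset guard. The guard also deserves a why-comment, e.g. `/* offset 0 would re-run softmagic on the same buffer and recurse forever (CVE-2014-1943); treat as no match */`.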