cellog Thu Jun 4 19:59:09 2009 UTC Added files: (Branch: PHP_5_3) /php-src/ext/phar/tests/tar bignames_overflow.phpt /php-src/ext/phar/tests/tar/files make.dangerous.tar.php.inc
Modified files: /php-src NEWS /php-src/ext/phar tar.c Log: MFPECL: fix security vulnerability in phar's handling of long tar filenames http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.965.2.614&r2=1.2027.2.547.2.965.2.615&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.965.2.614 php-src/NEWS:1.2027.2.547.2.965.2.615 --- php-src/NEWS:1.2027.2.547.2.965.2.614 Thu Jun 4 07:01:47 2009 +++ php-src/NEWS Thu Jun 4 19:59:09 2009 @@ -23,8 +23,9 @@ PDO_PGSQL). (Matteo) - Fixed bug #38802 (max_redirects and ignore_errors). (patch by datib...@php.net) +- Fixed security vulnerability in phar's handling of long tar filenames. (Greg) - Fixed potential segfault with converting phars containing metadata to other - formats (Greg). + formats. (Greg) 07 May 2009, PHP 5.3.0 RC 2 http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tar.c?r1=1.55.2.28&r2=1.55.2.29&diff_format=u Index: php-src/ext/phar/tar.c diff -u php-src/ext/phar/tar.c:1.55.2.28 php-src/ext/phar/tar.c:1.55.2.29 --- php-src/ext/phar/tar.c:1.55.2.28 Wed May 13 20:25:43 2009 +++ php-src/ext/phar/tar.c Thu Jun 4 19:59:09 2009 @@ -330,16 +330,19 @@ if (!old && hdr->prefix[0] != 0) { char name[256]; + int i, j; - strcpy(name, hdr->prefix); - /* remove potential buffer overflow */ - if (hdr->name[99]) { - strncat(name, hdr->name, 100); - } else { - strcat(name, hdr->name); + for (i = 0; i < 155; i++) { + name[i] = hdr->prefix[i]; + if (name[i] == '\0') { + break; + } + } + for (j = 0; j < 100; j++) { + name[i+j] = hdr->name[j]; } - entry.filename_len = strlen(hdr->prefix) + 100; + entry.filename_len = i+j; if (name[entry.filename_len - 1] == '/') { /* some tar programs store directories with trailing slash */ 
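Review bot: The second copy loop in the prefix branch, `for (j = 0; j < 100; j++)`, never stops at the NUL in `hdr->name`, so `j` always ends at 100 and `entry.filename_len` becomes `i+100` whatever the real name length is. For a name shorter than 100 bytes the stored length then counts the padding after the terminator, and the trailing-slash test reads `name[i+99]` rather than the last character of the name. Mirroring the prefix loop with `if (name[i+j] == '\0') { break; }` inside the second loop would make the length match the string. The writes themselves stay in bounds, at most 155 + 100 bytes into `name[256]`. The enclosing function starts and ends outside the hunk, so how `filename_len` is used later is not visible here.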
@@ -347,8 +350,16 @@ } entry.filename = pestrndup(name, entry.filename_len, myphar->is_persistent); } else { - entry.filename = pestrdup(hdr->name, myphar->is_persistent); - entry.filename_len = strlen(entry.filename); + int i; + + /* calculate strlen, which can be no longer than 100 */ + for (i = 0; i < 100; i++) { + if (hdr->name[i] == '\0') { + break; + } + } + entry.filename_len = i; + entry.filename = pestrndup(hdr->name, i, myphar->is_persistent); if (entry.filename[entry.filename_len - 1] == '/') { /* some tar programs store directories with trailing slash */ http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tests/tar/bignames_overflow.phpt?view=markup&rev=1.1 Index: php-src/ext/phar/tests/tar/bignames_overflow.phpt +++ php-src/ext/phar/tests/tar/bignames_overflow.phpt http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tests/tar/files/make.dangerous.tar.php.inc?view=markup&rev=1.1 Index: php-src/ext/phar/tests/tar/files/make.dangerous.tar.php.inc +++ php-src/ext/phar/tests/tar/files/make.dangerous.tar.php.inc -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
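Review bot: An entry whose `hdr->name[0]` is NUL leaves `i` at 0 in the new `else` branch, and the following `entry.filename[entry.filename_len - 1]` then indexes outside the buffer just returned by `pestrndup`. That is one byte before the buffer, or far past it if `filename_len` is unsigned; its declaration is not in the hunk. Unless empty names are rejected earlier in the function, which the hunk does not show, the check should be guarded: `if (entry.filename_len && entry.filename[entry.filename_len - 1] == '/') {`. The bounded scan itself suits a 100-byte field that need not be NUL-terminated. A comment such as `/* name is a fixed 100-byte field and may lack a terminating NUL */` would record why `strlen` is avoided.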