I'm +1 on adding it for several reasons, one of which is there are plenty of 
RHEL 5 (and OL 5) sites out there.

Chris

PS the testcase wasn't attached to your email.

On 12/18/2011 12:03 PM, Scott MacVicar wrote:
It's not worth adding a test for, it's never going to re-occur and it only 
affects 4 year old versions of OpenSSL. Basically RHEL 5 is the only thing with 
a problem.

I wrote one but don't want to add a somewhat useless test. Attached, but the 
extra second to test running isn't worth it.





- Scott


On 18 Dec 2011, at 03:49, Pierre Joye wrote:

hi,

do you have a test case for this crash?

Cheers,

On Sun, Dec 18, 2011 at 6:14 AM, Scott MacVicar <scott...@php.net> wrote:
scottmac                                 Sun, 18 Dec 2011 05:14:32 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=321094

Log:
Fix segfault in older versions of OpenSSL (before 0.9.8i)

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
    U   php/php-src/branches/PHP_5_4/NEWS
    U   php/php-src/branches/PHP_5_4/ext/openssl/openssl.c
    U   php/php-src/trunk/ext/openssl/openssl.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2011-12-18 01:04:35 UTC (rev 321093)
+++ php/php-src/branches/PHP_5_3/NEWS   2011-12-18 05:14:32 UTC (rev 321094)
@@ -6,6 +6,9 @@
   . Added max_input_vars directive to prevent attacks based on hash collisions
     (Dmitry).

+- OpenSSL:
+  . Fix segfault with older versions of OpenSSL. (Scott)
+
  - Streams:
   . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected 
together
     with the last read). (Gustavo)
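Review bot: The new NEWS line "Fix segfault with older versions of OpenSSL." does not say which versions are affected or what triggers the crash. The commit log gives the bound (before 0.9.8i) and the code change guards the zero-length data case, so the entry could state both, for example "Fix segfault when encrypting empty data with OpenSSL before 0.9.8i", letting people on affected distributions tell whether it applies to them.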

Modified: php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/openssl/openssl.c  2011-12-18 01:04:35 UTC 
(rev 321093)
+++ php/php-src/branches/PHP_5_3/ext/openssl/openssl.c  2011-12-18 05:14:32 UTC 
(rev 321094)
@@ -4713,7 +4713,9 @@
                EVP_CIPHER_CTX_set_key_length(&cipher_ctx, password_len);
        }
        EVP_EncryptInit_ex(&cipher_ctx, NULL, NULL, key, (unsigned char *)iv);
-       EVP_EncryptUpdate(&cipher_ctx, outbuf,&i, (unsigned char *)data, 
data_len);
+       if (data_len>  0) {
+               EVP_EncryptUpdate(&cipher_ctx, outbuf,&i, (unsigned char 
*)data, data_len);
+       }
        outlen = i;
        if (EVP_EncryptFinal(&cipher_ctx, (unsigned char *)outbuf + i,&i)) {
                outlen += i;
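Review bot: With the new `if (data_len > 0)` guard, the zero-length path reaches `outlen = i;` and `outbuf + i` without EVP_EncryptUpdate having written `i`. The declaration of `i` is outside this hunk; unless it is initialized there, both reads use an indeterminate value. Set `i = 0` before the guard, or add an else branch that does so.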

Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS   2011-12-18 01:04:35 UTC (rev 321093)
+++ php/php-src/branches/PHP_5_4/NEWS   2011-12-18 05:14:32 UTC (rev 321094)
@@ -5,11 +5,16 @@
   . Added max_input_vars directive to prevent attacks based on hash collisions
     (Dmitry).
   . Fixed bug #60536 (Traits Segfault). (Laruence)
+
  - CLI SAPI:
   . Fixed bug #60477 (Segfault after two multipart/form-data POST requests,
     one 200 RQ and one 404). (Laruence)
   . Fixed bug #60523 (PHP Errors are not reported in browsers using built-in
     SAPI). (Laruence, Derick)
+
+- OpenSSL:
+  . Fix segfault with older versions of OpenSSL. (Scott)
+
  - Pdo Firebird:
   . Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO 
Firebird).
     (Mariuz)
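Review bot: The added entry reads "Fix segfault ..." while the neighbouring entries in this file use the past tense ("Fixed bug #60477 ...", "Fixed bug #48877 ..."); use "Fixed" for consistency. The blank line added after the #60536 entry is a formatting change unrelated to the fix and would be cleaner in its own commit.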

Modified: php/php-src/branches/PHP_5_4/ext/openssl/openssl.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/openssl/openssl.c  2011-12-18 01:04:35 UTC 
(rev 321093)
+++ php/php-src/branches/PHP_5_4/ext/openssl/openssl.c  2011-12-18 05:14:32 UTC 
(rev 321094)
@@ -4740,7 +4740,9 @@
        if (options&  OPENSSL_ZERO_PADDING) {
                EVP_CIPHER_CTX_set_padding(&cipher_ctx, 0);
        }
-       EVP_EncryptUpdate(&cipher_ctx, outbuf,&i, (unsigned char *)data, 
data_len);
+       if (data_len>  0) {
+               EVP_EncryptUpdate(&cipher_ctx, outbuf,&i, (unsigned char 
*)data, data_len);
+       }
        outlen = i;
        if (EVP_EncryptFinal(&cipher_ctx, (unsigned char *)outbuf + i,&i)) {
                outlen += i;
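Review bot: The `if (data_len > 0)` guard carries no comment, so nothing in the code says why a zero-length update is skipped. A one-line comment above it, stating that the guard works around a segfault in OpenSSL before 0.9.8i (as the commit log says), would keep a later cleanup from removing it as redundant.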

Modified: php/php-src/trunk/ext/openssl/openssl.c
===================================================================
--- php/php-src/trunk/ext/openssl/openssl.c     2011-12-18 01:04:35 UTC (rev 
321093)
+++ php/php-src/trunk/ext/openssl/openssl.c     2011-12-18 05:14:32 UTC (rev 
321094)
@@ -4736,7 +4736,9 @@
        if (options&  OPENSSL_ZERO_PADDING) {
                EVP_CIPHER_CTX_set_padding(&cipher_ctx, 0);
        }
-       EVP_EncryptUpdate(&cipher_ctx, outbuf,&i, (unsigned char *)data, 
data_len);
+       if (data_len>  0) {
+               EVP_EncryptUpdate(&cipher_ctx, outbuf,&i, (unsigned char 
*)data, data_len);
+       }
        outlen = i;
        if (EVP_EncryptFinal(&cipher_ctx, (unsigned char *)outbuf + i,&i)) {
                outlen += i;
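Review bot: The return value of EVP_EncryptUpdate inside the new guard is still discarded, while EVP_EncryptFinal two lines below is checked. Since the line is being touched anyway, test the result and take the failure path when the update fails, so the code does not continue to `outlen = i` with a length that was never set.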


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org





--
Email: christopher.jo...@oracle.com
Tel:  +1 650 506 8630
Blog:  http://blogs.oracle.com/opal/
