commit ebe9f60fd1b657c839cf32da77aa1d72900ca7d8
Author: Arkadiusz Miƛkiewicz <[email protected]>
Date:   Mon Jul 7 07:16:49 2014 +0200

    - rel 8; fixes SECURITY bug; phpinfo leak; 
https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html

 php-secbug-67498.patch | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
 php.spec               |  4 +++-
 2 files changed, 55 insertions(+), 1 deletion(-)
---
diff --git a/php.spec b/php.spec
index d01296b..30c79f4 100644
--- a/php.spec
+++ b/php.spec
@@ -112,7 +112,7 @@ ERROR: You need to select at least one Apache SAPI to build 
shared modules.
 %define                magic_mime      /usr/share/misc/magic.mime
 %endif
 
-%define                rel             7
+%define                rel             8
 %define                orgname php
 %define                ver_suffix 52
 %define                php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -218,6 +218,7 @@ Patch71:    php-apache24.patch
 Patch72:       exif-crash-bug-36.patch
 Patch73:       CVE-2013-6420.patch
 Patch74:       CVE-2013-4073.patch
+Patch75:       php-secbug-67498.patch
 # CENTALT patches
 # Backport from 5.3.6
 Patch311:      php-5.3.6-bug-47435.patch
@@ -1936,6 +1937,7 @@ done
 %patch72 -p1
 %patch73 -p1
 %patch74 -p1
+%patch75 -p1
 
 # Bugfix backport from 5.3.6
 %patch311 -p1 -b .bug-47435
diff --git a/php-secbug-67498.patch b/php-secbug-67498.patch
new file mode 100644
index 0000000..2ee2721
--- /dev/null
+++ b/php-secbug-67498.patch
@@ -0,0 +1,52 @@
+commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
+Author: Stanislav Malyshev <[email protected]>
+Date:   Mon Jun 23 00:19:37 2014 -0700
+
+    Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
+
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 70b2e2f..0f15bbe 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
+@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
+ 
+               php_info_print_table_start();
+               php_info_print_table_header(2, "Variable", "Value");
+-              if (zend_hash_find(&EG(symbol_table), "PHP_SELF", 
sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_SELF", 
sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_SELF", 
Z_STRVAL_PP(data));
+               }
+-              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", 
sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", 
sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_AUTH_TYPE", 
Z_STRVAL_PP(data));
+               }
+-              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", 
sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", 
sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_AUTH_USER", 
Z_STRVAL_PP(data));
+               }
+-              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", 
sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", 
sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_AUTH_PW", 
Z_STRVAL_PP(data));
+               }
+               php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
+diff --git a/ext/standard/tests/general_functions/bug67498.phpt 
b/ext/standard/tests/general_functions/bug67498.phpt
+new file mode 100644
+index 0000000..5b5951b
+--- /dev/null
++++ b/ext/standard/tests/general_functions/bug67498.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
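Review bot: The regression test bug67498.phpt exercises only `PHP_SELF`, and its `%A` expectation matches any output, so it shows that phpinfo(INFO_VARIABLES) survives a non-string value but not that the row is actually suppressed. The `PHP_AUTH_TYPE`, `PHP_AUTH_USER` and `PHP_AUTH_PW` lookups in ext/standard/info.c receive the same `Z_TYPE_PP(data) == IS_STRING` guard with no coverage; adding `$PHP_AUTH_TYPE = 1; $PHP_AUTH_USER = 1; $PHP_AUTH_PW = 1;` to the --FILE-- section would cover them. Because the test shows these globals can be reassigned by the script, a comment above the first lookup such as `/* these symbol-table entries can be overwritten by the script; print only when the zval really is a string */` would tell the next backporter why the check must stay in front of every `Z_STRVAL_PP`. php_print_info begins and ends outside this hunk, so any other unguarded `Z_STRVAL_PP` uses in it cannot be ruled out from here.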
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/php.git/commitdiff/ebe9f60fd1b657c839cf32da77aa1d72900ca7d8
