cellog          Thu Jun  4 19:59:09 2009 UTC

  Added files:                 (Branch: PHP_5_3)
    /php-src/ext/phar/tests/tar bignames_overflow.phpt 
    /php-src/ext/phar/tests/tar/files   make.dangerous.tar.php.inc 

  Modified files:              
    /php-src    NEWS 
    /php-src/ext/phar   tar.c 
  Log:
  MFPECL: fix security vulnerability in phar's handling of long tar filenames
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.965.2.614&r2=1.2027.2.547.2.965.2.615&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.965.2.614 
php-src/NEWS:1.2027.2.547.2.965.2.615
--- php-src/NEWS:1.2027.2.547.2.965.2.614       Thu Jun  4 07:01:47 2009
+++ php-src/NEWS        Thu Jun  4 19:59:09 2009
@@ -23,8 +23,9 @@
   PDO_PGSQL). (Matteo)
 - Fixed bug #38802 (max_redirects and ignore_errors).
   (patch by datib...@php.net)
+- Fixed security vulnerability in phar's handling of long tar filenames. (Greg)
 - Fixed potential segfault with converting phars containing metadata to other
-  formats (Greg).
+  formats. (Greg)
 
 
 07 May 2009, PHP 5.3.0 RC 2
http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tar.c?r1=1.55.2.28&r2=1.55.2.29&diff_format=u
Index: php-src/ext/phar/tar.c
diff -u php-src/ext/phar/tar.c:1.55.2.28 php-src/ext/phar/tar.c:1.55.2.29
--- php-src/ext/phar/tar.c:1.55.2.28    Wed May 13 20:25:43 2009
+++ php-src/ext/phar/tar.c      Thu Jun  4 19:59:09 2009
@@ -330,16 +330,19 @@
 
                if (!old && hdr->prefix[0] != 0) {
                        char name[256];
+                       int i, j;
 
-                       strcpy(name, hdr->prefix);
-                       /* remove potential buffer overflow */
-                       if (hdr->name[99]) {
-                               strncat(name, hdr->name, 100);
-                       } else {
-                               strcat(name, hdr->name);
+                       for (i = 0; i < 155; i++) {
+                               name[i] = hdr->prefix[i];
+                               if (name[i] == '\0') {
+                                       break;
+                               }
+                       }
+                       for (j = 0; j < 100; j++) {
+                               name[i+j] = hdr->name[j];
                        }
 
-                       entry.filename_len = strlen(hdr->prefix) + 100;
+                       entry.filename_len = i+j;
 
                        if (name[entry.filename_len - 1] == '/') {
                                /* some tar programs store directories with 
trailing slash */
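Review bot: The second copy loop, `for (j = 0; j < 100; j++)`, never stops at a NUL in `hdr->name`, so `entry.filename_len = i+j` is always `i + 100` and the NUL padding of a name shorter than 100 bytes is counted into the length; the trailing-slash check at `name[entry.filename_len - 1]` then inspects a pad byte instead of the last character, and `pestrndup` copies the embedded NULs into `entry.filename`. The else branch in the next hunk does stop its length scan at the first NUL, so this branch should match it: `name[i+j] = hdr->name[j];` followed by `if (name[i+j] == '\0') { break; }` inside the j loop. The bounds themselves are sound, since 155 + 100 bytes fit in `name[256]` and `i >= 1` is guaranteed by the `hdr->prefix[0] != 0` guard. The enclosing function begins before this hunk and continues after it.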
@@ -347,8 +350,16 @@
                        }
                        entry.filename = pestrndup(name, entry.filename_len, 
myphar->is_persistent);
                } else {
-                       entry.filename = pestrdup(hdr->name, 
myphar->is_persistent);
-                       entry.filename_len = strlen(entry.filename);
+                       int i;
+
+                       /* calculate strlen, which can be no longer than 100 */
+                       for (i = 0; i < 100; i++) {
+                               if (hdr->name[i] == '\0') {
+                                       break;
+                               }
+                       }
+                       entry.filename_len = i;
+                       entry.filename = pestrndup(hdr->name, i, 
myphar->is_persistent);
 
                        if (entry.filename[entry.filename_len - 1] == '/') {
                                /* some tar programs store directories with 
trailing slash */
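Review bot: When `hdr->name[0]` is already `'\0'`, the new scan leaves `i` at 0, so `entry.filename_len` is 0 and the check `entry.filename[entry.filename_len - 1]` reads one byte before the buffer returned by `pestrndup`. The prefix branch in the previous hunk cannot reach this state because it only runs when `hdr->prefix[0] != 0`, but nothing in this hunk rejects an empty name field; unless a check earlier in the function does so (its body starts before this hunk and continues after it), guard the dereference: `if (entry.filename_len && entry.filename[entry.filename_len - 1] == '/') {`. The bounded scan itself is the right replacement for the unbounded `strlen` on a 100-byte field that need not be NUL-terminated.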

http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tests/tar/bignames_overflow.phpt?view=markup&rev=1.1
Index: php-src/ext/phar/tests/tar/bignames_overflow.phpt
+++ php-src/ext/phar/tests/tar/bignames_overflow.phpt

http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tests/tar/files/make.dangerous.tar.php.inc?view=markup&rev=1.1
Index: php-src/ext/phar/tests/tar/files/make.dangerous.tar.php.inc
+++ php-src/ext/phar/tests/tar/files/make.dangerous.tar.php.inc


