~ubuntu-branches/ubuntu/dapper/php5/dapper-security


Viewing changes to debian/patches/php5-CVE-2011-1466.patch

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2011-04-28 10:17:34 UTC
  • Revision ID: package-import@ubuntu.com-20110428101734-ip45z5lqq3138pif
Tags: 5.1.2-1ubuntu3.22
* SECURITY UPDATE: arbitrary files removal via cronjob
  - debian/php5-common.php5.cron.d: take greater care when removing
    session files.
  - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
  - CVE-2011-0441
* SECURITY UPDATE: symlink tmp races in pear install
  - debian/patches/php5-pear-CVE-2011-1072.patch: improved
    tempfile handling.
  - debian/rules: apply patch manually after unpacking PEAR phar
    archive.
  - CVE-2011-1072
* SECURITY UPDATE: more symlink races in pear install
  - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU-safe
    file handler.
  - debian/rules: apply patch manually after unpacking PEAR phar
    archive.
  - CVE-2011-1144
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2010-4697.patch: retain reference to
    object until getter/setter are done.
  - CVE-2010-4697
* SECURITY UPDATE: denial of service through application crash with
  invalid images
  - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing
    steps are either 4 or 16.
  - CVE-2010-4698
* SECURITY UPDATE: denial of service through application crash when
  handling images with invalid exif tags
  - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking
  - CVE-2011-0708
* SECURITY UPDATE: denial of service and possible data disclosure
  through integer overflow
  - debian/patches/php5-CVE-2011-1092.patch: better boundary
    condition checks in shmop_read()
  - CVE-2011-1092
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2011-1148.patch: improve reference
    counting
  - CVE-2011-1148
* SECURITY UPDATE: denial of service through buffer overflow crash
  (code execution mitigated by compilation with Fortify Source)
  - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision
    to ensure fitting within MAX_BUF_SIZE
  - CVE-2011-1464
* SECURITY UPDATE: denial of service through application crash via
  integer overflow.
  - debian/patches/php5-CVE-2011-1466.patch: improve boundary
    condition checking in SdnToJulian()
  - CVE-2011-1466
* SECURITY UPDATE: denial of service through application crash
  when using HTTP proxy with the FTP wrapper
  - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling
  - CVE-2011-1469

 
1
Subject: Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to segfault).
 
2
Origin: http://svn.php.net/viewvc?view=revision&revision=306475
 
3
 
 
4
CVE-2011-1466
 
5
 
 
6
Patch differs from upstream commit in that the edit to the NEWS file was
 
7
dropped to reduce patch conflicts.
 
8
 
 
9
---
 
10
 ext/calendar/julian.c            |   26 ++++++++++++++++++++------
 
11
 ext/calendar/tests/bug53574.phpt |   35 +++++++++++++++++++++++++++++++++++
 
12
 2 files changed, 55 insertions(+), 6 deletions(-)
 
13
 
 
14
Index: b/ext/calendar/tests/bug53574.phpt
 
15
===================================================================
 
16
--- /dev/null
 
17
+++ b/ext/calendar/tests/bug53574.phpt
 
18
@@ -0,0 +1,35 @@
 
19
+--TEST--
 
20
+Bug #53574 (Integer overflow in SdnToJulian; leads to segfault)
 
21
+--SKIPIF--
 
22
+<?php include 'skipif.inc'; ?>
 
23
+--FILE--
 
24
+<?php
 
25
+if (PHP_INT_MAX == 0x7FFFFFFF) {
 
26
+       $x = 882858043;
 
27
+} else {
 
28
+       $x = 3315881921229094912;
 
29
+}
 
30
+
 
31
+var_dump(cal_from_jd($x, CAL_JULIAN));
 
32
+--EXPECT--
 
33
+array(9) {
 
34
+  ["date"]=>
 
35
+  string(5) "0/0/0"
 
36
+  ["month"]=>
 
37
+  int(0)
 
38
+  ["day"]=>
 
39
+  int(0)
 
40
+  ["year"]=>
 
41
+  int(0)
 
42
+  ["dow"]=>
 
43
+  int(3)
 
44
+  ["abbrevdayname"]=>
 
45
+  string(3) "Wed"
 
46
+  ["dayname"]=>
 
47
+  string(9) "Wednesday"
 
48
+  ["abbrevmonth"]=>
 
49
+  string(0) ""
 
50
+  ["monthname"]=>
 
51
+  string(0) ""
 
52
+}
 
53
+
 
54
Index: b/ext/calendar/julian.c
 
55
===================================================================
 
56
--- a/ext/calendar/julian.c
 
57
+++ b/ext/calendar/julian.c
 
58
@@ -146,6 +146,7 @@
 
59
  **************************************************************************/
 
60
 
 
61
 #include "sdncal.h"
 
62
+#include <limits.h>
 
63
 
 
64
 #define JULIAN_SDN_OFFSET         32083
 
65
 #define DAYS_PER_5_MONTHS  153
 
66
@@ -164,15 +165,22 @@ void SdnToJulian(
 
67
        int dayOfYear;
 
68
 
 
69
        if (sdn <= 0) {
 
70
-               *pYear = 0;
 
71
-               *pMonth = 0;
 
72
-               *pDay = 0;
 
73
-               return;
 
74
+               goto fail;
 
75
        }
 
76
-       temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
 
77
+       /* Check for overflow */
 
78
+       if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) {
 
79
+               goto fail;
 
80
+       }
 
81
+       temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1);
 
82
 
 
83
        /* Calculate the year and day of year (1 <= dayOfYear <= 366). */
 
84
-       year = temp / DAYS_PER_4_YEARS;
 
85
+       {
 
86
+               long yearl = temp / DAYS_PER_4_YEARS;
 
87
+               if (yearl > INT_MAX || yearl < INT_MIN) {
 
88
+                       goto fail;
 
89
+               }
 
90
+               year = (int) yearl;
 
91
+       }
 
92
        dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
 
93
 
 
94
        /* Calculate the month and day of month. */
 
95
@@ -196,6 +204,12 @@ void SdnToJulian(
 
96
        *pYear = year;
 
97
        *pMonth = month;
 
98
        *pDay = day;
 
99
+       return;
 
100
+
 
101
+fail:
 
102
+       *pYear = 0;
 
103
+       *pMonth = 0;
 
104
+       *pDay = 0;
 
105
 }
 
106
 
 
107
 long int JulianToSdn(
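Review bot: In the `SdnToJulian` hunk for ext/calendar/julian.c, the `|| sdn < LONG_MIN / 4` half of the new overflow guard cannot be true, because the `if (sdn <= 0)` branch directly above has already jumped to `fail`; the condition can be reduced to `if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4) {`. The bound matches `temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1)` only if `sdn` and `temp` are both `long`; their declarations are outside the hunk, so that is assumed here and worth stating in the comment, e.g. `/* temp is a long: reject any sdn for which sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1) would overflow */`. Both inputs in bug53574.phpt exceed that bound for a 32-bit and a 64-bit `long` respectively, so they exercise only this first guard, and the `yearl > INT_MAX` branch, which can only trigger where `long` is wider than `int`, goes in without a test. A second case with an `sdn` that passes the multiplication check but still yields a year beyond `INT_MAX` would cover it.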