← Back to branch summary

~ubuntu-branches/ubuntu/karmic/php5/karmic-security

« back to all changes in this revision

Viewing changes to debian/patches/php5-CVE-2010-4697.patch

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2011-04-28 05:37:29 UTC
  • Revision ID: package-import@ubuntu.com-20110428053729-7n7ruvuk1rrd7jqg
Tags: 5.2.10.dfsg.1-2ubuntu6.9
* SECURITY UPDATE: arbitrary files removal via cronjob
  - debian/php5-common.php5.cron.d: take greater care when removing
    session files.
  - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
  - CVE-2011-0441
* SECURITY UPDATE: symlink tmp races in pear install
  - debian/patches/php5-pear-CVE-2011-1072.patch: improved
    tempfile handling.
  - debian/rules: apply patch manually after unpacking PEAR phar
    archive.
  - CVE-2011-1072
* SECURITY UPDATE: more symlink races in pear install
  - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save
    file handler.
  - debian/rules: apply patch manually after unpacking PEAR phar
    archive.
  - CVE-2011-1144
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2010-4697.patch: retain reference to
    object until getter/setter are done.
  - CVE-2010-4697
* SECURITY UPDATE: denial of service through application crash with
  invalid images
  - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing
    steps are either 4 or 16.
  - CVE-2010-4698
* SECURITY UPDATE: denial of service through application crash
  - debian/patches/php5-CVE-2011-0421.patch: fail operation gracefully
    when handling zero sized zipfile with the FL_UNCHANGED argument
  - CVE-2011-0421
* SECURITY UPDATE: denial of service through application crash when
  handling images with invalid exif tags
  - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking
  - CVE-2011-0708
* SECURITY UPDATE: denial of service and possible data disclosure
  through integer overflow
  - debian/patches/php5-CVE-2011-1092.patch: better boundary
    condition checks in shmop_read()
  - CVE-2011-1092
* SECURITY UPDATE: use-after-free vulnerability
  - debian/patches/php5-CVE-2011-1148.patch: improve reference
    counting
  - CVE-2011-1148
* SECURITY UPDATE: denial of service through buffer overflow crash
  (code execution mitigated by compilation with Fortify Source)
  - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision
    to ensure fitting within MAX_BUF_SIZE
  - CVE-2011-1464
* SECURITY UPDATE: denial of service through application crash via
  integer overflow.
  - debian/patches/php5-CVE-2011-1466.patch: improve boundary
    condition checking in SdnToJulian()
  - CVE-2011-1466
* SECURITY UPDATE: denial of service through application crash
  when using HTTP proxy with the FTP wrapper
  - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling
  - CVE-2011-1469
* SECURITY UPDATE: denial of service through application crash when
  handling ziparchive streams
  - debian/patches/php5-CVE-2011-1470.patch: set necessary elements of
    the meta data structure
  - CVE-2011-1470
* SECURITY UPDATE: denial of service through application crash when
  handling malformed zip files
  - debian/patches/php5-CVE-2011-1471.patch: correct integer
    signedness error when handling zip_fread() return value.
  - CVE-2011-1471

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/php5-CVE-2010-4697.patch
 
1
Subject: Fixed bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early).
 
2
Author: mail_ben_schmidt at yahoo dot com dot au
 
3
Origin: http://svn.php.net/viewvc?view=revision&revision=303913
 
4
Bug: http://bugs.php.net/52879
 
5
 
 
6
CVE-2010-4697
 
7
 
 
8
Patch is modified from upstream commit to remove edits to the NEWS file,
 
9
to reduce conflicts when applying patches and backported to apply to
 
10
earlier releases of php.
 
11
 
 
12
Index: Zend/zend_object_handlers.c
 
13
===================================================================
 
14
--- Zend/zend_object_handlers.c (revision 303912)
 
15
+++ Zend/zend_object_handlers.c (revision 303913)
 
16
@@ -329,6 +329,9 @@
 
17
                    !guard->in_get) {
 
18
                        /* have getter - try with it! */
 
19
                        ZVAL_ADDREF(object);
 
20
+                       if (PZVAL_IS_REF(object)) {
 
21
+                               SEPARATE_ZVAL(&object);
 
22
+                       }
 
23
                        guard->in_get = 1; /* prevent circular getting */
 
24
                        rv = zend_std_call_getter(object, member TSRMLS_CC);
 
25
                        guard->in_get = 0;
 
26
@@ -418,22 +421,22 @@
 
27
                        }
 
28
                }
 
29
        } else {
 
30
-               int setter_done = 0;
 
31
                zend_guard *guard;
 
32
 
 
33
                if (zobj->ce->__set &&
 
34
                    zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS &&
 
35
                    !guard->in_set) {
 
36
                        ZVAL_ADDREF(object);
 
37
+                       if (PZVAL_IS_REF(object)) {
 
38
+                               SEPARATE_ZVAL(&object);
 
39
+                       }
 
40
                        guard->in_set = 1; /* prevent circular setting */
 
41
                        if (zend_std_call_setter(object, member, value TSRMLS_CC) != SUCCESS) {
 
42
                                /* for now, just ignore it - __set should take care of warnings, etc. */
 
43
                        }
 
44
-                       setter_done = 1;
 
45
                        guard->in_set = 0;
 
46
                        zval_ptr_dtor(&object);
 
47
-               }
 
48
-               if (!setter_done && property_info) {
 
49
+               } else if (property_info) {
 
50
                        zval **foo;
 
51
 
 
52
                        /* if we assign referenced variable, we should separate it */
 
53
@@ -611,6 +614,9 @@
 
54
                    !guard->in_unset) {
 
55
                        /* have unseter - try with it! */
 
56
                        ZVAL_ADDREF(object);
 
57
+                       if (PZVAL_IS_REF(object)) {
 
58
+                               SEPARATE_ZVAL(&object);
 
59
+                       }
 
60
                        guard->in_unset = 1; /* prevent circular unsetting */
 
61
                        zend_std_call_unsetter(object, member TSRMLS_CC);
 
62
                        guard->in_unset = 0;
 
63
@@ -1042,6 +1048,9 @@
 
64
 
 
65
                        /* have issetter - try with it! */
 
66
                        ZVAL_ADDREF(object);
 
67
+                       if (PZVAL_IS_REF(object)) {
 
68
+                               SEPARATE_ZVAL(&object);
 
69
+                       }
 
70
                        guard->in_isset = 1; /* prevent circular getting */
 
71
                        rv = zend_std_call_issetter(object, member TSRMLS_CC);
 
72
                        if (rv) {
 
73
Index: Zend/tests/bug52879.phpt
 
74
===================================================================
 
75
--- Zend/tests/bug52879.phpt    (revision 0)
 
76
+++ Zend/tests/bug52879.phpt    (revision 303913)
 
77
@@ -0,0 +1,16 @@
 
78
+--TEST--
 
79
+Bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early)
 
80
+--FILE--
 
81
+<?php
 
82
+class MyClass {
 
83
+       public $myRef;
 
84
+       public function __set($property,$value) {
 
85
+               $this->myRef = $value;
 
86
+       }
 
87
+}
 
88
+$myGlobal=new MyClass($myGlobal);
 
89
+$myGlobal->myRef=&$myGlobal;
 
90
+$myGlobal->myNonExistentProperty="ok\n";
 
91
+echo $myGlobal;
 
92
+--EXPECT--
 
93
+ok