~ubuntu-branches/ubuntu/natty/php5/natty-security


Viewing changes to debian/patches/php5-CVE-2011-4153.patch

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2012-02-08 20:58:41 UTC
  • Revision ID: package-import@ubuntu.com-20120208205841-53e1ouv3m2sdcill
Tags: 5.3.5-1ubuntu7.6
* SECURITY UPDATE: memory allocation failure denial of service
  - debian/patches/php5-CVE-2011-4153.patch: check result of
    zend_strdup() and calloc() for failed allocations
  - CVE-2011-4153
* SECURITY UPDATE: predictable hash collision denial of service
  (LP: #910296)
  - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
    directive with default limit of 1000
  - ATTENTION: this update changes previous php5 behavior by
    limiting the number of external input variables to 1000.
    This may be increased by adding a "max_input_vars"
    directive to the php.ini configuration file. See
    http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
    for more information.
  - CVE-2011-4885
* SECURITY UPDATE: remote code execution vulnerability introduced by
  the fix for CVE-2011-4885 (LP: #925772)
  - debian/patches/php5-CVE-2012-0830.patch: return rather than
    continuing if max_input_vars limit is reached
  - CVE-2012-0830
* SECURITY UPDATE: XSLT arbitrary file overwrite attack
  - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
    ini option to define forbidden operations within XSLT stylesheets
  - CVE-2012-0057
* SECURITY UPDATE: PDORow session denial of service
  - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
    attempting to serialize PDORow instances
  - CVE-2012-0788
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
  - debian/patches/php5-CVE-2012-0831.patch: always restore
    magic_quotes_gpc on request shutdown
  - CVE-2012-0831

 
1
Origin: http://svn.php.net/viewvc?view=revision&revision=319457
 
2
    and http://svn.php.net/viewvc?view=revision&revision=319442
 
3
    and http://svn.php.net/viewvc?view=revision&revision=314527
 
4
Subject: fixes for bug #55748 (fail to check zend_strndup for failures)
 
5
 
 
6
fixes for bug #55748
 
7
Sync to 5.3 and check additional cases for #55748
 
8
Fix typo
 
9
 
 
10
CVE-2011-4153
 
11
 
 
12
---
 
13
 Zend/zend_builtin_functions.c |    3 +++
 
14
 ext/com_dotnet/com_typeinfo.c |    4 ++++
 
15
 ext/oci8/oci8.c               |   17 ++++++++++++++++-
 
16
 ext/standard/syslog.c         |    3 +++
 
17
 4 files changed, 26 insertions(+), 1 deletion(-)
 
18
 
 
19
Index: b/ext/oci8/oci8.c
 
20
===================================================================
 
21
--- a/ext/oci8/oci8.c
 
22
+++ b/ext/oci8/oci8.c
 
23
@@ -2003,7 +2003,14 @@ php_oci_connection *php_oci_do_connect_e
 
24
                        connection->is_persistent = 0;
 
25
                } else {
 
26
                        connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection));
 
27
+                       if (connection == NULL) {
 
28
+                               return NULL;
 
29
+                       }
 
30
                        connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len);
 
31
+                       if (connection->hash_key == NULL) {
 
32
+                               free(connection);
 
33
+                               return NULL;
 
34
+                       }
 
35
                        connection->is_persistent = 1;
 
36
                }
 
37
        } else {
 
38
@@ -2617,12 +2624,20 @@ static php_oci_spool *php_oci_create_spo
 
39
        ub4 poolmode = OCI_DEFAULT;     /* Mode to be passed to OCISessionPoolCreate */
 
40
        OCIAuthInfo *spoolAuth = NULL;
 
41
 
 
42
-       /*Allocate sessionpool out of persistent memory */
 
43
+       /* Allocate sessionpool out of persistent memory */
 
44
        session_pool = (php_oci_spool *) calloc(1, sizeof(php_oci_spool));
 
45
+       if (session_pool == NULL) {
 
46
+               iserror = 1;
 
47
+               goto exit_create_spool;
 
48
+       }
 
49
 
 
50
        /* Populate key if passed */
 
51
        if (hash_key_len) {
 
52
                session_pool->spool_hash_key = zend_strndup(hash_key, hash_key_len);
 
53
+               if (session_pool->spool_hash_key == NULL) {
 
54
+                       iserror = 1;
 
55
+                       goto exit_create_spool;
 
56
+               }
 
57
        }
 
58
 
 
59
        /* Create the session pool's env */
 
60
Index: b/ext/standard/syslog.c
 
61
===================================================================
 
62
--- a/ext/standard/syslog.c
 
63
+++ b/ext/standard/syslog.c
 
64
@@ -236,6 +236,9 @@ PHP_FUNCTION(openlog)
 
65
                free(BG(syslog_device));
 
66
        }
 
67
        BG(syslog_device) = zend_strndup(ident, ident_len);
 
68
+       if(BG(syslog_device) == NULL) {
 
69
+               RETURN_FALSE;
 
70
+       }
 
71
        openlog(BG(syslog_device), option, facility);
 
72
        RETURN_TRUE;
 
73
 }
 
74
Index: b/ext/com_dotnet/com_typeinfo.c
 
75
===================================================================
 
76
--- a/ext/com_dotnet/com_typeinfo.c
 
77
+++ b/ext/com_dotnet/com_typeinfo.c
 
78
@@ -187,6 +187,10 @@ PHPAPI int php_com_import_typelib(ITypeL
 
79
                                const_name = php_com_olestring_to_string(bstr_ids, &c.name_len, codepage TSRMLS_CC);
 
80
                                c.name = zend_strndup(const_name, c.name_len);
 
81
                                efree(const_name);
 
82
+                               if(c.name == NULL) {
 
83
+                                       ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);
 
84
+                                       continue;
 
85
+                               }
 
86
                                c.name_len++; /* include NUL */
 
87
                                SysFreeString(bstr_ids);
 
88
 
 
89
Index: b/Zend/zend_builtin_functions.c
 
90
===================================================================
 
91
--- a/Zend/zend_builtin_functions.c
 
92
+++ b/Zend/zend_builtin_functions.c
 
93
@@ -683,6 +683,9 @@ repeat:
 
94
        }
 
95
        c.flags = case_sensitive; /* non persistent */
 
96
        c.name = zend_strndup(name, name_len);
 
97
+       if(c.name == NULL) {
 
98
+               RETURN_FALSE;
 
99
+       }
 
100
        c.name_len = name_len+1;
 
101
        c.module_number = PHP_USER_CONSTANT;
 
102
        if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
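Review bot: In the ext/com_dotnet/com_typeinfo.c hunk, the new `c.name == NULL` branch releases pVarDesc and continues, but it skips the `SysFreeString(bstr_ids);` two lines further down, so the BSTR is not freed on the allocation-failure path. Adding `SysFreeString(bstr_ids);` before the `continue;`, or moving the existing call above the check, would close that leak; the rest of the loop body lies outside the hunk. The branch also drops the constant silently, so the visible lines give php_com_import_typelib's caller no sign that the import was incomplete; a comment such as `/* out of memory: skip this constant */` would make the intent explicit. In the first ext/oci8/oci8.c hunk the two `return NULL;` exits may likewise bypass cleanup that php_oci_do_connect_ex performs on its other exits, for example of `hashed_details`. That code is outside the hunk and should be checked.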