

Viewing changes to debian/patches/php5-CVE-2011-4885.patch

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2012-02-08 20:58:41 UTC
  • Revision ID: package-import@ubuntu.com-20120208205841-53e1ouv3m2sdcill
Tags: 5.3.5-1ubuntu7.6
* SECURITY UPDATE: memory allocation failure denial of service
  - debian/patches/php5-CVE-2011-4153.patch: check result of
    zend_strdup() and calloc() for failed allocations
  - CVE-2011-4153
* SECURITY UPDATE: predictable hash collision denial of service
  (LP: #910296)
  - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
    directive with default limit of 1000
  - ATTENTION: this update changes previous php5 behavior by
    limiting the number of external input variables to 1000.
    This may be increased by adding a "max_input_vars"
    directive to the php.ini configuration file. See
    http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
    for more information.
  - CVE-2011-4885
* SECURITY UPDATE: remote code execution vulnerability introduced by
  the fix for CVE-2011-4885 (LP: #925772)
  - debian/patches/php5-CVE-2012-0830.patch: return rather than
    continuing if max_input_vars limit is reached
  - CVE-2012-0830
* SECURITY UPDATE: XSLT arbitrary file overwrite attack
  - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
    ini option to define forbidden operations within XSLT stylesheets
  - CVE-2012-0057
* SECURITY UPDATE: PDORow session denial of service
  - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
    attempting to serialize PDORow instances
  - CVE-2012-0788
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
  - debian/patches/php5-CVE-2012-0831.patch: always restore
    magic_quotes_gpc on request shutdown
  - CVE-2012-0831




 
1
Origin: http://svn.php.net/viewvc?view=revision&revision=321038
 
2
  and http://svn.php.net/viewvc?view=revision&revision=321040
 
3
  and http://svn.php.net/viewvc?view=revision&revision=321335
 
4
Subject: Added max_input_vars directive to prevent attacks based on
 
5
  hash collisions
 
6
 
 
7
Fixes CVE-2011-4885; note that this introduces CVE-2012-0830
 
8
 
 
9
Ubuntu Note: this patch differs upstream in that we drop the changes to
 
10
the default php.ini configuration files, to eliminate prompting of the
 
11
admin when upgrading the package.
 
12
 
 
13
---
 
14
 main/main.c          |    1 +
 
15
 main/php_globals.h   |    2 ++
 
16
 main/php_variables.c |   20 ++++++++++++++++----
 
17
 3 files changed, 19 insertions(+), 4 deletions(-)
 
18
 
 
19
Index: b/main/php_globals.h
 
20
===================================================================
 
21
--- a/main/php_globals.h
 
22
+++ b/main/php_globals.h
 
23
@@ -170,6 +170,8 @@ struct _php_core_globals {
 
24
        char *mail_log;
 
25
 
 
26
        zend_bool in_error_log;
 
27
+
 
28
+       long max_input_vars;
 
29
 };
 
30
 
 
31
 
 
32
Index: b/main/php_variables.c
 
33
===================================================================
 
34
--- a/main/php_variables.c
 
35
+++ b/main/php_variables.c
 
36
@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(cha
 
37
                                }
 
38
                                if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
 
39
                                        || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
 
40
-                                       MAKE_STD_ZVAL(gpc_element);
 
41
-                                       array_init(gpc_element);
 
42
-                                       zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
 
43
+                                       if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
 
44
+                                               if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
 
45
+                                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
 
46
+                                               }
 
47
+                                               MAKE_STD_ZVAL(gpc_element);
 
48
+                                               array_init(gpc_element);
 
49
+                                               zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
 
50
+                                       }
 
51
                                }
 
52
                                if (index != escaped_index) {
 
53
                                        efree(escaped_index);
 
54
@@ -236,7 +241,14 @@ plain_var:
 
55
                                zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
 
56
                                zval_ptr_dtor(&gpc_element);
 
57
                        } else {
 
58
-                               zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
 
59
+                               if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
 
60
+                                       if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
 
61
+                                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
 
62
+                                       }
 
63
+                                       zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
 
64
+                               } else {
 
65
+                                       zval_ptr_dtor(&gpc_element);
 
66
+                               }
 
67
                        }
 
68
                        if (escaped_index != index) {
 
69
                                efree(escaped_index);
 
70
Index: b/main/main.c
 
71
===================================================================
 
72
--- a/main/main.c
 
73
+++ b/main/main.c
 
74
@@ -503,6 +503,7 @@ PHP_INI_BEGIN()
 
75
        STD_PHP_INI_ENTRY("post_max_size",                      "8M",           PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLong,                   post_max_size,                  sapi_globals_struct,sapi_globals)
 
76
        STD_PHP_INI_ENTRY("upload_tmp_dir",                     NULL,           PHP_INI_SYSTEM,         OnUpdateStringUnempty,  upload_tmp_dir,                 php_core_globals,       core_globals)
 
77
        STD_PHP_INI_ENTRY("max_input_nesting_level", "64",              PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLongGEZero,     max_input_nesting_level,                        php_core_globals,       core_globals)
 
78
+       STD_PHP_INI_ENTRY("max_input_vars",                     "1000",         PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLongGEZero,     max_input_vars,                                         php_core_globals,       core_globals)
 
79
 
 
80
        STD_PHP_INI_ENTRY("user_dir",                           NULL,           PHP_INI_SYSTEM,         OnUpdateString,                 user_dir,                               php_core_globals,       core_globals)
 
81
        STD_PHP_INI_ENTRY("variables_order",            "EGPCS",        PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateStringUnempty,  variables_order,                php_core_globals,       core_globals)
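Review bot: In the first php_variables.c hunk (patch lines 43–50, the branch taken when `zend_symtable_find` misses or finds a non-array), the new limit check only wraps the `MAKE_STD_ZVAL`/`array_init`/`zend_symtable_update` calls, so once `zend_hash_num_elements(symtable1) > PG(max_input_vars)` nothing is stored, `gpc_element_p` is left holding whatever the failed lookup produced, and control falls through to the rest of `php_register_variable_ex`, which continues past the hunk and presumably dereferences `gpc_element_p` for the next nesting level. The second hunk (`plain_var:`) handles the same condition correctly by releasing `gpc_element` in an `else` branch; the first hunk needs an equivalent bail-out, e.g. `} else { if (index != escaped_index) { efree(escaped_index); } return; }`, after also releasing whatever the function allocated earlier in its body (not visible in this hunk). The changelog on this page already records this fall-through as CVE-2012-0830 and fixes it in a separate follow-up patch, so anyone applying php5-CVE-2011-4885.patch on its own should treat it as incomplete.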