SOURCES: php-5.1.6-CVE-2007-0455.patch (NEW), php-5.1.6-CVE-2007-1...
blues
blues at pld-linux.org
Mon Apr 23 10:39:33 CEST 2007
Author: blues Date: Mon Apr 23 08:39:33 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- set of security patches from RH
---- Files affected:
SOURCES:
php-5.1.6-CVE-2007-0455.patch (NONE -> 1.1) (NEW), php-5.1.6-CVE-2007-1001.patch (NONE -> 1.1) (NEW), php-5.1.6-CVE-2007-1583.patch (NONE -> 1.1) (NEW), php-5.1.6-CVE-2007-1718.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/php-5.1.6-CVE-2007-0455.patch
diff -u /dev/null SOURCES/php-5.1.6-CVE-2007-0455.patch:1.1
--- /dev/null Mon Apr 23 10:39:33 2007
+++ SOURCES/php-5.1.6-CVE-2007-0455.patch Mon Apr 23 10:39:28 2007
@@ -0,0 +1,14 @@
+
+https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235028
+
+--- php-5.1.6/ext/gd/libgd/gdft.c.cve0455
++++ php-5.1.6/ext/gd/libgd/gdft.c
+@@ -967,7 +967,7 @@
+ } else {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ break;
+ case gdFTEX_Big5: {
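Review bot: The guarded increment `if (*next) next++;` has no comment saying why the check is there, so a later cleanup could drop it again. From the visible lines it appears to stop `next` from moving past the string terminator at the end of this encoding branch; a comment such as `/* never advance past the terminating NUL */` above it would record that. The patch file's only description is a Bugzilla link, so a one-line summary of the defect at the top would help whoever rebases it. The enclosing case starts above the hunk and the Big5 case after it is cut off, so whether that branch has the same guard cannot be checked from here.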
================================================================
Index: SOURCES/php-5.1.6-CVE-2007-1001.patch
diff -u /dev/null SOURCES/php-5.1.6-CVE-2007-1001.patch:1.1
--- /dev/null Mon Apr 23 10:39:33 2007
+++ SOURCES/php-5.1.6-CVE-2007-1001.patch Mon Apr 23 10:39:28 2007
@@ -0,0 +1,38 @@
+--- php-5.1.6/ext/gd/libgd/wbmp.c.cve1001
++++ php-5.1.6/ext/gd/libgd/wbmp.c
+@@ -102,6 +102,8 @@
+ return (0);
+ }
+
++#define SAFE_MULTIPLE(x,y) (x == 0 || y == 0 || (x > 0 && y > 0 && (x < INT_MAX / y)))
++
+ /* create wbmp
+ ** -----------
+ ** create an empty wbmp
+@@ -116,6 +118,12 @@
+ if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
+ return (NULL);
+
++ if (!SAFE_MULTIPLE(width, height)) {
++ php_gd_error("createwbmp: Integer overflow from WBMP image height/width (%d x %d)\n", width, height);
++ gdFree(wbmp);
++ return NULL;
++ }
++
+ if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
+ {
+ gdFree (wbmp);
+@@ -176,6 +184,13 @@
+ printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
+ #endif
+
++ if (!SAFE_MULTIPLE(wbmp->width, wbmp->height)) {
++ php_gd_error("readwbmp: Integer overflow from WBMP image height/width (%d x %d)\n",
++ wbmp->width, wbmp->height);
++ gdFree(wbmp);
++ return (-1);
++ }
++
+ if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
+ {
+ gdFree (wbmp);
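Review bot: `SAFE_MULTIPLE` expands its arguments without parentheses and evaluates each one several times, so it is only correct for simple, side-effect-free operands like those at the two call sites here. Writing it as `#define SAFE_MULTIPLE(x, y) ((x) == 0 || (y) == 0 || ((x) > 0 && (y) > 0 && (x) < INT_MAX / (y)))` removes the precedence hazard. The macro depends on `INT_MAX` and no `#include <limits.h>` is added in the visible hunks, so it is worth confirming that wbmp.c already gets it from another header. In the createwbmp hunk the check runs after `gdMalloc`, which forces the extra `gdFree(wbmp)`; testing width and height before allocating would be simpler.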
================================================================
Index: SOURCES/php-5.1.6-CVE-2007-1583.patch
diff -u /dev/null SOURCES/php-5.1.6-CVE-2007-1583.patch:1.1
--- /dev/null Mon Apr 23 10:39:33 2007
+++ SOURCES/php-5.1.6-CVE-2007-1583.patch Mon Apr 23 10:39:28 2007
@@ -0,0 +1,25 @@
+--- php-5.1.6/ext/mbstring/mb_gpc.c.cve1286
++++ php-5.1.6/ext/mbstring/mb_gpc.c
+@@ -206,9 +206,8 @@
+ /* register_globals stuff
+ * XXX: this feature is going to be deprecated? */
+
+- if (info->force_register_globals) {
+- prev_rg_state = PG(register_globals);
+- PG(register_globals) = 1;
++ if (info->force_register_globals && !(prev_rg_state = PG(register_globals))) {
++ zend_alter_ini_entry("register_globals", sizeof("register_globals"), "1", sizeof("1")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
+ }
+
+ if (!res || *res == '\0') {
+@@ -341,8 +340,8 @@
+
+ out:
+ /* register_global stuff */
+- if (info->force_register_globals) {
+- PG(register_globals) = prev_rg_state;
++ if (info->force_register_globals && !prev_rg_state) {
++ zend_alter_ini_entry("register_globals", sizeof("register_globals"), "0", sizeof("0")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
+ }
+
+ if (convd != NULL) {
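Review bot: The return value of both `zend_alter_ini_entry` calls is ignored, and the second one matters: if restoring `register_globals` to "0" fails at the `out:` label, the setting stays enabled for the rest of the request. Checking for failure there, and at least logging it, would make that case visible. The assignment `prev_rg_state = PG(register_globals)` sits inside the `&&` condition, so it is skipped when `force_register_globals` is unset; the later test short-circuits the same way, but hoisting the assignment into its own statement before the `if` would be easier to audit. The function body starts and ends outside these hunks, so the declaration and initial value of `prev_rg_state` are not visible.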
================================================================
Index: SOURCES/php-5.1.6-CVE-2007-1718.patch
diff -u /dev/null SOURCES/php-5.1.6-CVE-2007-1718.patch:1.1
--- /dev/null Mon Apr 23 10:39:33 2007
+++ SOURCES/php-5.1.6-CVE-2007-1718.patch Mon Apr 23 10:39:28 2007
@@ -0,0 +1,13 @@
+--- php-5.1.6/ext/standard/mail.c.cve1718
++++ php-5.1.6/ext/standard/mail.c
+@@ -48,8 +48,8 @@
+
+ #define SKIP_LONG_HEADER_SEP(str, pos) \
+ if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \
+- pos += 3; \
+- while (str[pos] == ' ' || str[pos] == '\t') { \
++ pos += 2; \
++ while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { \
+ pos++; \
+ } \
+ continue; \
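Review bot: The new offsets in `SKIP_LONG_HEADER_SEP` only make sense together with the caller's loop increment, and nothing in the macro says so. After `pos += 2` and the `str[pos + 1]` scan, `pos` is left on the last folding whitespace character, presumably so that the increment after `continue` lands on the first byte of the continued header text instead of skipping it. A comment above the macro such as `/* leaves pos on the last folding space/tab; the enclosing loop's increment moves past it */` would document that contract. The macro also reads `str[pos + 1]` and `str[pos + 2]` with no length argument, so it relies on `str` being NUL-terminated. The macro body continues past the end of the hunk.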
================================================================