[packages/php/PHP_5_3] - rel 12; fixes SECURITY bug; phpinfo leak; https://www.sektioneins.de/en/blog/14-07-04-phpinfo-info

Mon Jul 7 07:07:55 CEST 2014

commit 83a52f89975f6e61dfe5353916acfd4da3085fc9
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Mon Jul 7 07:07:52 2014 +0200

    - rel 12; fixes SECURITY bug; phpinfo leak; https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html

 php-secbug-67498.patch | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
 php.spec               |  4 +++-
 2 files changed, 55 insertions(+), 1 deletion(-)
---

diff --git a/php.spec b/php.spec
index 9f116ba..9bf7312 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
 %endif
 %endif
 
-%define		rel	11
+%define		rel	12
 %define		orgname	php
 %define		ver_suffix 53
 %define		php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -165,6 +165,7 @@ Patch11:	embed.patch
 %if %{with type_hints}
 Patch12:	http://ilia.ws/patch/type_hint_53_v2.txt
 %endif
+Patch13:	php-secbug-67498.patch
 Patch14:	%{orgname}-no_pear_install.patch
 Patch15:	%{orgname}-zlib.patch
 Patch17:	%{orgname}-readline.patch
@@ -1999,6 +2000,7 @@ cp -p php.ini-production php.ini
 %if %{with type_hints}
 %patch12 -p0
 %endif
+%patch13 -p1
 %patch14 -p1
 %patch15 -p1
 %patch17 -p1
diff --git a/php-secbug-67498.patch b/php-secbug-67498.patch
new file mode 100644
index 0000000..2ee2721
--- /dev/null
+++ b/php-secbug-67498.patch
@@ -0,0 +1,52 @@
+commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
+Author: Stanislav Malyshev <stas at php.net>
+Date:   Mon Jun 23 00:19:37 2014 -0700
+
+    Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
+
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 70b2e2f..0f15bbe 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
+@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
+ 
+ 		php_info_print_table_start();
+ 		php_info_print_table_header(2, "Variable", "Value");
+-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
+ 		}
+ 		php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
+diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
+new file mode 100644
+index 0000000..5b5951b
+--- /dev/null
++++ b/ext/standard/tests/general_functions/bug67498.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/php.git/commitdiff/83a52f89975f6e61dfe5353916acfd4da3085fc9

