[packages/php/PHP_5_2] fix for CVE-2015-0232
glen
glen at pld-linux.org
Mon Feb 23 11:55:19 CET 2015
commit b7b0e363252dcb1fc2b8fcfc7436459c28009259
Author: Elan Ruusamäe <glen at delfi.ee>
Date: Mon Feb 23 12:54:45 2015 +0200
fix for CVE-2015-0232
CVE-2015-0232.patch | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++
php.spec | 4 ++-
2 files changed, 98 insertions(+), 1 deletion(-)
---
diff --git a/php.spec b/php.spec
index 5064004..7929418 100644
--- a/php.spec
+++ b/php.spec
@@ -112,7 +112,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
%define magic_mime /usr/share/misc/magic.mime
%endif
-%define rel 9
+%define rel 10
%define orgname php
%define ver_suffix 52
%define php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -217,6 +217,7 @@ Patch72: exif-crash-bug-36.patch
Patch73: CVE-2013-6420.patch
Patch74: CVE-2013-4073.patch
Patch75: php-secbug-67498.patch
+Patch76: CVE-2015-0232.patch
# CENTALT patches
# Backport from 5.3.6
Patch311: php-5.3.6-bug-47435.patch
@@ -1937,6 +1938,7 @@ done
%patch73 -p1
%patch74 -p1
%patch75 -p1
+%patch76 -p1
# Bugfix backport from 5.3.6
%patch311 -p1 -b .bug-47435
diff --git a/CVE-2015-0232.patch b/CVE-2015-0232.patch
new file mode 100644
index 0000000..e814eea
--- /dev/null
+++ b/CVE-2015-0232.patch
@@ -0,0 +1,95 @@
+Adjusted for PHP 5.2.17
+Author: Elan Ruusamäe <glen at pld-linux.org>
+
+From: Stanislav Malyshev <stas at php.net>
+Date: Sun, 11 Jan 2015 08:51:05 +0000 (-0800)
+Subject: Fix bug #68799: Free called on unitialized pointer
+X-Git-Tag: php-5.4.37~5^2
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=2fc178cf448d8e1b95d1314e47eeef610729e0df;hp=f9ad3086693fce680fbe246e4a45aa92edd2ac35
+
+Fix bug #68799: Free called on unitialized pointer
+---
+
+--- php-5.2.17/ext/exif/exif.c~ 2015-02-23 12:38:58.000000000 +0200
++++ php-5.2.17/ext/exif/exif.c 2015-02-23 12:41:41.138901305 +0200
+@@ -2721,6 +2721,7 @@
+ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
+ {
+ xp_field->tag = tag;
++ xp_field->value = NULL;
+
+ /* Copy the comment */
+ #if EXIF_USE_MBSTRING
+diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
+new file mode 100644
+index 0000000..acc326d
+Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
+diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
+new file mode 100644
+index 0000000..b09f21c
+--- /dev/null
++++ b/ext/exif/tests/bug68799.phpt
+@@ -0,0 +1,63 @@
++--TEST--
++Bug #68799 (Free called on unitialized pointer)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++/*
++* Pollute the heap. Helps trigger bug. Sometimes not needed.
++*/
++class A {
++ function __construct() {
++ $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
++ $this->a = $a . $a . $a . $a . $a . $a;
++ }
++};
++
++function doStuff ($limit) {
++
++ $a = new A;
++
++ $b = array();
++ for ($i = 0; $i < $limit; $i++) {
++ $b[$i] = clone $a;
++ }
++
++ unset($a);
++
++ gc_collect_cycles();
++}
++
++$iterations = 3;
++
++doStuff($iterations);
++doStuff($iterations);
++
++gc_collect_cycles();
++
++print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
++
++?>
++--EXPECTF--
++Array
++(
++ [FileName] => bug68799.jpg
++ [FileDateTime] => %d
++ [FileSize] => 735
++ [FileType] => 2
++ [MimeType] => image/jpeg
++ [SectionsFound] => ANY_TAG, IFD0, WINXP
++ [COMPUTED] => Array
++ (
++ [html] => width="1" height="1"
++ [Height] => 1
++ [Width] => 1
++ [IsColor] => 1
++ [ByteOrderMotorola] => 1
++ )
++
++ [XResolution] => 96/1
++ [YResolution] => 96/1
++ [ResolutionUnit] => 2
++ [Author] =>
++)
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/php.git/commitdiff/14ec4521563dc52ec750894ac0739ca739551723