# HG changeset patch # User Craig Mohrman # Date 1436504080 25200 # Node ID 1a4cf9f7011ebb514473001ec9cf0fcd8fbb15a6 # Parent 0949962e86d73127af9c3d139fb7a769fbe86145 20803826 problem in UTILITY/PHP 21296988 problem in UTILITY/PHP
diff -r 0949962e86d7 -r 1a4cf9f7011e components/php-5_3/php-sapi/patches/370_php_20803826.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/370_php_20803826.patch Thu Jul 09 21:54:40 2015 -0700
@@ -0,0 +1,32 @@
+CVE-2013-6501
+Community has no fix.
+This patch was developed internally.
+Will be offered upstream.
+
+
+--- php-5.3.29/ext/soap/php_sdl.c_orig 2015-07-06 14:07:57.231116620 -0700
++++ php-5.3.29/ext/soap/php_sdl.c 2015-07-06 14:10:38.341928952 -0700
+@@ -1544,6 +1544,7 @@
+ int f;
+ struct stat st;
+ char *in, *buf;
++ uid_t euid;
+
+ f = open(fn, O_RDONLY|O_BINARY);
+ if (f < 0) {
+@@ -1553,6 +1554,15 @@
+ close(f);
+ return NULL;
+ }
++ /*
++ * If I'm not the owner of this file then someone might be
++ * trying to spoof me.
++ */
++ euid = geteuid();
++ if (st.st_uid != euid) {
++ close(f);
++ return NULL;
++ }
+ buf = in = emalloc(st.st_size);
+ if (read(f, in, st.st_size) != st.st_size) {
+ close(f);
diff -r 0949962e86d7 -r 1a4cf9f7011e components/php-5_3/php-sapi/patches/380_php_21296988.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/380_php_21296988.patch Thu Jul 09 21:54:40 2015 -0700
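Review bot: The ownership test added after the stat block in php_sdl.c (`if (st.st_uid != euid)`) looks only at the owner, so a cache file that belongs to the PHP user but is group- or world-writable, or is not a regular file, is still read and trusted. Consider tightening it to `if (st.st_uid != euid || !S_ISREG(st.st_mode) || (st.st_mode & (S_IWGRP | S_IWOTH))) {`. The check also cannot separate applications that run under the same effective uid, so pointing `soap.wsdl_cache_dir` at a directory private to each application is still needed alongside it. The rejection is silent; extending the new comment to say that returning NULL is presumably treated by the caller as a cache miss (to be confirmed, the caller is not visible) would help the next reader. The same points apply to the identical hunk in components/php/php56/patches/CVE-2013-6501.patch, and the enclosing function starts and ends outside both hunks.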
@@ -0,0 +1,38 @@
+Community BUG:
+https://bugs.php.net/bug.php?id=69364
+Patch from another source:
+https://github.com/80vul/phpcodz/blob/master/research/cve-2015-4024.patch.diff
+
+
+### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg
+
+--- php-5.3.29/main/rfc1867.c_orig
++++ php-5.3.29/main/rfc1867.c
+@@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ char *line;
+ mime_header_entry prev_entry, entry;
+ int prev_len, cur_len;
++ int newlines = 0;
++ long upload_max_newlines = 100;
+
+ /* didn't find boundary, abort */
+ if (!find_boundary(self, self->boundary TSRMLS_CC)) {
+@@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+
+ entry.value = estrdup(value);
+ entry.key = estrdup(key);
++ newlines = 0;
+
+ } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
+
+@@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ entry.value[cur_len + prev_len] = '\0';
+
+ entry.key = estrdup(prev_entry.key);
++ newlines++;
++ if (newlines > upload_max_newlines) {
++ return 0;
++ }
+
+ zend_llist_remove_tail(header);
+ } else {
diff -r 0949962e86d7 -r 1a4cf9f7011e components/php/php56/patches/CVE-2013-6501.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php/php56/patches/CVE-2013-6501.patch Thu Jul 09 21:54:40 2015 -0700
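Review bot: The new early exit in the continuation-line branch of multipart_buffer_headers (`if (newlines > upload_max_newlines) { return 0; }`) runs after `entry.key = estrdup(prev_entry.key);` and after `entry.value` has been written (its allocation is above the hunk, presumably emalloc), so both buffers are abandoned on that path. Either test the limit before the entry is built or release them first, e.g. `efree(entry.key); efree(entry.value); return 0;`. The limit is a local `long upload_max_newlines = 100;` with no comment and is compared against an `int` counter; a named constant with a short comment saying it caps folded lines per header, to bound the repeated re-copying of the header value, would make the intent clear. The rejection is also silent, so emitting a warning through whatever error-reporting call the file already uses for malformed uploads (not visible here) would let operators notice requests that hit the cap. The function body starts and ends outside the three inner hunks.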
@@ -0,0 +1,32 @@
+CVE-2013-6501
+Community has no fix.
+This patch was developed internally.
+Will be offered upstream.
+
+
+--- php-5.6.8/ext/soap/php_sdl.c_orig 2015-07-06 20:50:10.103937460 -0700
++++ php-5.6.8/ext/soap/php_sdl.c 2015-07-06 20:52:57.479973793 -0700
+@@ -1544,6 +1544,7 @@
+ int f;
+ struct stat st;
+ char *in, *buf;
++ uid_t euid;
+
+ f = open(fn, O_RDONLY|O_BINARY);
+ if (f < 0) {
+@@ -1553,6 +1554,15 @@
+ close(f);
+ return NULL;
+ }
++ /*
++ * If I'm not the owner of this file then someone might be
++ * trying to spoof me.
++ */
++ euid = geteuid();
++ if (st.st_uid != euid) {
++ close(f);
++ return NULL;
++ }
+ buf = in = emalloc(st.st_size);
+ if (read(f, in, st.st_size) != st.st_size) {
+ close(f);