20803826 problem in UTILITY/PHP s11u2-sru
authorCraig Mohrman <craig.mohrman@oracle.com>
Mon, 20 Jul 2015 09:11:32 -0700
branchs11u2-sru
changeset 4673 7ca7277ea064
parent 4672 b5cd74af63e5
child 4685 da890a7f6af0
20803826 problem in UTILITY/PHP 21296988 problem in UTILITY/PHP 21445788 CANONICAL_REPO no longer correct for s11.2sru since releasing FOSS Eval packages
components/php-5_2/php-sapi/patches/e0_php_20803826.patch
components/php-5_2/php-sapi/patches/f0_php_21296988.patch
components/php-5_3/php-sapi/patches/370_php_20803826.patch
components/php-5_3/php-sapi/patches/380_php_21296988.patch
make-rules/ips-buildinfo.mk
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/e0_php_20803826.patch	Mon Jul 20 09:11:32 2015 -0700
@@ -0,0 +1,32 @@
+CVE-2013-6501
+Community has no fix.
+This patch was developed internally.
+Will be offered upstream.
+
+
+--- php-5.3.29/ext/soap/php_sdl.c_orig	2015-07-06 14:07:57.231116620 -0700
++++ php-5.3.29/ext/soap/php_sdl.c	2015-07-06 14:10:38.341928952 -0700
[email protected]@ -1544,6 +1544,7 @@
+ 	int f;
+ 	struct stat st;
+ 	char *in, *buf;
++	uid_t euid;
+ 
+ 	f = open(fn, O_RDONLY|O_BINARY);
+ 	if (f < 0) {
[email protected]@ -1553,6 +1554,15 @@
+ 		close(f);
+ 		return NULL;
+ 	}
++	/*
++	 * If I'm not the owner of this file then someone might be
++	 * trying to spoof me.
++	 */
++	euid = geteuid();
++	if (st.st_uid != euid) {
++		close(f);
++		return NULL;
++	}
+ 	buf = in = emalloc(st.st_size);
+ 	if (read(f, in, st.st_size) != st.st_size) {
+ 		close(f);
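Review bot: The new `if (st.st_uid != euid)` test still trusts a cache file that is owned by the effective uid but is group- or world-writable, or that is not a regular file at all, so on a shared cache directory the spoofing this patch is meant to stop is only partly closed; extend the condition to `if (st.st_uid != euid || !S_ISREG(st.st_mode) || (st.st_mode & (S_IWGRP | S_IWOTH))) {` so that `st.st_size` is also only used for a real file. The check is made on `st` after the descriptor is open, which is the right side of a check-then-use race, but the call that fills `st` is outside the hunk, so confirm it is `fstat(f, &st)` and not a `stat()` on the path. This copy lives under the php-5_2 component yet its header names `php-5.3.29/ext/soap/php_sdl.c`; that is harmless if the component strips the leading path element when applying, otherwise the patch will not apply and should be checked. The function being patched starts before and ends after this hunk.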
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/f0_php_21296988.patch	Mon Jul 20 09:11:32 2015 -0700
@@ -0,0 +1,38 @@
+Community BUG:
+https://bugs.php.net/bug.php?id=69364
+Patch from another source:
+https://github.com/80vul/phpcodz/blob/master/research/cve-2015-4024.patch.diff
+
+
+### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg
+
+--- php-5.3.29/main/rfc1867.c_orig
++++ php-5.3.29/main/rfc1867.c
[email protected]@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 	char *line;
+ 	mime_header_entry prev_entry, entry;
+ 	int prev_len, cur_len;
++	int newlines = 0;
++	long upload_max_newlines = 100;
+ 
+ 	/* didn't find boundary, abort */
+ 	if (!find_boundary(self, self->boundary TSRMLS_CC)) {
[email protected]@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 
+ 			entry.value = estrdup(value);
+ 			entry.key = estrdup(key);
++			newlines = 0;
+ 
+ 		} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
+ 
[email protected]@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 			entry.value[cur_len + prev_len] = '\0';
+ 
+ 			entry.key = estrdup(prev_entry.key);
++			newlines++;
++			if (newlines > upload_max_newlines) {
++				return 0;
++			}
+ 
+ 			zend_llist_remove_tail(header);
+ 		} else {
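Review bot: The `return 0;` added after `entry.key = estrdup(prev_entry.key);` abandons two allocations that have not been attached to the header list yet: the key was just duplicated on the preceding line and the value buffer was filled just above it (its allocation is outside the shown context but the terminator write indicates a fresh buffer), so the rejection path leaks both until request shutdown; add `efree(entry.value); efree(entry.key);` immediately before the return. The limit is a bare literal in a `long` local, `upload_max_newlines = 100`, with nothing explaining why 100 is sufficient; a named constant with a one-line rationale such as `/* cap continuation lines per header: each one re-copies the accumulated value, so unbounded continuations are quadratic */` would preserve the intent. Counting per header rather than per request looks adequate because the quadratic cost is in re-copying a single value, but that should be confirmed against the referenced bug report. multipart_buffer_headers begins before and ends after this hunk.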
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/370_php_20803826.patch	Mon Jul 20 09:11:32 2015 -0700
@@ -0,0 +1,32 @@
+CVE-2013-6501
+Community has no fix.
+This patch was developed internally.
+Will be offered upstream.
+
+
+--- php-5.3.29/ext/soap/php_sdl.c_orig	2015-07-06 14:07:57.231116620 -0700
++++ php-5.3.29/ext/soap/php_sdl.c	2015-07-06 14:10:38.341928952 -0700
[email protected]@ -1544,6 +1544,7 @@
+ 	int f;
+ 	struct stat st;
+ 	char *in, *buf;
++	uid_t euid;
+ 
+ 	f = open(fn, O_RDONLY|O_BINARY);
+ 	if (f < 0) {
[email protected]@ -1553,6 +1554,15 @@
+ 		close(f);
+ 		return NULL;
+ 	}
++	/*
++	 * If I'm not the owner of this file then someone might be
++	 * trying to spoof me.
++	 */
++	euid = geteuid();
++	if (st.st_uid != euid) {
++		close(f);
++		return NULL;
++	}
+ 	buf = in = emalloc(st.st_size);
+ 	if (read(f, in, st.st_size) != st.st_size) {
+ 		close(f);
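Review bot: Comparing only `st.st_uid` against `geteuid()` leaves a file that the effective user owns but that others can write to, or a non-regular file such as a FIFO, passing the check, so the read that follows still consumes attacker-controlled or nonsensical content; tighten it to `if (st.st_uid != euid || !S_ISREG(st.st_mode) || (st.st_mode & (S_IWGRP | S_IWOTH))) {`. The new branch returns NULL with no diagnostic, which callers presumably treat as an ordinary cache miss; if that is the intent it deserves a comment, e.g. `/* a file we do not own is treated as a cache miss, never trusted */`, and if not, a php_error_docref() warning would help operators notice tampering. The `stat` call that populates `st` is not visible in the hunk, so confirm it is an fstat() on the open descriptor rather than a stat() on the path. The enclosing function starts before and ends after this hunk.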
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/380_php_21296988.patch	Mon Jul 20 09:11:32 2015 -0700
@@ -0,0 +1,38 @@
+Community BUG:
+https://bugs.php.net/bug.php?id=69364
+Patch from another source:
+https://github.com/80vul/phpcodz/blob/master/research/cve-2015-4024.patch.diff
+
+
+### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg
+
+--- php-5.3.29/main/rfc1867.c_orig
++++ php-5.3.29/main/rfc1867.c
[email protected]@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 	char *line;
+ 	mime_header_entry prev_entry, entry;
+ 	int prev_len, cur_len;
++	int newlines = 0;
++	long upload_max_newlines = 100;
+ 
+ 	/* didn't find boundary, abort */
+ 	if (!find_boundary(self, self->boundary TSRMLS_CC)) {
[email protected]@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 
+ 			entry.value = estrdup(value);
+ 			entry.key = estrdup(key);
++			newlines = 0;
+ 
+ 		} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
+ 
[email protected]@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 			entry.value[cur_len + prev_len] = '\0';
+ 
+ 			entry.key = estrdup(prev_entry.key);
++			newlines++;
++			if (newlines > upload_max_newlines) {
++				return 0;
++			}
+ 
+ 			zend_llist_remove_tail(header);
+ 		} else {
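Review bot: The early `return 0;` in the continuation-line branch fires after `entry.key` has been estrdup'd and after `entry.value` has been written, and neither has been added to the header list nor released, so every rejected request leaks both for its lifetime; release them first, `efree(entry.value); efree(entry.key); return 0;`. Returning 0 here also skips `zend_llist_remove_tail(header)`, which appears correct since the previous entry is then still the tail, but a short comment saying so would save the next reader the same analysis. The cap `upload_max_newlines = 100` is a magic number held in a mutable local; make it a named constant and document that it bounds the per-header re-copy that makes the original loop quadratic. multipart_buffer_headers begins before and ends after this hunk.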
--- a/make-rules/ips-buildinfo.mk	Mon Jul 13 14:34:13 2015 -0700
+++ b/make-rules/ips-buildinfo.mk	Mon Jul 20 09:11:32 2015 -0700
@@ -94,5 +94,5 @@
 
 # Set a default reference repository against which pkglint is run, in case it
 # hasn't been set in the environment.
-CANONICAL_REPO ?=		http://ipkg.us.oracle.com/solaris11/release/
+CANONICAL_REPO ?=		http://ipkg.us.oracle.com/solaris11/support/