summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-01-11 14:14:31 +0100
committerRemi Collet <remi@remirepo.net>2019-01-11 14:14:31 +0100
commit3ba80f05620ff05dc3835de45f7d22eba11cca67 (patch)
tree37f47c3844f97bdc2ec8cbee8af6cbcf619c19db
parent14af75a3038eff8af244db294486a1561729233c (diff)
Backport xmlrpc security fix from 5.6.40HEADmaster
- Fix #77242 heap out of bounds read in xmlrpc_decode - Fix #77380 Global out of bounds read in xmlrpc base64 code
-rw-r--r--bug77242.patch42
-rw-r--r--bug77380.patch52
-rw-r--r--php54.spec12
3 files changed, 104 insertions, 2 deletions
diff --git a/bug77242.patch b/bug77242.patch
new file mode 100644
index 0000000..485ed8a
--- /dev/null
+++ b/bug77242.patch
@@ -0,0 +1,42 @@
+From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 17:56:36 -0800
+Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
+
+---
+ ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
+ ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 ext/xmlrpc/tests/bug77242.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
+index 56642d46142e..eeec5379bf68 100644
+--- a/ext/xmlrpc/libxmlrpc/xml_element.c
++++ b/ext/xmlrpc/libxmlrpc/xml_element.c
+@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
+ long byte_idx = XML_GetCurrentByteIndex(parser);
+ /* int byte_total = XML_GetCurrentByteCount(parser); */
+ const char * error_str = XML_ErrorString(err_code);
++ if(byte_idx > len) {
++ byte_idx = len;
++ }
+ if(byte_idx >= 0) {
+ snprintf(buf,
+ sizeof(buf),
+diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
+new file mode 100644
+index 000000000000..542c06311f74
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77242.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #77242 (heap out of bounds read in xmlrpc_decode())
++--SKIPIF--
++<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
++?>
++--EXPECT--
++NULL
+\ No newline at end of file
diff --git a/bug77380.patch b/bug77380.patch
new file mode 100644
index 0000000..d3db7db
--- /dev/null
+++ b/bug77380.patch
@@ -0,0 +1,52 @@
+Backported for 5.4 from:
+
+
+
+From 1cc2182bcc81e185c14837e659d12b268cb99d63 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 1 Jan 2019 17:15:20 -0800
+Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64
+ code)
+
+---
+ ext/xmlrpc/libxmlrpc/base64.c | 4 ++--
+ ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug77380.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
+index 5ebdf31f7ade..a4fa19327b76 100644
+--- a/ext/xmlrpc/libxmlrpc/base64.c
++++ b/ext/xmlrpc/libxmlrpc/base64.c
+@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
+ return;
+ }
+
+- if (dtable[c] & 0x80) {
++ if (dtable[(unsigned char)c] & 0x80) {
+ /*
+ fprintf(stderr, "Offset %i length %i\n", offset, length);
+ fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
+diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt
+new file mode 100644
+index 000000000000..8559c07a5aea
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77380.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #77380 (Global out of bounds read in xmlrpc base64 code)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo=")));
++?>
++--EXPECT--
++object(stdClass)#1 (2) {
++ ["scalar"]=>
++ string(0) ""
++ ["xmlrpc_type"]=>
++ string(6) "base64"
++}
diff --git a/php54.spec b/php54.spec
index b0bb171..1e21033 100644
--- a/php54.spec
+++ b/php54.spec
@@ -99,7 +99,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.4.45
-Release: 16%{?dist}
+Release: 17%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -233,6 +233,8 @@ Patch271: bug76582.patch
Patch272: bug77153.patch
Patch273: bug77020.patch
Patch274: bug77231.patch
+Patch275: bug77242.patch
+Patch276: bug77380.patch
# Fixes for tests
# no_NO issue
@@ -1015,6 +1017,8 @@ rm -f ext/json/utf8_to_utf16.*
%patch272 -p1 -b .bug77153
%patch273 -p1 -b .bug77020
%patch274 -p1 -b .bug77231
+%patch275 -p1 -b .bug77242
+%patch276 -p1 -b .bug77380
# Fixes for tests
%patch301 -p1 -b .datetests2
@@ -1680,7 +1684,7 @@ cat << EOF
backported from 5.5 or 5.6,
The UPGRADE to a maintained version is very strongly RECOMMENDED.
-%if %{?fedora}%{!?fedora:99} < 26
+%if %{?fedora}%{!?fedora:99} < 28
WARNING : Fedora %{fedora} is now EOL :
You should consider upgrading to a supported release
%endif
@@ -1901,6 +1905,10 @@ fi
%changelog
+* Fri Jan 11 2019 Remi Collet <remi@remirepo.net> - 5.4.45-17
+- Fix #77242 heap out of bounds read in xmlrpc_decode
+- Fix #77380 Global out of bounds read in xmlrpc base64 code
+
* Mon Dec 10 2018 Remi Collet <remi@remirepo.net> - 5.4.45-16
- Fix #77231 Segfault when using convert.quoted-printable-encode filter
- Fix #77020 null pointer dereference in imap_mail