From eb6361698e878ab5473a395d5056cf682e14e704 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 12 Jul 2013 18:19:23 +0200 Subject: php 5.5.0 with fix for CVE-2013-4113 --- php-5.5.0-CVE-2013-4013.patch | 181 ++++++++++++++++++++++++++++++++++++++++++ php55.spec | 22 +++-- 2 files changed, 197 insertions(+), 6 deletions(-) create mode 100644 php-5.5.0-CVE-2013-4013.patch diff --git a/php-5.5.0-CVE-2013-4013.patch b/php-5.5.0-CVE-2013-4013.patch new file mode 100644 index 0000000..dfa2c86 --- /dev/null +++ b/php-5.5.0-CVE-2013-4013.patch @@ -0,0 +1,181 @@ +From 7d163e8a0880ae8af2dd869071393e5dc07ef271 Mon Sep 17 00:00:00 2001 +From: Rob Richards +Date: Sat, 6 Jul 2013 07:53:07 -0400 +Subject: [PATCH] truncate results at depth of 255 to prevent corruption + +--- + ext/xml/xml.c | 90 +++++++++++++++++++++++++++++++++-------------------------- + 1 file changed, 50 insertions(+), 40 deletions(-) + +diff --git a/ext/xml/xml.c b/ext/xml/xml.c +index 1f0480b..9f0bc30 100644 +--- a/ext/xml/xml.c ++++ b/ext/xml/xml.c +@@ -428,7 +428,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC) + } + if (parser->ltags) { + int inx; +- for (inx = 0; inx < parser->level; inx++) ++ for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++) + efree(parser->ltags[ inx ]); + efree(parser->ltags); + } +@@ -805,45 +805,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch + } + + if (parser->data) { +- zval *tag, *atr; +- int atcnt = 0; ++ if (parser->level <= XML_MAXLEVEL) { ++ zval *tag, *atr; ++ int atcnt = 0; + +- MAKE_STD_ZVAL(tag); +- MAKE_STD_ZVAL(atr); ++ MAKE_STD_ZVAL(tag); ++ MAKE_STD_ZVAL(atr); + +- array_init(tag); +- array_init(atr); ++ array_init(tag); ++ array_init(atr); + +- _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); ++ _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); + +- add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ +- add_assoc_string(tag,"type","open",1); +- add_assoc_long(tag,"level",parser->level); ++ add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ ++ add_assoc_string(tag,"type","open",1); ++ add_assoc_long(tag,"level",parser->level); + +- parser->ltags[parser->level-1] = estrdup(tag_name); +- parser->lastwasopen = 1; ++ parser->ltags[parser->level-1] = estrdup(tag_name); ++ parser->lastwasopen = 1; + +- attributes = (const XML_Char **) attrs; ++ attributes = (const XML_Char **) attrs; + +- while (attributes && *attributes) { +- att = _xml_decode_tag(parser, attributes[0]); +- val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding); +- +- add_assoc_stringl(atr,att,val,val_len,0); ++ while (attributes && *attributes) { ++ att = _xml_decode_tag(parser, attributes[0]); ++ val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding); + +- atcnt++; +- attributes += 2; ++ add_assoc_stringl(atr,att,val,val_len,0); + +- efree(att); +- } ++ atcnt++; ++ attributes += 2; + +- if (atcnt) { +- zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL); +- } else { +- zval_ptr_dtor(&atr); +- } ++ efree(att); ++ } ++ ++ if (atcnt) { ++ zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL); ++ } else { ++ zval_ptr_dtor(&atr); ++ } + +- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag); ++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag); ++ } else if (parser->level == (XML_MAXLEVEL + 1)) { ++ TSRMLS_FETCH(); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated"); ++ } + } + + efree(tag_name); +@@ -895,7 +900,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name) + + efree(tag_name); + +- if (parser->ltags) { ++ if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) { + efree(parser->ltags[parser->level-1]); + } + +@@ -979,18 +984,23 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) + } + } + +- MAKE_STD_ZVAL(tag); +- +- array_init(tag); +- +- _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset); ++ if (parser->level <= XML_MAXLEVEL) { ++ MAKE_STD_ZVAL(tag); + +- add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1); +- add_assoc_string(tag,"value",decoded_value,0); +- add_assoc_string(tag,"type","cdata",1); +- add_assoc_long(tag,"level",parser->level); ++ array_init(tag); + +- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); ++ _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset); ++ ++ add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1); ++ add_assoc_string(tag,"value",decoded_value,0); ++ add_assoc_string(tag,"type","cdata",1); ++ add_assoc_long(tag,"level",parser->level); ++ ++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); ++ } else if (parser->level == (XML_MAXLEVEL + 1)) { ++ TSRMLS_FETCH(); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated"); ++ } + } + } else { + efree(decoded_value); +-- +1.7.11.5 + +From 710eee5555bc5c95692bd3c84f5d2b5d687349b6 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Johannes=20Schl=C3=BCter?= +Date: Wed, 10 Jul 2013 19:35:18 +0200 +Subject: [PATCH] add test for bug #65236 + +--- + ext/xml/tests/bug65236.phpt | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + create mode 100644 ext/xml/tests/bug65236.phpt + +diff --git a/ext/xml/tests/bug65236.phpt b/ext/xml/tests/bug65236.phpt +new file mode 100644 +index 0000000..67b26d6 +--- /dev/null ++++ b/ext/xml/tests/bug65236.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #65236 (heap corruption in xml parser) ++--SKIPIF-- ++ ++--FILE-- ++", 1000), $a); ++ ++echo "Done\n"; ++?> ++--EXPECTF-- ++Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated in %s on line %d ++Done +-- +1.7.11.5 + diff --git a/php55.spec b/php55.spec index f4107e1..baa63fb 100644 --- a/php55.spec +++ b/php55.spec @@ -61,7 +61,7 @@ %else %global with_dtrace 0 %endif -%if 0%{?fedora} < 20 && 0%{?rhel} < 5 +%if 0%{?fedora} < 17 && 0%{?rhel} < 5 %global with_libgd 0 %else %global with_libgd 1 @@ -80,16 +80,16 @@ %global db_devel libdb-devel %endif -%global snapdate 201306240630 +#global snapdate 201306240630 #global rcver RC3 Summary: PHP scripting language for creating dynamic web sites Name: php -Version: 5.5.1 +Version: 5.5.0 %if 0%{?snapdate:1}%{?rcver:1} Release: 0.1.%{?snapdate}%{?rcver}%{?dist} %else -Release: 1%{?dist} +Release: 2%{?dist} %endif # All files licensed under PHP version 3.01, except # Zend is licensed under Zend @@ -146,6 +146,9 @@ Patch46: php-5.4.9-fixheader.patch # drop "Configure command" from phpinfo output Patch47: php-5.4.9-phpinfo.patch +# Security fixes +Patch60: php-5.5.0-CVE-2013-4013.patch + # Fixes for tests # RC Patch @@ -847,6 +850,8 @@ httpd -V | grep -q 'threaded:.*yes' && exit 1 %patch46 -p1 -b .fixheader %patch47 -p1 -b .phpinfo +%patch60 -p1 -b .cve4113 + %patch91 -p1 -b .remi-oci8 # wip patches @@ -1301,7 +1306,7 @@ popd %if %runselftest cd build-apache -# Double stack size (required by bug54268.phpt) +# Increase stack size (required by bug54268.phpt) ulimit -s 32712 # Run tests, using the CLI SAPI @@ -1802,7 +1807,12 @@ fi %changelog -* Mon Jun 24 2013 Remi Collet 5.5.0-0.1.201306240630 +* Fri Jul 12 2013 Remi Collet - 5.5.0-2 +- add security fix for CVE-2013-4113 +- add missing ASL 1.0 license +- 32k stack size seems ok for tests on both 32/64bits build + +* Mon Jun 24 2013 Remi Collet 5.5.1-0.1.201306240630 - test build (bundled libgd) * Thu Jun 20 2013 Remi Collet 5.5.0-1 -- cgit