diff options
Diffstat (limited to 'php-5.5.6-CVE-2014-1943.patch')
-rw-r--r-- | php-5.5.6-CVE-2014-1943.patch | 193 |
1 files changed, 0 insertions, 193 deletions
diff --git a/php-5.5.6-CVE-2014-1943.patch b/php-5.5.6-CVE-2014-1943.patch deleted file mode 100644 index 3bee3c8..0000000 --- a/php-5.5.6-CVE-2014-1943.patch +++ /dev/null @@ -1,193 +0,0 @@ -From 89f864c547014646e71862df3664e3ff33d7143d Mon Sep 17 00:00:00 2001 -From: Remi Collet <remi@php.net> -Date: Tue, 18 Feb 2014 13:54:33 +0100 -Subject: [PATCH] Fixed Bug #66731 file: infinite recursion - -Upstream commit (available in file-5.17) - -https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f -https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 ---- - ext/fileinfo/libmagic/ascmagic.c | 2 +- - ext/fileinfo/libmagic/file.h | 2 +- - ext/fileinfo/libmagic/funcs.c | 2 +- - ext/fileinfo/libmagic/softmagic.c | 8 ++++--- - ext/fileinfo/tests/cve-2014-1943.phpt | 39 +++++++++++++++++++++++++++++++++++ - 5 files changed, 47 insertions(+), 6 deletions(-) - create mode 100644 ext/fileinfo/tests/cve-2014-1943.phpt - -diff --git a/ext/fileinfo/libmagic/ascmagic.c b/ext/fileinfo/libmagic/ascmagic.c -index 2090097..c0041df 100644 ---- a/ext/fileinfo/libmagic/ascmagic.c -+++ b/ext/fileinfo/libmagic/ascmagic.c -@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf, - == NULL) - goto done; - if ((rv = file_softmagic(ms, utf8_buf, -- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0) -+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0) - rv = -1; - } - -diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h -index 19b6872..ab5082d 100644 ---- a/ext/fileinfo/libmagic/file.h -+++ b/ext/fileinfo/libmagic/file.h -@@ -437,7 +437,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t, - unichar **, size_t *, const char **, const char **, const char **); - protected int file_is_tar(struct magic_set *, const unsigned char *, size_t); - protected int file_softmagic(struct magic_set *, const unsigned char *, size_t, -- int, int); -+ size_t, int, int); - protected int file_apprentice(struct magic_set *, const char *, int); - protected int file_magicfind(struct magic_set *, const char *, struct mlist *); - protected uint64_t file_signextend(struct magic_set *, struct magic *, -diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c -index 9c0d2bd..011ca42 100644 ---- a/ext/fileinfo/libmagic/funcs.c -+++ b/ext/fileinfo/libmagic/funcs.c -@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const - - /* try soft magic tests */ - if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0) -- if ((m = file_softmagic(ms, ubuf, nb, BINTEST, -+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST, - looks_text)) != 0) { - if ((ms->flags & MAGIC_DEBUG) != 0) - (void)fprintf(stderr, "softmagic %d\n", m); -diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c -index 0671fa9..7c5f628 100644 ---- a/ext/fileinfo/libmagic/softmagic.c -+++ b/ext/fileinfo/libmagic/softmagic.c -@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *); - /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */ - protected int - file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, -- int mode, int text) -+ size_t level, int mode, int text) - { - struct mlist *ml; - int rv, printed_something = 0, need_separator = 0; - for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next) - if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode, -- text, 0, 0, &printed_something, &need_separator, -+ text, 0, level, &printed_something, &need_separator, - NULL)) != 0) - return rv; - -@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, - break; - - case FILE_INDIRECT: -+ if (offset == 0) -+ return 0; - if (nbytes < offset) - return 0; - sbuf = ms->o.buf; -@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, - ms->o.buf = NULL; - ms->offset = 0; - rv = file_softmagic(ms, s + offset, nbytes - offset, -- BINTEST, text); -+ recursion_level, BINTEST, text); - if ((ms->flags & MAGIC_DEBUG) != 0) - fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv); - rbuf = ms->o.buf; -diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt -new file mode 100644 -index 0000000..b2e9c17 ---- /dev/null -+++ b/ext/fileinfo/tests/cve-2014-1943.phpt -@@ -0,0 +1,39 @@ -+--TEST-- -+Bug #66731: file: infinite recursion -+--SKIPIF-- -+<?php -+if (!class_exists('finfo')) -+ die('skip no fileinfo extension'); -+--FILE-- -+<?php -+$fd = __DIR__.'/cve-2014-1943.data'; -+$fm = __DIR__.'/cve-2014-1943.magic'; -+ -+$a = "\105\122\000\000\000\000\000"; -+$b = str_repeat("\001", 250000); -+$m = "0 byte x\n". -+ ">(1.b) indirect x\n"; -+ -+file_put_contents($fd, $a); -+$fi = finfo_open(FILEINFO_NONE); -+var_dump(finfo_file($fi, $fd)); -+finfo_close($fi); -+ -+file_put_contents($fd, $b); -+file_put_contents($fm, $m); -+$fi = finfo_open(FILEINFO_NONE, $fm); -+var_dump(finfo_file($fi, $fd)); -+finfo_close($fi); -+?> -+Done -+--CLEAN-- -+<?php -+@unlink(__DIR__.'/cve-2014-1943.data'); -+@unlink(__DIR__.'/cve-2014-1943.magic'); -+?> -+--EXPECTF-- -+string(%d) "%s" -+ -+Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d -+bool(false) -+Done --- -1.8.4.3 - -From bd8cd98d6d70ac50dc1de350970ed9ea479895db Mon Sep 17 00:00:00 2001 -From: Remi Collet <remi@php.net> -Date: Tue, 18 Feb 2014 13:57:53 +0100 -Subject: [PATCH] Set fileinfo version to 1.0.5 (as in php 5.4, no diff) - ---- - ext/fileinfo/php_fileinfo.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ext/fileinfo/php_fileinfo.h b/ext/fileinfo/php_fileinfo.h -index d8dec12..354ec7b 100644 ---- a/ext/fileinfo/php_fileinfo.h -+++ b/ext/fileinfo/php_fileinfo.h -@@ -24,7 +24,7 @@ - extern zend_module_entry fileinfo_module_entry; - #define phpext_fileinfo_ptr &fileinfo_module_entry - --#define PHP_FILEINFO_VERSION "1.0.5-dev" -+#define PHP_FILEINFO_VERSION "1.0.5" - - #ifdef PHP_WIN32 - #define PHP_FILEINFO_API __declspec(dllexport) --- -1.8.4.3 - -From 10eb0070700382f966bf260e44135e1f724a15d2 Mon Sep 17 00:00:00 2001 -From: Anatol Belski <ab@php.net> -Date: Thu, 20 Feb 2014 18:53:53 +0100 -Subject: [PATCH] fixed leak introduced after CVE/upgrade - ---- - ext/fileinfo/libmagic/softmagic.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c -index 7c5f628..33970e5 100644 ---- a/ext/fileinfo/libmagic/softmagic.c -+++ b/ext/fileinfo/libmagic/softmagic.c -@@ -1701,6 +1701,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, - return -1; - if (file_printf(ms, "%s", rbuf) == -1) - return -1; -+ } -+ if (rbuf) { - efree(rbuf); - } - return rv; --- -1.8.4.3 - |