authorSean Finney <seanius@debian.org>2009-04-10 14:39:03 +0200
committerSean Finney <seanius@debian.org>2009-04-10 14:39:03 +0200
commit31e14764caf4a466b99d7383a9e0e891533227b7 (patch)
tree95f76830ec968e0aea07cfa70207ea6e4bfb642a
parent19dfacbdda7d921a3b3f284d4e7d3413149225ad (diff)
Imported Debian patch 5.2.0-8+etch13debian/5.2.0-8+etch13
-rw-r--r--debian/changelog37
-rw-r--r--debian/patches/134-CVE-2008-1384.patch32
-rw-r--r--debian/patches/135-CVE-2008-2050.patch22
-rw-r--r--debian/patches/136-CVE-2008-2051.patch15
-rw-r--r--debian/patches/137-CVE-2007-3806.patch11
-rw-r--r--debian/patches/139-CVE-2008-3659.patch14
-rw-r--r--debian/patches/140-CVE-2008-3658.patch27
-rw-r--r--debian/patches/141-CVE-2008-3660.patch53
8 files changed, 211 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index ba0ecf155..1313e799b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,40 @@
+php5 (5.2.0-8+etch13) stable-security; urgency=high
+
+ * Upload to etch for security issues
+ * The following security issues are addressed with this update:
+ - CVE-2008-3658: Buffer overflow in the imageloadfont function.
+ Patch: 140-CVE-2008-3658.patch (closes: #499989)
+ - CVE-2008-3659: Buffer overflow in the memnstr function.
+ Patch: 139-CVE-2008-3659.patch (closes: #499988)
+ - CVE-2008-3660: Remote DoS in fastcgi module
+ Patch: CVE-2008-3660.patch (closes: #499987)
+ * Revert previous security patch for CVE-2008-2829. A fix for this
+ will not be possible without an updated version of the UW c-client
+ libraries.
+
+ -- Sean Finney <seanius@debian.org> Tue, 30 Sep 2008 20:19:42 +0200
+
+php5 (5.2.0-8+etch12) stable-security; urgency=high
+
+ * Upload to etch for security issues.
+ * The following security issues are addressed with this update:
+ - CVE-2008-2829: unsafe usage of deprecated imap functions.
+ Patch: 138-CVE-2008-2829.patch
+
+ -- Sean Finney <seanius@debian.org> Mon, 30 Jun 2008 22:09:53 +0200
+
+php5 (5.2.0-8+etch11) stable-security; urgency=high
+
+ * Upload to etch for security issues.
+ * The following security issues are addressed with this update:
+ - CVE-2007-3806: glob denial of service
+ - CVE-2008-1384: integer overflow in printf()
+ - CVE-2008-2050: possible stack buffer overflow in the FastCGI SAPI
+ - CVE-2008-2051: incomplete multibyte chars inside escapeshellcmd()
+ closes: #479723
+
+ -- sean finney <seanius@debian.org> Thu, 21 Feb 2008 07:09:01 +0100
+
php5 (5.2.0-8+etch11~p1) stable; urgency=high
* zend_parse_parameters does not handle size_t's, causing issues with
diff --git a/debian/patches/134-CVE-2008-1384.patch b/debian/patches/134-CVE-2008-1384.patch
new file mode 100644
index 000000000..a70b01a8f
--- /dev/null
+++ b/debian/patches/134-CVE-2008-1384.patch
@@ -0,0 +1,32 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.104&r2=1.105&view=patch
+--- old/ext/standard/formatted_print.c 2007/12/31 07:12:15 1.104
++++ new/ext/standard/formatted_print.c 2008/03/17 23:07:55 1.105
+@@ -94,6 +94,7 @@
+ register int npad;
+ int req_size;
+ int copy_len;
++ int m_width;
+
+ copy_len = (expprec ? MIN(max_width, len) : len);
+ npad = min_width - copy_len;
+@@ -104,11 +105,19 @@
+
+ PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n",
+ *buffer, *pos, *size, add, min_width, padding, alignment));
++ m_width = MAX(min_width, copy_len);
+
+- req_size = *pos + MAX(min_width, copy_len) + 1;
++ if(m_width > INT_MAX - *pos - 1) {
++ zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width);
++ }
++
++ req_size = *pos + m_width + 1;
+
+ if (req_size > *size) {
+ while (req_size > *size) {
++ if(*size > INT_MAX/2) {
++ zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size);
++ }
+ *size <<= 1;
+ }
+ PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
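Review bot: The second guard's diagnostic reports the wrong quantity: `zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size);` prints the required buffer size, not a field width, so the two errors are indistinguishable in logs yet describe different conditions. Reporting `m_width` in both messages, or wording the second one as a buffer-size error such as `"Buffer size %d is too large"`, would make the log entry match what was actually rejected. Both checks rely on `INT_MAX`; whether formatted_print.c already includes `<limits.h>` is not visible here and should be confirmed before the patch is applied. The function that both hunks modify starts and ends outside the hunk.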
diff --git a/debian/patches/135-CVE-2008-2050.patch b/debian/patches/135-CVE-2008-2050.patch
new file mode 100644
index 000000000..5009f36ec
--- /dev/null
+++ b/debian/patches/135-CVE-2008-2050.patch
@@ -0,0 +1,22 @@
+http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.44&r2=1.45&view=patch
+--- old/sapi/cgi/fastcgi.c 2008/02/15 14:51:52 1.44
++++ new/sapi/cgi/fastcgi.c 2008/04/03 10:25:08 1.45
+@@ -593,6 +593,9 @@
+ hdr->reserved = 0;
+ hdr->type = type;
+ hdr->version = FCGI_VERSION_1;
++ if (pad) {
++ memset(((unsigned char*)hdr) + sizeof(fcgi_header) + len, 0, pad);
++ }
+ return pad;
+ }
+
+@@ -777,7 +780,7 @@
+ {
+ int ret, n, rest;
+ fcgi_header hdr;
+- unsigned char buf[8];
++ unsigned char buf[255];
+
+ n = 0;
+ rest = len;
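Review bot: The new `memset(((unsigned char*)hdr) + sizeof(fcgi_header) + len, 0, pad);` writes `pad` bytes beyond the payload with no visible check that the caller's buffer extends that far, and the function it sits in starts outside the hunk, so the precondition is nowhere stated; a comment at its head such as `/* hdr must point to a buffer of at least sizeof(fcgi_header) + len + pad bytes */` would record it. Zeroing the padding is presumably meant to stop uninitialised bytes from being sent as record padding, which is sound, but it turns an implicit size assumption into an explicit write. The `buf[8]` to `buf[255]` change in the second hunk presumably matches the largest padding a one-byte length field can express; if that bound is enforced elsewhere, a short comment beside the declaration naming it would tie the two together.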
diff --git a/debian/patches/136-CVE-2008-2051.patch b/debian/patches/136-CVE-2008-2051.patch
new file mode 100644
index 000000000..2f8c7c738
--- /dev/null
+++ b/debian/patches/136-CVE-2008-2051.patch
@@ -0,0 +1,15 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.113.2.3.2.1.2.3&r2=1.113.2.3.2.1.2.4&view=patch
+--- old/ext/standard/exec.c 2007/12/31 07:17:14 1.113.2.3.2.1.2.3
++++ new/ext/standard/exec.c 2008/03/17 23:01:27 1.113.2.3.2.1.2.4
+@@ -271,6 +271,11 @@
+ cmd = safe_emalloc(2, l, 1);
+
+ for (x = 0, y = 0; x < l; x++) {
++ /* skip non-valid multibyte characters */
++ if (php_mblen(str + x, (l - x)) < 0) {
++ continue;
++ }
++
+ switch (str[x]) {
+ case '"':
+ case '\'':
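Review bot: The check `if (php_mblen(str + x, (l - x)) < 0) { continue; }` only drops bytes that fail as the start of a sequence; when php_mblen reports a character longer than one byte the loop still advances a single byte, so the trailing bytes of a valid multibyte character are passed to the switch individually and re-examined by php_mblen from an interior offset on the next iteration. If php_mblen keeps shift state or the encoding permits ASCII-range continuation bytes (neither is visible here), a valid character can be split or its tail bytes escaped. Keeping the returned length and copying a multi-byte character through as one unit avoids that, as sketched below; the enclosing function and the later use of `cmd`/`y` continue outside the hunk.
```c
	for (x = 0, y = 0; x < l; x++) {
		int mb_len = php_mblen(str + x, (l - x));

		/* skip non-valid multibyte characters */
		if (mb_len < 0) {
			continue;
		} else if (mb_len > 1) {
			/* copy a valid multi-byte character through untouched */
			memcpy(cmd + y, str + x, mb_len);
			y += mb_len;
			x += mb_len - 1;
			continue;
		}

		switch (str[x]) {
		/* … unchanged: per-character escaping cases … */
```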
diff --git a/debian/patches/137-CVE-2007-3806.patch b/debian/patches/137-CVE-2007-3806.patch
new file mode 100644
index 000000000..6c3ac1ad9
--- /dev/null
+++ b/debian/patches/137-CVE-2007-3806.patch
@@ -0,0 +1,11 @@
+diff -Nurad php5-5.2.3~/ext/standard/dir.c php5-5.2.3.new/ext/standard/dir.c
+--- php5-5.2.3~/ext/standard/dir.c 2007-09-28 23:37:59.000000000 +0200
++++ php5-5.2.3.new/ext/standard/dir.c 2007-09-28 23:59:48.000000000 +0200
+@@ -395,6 +395,7 @@
+ }
+ #endif
+
++ memset(&globbuf, 0, sizeof(glob_t));
+ globbuf.gl_offs = 0;
+ if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
+ #ifdef GLOB_NOMATCH
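Review bot: `memset(&globbuf, 0, sizeof(glob_t));` sizes the clear by the type name; `memset(&globbuf, 0, sizeof globbuf);` follows the variable if its type ever changes and is the more common idiom. The following `globbuf.gl_offs = 0;` becomes redundant after the memset and can either be dropped or kept with a comment saying it is there to document the field. The surrounding function starts and ends outside the hunk.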
diff --git a/debian/patches/139-CVE-2008-3659.patch b/debian/patches/139-CVE-2008-3659.patch
new file mode 100644
index 000000000..47d61284a
--- /dev/null
+++ b/debian/patches/139-CVE-2008-3659.patch
@@ -0,0 +1,14 @@
+fix for CVE-2008-3659
+http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+--- old/Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11
++++ new/Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12
+@@ -220,6 +220,9 @@
+ char *p = haystack;
+ char ne = needle[needle_len-1];
+
++ if(needle_len > end-haystack) {
++ return NULL;
++ }
+ end -= needle_len;
+
+ while (p <= end) {
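Review bot: The new guard is placed after `char ne = needle[needle_len-1];`, so a zero-length needle still reads one byte before `needle` before anything is rejected, and the guard itself does not exclude `needle_len == 0`. Unless every caller already rejects empty needles (not visible here), the read should move below the guard and zero should be excluded, e.g. `if (needle_len <= 0 || needle_len > end - haystack) { return NULL; }` followed by `ne = needle[needle_len-1];`. Whether `needle_len` is signed is also not visible; if it is unsigned, the comparison against the pointer difference promotes the difference and a negative value would be misread as large. The function begins outside the hunk.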
diff --git a/debian/patches/140-CVE-2008-3658.patch b/debian/patches/140-CVE-2008-3658.patch
new file mode 100644
index 000000000..23f1fa711
--- /dev/null
+++ b/debian/patches/140-CVE-2008-3658.patch
@@ -0,0 +1,27 @@
+CVE-2008-3658
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.35&r2=1.312.2.20.2.36&view=patch
+--- old/ext/gd/gd.c 2008/05/04 21:19:17 1.312.2.20.2.35
++++ new/ext/gd/gd.c 2008/07/17 22:58:23 1.312.2.20.2.36
+@@ -1636,6 +1636,22 @@
+ font->nchars = FLIPWORD(font->nchars);
+ body_size = font->w * font->h * font->nchars;
+ }
++
++ if (overflow2(font->nchars, font->h)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++ efree(font);
++ php_stream_close(stream);
++ RETURN_FALSE;
++ }
++ if (overflow2(font->nchars * font->h, font->w )) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++ efree(font);
++ php_stream_close(stream);
++ RETURN_FALSE;
++ }
++
++
++
+
+ if (body_size != body_size_check) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
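Review bot: The two `overflow2` checks are placed after `body_size = font->w * font->h * font->nchars;` has already been evaluated, so the multiplication they guard has already run; if those fields are signed ints (their types are not visible here) the overflow is undefined behaviour before the result is ever discarded. Moving both checks above that assignment makes the guard effective rather than after-the-fact. The checks also repeat the same four-line cleanup; `if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w))` with a single body reads better, and the three trailing empty `+` lines are stray whitespace. The function continues outside the hunk.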
diff --git a/debian/patches/141-CVE-2008-3660.patch b/debian/patches/141-CVE-2008-3660.patch
new file mode 100644
index 000000000..069fb829e
--- /dev/null
+++ b/debian/patches/141-CVE-2008-3660.patch
@@ -0,0 +1,53 @@
+--- php5-5.2.6.orig/sapi/cgi/cgi_main.c
++++ php5-5.2.6/sapi/cgi/cgi_main.c
+@@ -765,6 +765,39 @@ static void php_cgi_usage(char *argv0)
+ }
+ /* }}} */
+
++/* {{{ is_valid_path
++ *
++ * some server configurations allow '..' to slip through in the
++ * translated path. We'll just refuse to handle such a path.
++ */
++static int is_valid_path(const char *path)
++{
++ const char *p;
++
++ if (!path) {
++ return 0;
++ }
++ p = strstr(path, "..");
++ if (p) {
++ if ((p == path || IS_SLASH(*(p-1))) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ while (1) {
++ p = strstr(p+1, "..");
++ if (!p) {
++ break;
++ }
++ if (IS_SLASH(*(p-1)) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ }
++ }
++ return 1;
++}
++/* }}} */
++
+ /* {{{ init_request_info
+
+ initializes request_info structure
+@@ -1061,9 +1094,7 @@ static void init_request_info(TSRMLS_D)
+ SG(request_info).request_method = sapi_cgibin_getenv("REQUEST_METHOD", sizeof("REQUEST_METHOD")-1 TSRMLS_CC);
+ /* FIXME - Work out proto_num here */
+ SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING", sizeof("QUERY_STRING")-1 TSRMLS_CC);
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ SG(request_info).content_type = (content_type ? content_type : "" );
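Review bot: `is_valid_path` tests the same component condition twice — once for the first match and again inside `while (1)` — and its header comment does not say what the return value means. Folding both into one `for` over successive `strstr` hits keeps the behaviour (the `p == path` case can only hold on the first hit, and `*(p-1)` is in bounds on every later one) and halves the code, and a line such as `/* returns 1 if path has no ".." component, 0 otherwise */` covers the contract. The new check is deliberately narrower than the removed `strstr(script_path_translated, "..")` test, since names like `foo..bar` now pass; that is presumably the intent and worth a sentence in the comment. The `init_request_info` hunk that switches to the helper continues outside the hunk.
```c
/* {{{ is_valid_path
 *
 * some server configurations allow '..' to slip through in the
 * translated path. We'll just refuse to handle such a path.
 *
 * Returns 1 if path contains no ".." path component, 0 otherwise
 * (a NULL path is also rejected).
 */
static int is_valid_path(const char *path)
{
	const char *p;

	if (!path) {
		return 0;
	}
	for (p = strstr(path, ".."); p; p = strstr(p + 1, "..")) {
		/* ".." only counts as a whole component: bounded by start/slash and end/slash */
		if ((p == path || IS_SLASH(*(p - 1))) &&
		    (*(p + 2) == 0 || IS_SLASH(*(p + 2)))) {
			return 0;
		}
	}
	return 1;
}
/* }}} */
```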