authorSean Finney <seanius@debian.org>2009-04-10 14:36:46 +0200
committerSean Finney <seanius@debian.org>2009-04-10 14:36:46 +0200
commit203ff3706e2068bcbdd71966588eaf3a47a63acb (patch)
treee9932350ff3e53b497619fc5816362f3d0ba18d9
parentb2d96f6ff7ecab08b7b73d0844d27455163e5764 (diff)
downloadphp-debian/5.2.0-8+etch6.tar.gz
Imported Debian patch 5.2.0-8+etch6debian/5.2.0-8+etch6
-rw-r--r--debian/changelog10
-rw-r--r--debian/patches/123-CVE-2007-1399-MOPB-16.patch31
2 files changed, 41 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 40c4aeadf..d2bad8838 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+php5 (5.2.0-8+etch6) stable-security; urgency=low
+
+ * NMU prepared for the security team by the package maintainer.
+ * The following security issue is addressed with this update:
+ - CVE-2007-1399/MOPB-16: zip stream stack overflow.
+ * also, this update contains a merge from the proposed-updates
+ branch to fix a regression from the previous security update.
+
+ -- sean finney <seanius@debian.org> Sat, 30 Jun 2007 20:54:33 +0200
+
php5 (5.2.0-8+etch5~pu1) proposed-updates; urgency=low
* fix for regression in single quote escaping (closes: #422567).
diff --git a/debian/patches/123-CVE-2007-1399-MOPB-16.patch b/debian/patches/123-CVE-2007-1399-MOPB-16.patch
new file mode 100644
index 000000000..bfcb96ece
--- /dev/null
+++ b/debian/patches/123-CVE-2007-1399-MOPB-16.patch
@@ -0,0 +1,31 @@
+http://cvs.php.net/viewvc.cgi/php-src/ext/zip/zip_stream.c?r1=1.1.2.2&r2=1.1.2.3&pathrev=PHP_5_2&view=patch
+--- old/ext/zip/zip_stream.c 2006/11/12 00:41:16 1.1.2.2
++++ new/ext/zip/zip_stream.c 2006/12/23 23:28:39 1.1.2.3
+@@ -153,7 +153,7 @@
+
+ char *file_basename;
+ size_t file_basename_len;
+- char file_dirname[MAXPATHLEN+1];
++ char file_dirname[MAXPATHLEN];
+
+ struct zip *za;
+ struct zip_file *zf = NULL;
+@@ -179,15 +179,15 @@
+ return NULL;
+ }
+ path_len = strlen(path);
++ if (path_len >= MAXPATHLEN || mode[0] != 'r') {
++ return NULL;
++ }
+
+ memcpy(file_dirname, path, path_len - fragment_len);
+ file_dirname[path_len - fragment_len] = '\0';
+
+ php_basename(path, path_len - fragment_len, NULL, 0, &file_basename, &file_basename_len TSRMLS_CC);
+ fragment++;
+- if (mode[0] != 'r') {
+- return NULL;
+- }
+
+ za = zip_open(file_dirname, ZIP_CREATE, &err);
+ if (za) {