authorSean Finney <seanius@debian.org>2008-09-14 14:25:11 +0200
committerSean Finney <seanius@debian.org>2009-04-10 13:24:05 +0200
commitd8390d9e7a3c42e80faeb2a557f18c976b2565ee (patch)
tree625223a5bc3451abaa3f856ef3ccdf432eea4018
parent7c779c2d4d8b9e347bf65b316008c47ad6d71705 (diff)
Imported Debian patch 5.2.6-4debian/5.2.6-4
-rw-r--r--debian/changelog21
-rw-r--r--debian/patches/118-simplexml-segv.patch51
-rw-r--r--debian/patches/CVE-2008-3658.patch27
-rw-r--r--debian/patches/CVE-2008-3659.patch14
-rw-r--r--debian/patches/CVE-2008-3660.patch75
-rw-r--r--debian/patches/series4
-rw-r--r--debian/patches/snmp_leaks.patch79
-rw-r--r--debian/php5-dev.lintian-overrides2
8 files changed, 220 insertions, 53 deletions
diff --git a/debian/changelog b/debian/changelog
index 624cf0106..99d9e13c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+php5 (5.2.6-4) unstable; urgency=high
+
+ [ Sean Finney ]
+ * Take three unreleased fixes from upstream CVS:
+ - CVE-2008-3658: Buffer overflow in the imageloadfont function.
+ Patch: CVE-2008-3658.patch (closes: #499989)
+ - CVE-2008-3659: Buffer overflow in the memnstr function.
+ Patch: CVE-2008-3659.patch (closes: #499988)
+ - CVE-2008-3660: Remote DoS in fastcgi module
+ Patch: CVE-2008-3660.patch (closes: #499987)
+
+ [ Raphael Geissert ]
+ * snmp_leaks.patch: fixes memory leaks in the snmp extension (Closes: #423296)
+ - Thanks to Rodrigo Campos <rodrigocc@gmail.com> for the follow up
+ - Thanks to Federico Cuello for the original patch
+ * php5-dev.lintian-override: fix it so it actually works
+
+ -- Sean Finney <seanius@debian.org> Sun, 14 Sep 2008 14:25:11 +0200
+
php5 (5.2.6-3) unstable; urgency=high
[ Thijs Kinkhorst ]
@@ -131,7 +150,7 @@ php5 (5.2.6-1) unstable; urgency=medium
- adds notes (Debian-specific) of which security features applications
should not rely on
- add more information of why some variables were enabled
- - reorder the description of chagnes to suit the location in the config file
+ - reorder the description of changes to suit the location in the config file
- add notes of deprecated features in PHP6
- add more (suggested) changes to the session module to make a more secure
use and storage of session IDs.
diff --git a/debian/patches/118-simplexml-segv.patch b/debian/patches/118-simplexml-segv.patch
deleted file mode 100644
index 939d87074..000000000
--- a/debian/patches/118-simplexml-segv.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Index: ext/simplexml/simplexml.c
-===================================================================
-RCS file: /repository/php-src/ext/simplexml/simplexml.c,v
-retrieving revision 1.151.2.22.2.21
-diff -u -p -d -r1.151.2.22.2.21 simplexml.c
---- old/ext/simplexml/simplexml.c 12 Feb 2007 21:06:29 -0000 1.151.2.22.2.21
-+++ new/ext/simplexml/simplexml.c 20 Feb 2007 12:47:46 -0000
-@@ -56,6 +56,7 @@ static php_sxe_object* php_sxe_object_ne
- static zend_object_value php_sxe_register_object(php_sxe_object * TSRMLS_DC);
- static xmlNodePtr php_sxe_reset_iterator(php_sxe_object *sxe, int use_data TSRMLS_DC);
- static xmlNodePtr php_sxe_iterator_fetch(php_sxe_object *sxe, xmlNodePtr node, int use_data TSRMLS_DC);
-+static zval *sxe_get_value(zval *z TSRMLS_DC);
-
- /* {{{ _node_as_zval()
- */
-@@ -427,6 +428,7 @@ static void sxe_prop_dim_write(zval *obj
- int is_attr = 0;
- int nodendx = 0;
- int test = 0;
-+ int new_value = 0;
- long cnt;
- zval tmp_zv, trim_zv, value_copy;
-
-@@ -504,8 +506,17 @@ static void sxe_prop_dim_write(zval *obj
- break;
- case IS_STRING:
- break;
-+ case IS_OBJECT:
-+ if (Z_OBJCE_P(value) == sxe_class_entry) {
-+ value = sxe_get_value(value TSRMLS_CC);
-+ INIT_PZVAL(value);
-+ new_value = 1;
-+ break;
-+ }
-+ /* break is missing intentionally */
- default:
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "It is not yet possible to assign complex types to %s", attribs ? "attributes" : "properties");
-+ return;
- }
- }
-
-@@ -594,6 +605,9 @@ next_iter:
- if (value && value == &value_copy) {
- zval_dtor(value);
- }
-+ if (new_value) {
-+ zval_ptr_dtor(&value);
-+ }
- }
- /* }}} */
-
diff --git a/debian/patches/CVE-2008-3658.patch b/debian/patches/CVE-2008-3658.patch
new file mode 100644
index 000000000..23f1fa711
--- /dev/null
+++ b/debian/patches/CVE-2008-3658.patch
@@ -0,0 +1,27 @@
+CVE-2008-3658
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.35&r2=1.312.2.20.2.36&view=patch
+--- old/ext/gd/gd.c 2008/05/04 21:19:17 1.312.2.20.2.35
++++ new/ext/gd/gd.c 2008/07/17 22:58:23 1.312.2.20.2.36
+@@ -1636,6 +1636,22 @@
+ font->nchars = FLIPWORD(font->nchars);
+ body_size = font->w * font->h * font->nchars;
+ }
++
++ if (overflow2(font->nchars, font->h)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++ efree(font);
++ php_stream_close(stream);
++ RETURN_FALSE;
++ }
++ if (overflow2(font->nchars * font->h, font->w )) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
++ efree(font);
++ php_stream_close(stream);
++ RETURN_FALSE;
++ }
++
++
++
+
+ if (body_size != body_size_check) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
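Review bot: The two `overflow2()` checks added after the byte-swap block repeat the same five-line warn/efree/close/RETURN_FALSE cleanup; a single `if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w)) {` with one cleanup body says the same thing with half the lines. More importantly, the product `body_size = font->w * font->h * font->nchars;` on the preceding context line (and presumably its non-swapped counterpart outside the hunk) is evaluated before either guard runs, so if those fields are signed the multiplication can still overflow before the header is rejected — the check only prevents the bad value from being used afterwards; placing the guards ahead of that assignment would close the gap. The three blank lines added at the end of the insertion are noise and could be dropped. The enclosing function continues on both sides of the hunk.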
diff --git a/debian/patches/CVE-2008-3659.patch b/debian/patches/CVE-2008-3659.patch
new file mode 100644
index 000000000..47d61284a
--- /dev/null
+++ b/debian/patches/CVE-2008-3659.patch
@@ -0,0 +1,14 @@
+fix for CVE-2008-3659
+http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+--- old/Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11
++++ new/Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12
+@@ -220,6 +220,9 @@
+ char *p = haystack;
+ char ne = needle[needle_len-1];
+
++ if(needle_len > end-haystack) {
++ return NULL;
++ }
+ end -= needle_len;
+
+ while (p <= end) {
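Review bot: The new `if(needle_len > end-haystack) { return NULL; }` stops the search when the needle is longer than the haystack, but it sits after the context line `char ne = needle[needle_len-1];`, which already indexes before the start of `needle` when `needle_len` is 0; the guard does not cover that case, so unless every caller rejects an empty needle (not visible here — verify), a `needle_len == 0` check belongs in the same early return. Moving the guard above the `ne` assignment would also make the ordering obvious to the next reader. Minor style: `if (` with a space, and parenthesise the pointer difference, `if (needle_len > (end - haystack))`. The function begins and ends outside the hunk.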
diff --git a/debian/patches/CVE-2008-3660.patch b/debian/patches/CVE-2008-3660.patch
new file mode 100644
index 000000000..7fb1bced5
--- /dev/null
+++ b/debian/patches/CVE-2008-3660.patch
@@ -0,0 +1,75 @@
+--- php5-5.2.6.orig/sapi/cgi/cgi_main.c
++++ php5-5.2.6/sapi/cgi/cgi_main.c
+@@ -765,6 +765,39 @@ static void php_cgi_usage(char *argv0)
+ }
+ /* }}} */
+
++/* {{{ is_valid_path
++ *
++ * some server configurations allow '..' to slip through in the
++ * translated path. We'll just refuse to handle such a path.
++ */
++static int is_valid_path(const char *path)
++{
++ const char *p;
++
++ if (!path) {
++ return 0;
++ }
++ p = strstr(path, "..");
++ if (p) {
++ if ((p == path || IS_SLASH(*(p-1))) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ while (1) {
++ p = strstr(p+1, "..");
++ if (!p) {
++ break;
++ }
++ if (IS_SLASH(*(p-1)) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ }
++ }
++ return 1;
++}
++/* }}} */
++
+ /* {{{ init_request_info
+
+ initializes request_info structure
+@@ -1061,9 +1094,7 @@ static void init_request_info(TSRMLS_D)
+ if (pt) {
+ efree(pt);
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ } else {
+@@ -1094,9 +1125,7 @@ static void init_request_info(TSRMLS_D)
+ } else {
+ SG(request_info).request_uri = env_script_name;
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ free(real_path);
+@@ -1114,9 +1143,7 @@ static void init_request_info(TSRMLS_D)
+ script_path_translated = env_path_translated;
+ }
+ #endif
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ #if ENABLE_PATHINFO_CHECK
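Review bot: In `is_valid_path` the first `strstr` hit is tested by a special-cased condition and every later hit goes through a near-duplicate condition inside `while (1)`; the only difference is the `p == path` term, which is trivially false once `p` has advanced, so a single `for (p = strstr(path, ".."); p; p = strstr(p + 1, ".."))` loop with one condition covers both and removes the duplicated comparison. The header comment could also state the contract rather than the motivation, e.g. `Returns 1 unless ".." appears as a complete path component (leading, trailing, or slash-delimited); NULL is treated as invalid.` The three call sites in init_request_info that replace the old inline `strstr` test are unchanged by this restructuring.
```c
static int is_valid_path(const char *path)
{
	const char *p;

	if (!path) {
		return 0;
	}
	/* Reject ".." only when it forms a whole path component. */
	for (p = strstr(path, ".."); p; p = strstr(p + 1, "..")) {
		if ((p == path || IS_SLASH(*(p - 1))) &&
		    (*(p + 2) == 0 || IS_SLASH(*(p + 2)))) {
			return 0;
		}
	}
	return 1;
}
```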
diff --git a/debian/patches/series b/debian/patches/series
index 8e52aa432..3878d45eb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -35,3 +35,7 @@ CVE-2008-2829.patch
libedit_is_editline.patch
bad_whatis_entries.patch
deprecated_freetds_check.patch
+snmp_leaks.patch
+CVE-2008-3658.patch
+CVE-2008-3659.patch
+CVE-2008-3660.patch
diff --git a/debian/patches/snmp_leaks.patch b/debian/patches/snmp_leaks.patch
new file mode 100644
index 000000000..ba053fe27
--- /dev/null
+++ b/debian/patches/snmp_leaks.patch
@@ -0,0 +1,79 @@
+Index: php5-5.2.6/ext/snmp/snmp.c
+===================================================================
+--- php5-5.2.6.orig/ext/snmp/snmp.c
++++ php5-5.2.6/ext/snmp/snmp.c
+@@ -20,7 +20,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: snmp.c,v 1.106.2.2.2.6 2007/12/31 07:20:11 sebastian Exp $ */
++/* $Id: snmp.c,v 1.106.2.2.2.7 2008/09/06 08:18:38 indeyets Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -417,13 +417,13 @@ static void php_snmp_internal(INTERNAL_F
+ while (keepwalking) {
+ keepwalking = 0;
+ if ((st == SNMP_CMD_GET) || (st == SNMP_CMD_GETNEXT)) {
+- pdu = snmp_pdu_create((st == SNMP_CMD_GET) ? SNMP_MSG_GET : SNMP_MSG_GETNEXT);
+ name_length = MAX_OID_LEN;
+ if (!snmp_parse_oid(objid, name, &name_length)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid object identifier: %s", objid);
+ snmp_close(ss);
+ RETURN_FALSE;
+ }
++ pdu = snmp_pdu_create((st == SNMP_CMD_GET) ? SNMP_MSG_GET : SNMP_MSG_GETNEXT);
+ snmp_add_null_var(pdu, name, name_length);
+ } else if (st == SNMP_CMD_SET) {
+ pdu = snmp_pdu_create(SNMP_MSG_SET);
+@@ -434,6 +434,7 @@ static void php_snmp_internal(INTERNAL_F
+ sprint_objid(buf, name, name_length);
+ #endif
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not add variable: %s %c %s", buf, type, value);
++ snmp_free_pdu(pdu);
+ snmp_close(ss);
+ RETURN_FALSE;
+ }
+@@ -467,11 +468,13 @@ retry:
+ *return_value = *snmpval;
+ zval_copy_ctor(return_value);
+ zval_ptr_dtor(&snmpval);
++ snmp_free_pdu(response);
+ snmp_close(ss);
+ return;
+ } else if (st == SNMP_CMD_GETNEXT) {
+ *return_value = *snmpval;
+ zval_copy_ctor(return_value);
++ snmp_free_pdu(response);
+ snmp_close(ss);
+ return;
+ } else if (st == SNMP_CMD_WALK) {
+@@ -510,23 +513,28 @@ retry:
+ }
+ if (st == SNMP_CMD_GET) {
+ if ((pdu = snmp_fix_pdu(response, SNMP_MSG_GET)) != NULL) {
++ snmp_free_pdu(response);
+ goto retry;
+ }
+ } else if (st == SNMP_CMD_SET) {
+ if ((pdu = snmp_fix_pdu(response, SNMP_MSG_SET)) != NULL) {
++ snmp_free_pdu(response);
+ goto retry;
+ }
+ } else if (st == SNMP_CMD_GETNEXT) {
+ if ((pdu = snmp_fix_pdu(response, SNMP_MSG_GETNEXT)) != NULL) {
++ snmp_free_pdu(response);
+ goto retry;
+ }
+ } else if (st >= SNMP_CMD_WALK) { /* Here we do walks. */
+ if ((pdu = snmp_fix_pdu(response, ((session->version == SNMP_VERSION_1)
+ ? SNMP_MSG_GETNEXT
+ : SNMP_MSG_GETBULK))) != NULL) {
++ snmp_free_pdu(response);
+ goto retry;
+ }
+ }
++ snmp_free_pdu(response);
+ snmp_close(ss);
+ if (st == SNMP_CMD_WALK || st == SNMP_CMD_REALWALK) {
+ zval_dtor(return_value);
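Review bot: Each of the four `goto retry` sites now calls `snmp_free_pdu(response)` after `snmp_fix_pdu()` has produced the replacement request, and the unconditional `snmp_free_pdu(response)` before `snmp_close(ss)` covers the fall-through; that is only correct if `snmp_fix_pdu()` returns a separate PDU rather than reusing `response`, which the hunk does not say anywhere. A one-line comment at the first site, `/* snmp_fix_pdu() builds a new PDU; response is no longer needed */`, would make the ownership explicit for the next maintainer. The relocation of `snmp_pdu_create()` to after the `snmp_parse_oid()` check is what closes the leak on the invalid-OID path and deserves a similar note. The walk branch at `else if (st == SNMP_CMD_WALK)` and the rest of php_snmp_internal lie outside the hunk, so whether `response` is released on those paths cannot be confirmed here.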
diff --git a/debian/php5-dev.lintian-overrides b/debian/php5-dev.lintian-overrides
index 5890e1a11..b81278e6a 100644
--- a/debian/php5-dev.lintian-overrides
+++ b/debian/php5-dev.lintian-overrides
@@ -1 +1 @@
-W: php5-dev: script-not-executable ./usr/lib/php5/build/run-tests.php
+php5-dev: script-not-executable ./usr/lib/php5/build/run-tests.php