Changed |
php.changes
Changed |
php.spec
Added |
CVE-2014-0207.patch
@@ -0,0 +1,32 @@
+From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 3 Jun 2014 11:05:00 +0200
+Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient
+ boundary check
+
+Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
+Only revelant part applied
+---
+ ext/fileinfo/libmagic/cdf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 4712e84..16649f1 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+ size_t ss = CDF_SHORT_SEC_SIZE(h);
+ size_t pos = CDF_SHORT_SEC_POS(h, id);
+ assert(ss == len);
+- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ SIZE_T_FORMAT "u\n",
+- pos, CDF_SEC_SIZE(h) * sst->sst_len));
++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ return -1;
+ }
+ (void)memcpy(((char *)buf) + offs,
+--
+1.9.3
+
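Review bot: The new bound `pos + len > CDF_SEC_SIZE(h) * sst->sst_len` in cdf_read_short_sector adds two size_t values before comparing, so a very large `pos` can wrap and pass the check, most plausibly on 32-bit builds. `pos` comes from `CDF_SHORT_SEC_POS(h, id)`, and `id` presumably originates in the parsed file. A wrap-free form computes `size_t lim = CDF_SEC_SIZE(h) * sst->sst_len;` once and tests `if (pos > lim || len > lim - pos)`. The `assert(ss == len)` on the context line above is compiled out under NDEBUG, so release builds should not rely on it to tie `len` to the short-sector size. The function body starts and ends outside this hunk, so the memcpy arguments could not be checked here.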
Added |
CVE-2014-3478.patch
@@ -0,0 +1,41 @@
+From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:02:36 +0200
+Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
+ truncated pascal string size
+
+Upstream
+https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+---
+ ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 21fea6b..01e4977 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ return 1;
+ }
+ case FILE_PSTRING: {
+- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++ size_t sz = file_pstring_length_size(m);
++ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ size_t len = file_pstring_get_length(m, ptr1);
+- if (len >= sizeof(p->s))
+- len = sizeof(p->s) - 1;
++ if (len >= sizeof(p->s)) {
++ /*
++ * The size of the pascal string length (sz)
++ * is 1, 2, or 4. We need at least 1 byte for NUL
++ * termination, but we've already truncated the
++ * string by p->s, so we need to deduct sz.
++ */
++ len = sizeof(p->s) - sz;
++ }
+ while (len--)
+ *ptr1++ = *ptr2++;
+ *ptr1 = '\0';
+--
+1.9.3
+
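Review bot: The clamp `len = sizeof(p->s) - sz;` in the FILE_PSTRING case is safe only because the source pointer `ptr2` starts `sz` bytes into `p->s`, and the added comment does not state that clearly ("truncated the string by p->s" is hard to parse). I would reword it along the lines of `/* data starts at p->s + sz, so at most sizeof(p->s) - sz bytes can be copied; index len then stays inside p->s for the NUL */`. The comment also asserts that `sz` is 1, 2 or 4, which depends on file_pstring_length_size, a function not visible here; if it can return anything else the subtraction needs its own guard. The case block continues past the end of the hunk.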
Added |
CVE-2014-3479.patch
@@ -0,0 +1,20 @@
+--- php-5.3.28/ext/fileinfo/libmagic/cdf.c.orig 2014-06-27 22:20:14.827472051 +0200
++++ php-5.3.28/ext/fileinfo/libmagic/cdf.c 2014-06-27 22:26:26.350829626 +0200
+@@ -277,13 +277,15 @@
+ {
+ const char *b = (const char *)sst->sst_tab;
+ const char *e = ((const char *)p) + tail;
++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ (void)&line;
+- if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ return 0;
+ DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
+ " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++ ss * sst->sst_len, ss, sst->sst_len));
+ errno = EFTYPE;
+ return -1;
+ }
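Review bot: The rewritten condition changes two things at once, the sector size used for the limit and the comparison from `<` to `<=`, and this patch file carries no description of either (it has no commit header, unlike the sibling patches). With `<=` the helper accepts an end pointer equal to the end of the stream, so `tail` has to be the exclusive end of the access, not the offset where a read starts. A comment above the `if` such as `/* tail is the end offset of the access; streams below h_min_size_standard_stream are bounded by the short sector size */` would make that contract visible to callers. The product `ss * sst->sst_len` is unchecked size_t arithmetic and deserves a guard if `sst_len` can be large. The function signature lies outside the hunk.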
Added |
CVE-2014-3480.patch
@@ -0,0 +1,40 @@
+From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:22:04 +0200
+Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient
+ boundary check
+
+Upstream:
+https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+---
+ ext/fileinfo/libmagic/cdf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index c9a5d50..ee467a6 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ size_t i, j;
+- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++ / sizeof(maxsector));
+
+ DPRINTF(("Chain:"));
+ for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+- if (sid > maxsector) {
+- DPRINTF(("Sector %d > %d\n", sid, maxsector));
++ if (sid >= maxsector) {
++ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+--
+1.9.3
+
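Review bot: In cdf_count_chain the new initializer divides by `sizeof(maxsector)`, naming the variable inside its own declaration; that is legal C but hides the intent, which appears to be converting the SAT byte length into a count of sector-id entries. `sizeof(cdf_secid_t)` says that directly: `cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size) / sizeof(cdf_secid_t));`. The cast back to `cdf_secid_t` narrows a size_t quotient, and the `%d` in the DPRINTF suggests the type is a signed int. A short comment that an oversized table gives a small or negative `maxsector`, so `sid >= maxsector` rejects the chain instead of accepting it, would help the next reader. The loop body between the two hunks is not visible here.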
Added |
CVE-2014-3487.patch
@@ -0,0 +1,34 @@
+From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:33:37 +0200
+Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info
+ insufficient boundary chec
+
+Upstream:
+https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
+
+Adapted for C standard.
+---
+ ext/fileinfo/libmagic/cdf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index ee467a6..429f3b9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ goto out;
+ for (i = 0; i < sh.sh_properties; i++) {
+- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++ size_t ofs, tail = (i << 1) + 1;
++ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++ __LINE__) == -1)
++ goto out;
++ ofs = CDF_GETUINT32(p, tail);
+ q = (const uint8_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
+--
+1.9.3
+
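Review bot: The added call checks the offset `tail * sizeof(uint32_t)`, which is where the four-byte read by `CDF_GETUINT32(p, tail)` begins, not where it ends. If cdf_check_stream_offset treats its offset argument as an inclusive end (the CVE-2014-3479 patch in this same request makes its comparison `<=`), a `tail` that lands exactly on the stream end would pass and the read could run up to four bytes past it. Passing the end of the access instead, `(tail + 1) * sizeof(uint32_t)`, closes that gap. The loop body continues outside the hunk, so the later use of `ofs` was not reviewed.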
Added |
CVE-2014-3981.patch
@@ -0,0 +1,26 @@
+From 91bcadd85e20e50d3f8c2e9721327681640e6f16 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Fri, 6 Jun 2014 14:16:04 +0200
+Subject: [PATCH] Fix bug #67390 insecure temporary file use in the configure
+ script
+
+---
+ acinclude.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 448659f..25f3655 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -1711,7 +1711,7 @@ int main(int argc, char *argv[])
+ {
+ FILE *fp;
+ long position;
+- char *filename = "/tmp/phpglibccheck";
++ char *filename = tmpnam(NULL);
+
+ fp = fopen(filename, "w");
+ if (fp == NULL) {
+--
+1.9.3
+
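Review bot: `tmpnam(NULL)` on the changed line only makes the name less predictable. The file is still created by the later `fopen(filename, "w")`, which follows symlinks and does not fail when the path already exists, so the gap between choosing the name and opening it remains. tmpnam can also return NULL, which this code would pass straight to fopen. Creating the file atomically avoids both: `char filename[] = "/tmp/phpglibccheckXXXXXX";`, then `int fd = mkstemp(filename);` and `fp = fd < 0 ? NULL : fdopen(fd, "w");`, with `<stdlib.h>` included if the test program does not already have it. The test program's main continues outside the hunk, so any later cleanup of the file must keep using `filename`.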