[Secure-testing-commits] r5679 - in data/patches/MOPB: . php4-etch php4-sarge
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Thu Apr 19 20:25:57 UTC 2007
Author: jmm-guest
Date: 2007-04-19 20:25:56 +0000 (Thu, 19 Apr 2007)
New Revision: 5679
Added:
data/patches/MOPB/php4-etch/
data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch
data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch
data/patches/MOPB/php4-sarge/
data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch
Log:
Sarge and Etch patches for php4
Added: data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch
===================================================================
--- data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch 2007-04-19 07:10:05 UTC (rev 5678)
+++ data/patches/MOPB/php4-etch/071-CVE-2007-1380-MOPB-10.patch 2007-04-19 20:25:56 UTC (rev 5679)
@@ -0,0 +1,14 @@
+--- php4-4.4.4/ext/session/session.c 2006/12/26 16:53:47 1.417.2.8.2.22
++++ php4-4.4.4/ext/session/session.c 2006/12/31 22:25:55 1.417.2.8.2.23
+@@ -471,6 +471,11 @@
+ for (p = val; p < endptr; ) {
+ zval **tmp;
+ namelen = *p & (~PS_BIN_UNDEF);
++
++ if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
++ return FAILURE;
++ }
++
+ has_value = *p & PS_BIN_UNDEF ? 0 : 1;
+
+ name = estrndup(p + 1, namelen);
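Review bot: in the added check, `(p + namelen) >= endptr` computes the pointer before testing it; comparing lengths instead, for example `namelen >= endptr - p`, expresses the same bound without forming an address that may lie past the buffer. The `namelen < 0` arm depends on the types of `p` and `namelen`, which the hunk does not show, so a short comment saying which case it guards would help the next reader. The `return FAILURE` sits inside the `for` loop, so it is worth stating in the patch description that entries decoded in earlier iterations are left in place when a later one is rejected.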
Added: data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch
===================================================================
--- data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch 2007-04-19 07:10:05 UTC (rev 5678)
+++ data/patches/MOPB/php4-etch/072-CVE-2007-1718-MOPB-34.patch 2007-04-19 20:25:56 UTC (rev 5679)
@@ -0,0 +1,26 @@
+--- php4-4.4.4.orig/ext/mbstring/mbstring.c 2006-04-03 15:04:13.000000000 +0200
++++ php4-4.4.4/ext/mbstring/mbstring.c 2007-04-19 22:16:46.000000000 +0200
+@@ -3499,8 +3499,8 @@
+ #if HAVE_SENDMAIL
+ #define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos) \
+ if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \
+- pos += 3; \
+- while (str[pos] == ' ' || str[pos] == '\t') { \
++ pos += 2; \
++ while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { \
+ pos++; \
+ } \
+ continue; \
+--- php4-4.4.4.orig/ext/standard/mail.c 2006-01-01 14:46:57.000000000 +0100
++++ php4-4.4.4/ext/standard/mail.c 2007-04-19 22:15:48.000000000 +0200
+@@ -48,8 +48,8 @@
+
+ #define SKIP_LONG_HEADER_SEP(str, pos) \
+ if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \
+- pos += 3; \
+- while (str[pos] == ' ' || str[pos] == '\t') { \
++ pos += 2; \
++ while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { \
+ pos++; \
+ } \
+ continue; \
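Review bot: the new `pos += 2` with `while (str[pos + 1] == ' ' || str[pos + 1] == '\t')` in both `SKIP_LONG_HEADER_SEP_MBSTRING` and `SKIP_LONG_HEADER_SEP` leaves `pos` on the last folding whitespace character rather than one past it, which is only right if the enclosing loop advances `pos` again after `continue`; that loop is not in the hunk, so please add a comment on the macro stating the invariant. Neither macro checks `pos + 1` or `pos + 2` against the string length, so both rely on the header being NUL-terminated, which also deserves a note. The identical macro body is now maintained in `mbstring.c` and `mail.c`; a shared definition would keep the two from drifting apart again.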
Added: data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch
===================================================================
--- data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch 2007-04-19 07:10:05 UTC (rev 5678)
+++ data/patches/MOPB/php4-sarge/CVE-2007-1380-MOPB-10.patch 2007-04-19 20:25:56 UTC (rev 5679)
@@ -0,0 +1,14 @@
+--- php4-4.3.10/ext/session/session.c 2006/12/26 16:53:47 1.417.2.8.2.22
++++ php4-4.3.10/ext/session/session.c 2006/12/31 22:25:55 1.417.2.8.2.23
+@@ -471,6 +471,11 @@
+ for (p = val; p < endptr; ) {
+ zval **tmp;
+ namelen = *p & (~PS_BIN_UNDEF);
++
++ if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
++ return FAILURE;
++ }
++
+ has_value = *p & PS_BIN_UNDEF ? 0 : 1;
+
+ name = estrndup(p + 1, namelen);
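Review bot: apart from the `php4-4.3.10` path, this file is line-for-line the same as the Etch patch, including the `@@ -471,6 +471,11 @@` offsets and the upstream revision ids in the header, so please confirm it applies to the 4.3.10 `session.c` without fuzz and that `PS_BIN_MAX` is defined in that version. The file name also lacks the numeric prefix used for the Etch files (`071-`, `072-`); if the Sarge series is applied in name order, give it one.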