[Secure-testing-commits] r5683 - in data: . CVE
patches/MOPB/php4-etch patches/MOPB/php4-sarge
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Thu Apr 19 20:58:00 UTC 2007
Author: jmm-guest
Date: 2007-04-19 20:57:57 +0000 (Thu, 19 Apr 2007)
New Revision: 5683
Added:
data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch
data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch
Modified:
data/CVE/list
data/mopb.txt
Log:
more php4 updates
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-04-19 20:50:22 UTC (rev 5682)
+++ data/CVE/list 2007-04-19 20:57:57 UTC (rev 5683)
@@ -847,6 +847,7 @@
NOT-FOR-US: mcweject
CVE-2007-1718 (CRLF injection vulnerability in the mail function in PHP 4.0.0 through ...)
- php4 <unfixed> (medium)
+ [sarge] - php4 <not-affected> (Vulnerable code not present)
- php5 <unfixed> (medium)
CVE-2007-1717 (The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 ...)
- php4 <unfixed> (unimportant)
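Review bot: The added line `[sarge] - php4 <not-affected> (Vulnerable code not present)` under CVE-2007-1718 does not say which code is absent, while the CVE text directly above gives the affected range as starting at PHP 4.0.0 and the sarge patch added in this same revision targets php4-4.3.10. Suggest naming the missing function or code path in the parenthetical so the exemption can be rechecked against the sarge source later.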
Modified: data/mopb.txt
===================================================================
--- data/mopb.txt 2007-04-19 20:50:22 UTC (rev 5682)
+++ data/mopb.txt 2007-04-19 20:57:57 UTC (rev 5683)
@@ -16,12 +16,8 @@
26 PHP mb_parse_str() register_globals Activation Vulnerability
#TODO(medium) -> functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process)
-23 PHP 5 Rejected Session Identifier Double Free Vulnerability
-#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution)
-
22 PHP session_regenerate_id() Double Free Vulnerability
#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution)
-[MOPB-22-php4.diff]
[MOPB-22-php5.diff]
10 PHP php_binary Session Deserialization Information Leak Vulnerability
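Review bot: Under entry 22 the `[MOPB-22-php4.diff]` reference is dropped, but the `#TODO(medium)` line directly above it still reads `php4 & php5` with no sign that the php4 side is done. If the php4 fix is now applied (the checklist later in this file changes to `22 a a`), record that in the entry or point at the applied patch; as it stands the php4 patch reference is lost while the TODO stays open.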
@@ -59,6 +55,9 @@
#TODO(medium) -> needs to be fixed, CVE-2007-1824 (php5, remote code execution, though haven't reproduced it)
[MOPB-42-php5.diff]
+23 PHP 5 Rejected Session Identifier Double Free Vulnerability
+#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution)
+
19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability
#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian)
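Review bot: The re-added entry 23 has no patch reference line, unlike the entry just above it, which carries `[MOPB-42-php5.diff]`. If no php5 diff exists yet, a short marker saying so would keep the moved entry from looking complete. The log message `more php4 updates` also does not mention that a php5-only item was relocated.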
@@ -176,16 +175,15 @@
# php4 checklist
Sarge Etch
-41
-35
-32
+41 ? ?
+35 ? ?
34 / a
-30
+32 a a
+30
26
-23
-22
+22 a a
10 a a
-04
+04 a a
? = more info
x = fix needed
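Review bot: Rows `41 ? ?` and `35 ? ?` are set to "more info" for both releases without saying what information is missing, and rows 30 and 26 still carry no status at all. Suggest a one-line comment per `?` row naming the open question, and an explicit marker for 30 and 26 so that a blank cell is not read as not-affected.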
Added: data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch
===================================================================
--- data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch 2007-04-19 20:50:22 UTC (rev 5682)
+++ data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch 2007-04-19 20:57:57 UTC (rev 5683)
@@ -0,0 +1,24 @@
+--- php4/ext/standard/var_unserializer.c 2006/08/09 23:29:17 1.18.4.24.2.7
++++ php4-4.4.4/ext/standard/var_unserializer.c 2006/10/27 08:35:25 1.18.4.24.2.8
+@@ -958,6 +958,10 @@
+
+ if (*rval == *rval_ref) return 0;
+
++ if ((*rval_ref)->refcount > 65500) {
++ return 0;
++ }
++
+ if (*rval != NULL) {
+ zval_ptr_dtor(rval);
+ }
+@@ -999,6 +1003,10 @@
+
+ id = parse_iv(start + 2) - 1;
+ if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
++ return 0;
++ }
++
++ if ((*rval_ref)->refcount > 65500) {
+ return 0;
+ }
+
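Review bot: The limit in `if ((*rval_ref)->refcount > 65500) {` is hard-coded in both inner hunks (at 958 and 999) with no comment or named constant explaining how 65500 relates to the width of the refcount field, and the patch file starts straight at the `--- php4/ext/standard/var_unserializer.c` line with no description header. Suggest adding a short header that names CVE-2007-1286, the upstream revision it was taken from (1.18.4.24.2.8) and the reasoning behind the threshold, so the two checks can be audited and kept in step when the patch is rebased.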
Added: data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch
===================================================================
--- data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch 2007-04-19 20:50:22 UTC (rev 5682)
+++ data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch 2007-04-19 20:57:57 UTC (rev 5683)
@@ -0,0 +1,24 @@
+--- php4/ext/standard/var_unserializer.c 2006/08/09 23:29:17 1.18.4.24.2.7
++++ php4-4.3.10/ext/standard/var_unserializer.c 2006/10/27 08:35:25 1.18.4.24.2.8
+@@ -958,6 +958,10 @@
+
+ if (*rval == *rval_ref) return 0;
+
++ if ((*rval_ref)->refcount > 65500) {
++ return 0;
++ }
++
+ if (*rval != NULL) {
+ zval_ptr_dtor(rval);
+ }
+@@ -999,6 +1003,10 @@
+
+ id = parse_iv(start + 2) - 1;
+ if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
++ return 0;
++ }
++
++ if ((*rval_ref)->refcount > 65500) {
+ return 0;
+ }
+
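Review bot: This sarge patch repeats the etch hunks verbatim, including the offsets `@@ -958,6 +958,10 @@` and `@@ -999,6 +1003,10 @@`, while targeting php4-4.3.10 rather than php4-4.4.4. Please confirm that it applies to the 4.3.10 var_unserializer.c without offset or fuzz and that both refcount checks land where intended, and regenerate the hunk headers against the sarge tree if not. The file name also lacks the `074-` prefix the etch copy has, which is worth a note if ordering matters in the sarge patch series.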