[oe-commits] Holger Hans Peter Freyther : php: 5.2.13 and 5.3.2 both have flaws in the handling of xmlrpc

git version control git at git.openembedded.org
Mon Mar 22 16:06:48 UTC 2010


Module: openembedded.git
Branch: shr/unstable
Commit: 30c7c2f4a647216d58a6e4599d73356e0249a2b5
URL:    http://gitweb.openembedded.net/?p=openembedded.git&a=commit;h=30c7c2f4a647216d58a6e4599d73356e0249a2b5

Author: Holger Hans Peter Freyther <zecke at selfish.org>
Date:   Sun Mar 21 11:00:48 2010 +0800

php: 5.2.13 and 5.3.2 both have flaws in the handling of xmlrpc

This addresses CVE-2010-0397 by adding CVE-2010-0397.patch.

---

 recipes/php/php-5.2.13/CVE-2010-0397.patch |   58 ++++++++++++++++++++++++++++
 recipes/php/php-5.3.2/CVE-2010-0397.patch  |   57 +++++++++++++++++++++++++++
 recipes/php/php-native_5.3.2.bb            |    4 +-
 recipes/php/php_5.2.13.bb                  |    3 +-
 4 files changed, 120 insertions(+), 2 deletions(-)

diff --git a/recipes/php/php-5.2.13/CVE-2010-0397.patch b/recipes/php/php-5.2.13/CVE-2010-0397.patch
new file mode 100644
index 0000000..8f70d40
--- /dev/null
+++ b/recipes/php/php-5.2.13/CVE-2010-0397.patch
@@ -0,0 +1,58 @@
+Description: Fix a null pointer dereference when processing invalid
+ XML-RPC requests.
+Origin: vendor
+Forwarded: http://bugs.php.net/51288
+Last-Update: 2010-03-12
+
+Index: php/ext/xmlrpc/tests/bug51288.phpt
+===================================================================
+--- /dev/null
++++ php/ext/xmlrpc/tests/bug51288.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
++--FILE--
++<?php
++$method = NULL;
++$req = '<?xml version="1.0"?><methodCall></methodCall>';
++var_dump(xmlrpc_decode_request($req, $method));
++var_dump($method);
++echo "Done\n";
++?>
++--EXPECT--
++NULL
++NULL
++Done
+Index: php/ext/xmlrpc/xmlrpc-epi-php.c
+===================================================================
+--- php.orig/ext/xmlrpc/xmlrpc-epi-php.c
++++ php/ext/xmlrpc/xmlrpc-epi-php.c
+@@ -701,6 +701,7 @@ zval* decode_request_worker (zval* xml_i
+ 	zval* retval = NULL;
+ 	XMLRPC_REQUEST response;
+ 	STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
++	const char *method_name;
+ 	opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(Z_STRVAL_P(encoding_in)) : ENCODING_DEFAULT;
+ 
+ 	/* generate XMLRPC_REQUEST from raw xml */
+@@ -711,10 +712,16 @@ zval* decode_request_worker (zval* xml_i
+ 
+ 		if(XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
+ 			if(method_name_out) {
+-				zval_dtor(method_name_out);
+-				Z_TYPE_P(method_name_out) = IS_STRING;
+-				Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
+-				Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
++				method_name = XMLRPC_RequestGetMethodName(response);
++				if (method_name) {
++					zval_dtor(method_name_out);
++					Z_TYPE_P(method_name_out) = IS_STRING;
++					Z_STRVAL_P(method_name_out) = estrdup(method_name);
++					Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
++				} else if (retval) {
++					zval_ptr_dtor(&retval);
++					retval = NULL;
++				}
+ 			}
+ 		}
+ 
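Review bot: The `else if (retval)` branch discards an already-decoded value without saying why, so a reader cannot tell that a `<methodCall>` with no `<methodName>` is deliberately treated as an invalid request. A one-line comment above the branch would cover it, for example `/* no <methodName>: drop the decoded value so the caller gets NULL */`. The added bug51288.phpt expects NULL for both the return value and `$method`, which matches this branch. decode_request_worker starts and ends outside the hunk, so where retval is assigned is not visible here.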
diff --git a/recipes/php/php-5.3.2/CVE-2010-0397.patch b/recipes/php/php-5.3.2/CVE-2010-0397.patch
new file mode 100644
index 0000000..0d9c23d
--- /dev/null
+++ b/recipes/php/php-5.3.2/CVE-2010-0397.patch
@@ -0,0 +1,57 @@
+Description: Fix a null pointer dereference when processing invalid
+ XML-RPC requests.
+Origin: vendor
+Forwarded: http://bugs.php.net/51288
+Last-Update: 2010-03-12
+
+Index: php/ext/xmlrpc/tests/bug51288.phpt
+===================================================================
+--- /dev/null
++++ php/ext/xmlrpc/tests/bug51288.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
++--FILE--
++<?php
++$method = NULL;
++$req = '<?xml version="1.0"?><methodCall></methodCall>';
++var_dump(xmlrpc_decode_request($req, $method));
++var_dump($method);
++echo "Done\n";
++?>
++--EXPECT--
++NULL
++NULL
++Done
+Index: php/ext/xmlrpc/xmlrpc-epi-php.c
+===================================================================
+--- php.orig/ext/xmlrpc/xmlrpc-epi-php.c
++++ php/ext/xmlrpc/xmlrpc-epi-php.c
+@@ -778,6 +778,7 @@
+ 	zval* retval = NULL;
+ 	XMLRPC_REQUEST response;
+ 	STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
++	const char *method_name;
+ 	opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT;
+ 
+ 	/* generate XMLRPC_REQUEST from raw xml */
+@@ -788,10 +789,15 @@
+ 
+ 		if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
+ 			if (method_name_out) {
+-				zval_dtor(method_name_out);
+-				Z_TYPE_P(method_name_out) = IS_STRING;
+-				Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
+-				Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
++				method_name = XMLRPC_RequestGetMethodName(response);
++				if (method_name) {
++					zval_dtor(method_name_out);
++					Z_TYPE_P(method_name_out) = IS_STRING;
++					Z_STRVAL_P(method_name_out) = estrdup(method_name);
++					Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
++				} else {
++					retval = NULL;
++				}
+ 			}
+ 		}
+ 
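Review bot: The `else` branch in the 5.3.2 copy sets `retval = NULL` without releasing it, while the 5.2.13 copy added in this same commit uses `} else if (retval) { zval_ptr_dtor(&retval); retval = NULL; }`. The assignment to retval sits between the two inner hunks and is not shown, but if it has already been filled by the decoding step, a request without `<methodName>` drops the only reference to that zval and it is leaked instead of freed. Using the same branch as the 5.2.13 patch would make the two fixes consistent. decode_request_worker starts and ends outside the hunk.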
diff --git a/recipes/php/php-native_5.3.2.bb b/recipes/php/php-native_5.3.2.bb
index 10c308a..9920088 100644
--- a/recipes/php/php-native_5.3.2.bb
+++ b/recipes/php/php-native_5.3.2.bb
@@ -1,6 +1,8 @@
 require php-native.inc
 
-PR = "r0"
+PR = "r1"
+
+SRC_URI += "file://CVE-2010-0397.patch;patch=1"
 
 SRC_URI[src.md5sum] = "46f500816125202c48a458d0133254a4"
 SRC_URI[src.sha256sum] = "9a380a574adcb3a9abe3226e7c3a9bae619e8a1b90842ec2a7edf0ad92afdeda"
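Review bot: The 5.3.2 patch is wired only into php-native, the build-host recipe, and no target recipe for 5.3.2 is touched in this commit. If a target php 5.3.2 recipe exists in the tree, it would still build without the fix and would need the same `SRC_URI += "file://CVE-2010-0397.patch;patch=1"` line plus a PR bump. Separately, the patch lives under `recipes/php/php-5.3.2/` while this recipe is named php-native, so whether the `file://` lookup finds it depends on the search path set in php-native.inc, which is not shown here. It is worth confirming with a build that the patch is actually applied.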
diff --git a/recipes/php/php_5.2.13.bb b/recipes/php/php_5.2.13.bb
index 5f446d4..dad6bcd 100644
--- a/recipes/php/php_5.2.13.bb
+++ b/recipes/php/php_5.2.13.bb
@@ -3,10 +3,11 @@ require php.inc
 DEPENDS = "zlib libxml2 virtual/libiconv php-native lemon-native mysql5 \
            libc-client openssl"
 
-PR = "r5"
+PR = "r6"
 
 SRC_URI += "file://pear-makefile.patch;patch=1 \
             file://imap-fix-autofoo.patch;patch=1 \
+            file://CVE-2010-0397.patch;patch=1 \
             "
 SRC_URI[src.md5sum] = "eb4d0766dc4fb9667f05a68b6041e7d1"
 SRC_URI[src.sha256sum] = "2b50a2535e3bb9a98cd4d1633f9452d877276c40b385915261f040d535c7eadb"




