[oe-commits] Yue Tao : modphp: Security Advisory - php - CVE-2014-5120

git at git.openembedded.org git at git.openembedded.org
Thu Oct 30 08:04:18 UTC 2014


Module: meta-openembedded.git
Branch: master-next
Commit: 81aecee0eda7600e6a6ae3f8264b2a1bc7a57f04
URL:    http://git.openembedded.org/?p=meta-openembedded.git&a=commit;h=81aecee0eda7600e6a6ae3f8264b2a1bc7a57f04

Author: Yue Tao <Yue.Tao at windriver.com>
Date:   Thu Oct 23 16:29:13 2014 +0800

modphp: Security Advisory - php - CVE-2014-5120

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before
5.5.16 does not ensure that pathnames lack %00 sequences, which might
allow remote attackers to overwrite arbitrary files via crafted input to
an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif,
(4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120

Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>

---

 .../modphp/files/php-CVE-2014-5120.patch           | 35 ++++++++++++++++++++++
 meta-webserver/recipes-php/modphp/modphp5.inc      |  1 +
 2 files changed, 36 insertions(+)

diff --git a/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch b/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch
new file mode 100644
index 0000000..f2e23b3
--- /dev/null
+++ b/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch
@@ -0,0 +1,35 @@
+modphp: Security Advisory - php - CVE-2014-5120
+
+Upstream-Status: Backport
+
+Signed-off-by Yue Tao <yue.tao at windriver.com>
+
+From 706aefb78112a44d4932d4c9430c6a898696f51f Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas at php.net>
+Date: Mon, 18 Aug 2014 22:49:10 -0700
+Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
+ functions
+
+---
+ ext/gd/gd_ctx.c |    5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index bff691f..eafbab5 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ 				RETURN_FALSE;
+ 			}
+ 		} else if (Z_TYPE_P(to_zval) == IS_STRING) {
++			if (CHECK_ZVAL_NULL_PATH(to_zval)) {
++				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
++				RETURN_FALSE;
++			}
++
+ 			stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
+ 			if (stream == NULL) {
+ 				RETURN_FALSE;
+-- 
+1.7.9.5
+
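Review bot: The header of the embedded patch file has two inconsistencies that should be fixed. The tag line `Signed-off-by Yue Tao <yue.tao at windriver.com>` is missing the colon after `Signed-off-by`, so tooling that parses trailers will not recognise it. The embedded diffstat reads `2 files changed, 7 insertions(+)`, but it lists only ext/gd/gd_ctx.c with 5 insertions, and that is the only file diff present. If a second file from the upstream commit was dropped during the backport, say so next to `Upstream-Status: Backport` or regenerate the stat so the header matches the content.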
diff --git a/meta-webserver/recipes-php/modphp/modphp5.inc b/meta-webserver/recipes-php/modphp/modphp5.inc
index 0d7bb7a..6a2a61f 100644
--- a/meta-webserver/recipes-php/modphp/modphp5.inc
+++ b/meta-webserver/recipes-php/modphp/modphp5.inc
@@ -9,6 +9,7 @@ SRC_URI = "http://www.php.net/distributions/php-${PV}.tar.bz2 \
            file://pthread-check-threads-m4.patch \
            file://70_mod_php5.conf \
            file://0001-using-pkgconfig-to-check-libxml.patch \
+           file://php-CVE-2014-5120.patch \
 "
 
 S = "${WORKDIR}/php-${PV}"
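Review bot: The new `file://php-CVE-2014-5120.patch` entry is added to SRC_URI in the shared modphp5.inc, which fetches `php-${PV}.tar.bz2`, so the patch is applied to whatever PV the including recipe sets. The commit message states the issue is fixed in 5.4.32 and 5.5.16, so once a recipe moves to one of those releases the patch is no longer needed and may stop applying. Consider adding it in the version-specific recipe instead, or add a comment here naming the release at which it should be dropped.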


