[oe-commits] [meta-openembedded] 25/27: php: Security fix CVE-2015-7803

git at git.openembedded.org git at git.openembedded.org
Mon Feb 8 13:12:59 UTC 2016 

martin_jansa pushed a commit to branch jethro-next
in repository meta-openembedded.

commit b3f9892e059afe4d58ed53ab0fa8cbb310d26160
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Mon Feb 1 08:28:38 2016 -0800

    php: Security fix CVE-2015-7803
    
    CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset()
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../php/php-5.6.12/CVE-2015-7803.patch             | 85 ++++++++++++++++++++++
 meta-oe/recipes-devtools/php/php_5.6.12.bb         |  4 +-
 2 files changed, 88 insertions(+), 1 deletion(-)

diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch
new file mode 100644
index 0000000..223b995
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch
@@ -0,0 +1,85 @@
+From d698f0ae51f67c9cce870b09c59df3d6ba959244 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas at php.net>
+Date: Mon, 28 Sep 2015 15:51:59 -0700
+Subject: [PATCH] Fix bug #69720: Null pointer dereference in
+ phar_get_fp_offset()
+
+Upstream-Status: Backport
+
+https://git.php.net/?p=php-src.git;a=patch;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
+
+excluded the binary part of the test 
+
+CVE:  CVE-2015-7803
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ext/phar/tests/bug69720.phar | Bin 0 -> 8192 bytes
+ ext/phar/tests/bug69720.phpt |  40 ++++++++++++++++++++++++++++++++++++++++
+ ext/phar/util.c              |   6 +++++-
+ 3 files changed, 45 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug69720.phar
+ create mode 100644 ext/phar/tests/bug69720.phpt
+
+Index: php-5.6.12/ext/phar/tests/bug69720.phpt
+===================================================================
+--- /dev/null
++++ php-5.6.12/ext/phar/tests/bug69720.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset()
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++    // open an existing phar
++    $p = new Phar(__DIR__."/bug69720.phar",0);
++    // Phar extends SPL's DirectoryIterator class
++	echo $p->getMetadata();
++    foreach (new RecursiveIteratorIterator($p) as $file) {
++        // $file is a PharFileInfo class, and inherits from SplFileInfo
++	$temp="";
++        $temp= $file->getFileName() . "\n";
++        $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents
++	var_dump($file->getMetadata());
++    }
++}
++ catch (Exception $e) {
++    echo 'Could not open Phar: ', $e;
++}
++?>
++--EXPECTF--
++
++MY_METADATA_NULL
++
++Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d
++array(1) {
++  ["whatever"]=>
++  int(123)
++}
++object(DateTime)#2 (3) {
++  ["date"]=>
++  string(26) "2000-01-01 00:00:00.000000"
++  ["timezone_type"]=>
++  int(3)
++  ["timezone"]=>
++  string(3) "UTC"
++}
+Index: php-5.6.12/ext/phar/util.c
+===================================================================
+--- php-5.6.12.orig/ext/phar/util.c
++++ php-5.6.12/ext/phar/util.c
+@@ -494,7 +494,11 @@ really_get_entry:
+ 	(*ret)->is_tar = entry->is_tar;
+ 	(*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
+ 	if (entry->link) {
+-		(*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
++		phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
++		if(!link) {
++			return FAILURE;
++		}
++		(*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
+ 	} else {
+ 		(*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
+ 	}
diff --git a/meta-oe/recipes-devtools/php/php_5.6.12.bb b/meta-oe/recipes-devtools/php/php_5.6.12.bb
index ba78c32..b25e812 100644
--- a/meta-oe/recipes-devtools/php/php_5.6.12.bb
+++ b/meta-oe/recipes-devtools/php/php_5.6.12.bb
@@ -1,5 +1,7 @@
 require php.inc
 
-SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch"
+SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
+            file://CVE-2015-7803.patch \
+"
 SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b"
 SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a"

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list