diff -u php5-5.3.2/debian/changelog php5-5.3.2/debian/changelog
--- php5-5.3.2/debian/changelog
+++ php5-5.3.2/debian/changelog
@@ -1,3 +1,18 @@
+php5 (5.3.2-1ubuntu4.20) lucid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via xml
+ parser heap overflow
+ - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
+ ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
+ - CVE-2013-4113
+ * SECURITY UPDATE: denial of service via overflow in SdnToJewish
+ - debian/patches/CVE-2013-4635.patch: check value in
+ ext/calendar/jewish.c, add test to
+ ext/calendar/tests/jdtojewish64.phpt.
+ - CVE-2013-4635
+
+ -- Marc Deslauriers Mon, 15 Jul 2013 09:50:48 -0400
+
 php5 (5.3.2-1ubuntu4.19) lucid-security; urgency=low
 
 * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
diff -u php5-5.3.2/debian/patches/series php5-5.3.2/debian/patches/series
--- php5-5.3.2/debian/patches/series
+++ php5-5.3.2/debian/patches/series
@@ -112,0 +113,2 @@
+CVE-2013-4113.patch
+CVE-2013-4635.patch
only in patch2:
unchanged:
--- php5-5.3.2.orig/debian/patches/CVE-2013-4635.patch
+++ php5-5.3.2/debian/patches/CVE-2013-4635.patch
@@ -0,0 +1,50 @@ +Description: fix denial of service via overflow in SdnToJewish +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=4828f7343b3f31d914f4d4a5545865b8a19f7fb6 +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=fc2a9d6e47ae23adb28122539b56df0d6195bdce +Bug: https://bugs.php.net/bug.php?id=64895 + +Index: php5-5.4.15/ext/calendar/jewish.c +=================================================================== +--- php5-5.4.15.orig/ext/calendar/jewish.c 2013-05-08 01:41:20.000000000 -0400 ++++ php5-5.4.15/ext/calendar/jewish.c 2013-06-28 08:19:27.885381358 -0400 +@@ -272,6 +272,7 @@ + #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7)) + + #define JEWISH_SDN_OFFSET 347997 ++#define JEWISH_SDN_MAX 324542846L /* 12/13/887605, greater value raises interger overflow */ + #define NEW_MOON_OF_CREATION 31524 + + #define SUNDAY 0 +@@ -519,7 +520,7 @@ + int tishri1After; + int yearLength; + +- if (sdn <= JEWISH_SDN_OFFSET) { ++ if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) { + *pYear = 0; + *pMonth = 0; + *pDay = 0; +Index: php5-5.4.15/ext/calendar/tests/jdtojewish64.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.4.15/ext/calendar/tests/jdtojewish64.phpt 2013-06-28 08:19:27.885381358 -0400 +@@ -0,0 +1,19 @@ ++--TEST-- ++Bug #64895: Integer overflow in SndToJewish ++--SKIPIF-- ++ ++--FILE-- ++ ++--FILE-- ++", 1000), $a); ++ ++echo "Done\n"; ++?> ++--EXPECTF-- ++Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated in %s on line %d ++Done +Index: php5-5.3.10/ext/xml/xml.c +=================================================================== +--- php5-5.3.10.orig/ext/xml/xml.c 2013-07-15 09:49:18.038820125 -0400 ++++ php5-5.3.10/ext/xml/xml.c 2013-07-15 09:49:18.034820124 -0400 +@@ -427,7 +427,7 @@ + } + if (parser->ltags) { + int inx; +- for (inx = 0; inx < parser->level; inx++) ++ for (inx = 0; ((inx 
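Review bot: The comment on `JEWISH_SDN_MAX` in the jewish.c hunk at -272 misspells "integer" and does not say which calculation overflows or for which integer width 324542846 was derived, so the bound cannot be re-checked if the conversion arithmetic changes. I would write it as `#define JEWISH_SDN_MAX 324542846L /* 12/13/887605; larger SDNs overflow the integer arithmetic in SdnToJewish (bug #64895) */`, adjusting the wording to whichever intermediate value actually overflows. The widened check at -519 zeroes year, month and day exactly as the existing lower-bound path does, so a caller cannot tell "too large" from "too small". That looks intentional, but it deserves a line in the function's header comment, which lies outside the hunk.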
< parser->level) && (inx < XML_MAXLEVEL)); inx++) + efree(parser->ltags[ inx ]); + efree(parser->ltags); + } +@@ -905,45 +905,50 @@ + } + + if (parser->data) { +- zval *tag, *atr; +- int atcnt = 0; ++ if (parser->level <= XML_MAXLEVEL) { ++ zval *tag, *atr; ++ int atcnt = 0; + +- MAKE_STD_ZVAL(tag); +- MAKE_STD_ZVAL(atr); ++ MAKE_STD_ZVAL(tag); ++ MAKE_STD_ZVAL(atr); + +- array_init(tag); +- array_init(atr); ++ array_init(tag); ++ array_init(atr); + +- _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); ++ _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); + +- add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ +- add_assoc_string(tag,"type","open",1); +- add_assoc_long(tag,"level",parser->level); ++ add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ ++ add_assoc_string(tag,"type","open",1); ++ add_assoc_long(tag,"level",parser->level); + +- parser->ltags[parser->level-1] = estrdup(tag_name); +- parser->lastwasopen = 1; ++ parser->ltags[parser->level-1] = estrdup(tag_name); ++ parser->lastwasopen = 1; + +- attributes = (const XML_Char **) attrs; ++ attributes = (const XML_Char **) attrs; + +- while (attributes && *attributes) { +- att = _xml_decode_tag(parser, attributes[0]); +- val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding); +- +- add_assoc_stringl(atr,att,val,val_len,0); ++ while (attributes && *attributes) { ++ att = _xml_decode_tag(parser, attributes[0]); ++ val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding); + +- atcnt++; +- attributes += 2; ++ add_assoc_stringl(atr,att,val,val_len,0); + +- efree(att); +- } ++ atcnt++; ++ attributes += 2; + +- if (atcnt) { +- zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL); +- } else { +- zval_ptr_dtor(&atr); +- } ++ efree(att); ++ } ++ ++ if (atcnt) { ++ 
zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL); ++ } else { ++ zval_ptr_dtor(&atr); ++ } + +- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag); ++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag); ++ } else if (parser->level == (XML_MAXLEVEL + 1)) { ++ TSRMLS_FETCH(); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated"); ++ } + } + + efree(tag_name); +@@ -995,7 +1000,7 @@ + + efree(tag_name); + +- if (parser->ltags) { ++ if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) { + efree(parser->ltags[parser->level-1]); + } + +@@ -1079,18 +1084,23 @@ + } + } + +- MAKE_STD_ZVAL(tag); +- +- array_init(tag); +- +- _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset); ++ if (parser->level <= XML_MAXLEVEL) { ++ MAKE_STD_ZVAL(tag); + +- add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1); +- add_assoc_string(tag,"value",decoded_value,0); +- add_assoc_string(tag,"type","cdata",1); +- add_assoc_long(tag,"level",parser->level); ++ array_init(tag); + +- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); ++ _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset); ++ ++ add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1); ++ add_assoc_string(tag,"value",decoded_value,0); ++ add_assoc_string(tag,"type","cdata",1); ++ add_assoc_long(tag,"level",parser->level); ++ ++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); ++ } else if (parser->level == (XML_MAXLEVEL + 1)) { ++ TSRMLS_FETCH(); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated"); ++ } + } + } else { + efree(decoded_value);
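Review bot: The warning branch `else if (parser->level == (XML_MAXLEVEL + 1))`, added in the start-element hunk (-905) and again in the character-data hunk (-1079), fires for every node seen at that depth rather than once per parse. Assuming `level` rises and falls with open and close tags, as the `ltags[parser->level-1]` indexing suggests, a document with many siblings or text nodes just past the limit raises one E_WARNING each, which lets untrusted input flood the error log. A per-parser "already warned" flag (a new field, cleared where the parser is set up) tested in both branches would keep it to a single message. Separately, the guards `parser->level <= XML_MAXLEVEL` here and in the -995 hunk, and the clamp `inx < XML_MAXLEVEL` in the -427 hunk, all encode the capacity of `ltags`, whose allocation is not visible in this patch; a comment at the first guard such as `/* ltags holds XML_MAXLEVEL entries; deeper levels are counted but never stored */` would state that invariant for the next handler that indexes it. The enclosing handlers begin and end outside these hunks.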