Commit 2bcd5617 authored by Natanael Copa's avatar Natanael Copa

main/php: fix for CVE-2010-2225

based on http://svn.php.net/viewvc?view=revision&revision=300843
parent d9cd5927
......@@ -3,7 +3,7 @@
pkgname=php
pkgver=5.3.2
_suhosinver=${pkgver}-0.9.9.1
pkgrel=4
pkgrel=8
pkgdesc="The PHP language runtime engine"
url="http://www.php.net/"
license="PHP-3"
......@@ -65,6 +65,7 @@ source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2
http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz
php-install-pear-xml.patch
zend_execute_API.c.patch
CVE-2010-2225.patch
"
_extdir="/usr/lib/php/20090626"
......@@ -75,6 +76,8 @@ build() {
# beat the pear installer into using xml.so
patch -p1 -i "$srcdir"/php-install-pear-xml.patch || return 1
patch -p0 -i "$srcdir"/CVE-2010-2225.patch || return 1
# apply suhosin patch
gunzip -c ${srcdir}/suhosin-patch-${_suhosinver}.patch.gz \
| patch -p1 || return 1
......@@ -259,4 +262,5 @@ dev() {
md5sums="46f500816125202c48a458d0133254a4 php-5.3.2.tar.bz2
4647b05330862d6a1fc4469245cc6ade suhosin-patch-5.3.2-0.9.9.1.patch.gz
5111e3be06d391f8772587c675240fab php-install-pear-xml.patch
55f9d24316a57e0c0f6b4b84791a1a17 zend_execute_API.c.patch"
55f9d24316a57e0c0f6b4b84791a1a17 zend_execute_API.c.patch
373a2705d03a13b77b590026b0ae47aa CVE-2010-2225.patch"
Index: ext/spl/tests/SplObjectStorage_unserialize_nested.phpt
===================================================================
--- ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 0)
+++ ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 300843)
@@ -0,0 +1,47 @@
+--TEST--
+SPL: Test unserializing tested & linked storage
+--FILE--
+<?php
+$o = new StdClass();
+$a = new StdClass();
+
+$o->a = $a;
+
+$so = new SplObjectStorage();
+
+$so[$o] = 1;
+$so[$a] = 2;
+
+$s = serialize($so);
+echo $s."\n";
+
+$so1 = unserialize($s);
+var_dump($so1);
+
+--EXPECTF--
+C:16:"SplObjectStorage":76:{x:i:2;O:8:"stdClass":1:{s:1:"a";O:8:"stdClass":0:{}},i:1;;r:2;,i:2;;m:a:0:{}}
+object(SplObjectStorage)#4 (1) {
+ ["storage":"SplObjectStorage":private]=>
+ array(2) {
+ ["%s"]=>
+ array(2) {
+ ["obj"]=>
+ object(stdClass)#5 (1) {
+ ["a"]=>
+ object(stdClass)#6 (0) {
+ }
+ }
+ ["inf"]=>
+ int(1)
+ }
+ ["%s"]=>
+ array(2) {
+ ["obj"]=>
+ object(stdClass)#6 (0) {
+ }
+ ["inf"]=>
+ int(2)
+ }
+ }
+}
+
Index: ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
===================================================================
--- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 0)
+++ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 300843)
@@ -0,0 +1,45 @@
+--TEST--
+SPL: Test that serialized blob contains unique elements (CVE-2010-2225)
+--FILE--
+<?php
+
+$badblobs = array(
+'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+);
+foreach($badblobs as $blob) {
+try {
+ $so = new SplObjectStorage();
+ $so->unserialize($blob);
+ var_dump($so);
+} catch(UnexpectedValueException $e) {
+ echo $e->getMessage()."\n";
+}
+}
+--EXPECTF--
+Error at offset 6 of 34 bytes
+Error at offset 46 of 89 bytes
+object(SplObjectStorage)#2 (1) {
+ ["storage":"SplObjectStorage":private]=>
+ array(2) {
+ ["%s"]=>
+ array(2) {
+ ["obj"]=>
+ object(stdClass)#3 (0) {
+ }
+ ["inf"]=>
+ int(1)
+ }
+ ["%s"]=>
+ array(2) {
+ ["obj"]=>
+ object(stdClass)#1 (0) {
+ }
+ ["inf"]=>
+ object(stdClass)#4 (0) {
+ }
+ }
+ }
+}
+
Index: ext/spl/spl_observer.c
===================================================================
--- ext/spl/spl_observer.c (revision 300842)
+++ ext/spl/spl_observer.c (revision 300843)
@@ -115,6 +115,7 @@
zval_ptr_dtor(&element->inf);
} /* }}} */
+
spl_SplObjectStorageElement* spl_object_storage_get(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */
{
spl_SplObjectStorageElement *element;
@@ -632,15 +633,24 @@
zval_ptr_dtor(&pcount);
while(count-- > 0) {
+ spl_SplObjectStorageElement *pelement;
+
if (*p != ';') {
goto outexcept;
}
++p;
+ if(*p != 'O' && *p != 'C' && *p != 'r') {
+ goto outexcept;
+ }
ALLOC_INIT_ZVAL(pentry);
if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) {
zval_ptr_dtor(&pentry);
goto outexcept;
}
+ if(Z_TYPE_P(pentry) != IS_OBJECT) {
+ zval_ptr_dtor(&pentry);
+ goto outexcept;
+ }
ALLOC_INIT_ZVAL(pinf);
if (*p == ',') { /* new version has inf */
++p;
@@ -649,6 +659,16 @@
goto outexcept;
}
}
+
+ pelement = spl_object_storage_get(intern, pentry TSRMLS_CC);
+ if(pelement) {
+ if(pelement->inf) {
+ var_push_dtor(&var_hash, &pelement->inf);
+ }
+ if(pelement->obj) {
+ var_push_dtor(&var_hash, &pelement->obj);
+ }
+ }
spl_object_storage_attach(intern, pentry, pinf TSRMLS_CC);
zval_ptr_dtor(&pentry);
zval_ptr_dtor(&pinf);
Index: ext/standard/var_unserializer.c
===================================================================
--- ext/standard/var_unserializer.c (revision 300842)
+++ ext/standard/var_unserializer.c (revision 300843)
@@ -56,7 +56,7 @@
var_hash->data[var_hash->used_slots++] = *rval;
}
-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
+PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
{
var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;
Index: ext/standard/php_var.h
===================================================================
--- ext/standard/php_var.h (revision 300842)
+++ ext/standard/php_var.h (revision 300843)
@@ -60,6 +60,7 @@
var_destroy(&(var_hash))
PHPAPI void var_replace(php_unserialize_data_t *var_hash, zval *ozval, zval **nzval);
+PHPAPI void var_push_dtor(php_unserialize_data_t *var_hash, zval **val);
PHPAPI void var_destroy(php_unserialize_data_t *var_hash);
#define PHP_VAR_UNSERIALIZE_ZVAL_CHANGED(var_hash, ozval, nzval) \
Index: ext/standard/var_unserializer.re
===================================================================
--- ext/standard/var_unserializer.re (revision 300842)
+++ ext/standard/var_unserializer.re (revision 300843)
@@ -54,7 +54,7 @@
var_hash->data[var_hash->used_slots++] = *rval;
}
-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
+PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
{
var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment