-rw-r--r-- | meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch | 181 | ||||
-rw-r--r-- | meta-oe/recipes-devtools/php/php_5.6.26.bb | 1 |
2 files changed, 182 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch
new file mode 100644
index 00000000000..d6d77c363ab
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch
@@ -0,0 +1,181 @@
+commit 6045de69c7dedcba3eadf7c4bba424b19c81d00d
+Author: Stanislav Malyshev <stas@php.net>
+Date: Sun Oct 23 20:07:47 2016 -0700
+
+ Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
+
+ Proper soltion would be to call serialize/unserialize and deal with the result,
+ but this requires more work that should be done by wddx maintainer (not me).
+
+Upstream-status: Backport
+
+CVE: CVE-2016-9934
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: php-5.6.26/ext/pdo/pdo_stmt.c
+===================================================================
+--- php-5.6.26.orig/ext/pdo/pdo_stmt.c 2016-09-16 02:32:50.000000000 +0530
++++ php-5.6.26/ext/pdo/pdo_stmt.c 2017-06-15 14:48:28.590259874 +0530
+@@ -2338,6 +2338,7 @@
+ pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */
+ pdo_row_ce->create_object = pdo_row_new;
+ pdo_row_ce->serialize = pdo_row_serialize;
++ pdo_row_ce->unserialize = zend_class_unserialize_deny;
+ }
+
+ static void free_statement(pdo_stmt_t *stmt TSRMLS_DC)
+Index: php-5.6.26/ext/wddx/tests/bug45901.phpt
+===================================================================
+--- php-5.6.26.orig/ext/wddx/tests/bug45901.phpt 2016-09-16 02:32:50.000000000 +0530
++++ php-5.6.26/ext/wddx/tests/bug45901.phpt 2017-06-15 14:48:28.590259874 +0530
+@@ -14,5 +14,6 @@
+ echo "DONE";
+ ?>
+ --EXPECTF--
+-<wddxPacket version='1.0'><header><comment>Variables</comment></header><data><struct><var name='php_class_name'><string>SimpleXMLElement</string></var><var name='test'><struct><var name='php_class_name'><string>SimpleXMLElement</string></var></struct></var></struct></data></wddxPacket>
+-DONE
+\ No newline at end of file
++Warning: wddx_serialize_value(): Class SimpleXMLElement can not be serialized in %sbug45901.php on line %d
++<wddxPacket version='1.0'><header><comment>Variables</comment></header><data></data></wddxPacket>
++DONE
+Index: php-5.6.26/ext/wddx/tests/bug73331.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php-5.6.26/ext/wddx/tests/bug73331.phpt 2017-06-15 14:48:28.590259874 +0530
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow)
++--SKIPIF--
++<?php if (!extension_loaded("wddx") || !extension_loaded("pdo")) print "skip"; ?>
++--FILE--
++<?php
++
++$wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>PDORow</string></var></struct></data></wddxPacket
++var_dump(wddx_deserialize($wddx));
++?>
++--EXPECTF--
++
++Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d
++NULL
+Index: php-5.6.26/ext/wddx/wddx.c
+===================================================================
+--- php-5.6.26.orig/ext/wddx/wddx.c 2016-09-16 02:32:50.000000000 +0530
++++ php-5.6.26/ext/wddx/wddx.c 2017-06-15 14:48:28.590259874 +0530
+@@ -471,8 +471,18 @@
+ ulong idx;
+ char tmp_buf[WDDX_BUF_LEN];
+ HashTable *objhash, *sleephash;
++ zend_class_entry *ce;
++ PHP_CLASS_ATTRIBUTES;
+ TSRMLS_FETCH();
+
++ PHP_SET_CLASS_ATTRIBUTES(obj);
++ ce = Z_OBJCE_P(obj);
++ if (!ce || ce->serialize || ce->unserialize) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name);
++ PHP_CLEANUP_CLASS_ATTRIBUTES();
++ return;
++ }
++
+ MAKE_STD_ZVAL(fname);
+ ZVAL_STRING(fname, "__sleep", 1);
+
+@@ -482,10 +492,6 @@
+ */
+ if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) {
+ if (retval && (sleephash = HASH_OF(retval))) {
+- PHP_CLASS_ATTRIBUTES;
+-
+- PHP_SET_CLASS_ATTRIBUTES(obj);
+-
+ php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
+ snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
+ php_wddx_add_chunk(packet, tmp_buf);
+@@ -494,8 +500,6 @@
+ php_wddx_add_chunk_static(packet, WDDX_STRING_E);
+ php_wddx_add_chunk_static(packet, WDDX_VAR_E);
+
+- PHP_CLEANUP_CLASS_ATTRIBUTES();
+-
+ objhash = HASH_OF(obj);
+
+ for (zend_hash_internal_pointer_reset(sleephash);
+@@ -516,10 +520,6 @@
+ } else {
+ uint key_len;
+
+- PHP_CLASS_ATTRIBUTES;
+-
+- PHP_SET_CLASS_ATTRIBUTES(obj);
+-
+ php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
+ snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
+ php_wddx_add_chunk(packet, tmp_buf);
+@@ -528,8 +528,6 @@
+ php_wddx_add_chunk_static(packet, WDDX_STRING_E);
+ php_wddx_add_chunk_static(packet, WDDX_VAR_E);
+
+- PHP_CLEANUP_CLASS_ATTRIBUTES();
+-
+ objhash = HASH_OF(obj);
+ for (zend_hash_internal_pointer_reset(objhash);
+ zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS;
+@@ -550,6 +548,8 @@
+ }
+ php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
+ }
++
++ PHP_CLEANUP_CLASS_ATTRIBUTES();
+
+ zval_dtor(fname);
+ FREE_ZVAL(fname);
+@@ -1012,25 +1012,30 @@
+ pce = &PHP_IC_ENTRY;
+ }
+
+- /* Initialize target object */
+- MAKE_STD_ZVAL(obj);
+- object_init_ex(obj, *pce);
+-
+- /* Merge current hashtable with object's default properties */
+- zend_hash_merge(Z_OBJPROP_P(obj),
+- Z_ARRVAL_P(ent2->data),
+- (void (*)(void *)) zval_add_ref,
+- (void *) &tmp, sizeof(zval *), 0);
+-
+- if (incomplete_class) {
+- php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
+- }
+-
+- /* Clean up old array entry */
+- zval_ptr_dtor(&ent2->data);
+-
+- /* Set stack entry to point to the newly created object */
+- ent2->data = obj;
++ if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) {
++ ent2->data = NULL;
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data));
++ } else {
++ /* Initialize target object */
++ MAKE_STD_ZVAL(obj);
++ object_init_ex(obj, *pce);
++
++ /* Merge current hashtable with object's default properties */
++ zend_hash_merge(Z_OBJPROP_P(obj),
++ Z_ARRVAL_P(ent2->data),
++ (void (*)(void *)) zval_add_ref,
++
(void *) &tmp, sizeof(zval *), 0); ++ ++ if (incomplete_class) { ++ php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); ++ } ++ ++ /* Clean up old array entry */ ++ zval_ptr_dtor(&ent2->data); ++ ++ /* Set stack entry to point to the newly created object */ ++ ent2->data = obj; ++ } + + /* Clean up class name var entry */ + zval_ptr_dtor(&ent1->data); diff --git a/meta-oe/recipes-devtools/php/php_5.6.26.bb b/meta-oe/recipes-devtools/php/php_5.6.26.bb index cf104803da0..073d873bd87 100644 --- a/meta-oe/recipes-devtools/php/php_5.6.26.bb +++ b/meta-oe/recipes-devtools/php/php_5.6.26.bb @@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b602636d46a61c0ac0432bbf5c078fe4" SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \ file://CVE-2016-9137.patch \ + file://CVE-2016-9934.patch \ " SRC_URI[md5sum] = "cb424b705cfb715fc04f499f8a8cf52e" SRC_URI[sha256sum] = "d47aab8083a4284b905777e1b45dd7735adc53be827b29f896684750ac8b6236" |
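Review bot: The rejection branch added in the `@@ -1012,25 +1012,30 @@` hunk of wddx.c sets `ent2->data = NULL;` without releasing the zval it pointed to, while the `else` branch calls `zval_ptr_dtor(&ent2->data)` before reassigning, so each rejected class in an untrusted packet appears to leak that value. I would write `zval_ptr_dtor(&ent2->data);` on the line before `ent2->data = NULL;`. The enclosing function starts and ends outside the hunk, so whether every later use of `ent2->data` tolerates NULL cannot be confirmed from here and should be checked as part of the backport. In bug73331.phpt the `$wddx` string is shown ending at `</wddxPacket` with no closing `>";`, which would make the regression test fail to parse if the patch file really reads that way. The patch header tag is written `Upstream-status:`; the usual spelling is `Upstream-Status:`.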