From d3af620af497f17b9ac2723e7ff895689ae7a8c9 Mon Sep 17 00:00:00 2001 From: Thiruvadi Rajaraman Date: Thu, 15 Jun 2017 15:44:02 +0530 Subject: php: CVE-2016-9934 fix Source: http://git.php.net/repository/php-src.git MR: 70048 Type: Security Fix Disposition: Backport from Backport from php-5.6.29RC1 ChangeID: ebcd0ab0790fb0c70877e12aa0a76ae478bb204f Description: Fixed bug #73331 - NULL Pointer Dereference in WDDX Packet Deserialization with PDORow. Author: Stanislav Malyshev Signed-off-by: Thiruvadi Rajaraman Reviewed-by: Armin Kuster Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster --- .../php/php-5.6.26/CVE-2016-9934.patch | 181 +++++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch (limited to 'meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch') diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch new file mode 100644 index 0000000000..d6d77c363a --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch @@ -0,0 +1,181 @@ +commit 6045de69c7dedcba3eadf7c4bba424b19c81d00d +Author: Stanislav Malyshev +Date: Sun Oct 23 20:07:47 2016 -0700 + + Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle + + Proper soltion would be to call serialize/unserialize and deal with the result, + but this requires more work that should be done by wddx maintainer (not me). + +Upstream-status: Backport + +CVE: CVE-2016-9934 +Signed-off-by: Thiruvadi Rajaraman + +Index: php-5.6.26/ext/pdo/pdo_stmt.c +=================================================================== +--- php-5.6.26.orig/ext/pdo/pdo_stmt.c 2016-09-16 02:32:50.000000000 +0530 ++++ php-5.6.26/ext/pdo/pdo_stmt.c 2017-06-15 14:48:28.590259874 +0530 +@@ -2338,6 +2338,7 @@ + pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */ + pdo_row_ce->create_object = pdo_row_new; + pdo_row_ce->serialize = pdo_row_serialize; ++ pdo_row_ce->unserialize = zend_class_unserialize_deny; + } + + static void free_statement(pdo_stmt_t *stmt TSRMLS_DC) +Index: php-5.6.26/ext/wddx/tests/bug45901.phpt +=================================================================== +--- php-5.6.26.orig/ext/wddx/tests/bug45901.phpt 2016-09-16 02:32:50.000000000 +0530 ++++ php-5.6.26/ext/wddx/tests/bug45901.phpt 2017-06-15 14:48:28.590259874 +0530 +@@ -14,5 +14,6 @@ + echo "DONE"; + ?> + --EXPECTF-- +-
Variables
SimpleXMLElementSimpleXMLElement +-DONE +\ No newline at end of file ++Warning: wddx_serialize_value(): Class SimpleXMLElement can not be serialized in %sbug45901.php on line %d ++
Variables
 ++DONE +Index: php-5.6.26/ext/wddx/tests/bug73331.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php-5.6.26/ext/wddx/tests/bug73331.phpt 2017-06-15 14:48:28.590259874 +0530 +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow) ++--SKIPIF-- ++ ++--FILE-- ++
PDORow ++--EXPECTF-- ++ ++Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d ++NULL +Index: php-5.6.26/ext/wddx/wddx.c +=================================================================== +--- php-5.6.26.orig/ext/wddx/wddx.c 2016-09-16 02:32:50.000000000 +0530 ++++ php-5.6.26/ext/wddx/wddx.c 2017-06-15 14:48:28.590259874 +0530 +@@ -471,8 +471,18 @@ + ulong idx; + char tmp_buf[WDDX_BUF_LEN]; + HashTable *objhash, *sleephash; ++ zend_class_entry *ce; ++ PHP_CLASS_ATTRIBUTES; + TSRMLS_FETCH(); + ++ PHP_SET_CLASS_ATTRIBUTES(obj); ++ ce = Z_OBJCE_P(obj); ++ if (!ce || ce->serialize || ce->unserialize) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name); ++ PHP_CLEANUP_CLASS_ATTRIBUTES(); ++ return; ++ } ++ + MAKE_STD_ZVAL(fname); + ZVAL_STRING(fname, "__sleep", 1); + +@@ -482,10 +492,6 @@ + */ + if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) { + if (retval && (sleephash = HASH_OF(retval))) { +- PHP_CLASS_ATTRIBUTES; +- +- PHP_SET_CLASS_ATTRIBUTES(obj); +- + php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); + snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); + php_wddx_add_chunk(packet, tmp_buf); +@@ -494,8 +500,6 @@ + php_wddx_add_chunk_static(packet, WDDX_STRING_E); + php_wddx_add_chunk_static(packet, WDDX_VAR_E); + +- PHP_CLEANUP_CLASS_ATTRIBUTES(); +- + objhash = HASH_OF(obj); + + for (zend_hash_internal_pointer_reset(sleephash); +@@ -516,10 +520,6 @@ + } else { + uint key_len; + +- PHP_CLASS_ATTRIBUTES; +- +- PHP_SET_CLASS_ATTRIBUTES(obj); +- + php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); + snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); + php_wddx_add_chunk(packet, tmp_buf); +@@ -528,8 +528,6 @@ + php_wddx_add_chunk_static(packet, WDDX_STRING_E); + php_wddx_add_chunk_static(packet, WDDX_VAR_E); + +- PHP_CLEANUP_CLASS_ATTRIBUTES(); +- + objhash = HASH_OF(obj); + for (zend_hash_internal_pointer_reset(objhash); + zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS; +@@ -550,6 +548,8 @@ + } + php_wddx_add_chunk_static(packet, WDDX_STRUCT_E); + } ++ ++ PHP_CLEANUP_CLASS_ATTRIBUTES(); + + zval_dtor(fname); + FREE_ZVAL(fname); +@@ -1012,25 +1012,30 @@ + pce = &PHP_IC_ENTRY; + } + +- /* Initialize target object */ +- MAKE_STD_ZVAL(obj); +- object_init_ex(obj, *pce); +- +- /* Merge current hashtable with object's default properties */ +- zend_hash_merge(Z_OBJPROP_P(obj), +- Z_ARRVAL_P(ent2->data), +- (void (*)(void *)) zval_add_ref, +- (void *) &tmp, sizeof(zval *), 0); +- +- if (incomplete_class) { +- php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); +- } +- +- /* Clean up old array entry */ +- zval_ptr_dtor(&ent2->data); +- +- /* Set stack entry to point to the newly created object */ +- ent2->data = obj; ++ if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) { ++ ent2->data = NULL; ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data)); ++ } else { ++ /* Initialize target object */ ++ MAKE_STD_ZVAL(obj); ++ object_init_ex(obj, *pce); ++ ++ /* Merge current hashtable with object's default properties */ ++ zend_hash_merge(Z_OBJPROP_P(obj), ++ Z_ARRVAL_P(ent2->data), ++ (void (*)(void *)) zval_add_ref, ++ (void *) &tmp, sizeof(zval *), 0); ++ ++ if (incomplete_class) { ++ php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); ++ } ++ ++ /* Clean up old array entry */ ++ zval_ptr_dtor(&ent2->data); ++ ++ /* Set stack entry to point to the newly created object */ ++ ent2->data = obj; ++ } + + /* Clean up class name var entry */ + zval_ptr_dtor(&ent1->data); -- cgit 1.2.3-korg