authorJagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>2017-03-12 20:48:15 -0700
committerArmin Kuster <akuster808@gmail.com>2017-11-16 15:27:16 -0800
commitb286598b43c38c7bfe6679b59ddd60058276cc53 (patch)
treec079217b725e0798ba267f2790e608d4caba8d83
parent4b26421af6456436cfd2cb491d8857a833c4aa44 (diff)
php: CVE-2016-9137
Source: meta-openembedded MR: 68765, 00000 Type: Integration Disposition: Merged from meta-openembedded ChangeID: 1aed8604e5757f9805d98348e78b1f2f09c6bc86 Description: Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137 https://bugs.php.net/bug.php?id=73147 Upstream patch: http://git.php.net/?p=php-src.git;a=commitdiff;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f Reviewed-by: Jeremy Puhlman <jpuhlman@mvista.com> Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9137.patch108
-rw-r--r--meta-oe/recipes-devtools/php/php_5.6.26.bb4
2 files changed, 111 insertions, 1 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9137.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9137.patch
new file mode 100644
index 0000000000..572f7efa15
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9137.patch
@@ -0,0 +1,108 @@
+From 0e6fe3a4c96be2d3e88389a5776f878021b4c59f Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 25 Sep 2016 19:53:59 -0700
+Subject: [PATCH] Fix bug #73147: Use After Free in PHP7 unserialize()
+
+CVE: CVE-2016-9137
+Upstream-Status: Backport
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ Zend/zend_API.c | 24 ++++++++++++++++++++++++
+ Zend/zend_API.h | 1 +
+ ext/curl/curl_file.c | 5 ++++-
+ ext/curl/tests/bug73147.phpt | 20 ++++++++++++++++++++
+ 4 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 ext/curl/tests/bug73147.phpt
+
+diff --git a/Zend/zend_API.c b/Zend/zend_API.c
+index 8202b9a..0757cc9 100644
+--- a/Zend/zend_API.c
++++ b/Zend/zend_API.c
+@@ -3776,6 +3776,30 @@ ZEND_API void zend_update_property(zend_class_entry *scope, zval *object, const
+ }
+ /* }}} */
+
++ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
++{
++ zval *property;
++ zend_class_entry *old_scope = EG(scope);
++
++ EG(scope) = scope;
++
++ if (!Z_OBJ_HT_P(object)->unset_property) {
++ const char *class_name;
++ zend_uint class_name_len;
++
++ zend_get_object_classname(object, &class_name, &class_name_len TSRMLS_CC);
++
++ zend_error(E_CORE_ERROR, "Property %s of class %s cannot be unset", name, class_name);
++ }
++ MAKE_STD_ZVAL(property);
++ ZVAL_STRINGL(property, name, name_length, 1);
++ Z_OBJ_HT_P(object)->unset_property(object, property, 0 TSRMLS_CC);
++ zval_ptr_dtor(&property);
++
++ EG(scope) = old_scope;
++}
++/* }}} */
++
+ ZEND_API void zend_update_property_null(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
+ {
+ zval *tmp;
+diff --git a/Zend/zend_API.h b/Zend/zend_API.h
+index 53c1a4c..c57c003 100644
+--- a/Zend/zend_API.h
++++ b/Zend/zend_API.h
+@@ -330,6 +330,7 @@ ZEND_API void zend_update_property_long(zend_class_entry *scope, zval *object, c
+ ZEND_API void zend_update_property_double(zend_class_entry *scope, zval *object, const char *name, int name_length, double value TSRMLS_DC);
+ ZEND_API void zend_update_property_string(zend_class_entry *scope, zval *object, const char *name, int name_length, const char *value TSRMLS_DC);
+ ZEND_API void zend_update_property_stringl(zend_class_entry *scope, zval *object, const char *name, int name_length, const char *value, int value_length TSRMLS_DC);
++ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC);
+
+ ZEND_API int zend_update_static_property(zend_class_entry *scope, const char *name, int name_length, zval *value TSRMLS_DC);
+ ZEND_API int zend_update_static_property_null(zend_class_entry *scope, const char *name, int name_length TSRMLS_DC);
+diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
+index 56c1bbe..029a58a 100644
+--- a/ext/curl/curl_file.c
++++ b/ext/curl/curl_file.c
+@@ -137,7 +137,10 @@ ZEND_METHOD(CURLFile, setPostFilename)
+ Unserialization handler */
+ ZEND_METHOD(CURLFile, __wakeup)
+ {
+- zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, "" TSRMLS_CC);
++ zval *_this = getThis();
++
++ zend_unset_property(curl_CURLFile_class, _this, "name", sizeof("name")-1 TSRMLS_CC);
++ zend_update_property_string(curl_CURLFile_class, _this, "name", sizeof("name")-1, "" TSRMLS_CC);
+ zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0 TSRMLS_CC);
+ }
+ /* }}} */
+diff --git a/ext/curl/tests/bug73147.phpt b/ext/curl/tests/bug73147.phpt
+new file mode 100644
+index 0000000..118177d
+--- /dev/null
++++ b/ext/curl/tests/bug73147.phpt
+@@ -0,0 +1,20 @@
++--TEST--
++Bug #73147: Use After Free in PHP7 unserialize()
++--SKIPIF--
++<?php
++if (!extension_loaded("curl")) {
++ exit("skip curl extension not loaded");
++}
++?>
++--FILE--
++<?php
++
++$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
++try {
++var_dump(unserialize($poc));
++} catch(Exception $e) {
++ echo $e->getMessage();
++}
++?>
++--EXPECT--
++Unserialization of CURLFile instances is not allowed
+--
+2.1.4
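Review bot: The new `zend_unset_property()` call in `CURLFile::__wakeup` (the ext/curl/curl_file.c part of this patch) has no comment explaining why the property is unset immediately before it is reassigned, so a later cleanup could remove it as redundant and reopen the use-after-free. Judging from the regression test, where `name` is serialized as `R:1`, the unset appears to detach the property from a reference into the value still being unserialized; I would add `/* unset first: "name" may be a reference into data still being unserialized (bug #73147), and the update below must not write through it */` above the call. In `zend_unset_property()` the branch for a missing handler relies on `zend_error(E_CORE_ERROR, ...)` not returning, since otherwise the following statement calls a NULL `unset_property` and `EG(scope)` is never restored; a one-line comment stating that assumption would help the next reader. The patch header could also record the upstream commit after `Upstream-Status: Backport`, as the commit description already does.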
diff --git a/meta-oe/recipes-devtools/php/php_5.6.26.bb b/meta-oe/recipes-devtools/php/php_5.6.26.bb
index cbd0615d68..cf104803da 100644
--- a/meta-oe/recipes-devtools/php/php_5.6.26.bb
+++ b/meta-oe/recipes-devtools/php/php_5.6.26.bb
@@ -2,6 +2,8 @@ require php.inc
LIC_FILES_CHKSUM = "file://LICENSE;md5=b602636d46a61c0ac0432bbf5c078fe4"
-SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch"
+SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
+ file://CVE-2016-9137.patch \
+"
SRC_URI[md5sum] = "cb424b705cfb715fc04f499f8a8cf52e"
SRC_URI[sha256sum] = "d47aab8083a4284b905777e1b45dd7735adc53be827b29f896684750ac8b6236"