diff options
| author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-03-21 11:00:48 +0800 |
|---|---|---|
| committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-03-21 11:00:48 +0800 |
| commit | 30c7c2f4a647216d58a6e4599d73356e0249a2b5 (patch) | |
| tree | 4dbd31fff5c50da067e0f851e339184dc31ad509 /recipes/php/php-5.2.13/CVE-2010-0397.patch | |
| parent | cb1278efa38d7791b6ca9e9e3e61d4f1b7ee1a2e (diff) | |
php: 5.2.13 and 5.3.2 both have flaws in the handling of xmlrpc
This is addressing CVE-2010-0397.patch.
Diffstat (limited to 'recipes/php/php-5.2.13/CVE-2010-0397.patch')
| -rw-r--r-- | recipes/php/php-5.2.13/CVE-2010-0397.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/recipes/php/php-5.2.13/CVE-2010-0397.patch b/recipes/php/php-5.2.13/CVE-2010-0397.patch new file mode 100644 index 0000000000..8f70d40a46 --- /dev/null +++ b/recipes/php/php-5.2.13/CVE-2010-0397.patch @@ -0,0 +1,58 @@ +Description: Fix a null pointer dereference when processing invalid + XML-RPC requests. +Origin: vendor +Forwarded: http://bugs.php.net/51288 +Last-Update: 2010-03-12 + +Index: php/ext/xmlrpc/tests/bug51288.phpt +=================================================================== +--- /dev/null ++++ php/ext/xmlrpc/tests/bug51288.phpt +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request) ++--FILE-- ++<?php ++$method = NULL; ++$req = '<?xml version="1.0"?><methodCall></methodCall>'; ++var_dump(xmlrpc_decode_request($req, $method)); ++var_dump($method); ++echo "Done\n"; ++?> ++--EXPECT-- ++NULL ++NULL ++Done +Index: php/ext/xmlrpc/xmlrpc-epi-php.c +=================================================================== +--- php.orig/ext/xmlrpc/xmlrpc-epi-php.c ++++ php/ext/xmlrpc/xmlrpc-epi-php.c +@@ -701,6 +701,7 @@ zval* decode_request_worker (zval* xml_i + zval* retval = NULL; + XMLRPC_REQUEST response; + STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}}; ++ const char *method_name; + opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(Z_STRVAL_P(encoding_in)) : ENCODING_DEFAULT; + + /* generate XMLRPC_REQUEST from raw xml */ +@@ -711,10 +712,16 @@ zval* decode_request_worker (zval* xml_i + + if(XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) { + if(method_name_out) { +- zval_dtor(method_name_out); +- Z_TYPE_P(method_name_out) = IS_STRING; +- Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response)); +- Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); ++ method_name = XMLRPC_RequestGetMethodName(response); ++ if (method_name) { ++ zval_dtor(method_name_out); ++ Z_TYPE_P(method_name_out) = IS_STRING; ++ Z_STRVAL_P(method_name_out) = estrdup(method_name); ++ Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); ++ } else if (retval) { ++ zval_ptr_dtor(&retval); ++ retval = NULL; ++ } + } + } + |