php: Security fix CVE-2015-7803

CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset()

Signed-off-by: Armin Kuster <akuster@mvista.com>

2 files changed, 88 insertions, 1 deletions

diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch
new file mode 100644
index 000000000..223b9958b
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch
@@ -0,0 +1,85 @@
+From d698f0ae51f67c9cce870b09c59df3d6ba959244 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Sep 2015 15:51:59 -0700
+Subject: [PATCH] Fix bug #69720: Null pointer dereference in
+ phar_get_fp_offset()
+
+Upstream-Status: Backport
+
+https://git.php.net/?p=php-src.git;a=patch;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
+
+excluded the binary part of the test 
+
+CVE:  CVE-2015-7803
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ext/phar/tests/bug69720.phar | Bin 0 -> 8192 bytes
+ ext/phar/tests/bug69720.phpt |  40 ++++++++++++++++++++++++++++++++++++++++
+ ext/phar/util.c              |   6 +++++-
+ 3 files changed, 45 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug69720.phar
+ create mode 100644 ext/phar/tests/bug69720.phpt
+
+Index: php-5.6.12/ext/phar/tests/bug69720.phpt
+===================================================================
+--- /dev/null
++++ php-5.6.12/ext/phar/tests/bug69720.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset()
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++    // open an existing phar
++    $p = new Phar(__DIR__."/bug69720.phar",0);
++    // Phar extends SPL's DirectoryIterator class
++       echo $p->getMetadata();
++    foreach (new RecursiveIteratorIterator($p) as $file) {
++        // $file is a PharFileInfo class, and inherits from SplFileInfo
++       $temp="";
++        $temp= $file->getFileName() . "\n";
++        $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents
++       var_dump($file->getMetadata());
++    }
++}
++ catch (Exception $e) {
++    echo 'Could not open Phar: ', $e;
++}
++?>
++--EXPECTF--
++
++MY_METADATA_NULL
++
++Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d
++array(1) {
++  ["whatever"]=>
++  int(123)
++}
++object(DateTime)#2 (3) {
++  ["date"]=>
++  string(26) "2000-01-01 00:00:00.000000"
++  ["timezone_type"]=>
++  int(3)
++  ["timezone"]=>
++  string(3) "UTC"
++}
+Index: php-5.6.12/ext/phar/util.c
+===================================================================
+--- php-5.6.12.orig/ext/phar/util.c
++++ php-5.6.12/ext/phar/util.c
+@@ -494,7 +494,11 @@ really_get_entry:
+        (*ret)->is_tar = entry->is_tar;
+        (*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
+        if (entry->link) {
+-               (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
++               phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
++               if(!link) {
++                       return FAILURE;
++               }
++               (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
+        } else {
+                (*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
+        }
diff --git a/meta-oe/recipes-devtools/php/php_5.6.12.bb b/meta-oe/recipes-devtools/php/php_5.6.12.bb
index ba78c3225..b25e812fc 100644
--- a/meta-oe/recipes-devtools/php/php_5.6.12.bb
+++ b/meta-oe/recipes-devtools/php/php_5.6.12.bb
@@ -1,5 +1,7 @@
 require php.inc
 
-SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch"
+SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
+            file://CVE-2015-7803.patch \
+"
 SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b"
 SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a"