modphp: Security Advisory - php - CVE-2014-5120

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Yue Tao <Yue.Tao@windriver.com> 2014-10-23 16:29:13 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2014-10-30 09:00:07 +0100
commit: 81aecee0eda7600e6a6ae3f8264b2a1bc7a57f04 (patch)
tree: da2bf948a00213669203dfe4272c2826ad24613b /meta-webserver/recipes-php
parent: d47b4c7ca0f98071a6f33144630d6bf1b856ce18 (diff)
download: meta-openembedded-81aecee0eda7600e6a6ae3f8264b2a1bc7a57f04.tar.gz
2 files changed, 36 insertions, 0 deletions
diff --git a/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch b/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch
new file mode 100644
index 000000000..f2e23b3f0
--- /dev/null
+++ b/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch
@@ -0,0 +1,35 @@
+modphp: Security Advisory - php - CVE-2014-5120
+Upstream-Status: Backport
+Signed-off-by Yue Tao <yue.tao@windriver.com>
+From 706aefb78112a44d4932d4c9430c6a898696f51f Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 18 Aug 2014 22:49:10 -0700
+Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
+ functions
+---
+ ext/gd/gd_ctx.c |    5 +++++
+ 2 files changed, 7 insertions(+)
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index bff691f..eafbab5 100644
+--- a/ext/gd/gd_ctx.c
+++ b/ext/gd/gd_ctx.c
+@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+                                RETURN_FALSE;
+                        }
+                } else if (Z_TYPE_P(to_zval) == IS_STRING) {
+                       if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+                               RETURN_FALSE;
+                       }
+
+                        stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
+                        if (stream == NULL) {
+                                RETURN_FALSE;
+-- 
+1.7.9.5
diff --git a/meta-webserver/recipes-php/modphp/modphp5.inc b/meta-webserver/recipes-php/modphp/modphp5.inc
index 0d7bb7a13..6a2a61f5f 100644
--- a/meta-webserver/recipes-php/modphp/modphp5.inc
+++ b/meta-webserver/recipes-php/modphp/modphp5.inc
@@ -9,6 +9,7 @@ SRC_URI = "http://www.php.net/distributions/php-${PV}.tar.bz2 \
           file://pthread-check-threads-m4.patch \
           file://70_mod_php5.conf \
           file://0001-using-pkgconfig-to-check-libxml.patch \
+           file://php-CVE-2014-5120.patch \
 "
 S = "${WORKDIR}/php-${PV}"
author	Yue Tao <Yue.Tao@windriver.com>	2014-10-23 16:29:13 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2014-10-30 09:00:07 +0100
commit	81aecee0eda7600e6a6ae3f8264b2a1bc7a57f04 (patch)
tree	da2bf948a00213669203dfe4272c2826ad24613b /meta-webserver/recipes-php
parent	d47b4c7ca0f98071a6f33144630d6bf1b856ce18 (diff)
download	meta-openembedded-81aecee0eda7600e6a6ae3f8264b2a1bc7a57f04.tar.gz

diff --git a/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch b/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch new file mode 100644 index 000000000..f2e23b3f0 --- /dev/null +++ b/meta-webserver/recipes-php/modphp/files/php-CVE-2014-5120.patch
@@ -0,0 +1,35 @@
		1	modphp: Security Advisory - php - CVE-2014-5120
		2
		3	Upstream-Status: Backport
		4
		5	Signed-off-by Yue Tao <yue.tao@windriver.com>
		6
		7	From 706aefb78112a44d4932d4c9430c6a898696f51f Mon Sep 17 00:00:00 2001
		8	From: Stanislav Malyshev <stas@php.net>
		9	Date: Mon, 18 Aug 2014 22:49:10 -0700
		10	Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
		11	functions
		12
		13	---
		14	ext/gd/gd_ctx.c \| 5 +++++
		15	2 files changed, 7 insertions(+)
		16
		17	diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
		18	index bff691f..eafbab5 100644
		19	--- a/ext/gd/gd_ctx.c
		20	+++ b/ext/gd/gd_ctx.c
		21	@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
		22	RETURN_FALSE;
		23	}
		24	} else if (Z_TYPE_P(to_zval) == IS_STRING) {
		25	+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
		26	+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
		27	+ RETURN_FALSE;
		28	+ }
		29	+
		30	stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS\|IGNORE_PATH\|IGNORE_URL_WIN, NULL);
		31	if (stream == NULL) {
		32	RETURN_FALSE;
		33	--
		34	1.7.9.5
		35


diff --git a/meta-webserver/recipes-php/modphp/modphp5.inc b/meta-webserver/recipes-php/modphp/modphp5.inc index 0d7bb7a13..6a2a61f5f 100644 --- a/meta-webserver/recipes-php/modphp/modphp5.inc +++ b/meta-webserver/recipes-php/modphp/modphp5.inc
@@ -9,6 +9,7 @@ SRC_URI = "http://www.php.net/distributions/php-${PV}.tar.bz2 \
9	file://pthread-check-threads-m4.patch \	9	file://pthread-check-threads-m4.patch \
10	file://70_mod_php5.conf \	10	file://70_mod_php5.conf \
11	file://0001-using-pkgconfig-to-check-libxml.patch \	11	file://0001-using-pkgconfig-to-check-libxml.patch \
		12	file://php-CVE-2014-5120.patch \
12	"	13	"
13		14
14	S = "${WORKDIR}/php-${PV}"	15	S = "${WORKDIR}/php-${PV}"