From 83a52f89975f6e61dfe5353916acfd4da3085fc9 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Mon, 7 Jul 2014 07:07:52 +0200 Subject: [PATCH] - rel 12; fixes SECURITY bug; phpinfo leak; https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html --- php-secbug-67498.patch | 52 ++++++++++++++++++++++++++++++++++++++++++ php.spec | 4 +++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 php-secbug-67498.patch diff --git a/php-secbug-67498.patch b/php-secbug-67498.patch new file mode 100644 index 0000000..2ee2721 --- /dev/null +++ b/php-secbug-67498.patch @@ -0,0 +1,52 @@ +commit fb0128af2a95ec0d1a0360be49776c5b056d1f33 +Author: Stanislav Malyshev +Date: Mon Jun 23 00:19:37 2014 -0700 + + Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability + +diff --git a/ext/standard/info.c b/ext/standard/info.c +index 70b2e2f..0f15bbe 100644 +--- a/ext/standard/info.c ++++ b/ext/standard/info.c +@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC) + + php_info_print_table_start(); + php_info_print_table_header(2, "Variable", "Value"); +- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data)); + } +- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data)); + } +- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data)); + } +- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data)); + } + php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC); +diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt +new file mode 100644 +index 0000000..5b5951b +--- /dev/null ++++ b/ext/standard/tests/general_functions/bug67498.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++phpinfo() Type Confusion Information Leak Vulnerability ++--FILE-- ++ ++==DONE== ++--EXPECTF-- ++phpinfo() ++ ++PHP Variables ++%A ++==DONE== diff --git a/php.spec b/php.spec index 9f116ba..9bf7312 100644 --- a/php.spec +++ b/php.spec @@ -119,7 +119,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules. %endif %endif -%define rel 11 +%define rel 12 %define orgname php %define ver_suffix 53 %define php_suffix %{!?with_default_php:%{ver_suffix}} @@ -165,6 +165,7 @@ Patch11: embed.patch %if %{with type_hints} Patch12: http://ilia.ws/patch/type_hint_53_v2.txt %endif +Patch13: php-secbug-67498.patch Patch14: %{orgname}-no_pear_install.patch Patch15: %{orgname}-zlib.patch Patch17: %{orgname}-readline.patch @@ -1999,6 +2000,7 @@ cp -p php.ini-production php.ini %if %{with type_hints} %patch12 -p0 %endif +%patch13 -p1 %patch14 -p1 %patch15 -p1 %patch17 -p1 -- 2.44.0