File php-5.2.5-CVE-2008-2050.patch of Package php5
Index: sapi/cgi/cgi_main.c
===================================================================
RCS file: /repository/php-src/sapi/cgi/cgi_main.c,v
retrieving revision 1.267.2.15.2.52
retrieving revision 1.267.2.15.2.56
diff -u -p -r1.267.2.15.2.52 -r1.267.2.15.2.56
--- sapi/cgi/cgi_main.c 1 Nov 2007 15:23:14 -0000 1.267.2.15.2.52
+++ sapi/cgi/cgi_main.c 9 Apr 2008 09:16:40 -0000 1.267.2.15.2.56
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2007 The PHP Group |
+ | Copyright (c) 1997-2008 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -21,7 +21,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: cgi_main.c,v 1.267.2.15.2.52 2007/11/01 15:23:14 dmitry Exp $ */
+/* $Id: cgi_main.c,v 1.267.2.15.2.56 2008/04/09 09:16:40 dmitry Exp $ */
#include "php.h"
#include "php_globals.h"
@@ -1017,7 +1017,7 @@ static void init_request_info(TSRMLS_D)
) {
/* PATH_TRANSLATED = PATH_TRANSLATED - SCRIPT_NAME + PATH_INFO */
int ptlen = strlen(pt) - strlen(env_script_name);
- int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;
+ int path_translated_len = ptlen + (env_path_info ? strlen(env_path_info) : 0);
char *path_translated = NULL;
path_translated = (char *) emalloc(path_translated_len + 1);
@@ -1661,12 +1661,12 @@ consult the installation file that came
}
script_file = estrdup(php_optarg);
no_headers = 1;
- /* arguments after the file are considered script args */
- SG(request_info).argc = argc - (php_optind - 1);
- SG(request_info).argv = &argv[php_optind - 1];
break;
case 'i': /* php info & quit */
+ if (script_file) {
+ efree(script_file);
+ }
if (php_request_startup(TSRMLS_C) == FAILURE) {
SG(server_context) = NULL;
php_module_shutdown(TSRMLS_C);
@@ -1687,6 +1687,9 @@ consult the installation file that came
break;
case 'm': /* list compiled in modules */
+ if (script_file) {
+ efree(script_file);
+ }
php_output_startup();
php_output_activate(TSRMLS_C);
SG(headers_sent) = 1;
@@ -1710,6 +1713,9 @@ consult the installation file that came
break;
case 'v': /* show php version & quit */
+ if (script_file) {
+ efree(script_file);
+ }
no_headers = 1;
if (php_request_startup(TSRMLS_C) == FAILURE) {
SG(server_context) = NULL;
@@ -1721,9 +1727,9 @@ consult the installation file that came
SG(request_info).no_headers = 1;
}
#if ZEND_DEBUG
- php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2007 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+ php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2008 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
#else
- php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2007 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+ php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2008 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
#endif
php_request_shutdown((void *) 0);
exit_status = 0;
@@ -1746,6 +1752,18 @@ consult the installation file that came
/* override path_translated if -f on command line */
STR_FREE(SG(request_info).path_translated);
SG(request_info).path_translated = script_file;
+ /* before registering argv to module exchange the *new* argv[0] */
+ /* we can achieve this without allocating more memory */
+ SG(request_info).argc = argc - (php_optind - 1);
+ SG(request_info).argv = &argv[php_optind - 1];
+ SG(request_info).argv[0] = script_file;
+ } else if (argc > php_optind) {
+ /* file is on command line, but not in -f opt */
+ STR_FREE(SG(request_info).path_translated);
+ SG(request_info).path_translated = estrdup(argv[php_optind]);
+ /* arguments after the file are considered script args */
+ SG(request_info).argc = argc - php_optind;
+ SG(request_info).argv = &argv[php_optind];
}
if (no_headers) {
@@ -1753,14 +1771,6 @@ consult the installation file that came
SG(request_info).no_headers = 1;
}
- if (!SG(request_info).path_translated && argc > php_optind) {
- /* arguments after the file are considered script args */
- SG(request_info).argc = argc - php_optind;
- SG(request_info).argv = &argv[php_optind];
- /* file is on command line, but not in -f opt */
- SG(request_info).path_translated = estrdup(argv[php_optind++]);
- }
-
/* all remaining arguments are part of the query string
this section of code concatenates all remaining arguments
into a single string, seperating args with a &
Index: sapi/cgi/fastcgi.c
===================================================================
RCS file: /repository/php-src/sapi/cgi/fastcgi.c,v
retrieving revision 1.4.2.13.2.28
retrieving revision 1.4.2.13.2.30
diff -u -p -r1.4.2.13.2.28 -r1.4.2.13.2.30
--- sapi/cgi/fastcgi.c 7 Sep 2007 08:26:47 -0000 1.4.2.13.2.28
+++ sapi/cgi/fastcgi.c 3 Apr 2008 10:24:44 -0000 1.4.2.13.2.30
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2007 The PHP Group |
+ | Copyright (c) 1997-2008 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: fastcgi.c,v 1.4.2.13.2.28 2007/09/07 08:26:47 dmitry Exp $ */
+/* $Id: fastcgi.c,v 1.4.2.13.2.30 2008/04/03 10:24:44 dmitry Exp $ */
#include "php.h"
#include "fastcgi.h"
@@ -593,6 +593,9 @@ static inline int fcgi_make_header(fcgi_
hdr->reserved = 0;
hdr->type = type;
hdr->version = FCGI_VERSION_1;
+ if (pad) {
+ memset(((unsigned char*)hdr) + sizeof(fcgi_header) + len, 0, pad);
+ }
return pad;
}
@@ -777,7 +780,7 @@ int fcgi_read(fcgi_request *req, char *s
{
int ret, n, rest;
fcgi_header hdr;
- unsigned char buf[8];
+ unsigned char buf[255];
n = 0;
rest = len;
Index: sapi/cgi/fastcgi.h
===================================================================
RCS file: /repository/php-src/sapi/cgi/fastcgi.h,v
retrieving revision 1.2.2.4.2.5
retrieving revision 1.2.2.4.2.6
diff -u -p -r1.2.2.4.2.5 -r1.2.2.4.2.6
--- sapi/cgi/fastcgi.h 21 May 2007 09:08:13 -0000 1.2.2.4.2.5
+++ sapi/cgi/fastcgi.h 31 Dec 2007 07:20:16 -0000 1.2.2.4.2.6
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2007 The PHP Group |
+ | Copyright (c) 1997-2008 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: fastcgi.h,v 1.2.2.4.2.5 2007/05/21 09:08:13 dmitry Exp $ */
+/* $Id: fastcgi.h,v 1.2.2.4.2.6 2007/12/31 07:20:16 sebastian Exp $ */
/* FastCGI protocol */
Index: sapi/cgi/getopt.c
===================================================================
RCS file: /repository/php-src/sapi/cgi/Attic/getopt.c,v
retrieving revision 1.9.2.1.2.4
retrieving revision 1.9.2.1.2.5
diff -u -p -r1.9.2.1.2.4 -r1.9.2.1.2.5
--- sapi/cgi/getopt.c 23 Apr 2007 11:05:16 -0000 1.9.2.1.2.4
+++ sapi/cgi/getopt.c 31 Dec 2007 07:20:16 -0000 1.9.2.1.2.5
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2007 The PHP Group |
+ | Copyright (c) 1997-2008 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: getopt.c,v 1.9.2.1.2.4 2007/04/23 11:05:16 tony2001 Exp $ */
+/* $Id: getopt.c,v 1.9.2.1.2.5 2007/12/31 07:20:16 sebastian Exp $ */
#include <stdio.h>
#include <string.h>
Index: sapi/cgi/php_getopt.h
===================================================================
RCS file: /repository/php-src/sapi/cgi/Attic/php_getopt.h,v
retrieving revision 1.7.2.1.2.2
retrieving revision 1.7.2.1.2.3
diff -u -p -r1.7.2.1.2.2 -r1.7.2.1.2.3
--- sapi/cgi/php_getopt.h 15 Apr 2007 22:50:58 -0000 1.7.2.1.2.2
+++ sapi/cgi/php_getopt.h 31 Dec 2007 07:20:16 -0000 1.7.2.1.2.3
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2007 The PHP Group |
+ | Copyright (c) 1997-2008 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php_getopt.h,v 1.7.2.1.2.2 2007/04/15 22:50:58 sniper Exp $ */
+/* $Id: php_getopt.h,v 1.7.2.1.2.3 2007/12/31 07:20:16 sebastian Exp $ */
#include "php.h"
