php: 5.2.13 and 5.3.2 both have flaws in the handling of xmlrpc

This is addressing CVE-2010-0397.patch.
author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-03-21 11:00:48 +0800
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-03-21 11:00:48 +0800
commit: 30c7c2f4a647216d58a6e4599d73356e0249a2b5 (patch)
tree: 4dbd31fff5c50da067e0f851e339184dc31ad509 /recipes/php/php-5.3.2
parent: cb1278efa38d7791b6ca9e9e3e61d4f1b7ee1a2e (diff)
download: openembedded-30c7c2f4a647216d58a6e4599d73356e0249a2b5.tar.gz
1 files changed, 57 insertions, 0 deletions
diff --git a/recipes/php/php-5.3.2/CVE-2010-0397.patch b/recipes/php/php-5.3.2/CVE-2010-0397.patch
new file mode 100644
index 0000000000..0d9c23d049
--- /dev/null
+++ b/recipes/php/php-5.3.2/CVE-2010-0397.patch
@@ -0,0 +1,57 @@
+Description: Fix a null pointer dereference when processing invalid
+ XML-RPC requests.
+Origin: vendor
+Forwarded: http://bugs.php.net/51288
+Last-Update: 2010-03-12
+
+Index: php/ext/xmlrpc/tests/bug51288.phpt
+===================================================================
+--- /dev/null
++++ php/ext/xmlrpc/tests/bug51288.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
++--FILE--
++<?php
++$method = NULL;
++$req = '<?xml version="1.0"?><methodCall></methodCall>';
++var_dump(xmlrpc_decode_request($req, $method));
++var_dump($method);
++echo "Done\n";
++?>
++--EXPECT--
++NULL
++NULL
++Done
+Index: php/ext/xmlrpc/xmlrpc-epi-php.c
+===================================================================
+--- php.orig/ext/xmlrpc/xmlrpc-epi-php.c
++++ php/ext/xmlrpc/xmlrpc-epi-php.c
+@@ -778,6 +778,7 @@
+ 	zval* retval = NULL;
+ 	XMLRPC_REQUEST response;
+ 	STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
++	const char *method_name;
+ 	opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT;
+ 
+ 	/* generate XMLRPC_REQUEST from raw xml */
+@@ -788,10 +789,15 @@
+ 
+ 		if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
+ 			if (method_name_out) {
+-				zval_dtor(method_name_out);
+-				Z_TYPE_P(method_name_out) = IS_STRING;
+-				Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
+-				Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
++				method_name = XMLRPC_RequestGetMethodName(response);
++				if (method_name) {
++					zval_dtor(method_name_out);
++					Z_TYPE_P(method_name_out) = IS_STRING;
++					Z_STRVAL_P(method_name_out) = estrdup(method_name);
++					Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
++				} else {
++					retval = NULL;
++				}
+ 			}
+ 		}
+
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-03-21 11:00:48 +0800
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-03-21 11:00:48 +0800
commit	30c7c2f4a647216d58a6e4599d73356e0249a2b5 (patch)
tree	4dbd31fff5c50da067e0f851e339184dc31ad509 /recipes/php/php-5.3.2
parent	cb1278efa38d7791b6ca9e9e3e61d4f1b7ee1a2e (diff)
download	openembedded-30c7c2f4a647216d58a6e4599d73356e0249a2b5.tar.gz