* [PATCH 0/7][fido] Pull request
@ 2016-02-07 21:11 Armin Kuster
2016-02-07 21:11 ` [PATCH 1/7] squid: serveral missing security fixes Armin Kuster
` (6 more replies)
0 siblings, 7 replies; 12+ messages in thread
From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw)
To: otavio, openembedded-devel, akuster808
From: Armin Kuster <akuster@mvista.com>
Please consider these few Security and build fixes for fido-next
The following changes since commit 220b31d536cf15e68c11980e0c721a7050313db1:
ntp: upgrade 4.2.8p2 -> 4.2.8p3 (2015-10-26 21:43:09 +0100)
are available in the git repository at:
git://github.com/akuster/meta-openembedded akuster/fido-next
https://github.com//tree/akuster/fido-next
Armin Kuster (5):
squid: serveral missing security fixes
php: Security fix CVE-2015-7803
php: Security fix CVE-2015-7804
php: Security fix CVE-2016-1903
krb5: Fix warning.
Qi.Chen@windriver.com (1):
ntp: fix rpath QA issue
Wenzong Fan (1):
ntp: upgrade 4.2.8p3 -> 4.2.8p4
.../squid/files/CVE-2014-6270.patch | 61 +++++
.../squid/files/CVE-2014-7141_CVE-2014-7142.patch | 282 ++++++++++++++++++++
.../squid/files/CVE-2015-3455.patch | 53 ++++
.../squid/files/CVE-2015-5400.patch | 292 +++++++++++++++++++++
.../recipes-daemons/squid/squid_3.4.7.bb | 4 +
.../ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} | 5 +-
meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +-
.../recipes-devtools/php/php/CVE-2015-7803.patch | 82 ++++++
.../recipes-devtools/php/php/CVE-2015-7804.patch | 62 +++++
.../recipes-devtools/php/php/CVE-2016-1903.patch | 28 ++
meta-oe/recipes-devtools/php/php_5.5.21.bb | 3 +
11 files changed, 871 insertions(+), 3 deletions(-)
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch
rename meta-networking/recipes-support/ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} (97%)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch
--
2.3.5
^ permalink raw reply [flat|nested] 12+ messages in thread* [PATCH 1/7] squid: serveral missing security fixes 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster @ 2016-02-07 21:11 ` Armin Kuster 2016-02-07 21:11 ` [PATCH 2/7] ntp: fix rpath QA issue Armin Kuster ` (5 subsequent siblings) 6 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw) To: otavio, openembedded-devel, akuster808 From: Armin Kuster <akuster@mvista.com> SQUID-2015:2 - Does not affect Squid-3.4 and older versions are not vulnerable. CVE-2015-5400 CVE-2015-3455 CVE-2014-7142 CVE-2014-7141 CVE-2014-6270 see http://www.squid-cache.org/Advisories/ Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../squid/files/CVE-2014-6270.patch | 61 +++++ .../squid/files/CVE-2014-7141_CVE-2014-7142.patch | 282 ++++++++++++++++++++ .../squid/files/CVE-2015-3455.patch | 53 ++++ .../squid/files/CVE-2015-5400.patch | 292 +++++++++++++++++++++ .../recipes-daemons/squid/squid_3.4.7.bb | 4 + 5 files changed, 692 insertions(+) create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch b/meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch new file mode 100644 index 0000000..8f87634 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch @@ -0,0 +1,61 @@ +Fix: CVE-2014-3609 + +revno: 13172 +revision-id: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt +parent: squid3@treenet.co.nz-20140827142207-n6y0r0iuv4sq6hvg +author: Sebastian Krahmer <krahmer@suse.com> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.4 +timestamp: Sun 2014-09-14 22:58:34 -0600 +message: + Fix off by one in SNMP subsystem +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: 72ffc18d9c25a0412efc813dc5cde1c63e8ebe46 +# timestamp: 2014-09-15 11:08:17 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3@treenet.co.nz-20140827142207-\ +# n6y0r0iuv4sq6hvg +# +# Begin patch + +Upstream-Status: Backport + +http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13172.patch + +Signed-of-by: Armin Kuster <akuster@mvista.com> + +=== modified file 'src/snmp_core.cc' +--- a/src/snmp_core.cc 2014-02-18 08:46:49 +0000 ++++ b/src/snmp_core.cc 2014-09-15 04:58:34 +0000 +@@ -362,7 +362,7 @@ + void + snmpHandleUdp(int sock, void *not_used) + { +- LOCAL_ARRAY(char, buf, SNMP_REQUEST_SIZE); ++ static char buf[SNMP_REQUEST_SIZE]; + Ip::Address from; + SnmpRequest *snmp_rq; + int len; +@@ -371,16 +371,11 @@ + + Comm::SetSelect(sock, COMM_SELECT_READ, snmpHandleUdp, NULL, 0); + +- memset(buf, '\0', SNMP_REQUEST_SIZE); ++ memset(buf, '\0', sizeof(buf)); + +- len = comm_udp_recvfrom(sock, +- buf, +- SNMP_REQUEST_SIZE, +- 0, +- from); ++ len = comm_udp_recvfrom(sock, buf, sizeof(buf)-1, 0, from); + + if (len > 0) { +- buf[len] = '\0'; + debugs(49, 3, "snmpHandleUdp: FD " << sock << ": received " << len << " bytes from " << from << "."); + + snmp_rq = (SnmpRequest *)xcalloc(1, sizeof(SnmpRequest)); + diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch new file mode 100644 index 0000000..5d4c620 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch @@ -0,0 +1,282 @@ +Fix: CVE-2014-7141 CVE-2014-7142 + +revno: 13173 +revision-id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw +parent: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt +author: Amos Jeffries <squid3@treenet.co.nz>, Sebastian Krahmer <krahmer@suse.com> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.4 +timestamp: Sun 2014-09-14 23:06:14 -0600 +message: + Fix various ICMP handling issues in Squid pinger + + * ICMP code type logging display could over-read the registered type + string arrays. + + * Malformed ICMP packets were accepted into processing with undefined + and potentially nasty results. + + Both sets of flaws can result in pinger segmentation fault and halting + the Squid functionality relying on pinger for correct operation. + + Thanks to the OpenSUSE project for analysis and resolution of these. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: 234c1592673c5317e1b323018226e04941cc61a8 +# timestamp: 2014-09-15 11:08:18 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3@treenet.co.nz-20140915045834-\ +# qo85nnsinp9wu4gt +# +# Begin patch + +Upstream-Status: Backport + +http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13173.patch + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +=== modified file 'src/icmp/Icmp4.cc' +--- a/src/icmp/Icmp4.cc 2013-06-03 14:05:16 +0000 ++++ b/src/icmp/Icmp4.cc 2014-09-15 05:06:14 +0000 +@@ -41,26 +41,38 @@ + #include "IcmpPinger.h" + #include "Debug.h" + +-const char *icmpPktStr[] = { +- "Echo Reply", +- "ICMP 1", +- "ICMP 2", +- "Destination Unreachable", +- "Source Quench", +- "Redirect", +- "ICMP 6", +- "ICMP 7", +- "Echo", +- "ICMP 9", +- "ICMP 10", +- "Time Exceeded", +- "Parameter Problem", +- "Timestamp", +- "Timestamp Reply", +- "Info Request", +- "Info Reply", +- "Out of Range Type" +-}; ++static const char * ++IcmpPacketType(uint8_t v) ++{ ++ static const char *icmpPktStr[] = { ++ "Echo Reply", ++ "ICMP 1", ++ "ICMP 2", ++ "Destination Unreachable", ++ "Source Quench", ++ "Redirect", ++ "ICMP 6", ++ "ICMP 7", ++ "Echo", ++ "ICMP 9", ++ "ICMP 10", ++ "Time Exceeded", ++ "Parameter Problem", ++ "Timestamp", ++ "Timestamp Reply", ++ "Info Request", ++ "Info Reply", ++ "Out of Range Type" ++ }; ++ ++ if (v > 17) { ++ static char buf[50]; ++ snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v); ++ return buf; ++ } ++ ++ return icmpPktStr[v]; ++} + + Icmp4::Icmp4() : Icmp() + { +@@ -187,6 +199,12 @@ + from->ai_addr, + &from->ai_addrlen); + ++ if (n <= 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + preply.from = *from; + + #if GETTIMEOFDAY_NO_TZP +@@ -243,9 +261,15 @@ + + preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ); + ++ if (preply.psize < 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) ); + +- Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops); ++ Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops); + Ip::Address::FreeAddrInfo(from); + } + + +=== modified file 'src/icmp/Icmp6.cc' +--- a/src/icmp/Icmp6.cc 2013-06-03 14:05:16 +0000 ++++ b/src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000 +@@ -50,57 +50,61 @@ + + // Icmp6 OP-Codes + // see http://www.iana.org/assignments/icmpv6-parameters +-// NP: LowPktStr is for codes 0-127 +-static const char *icmp6LowPktStr[] = { +- "ICMP 0", // 0 +- "Destination Unreachable", // 1 - RFC2463 +- "Packet Too Big", // 2 - RFC2463 +- "Time Exceeded", // 3 - RFC2463 +- "Parameter Problem", // 4 - RFC2463 +- "ICMP 5", // 5 +- "ICMP 6", // 6 +- "ICMP 7", // 7 +- "ICMP 8", // 8 +- "ICMP 9", // 9 +- "ICMP 10" // 10 +-}; +- +-// NP: HighPktStr is for codes 128-255 +-static const char *icmp6HighPktStr[] = { +- "Echo Request", // 128 - RFC2463 +- "Echo Reply", // 129 - RFC2463 +- "Multicast Listener Query", // 130 - RFC2710 +- "Multicast Listener Report", // 131 - RFC2710 +- "Multicast Listener Done", // 132 - RFC2710 +- "Router Solicitation", // 133 - RFC4861 +- "Router Advertisement", // 134 - RFC4861 +- "Neighbor Solicitation", // 135 - RFC4861 +- "Neighbor Advertisement", // 136 - RFC4861 +- "Redirect Message", // 137 - RFC4861 +- "Router Renumbering", // 138 - Crawford +- "ICMP Node Information Query", // 139 - RFC4620 +- "ICMP Node Information Response", // 140 - RFC4620 +- "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 +- "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 +- "Version 2 Multicast Listener Report", // 143 - RFC3810 +- "Home Agent Address Discovery Request", // 144 - RFC3775 +- "Home Agent Address Discovery Reply", // 145 - RFC3775 +- "Mobile Prefix Solicitation", // 146 - RFC3775 +- "Mobile Prefix Advertisement", // 147 - RFC3775 +- "Certification Path Solicitation", // 148 - RFC3971 +- "Certification Path Advertisement", // 149 - RFC3971 +- "ICMP Experimental (150)", // 150 - RFC4065 +- "Multicast Router Advertisement", // 151 - RFC4286 +- "Multicast Router Solicitation", // 152 - RFC4286 +- "Multicast Router Termination", // 153 - [RFC4286] +- "ICMP 154", +- "ICMP 155", +- "ICMP 156", +- "ICMP 157", +- "ICMP 158", +- "ICMP 159", +- "ICMP 160" +-}; ++static const char * ++IcmpPacketType(uint8_t v) ++{ ++ // NP: LowPktStr is for codes 0-127 ++ static const char *icmp6LowPktStr[] = { ++ "ICMPv6 0", // 0 ++ "Destination Unreachable", // 1 - RFC2463 ++ "Packet Too Big", // 2 - RFC2463 ++ "Time Exceeded", // 3 - RFC2463 ++ "Parameter Problem", // 4 - RFC2463 ++ }; ++ ++ // low codes 1-4 registered ++ if (0 < v && v < 5) ++ return icmp6LowPktStr[(int)(v&0x7f)]; ++ ++ // NP: HighPktStr is for codes 128-255 ++ static const char *icmp6HighPktStr[] = { ++ "Echo Request", // 128 - RFC2463 ++ "Echo Reply", // 129 - RFC2463 ++ "Multicast Listener Query", // 130 - RFC2710 ++ "Multicast Listener Report", // 131 - RFC2710 ++ "Multicast Listener Done", // 132 - RFC2710 ++ "Router Solicitation", // 133 - RFC4861 ++ "Router Advertisement", // 134 - RFC4861 ++ "Neighbor Solicitation", // 135 - RFC4861 ++ "Neighbor Advertisement", // 136 - RFC4861 ++ "Redirect Message", // 137 - RFC4861 ++ "Router Renumbering", // 138 - Crawford ++ "ICMP Node Information Query", // 139 - RFC4620 ++ "ICMP Node Information Response", // 140 - RFC4620 ++ "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 ++ "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 ++ "Version 2 Multicast Listener Report", // 143 - RFC3810 ++ "Home Agent Address Discovery Request", // 144 - RFC3775 ++ "Home Agent Address Discovery Reply", // 145 - RFC3775 ++ "Mobile Prefix Solicitation", // 146 - RFC3775 ++ "Mobile Prefix Advertisement", // 147 - RFC3775 ++ "Certification Path Solicitation", // 148 - RFC3971 ++ "Certification Path Advertisement", // 149 - RFC3971 ++ "ICMP Experimental (150)", // 150 - RFC4065 ++ "Multicast Router Advertisement", // 151 - RFC4286 ++ "Multicast Router Solicitation", // 152 - RFC4286 ++ "Multicast Router Termination", // 153 - [RFC4286] ++ }; ++ ++ // high codes 127-153 registered ++ if (127 < v && v < 154) ++ return icmp6HighPktStr[(int)(v&0x7f)]; ++ ++ // give all others a generic display ++ static char buf[50]; ++ snprintf(buf, sizeof(buf), "ICMPv6 %u", v); ++ return buf; ++} + + Icmp6::Icmp6() : Icmp() + { +@@ -236,6 +240,12 @@ + from->ai_addr, + &from->ai_addrlen); + ++ if (n <= 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + preply.from = *from; + + #if GETTIMEOFDAY_NO_TZP +@@ -291,8 +301,7 @@ + + default: + debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " << +- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ) +- ); ++ IcmpPacketType(icmp6header->icmp6_type)); + } + Ip::Address::FreeAddrInfo(from); + return; +@@ -331,7 +340,7 @@ + + Log(preply.from, + icmp6header->icmp6_type, +- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ), ++ IcmpPacketType(icmp6header->icmp6_type), + preply.rtt, + preply.hops); + + diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch b/meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch new file mode 100644 index 0000000..409f9a7 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch @@ -0,0 +1,53 @@ +Fix: CVE-2015-3455 + +------------------------------------------------------------ +revno: 13222 +revision-id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz +parent: squid3@treenet.co.nz-20150501071104-vd21fu43lvmqoqwa +author: Amos Jeffries <amosjeffries@squid-cache.org>, Christos Tsantilas <chtsanti@users.sourceforge.net> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.4 +timestamp: Fri 2015-05-01 00:16:51 -0700 +message: + Fix X509 server certificate domain matching + + The X509 certificate domain fields may contain non-ASCII encodings. + Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible + strings. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: e38694c3e222c506740510557d2a7a122786225c +# timestamp: 2015-05-01 07:17:25 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3@treenet.co.nz-20150501071104-\ +# vd21fu43lvmqoqwa +# +# Begin patch + +Upstream-Status: Backport + +http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13222.patch + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +=== modified file 'src/ssl/support.cc' +--- a/src/ssl/support.cc 2015-01-24 05:07:58 +0000 ++++ b/src/ssl/support.cc 2015-05-01 07:16:51 +0000 +@@ -209,7 +209,13 @@ + if (cn_data->length > (int)sizeof(cn) - 1) { + return 1; //if does not fit our buffer just ignore + } +- memcpy(cn, cn_data->data, cn_data->length); ++ char *s = reinterpret_cast<char*>(cn_data->data); ++ char *d = cn; ++ for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { ++ if (*s == '\0') ++ return 1; // always a domain mismatch. contains 0x00 ++ *d = *s; ++ } + cn[cn_data->length] = '\0'; + debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); + return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn); + diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch b/meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch new file mode 100644 index 0000000..41af2b1 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch @@ -0,0 +1,292 @@ +Fix: CVE-2015-5400 + +------------------------------------------------------------ +revno: 13225 +revision-id: squid3@treenet.co.nz-20150709032133-qg1patn5zngt4o4h +parent: squid3@treenet.co.nz-20150501100500-3utkhrao1yrd8ig6 +author: Alex Rousskov <rousskov@measurement-factory.com> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.4 +timestamp: Wed 2015-07-08 20:21:33 -0700 +message: + Do not blindly forward cache peer CONNECT responses. + + Squid blindly forwards cache peer CONNECT responses to clients. This + may break things if the peer responds with something like HTTP 403 + (Forbidden) and keeps the connection with Squid open: + - The client application issues a CONNECT request. + - Squid forwards this request to a cache peer. + - Cache peer correctly responds back with a "403 Forbidden". + - Squid does not parse cache peer response and + just forwards it as if it was a Squid response to the client. + - The TCP connections are not closed. + + At this stage, Squid is unaware that the CONNECT request has failed. All + subsequent requests on the user agent TCP connection are treated as + tunnelled traffic. Squid is forwarding these requests to the peer on the + TCP connection previously used for the 403-ed CONNECT request, without + proper processing. The additional headers which should have been applied + by Squid to these requests are not applied, and the requests are being + forwarded to the cache peer even though the Squid configuration may + state that these requests must go directly to the origin server. + + This fixes Squid to parse cache peer responses, and if an error response + found, respond with "502 Bad Gateway" to the client and close the + connections. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20150709032133-qg1patn5zngt4o4h +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: 6cbce093f30c8a09173eb610eaa423c7c305ff23 +# timestamp: 2015-07-09 03:40:35 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3@treenet.co.nz-20150501100500-\ +# 3utkhrao1yrd8ig6 +# +# Begin patch + +Upstream-Status: Backport +http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +=== modified file 'src/tunnel.cc' +--- a/src/tunnel.cc 2014-04-26 10:58:22 +0000 ++++ b/src/tunnel.cc 2015-07-09 03:21:33 +0000 +@@ -122,6 +122,10 @@ + (request->flags.interceptTproxy || request->flags.intercepted)); + } + ++ /// Sends "502 Bad Gateway" error response to the client, ++ /// if it is waiting for Squid CONNECT response, closing connections. ++ void informUserOfPeerError(const char *errMsg); ++ + class Connection + { + +@@ -139,13 +143,14 @@ + + void error(int const xerrno); + int debugLevelForError(int const xerrno) const; +- /// handles a non-I/O error associated with this Connection +- void logicError(const char *errMsg); + void closeIfOpen(); + void dataSent (size_t amount); ++ /// writes 'b' buffer, setting the 'writer' member to 'callback'. ++ void write(const char *b, int size, AsyncCall::Pointer &callback, FREE * free_func); + int len; + char *buf; + int64_t *size_ptr; /* pointer to size in an ConnStateData for logging */ ++ AsyncCall::Pointer writer; ///< pending Comm::Write callback + + Comm::ConnectionPointer conn; ///< The currently connected connection. + +@@ -195,13 +200,14 @@ + TunnelStateData *tunnelState = (TunnelStateData *)params.data; + debugs(26, 3, HERE << tunnelState->server.conn); + tunnelState->server.conn = NULL; ++ tunnelState->server.writer = NULL; + + if (tunnelState->noConnections()) { + delete tunnelState; + return; + } + +- if (!tunnelState->server.len) { ++ if (!tunnelState->client.writer) { + tunnelState->client.conn->close(); + return; + } +@@ -213,13 +219,14 @@ + TunnelStateData *tunnelState = (TunnelStateData *)params.data; + debugs(26, 3, HERE << tunnelState->client.conn); + tunnelState->client.conn = NULL; ++ tunnelState->client.writer = NULL; + + if (tunnelState->noConnections()) { + delete tunnelState; + return; + } + +- if (!tunnelState->client.len) { ++ if (!tunnelState->server.writer) { + tunnelState->server.conn->close(); + return; + } +@@ -343,6 +350,23 @@ + handleConnectResponse(len); + } + ++void ++TunnelStateData::informUserOfPeerError(const char *errMsg) ++{ ++ server.len = 0; ++ if (!clientExpectsConnectResponse()) { ++ // closing the connection is the best we can do here ++ debugs(50, 3, server.conn << " closing on error: " << errMsg); ++ server.conn->close(); ++ return; ++ } ++ ErrorState *err = new ErrorState(ERR_CONNECT_FAIL, Http::scBadGateway, request.getRaw()); ++ err->callback = tunnelErrorComplete; ++ err->callback_data = this; ++ *status_ptr = Http::scBadGateway; ++ errorSend(http->getConn()->clientConnection, err); ++} ++ + /* Read from client side and queue it for writing to the server */ + void + TunnelStateData::ReadConnectResponseDone(const Comm::ConnectionPointer &, char *buf, size_t len, comm_err_t errcode, int xerrno, void *data) +@@ -374,7 +398,7 @@ + const bool parsed = rep.parse(connectRespBuf, eof, &parseErr); + if (!parsed) { + if (parseErr > 0) { // unrecoverable parsing error +- server.logicError("malformed CONNECT response from peer"); ++ informUserOfPeerError("malformed CONNECT response from peer"); + return; + } + +@@ -383,7 +407,7 @@ + assert(!parseErr); + + if (!connectRespBuf->hasSpace()) { +- server.logicError("huge CONNECT response from peer"); ++ informUserOfPeerError("huge CONNECT response from peer"); + return; + } + +@@ -397,7 +421,8 @@ + + // bail if we did not get an HTTP 200 (Connection Established) response + if (rep.sline.status() != Http::scOkay) { +- server.logicError("unsupported CONNECT response status code"); ++ // if we ever decide to reuse the peer connection, we must extract the error response first ++ informUserOfPeerError("unsupported CONNECT response status code"); + return; + } + +@@ -416,13 +441,6 @@ + } + + void +-TunnelStateData::Connection::logicError(const char *errMsg) +-{ +- debugs(50, 3, conn << " closing on error: " << errMsg); +- conn->close(); +-} +- +-void + TunnelStateData::Connection::error(int const xerrno) + { + /* XXX fixme xstrerror and xerrno... */ +@@ -517,7 +535,7 @@ + debugs(26, 3, HERE << "Schedule Write"); + AsyncCall::Pointer call = commCbCall(5,5, "TunnelBlindCopyWriteHandler", + CommIoCbPtrFun(completion, this)); +- Comm::Write(to.conn, from.buf, len, call, NULL); ++ to.write(from.buf, len, call, NULL); + } + + /* Writes data from the client buffer to the server side */ +@@ -526,6 +544,7 @@ + { + TunnelStateData *tunnelState = (TunnelStateData *)data; + assert (cbdataReferenceValid (tunnelState)); ++ tunnelState->server.writer = NULL; + + tunnelState->writeServerDone(buf, len, flag, xerrno); + } +@@ -575,6 +594,7 @@ + { + TunnelStateData *tunnelState = (TunnelStateData *)data; + assert (cbdataReferenceValid (tunnelState)); ++ tunnelState->client.writer = NULL; + + tunnelState->writeClientDone(buf, len, flag, xerrno); + } +@@ -592,7 +612,14 @@ + } + + void +-TunnelStateData::writeClientDone(char *buf, size_t len, comm_err_t flag, int xerrno) ++TunnelStateData::Connection::write(const char *b, int size, AsyncCall::Pointer &callback, FREE * free_func) ++{ ++ writer = callback; ++ Comm::Write(conn, b, size, callback, free_func); ++} ++ ++void ++TunnelStateData::writeClientDone(char *, size_t len, comm_err_t flag, int xerrno) + { + debugs(26, 3, HERE << client.conn << ", " << len << " bytes written, flag=" << flag); + +@@ -712,6 +739,7 @@ + { + TunnelStateData *tunnelState = (TunnelStateData *)data; + debugs(26, 3, HERE << conn << ", flag=" << flag); ++ tunnelState->client.writer = NULL; + + if (flag != COMM_OK) { + *tunnelState->status_ptr = Http::scInternalServerError; +@@ -728,6 +756,7 @@ + { + TunnelStateData *tunnelState = (TunnelStateData *)data; + debugs(26, 3, conn << ", flag=" << flag); ++ tunnelState->server.writer = NULL; + assert(tunnelState->waitingForConnectRequest()); + + if (flag != COMM_OK) { +@@ -768,7 +797,7 @@ + else { + AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone", + CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState)); +- Comm::Write(tunnelState->client.conn, conn_established, strlen(conn_established), call, NULL); ++ tunnelState->client.write(conn_established, strlen(conn_established), call, NULL); + } + } + +@@ -955,29 +984,20 @@ + debugs(11, 2, "Tunnel Server REQUEST: " << tunnelState->server.conn << ":\n----------\n" << + Raw("tunnelRelayConnectRequest", mb.content(), mb.contentSize()) << "\n----------"); + +- if (tunnelState->clientExpectsConnectResponse()) { +- // hack: blindly tunnel peer response (to our CONNECT request) to the client as ours. +- AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectedWriteDone", +- CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState)); +- Comm::Write(srv, &mb, writeCall); +- } else { +- // we have to eat the connect response from the peer (so that the client +- // does not see it) and only then start shoveling data to the client +- AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectReqWriteDone", +- CommIoCbPtrFun(tunnelConnectReqWriteDone, +- tunnelState)); +- Comm::Write(srv, &mb, writeCall); +- tunnelState->connectReqWriting = true; +- +- tunnelState->connectRespBuf = new MemBuf; +- // SQUID_TCP_SO_RCVBUF: we should not accumulate more than regular I/O buffer +- // can hold since any CONNECT response leftovers have to fit into server.buf. +- // 2*SQUID_TCP_SO_RCVBUF: HttpMsg::parse() zero-terminates, which uses space. +- tunnelState->connectRespBuf->init(SQUID_TCP_SO_RCVBUF, 2*SQUID_TCP_SO_RCVBUF); +- tunnelState->readConnectResponse(); +- +- assert(tunnelState->waitingForConnectExchange()); +- } ++ AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectReqWriteDone", ++ CommIoCbPtrFun(tunnelConnectReqWriteDone, tunnelState)); ++ ++ tunnelState->server.write(mb.buf, mb.size, writeCall, mb.freeFunc()); ++ tunnelState->connectReqWriting = true; ++ ++ tunnelState->connectRespBuf = new MemBuf; ++ // SQUID_TCP_SO_RCVBUF: we should not accumulate more than regular I/O buffer ++ // can hold since any CONNECT response leftovers have to fit into server.buf. ++ // 2*SQUID_TCP_SO_RCVBUF: HttpMsg::parse() zero-terminates, which uses space. ++ tunnelState->connectRespBuf->init(SQUID_TCP_SO_RCVBUF, 2*SQUID_TCP_SO_RCVBUF); ++ tunnelState->readConnectResponse(); ++ ++ assert(tunnelState->waitingForConnectExchange()); + + AsyncCall::Pointer timeoutCall = commCbCall(5, 4, "tunnelTimeout", + CommTimeoutCbPtrFun(tunnelTimeout, tunnelState)); + diff --git a/meta-networking/recipes-daemons/squid/squid_3.4.7.bb b/meta-networking/recipes-daemons/squid/squid_3.4.7.bb index c5f616d..25940f7 100644 --- a/meta-networking/recipes-daemons/squid/squid_3.4.7.bb +++ b/meta-networking/recipes-daemons/squid/squid_3.4.7.bb @@ -20,6 +20,10 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P file://squid-use-serial-tests-config-needed-by-ptest.patch \ file://run-ptest \ file://volatiles.03_squid \ + file://CVE-2014-6270.patch \ + file://CVE-2014-7141_CVE-2014-7142.patch \ + file://CVE-2015-3455.patch \ + file://CVE-2015-5400.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \ -- 2.3.5 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 2/7] ntp: fix rpath QA issue 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster 2016-02-07 21:11 ` [PATCH 1/7] squid: serveral missing security fixes Armin Kuster @ 2016-02-07 21:11 ` Armin Kuster 2016-02-07 21:11 ` [PATCH 3/7] ntp: upgrade 4.2.8p3 -> 4.2.8p4 Armin Kuster ` (4 subsequent siblings) 6 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw) To: otavio, openembedded-devel, akuster808 From: "Qi.Chen@windriver.com" <Qi.Chen@windriver.com> When ntp could be correctly built with openssh and libcrypto, we would meet the following QA issue. WARNING: QA Issue: package ntp contains bad RPATH ... [rpath] Fix this problem by adding '--disable-rpath' to EXTRA_OECONF. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> --- meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb index 2c1345a..0a7a39e 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb @@ -35,6 +35,7 @@ EXTRA_OECONF += "--with-net-snmp-config=no \ ac_cv_header_readline_history_h=no \ --with-yielding_select=yes \ --with-locfile=redhat \ + --without-rpath \ " CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED" -- 2.3.5 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 3/7] ntp: upgrade 4.2.8p3 -> 4.2.8p4 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster 2016-02-07 21:11 ` [PATCH 1/7] squid: serveral missing security fixes Armin Kuster 2016-02-07 21:11 ` [PATCH 2/7] ntp: fix rpath QA issue Armin Kuster @ 2016-02-07 21:11 ` Armin Kuster 2016-02-07 21:11 ` [PATCH 4/7] php: Security fix CVE-2015-7803 Armin Kuster ` (3 subsequent siblings) 6 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw) To: otavio, openembedded-devel, akuster808 From: Wenzong Fan <wenzong.fan@windriver.com> 4.2.8p4 fixed following 13 low- and medium-severity vulnerabilities: * Bug 2941 CVE-2015-7871 * Bug 2922 CVE-2015-7855 * Bug 2921 CVE-2015-7854 * Bug 2920 CVE-2015-7853 * Bug 2919 CVE-2015-7852 * Bug 2918 CVE-2015-7851 * Bug 2917 CVE-2015-7850 * Bug 2916 CVE-2015-7849 * Bug 2913 CVE-2015-7848 * Bug 2909 CVE-2015-7701 * Bug 2902 CVE-2015-7703 * Bug 2901 CVE-2015-7704, CVE-2015-7705 * Bug 2899 CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 And three bugs: Bug 2382, 1774, 1593 Details at: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../recipes-support/ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-networking/recipes-support/ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} (97%) diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p4.bb similarity index 97% rename from meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb rename to meta-networking/recipes-support/ntp/ntp_4.2.8p4.bb index 0a7a39e..4fe2ed5 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p4.bb @@ -23,8 +23,8 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g file://ntpd.list \ " -SRC_URI[md5sum] = "b98b0cbb72f6df04608e1dd5f313808b" -SRC_URI[sha256sum] = "818ca4f2ed6ca845b1c5ec43f5e6ad905eaa0fc0aab2d509ed6b962a37fbf38f" +SRC_URI[md5sum] = "6af96862b09324a8ef965ca76b759c8b" +SRC_URI[sha256sum] = "0d6961572548d2c4af96f58f763e22ac620f5afef717384ddc317a0e365cfdb9" inherit autotools update-rc.d useradd systemd pkgconfig -- 2.3.5 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 4/7] php: Security fix CVE-2015-7803 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster ` (2 preceding siblings ...) 2016-02-07 21:11 ` [PATCH 3/7] ntp: upgrade 4.2.8p3 -> 4.2.8p4 Armin Kuster @ 2016-02-07 21:11 ` Armin Kuster 2016-02-07 21:11 ` [PATCH 5/7] php: Security fix CVE-2015-7804 Armin Kuster ` (2 subsequent siblings) 6 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw) To: otavio, openembedded-devel, akuster808 From: Armin Kuster <akuster@mvista.com> CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset() Signed-off-by: Armin Kuster <akuster@mvista.com> --- .../recipes-devtools/php/php/CVE-2015-7803.patch | 82 ++++++++++++++++++++++ meta-oe/recipes-devtools/php/php_5.5.21.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch diff --git a/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch b/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch new file mode 100644 index 0000000..5636f25 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch @@ -0,0 +1,82 @@ +From d698f0ae51f67c9cce870b09c59df3d6ba959244 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 28 Sep 2015 15:51:59 -0700 +Subject: [PATCH] Fix bug #69720: Null pointer dereference in + phar_get_fp_offset() + +Upsteam-Status: Backport +https://git.php.net/?p=php-src.git;a=patch;h=d698f0ae51f67c9cce870b09c59df3d6ba959244 + +CVE: CVE-2015-7803 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ext/phar/tests/bug69720.phar | Bin 0 -> 8192 bytes + ext/phar/tests/bug69720.phpt | 40 ++++++++++++++++++++++++++++++++++++++++ + ext/phar/util.c | 6 +++++- + 3 files changed, 45 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug69720.phar + create mode 100644 ext/phar/tests/bug69720.phpt + +Index: php-5.5.21/ext/phar/tests/bug69720.phpt +=================================================================== +--- /dev/null ++++ php-5.5.21/ext/phar/tests/bug69720.phpt +@@ -0,0 +1,40 @@ ++--TEST-- ++Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset() ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--FILE-- ++<?php ++try { ++ // open an existing phar ++ $p = new Phar(__DIR__."/bug69720.phar",0); ++ // Phar extends SPL's DirectoryIterator class ++ echo $p->getMetadata(); ++ foreach (new RecursiveIteratorIterator($p) as $file) { ++ // $file is a PharFileInfo class, and inherits from SplFileInfo ++ $temp=""; ++ $temp= $file->getFileName() . "\n"; ++ $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents ++ var_dump($file->getMetadata()); ++ } ++} ++ catch (Exception $e) { ++ echo 'Could not open Phar: ', $e; ++} ++?> ++--EXPECTF-- ++ ++MY_METADATA_NULL ++ ++Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d ++array(1) { ++ ["whatever"]=> ++ int(123) ++} ++object(DateTime)#2 (3) { ++ ["date"]=> ++ string(26) "2000-01-01 00:00:00.000000" ++ ["timezone_type"]=> ++ int(3) ++ ["timezone"]=> ++ string(3) "UTC" ++} +Index: php-5.5.21/ext/phar/util.c +=================================================================== +--- php-5.5.21.orig/ext/phar/util.c ++++ php-5.5.21/ext/phar/util.c +@@ -494,7 +494,11 @@ really_get_entry: + (*ret)->is_tar = entry->is_tar; + (*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC); + if (entry->link) { +- (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC); ++ phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC); ++ if(!link) { ++ return FAILURE; ++ } ++ (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC); + } else { + (*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC); + } diff --git a/meta-oe/recipes-devtools/php/php_5.5.21.bb b/meta-oe/recipes-devtools/php/php_5.5.21.bb index 4ad198a..3582b45 100644 --- a/meta-oe/recipes-devtools/php/php_5.5.21.bb +++ b/meta-oe/recipes-devtools/php/php_5.5.21.bb @@ -14,6 +14,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://acinclude-xml2-config.patch \ file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \ file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \ + file://CVE-2015-7803.patch \ " SRC_URI_append_class-target += " \ -- 2.3.5 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 5/7] php: Security fix CVE-2015-7804 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster ` (3 preceding siblings ...) 2016-02-07 21:11 ` [PATCH 4/7] php: Security fix CVE-2015-7803 Armin Kuster @ 2016-02-07 21:11 ` Armin Kuster 2016-02-07 21:11 ` [PATCH 6/7] php: Security fix CVE-2016-1903 Armin Kuster 2016-02-07 21:11 ` [PATCH 7/7] krb5: Fix warning Armin Kuster 6 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw) To: otavio, openembedded-devel, akuster808 From: Armin Kuster <akuster@mvista.com> CVE-2015-7804 php: uninitialized pointer in phar_make_dirstream() Signed-off-by: Armin Kuster <akuster@mvista.com> --- .../recipes-devtools/php/php/CVE-2015-7804.patch | 62 ++++++++++++++++++++++ meta-oe/recipes-devtools/php/php_5.5.21.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch diff --git a/meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch b/meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch new file mode 100644 index 0000000..ad211a3 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch @@ -0,0 +1,62 @@ +From e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 28 Sep 2015 17:12:35 -0700 +Subject: [PATCH] FIx bug #70433 - Uninitialized pointer in phar_make_dirstream + when zip entry filename is "/" + +Upstream-status: Backport + +https://git.php.net/?p=php-src.git;a=patch;h=e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 + +CVE: CVE-2015-7804 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ext/phar/dirstream.c | 2 +- + ext/phar/tests/bug70433.phpt | 23 +++++++++++++++++++++++ + ext/phar/tests/bug70433.zip | Bin 0 -> 264 bytes + 3 files changed, 24 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug70433.phpt + create mode 100755 ext/phar/tests/bug70433.zip + +Index: php-5.5.21/ext/phar/dirstream.c +=================================================================== +--- php-5.5.21.orig/ext/phar/dirstream.c ++++ php-5.5.21/ext/phar/dirstream.c +@@ -207,7 +207,7 @@ static php_stream *phar_make_dirstream(c + zend_hash_internal_pointer_reset(manifest); + + while (FAILURE != zend_hash_has_more_elements(manifest)) { +- if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) { ++ if (HASH_KEY_IS_STRING != zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) { + break; + } + +Index: php-5.5.21/ext/phar/tests/bug70433.phpt +=================================================================== +--- /dev/null ++++ php-5.5.21/ext/phar/tests/bug70433.phpt +@@ -0,0 +1,23 @@ ++--TEST-- ++Phar - bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/" ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--FILE-- ++<?php ++$phar = new PharData(__DIR__."/bug70433.zip"); ++var_dump($phar); ++$meta = $phar->getMetadata(); ++var_dump($meta); ++?> ++DONE ++--EXPECTF-- ++object(PharData)#1 (3) { ++ ["pathName":"SplFileInfo":private]=> ++ string(0) "" ++ ["glob":"DirectoryIterator":private]=> ++ bool(false) ++ ["subPathName":"RecursiveDirectoryIterator":private]=> ++ string(0) "" ++} ++NULL ++DONE diff --git a/meta-oe/recipes-devtools/php/php_5.5.21.bb b/meta-oe/recipes-devtools/php/php_5.5.21.bb index 3582b45..ed286d6 100644 --- a/meta-oe/recipes-devtools/php/php_5.5.21.bb +++ b/meta-oe/recipes-devtools/php/php_5.5.21.bb @@ -15,6 +15,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \ file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \ file://CVE-2015-7803.patch \ + file://CVE-2015-7804.patch \ " SRC_URI_append_class-target += " \ -- 2.3.5 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 6/7] php: Security fix CVE-2016-1903 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster ` (4 preceding siblings ...) 2016-02-07 21:11 ` [PATCH 5/7] php: Security fix CVE-2015-7804 Armin Kuster @ 2016-02-07 21:11 ` Armin Kuster 2016-02-07 21:11 ` [PATCH 7/7] krb5: Fix warning Armin Kuster 6 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw) To: otavio, openembedded-devel, akuster808 From: Armin Kuster <akuster@mvista.com> CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated Signed-off-by: Armin Kuster <akuster@mvista.com> --- .../recipes-devtools/php/php/CVE-2016-1903.patch | 28 ++++++++++++++++++++++ meta-oe/recipes-devtools/php/php_5.5.21.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch diff --git a/meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch b/meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch new file mode 100644 index 0000000..46c9a24 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch @@ -0,0 +1,28 @@ +From aa8d3a8cc612ba87c0497275f58a2317a90fb1c4 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 12 Jan 2016 13:52:27 +0100 +Subject: [PATCH] fix the fix for bug #70976 (imagerotate) + +Upstream-Status: Backport +https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4 + +CVE: CVE-2016-1903 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ext/gd/libgd/gd_interpolation.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +Index: php-5.5.21/ext/gd/libgd/gd_interpolation.c +=================================================================== +--- php-5.5.21.orig/ext/gd/libgd/gd_interpolation.c ++++ php-5.5.21/ext/gd/libgd/gd_interpolation.c +@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(con + images can be done at a later point. + */ + if (src->trueColor == 0) { +- if (bgcolor >= 0) { ++ if (bgcolor < gdMaxColors) { + bgcolor = gdTrueColorAlpha(src->red[bgcolor], src->green[bgcolor], src->blue[bgcolor], src->alpha[bgcolor]); + } + gdImagePaletteToTrueColor(src); diff --git a/meta-oe/recipes-devtools/php/php_5.5.21.bb b/meta-oe/recipes-devtools/php/php_5.5.21.bb index ed286d6..6bdd1c5 100644 --- a/meta-oe/recipes-devtools/php/php_5.5.21.bb +++ b/meta-oe/recipes-devtools/php/php_5.5.21.bb @@ -16,6 +16,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \ file://CVE-2015-7803.patch \ file://CVE-2015-7804.patch \ + file://CVE-2016-1903.patch \ " SRC_URI_append_class-target += " \ -- 2.3.5 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 7/7] krb5: Fix warning. 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster ` (5 preceding siblings ...) 2016-02-07 21:11 ` [PATCH 6/7] php: Security fix CVE-2016-1903 Armin Kuster @ 2016-02-07 21:11 ` Armin Kuster 2016-02-09 18:08 ` Martin Jansa 6 siblings, 1 reply; 12+ messages in thread From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw) To: otavio, openembedded-devel, akuster808 From: Armin Kuster <akuster@mvista.com> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value remove extra "/" Signed-off-by: Armin Kuster <akuster@mvista.com> --- meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb index c492496..c19fffb 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" -S = "${WORKDIR}/${BP}/src/" +S = "${WORKDIR}/${BP}/src" PACKAGECONFIG ??= "openssl" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" -- 2.3.5 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH 7/7] krb5: Fix warning. 2016-02-07 21:11 ` [PATCH 7/7] krb5: Fix warning Armin Kuster @ 2016-02-09 18:08 ` Martin Jansa 2016-02-09 20:27 ` akuster808 0 siblings, 1 reply; 12+ messages in thread From: Martin Jansa @ 2016-02-09 18:08 UTC (permalink / raw) To: openembedded-devel; +Cc: otavio [-- Attachment #1: Type: text/plain, Size: 1527 bytes --] On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote: > From: Armin Kuster <akuster@mvista.com> > > WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value > > remove extra "/" This patch isn't in master and master still has trailing /, why is this needed for fido only? > > Signed-off-by: Armin Kuster <akuster@mvista.com> > --- > meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb > index c492496..c19fffb 100644 > --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb > +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb > @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar > SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" > SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" > > -S = "${WORKDIR}/${BP}/src/" > +S = "${WORKDIR}/${BP}/src" > > PACKAGECONFIG ??= "openssl" > PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" > -- > 2.3.5 > > -- > _______________________________________________ > Openembedded-devel mailing list > Openembedded-devel@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-devel -- Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 188 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 7/7] krb5: Fix warning. 2016-02-09 18:08 ` Martin Jansa @ 2016-02-09 20:27 ` akuster808 2016-02-09 21:41 ` Khem Raj 0 siblings, 1 reply; 12+ messages in thread From: akuster808 @ 2016-02-09 20:27 UTC (permalink / raw) To: Martin Jansa, openembedded-devel; +Cc: otavio On 02/09/2016 10:08 AM, Martin Jansa wrote: > On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote: >> From: Armin Kuster <akuster@mvista.com> >> >> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value >> >> remove extra "/" > > This patch isn't in master and master still has trailing /, why is this > needed for fido only? I only saw it occur in fido. - armin > >> >> Signed-off-by: Armin Kuster <akuster@mvista.com> >> --- >> meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >> index c492496..c19fffb 100644 >> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >> @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar >> SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" >> SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" >> >> -S = "${WORKDIR}/${BP}/src/" >> +S = "${WORKDIR}/${BP}/src" >> >> PACKAGECONFIG ??= "openssl" >> PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" >> -- >> 2.3.5 >> >> -- >> _______________________________________________ >> Openembedded-devel mailing list >> Openembedded-devel@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-devel > ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 7/7] krb5: Fix warning. 2016-02-09 20:27 ` akuster808 @ 2016-02-09 21:41 ` Khem Raj 2016-02-09 23:33 ` akuster808 0 siblings, 1 reply; 12+ messages in thread From: Khem Raj @ 2016-02-09 21:41 UTC (permalink / raw) To: openembedded-devel; +Cc: otavio [-- Attachment #1: Type: text/plain, Size: 2071 bytes --] > On Feb 9, 2016, at 12:27 PM, akuster808 <akuster808@gmail.com> wrote: > > > > On 02/09/2016 10:08 AM, Martin Jansa wrote: >> On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote: >>> From: Armin Kuster <akuster@mvista.com> >>> >>> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value >>> >>> remove extra "/" >> >> This patch isn't in master and master still has trailing /, why is this >> needed for fido only? > > I only saw it occur in fido. it doesnt change any functionality if its included in master too moreover makes back port easier. so lets apply it to master as well. > > - armin >> >>> >>> Signed-off-by: Armin Kuster <akuster@mvista.com> >>> --- >>> meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >>> index c492496..c19fffb 100644 >>> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >>> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >>> @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar >>> SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" >>> SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" >>> >>> -S = "${WORKDIR}/${BP}/src/" >>> +S = "${WORKDIR}/${BP}/src" >>> >>> PACKAGECONFIG ??= "openssl" >>> PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" >>> -- >>> 2.3.5 >>> >>> -- >>> _______________________________________________ >>> Openembedded-devel mailing list >>> Openembedded-devel@lists.openembedded.org >>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel >> > -- > _______________________________________________ > Openembedded-devel mailing list > Openembedded-devel@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-devel [-- Attachment #2: Message signed with OpenPGP using GPGMail --] [-- Type: application/pgp-signature, Size: 211 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 7/7] krb5: Fix warning. 2016-02-09 21:41 ` Khem Raj @ 2016-02-09 23:33 ` akuster808 0 siblings, 0 replies; 12+ messages in thread From: akuster808 @ 2016-02-09 23:33 UTC (permalink / raw) To: openembedded-devel; +Cc: otavio On 02/09/2016 01:41 PM, Khem Raj wrote: > >> On Feb 9, 2016, at 12:27 PM, akuster808 <akuster808@gmail.com> wrote: >> >> >> >> On 02/09/2016 10:08 AM, Martin Jansa wrote: >>> On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote: >>>> From: Armin Kuster <akuster@mvista.com> >>>> >>>> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value >>>> >>>> remove extra "/" >>> >>> This patch isn't in master and master still has trailing /, why is this >>> needed for fido only? >> >> I only saw it occur in fido. > > it doesnt change any functionality if its included in master too moreover makes back port easier. > so lets apply it to master as well. sending patches - armin > >> >> - armin >>> >>>> >>>> Signed-off-by: Armin Kuster <akuster@mvista.com> >>>> --- >>>> meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >>>> index c492496..c19fffb 100644 >>>> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >>>> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb >>>> @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar >>>> SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" >>>> SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" >>>> >>>> -S = "${WORKDIR}/${BP}/src/" >>>> +S = "${WORKDIR}/${BP}/src" >>>> >>>> PACKAGECONFIG ??= "openssl" >>>> PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" >>>> -- >>>> 2.3.5 >>>> >>>> -- >>>> _______________________________________________ >>>> Openembedded-devel mailing list >>>> Openembedded-devel@lists.openembedded.org >>>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel >>> >> -- >> _______________________________________________ >> Openembedded-devel mailing list >> Openembedded-devel@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-devel > > > ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2016-02-09 23:33 UTC | newest] Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-02-07 21:11 [PATCH 0/7][fido] Pull request Armin Kuster 2016-02-07 21:11 ` [PATCH 1/7] squid: serveral missing security fixes Armin Kuster 2016-02-07 21:11 ` [PATCH 2/7] ntp: fix rpath QA issue Armin Kuster 2016-02-07 21:11 ` [PATCH 3/7] ntp: upgrade 4.2.8p3 -> 4.2.8p4 Armin Kuster 2016-02-07 21:11 ` [PATCH 4/7] php: Security fix CVE-2015-7803 Armin Kuster 2016-02-07 21:11 ` [PATCH 5/7] php: Security fix CVE-2015-7804 Armin Kuster 2016-02-07 21:11 ` [PATCH 6/7] php: Security fix CVE-2016-1903 Armin Kuster 2016-02-07 21:11 ` [PATCH 7/7] krb5: Fix warning Armin Kuster 2016-02-09 18:08 ` Martin Jansa 2016-02-09 20:27 ` akuster808 2016-02-09 21:41 ` Khem Raj 2016-02-09 23:33 ` akuster808
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.