Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package php5
Bug#702221: php5: CVE-2013-1635 CVE-2013-1643
Hi,
two issues have been reported in php5. CVE-2013-1635 doesn't classify as a
security
issue per the Debian Security policy, but if the fix is non-intrusive we
could include it nonetheless:
CVE-2013-1643
http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36
CVE-2013-1635
http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74
$ diffstat php5_5.4.4-14.debdiff
debian/patches/CVE-2013-1635.patch | 44 ++++++++++++
debian/patches/CVE-2013-1643.patch | 135 +++++++++++++++++++++++++++++++++++++
php5-5.4.4/debian/changelog | 8 ++
php5-5.4.4/debian/patches/series | 2
4 files changed, 189 insertions(+)
Debdiff attached, squeeze version has been already uploaded to security-master.
unblock php5/5.4.4-14
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,11 @@
+php5 (5.4.4-14) unstable; urgency=high
+
+ * [CVE-2013-1635] Fixed external entity loading
+ * [CVE-2013-1643] Check if soap.wsdl_cache_dir confirms to open_basedir
+ (Closes: #702221)
+
+ -- Ondřej Surý <ond...@debian.org> Mon, 04 Mar 2013 14:30:16 +0100
+
php5 (5.4.4-13) unstable; urgency=high
* Add yet another patch to fix unlimited recursion in session extension
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -79,0 +80,2 @@
+CVE-2013-1635.patch
+CVE-2013-1643.patch
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/CVE-2013-1635.patch
+++ php5-5.4.4/debian/patches/CVE-2013-1635.patch
@@ -0,0 +1,44 @@
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -497,10 +497,40 @@ ZEND_INI_MH(OnUpdateCacheMode)
+ return SUCCESS;
+ }
+
++static PHP_INI_MH(OnUpdateCacheDir)
++{
++ /* Only do the open_basedir check at runtime */
++ if (stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) {
++ char *p;
++
++ if (memchr(new_value, '\0', new_value_length) != NULL) {
++ return FAILURE;
++ }
++
++ /* we do not use zend_memrchr() since path can contain ; itself */
++ if ((p = strchr(new_value, ';'))) {
++ char *p2;
++ p++;
++ if ((p2 = strchr(p, ';'))) {
++ p = p2 + 1;
++ }
++ } else {
++ p = new_value;
++ }
++
++ if (PG(open_basedir) && *p && php_check_open_basedir(p TSRMLS_CC)) {
++ return FAILURE;
++ }
++ }
++
++ OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
++ return SUCCESS;
++}
++
+ PHP_INI_BEGIN()
+ STD_PHP_INI_ENTRY("soap.wsdl_cache_enabled", "1", PHP_INI_ALL, OnUpdateCacheEnabled,
+ cache_enabled, zend_soap_globals, soap_globals)
+-STD_PHP_INI_ENTRY("soap.wsdl_cache_dir", "/tmp", PHP_INI_ALL, OnUpdateString,
++STD_PHP_INI_ENTRY("soap.wsdl_cache_dir", "/tmp", PHP_INI_ALL, OnUpdateCacheDir,
+ cache_dir, zend_soap_globals, soap_globals)
+ STD_PHP_INI_ENTRY("soap.wsdl_cache_ttl", "86400", PHP_INI_ALL, OnUpdateLong,
+ cache_ttl, zend_soap_globals, soap_globals)
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/CVE-2013-1643.patch
+++ php5-5.4.4/debian/patches/CVE-2013-1643.patch
@@ -0,0 +1,135 @@
+--- a/ext/libxml/libxml.c
++++ b/ext/libxml/libxml.c
+@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml)
+ libxml_globals->error_buffer.c = NULL;
+ libxml_globals->error_list = NULL;
+ libxml_globals->entity_loader.fci.size = 0;
++ libxml_globals->entity_loader_disabled = 0;
+ }
+
+ static void _php_libxml_destroy_fci(zend_fcall_info *fci)
+@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v
+ }
+
+ static xmlParserInputBufferPtr
+-php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc)
+-{
+- return NULL;
+-}
+-
+-static xmlParserInputBufferPtr
+ php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc)
+ {
+ xmlParserInputBufferPtr ret;
+ void *context = NULL;
++ TSRMLS_FETCH();
++
++ if (LIBXML(entity_loader_disabled)) {
++ return NULL;
++ }
+
+ if (URI == NULL)
+ return(NULL);
+@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors)
+ }
+ /* }}} */
+
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC)
++{
++ zend_bool old = LIBXML(entity_loader_disabled);
++
++ LIBXML(entity_loader_disabled) = disable;
++ return old;
++}
++
+ /* {{{ proto bool libxml_disable_entity_loader([boolean disable])
+ Disable/Enable ability to load external entities */
+ static PHP_FUNCTION(libxml_disable_entity_loader)
+ {
+ zend_bool disable = 1;
+- xmlParserInputBufferCreateFilenameFunc old;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) {
+ return;
+ }
+
+- if (disable == 0) {
+- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename);
+- } else {
+- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload);
+- }
+-
+- if (old == php_libxml_input_buffer_noload) {
+- RETURN_TRUE;
+- }
+-
+- RETURN_FALSE;
++ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC));
+ }
+ /* }}} */
+
+--- a/ext/libxml/php_libxml.h
++++ b/ext/libxml/php_libxml.h
+@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml)
+ zend_fcall_info fci;
+ zend_fcall_info_cache fcc;
+ } entity_loader;
++ zend_bool entity_loader_disabled;
+ ZEND_END_MODULE_GLOBALS(libxml)
+
+ typedef struct _libxml_doc_props {
+@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error
+ PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s);
+ PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC);
+ PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC);
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC);
+
+ /* Init/shutdown functions*/
+ PHP_LIBXML_API void php_libxml_initialize(void);
+--- a/ext/soap/php_xml.c
++++ b/ext/soap/php_xml.c
+@@ -20,6 +20,7 @@
+ /* $Id$ */
+
+ #include "php_soap.h"
++#include "ext/libxml/php_libxml.h"
+ #include "libxml/parser.h"
+ #include "libxml/parserInternals.h"
+
+@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char *
+ ctxt = xmlCreateFileParserCtxt(filename);
+ PG(allow_url_fopen) = old_allow_url_fopen;
+ if (ctxt) {
++ zend_bool old;
++
+ ctxt->keepBlanks = 0;
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+ ctxt->sax->warning = NULL;
+ ctxt->sax->error = NULL;
+ /*ctxt->sax->fatalError = NULL;*/
++ old = php_libxml_disable_entity_loader(1);
+ xmlParseDocument(ctxt);
++ php_libxml_disable_entity_loader(old);
+ if (ctxt->wellFormed) {
+ ret = ctxt->myDoc;
+ if (ret->URL == NULL && ctxt->directory != NULL) {
+@@ -133,6 +138,8 @@ xmlDocPtr soap_xmlParseMemory(const void
+ */
+ ctxt = xmlCreateMemoryParserCtxt(buf, buf_size);
+ if (ctxt) {
++ zend_bool old;
++
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+ ctxt->sax->warning = NULL;
+@@ -141,7 +148,9 @@ xmlDocPtr soap_xmlParseMemory(const void
+ #if LIBXML_VERSION >= 20703
+ ctxt->options |= XML_PARSE_HUGE;
+ #endif
++ old = php_libxml_disable_entity_loader(1);
+ xmlParseDocument(ctxt);
++ php_libxml_disable_entity_loader(old);
+ if (ctxt->wellFormed) {
+ ret = ctxt->myDoc;
+ if (ret->URL == NULL && ctxt->directory != NULL) {
