Package: php5-curl Severity: normal Tags: security patch
Good day, CVE-2006-2563 : | The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to | bypass safe mode and read files via a | file:// request containing null characters. More info (and an exploit) is available from : http://www.securityfocus.com/archive/1/archive/1/435194/100/0/threaded This have been fixed in upstream CVS http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14&r2=1.62.2.15 patch is attached. Please mention the CVE number in changelog when fixing this bug. Regards -- Djoume SALVETTI -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: powerpc (ppc) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.15-1-powerpc Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
--- interface.c 2006/04/13 11:26:10 1.62.2.14
+++ interface.c 2006/05/21 16:33:39 1.62.2.15
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: interface.c,v 1.62.2.14 2006/04/13 11:26:10 tony2001 Exp $ */
+/* $Id: interface.c,v 1.62.2.15 2006/05/21 16:33:39 iliaa Exp $ */
#define ZEND_INCLUDE_FULL_WINDOWS_HEADERS
@@ -161,11 +161,16 @@
strncasecmp(str, "file:", sizeof("file:") - 1) == 0)
\
{
\
php_url *tmp_url;
\
-
\
+
\
if (!(tmp_url = php_url_parse_ex(str, len))) {
\
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid
url '%s'", str); \
RETURN_FALSE;
\
}
\
+
\
+ if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str
+ len)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s'
contains unencoded control characters.", str); \
+ RETURN_FALSE;
\
+ }
\
\
if (tmp_url->query || tmp_url->fragment ||
php_check_open_basedir(tmp_url->path TSRMLS_CC) ||
\
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+",
CHECKUID_CHECK_MODE_PARAM)) \
