php: Security fix CVE-2015-7803

CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset() Signed-off-by: Armin Kuster <akuster@mvista.com>
2026-01-01 13:58:06 +00:00 · 2016-02-07 11:26:47 -08:00 · 2016-02-07 11:26:47 -08:00 · 40eed80072
commit 40eed80072
parent c2107a12ab
2 changed files with 83 additions and 0 deletions
--- a/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch
+++ b/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch
@ -0,0 +1,82 @@
+From d698f0ae51f67c9cce870b09c59df3d6ba959244 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Sep 2015 15:51:59 -0700
+Subject: [PATCH] Fix bug #69720: Null pointer dereference in
+ phar_get_fp_offset()
+
+Upsteam-Status: Backport
+https://git.php.net/?p=php-src.git;a=patch;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
+
+CVE: CVE-2015-7803
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ext/phar/tests/bug69720.phar | Bin 0 -> 8192 bytes
+ ext/phar/tests/bug69720.phpt |  40 ++++++++++++++++++++++++++++++++++++++++
+ ext/phar/util.c              |   6 +++++-
+ 3 files changed, 45 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug69720.phar
+ create mode 100644 ext/phar/tests/bug69720.phpt
+
+Index: php-5.5.21/ext/phar/tests/bug69720.phpt
+===================================================================
+--- /dev/null
+++ php-5.5.21/ext/phar/tests/bug69720.phpt
+@@ -0,0 +1,40 @@
+--TEST--
+Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset()
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+try {
+    // open an existing phar
+    $p = new Phar(__DIR__."/bug69720.phar",0);
+    // Phar extends SPL's DirectoryIterator class
+	echo $p->getMetadata();
+    foreach (new RecursiveIteratorIterator($p) as $file) {
+        // $file is a PharFileInfo class, and inherits from SplFileInfo
+	$temp="";
+        $temp= $file->getFileName() . "\n";
+        $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents
+	var_dump($file->getMetadata());
+    }
+}
+ catch (Exception $e) {
+    echo 'Could not open Phar: ', $e;
+}
+?>
+--EXPECTF--
+
+MY_METADATA_NULL
+
+Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d
+array(1) {
+  ["whatever"]=>
+  int(123)
+}
+object(DateTime)#2 (3) {
+  ["date"]=>
+  string(26) "2000-01-01 00:00:00.000000"
+  ["timezone_type"]=>
+  int(3)
+  ["timezone"]=>
+  string(3) "UTC"
+}
+Index: php-5.5.21/ext/phar/util.c
+===================================================================
+--- php-5.5.21.orig/ext/phar/util.c
+++ php-5.5.21/ext/phar/util.c
+@@ -494,7 +494,11 @@ really_get_entry:
+ 	(*ret)->is_tar = entry->is_tar;
+ 	(*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
+ 	if (entry->link) {
+-		(*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
+		phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
+		if(!link) {
+			return FAILURE;
+		}
+		(*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
+ 	} else {
+ 		(*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
+ 	}
--- a/meta-oe/recipes-devtools/php/php_5.5.21.bb
+++ b/meta-oe/recipes-devtools/php/php_5.5.21.bb
@ -14,6 +14,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
           file://acinclude-xml2-config.patch \
           file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
           file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
+           file://CVE-2015-7803.patch \
          "

 SRC_URI_append_class-target += " \