Date: Sat, 6 Dec 2008 15:44:06 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/129459: [patch] [vuxml] databases/php5-dba, databases/php4-dba: fix dba_replace() file truncation
Message-ID: <20081206124406.92582B8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812061250.mB6Co0og022353@freefall.freebsd.org>
>Number: 129459 >Category: ports >Synopsis: [patch] [vuxml] databases/php5-dba, databases/php4-dba: fix dba_replace() file truncation >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Dec 06 12:50:00 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.1-PRERELEASE amd64 >Description: It was discovered that function dba_replace() from dba extension of PHP 4.x/5.x will truncate INI file when it was asked to replace a non-existent key. >How-To-Repeat: http://securityreason.com/achievement_securityalert/58 >Fix: The following patch adds the fixes both for 4.x and 5.x. --- fix-dba_replace-file-truncation.diff begins here --- >From 77c3812cf5a6b8799c4d7a17d1aaad66b78b07d9 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sat, 6 Dec 2008 15:19:48 +0300 Original advisory: http://www.securityfocus.com/archive/1/498746/30/0/threaded Please note that 4.x branch has no such fix, but it is vulnerable as well (I had tested it locally). Vendor will be notified about this. Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- databases/php4-dba/Makefile | 1 + .../files/patch-fix-dba_replace-truncation | 17 +++++++++++++++++ databases/php5-dba/Makefile | 1 + .../files/patch-fix-dba_replace-truncation | 17 +++++++++++++++++ 4 files changed, 36 insertions(+), 0 deletions(-) create mode 100644 databases/php4-dba/files/patch-fix-dba_replace-truncation create mode 100644 databases/php5-dba/files/patch-fix-dba_replace-truncation diff --git a/databases/php4-dba/Makefile b/databases/php4-dba/Makefile index 9418475..6336c41 100644 --- a/databases/php4-dba/Makefile +++ b/databases/php4-dba/Makefile @@ -6,6 +6,7 @@ # CATEGORIES= databases +PORTREVISION= 1 MASTERDIR= ${.CURDIR}/../../lang/php4 
diff --git a/databases/php4-dba/files/patch-fix-dba_replace-truncation b/databases/php4-dba/files/patch-fix-dba_replace-truncation new file mode 100644 index 0000000..0f6dab4 --- /dev/null +++ b/databases/php4-dba/files/patch-fix-dba_replace-truncation @@ -0,0 +1,17 @@ +Patch that fixes dba_replace() file truncation issue + +Adopted from: http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?r1=1.14.2.1.2.5&r2=1.14.2.1.2.4&view=patch + +--- libinifile/inifile.c 2007/12/31 07:20:05 1.14.2.1.2.4 ++++ libinifile/inifile.c 2008/11/13 18:22:23 1.14.2.1.2.5 +@@ -508,7 +508,9 @@ + + /* 5 */ + if (ret == SUCCESS) { +- ret = inifile_truncate(dba, append ? pos_grp_next : pos_grp_start TSRMLS_CC); /* writes error on fail */ ++ if (!value || (key->name && strlen(key->name))) { ++ ret = inifile_truncate(dba, append ? pos_grp_next : pos_grp_start TSRMLS_CC); /* writes error on fail */ ++ } + } + + if (ret == SUCCESS) { diff --git a/databases/php5-dba/Makefile b/databases/php5-dba/Makefile index 7e4300b..8dc3456 100644 --- a/databases/php5-dba/Makefile +++ b/databases/php5-dba/Makefile @@ -6,6 +6,7 @@ # CATEGORIES= databases +PORTREVISION= 1 MASTERDIR= ${.CURDIR}/../../lang/php5 diff --git a/databases/php5-dba/files/patch-fix-dba_replace-truncation b/databases/php5-dba/files/patch-fix-dba_replace-truncation new file mode 100644 index 0000000..0f6dab4 --- /dev/null +++ b/databases/php5-dba/files/patch-fix-dba_replace-truncation 
@@ -0,0 +1,17 @@ +Patch that fixes dba_replace() file truncation issue + +Adopted from: http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?r1=1.14.2.1.2.5&r2=1.14.2.1.2.4&view=patch + +--- libinifile/inifile.c 2007/12/31 07:20:05 1.14.2.1.2.4 ++++ libinifile/inifile.c 2008/11/13 18:22:23 1.14.2.1.2.5 +@@ -508,7 +508,9 @@ + + /* 5 */ + if (ret == SUCCESS) { +- ret = inifile_truncate(dba, append ? pos_grp_next : pos_grp_start TSRMLS_CC); /* writes error on fail */ ++ if (!value || (key->name && strlen(key->name))) { ++ ret = inifile_truncate(dba, append ? pos_grp_next : pos_grp_start TSRMLS_CC); /* writes error on fail */ ++ } + } + + if (ret == SUCCESS) { -- 1.6.0.4 --- fix-dba_replace-file-truncation.diff ends here --- This is the vulnerability checking bundle. Just extract and run 'make'. --- test.shar begins here --- # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # test/Makefile # test/ham.php # test/test.ini # test/test.ini.orig # echo x - test/Makefile sed 's/^X//' >test/Makefile << '0d8f5a336dfc7f93d0f8ebb4026e4d46' Xall: test X Xtest: test.ini.orig ham.php X @cp -f test.ini.orig test.ini X @rm -f test.ini.lck X @php ham.php X @[ -s test.ini ] && \ X (echo "Not vulnerable: test.ini is not empty:"; cat test.ini) || \ X echo "Vulnerable: test.ini is empty." X @rm -f test.ini.lck 0d8f5a336dfc7f93d0f8ebb4026e4d46 echo x - test/ham.php sed 's/^X//' >test/ham.php << 'a7cabf122ec818d2261bc37c2f29880f' X<?php X$source=dba_open("test.ini", "wlt", "inifile"); Xdba_replace("\0","/www/",$source); X?> a7cabf122ec818d2261bc37c2f29880f echo x - test/test.ini sed 's/^X//' >test/test.ini << '0368deadfd01a6af1d47cb55f407fd28' XPATH=/ XCURR=. 
XHOME=/home/
0368deadfd01a6af1d47cb55f407fd28
echo x - test/test.ini.orig
sed 's/^X//' >test/test.ini.orig << 'd411974d83a21a1687635b704e038703'
XPATH=/
XCURR=.
XHOME=/home/
d411974d83a21a1687635b704e038703
exit
--- test.shar ends here ---

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="bfbed571-c390-11dd-b08d-001fc66e7203">
  <topic>PHP -- INI database truncation inside dba_replace() function</topic>
  <affects>
    <package>
      <name>php4-dba</name>
      <range><lt>4.4.9_1</lt></range>
    </package>
    <package>
      <name>php5-dba</name>
      <range><lt>5.2.6_1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>A bug that leads to the emptying of the INI file contents if
        the database key was not found exists in PHP dba extension in
        versions 5.2.6, 4.4.9 and earlier.</p>
      <p>Maksymilian Arciemowicz from Security Reason reports:</p>
      <blockquote cite="http://www.securityfocus.com/archive/1/498746/30/0/threaded">
        <p>Function dba_replace() are not filtering strings key and
          value. There is a possibility for the destruction of the
          file.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://securityreason.com/achievement_securityalert/58</url>
    <url>http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1314</url>
    <url>http://www.securityfocus.com/archive/1/498746/30/0/threaded</url>
  </references>
  <dates>
    <discovery>28-11-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
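
Review bot: In the libinifile/inifile.c hunk (step "/* 5 */", carried in both the php4-dba and php5-dba patch files), the new guard "if (!value || (key->name && strlen(key->name)))" has no comment saying which case it excludes. As written it skips inifile_truncate() only when a value is supplied and key->name is NULL or empty, and in that case ret is still SUCCESS, so the following "if (ret == SUCCESS) {" block runs against a file that was not truncated. Please add a one-line comment above the guard describing the excluded case, and confirm that the step after it behaves correctly when no truncation took place.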
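
Review bot: The new file databases/php4-dba/files/patch-fix-dba_replace-truncation has the same blob id (0f6dab4) as the php5-dba one, so its header cites the upstream change from 1.14.2.1.2.4 to 1.14.2.1.2.5 even though the commit message says the 4.x branch has no such fix. Please say in the first lines of the php4 patch file that it is a backport of that upstream change to 4.x, and confirm that the "@@ -508,7 +508,9 @@" offsets apply to the php4 libinifile/inifile.c without fuzz.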