Bug 1053982
Summary: | php: CVE-2006-7243 patch issues in oci8 and odbc | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | John Vandenberg <jayvdb> | ||||||
Component: | php | Assignee: | Remi Collet <rcollet> | ||||||
Status: | CLOSED ERRATA | QA Contact: | David Kutálek <dkutalek> | ||||||
Severity: | unspecified | Docs Contact: | |||||||
Priority: | unspecified | ||||||||
Version: | 6.6 | CC: | jorton, martin.kalen, rcollet, thoger | ||||||
Target Milestone: | rc | Keywords: | Regression | ||||||
Target Release: | --- | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: |
Cause: patch for referenced CVE includes fix for not provided extensions (oci8...)
Consequence: these part of the patch are not needed and not tested and breaks those extensions
Fix: unneeded part have been removed
Result: unchanged source code for oci8 extension
|
Story Points: | --- | ||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2014-10-14 06:37:29 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | |||||||||
Bug Blocks: | 1056252 | ||||||||
Attachments: |
|
Description
John Vandenberg
2014-01-16 04:56:14 UTC
Thanks John, your analysis looks correct there; sorry about that. But note that we do not build the oci8 extension in the Red Hat Enterprise Linux binary RPMs, so we can not support this code as such. We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution. For information on how to contact the Red Hat production support team, please visit: https://www.redhat.com/support/process/production/#howto Thanks Joe. It is not critical or time-sensitive on my part, as I have rectified the patch for my purposes. I do appreciate OCI is not a supported extension in Red Hat EL; I raised the bug in case Red Hat wants to rectify the faulty CVE patch when the package is next updated due to a 'real' bug. Created attachment 861145 [details] Patch to the CVE-2006-7243 patch Patch to perform the suggested changes. Only changes the part of php-5.3.3-CVE-2006-7243.patch regarding ext/oci8/oci8_interface.c, according to previous comments in this bug. Tested on RHEL6.5 x86_64 with Oracle 11gR2 Instant Client Basic 11.2.0.4.0 x86_64. Comment on attachment 861145 [details] Patch to the CVE-2006-7243 patch Incorrect whitespace. Created attachment 861168 [details] Patch to the CVE-2006-7243 patch Patch to perform the suggested changes. Only changes the part of php-5.3.3-CVE-2006-7243.patch regarding ext/oci8/oci8_interface.c, according to previous comments in this bug. Tested on RHEL6.5 x86_64 with Oracle 11gR2 Instant Client Basic 11.2.0.4.0 x86_64. Fixed whitespace in patch (sorry about that). I understand that OCI8 is not supported by Red Hat and that it probably never will be due to the Oracle [Instant]Client dependency, but by applying the attached patch to your distributed version of php-5.3.3-CVE-2006-7243.patch it would be a big convenience to your users that do include OCI8 in a RHEL6 rebuild of PHP since it now compiles cleanly. There is another problem with the patch in the odbc extension. The change applied to RHEL-6 php packages is identical to what was applied upstream: http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6#patch10 Added check does: if (strlen(tmp) != Z_STRLEN_PP(tmp)) { while it should be: if (strlen(Z_STRVAL_PP(tmp)) != Z_STRLEN_PP(tmp)) { Leading to a compile warning: /builddir/build/BUILD/php-5.3.3/ext/odbc/php_odbc.c: In function 'zif_odbc_execute': /builddir/build/BUILD/php-5.3.3/ext/odbc/php_odbc.c:1303: warning: passing argument 1 of 'strlen' from incompatible pointer type /usr/include/string.h:399: note: expected 'const char *' but argument is of type 'struct zval **' This issue was never fixed upstream in 5.3 branch. 5.4 and later has different check, using CHECK_ZVAL_NULL_PATH(): http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a#patch19 (In reply to Tomas Hoger from comment #7) > There is another problem with the patch in the odbc extension. The change > applied to RHEL-6 php packages is identical to what was applied upstream: > > http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6#patch10 > > Added check does: > > if (strlen(tmp) != Z_STRLEN_PP(tmp)) { > > while it should be: > > if (strlen(Z_STRVAL_PP(tmp)) != Z_STRLEN_PP(tmp)) { > Fix also applied upstream http://git.php.net/?p=php-src.git;a=commit;h=adc070ca995384e4de83fa3446c6dfcf946a3f50 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1465.html |