My Alpine packages repository.
https://dryabzhinsky.noip.me/packages/en/alpinelinux-support/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
75 lines
2.3 KiB
75 lines
2.3 KiB
From: Markus Koschany <apo@debian.org> |
|
Date: Wed, 9 May 2018 15:20:34 +0200 |
|
Subject: CVE-2018-10548 |
|
|
|
Bug-Upstream: https://bugs.php.net/bug.php?id=76248 |
|
--- |
|
ext/ldap/ldap.c | 6 +++++- |
|
ext/ldap/tests/bug76248.phpt | 40 ++++++++++++++++++++++++++++++++++++++++ |
|
2 files changed, 45 insertions(+), 1 deletion(-) |
|
create mode 100644 ext/ldap/tests/bug76248.phpt |
|
|
|
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c |
|
index 2092b5e..a3c604b 100644 |
|
--- a/ext/ldap/ldap.c |
|
+++ b/ext/ldap/ldap.c |
|
@@ -1026,7 +1026,11 @@ PHP_FUNCTION(ldap_get_entries) |
|
|
|
add_assoc_long(tmp1, "count", num_attrib); |
|
dn = ldap_get_dn(ldap, ldap_result_entry); |
|
- add_assoc_string(tmp1, "dn", dn, 1); |
|
+ if (dn) { |
|
+ add_assoc_string(tmp1, "dn", dn, 1); |
|
+ } else { |
|
+ add_assoc_null(tmp1, "dn"); |
|
+ } |
|
#if (LDAP_API_VERSION > 2000) || HAVE_NSLDAP || HAVE_ORALDAP_10 || WINDOWS |
|
ldap_memfree(dn); |
|
#else |
|
diff --git a/ext/ldap/tests/bug76248.phpt b/ext/ldap/tests/bug76248.phpt |
|
new file mode 100644 |
|
index 0000000..45a7f83 |
|
--- /dev/null |
|
+++ b/ext/ldap/tests/bug76248.phpt |
|
@@ -0,0 +1,40 @@ |
|
+--TEST-- |
|
+Bug #76248 (Malicious LDAP-Server Response causes Crash) |
|
+--SKIPIF-- |
|
+<?php |
|
+require_once('skipif.inc'); |
|
+if (!function_exists('pcntl_fork')) die('skip fork not available'); |
|
+?> |
|
+--FILE-- |
|
+<?php |
|
+$pid = pcntl_fork(); |
|
+const PORT = 12345; |
|
+if ($pid == 0) { |
|
+ // child |
|
+ $server = stream_socket_server("tcp://127.0.0.1:12345"); |
|
+ $socket = stream_socket_accept($server, 3); |
|
+ fwrite($socket, base64_decode("MAwCAQFhBwoBAAQABAAweQIBAmR0BJljbj1yb290LGRjPWV4YW1wbGUsZGM9Y29tMFcwIwQLb2JqZWN0Q2xhc3MxFAQSb3JnYW5pemF0aW9uYWxSb2xlMAwEAmNuMQYEBHJvb3QwIgQLZGVzY3JpcHRpb24xEwQRRGlyZWN0b3J5IE1hbmFnZXIwDAIBAmUHCgEABAAEADB5AgEDZHQEmWNuPXJvb3QsZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUwDAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjAMAgEDZQcKAQAEAAQA")); |
|
+ fflush($socket); |
|
+} else { |
|
+ // parent |
|
+ $ds = ldap_connect("127.0.0.1", PORT); |
|
+ ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); |
|
+ $b = ldap_bind($ds, "cn=root,dc=example,dc=com", "secret"); |
|
+ |
|
+ $s = ldap_search($ds, "dc=example,dc=com", "(cn=root)"); |
|
+ $tt = ldap_get_entries($ds, $s); |
|
+ var_dump($tt); |
|
+} |
|
+?> |
|
+--EXPECT-- |
|
+array(2) { |
|
+ ["count"]=> |
|
+ int(1) |
|
+ [0]=> |
|
+ array(2) { |
|
+ ["count"]=> |
|
+ int(0) |
|
+ ["dn"]=> |
|
+ NULL |
|
+ } |
|
+} |
|
\ No newline at end of file
|
|
|