[packages/php/PHP_5_3] apply security fixes from webtatic php-5.3.29-4.w5.src - fixes for: CVE-2014-3597, CVE-2014-8142,
glen
glen at pld-linux.org
Thu Feb 5 11:39:56 CET 2015
commit 9fd1776059da19ded4eb8a8563adfd44a7155a26
Author: Elan Ruusamäe <glen at delfi.ee>
Date: Thu Feb 5 12:31:56 2015 +0200
apply security fixes from webtatic php-5.3.29-4.w5.src
- fixes for:
CVE-2014-3597, CVE-2014-8142, CVE-2015-0231, CVE-2015-0232,
CVE-2014-2497, CVE-2014-3587, CVE-2014-3668, CVE-2014-3669,
CVE-2014-3670, CVE-2014-3710, CVE-2014-4670, CVE-2014-4698
php-5.3.29-CVE-2014-3597.patch | 256 +++++++++++++++++++++++++++++++++++++++++
php-5.3.29-CVE-2014-8142.patch | 53 +++++++++
php-5.3.29-CVE-2015-0231.patch | 53 +++++++++
php-5.3.29-CVE-2015-0232.patch | Bin 0 -> 3127 bytes
php-5.3.3-CVE-2014-2497.patch | 40 +++++++
php-5.3.3-CVE-2014-3587.patch | 27 +++++
php-5.3.3-CVE-2014-3668.patch | 118 +++++++++++++++++++
php-5.3.3-CVE-2014-3669.patch | 63 ++++++++++
php-5.3.3-CVE-2014-3670.patch | 38 ++++++
php-5.3.3-CVE-2014-3710.patch | 35 ++++++
php-5.3.3-CVE-2014-4670.patch | 70 +++++++++++
php-5.3.3-CVE-2014-4698.patch | 60 ++++++++++
php.spec | 29 ++++-
13 files changed, 841 insertions(+), 1 deletion(-)
---
diff --git a/php.spec b/php.spec
index 151e91a..1ef99e6 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
%endif
%endif
-%define rel 8
+%define rel 9
%define orgname php
%define ver_suffix 53
%define php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -209,6 +209,20 @@ Patch66: %{orgname}-db.patch
Patch67: php-litespeed.patch
Patch68: mysql-lib-ver-mismatch.patch
Patch69: fpm-conf-split.patch
+# Fixes for security bugs
+# https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html
+Patch247: php-5.3.3-CVE-2014-2497.patch
+Patch248: php-5.3.3-CVE-2014-3587.patch
+Patch249: php-5.3.29-CVE-2014-3597.patch
+Patch250: php-5.3.3-CVE-2014-4698.patch
+Patch251: php-5.3.3-CVE-2014-4670.patch
+Patch252: php-5.3.3-CVE-2014-3668.patch
+Patch253: php-5.3.3-CVE-2014-3669.patch
+Patch254: php-5.3.3-CVE-2014-3670.patch
+Patch255: php-5.3.3-CVE-2014-3710.patch
+Patch256: php-5.3.29-CVE-2014-8142.patch
+Patch257: php-5.3.29-CVE-2015-0231.patch
+Patch258: php-5.3.29-CVE-2015-0232.patch
URL: http://www.php.net/
%{?with_interbase:%{!?with_interbase_inst:BuildRequires: Firebird-devel >= 1.0.2.908-2}}
%{?with_pspell:BuildRequires: aspell-devel >= 2:0.50.0}
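Review bot: Patch258 points at php-5.3.29-CVE-2015-0232.patch, which this commit records as a binary blob (`Bin 0 -> 3127 bytes`), so the change it applies cannot be reviewed from the diff; storing it as plain text would keep it auditable. The comment above the list only says `# Fixes for security bugs`; naming the CVE next to each Patch2xx, and noting that Patch257 must follow Patch256 because it rewrites the line Patch256 adds, would help the next maintainer (the `%patch` order in the second hunk does respect that dependency). The jump from Patch69 to Patch247 looks like a deliberate numbering convention, but nothing in the spec says so.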
@@ -2056,6 +2070,19 @@ gzip -dc %{SOURCE15} | tar xf - -C sapi/
%patch67 -p1
%patch68 -p1
+%patch247 -p1
+%patch248 -p1
+%patch249 -p1
+%patch250 -p1
+%patch251 -p1
+%patch252 -p1
+%patch253 -p1
+%patch254 -p1
+%patch255 -p1
+%patch256 -p1
+%patch257 -p1
+%patch258 -p1
+
sed -i -e '/PHP_ADD_LIBRARY_WITH_PATH/s#xmlrpc,#xmlrpc-epi,#' ext/xmlrpc/config.m4
# cleanup backups after patching
diff --git a/php-5.3.29-CVE-2014-3597.patch b/php-5.3.29-CVE-2014-3597.patch
new file mode 100644
index 0000000..faaece3
--- /dev/null
+++ b/php-5.3.29-CVE-2014-3597.patch
@@ -0,0 +1,256 @@
+--- a/ext/standard/dns.c 2014-08-13 19:22:50.000000000 +0000
++++ b/ext/standard/dns.c 2014-10-12 20:00:54.000000000 +0000
+@@ -412,8 +412,14 @@
+
+ #if HAVE_FULL_DNS_FUNCS
+
++#define CHECKCP(n) do { \
++ if (cp + n > end) { \
++ return NULL; \
++ } \
++} while (0)
++
+ /* {{{ php_parserr */
+-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
+ {
+ u_short type, class, dlen;
+ u_long ttl;
+@@ -425,16 +431,18 @@
+
+ *subarray = NULL;
+
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+ cp += n;
+
++ CHECKCP(10);
+ GETSHORT(type, cp);
+ GETSHORT(class, cp);
+ GETLONG(ttl, cp);
+ GETSHORT(dlen, cp);
++ CHECKCP(dlen);
+ if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ cp += dlen;
+ return cp;
+@@ -451,12 +459,14 @@
+ add_assoc_string(*subarray, "host", name, 1);
+ switch (type) {
+ case DNS_T_A:
++ CHECKCP(4);
+ add_assoc_string(*subarray, "type", "A", 1);
+ snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
+ add_assoc_string(*subarray, "ip", name, 1);
+ cp += dlen;
+ break;
+ case DNS_T_MX:
++ CHECKCP(2);
+ add_assoc_string(*subarray, "type", "MX", 1);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "pri", n);
+@@ -475,7 +485,7 @@
+ if (type == DNS_T_PTR) {
+ add_assoc_string(*subarray, "type", "PTR", 1);
+ }
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -485,18 +495,22 @@
+ case DNS_T_HINFO:
+ /* See RFC 1010 for values */
+ add_assoc_string(*subarray, "type", "HINFO", 1);
++ CHECKCP(1);
+ n = *cp & 0xFF;
+ cp++;
++ CHECKCP(n);
+ add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
+ cp += n;
++ CHECKCP(1);
+ n = *cp & 0xFF;
+ cp++;
++ CHECKCP(n);
+ add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
+ cp += n;
+ break;
+ case DNS_T_TXT:
+ {
+- int ll = 0;
++ int l1 = 0, l2 = 0;
+ zval *entries = NULL;
+
+ add_assoc_string(*subarray, "type", "TXT", 1);
+@@ -505,37 +519,42 @@
+ MAKE_STD_ZVAL(entries);
+ array_init(entries);
+
+- while (ll < dlen) {
+- n = cp[ll];
+- if ((ll + n) >= dlen) {
++ while (l1 < dlen) {
++ n = cp[l1];
++ if ((l1 + n) >= dlen) {
+ // Invalid chunk length, truncate
+- n = dlen - (ll + 1);
++ n = dlen - (l1 + 1);
++ }
++ if (n) {
++ memcpy(tp + l2 , cp + l1 + 1, n);
++ add_next_index_stringl(entries, cp + l1 + 1, n, 1);
+ }
+- memcpy(tp + ll , cp + ll + 1, n);
+- add_next_index_stringl(entries, cp + ll + 1, n, 1);
+- ll = ll + n + 1;
++ l1 = l1 + n + 1;
++ l2 = l2 + n;
+ }
+ tp[dlen] = '\0';
++ tp[l2] = '\0';
+ cp += dlen;
+
+- add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0);
++ add_assoc_stringl(*subarray, "txt", tp, l2, 0);
+ add_assoc_zval(*subarray, "entries", entries);
+ }
+ break;
+ case DNS_T_SOA:
+ add_assoc_string(*subarray, "type", "SOA", 1);
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ if (n < 0) {
+ return NULL;
+ }
+ cp += n;
+ add_assoc_string(*subarray, "mname", name, 1);
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ if (n < 0) {
+ return NULL;
+ }
+ cp += n;
+ add_assoc_string(*subarray, "rname", name, 1);
++ CHECKCP(5*4);
+ GETLONG(n, cp);
+ add_assoc_long(*subarray, "serial", n);
+ GETLONG(n, cp);
+@@ -549,6 +568,7 @@
+ break;
+ case DNS_T_AAAA:
+ tp = (u_char*)name;
++ CHECKCP(8*2);
+ for(i=0; i < 8; i++) {
+ GETSHORT(s, cp);
+ if (s != 0) {
+@@ -583,6 +603,7 @@
+ case DNS_T_A6:
+ p = cp;
+ add_assoc_string(*subarray, "type", "A6", 1);
++ CHECKCP(1);
+ n = ((int)cp[0]) & 0xFF;
+ cp++;
+ add_assoc_long(*subarray, "masklen", n);
+@@ -618,6 +639,7 @@
+ cp++;
+ }
+ for (i = (n + 8) / 16; i < 8; i++) {
++ CHECKCP(2);
+ GETSHORT(s, cp);
+ if (s != 0) {
+ if (tp > (u_char *)name) {
+@@ -647,7 +669,7 @@
+ tp[0] = '\0';
+ add_assoc_string(*subarray, "ipv6", name, 1);
+ if (cp < p + dlen) {
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -656,6 +678,7 @@
+ }
+ break;
+ case DNS_T_SRV:
++ CHECKCP(3*2);
+ add_assoc_string(*subarray, "type", "SRV", 1);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "pri", n);
+@@ -663,7 +686,7 @@
+ add_assoc_long(*subarray, "weight", n);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "port", n);
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -671,21 +694,35 @@
+ add_assoc_string(*subarray, "target", name, 1);
+ break;
+ case DNS_T_NAPTR:
++ CHECKCP(2*2);
+ add_assoc_string(*subarray, "type", "NAPTR", 1);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "order", n);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "pref", n);
++
++ CHECKCP(1);
+ n = (cp[0] & 0xFF);
+- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
++ cp++;
++ CHECKCP(n);
++ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
+ cp += n;
++
++ CHECKCP(1);
+ n = (cp[0] & 0xFF);
+- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
++ cp++;
++ CHECKCP(n);
++ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
+ cp += n;
++
++ CHECKCP(1);
+ n = (cp[0] & 0xFF);
+- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
++ cp++;
++ CHECKCP(n);
++ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
+ cp += n;
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -852,7 +889,7 @@
+ while (an-- && cp && cp < end) {
+ zval *retval;
+
+- cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
++ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
+ if (retval != NULL && store_results) {
+ add_next_index_zval(return_value, retval);
+ }
+@@ -865,7 +902,7 @@
+ while (ns-- > 0 && cp && cp < end) {
+ zval *retval = NULL;
+
+- cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
+ if (retval != NULL) {
+ add_next_index_zval(authns, retval);
+ }
+@@ -877,7 +914,7 @@
+ while (ar-- > 0 && cp && cp < end) {
+ zval *retval = NULL;
+
+- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
+ if (retval != NULL) {
+ add_next_index_zval(addtl, retval);
+ }
diff --git a/php-5.3.29-CVE-2014-8142.patch b/php-5.3.29-CVE-2014-8142.patch
new file mode 100644
index 0000000..c5efe43
--- /dev/null
+++ b/php-5.3.29-CVE-2014-8142.patch
@@ -0,0 +1,53 @@
+diff -Naur php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt php-5.3.29/ext/standard/tests/serialize/bug68594.phpt
+--- php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt 1970-01-01 00:00:00.000000000 +0000
++++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt 2015-01-24 13:14:16.222248839 +0000
+@@ -0,0 +1,23 @@
++--TEST--
++Bug #68545 Use after free vulnerability in unserialize()
++--FILE--
++<?php
++for ($i=4; $i<100; $i++) {
++ $m = new StdClass();
++
++ $u = array(1);
++
++ $m->aaa = array(1,2,&$u,4,5);
++ $m->bbb = 1;
++ $m->ccc = &$u;
++ $m->ddd = str_repeat("A", $i);
++
++ $z = serialize($m);
++ $z = str_replace("bbb", "aaa", $z);
++ $y = unserialize($z);
++ $z = serialize($y);
++}
++?>
++===DONE===
++--EXPECTF--
++===DONE===
+diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
+--- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 13:05:17.310236430 +0000
++++ php-5.3.29/ext/standard/var_unserializer.c 2015-01-24 13:09:14.269241886 +0000
+@@ -298,6 +298,9 @@
+ } else {
+ /* object properties should include no integers */
+ convert_to_string(key);
++ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++ var_push_dtor(var_hash, old_data);
++ }
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ sizeof data, NULL);
+ }
+diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
+--- php-5.3.29-original/ext/standard/var_unserializer.re 2015-01-24 13:05:17.310236430 +0000
++++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 13:07:59.593240167 +0000
+@@ -304,6 +304,9 @@
+ } else {
+ /* object properties should include no integers */
+ convert_to_string(key);
++ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++ var_push_dtor(var_hash, old_data);
++ }
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ sizeof data, NULL);
+ }
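Review bot: The test title `Bug #68545 Use after free vulnerability in unserialize()` does not match the file name bug68594.phpt; one of the two numbers is a typo and they should agree so the test can be traced to the bug report. The fix relies on `old_data` being declared in the enclosing function, which is outside the quoted context and worth confirming on the 5.3.29 tree since this is a backport. Patching both var_unserializer.c and var_unserializer.re identically is correct because the .c is generated from the .re; a one-line comment at the new check, `/* key already present: queue the old value for dtor instead of freeing it here */`, would explain why var_push_dtor is used rather than an immediate destructor — assuming that is what var_push_dtor does, which the hunk does not show.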
diff --git a/php-5.3.29-CVE-2015-0231.patch b/php-5.3.29-CVE-2015-0231.patch
new file mode 100644
index 0000000..38d70fd
--- /dev/null
+++ b/php-5.3.29-CVE-2015-0231.patch
@@ -0,0 +1,53 @@
+diff -Naur php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt php-5.3.29/ext/standard/tests/strings/bug68710.phpt
+--- php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt 1970-01-01 00:00:00.000000000 +0000
++++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt 2015-01-24 14:53:04.321385336 +0000
+@@ -0,0 +1,25 @@
++--TEST--
++Bug #68710 Use after free vulnerability in unserialize() (bypassing the
++CVE-2014-8142 fix)
++--FILE--
++<?php
++for ($i=4; $i<100; $i++) {
++ $m = new StdClass();
++
++ $u = array(1);
++
++ $m->aaa = array(1,2,&$u,4,5);
++ $m->bbb = 1;
++ $m->ccc = &$u;
++ $m->ddd = str_repeat("A", $i);
++
++ $z = serialize($m);
++ $z = str_replace("aaa", "123", $z);
++ $z = str_replace("bbb", "123", $z);
++ $y = unserialize($z);
++ $z = serialize($y);
++}
++?>
++===DONE===
++--EXPECTF--
++===DONE===
+diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
+--- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 14:50:14.682381430 +0000
++++ php-5.3.29/ext/standard/var_unserializer.c 2015-01-24 14:51:47.623383570 +0000
+@@ -298,7 +298,7 @@
+ } else {
+ /* object properties should include no integers */
+ convert_to_string(key);
+- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
+--- php-5.3.29-original/ext/standard/var_unserializer.re 2015-01-24 14:50:14.685381430 +0000
++++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 14:52:13.191384159 +0000
+@@ -304,7 +304,7 @@
+ } else {
+ /* object properties should include no integers */
+ convert_to_string(key);
+- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
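Review bot: The switch from zend_symtable_find to zend_hash_find is the entire fix, but nothing in the hunk records why, so a later cleanup could "correct" it back; a comment such as `/* use the same lookup as zend_hash_update() below: a symtable lookup treats numeric-string keys like the test's "123" as integers and would miss the entry */` would pin the rationale. This patch edits the line introduced by the CVE-2014-8142 patch and therefore only applies if Patch256 is applied first, which the spec's `%patch` order does. The regression test asserts only `===DONE===`, so it catches the bug only under a memory checker or when the freed value actually crashes the run.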
diff --git a/php-5.3.29-CVE-2015-0232.patch b/php-5.3.29-CVE-2015-0232.patch
new file mode 100644
index 0000000..9ba13bd
Binary files /dev/null and b/php-5.3.29-CVE-2015-0232.patch differ
diff --git a/php-5.3.3-CVE-2014-2497.patch b/php-5.3.3-CVE-2014-2497.patch
new file mode 100644
index 0000000..6b605e7
--- /dev/null
+++ b/php-5.3.3-CVE-2014-2497.patch
@@ -0,0 +1,40 @@
+From cf4753691dc55999373d1c576f62ecb298723420 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi at php.net>
+Date: Mon, 4 Aug 2014 10:42:39 +0200
+Subject: [PATCH] Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
+
+Upstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704
+
+Notice: this fix don't manage monochrome/monovisual values
+but just fix the security issue CVE-2014-2497
+failing when trying to load such an image
+---
+ ext/gd/libgd/gdxpm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c
+index 73f86e5..b69414e 100644
+--- a/ext/gd/libgd/gdxpm.c
++++ b/ext/gd/libgd/gdxpm.c
+@@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename)
+ if (ret != XpmSuccess) {
+ return 0;
+ }
++ number = image.ncolors;
++ for(i = 0; i < number; i++) {
++ if (!image.colorTable[i].c_color) {
++ goto done;
++ }
++ }
+
+ if (!(im = gdImageCreate(image.width, image.height))) {
+ goto done;
+ }
+
+- number = image.ncolors;
+ colors = (int *) safe_emalloc(number, sizeof(int), 0);
+ for (i = 0; i < number; i++) {
+ switch (strlen (image.colorTable[i].c_color)) {
+--
+1.9.2
+
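Review bot: The new early `goto done` runs before `im` is created, so `done:` must cope with `im` still holding its initial value; both the label and the declaration of `im` are outside the quoted context, and the result depends on `im` being initialised to 0 at declaration, which should be confirmed on the 5.3 copy of gdxpm.c. Whether `image` is released on that path likewise depends on what `done:` does. A comment on the loop, `/* refuse images with an unset c_color entry; mono/grey values are not handled (see header) */`, would tie the code to the header's note that monochrome values are not supported.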
diff --git a/php-5.3.3-CVE-2014-3587.patch b/php-5.3.3-CVE-2014-3587.patch
new file mode 100644
index 0000000..209b57f
--- /dev/null
+++ b/php-5.3.3-CVE-2014-3587.patch
@@ -0,0 +1,27 @@
+From 0641e56be1af003aa02c7c6b0184466540637233 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos at zoulas.com>
+Date: Thu, 7 Aug 2014 09:38:35 +0000
+Subject: [PATCH] Prevent wrap around (Remi Collet at redhat)
+
+---
+ src/cdf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/cdf.c b/src/cdf.c
+index 5dbf3b1..3e691f4 100644
+--- a/ext/fileinfo/libmagic/cdf.c 2014-08-14 14:40:06.875720471 +0200
++++ b/ext/fileinfo/libmagic/cdf.c 2014-08-14 14:41:19.907273015 +0200
+@@ -768,6 +768,10 @@
+ q = (const uint32_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
++ if (q < p) {
++ DPRINTF(("Wrapped around %p < %p\n", q, p));
++ goto out;
++ }
+ if (q > e) {
+ DPRINTF(("Ran of the end %p > %p\n", q, e));
+ goto out;
+--
+2.0.3
+
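Review bot: The added `q < p` test detects the wrap-around after the fact, by comparing pointers that were formed by arithmetic past the object; compilers may assume that cannot happen and fold the comparison away. The robust form checks the offset before deriving `q`, e.g. `if (ofs < 2 * sizeof(uint32_t)) { DPRINTF(("Bad offset %zu\n", (size_t)ofs)); goto out; }` placed ahead of the assignment, with the existing `q > e` check kept for the upper bound. The type of `ofs` is declared outside the hunk, so whether it can also be negative should be checked there. The `---`/`+++` paths differ from the `src/cdf.c` named in the embedded diffstat; `-p1` still resolves them, but the stat line is misleading.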
diff --git a/php-5.3.3-CVE-2014-3668.patch b/php-5.3.3-CVE-2014-3668.patch
new file mode 100644
index 0000000..a19991f
--- /dev/null
+++ b/php-5.3.3-CVE-2014-3668.patch
@@ -0,0 +1,118 @@
+From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas at php.net>
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ NEWS | 5 ++++-
+ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new file mode 100644
+index 0000000..a5c96f1
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug68027.phpt
+@@ -0,0 +1,44 @@
++--TEST--
++Bug #68027 (buffer overflow in mkgmtime() function)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++
++$d = '6-01-01 20:00:00';
++xmlrpc_set_type($d, 'datetime');
++var_dump($d);
++$datetime = "2001-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++$datetime = "34770-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++echo "Done\n";
++?>
++--EXPECTF--
++object(stdClass)#1 (3) {
++ ["scalar"]=>
++ string(16) "6-01-01 20:00:00"
++ ["xmlrpc_type"]=>
++ string(8) "datetime"
++ ["timestamp"]=>
++ int(%d)
++}
++stdClass Object
++(
++ [scalar] => 2001-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %s
++)
++stdClass Object
++(
++ [scalar] => 34770-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %d
++)
++Done
+--
+2.1.0
+
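Review bot: After the fix only `tm_mon` is range-checked; `tm_mday`, `tm_hour`, `tm_min` and `tm_sec` still accept any two-digit value, so a day of 99 reaches the caller's time conversion unvalidated. If that conversion indexes a per-month table (the test title names a buffer overflow in mkgmtime()), a parallel guard such as `if (tm.tm_mday < 1 || tm.tm_mday > 31) { return -1; }` after the mday loop is cheap defence in depth. The corrected `XMLRPC_IS_NUMBER(text[i+15])` reads up to `text[16]`, so the function must already guarantee at least 17 bytes of input; that guard, if any, lives outside the hunk. The header diffstat lists NEWS, which the included patch does not touch.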
diff --git a/php-5.3.3-CVE-2014-3669.patch b/php-5.3.3-CVE-2014-3669.patch
new file mode 100644
index 0000000..c71d084
--- /dev/null
+++ b/php-5.3.3-CVE-2014-3669.patch
@@ -0,0 +1,63 @@
+Adapted for PHP 5.4.16 from
+
+From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas at php.net>
+Date: Sun, 28 Sep 2014 14:19:31 -0700
+Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
+ only)
+
+---
+ NEWS | 5 ++++-
+ ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
+ ext/standard/var_unserializer.c | 4 ++--
+ ext/standard/var_unserializer.re | 2 +-
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug68044.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
+new file mode 100644
+index 0000000..031e44e
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68044.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #68044 Integer overflow in unserialize() (32-bits only)
++--FILE--
++<?php
++ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
++?>
++===DONE==
++--EXPECTF--
++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
++
++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
++===DONE==
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 657051f..8129da3 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -326,7 +326,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 1307508..6de1583 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -332,7 +332,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+--
+2.1.0
+
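Review bot: The file is named php-5.3.3-CVE-2014-3669.patch and the spec applies it to a 5.3.29 tree, yet its first line says `Adapted for PHP 5.4.16`; the header should name the version the adaptation was actually made for so the next rebase knows what it was tested against. The rewritten condition `(max - (*p)) <= datalen` compares a length with `datalen` instead of forming the pointer `(*p) + datalen`, which is the whole point of the fix; a comment, `/* compare lengths, not pointers: (*p) + datalen can wrap on 32-bit */`, would keep that rationale with the code. The enclosing object_custom() starts before the hunk.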
diff --git a/php-5.3.3-CVE-2014-3670.patch b/php-5.3.3-CVE-2014-3670.patch
new file mode 100644
index 0000000..ecb57e0
--- /dev/null
+++ b/php-5.3.3-CVE-2014-3670.patch
@@ -0,0 +1,38 @@
+bug68113.phpt removed as binary patch not supported
+
+
+From 287c91c1f060dc85a8bdb51488c50db8614448b7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas at php.net>
+Date: Sun, 28 Sep 2014 16:57:42 -0700
+Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
+
+---
+ NEWS | 6 +++++-
+ ext/exif/exif.c | 4 ++--
+ ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes
+ ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++
+ 4 files changed, 24 insertions(+), 3 deletions(-)
+ create mode 100755 ext/exif/tests/bug68113.jpg
+ create mode 100644 ext/exif/tests/bug68113.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 38907b4..637ebf9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2446,11 +2446,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
+ data_ptr += 8;
+ break;
+ case TAG_FMT_SINGLE:
+- memmove(data_ptr, &info_data->value.f, byte_count);
++ memmove(data_ptr, &info_value->f, 4);
+ data_ptr += 4;
+ break;
+ case TAG_FMT_DOUBLE:
+- memmove(data_ptr, &info_data->value.d, byte_count);
++ memmove(data_ptr, &info_value->d, 8);
+ data_ptr += 8;
+ break;
+ }
+--
+2.1.0
+
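Review bot: The first line says the bug68113.phpt regression test was dropped because a binary patch could not be carried, yet the embedded header diffstat still lists NEWS, bug68113.jpg and bug68113.phpt, so the header no longer describes the content; trimming it to the exif.c entry would avoid confusion. Without that test nothing in the package exercises the fixed TAG_FMT_SINGLE and TAG_FMT_DOUBLE paths; a text-only .phpt that assembles the small JPEG with pack() would restore coverage. The replacement `memmove(data_ptr, &info_value->f, 4)` depends on `info_value` being in scope in the 5.3 version of exif_ifd_make_value, which is declared outside the hunk and should be confirmed at build time.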
diff --git a/php-5.3.3-CVE-2014-3710.patch b/php-5.3.3-CVE-2014-3710.patch
new file mode 100644
index 0000000..d1a9971
--- /dev/null
+++ b/php-5.3.3-CVE-2014-3710.patch
@@ -0,0 +1,35 @@
+From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi at php.net>
+Date: Wed, 22 Oct 2014 15:37:04 +0200
+Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
+ headers
+
+Upstream commit
+https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
+
+CVE -2014-3710
+---
+ ext/fileinfo/libmagic/readelf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
+index 1c3845f..bb6f70f 100644
+--- a/ext/fileinfo/libmagic/readelf.c
++++ b/ext/fileinfo/libmagic/readelf.c
+@@ -372,6 +372,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
+ #endif
+ uint32_t namesz, descsz;
+
++ if (xnh_sizeof + offset > size) {
++ /*
++ * We're out of note headers.
++ */
++ return xnh_sizeof + offset;
++ }
++
+ (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ offset += xnh_sizeof;
+
+--
+2.1.0
+
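Review bot: When a note header does not fit, the new guard returns `xnh_sizeof + offset`, a value larger than `size`; every caller of donote() must therefore treat a return at or beyond `size` as end-of-input, and that contract is stated nowhere in the hunk. Extending the added comment to `/* We're out of note headers; the returned offset is past size so the caller stops. */` and checking the caller's loop condition on the 5.3 copy (the caller is outside the hunk) would make it explicit. The header line `CVE -2014-3710` has a stray space in the identifier.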
diff --git a/php-5.3.3-CVE-2014-4670.patch b/php-5.3.3-CVE-2014-4670.patch
new file mode 100644
index 0000000..3c494cf
--- /dev/null
+++ b/php-5.3.3-CVE-2014-4670.patch
@@ -0,0 +1,70 @@
+Patch adapted for PHP 5.3.3
+
+Orginal patch:
+From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
+From: Xinchen Hui <laruence at php.net>
+Date: Wed, 2 Jul 2014 17:45:09 +0800
+Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
+
+---
+ NEWS | 3 +++
+ ext/spl/spl_dllist.c | 7 +++++--
+ ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug67538.phpt
+
+diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
+index 39a0733..0b44d41 100644
+--- a/ext/spl/spl_dllist.c
++++ b/ext/spl/spl_dllist.c
+@@ -40,12 +40,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
+
+ #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
+ efree(elem); \
+- elem = NULL; \
+ }
+
+ #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
+ efree(elem); \
+- elem = NULL; \
+ }
+
+ #define SPL_LLIST_ADDREF(elem) (elem)->rc++
+@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
+ llist->dtor(element TSRMLS_CC);
+ }
+
++ if (intern->traverse_pointer == element) {
++ SPL_LLIST_DELREF(element);
++ intern->traverse_pointer = NULL;
++ }
++
+ zval_ptr_dtor((zval **)&element->data);
+ element->data = NULL;
+
+diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
+new file mode 100644
+index 0000000..b6f3848
+--- /dev/null
++++ b/ext/spl/tests/bug67538.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #67538 (SPL Iterators use-after-free)
++--FILE--
++<?php
++$list = new SplDoublyLinkedList();
++$list->push('a');
++$list->push('b');
++
++$list->rewind();
++$list->offsetUnset(0);
++$list->push('b');
++$list->offsetUnset(0);
++$list->next();
++echo "okey";
++?>
++--EXPECTF--
++okey
+--
+1.9.2
+
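Review bot: Removing `elem = NULL;` from SPL_LLIST_DELREF and SPL_LLIST_CHECK_DELREF changes every user of those macros in spl_dllist.c, not only offsetUnset: after a freeing DELREF the caller's variable now keeps a dangling pointer, and those call sites are outside this hunk and should be audited for later use. In offsetUnset the new block is followed by `zval_ptr_dtor((zval **)&element->data)`, so it is only safe if the element's refcount is at least 2 whenever it equals traverse_pointer; a comment stating that invariant, `/* list and traverse_pointer each hold a reference, so this DELREF cannot free element */`, would document why this is not itself a use-after-free. The upstream commit also touches NEWS, which this adaptation omits.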
diff --git a/php-5.3.3-CVE-2014-4698.patch b/php-5.3.3-CVE-2014-4698.patch
new file mode 100644
index 0000000..13e1113
--- /dev/null
+++ b/php-5.3.3-CVE-2014-4698.patch
@@ -0,0 +1,60 @@
+Patch adapted for PHP 5.3.3
+
+Orginal patch:
+From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
+From: Xinchen Hui <laruence at php.net>
+Date: Wed, 2 Jul 2014 17:57:42 +0800
+Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
+ change during sorting)
+
+---
+ NEWS | 2 ++
+ ext/spl/spl_array.c | 7 +++++++
+ ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
+ 3 files changed, 24 insertions(+)
+ create mode 100644 ext/spl/tests/bug67539.phpt
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index 8392e72..0fe47b6 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -1661,8 +1661,15 @@
+ {
+ const unsigned char *p, *s;
+ zval *pmembers, *pflags = NULL;
++ HashTable *aht;
+ long flags;
+
++ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
++ if (aht->nApplyCount > 0) {
++ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
++ return;
++ }
++
+ /* storage */
+ s = p = buf;
+
+diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
+new file mode 100644
+index 0000000..8bab2a8
+--- /dev/null
++++ b/ext/spl/tests/bug67539.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
++--FILE--
++<?php
++
++$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
++
++function badsort($a, $b) {
++ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
++ return TRUE;
++}
++
++$it->uksort('badsort');
++--EXPECTF--
++Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
+--
+1.9.2
+
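Review bot: The new guard dereferences `aht` immediately (`aht->nApplyCount > 0`) without a NULL check; whether spl_array_get_hash_table() can return NULL for an object whose storage is not yet set up at unserialize time is decided by code outside the hunk and should be confirmed for 5.3. The hunk header carries no function name and `intern` and `buf` are declared before it, so the enclosing unserialize handler starts outside the quoted context. A short comment, `/* refuse to replace the storage while a sort callback is iterating it (bug #67539) */`, would explain why the apply count is the signal used here.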
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/php.git/commitdiff/9fd1776059da19ded4eb8a8563adfd44a7155a26