[packages/php/PHP_5_3] - rel 14; update libmagic from php5.6 (as our old 5.3 bundled libmagic segfaults easily)
arekm
arekm at pld-linux.org
Tue Mar 24 12:28:12 CET 2015
commit 2f139b72597b02df51f1f0005b9300f0955bf9cd
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Tue Mar 24 12:26:10 2015 +0100
- rel 14; update libmagic from php5.6 (as our old 5.3 bundled libmagic segfaults easily)
php-5.3.3-CVE-2014-2270.patch | 477 ------------------------------------------
php-5.3.3-CVE-2014-3587.patch | 27 ---
php-5.3.3-CVE-2014-3710.patch | 35 ----
php.spec | 22 +-
4 files changed, 15 insertions(+), 546 deletions(-)
---
diff --git a/php.spec b/php.spec
index 08f7f58..a35862d 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
%endif
%endif
-%define rel 13
+%define rel 14
%define orgname php
%define ver_suffix 53
%define php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -210,20 +210,27 @@ Patch67: php-litespeed.patch
Patch68: x32.patch
Patch69: fpm-conf-split.patch
Patch70: mysql-lib-ver-mismatch.patch
+# git clone git://github.com/php/php-src.git && git checkout PHP_5_6
+# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/libmagic > ~/rpm/packages/php/php-fileinfo.patch
+# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/config.m4 >> ~/rpm/packages/php/php-fileinfo.patch
+# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/Makefile.frag >> ~/rpm/packages/php/php-fileinfo.patch
+# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/data_file.c >> ~/rpm/packages/php/php-fileinfo.patch
+Patch71: php-fileinfo.patch
+# Patch71-md5: 771e4934132c5f5c968248c954d1ef6e
# Fixes for security bugs
# https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html
# also from RHEL6/CentOS7
Patch220: php-5.3.3-CVE-2011-4153.patch
-Patch238: php-5.3.3-CVE-2014-2270.patch
+
Patch247: php-5.3.3-CVE-2014-2497.patch
-Patch248: php-5.3.3-CVE-2014-3587.patch
+
Patch249: php-5.3.29-CVE-2014-3597.patch
Patch250: php-5.3.3-CVE-2014-4698.patch
Patch251: php-5.3.3-CVE-2014-4670.patch
Patch252: php-5.3.3-CVE-2014-3668.patch
Patch253: php-5.3.3-CVE-2014-3669.patch
Patch254: php-5.3.3-CVE-2014-3670.patch
-Patch255: php-5.3.3-CVE-2014-3710.patch
+
Patch256: php-5.3.29-CVE-2014-8142.patch
Patch257: php-5.3.29-CVE-2015-0231.patch
Patch258: php-5.3.29-CVE-2015-0232.patch
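Review bot: The recipe comment above `Patch71` is not reproducible or auditable: it diffs against the branch head `PHP-5.6` rather than a fixed commit, spells the branch differently on the clone line (`git checkout PHP_5_6`), and clones over unauthenticated `git://`. Recording the exact upstream state and an authenticated transport would fix that, for example `# git clone https://github.com/php/php-src.git` and `# generated from php-5.3.29..<upstream-commit-id>`. This hunk also drops Patch238, Patch248 and Patch255, and the third php.spec hunk drops their `%patch` lines, without stating that the imported libmagic contains those fixes. Presumably it does, but a line such as `# CVE-2014-2270, CVE-2014-3587, CVE-2014-3710: covered by Patch71 (libmagic from PHP 5.6)` would keep the CVE coverage traceable for later audits. The empty `+` lines left in place of the removed entries in both hunks can be deleted.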
@@ -2074,18 +2081,19 @@ cp -p php.ini-production php.ini
gzip -dc %{SOURCE15} | tar xf - -C sapi/
%patch67 -p1
%patch70 -p1
+%patch71 -p1
%patch220 -p1
-%patch238 -p1
+
%patch247 -p1
-%patch248 -p1
+
%patch249 -p1
%patch250 -p1
%patch251 -p1
%patch252 -p1
%patch253 -p1
%patch254 -p1
-%patch255 -p1
+
%patch256 -p1
%patch257 -p1
%patch258 -p1
diff --git a/php-5.3.3-CVE-2014-2270.patch b/php-5.3.3-CVE-2014-2270.patch
deleted file mode 100644
index 0990853..0000000
--- a/php-5.3.3-CVE-2014-2270.patch
+++ /dev/null
@@ -1,477 +0,0 @@
-diff --git a/src/softmagic.c b/src/softmagic.c
-index 1f02fec..58a1cf7 100644
---- a/ext/fileinfo/libmagic/softmagic.c
-+++ b/ext/fileinfo/libmagic/softmagic.c
-@@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
- private void cvt_32(union VALUETYPE *, const struct magic *);
- private void cvt_64(union VALUETYPE *, const struct magic *);
-
-+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
- /*
- * softmagic - lookup one file in parsed, in-memory copy of database
- * Passed the name and FILE * of one file to be typed.
-@@ -1065,6 +1066,7 @@ mget(struct magic_set *ms, const unsigned char *s,
- {
- uint32_t offset = ms->offset;
- uint32_t count = m->str_range;
-+ uint32_t lhs;
- union VALUETYPE *p = &ms->ms_value;
-
- if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
-@@ -1116,7 +1118,7 @@ mget(struct magic_set *ms, const unsigned char *s,
- }
- switch (m->in_type) {
- case FILE_BYTE:
-- if (nbytes < (offset + 1))
-+ if (OFFSET_OOB(nbytes, offset, 1))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1151,111 +1153,79 @@ mget(struct magic_set *ms, const unsigned char *s,
- offset = ~offset;
- break;
- case FILE_BESHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
-+ lhs = (p->hs[0] << 8) | p->hs[1];
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
- case FILE_OPAND:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) &
-- off;
-+ offset = lhs & off;
- break;
- case FILE_OPOR:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) |
-- off;
-+ offset = lhs | off;
- break;
- case FILE_OPXOR:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) ^
-- off;
-+ offset = lhs ^ off;
- break;
- case FILE_OPADD:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) +
-- off;
-+ offset = lhs + off;
- break;
- case FILE_OPMINUS:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) -
-- off;
-+ offset = lhs - off;
- break;
- case FILE_OPMULTIPLY:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) *
-- off;
-+ offset = lhs * off;
- break;
- case FILE_OPDIVIDE:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) /
-- off;
-+ offset = lhs / off;
- break;
- case FILE_OPMODULO:
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1])) %
-- off;
-+ offset = lhs % off;
- break;
- }
- } else
-- offset = (short)((p->hs[0]<<8)|
-- (p->hs[1]));
-+ offset = lhs;
- if (m->in_op & FILE_OPINVERSE)
- offset = ~offset;
- break;
- case FILE_LESHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
-+ lhs = (p->hs[1] << 8) | p->hs[0];
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
- case FILE_OPAND:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) &
-- off;
-+ offset = lhs & off;
- break;
- case FILE_OPOR:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) |
-- off;
-+ offset = lhs | off;
- break;
- case FILE_OPXOR:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) ^
-- off;
-+ offset = lhs ^ off;
- break;
- case FILE_OPADD:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) +
-- off;
-+ offset = lhs + off;
- break;
- case FILE_OPMINUS:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) -
-- off;
-+ offset = lhs - off;
- break;
- case FILE_OPMULTIPLY:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) *
-- off;
-+ offset = lhs * off;
- break;
- case FILE_OPDIVIDE:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) /
-- off;
-+ offset = lhs / off;
- break;
- case FILE_OPMODULO:
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0])) %
-- off;
-+ offset = lhs % off;
- break;
- }
- } else
-- offset = (short)((p->hs[1]<<8)|
-- (p->hs[0]));
-+ offset = lhs;
- if (m->in_op & FILE_OPINVERSE)
- offset = ~offset;
- break;
- case FILE_SHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1292,218 +1262,119 @@ mget(struct magic_set *ms, const unsigned char *s,
- break;
- case FILE_BELONG:
- case FILE_BEID3:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
-+ lhs = (p->hl[0] << 24) | (p->hl[1] << 16) |
-+ (p->hl[2] << 8) | p->hl[3];
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
- case FILE_OPAND:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) &
-- off;
-+ offset = lhs & off;
- break;
- case FILE_OPOR:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) |
-- off;
-+ offset = lhs | off;
- break;
- case FILE_OPXOR:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) ^
-- off;
-+ offset = lhs ^ off;
- break;
- case FILE_OPADD:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) +
-- off;
-+ offset = lhs + off;
- break;
- case FILE_OPMINUS:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) -
-- off;
-+ offset = lhs - off;
- break;
- case FILE_OPMULTIPLY:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) *
-- off;
-+ offset = lhs * off;
- break;
- case FILE_OPDIVIDE:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) /
-- off;
-+ offset = lhs / off;
- break;
- case FILE_OPMODULO:
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3])) %
-- off;
-+ offset = lhs % off;
- break;
- }
- } else
-- offset = (int32_t)((p->hl[0]<<24)|
-- (p->hl[1]<<16)|
-- (p->hl[2]<<8)|
-- (p->hl[3]));
-+ offset = lhs;
- if (m->in_op & FILE_OPINVERSE)
- offset = ~offset;
- break;
- case FILE_LELONG:
- case FILE_LEID3:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
-+ lhs = (p->hl[3] << 24) | (p->hl[2] << 16) |
-+ (p->hl[1] << 8) | p->hl[0];
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
- case FILE_OPAND:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) &
-- off;
-+ offset = lhs & off;
- break;
- case FILE_OPOR:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) |
-- off;
-+ offset = lhs | off;
- break;
- case FILE_OPXOR:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) ^
-- off;
-+ offset = lhs ^ off;
- break;
- case FILE_OPADD:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) +
-- off;
-+ offset = lhs + off;
- break;
- case FILE_OPMINUS:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) -
-- off;
-+ offset = lhs - off;
- break;
- case FILE_OPMULTIPLY:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) *
-- off;
-+ offset = lhs * off;
- break;
- case FILE_OPDIVIDE:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) /
-- off;
-+ offset = lhs / off;
- break;
- case FILE_OPMODULO:
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0])) %
-- off;
-+ offset = lhs % off;
- break;
- }
- } else
-- offset = (int32_t)((p->hl[3]<<24)|
-- (p->hl[2]<<16)|
-- (p->hl[1]<<8)|
-- (p->hl[0]));
-+ offset = lhs;
- if (m->in_op & FILE_OPINVERSE)
- offset = ~offset;
- break;
- case FILE_MELONG:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
-+ lhs = (p->hl[1] << 24) | (p->hl[0] << 16) |
-+ (p->hl[3] << 8) | p->hl[2];
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
- case FILE_OPAND:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) &
-- off;
-+ offset = lhs & off;
- break;
- case FILE_OPOR:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) |
-- off;
-+ offset = lhs | off;
- break;
- case FILE_OPXOR:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) ^
-- off;
-+ offset = lhs ^ off;
- break;
- case FILE_OPADD:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) +
-- off;
-+ offset = lhs + off;
- break;
- case FILE_OPMINUS:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) -
-- off;
-+ offset = lhs - off;
- break;
- case FILE_OPMULTIPLY:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) *
-- off;
-+ offset = lhs * off;
- break;
- case FILE_OPDIVIDE:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) /
-- off;
-+ offset = lhs / off;
- break;
- case FILE_OPMODULO:
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2])) %
-- off;
-+ offset = lhs % off;
- break;
- }
- } else
-- offset = (int32_t)((p->hl[1]<<24)|
-- (p->hl[0]<<16)|
-- (p->hl[3]<<8)|
-- (p->hl[2]));
-+ offset = lhs;
- if (m->in_op & FILE_OPINVERSE)
- offset = ~offset;
- break;
- case FILE_LONG:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
- if (off) {
- switch (m->in_op & FILE_OPS_MASK) {
-@@ -1570,14 +1441,14 @@ mget(struct magic_set *ms, const unsigned char *s,
- /* Verify we have enough data to match magic type */
- switch (m->type) {
- case FILE_BYTE:
-- if (nbytes < (offset + 1)) /* should alway be true */
-+ if (OFFSET_OOB(nbytes, offset, 1))
- return 0;
- break;
-
- case FILE_SHORT:
- case FILE_BESHORT:
- case FILE_LESHORT:
-- if (nbytes < (offset + 2))
-+ if (OFFSET_OOB(nbytes, offset, 2))
- return 0;
- break;
-
-@@ -1596,26 +1467,26 @@ mget(struct magic_set *ms, const unsigned char *s,
- case FILE_FLOAT:
- case FILE_BEFLOAT:
- case FILE_LEFLOAT:
-- if (nbytes < (offset + 4))
-+ if (OFFSET_OOB(nbytes, offset, 4))
- return 0;
- break;
-
- case FILE_DOUBLE:
- case FILE_BEDOUBLE:
- case FILE_LEDOUBLE:
-- if (nbytes < (offset + 8))
-+ if (OFFSET_OOB(nbytes, offset, 8))
- return 0;
- break;
-
- case FILE_STRING:
- case FILE_PSTRING:
- case FILE_SEARCH:
-- if (nbytes < (offset + m->vallen))
-+ if (OFFSET_OOB(nbytes, offset, m->vallen))
- return 0;
- break;
-
- case FILE_REGEX:
-- if (nbytes < offset)
-+ if (nbytes < offset)
- return 0;
- break;
-
-@@ -1623,7 +1494,7 @@ mget(struct magic_set *ms, const unsigned char *s,
- if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
- file_printf(ms, m->desc) == -1)
- return -1;
-- if (nbytes < offset)
-+ if (nbytes < offset)
- return 0;
- return file_softmagic(ms, s + offset, nbytes - offset,
- BINTEST);
diff --git a/php-5.3.3-CVE-2014-3587.patch b/php-5.3.3-CVE-2014-3587.patch
deleted file mode 100644
index 209b57f..0000000
--- a/php-5.3.3-CVE-2014-3587.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 0641e56be1af003aa02c7c6b0184466540637233 Mon Sep 17 00:00:00 2001
-From: Christos Zoulas <christos at zoulas.com>
-Date: Thu, 7 Aug 2014 09:38:35 +0000
-Subject: [PATCH] Prevent wrap around (Remi Collet at redhat)
-
----
- src/cdf.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/cdf.c b/src/cdf.c
-index 5dbf3b1..3e691f4 100644
---- a/ext/fileinfo/libmagic/cdf.c 2014-08-14 14:40:06.875720471 +0200
-+++ b/ext/fileinfo/libmagic/cdf.c 2014-08-14 14:41:19.907273015 +0200
-@@ -768,6 +768,10 @@
- q = (const uint32_t *)(const void *)
- ((const char *)(const void *)p + ofs
- - 2 * sizeof(uint32_t));
-+ if (q < p) {
-+ DPRINTF(("Wrapped around %p < %p\n", q, p));
-+ goto out;
-+ }
- if (q > e) {
- DPRINTF(("Ran of the end %p > %p\n", q, e));
- goto out;
---
-2.0.3
-
diff --git a/php-5.3.3-CVE-2014-3710.patch b/php-5.3.3-CVE-2014-3710.patch
deleted file mode 100644
index d1a9971..0000000
--- a/php-5.3.3-CVE-2014-3710.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi at php.net>
-Date: Wed, 22 Oct 2014 15:37:04 +0200
-Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
- headers
-
-Upstream commit
-https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
-
-CVE -2014-3710
----
- ext/fileinfo/libmagic/readelf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
-index 1c3845f..bb6f70f 100644
---- a/ext/fileinfo/libmagic/readelf.c
-+++ b/ext/fileinfo/libmagic/readelf.c
-@@ -372,6 +372,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
- #endif
- uint32_t namesz, descsz;
-
-+ if (xnh_sizeof + offset > size) {
-+ /*
-+ * We're out of note headers.
-+ */
-+ return xnh_sizeof + offset;
-+ }
-+
- (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
- offset += xnh_sizeof;
-
---
-2.1.0
-
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/php.git/commitdiff/2f139b72597b02df51f1f0005b9300f0955bf9cd