packages (PHP_5_2): php/php.spec, php/php-5.2.17-CVE-2011-0708.patch (NEW), ...

glen glen at pld-linux.org
Mon Oct 10 21:36:45 CEST 2011


Author: glen                         Date: Mon Oct 10 19:36:45 2011 GMT
Module: packages                      Tag: PHP_5_2
---- Log message:
- add bunch of bug and cve backports from 5.3 by centalt (php-5.2.17-7.el5.src.rpm)

---- Files affected:
packages/php:
   php.spec (1.805.2.90 -> 1.805.2.91) , php-5.2.17-CVE-2011-0708.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-CVE-2011-1092.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-CVE-2011-1148.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-CVE-2011-1938.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-CVE-2011-2202.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-bug-39847.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-bug-48484.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-bug-49072.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-bug-52063.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.17-bug-55082.patch (NONE -> 1.1.2.1)  (NEW), php-5.2.19.tar.bz2 (NONE -> 1.1.2.1)  (NEW), php-5.2.20.tar.bz2 (NONE -> 1.1.2.1)  (NEW), php-5.3.6-39199.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-47435.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-48607.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-51336.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-52209.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-52290.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53150.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53377.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53515.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53568.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53574.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53577.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53579.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53603.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53630.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53854.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53903.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-53924.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-54055.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-54089.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.6-bug-54092.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-48465.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-50363.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-51958.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-51997.patch (NONE -> 1.1.2.1)  (NEW), 
php-5.3.7-bug-52104.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-52496.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-52935.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-53037.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-53782.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-53848.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54121.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54137.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54180.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54221.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54242.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54269.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54312.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54318.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54329.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54440.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54494.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54529.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54601.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-54946.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-55014.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-55323.patch (NONE -> 1.1.2.1)  (NEW), php-5.3.7-bug-55399.patch (NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: packages/php/php.spec
diff -u packages/php/php.spec:1.805.2.90 packages/php/php.spec:1.805.2.91
--- packages/php/php.spec:1.805.2.90	Mon Oct 10 20:54:38 2011
+++ packages/php/php.spec	Mon Oct 10 21:36:37 2011
@@ -113,7 +113,7 @@
 Summary(uk.UTF-8):	PHP Версії 5 - мова препроцесування HTML-файлів, виконувана на сервері
 Name:		php
 Version:	5.2.17
-Release:	6
+Release:	7
 Epoch:		4
 License:	PHP
 Group:		Libraries
@@ -193,6 +193,69 @@
 Patch57:	php-php_dl.patch
 # http://spot.fedorapeople.org/php-5.3.6-libzip.patch
 Patch65:	system-libzip.patch
+# CENTALT patches
+# CVE
+Patch201: php-5.2.17-CVE-2011-2202.patch
+Patch202: php-5.2.17-CVE-2011-1938.patch
+Patch203: php-5.2.17-CVE-2011-1148.patch
+Patch204: php-5.2.17-CVE-2011-0708.patch
+Patch205: php-5.2.17-CVE-2011-1092.patch
+# Backport from 5.3.6
+Patch301: php-5.3.6-bug-54055.patch
+Patch302: php-5.3.6-bug-53577.patch
+Patch303: php-5.2.17-bug-48484.patch
+Patch304: php-5.3.6-bug-48607.patch
+Patch305: php-5.3.6-bug-53574.patch
+Patch306: php-5.3.6-bug-52290.patch
+Patch307: php-5.2.17-bug-52063.patch
+Patch308: php-5.3.6-bug-53924.patch
+Patch309: php-5.3.6-bug-53150.patch
+Patch310: php-5.3.6-bug-52209.patch
+Patch311: php-5.3.6-bug-47435.patch
+Patch312: php-5.3.6-bug-53377.patch
+Patch313: php-5.2.17-bug-39847.patch
+Patch314: php-5.3.6-39199.patch
+Patch315: php-5.3.6-bug-53630.patch
+Patch316: php-5.3.6-bug-51336.patch
+Patch317: php-5.3.6-bug-53515.patch
+Patch318: php-5.3.6-bug-54092.patch
+Patch319: php-5.3.6-bug-53903.patch
+Patch320: php-5.3.6-bug-54089.patch
+Patch321: php-5.3.6-bug-53603.patch
+Patch322: php-5.3.6-bug-53854.patch
+Patch323: php-5.3.6-bug-53579.patch
+Patch324: php-5.3.6-bug-53568.patch
+Patch325: php-5.2.17-bug-49072.patch
+# 5.3.7
+Patch330: php-5.3.7-bug-55399.patch
+Patch331: php-5.2.17-bug-55082.patch
+Patch332: php-5.3.7-bug-55014.patch
+#Patch333: php-5.3.7-bug-54924.patch
+Patch334: php-5.3.7-bug-54180.patch
+Patch335: php-5.3.7-bug-54137.patch
+Patch336: php-5.3.7-bug-53848.patch
+Patch337: php-5.3.7-bug-52935.patch
+Patch338: php-5.3.7-bug-51997.patch
+Patch339: php-5.3.7-bug-50363.patch
+Patch340: php-5.3.7-bug-48465.patch
+Patch341: php-5.3.7-bug-54529.patch
+Patch342: php-5.3.7-bug-52496.patch
+Patch343: php-5.3.7-bug-54242.patch
+Patch344: php-5.3.7-bug-54121.patch
+Patch345: php-5.3.7-bug-53037.patch
+Patch346: php-5.3.7-bug-54269.patch
+Patch347: php-5.3.7-bug-54601.patch
+Patch348: php-5.3.7-bug-54440.patch
+Patch349: php-5.3.7-bug-54494.patch
+Patch350: php-5.3.7-bug-54221.patch
+Patch351: php-5.3.7-bug-52104.patch
+Patch352: php-5.3.7-bug-54329.patch
+Patch353: php-5.3.7-bug-53782.patch
+Patch354: php-5.3.7-bug-54318.patch
+Patch355: php-5.3.7-bug-55323.patch
+Patch356: php-5.3.7-bug-54312.patch
+Patch357: php-5.3.7-bug-51958.patch
+Patch358: php-5.3.7-bug-54946.patch
 URL:		http://www.php.net/
 %{?with_interbase:%{!?with_interbase_inst:BuildRequires:	Firebird-devel >= 1.0.2.908-2}}
 %{?with_pspell:BuildRequires:	aspell-devel >= 2:0.50.0}
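Review bot: Two of the backports listed here never reach the build, and nothing in the spec says why: `Patch333` is commented out in this hunk, and in the `%prep` hunk `%patch333` and `%patch355` are disabled behind the bare markers `#accert` and `#soap`, although `Patch355` is still declared. Anyone auditing which upstream fixes this release carries has to compare the two lists by hand. I would replace the markers with a short reason, e.g. `# bug-54924 not applied: <reason>` and `# bug-55323 (soap) not applied: <reason>`, and either drop the `Patch355:` line or state that the file ships unapplied.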
@@ -1873,6 +1936,69 @@
 %patch57 -p1
 %patch65 -p1
 
+%patch201 -p1 -b .CVE-2011-2202
+%patch202 -p1 -b .CVE-2011-1938
+%patch203 -p1 -b .CVE-2011-1148
+%patch204 -p1 -b .CVE-2011-0708
+%patch205 -p1 -b .CVE-2011-1092
+
+# Bugfix backport from 5.3.6
+%patch301 -p1 -b .bug-54055
+%patch302 -p1 -b .bug-53577
+%patch303 -p1 -b .bug-48484
+%patch304 -p1 -b .bug-48607
+%patch305 -p1 -b .bug-53574
+%patch306 -p1 -b .bug-52290
+%patch307 -p1 -b .bug-52063
+%patch308 -p1 -b .bug-53924
+%patch309 -p1 -b .bug-53150
+%patch310 -p1 -b .bug-52209
+%patch311 -p1 -b .bug-47435
+%patch312 -p1 -b .bug-53377
+%patch313 -p1 -b .bug-39847
+%patch314 -p1 -b .bug-39199
+%patch315 -p1 -b .bug-53630
+%patch316 -p1 -b .bug-51336
+%patch317 -p1 -b .bug-53515
+%patch318 -p1 -b .bug-54092
+%patch319 -p1 -b .bug-53903
+%patch320 -p1 -b .bug-54089
+%patch321 -p1 -b .bug-53603
+%patch322 -p1 -b .bug-53854
+%patch323 -p1 -b .bug-53579
+%patch324 -p1 -b .bug-53568
+%patch325 -p1 -b .bug-49072
+# Bugfix backport from 5.3.7
+%patch330 -p1 -b .bug-55399
+%patch331 -p1 -b .bug-55082
+%patch332 -p1 -b .bug-55014
+#accert %patch333 -p1 -b .bug-54924
+%patch334 -p1 -b .bug-54180
+%patch335 -p1 -b .bug-54137
+%patch336 -p1 -b .bug-53848
+%patch337 -p1 -b .bug-52935
+%patch338 -p1 -b .bug-51997
+%patch339 -p1 -b .bug-50363
+%patch340 -p1 -b .bug-48465
+%patch341 -p1 -b .bug-54529
+%patch342 -p1 -b .bug-52496
+%patch343 -p1 -b .bug-54242
+%patch344 -p1 -b .bug-54121
+%patch345 -p1 -b .bug-53037
+%patch346 -p1 -b .bug-54269
+%patch347 -p1 -b .bug-54601
+%patch348 -p1 -b .bug-54440
+%patch349 -p1 -b .bug-54494
+%patch350 -p1 -b .bug-54221
+%patch351 -p1 -b .bug-52104
+%patch352 -p1 -b .bug-54329
+%patch353 -p1 -b .bug-53782
+%patch354 -p1 -b .bug-54318
+#soap %patch355 -p1 -b .bug-55323
+%patch356 -p1 -b .bug-54312
+%patch357 -p1 -b .bug-51958
+%patch358 -p1 -b .bug-54946
+
 # conflict seems to be resolved by recode patches
 rm -f ext/recode/config9.m4
 
@@ -3178,6 +3304,9 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.805.2.91  2011/10/10 19:36:37  glen
+- add bunch of bug and cve backports from 5.3 by centalt (php-5.2.17-7.el5.src.rpm)
+
 Revision 1.805.2.90  2011/10/10 18:54:38  glen
 - use system libzip 0.10, resolves CVE-2011-0421
 

================================================================
Index: packages/php/php-5.2.17-CVE-2011-0708.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-0708.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-0708.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,52 @@
+--- PHP_5_3/ext/exif/exif.c	2011/02/14 08:46:53	308315
++++ PHP_5_3/ext/exif/exif.c	2011/02/14 09:08:44	308316
+@@ -40,6 +40,10 @@
+ #include "php.h"
+ #include "ext/standard/file.h"
+ 
++#ifdef PHP_WIN32
++include "win32/php_stdint.h"
++#endif
++
+ #if HAVE_EXIF
+ 
+ /* When EXIF_DEBUG is defined the module generates a lot of debug messages
+@@ -2821,6 +2825,7 @@
+ 	int tag, format, components;
+ 	char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ 	size_t byte_count, offset_val, fpos, fgot;
++	int64_t byte_count_signed;
+ 	xp_field_type *tmp_xp;
+ #ifdef EXIF_DEBUG
+ 	char *dump_data;
+@@ -2845,13 +2850,20 @@
+ 		/*return TRUE;*/
+ 	}
+ 
+-	byte_count = components * php_tiff_bytes_per_format[format];
++	if (components < 0) {
++		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
++		return FALSE;
++	}
++
++	byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
+ 
+-	if ((ssize_t)byte_count < 0) {
++	if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
+ 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ 		return FALSE;
+ 	}
+ 
++	byte_count = (size_t)byte_count_signed;
++
+ 	if (byte_count > 4) {
+ 		offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+ 		/* If its bigger than 4 bytes, the dir entry contains an offset. */
+@@ -2916,6 +2928,7 @@
+ 		efree(dump_data);
+ 	}
+ #endif
++
+ 	if (section_index==SECTION_THUMBNAIL) {
+ 		if (!ImageInfo->Thumbnail.data) {
+ 			switch(tag) {
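Review bot: Both new `exif_error_docref` warnings in the third inner hunk pass `byte_count` as the `%ld` argument before it is assigned; as far as the visible context shows, it first gets a value at `byte_count = (size_t)byte_count_signed;`, after the two checks, so the message prints an indeterminate value. The first warning should report the rejected input, e.g. `"Process tag(x%04X=%s): Illegal components(%d)"` with `components` as the last argument, and the second should print `byte_count_signed` with a matching 64-bit format. The upper bound `byte_count_signed > 2147483648` also lets 2^31 itself through; if the intent is to keep the count within a signed 32-bit range, the comparison should be `> 2147483647`. The enclosing function starts and ends outside the patch context.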

================================================================
Index: packages/php/php-5.2.17-CVE-2011-1092.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1092.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1092.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,11 @@
+--- PHP_5_3/ext/shmop/shmop.c	2011/01/01 02:19:59	306939
++++ PHP_5_3/ext/shmop/shmop.c	2011/03/08 13:11:14	309018
+@@ -256,7 +256,7 @@
+ 		RETURN_FALSE;
+ 	}
+ 
+-	if (start + count > shmop->size || count < 0) {
++	if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
+ 		RETURN_FALSE;
+ 	}
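Review bot: The rewritten condition is only safe in the order written, and the patch adds no comment saying so: `count < 0` has to be rejected before `INT_MAX - count` is evaluated, and that test has to come before `start + count`. A one-line comment above the `if`, such as `/* order matters: reject negative count first so INT_MAX - count cannot overflow, then rule out overflow before adding */`, would keep a later cleanup from reordering the operands. The declarations of `start` and `count` are outside the hunk; if they are `long`, `INT_MAX` is a conservative bound on 64-bit builds rather than the type's limit, which is worth stating in the same comment.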

================================================================
Index: packages/php/php-5.2.17-CVE-2011-1148.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1148.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1148.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,159 @@
+--- PHP_5_3/ext/standard/string.c	2011/04/13 03:32:19	310193
++++ PHP_5_3/ext/standard/string.c	2011/04/13 06:32:41	310194
+@@ -2352,20 +2352,35 @@
+ 
+ 		zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
+ 		while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
+-			convert_to_string_ex(tmp_str);
++			zval *orig_str;
++			zval dummy;
++			if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++				dummy = **tmp_str;
++				orig_str = &dummy;
++				zval_copy_ctor(orig_str);
++				convert_to_string(orig_str);
++			} else {
++				orig_str = *tmp_str;
++			}
+ 
+ 			if (Z_TYPE_PP(from) == IS_ARRAY) {
+ 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
+-					convert_to_long_ex(tmp_from);
++					if(Z_TYPE_PP(tmp_from) != IS_LONG) {
++						zval dummy = **tmp_from;
++						zval_copy_ctor(&dummy);
++						convert_to_long(&dummy);
++						f = Z_LVAL(dummy);
++					} else {
++						f = Z_LVAL_PP(tmp_from);
++					}
+ 
+-					f = Z_LVAL_PP(tmp_from);
+ 					if (f < 0) {
+-						f = Z_STRLEN_PP(tmp_str) + f;
++						f = Z_STRLEN_P(orig_str) + f;
+ 						if (f < 0) {
+ 							f = 0;
+ 						}
+-					} else if (f > Z_STRLEN_PP(tmp_str)) {
+-						f = Z_STRLEN_PP(tmp_str);
++					} else if (f > Z_STRLEN_P(orig_str)) {
++						f = Z_STRLEN_P(orig_str);
+ 					}
+ 					zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
+ 				} else {
+@@ -2374,72 +2389,94 @@
+ 			} else {
+ 				f = Z_LVAL_PP(from);
+ 				if (f < 0) {
+-					f = Z_STRLEN_PP(tmp_str) + f;
++					f = Z_STRLEN_P(orig_str) + f;
+ 					if (f < 0) {
+ 						f = 0;
+ 					}
+-				} else if (f > Z_STRLEN_PP(tmp_str)) {
+-					f = Z_STRLEN_PP(tmp_str);
++				} else if (f > Z_STRLEN_P(orig_str)) {
++					f = Z_STRLEN_P(orig_str);
+ 				}
+ 			}
+ 
+ 			if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
+ 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
+-					convert_to_long_ex(tmp_len);
++					if(Z_TYPE_PP(tmp_len) != IS_LONG) {
++						zval dummy = **tmp_len;
++						zval_copy_ctor(&dummy);
++						convert_to_long(&dummy);
++						l = Z_LVAL(dummy);
++					} else {
++						l = Z_LVAL_PP(tmp_len);
++					}
+ 
+ 					l = Z_LVAL_PP(tmp_len);
+ 					zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
+ 				} else {
+-					l = Z_STRLEN_PP(tmp_str);
++					l = Z_STRLEN_P(orig_str);
+ 				}
+ 			} else if (argc > 3) { 
+ 				l = Z_LVAL_PP(len);
+ 			} else {
+-				l = Z_STRLEN_PP(tmp_str);
++				l = Z_STRLEN_P(orig_str);
+ 			}
+ 
+ 			if (l < 0) {
+-				l = (Z_STRLEN_PP(tmp_str) - f) + l;
++				l = (Z_STRLEN_P(orig_str) - f) + l;
+ 				if (l < 0) {
+ 					l = 0;
+ 				}
+ 			}
+ 
+-			if ((f + l) > Z_STRLEN_PP(tmp_str)) {
+-				l = Z_STRLEN_PP(tmp_str) - f;
++			if ((f + l) > Z_STRLEN_P(orig_str)) {
++				l = Z_STRLEN_P(orig_str) - f;
+ 			}
+ 
+-			result_len = Z_STRLEN_PP(tmp_str) - l;
++			result_len = Z_STRLEN_P(orig_str) - l;
+ 
+ 			if (Z_TYPE_PP(repl) == IS_ARRAY) {
+ 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
+-					convert_to_string_ex(tmp_repl);
+-					result_len += Z_STRLEN_PP(tmp_repl);
++					zval *repl_str;
++					zval zrepl;
++					if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++						zrepl = **tmp_repl;
++						repl_str = &zrepl;
++						zval_copy_ctor(repl_str);
++						convert_to_string(repl_str);
++					} else {
++						repl_str = *tmp_repl;
++					}
++
++					result_len += Z_STRLEN_P(repl_str);
+ 					zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);	
+ 					result = emalloc(result_len + 1);
+ 
+-					memcpy(result, Z_STRVAL_PP(tmp_str), f);
+-					memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
+-					memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++					memcpy(result, Z_STRVAL_P(orig_str), f);
++					memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
++					memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
++					if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++						zval_dtor(repl_str);
++					}
+ 				} else {
+ 					result = emalloc(result_len + 1);
+ 	
+-					memcpy(result, Z_STRVAL_PP(tmp_str), f);
+-					memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++					memcpy(result, Z_STRVAL_P(orig_str), f);
++					memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ 				}
+ 			} else {
+ 				result_len += Z_STRLEN_PP(repl);
+ 
+ 				result = emalloc(result_len + 1);
+ 
+-				memcpy(result, Z_STRVAL_PP(tmp_str), f);
++				memcpy(result, Z_STRVAL_P(orig_str), f);
+ 				memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
+-				memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++				memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ 			}
+ 
+ 			result[result_len] = '\0';
+ 			add_next_index_stringl(return_value, result, result_len, 0);
+-
++			if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++				zval_dtor(orig_str);
++			}
+ 			zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
+ 		} /*while*/
+ 	} /* if */
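Review bot: In the `len` array branch the unchanged line `l = Z_LVAL_PP(tmp_len);` still follows the new `if`/`else`, so it overwrites the value just taken from the converted copy and reads the long field of `tmp_len` even when that element is not `IS_LONG`. That undoes the conversion for this one operand, and `l` then goes into `result_len` and the `memcpy` offsets further down. The `from` branch removes the equivalent line (`f = Z_LVAL_PP(tmp_from);` is deleted); the `len` branch should drop `l = Z_LVAL_PP(tmp_len);` in the same way. The enclosing function starts and ends outside the patch context.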

================================================================
Index: packages/php/php-5.2.17-CVE-2011-1938.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1938.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1938.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,14 @@
+diff -up php-5.2.17/ext/sockets/sockets.c.CVE-2011-1938 php-5.2.17/ext/sockets/sockets.c
+--- php-5.2.17/ext/sockets/sockets.c.CVE-2011-1938	2011-08-19 08:40:08.000000000 +0700
++++ php-5.2.17/ext/sockets/sockets.c	2011-08-19 08:41:11.000000000 +0700
+@@ -1176,6 +1176,10 @@ PHP_FUNCTION(socket_connect)
+ 			break;
+ 
+ 		case AF_UNIX:
++                    if (addr_len >= sizeof(s_un.sun_path)) {
++                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
++                        RETURN_FALSE;
++                    }
+ 			memset(&s_un, 0, sizeof(struct sockaddr_un));
+ 
+ 			s_un.sun_family = AF_UNIX;
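Review bot: The added `php_error_docref` call passes `php_sock->type` to a format string that has no conversion for it, so the argument is silently ignored; `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");` says the same thing without the stray argument. The four added lines are also indented with spaces while the surrounding `case` body uses tabs. The declarations of `addr_len` and `s_un`, and the copy this check guards, are outside the hunk, so the `>= sizeof(s_un.sun_path)` bound should be confirmed against the length actually used in that copy.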

================================================================
Index: packages/php/php-5.2.17-CVE-2011-2202.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-2202.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-2202.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/main/rfc1867.c.orig php-5.2.17/main/rfc1867.c
+--- php-5.2.17/main/rfc1867.c.orig	2011-08-19 08:33:09.000000000 +0700
++++ php-5.2.17/main/rfc1867.c	2011-08-19 08:34:29.000000000 +0700
+@@ -1215,7 +1215,7 @@ filedone:
+ #endif
+ 
+ 			if (!is_anonymous) {
+-				if (s && s > filename) {
++				if (s && s >= filename) {
+ 					safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
+ 				} else {
+ 					safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
+@@ -1228,7 +1228,7 @@ filedone:
+ 			} else {
+ 				snprintf(lbuf, llen, "%s[name]", param);
+ 			}
+-			if (s && s > filename) {
++			if (s && s >= filename) {
+ 				register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
+ 			} else {
+ 				register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
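Review bot: Neither changed condition carries a comment explaining why `>=` is required, and the one-character difference from `>` is easy to revert by accident. `s` is assigned outside the hunk; it looks like a pointer to the last path separator found in `filename`, in which case `s == filename` is the case where the client-supplied name begins with that separator and `s+1` strips it. A comment at both sites, e.g. `/* s == filename: name starts with the separator; still strip it so a leading separator is never registered */`, would record that. The same applies to the second inner hunk, which guards `register_http_post_files_variable`.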

================================================================
Index: packages/php/php-5.2.17-bug-39847.patch
diff -u /dev/null packages/php/php-5.2.17-bug-39847.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-39847.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/ext/mysqli/mysqli_api.c.bug-39847 php-5.2.17/ext/mysqli/mysqli_api.c
+--- php-5.2.17/ext/mysqli/mysqli_api.c.bug-39847	2010-04-21 19:52:24.000000000 +0700
++++ php-5.2.17/ext/mysqli/mysqli_api.c	2011-08-28 11:33:15.000000000 +0700
+@@ -795,6 +795,8 @@ PHP_FUNCTION(mysqli_fetch_field) 
+ 	add_property_string(return_value, "orgname",(field->org_name ? field->org_name : ""), 1);
+ 	add_property_string(return_value, "table",(field->table ? field->table : ""), 1);
+ 	add_property_string(return_value, "orgtable",(field->org_table ? field->org_table : ""), 1);
++	add_property_string(return_value, "db",(field->db ? field->db : ""), 1);
++	add_property_string(return_value, "catalog",(field->catalog ? field->catalog : ""), 1);
+ 	add_property_string(return_value, "def",(field->def ? field->def : ""), 1);
+ 	add_property_long(return_value, "max_length", field->max_length);
+ 	add_property_long(return_value, "length", field->length);
+@@ -878,6 +880,8 @@ PHP_FUNCTION(mysqli_fetch_field_direct) 
+ 	add_property_string(return_value, "orgname",(field->org_name ? field->org_name : ""), 1);
+ 	add_property_string(return_value, "table",(field->table ? field->table : ""), 1);
+ 	add_property_string(return_value, "orgtable",(field->org_table ? field->org_table : ""), 1);
++	add_property_string(return_value, "db",(field->db ? field->db : ""), 1);
++	add_property_string(return_value, "catalog",(field->catalog ? field->catalog : ""), 1);
+ 	add_property_string(return_value, "def",(field->def ? field->def : ""), 1);
+ 	add_property_long(return_value, "max_length", field->max_length);
+ 	add_property_long(return_value, "length", field->length);

================================================================
Index: packages/php/php-5.2.17-bug-48484.patch
diff -u /dev/null packages/php/php-5.2.17-bug-48484.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-48484.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,18 @@
+diff -up php-5.2.17/ext/standard/array.c.bug-48484 php-5.2.17/ext/standard/array.c
+--- php-5.2.17/ext/standard/array.c.bug-48484	2010-11-20 04:06:44.000000000 +0600
++++ php-5.2.17/ext/standard/array.c	2011-08-28 00:21:52.000000000 +0700
+@@ -4368,11 +4368,11 @@ PHP_FUNCTION(array_product)
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array");
+ 		return;
+ 	}
+-	
++
++	ZVAL_LONG(return_value, 1);
+ 	if (!zend_hash_num_elements(Z_ARRVAL_PP(input))) {
+-		RETURN_LONG(0);
++		return;
+ 	}
+-	ZVAL_LONG(return_value, 1);
+ 
+ 	for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+ 		 zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&entry, &pos) == SUCCESS;
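Review bot: `array_product()` on an empty array now yields 1 where it used to yield 0, because `ZVAL_LONG(return_value, 1);` moves above the emptiness test and `RETURN_LONG(0)` becomes a bare `return`; that is a script-visible change in a maintenance build. The spec changelog only mentions "bug and cve backports", so the change deserves a line in the package notes for users who compare the result with 0. A short comment at the early return, `/* empty product is 1 */`, would make the intent explicit. The function continues outside the hunk.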

================================================================
Index: packages/php/php-5.2.17-bug-49072.patch
diff -u /dev/null packages/php/php-5.2.17-bug-49072.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-49072.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,28 @@
+diff -up php-5.2.17/ext/zip/zip_stream.c.bug-49072 php-5.2.17/ext/zip/zip_stream.c
+--- php-5.2.17/ext/zip/zip_stream.c.bug-49072	2011-08-28 14:06:52.000000000 +0700
++++ php-5.2.17/ext/zip/zip_stream.c	2011-08-28 14:09:41.000000000 +0700
+@@ -34,7 +34,7 @@ static size_t php_zip_ops_read(php_strea
+ 	STREAM_DATA_FROM_STREAM();
+ 
+ 	if (self->za && self->zf) {
+-		n = (size_t)zip_fread(self->zf, buf, (int)count);
++		n = zip_fread(self->zf, buf, count);
+ 		if (n < 0) {
+ 			int ze, se;
+ 			zip_file_error_get(self->zf, &ze, &se);
+@@ -42,13 +42,13 @@ static size_t php_zip_ops_read(php_strea
+ 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zip stream error: %s", zip_file_strerror(self->zf));
+ 			return 0;
+ 		}
+-		if (n == 0 || n < count) {
++		if (n == 0 || n < (ssize_t)count) {
+ 			stream->eof = 1;
+ 		} else {
+ 			self->cursor += n;
+ 		}
+ 	}
+-	return n<1 ? 0 : n;
++	return (n < 1 ? 0 : (size_t)n);
+ }
+ /* }}} */
+ 
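Review bot: The patch changes how `n` is compared and cast but not how it is declared, and the declaration is outside the hunk. `if (n < 0)`, `n < (ssize_t)count` and `(size_t)n` are only meaningful if `n` is a signed type wide enough for the `zip_fread` result; if it is still unsigned the error branch is dead, and if it is `int` a large read is truncated. The patch should carry the declaration change as well, `ssize_t n = 0;`, unless the tree it applies to already has it.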

================================================================
Index: packages/php/php-5.2.17-bug-52063.patch
diff -u /dev/null packages/php/php-5.2.17-bug-52063.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-52063.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/ext/date/php_date.c.bug-52063 php-5.2.17/ext/date/php_date.c
+--- php-5.2.17/ext/date/php_date.c.bug-52063	2011-08-28 09:44:11.000000000 +0700
++++ php-5.2.17/ext/date/php_date.c	2011-08-28 09:45:09.000000000 +0700
+@@ -1778,7 +1778,7 @@ PHP_FUNCTION(date_create)
+ 	char           *time_str = NULL;
+ 	int             time_str_len = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
+ 		RETURN_FALSE;
+ 	}
+ 
+@@ -1799,7 +1799,7 @@ PHP_METHOD(DateTime, __construct)
+ 	int time_str_len = 0;
+ 	
+ 	php_set_error_handling(EH_THROW, NULL TSRMLS_CC);
+-	if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO", &time_str, &time_str_len, &timezone_object, date_ce_timezone)) {
++	if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone)) {
+ 		date_initialize(zend_object_store_get_object(getThis() TSRMLS_CC), time_str, time_str_len, timezone_object, 1 TSRMLS_CC);
+ 	}
+ 	php_set_error_handling(EH_NORMAL, NULL TSRMLS_CC);

================================================================
Index: packages/php/php-5.2.17-bug-55082.patch
diff -u /dev/null packages/php/php-5.2.17-bug-55082.patch:1.1.2.1
--- /dev/null	Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-55082.patch	Mon Oct 10 21:36:37 2011
@@ -0,0 +1,35 @@
+diff -up php-5.2.17/ext/standard/var.c.bug-55082 php-5.2.17/ext/standard/var.c
+--- php-5.2.17/ext/standard/var.c.bug-55082	2010-09-14 03:14:18.000000000 +0700
++++ php-5.2.17/ext/standard/var.c	2011-08-28 15:18:52.000000000 +0700
+@@ -401,7 +401,7 @@ static int php_object_element_export(zva
+ {
+ 	int level;
+ 	smart_str *buf;
+-	char *prop_name, *class_name;
++	
+ 	TSRMLS_FETCH();
+ 
+ 	level = va_arg(args, int);
+@@ -409,11 +409,20 @@ static int php_object_element_export(zva
+ 
+ 	buffer_append_spaces(buf, level + 2);
+ 	if (hash_key->nKeyLength != 0) {
+-		zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1, &class_name, &prop_name);
++                char *class_name, /* ignored, but must be passed to unmangle */
++                        *pname,
++                        *pname_esc;
++                int  pname_esc_len;
++
++                zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1,
++                            &class_name, &pname);
++                pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0,
++                        "'\\", 2 TSRMLS_CC);
+ 
+ 		smart_str_appendc(buf, '\'');
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/php/php.spec?r1=1.805.2.90&r2=1.805.2.91&f=u


