packages (PHP_5_2): php/php.spec, php/php-5.2.17-CVE-2011-0708.patch (NEW), ...
glen
glen at pld-linux.org
Mon Oct 10 21:36:45 CEST 2011
Author: glen Date: Mon Oct 10 19:36:45 2011 GMT
Module: packages Tag: PHP_5_2
---- Log message:
- add bunch of bug and cve backports from 5.3 by centalt (php-5.2.17-7.el5.src.rpm)
---- Files affected:
packages/php:
php.spec (1.805.2.90 -> 1.805.2.91) , php-5.2.17-CVE-2011-0708.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-1092.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-1148.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-1938.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-2202.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-39847.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-48484.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-49072.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-52063.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-55082.patch (NONE -> 1.1.2.1) (NEW), php-5.2.19.tar.bz2 (NONE -> 1.1.2.1) (NEW), php-5.2.20.tar.bz2 (NONE -> 1.1.2.1) (NEW), php-5.3.6-39199.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-47435.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-48607.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-51336.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-52209.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-52290.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53150.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53377.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53515.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53568.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53574.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53577.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53579.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53603.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53630.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53854.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53903.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53924.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-54055.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-54089.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-54092.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-48465.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-50363.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-51958.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-51997.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-52104.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-52496.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-52935.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-53037.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-53782.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-53848.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54121.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54137.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54180.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54221.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54242.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54269.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54312.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54318.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54329.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54440.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54494.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54529.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54601.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54946.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-55014.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-55323.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-55399.patch (NONE -> 1.1.2.1) (NEW)
---- Diffs:
================================================================
Index: packages/php/php.spec
diff -u packages/php/php.spec:1.805.2.90 packages/php/php.spec:1.805.2.91
--- packages/php/php.spec:1.805.2.90 Mon Oct 10 20:54:38 2011
+++ packages/php/php.spec Mon Oct 10 21:36:37 2011
@@ -113,7 +113,7 @@
Summary(uk.UTF-8): PHP Версії 5 - мова препроцесування HTML-файлів, виконувана на сервері
Name: php
Version: 5.2.17
-Release: 6
+Release: 7
Epoch: 4
License: PHP
Group: Libraries
@@ -193,6 +193,69 @@
Patch57: php-php_dl.patch
# http://spot.fedorapeople.org/php-5.3.6-libzip.patch
Patch65: system-libzip.patch
+# CENTALT patches
+# CVE
+Patch201: php-5.2.17-CVE-2011-2202.patch
+Patch202: php-5.2.17-CVE-2011-1938.patch
+Patch203: php-5.2.17-CVE-2011-1148.patch
+Patch204: php-5.2.17-CVE-2011-0708.patch
+Patch205: php-5.2.17-CVE-2011-1092.patch
+# Backport from 5.3.6
+Patch301: php-5.3.6-bug-54055.patch
+Patch302: php-5.3.6-bug-53577.patch
+Patch303: php-5.2.17-bug-48484.patch
+Patch304: php-5.3.6-bug-48607.patch
+Patch305: php-5.3.6-bug-53574.patch
+Patch306: php-5.3.6-bug-52290.patch
+Patch307: php-5.2.17-bug-52063.patch
+Patch308: php-5.3.6-bug-53924.patch
+Patch309: php-5.3.6-bug-53150.patch
+Patch310: php-5.3.6-bug-52209.patch
+Patch311: php-5.3.6-bug-47435.patch
+Patch312: php-5.3.6-bug-53377.patch
+Patch313: php-5.2.17-bug-39847.patch
+Patch314: php-5.3.6-39199.patch
+Patch315: php-5.3.6-bug-53630.patch
+Patch316: php-5.3.6-bug-51336.patch
+Patch317: php-5.3.6-bug-53515.patch
+Patch318: php-5.3.6-bug-54092.patch
+Patch319: php-5.3.6-bug-53903.patch
+Patch320: php-5.3.6-bug-54089.patch
+Patch321: php-5.3.6-bug-53603.patch
+Patch322: php-5.3.6-bug-53854.patch
+Patch323: php-5.3.6-bug-53579.patch
+Patch324: php-5.3.6-bug-53568.patch
+Patch325: php-5.2.17-bug-49072.patch
+# 5.3.7
+Patch330: php-5.3.7-bug-55399.patch
+Patch331: php-5.2.17-bug-55082.patch
+Patch332: php-5.3.7-bug-55014.patch
+#Patch333: php-5.3.7-bug-54924.patch
+Patch334: php-5.3.7-bug-54180.patch
+Patch335: php-5.3.7-bug-54137.patch
+Patch336: php-5.3.7-bug-53848.patch
+Patch337: php-5.3.7-bug-52935.patch
+Patch338: php-5.3.7-bug-51997.patch
+Patch339: php-5.3.7-bug-50363.patch
+Patch340: php-5.3.7-bug-48465.patch
+Patch341: php-5.3.7-bug-54529.patch
+Patch342: php-5.3.7-bug-52496.patch
+Patch343: php-5.3.7-bug-54242.patch
+Patch344: php-5.3.7-bug-54121.patch
+Patch345: php-5.3.7-bug-53037.patch
+Patch346: php-5.3.7-bug-54269.patch
+Patch347: php-5.3.7-bug-54601.patch
+Patch348: php-5.3.7-bug-54440.patch
+Patch349: php-5.3.7-bug-54494.patch
+Patch350: php-5.3.7-bug-54221.patch
+Patch351: php-5.3.7-bug-52104.patch
+Patch352: php-5.3.7-bug-54329.patch
+Patch353: php-5.3.7-bug-53782.patch
+Patch354: php-5.3.7-bug-54318.patch
+Patch355: php-5.3.7-bug-55323.patch
+Patch356: php-5.3.7-bug-54312.patch
+Patch357: php-5.3.7-bug-51958.patch
+Patch358: php-5.3.7-bug-54946.patch
URL: http://www.php.net/
%{?with_interbase:%{!?with_interbase_inst:BuildRequires: Firebird-devel >= 1.0.2.908-2}}
%{?with_pspell:BuildRequires: aspell-devel >= 2:0.50.0}
@@ -1873,6 +1936,69 @@
%patch57 -p1
%patch65 -p1
+%patch201 -p1 -b .CVE-2011-2202
+%patch202 -p1 -b .CVE-2011-1938
+%patch203 -p1 -b .CVE-2011-1148
+%patch204 -p1 -b .CVE-2011-0708
+%patch205 -p1 -b .CVE-2011-1092
+
+# Bugfix backport from 5.3.6
+%patch301 -p1 -b .bug-54055
+%patch302 -p1 -b .bug-53577
+%patch303 -p1 -b .bug-48484
+%patch304 -p1 -b .bug-48607
+%patch305 -p1 -b .bug-53574
+%patch306 -p1 -b .bug-52290
+%patch307 -p1 -b .bug-52063
+%patch308 -p1 -b .bug-53924
+%patch309 -p1 -b .bug-53150
+%patch310 -p1 -b .bug-52209
+%patch311 -p1 -b .bug-47435
+%patch312 -p1 -b .bug-53377
+%patch313 -p1 -b .bug-39847
+%patch314 -p1 -b .bug-39199
+%patch315 -p1 -b .bug-53630
+%patch316 -p1 -b .bug-51336
+%patch317 -p1 -b .bug-53515
+%patch318 -p1 -b .bug-54092
+%patch319 -p1 -b .bug-53903
+%patch320 -p1 -b .bug-54089
+%patch321 -p1 -b .bug-53603
+%patch322 -p1 -b .bug-53854
+%patch323 -p1 -b .bug-53579
+%patch324 -p1 -b .bug-53568
+%patch325 -p1 -b .bug-49072
+# Bugfix backport from 5.3.7
+%patch330 -p1 -b .bug-55399
+%patch331 -p1 -b .bug-55082
+%patch332 -p1 -b .bug-55014
+#accert %patch333 -p1 -b .bug-54924
+%patch334 -p1 -b .bug-54180
+%patch335 -p1 -b .bug-54137
+%patch336 -p1 -b .bug-53848
+%patch337 -p1 -b .bug-52935
+%patch338 -p1 -b .bug-51997
+%patch339 -p1 -b .bug-50363
+%patch340 -p1 -b .bug-48465
+%patch341 -p1 -b .bug-54529
+%patch342 -p1 -b .bug-52496
+%patch343 -p1 -b .bug-54242
+%patch344 -p1 -b .bug-54121
+%patch345 -p1 -b .bug-53037
+%patch346 -p1 -b .bug-54269
+%patch347 -p1 -b .bug-54601
+%patch348 -p1 -b .bug-54440
+%patch349 -p1 -b .bug-54494
+%patch350 -p1 -b .bug-54221
+%patch351 -p1 -b .bug-52104
+%patch352 -p1 -b .bug-54329
+%patch353 -p1 -b .bug-53782
+%patch354 -p1 -b .bug-54318
+#soap %patch355 -p1 -b .bug-55323
+%patch356 -p1 -b .bug-54312
+%patch357 -p1 -b .bug-51958
+%patch358 -p1 -b .bug-54946
+
# conflict seems to be resolved by recode patches
rm -f ext/recode/config9.m4
@@ -3178,6 +3304,9 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.805.2.91 2011/10/10 19:36:37 glen
+- add bunch of bug and cve backports from 5.3 by centalt (php-5.2.17-7.el5.src.rpm)
+
Revision 1.805.2.90 2011/10/10 18:54:38 glen
- use system libzip 0.10, resolves CVE-2011-0421
================================================================
Index: packages/php/php-5.2.17-CVE-2011-0708.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-0708.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-0708.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,52 @@
+--- PHP_5_3/ext/exif/exif.c 2011/02/14 08:46:53 308315
++++ PHP_5_3/ext/exif/exif.c 2011/02/14 09:08:44 308316
+@@ -40,6 +40,10 @@
+ #include "php.h"
+ #include "ext/standard/file.h"
+
++#ifdef PHP_WIN32
++include "win32/php_stdint.h"
++#endif
++
+ #if HAVE_EXIF
+
+ /* When EXIF_DEBUG is defined the module generates a lot of debug messages
+@@ -2821,6 +2825,7 @@
+ int tag, format, components;
+ char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ size_t byte_count, offset_val, fpos, fgot;
++ int64_t byte_count_signed;
+ xp_field_type *tmp_xp;
+ #ifdef EXIF_DEBUG
+ char *dump_data;
+@@ -2845,13 +2850,20 @@
+ /*return TRUE;*/
+ }
+
+- byte_count = components * php_tiff_bytes_per_format[format];
++ if (components < 0) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
++ return FALSE;
++ }
++
++ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
+
+- if ((ssize_t)byte_count < 0) {
++ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ return FALSE;
+ }
+
++ byte_count = (size_t)byte_count_signed;
++
+ if (byte_count > 4) {
+ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+ /* If its bigger than 4 bytes, the dir entry contains an offset. */
+@@ -2916,6 +2928,7 @@
+ efree(dump_data);
+ }
+ #endif
++
+ if (section_index==SECTION_THUMBNAIL) {
+ if (!ImageInfo->Thumbnail.data) {
+ switch(tag) {
================================================================
Index: packages/php/php-5.2.17-CVE-2011-1092.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1092.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1092.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,11 @@
+--- PHP_5_3/ext/shmop/shmop.c 2011/01/01 02:19:59 306939
++++ PHP_5_3/ext/shmop/shmop.c 2011/03/08 13:11:14 309018
+@@ -256,7 +256,7 @@
+ RETURN_FALSE;
+ }
+
+- if (start + count > shmop->size || count < 0) {
++ if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
+ RETURN_FALSE;
+ }
================================================================
Index: packages/php/php-5.2.17-CVE-2011-1148.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1148.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1148.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,159 @@
+--- PHP_5_3/ext/standard/string.c 2011/04/13 03:32:19 310193
++++ PHP_5_3/ext/standard/string.c 2011/04/13 06:32:41 310194
+@@ -2352,20 +2352,35 @@
+
+ zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
+ while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
+- convert_to_string_ex(tmp_str);
++ zval *orig_str;
++ zval dummy;
++ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++ dummy = **tmp_str;
++ orig_str = &dummy;
++ zval_copy_ctor(orig_str);
++ convert_to_string(orig_str);
++ } else {
++ orig_str = *tmp_str;
++ }
+
+ if (Z_TYPE_PP(from) == IS_ARRAY) {
+ if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
+- convert_to_long_ex(tmp_from);
++ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
++ zval dummy = **tmp_from;
++ zval_copy_ctor(&dummy);
++ convert_to_long(&dummy);
++ f = Z_LVAL(dummy);
++ } else {
++ f = Z_LVAL_PP(tmp_from);
++ }
+
+- f = Z_LVAL_PP(tmp_from);
+ if (f < 0) {
+- f = Z_STRLEN_PP(tmp_str) + f;
++ f = Z_STRLEN_P(orig_str) + f;
+ if (f < 0) {
+ f = 0;
+ }
+- } else if (f > Z_STRLEN_PP(tmp_str)) {
+- f = Z_STRLEN_PP(tmp_str);
++ } else if (f > Z_STRLEN_P(orig_str)) {
++ f = Z_STRLEN_P(orig_str);
+ }
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
+ } else {
+@@ -2374,72 +2389,94 @@
+ } else {
+ f = Z_LVAL_PP(from);
+ if (f < 0) {
+- f = Z_STRLEN_PP(tmp_str) + f;
++ f = Z_STRLEN_P(orig_str) + f;
+ if (f < 0) {
+ f = 0;
+ }
+- } else if (f > Z_STRLEN_PP(tmp_str)) {
+- f = Z_STRLEN_PP(tmp_str);
++ } else if (f > Z_STRLEN_P(orig_str)) {
++ f = Z_STRLEN_P(orig_str);
+ }
+ }
+
+ if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
+ if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
+- convert_to_long_ex(tmp_len);
++ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
++ zval dummy = **tmp_len;
++ zval_copy_ctor(&dummy);
++ convert_to_long(&dummy);
++ l = Z_LVAL(dummy);
++ } else {
++ l = Z_LVAL_PP(tmp_len);
++ }
+
+ l = Z_LVAL_PP(tmp_len);
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
+ } else {
+- l = Z_STRLEN_PP(tmp_str);
++ l = Z_STRLEN_P(orig_str);
+ }
+ } else if (argc > 3) {
+ l = Z_LVAL_PP(len);
+ } else {
+- l = Z_STRLEN_PP(tmp_str);
++ l = Z_STRLEN_P(orig_str);
+ }
+
+ if (l < 0) {
+- l = (Z_STRLEN_PP(tmp_str) - f) + l;
++ l = (Z_STRLEN_P(orig_str) - f) + l;
+ if (l < 0) {
+ l = 0;
+ }
+ }
+
+- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
+- l = Z_STRLEN_PP(tmp_str) - f;
++ if ((f + l) > Z_STRLEN_P(orig_str)) {
++ l = Z_STRLEN_P(orig_str) - f;
+ }
+
+- result_len = Z_STRLEN_PP(tmp_str) - l;
++ result_len = Z_STRLEN_P(orig_str) - l;
+
+ if (Z_TYPE_PP(repl) == IS_ARRAY) {
+ if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
+- convert_to_string_ex(tmp_repl);
+- result_len += Z_STRLEN_PP(tmp_repl);
++ zval *repl_str;
++ zval zrepl;
++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++ zrepl = **tmp_repl;
++ repl_str = &zrepl;
++ zval_copy_ctor(repl_str);
++ convert_to_string(repl_str);
++ } else {
++ repl_str = *tmp_repl;
++ }
++
++ result_len += Z_STRLEN_P(repl_str);
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
+ result = emalloc(result_len + 1);
+
+- memcpy(result, Z_STRVAL_PP(tmp_str), f);
+- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
+- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++ memcpy(result, Z_STRVAL_P(orig_str), f);
++ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
++ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++ zval_dtor(repl_str);
++ }
+ } else {
+ result = emalloc(result_len + 1);
+
+- memcpy(result, Z_STRVAL_PP(tmp_str), f);
+- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++ memcpy(result, Z_STRVAL_P(orig_str), f);
++ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ }
+ } else {
+ result_len += Z_STRLEN_PP(repl);
+
+ result = emalloc(result_len + 1);
+
+- memcpy(result, Z_STRVAL_PP(tmp_str), f);
++ memcpy(result, Z_STRVAL_P(orig_str), f);
+ memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
+- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ }
+
+ result[result_len] = '\0';
+ add_next_index_stringl(return_value, result, result_len, 0);
+-
++ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++ zval_dtor(orig_str);
++ }
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
+ } /*while*/
+ } /* if */
================================================================
Index: packages/php/php-5.2.17-CVE-2011-1938.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1938.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1938.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,14 @@
+diff -up php-5.2.17/ext/sockets/sockets.c.CVE-2011-1938 php-5.2.17/ext/sockets/sockets.c
+--- php-5.2.17/ext/sockets/sockets.c.CVE-2011-1938 2011-08-19 08:40:08.000000000 +0700
++++ php-5.2.17/ext/sockets/sockets.c 2011-08-19 08:41:11.000000000 +0700
+@@ -1176,6 +1176,10 @@ PHP_FUNCTION(socket_connect)
+ break;
+
+ case AF_UNIX:
++ if (addr_len >= sizeof(s_un.sun_path)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
++ RETURN_FALSE;
++ }
+ memset(&s_un, 0, sizeof(struct sockaddr_un));
+
+ s_un.sun_family = AF_UNIX;
================================================================
Index: packages/php/php-5.2.17-CVE-2011-2202.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-2202.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-2202.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/main/rfc1867.c.orig php-5.2.17/main/rfc1867.c
+--- php-5.2.17/main/rfc1867.c.orig 2011-08-19 08:33:09.000000000 +0700
++++ php-5.2.17/main/rfc1867.c 2011-08-19 08:34:29.000000000 +0700
+@@ -1215,7 +1215,7 @@ filedone:
+ #endif
+
+ if (!is_anonymous) {
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
+ } else {
+ safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
+@@ -1228,7 +1228,7 @@ filedone:
+ } else {
+ snprintf(lbuf, llen, "%s[name]", param);
+ }
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
+ } else {
+ register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
================================================================
Index: packages/php/php-5.2.17-bug-39847.patch
diff -u /dev/null packages/php/php-5.2.17-bug-39847.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-39847.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/ext/mysqli/mysqli_api.c.bug-39847 php-5.2.17/ext/mysqli/mysqli_api.c
+--- php-5.2.17/ext/mysqli/mysqli_api.c.bug-39847 2010-04-21 19:52:24.000000000 +0700
++++ php-5.2.17/ext/mysqli/mysqli_api.c 2011-08-28 11:33:15.000000000 +0700
+@@ -795,6 +795,8 @@ PHP_FUNCTION(mysqli_fetch_field)
+ add_property_string(return_value, "orgname",(field->org_name ? field->org_name : ""), 1);
+ add_property_string(return_value, "table",(field->table ? field->table : ""), 1);
+ add_property_string(return_value, "orgtable",(field->org_table ? field->org_table : ""), 1);
++ add_property_string(return_value, "db",(field->db ? field->db : ""), 1);
++ add_property_string(return_value, "catalog",(field->catalog ? field->catalog : ""), 1);
+ add_property_string(return_value, "def",(field->def ? field->def : ""), 1);
+ add_property_long(return_value, "max_length", field->max_length);
+ add_property_long(return_value, "length", field->length);
+@@ -878,6 +880,8 @@ PHP_FUNCTION(mysqli_fetch_field_direct)
+ add_property_string(return_value, "orgname",(field->org_name ? field->org_name : ""), 1);
+ add_property_string(return_value, "table",(field->table ? field->table : ""), 1);
+ add_property_string(return_value, "orgtable",(field->org_table ? field->org_table : ""), 1);
++ add_property_string(return_value, "db",(field->db ? field->db : ""), 1);
++ add_property_string(return_value, "catalog",(field->catalog ? field->catalog : ""), 1);
+ add_property_string(return_value, "def",(field->def ? field->def : ""), 1);
+ add_property_long(return_value, "max_length", field->max_length);
+ add_property_long(return_value, "length", field->length);
================================================================
Index: packages/php/php-5.2.17-bug-48484.patch
diff -u /dev/null packages/php/php-5.2.17-bug-48484.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-48484.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,18 @@
+diff -up php-5.2.17/ext/standard/array.c.bug-48484 php-5.2.17/ext/standard/array.c
+--- php-5.2.17/ext/standard/array.c.bug-48484 2010-11-20 04:06:44.000000000 +0600
++++ php-5.2.17/ext/standard/array.c 2011-08-28 00:21:52.000000000 +0700
+@@ -4368,11 +4368,11 @@ PHP_FUNCTION(array_product)
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array");
+ return;
+ }
+-
++
++ ZVAL_LONG(return_value, 1);
+ if (!zend_hash_num_elements(Z_ARRVAL_PP(input))) {
+- RETURN_LONG(0);
++ return;
+ }
+- ZVAL_LONG(return_value, 1);
+
+ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+ zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&entry, &pos) == SUCCESS;
================================================================
Index: packages/php/php-5.2.17-bug-49072.patch
diff -u /dev/null packages/php/php-5.2.17-bug-49072.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-49072.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,28 @@
+diff -up php-5.2.17/ext/zip/zip_stream.c.bug-49072 php-5.2.17/ext/zip/zip_stream.c
+--- php-5.2.17/ext/zip/zip_stream.c.bug-49072 2011-08-28 14:06:52.000000000 +0700
++++ php-5.2.17/ext/zip/zip_stream.c 2011-08-28 14:09:41.000000000 +0700
+@@ -34,7 +34,7 @@ static size_t php_zip_ops_read(php_strea
+ STREAM_DATA_FROM_STREAM();
+
+ if (self->za && self->zf) {
+- n = (size_t)zip_fread(self->zf, buf, (int)count);
++ n = zip_fread(self->zf, buf, count);
+ if (n < 0) {
+ int ze, se;
+ zip_file_error_get(self->zf, &ze, &se);
+@@ -42,13 +42,13 @@ static size_t php_zip_ops_read(php_strea
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zip stream error: %s", zip_file_strerror(self->zf));
+ return 0;
+ }
+- if (n == 0 || n < count) {
++ if (n == 0 || n < (ssize_t)count) {
+ stream->eof = 1;
+ } else {
+ self->cursor += n;
+ }
+ }
+- return n<1 ? 0 : n;
++ return (n < 1 ? 0 : (size_t)n);
+ }
+ /* }}} */
+
================================================================
Index: packages/php/php-5.2.17-bug-52063.patch
diff -u /dev/null packages/php/php-5.2.17-bug-52063.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-52063.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/ext/date/php_date.c.bug-52063 php-5.2.17/ext/date/php_date.c
+--- php-5.2.17/ext/date/php_date.c.bug-52063 2011-08-28 09:44:11.000000000 +0700
++++ php-5.2.17/ext/date/php_date.c 2011-08-28 09:45:09.000000000 +0700
+@@ -1778,7 +1778,7 @@ PHP_FUNCTION(date_create)
+ char *time_str = NULL;
+ int time_str_len = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+@@ -1799,7 +1799,7 @@ PHP_METHOD(DateTime, __construct)
+ int time_str_len = 0;
+
+ php_set_error_handling(EH_THROW, NULL TSRMLS_CC);
+- if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO", &time_str, &time_str_len, &timezone_object, date_ce_timezone)) {
++ if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone)) {
+ date_initialize(zend_object_store_get_object(getThis() TSRMLS_CC), time_str, time_str_len, timezone_object, 1 TSRMLS_CC);
+ }
+ php_set_error_handling(EH_NORMAL, NULL TSRMLS_CC);
================================================================
Index: packages/php/php-5.2.17-bug-55082.patch
diff -u /dev/null packages/php/php-5.2.17-bug-55082.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-55082.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,35 @@
+diff -up php-5.2.17/ext/standard/var.c.bug-55082 php-5.2.17/ext/standard/var.c
+--- php-5.2.17/ext/standard/var.c.bug-55082 2010-09-14 03:14:18.000000000 +0700
++++ php-5.2.17/ext/standard/var.c 2011-08-28 15:18:52.000000000 +0700
+@@ -401,7 +401,7 @@ static int php_object_element_export(zva
+ {
+ int level;
+ smart_str *buf;
+- char *prop_name, *class_name;
++
+ TSRMLS_FETCH();
+
+ level = va_arg(args, int);
+@@ -409,11 +409,20 @@ static int php_object_element_export(zva
+
+ buffer_append_spaces(buf, level + 2);
+ if (hash_key->nKeyLength != 0) {
+- zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1, &class_name, &prop_name);
++ char *class_name, /* ignored, but must be passed to unmangle */
++ *pname,
++ *pname_esc;
++ int pname_esc_len;
++
++ zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1,
++ &class_name, &pname);
++ pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0,
++ "'\\", 2 TSRMLS_CC);
+
+ smart_str_appendc(buf, '\'');
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/php/php.spec?r1=1.805.2.90&r2=1.805.2.91&f=u
More information about the pld-cvs-commit
mailing list