From 20017b3ee78782deb1e9ff021d3254609fe1df24 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 23 2015 06:07:22 +0000 Subject: import php-5.4.16-36.el7_1 --- diff --git a/SOURCES/php-5.4.16-CVE-2014-8142.patch b/SOURCES/php-5.4.16-CVE-2014-8142.patch new file mode 100644 index 0000000..5d46502 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-8142.patch 
@@ -0,0 +1,74 @@ +From 630f9c33c23639de85c3fd306b209b538b73b4c9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 11 Dec 2014 19:28:32 -0800 +Subject: [PATCH] Fix bug #68594 - Use after free vulnerability in + unserialize() + +--- + NEWS | 2 + + ext/standard/tests/serialize/bug68594.phpt | 23 ++++++++++ + ext/standard/var_unserializer.c | 68 ++++++++++++++++-------------- + ext/standard/var_unserializer.re | 3 ++ + 4 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug68594.phpt + +diff --git a/ext/standard/tests/serialize/bug68594.phpt b/ext/standard/tests/serialize/bug68594.phpt +new file mode 100644 +index 0000000..60fc7a7 +--- /dev/null ++++ b/ext/standard/tests/serialize/bug68594.phpt +@@ -0,0 +1,23 @@ ++--TEST-- ++Bug #68545 Use after free vulnerability in unserialize() ++--FILE-- ++aaa = array(1,2,&$u,4,5); ++ $m->bbb = 1; ++ $m->ccc = &$u; ++ $m->ddd = str_repeat("A", $i); ++ ++ $z = serialize($m); ++ $z = str_replace("bbb", "aaa", $z); ++ $y = unserialize($z); ++ $z = serialize($y); ++} ++?> ++===DONE=== ++--EXPECTF-- ++===DONE=== +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index f6f31bd..a12d2fa 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -309,6 +309,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + } else { + /* object properties should include no integers */ + convert_to_string(key); ++ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ var_push_dtor(var_hash, old_data); ++ } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 7afef6a..4cf1d10 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -315,6 +315,9 @@ static inline int 
process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + } else { + /* object properties should include no integers */ + convert_to_string(key); ++ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ var_push_dtor(var_hash, old_data); ++ } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2014-9652.patch b/SOURCES/php-5.4.16-CVE-2014-9652.patch new file mode 100644 index 0000000..3fc8d66 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-9652.patch 
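Review bot: The lookup added to process_nested_data uses `zend_symtable_find` while the write two lines below uses `zend_hash_update`; as far as I know the symtable variant folds numeric-string keys onto integer keys, so the entry pushed onto the dtor list can differ from the one actually overwritten, and this patch on its own does not close the bug. The CVE-2015-0231 patch later in this commit (its index line chains from a12d2fa, the blob this hunk produces) switches the lookup to `zend_hash_find`, so the two patches must stay in that order; the spec's patch ordering is outside this view. A one-line comment on the added block would record the invariant: `/* lookup must use the same key semantics as the zend_hash_update below */`. process_nested_data begins and ends outside the hunk.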
@@ -0,0 +1,41 @@ +Upstream test patch dropped (binary patch not supported) + + +From ede59c8feb4b80e1b94e4abdaa0711051e2912ab Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Sun, 4 Jan 2015 14:20:21 +0100 +Subject: [PATCH] Fixed bug #68735 fileinfo out-of-bounds memory access + +--- + NEWS | 7 +++++++ + ext/fileinfo/libmagic/softmagic.c | 7 +++++-- + ext/fileinfo/tests/bug68735.jpg | Bin 0 -> 24 bytes + ext/fileinfo/tests/bug68735.phpt | 16 ++++++++++++++++ + 4 files changed, 28 insertions(+), 2 deletions(-) + create mode 100644 ext/fileinfo/tests/bug68735.jpg + create mode 100644 ext/fileinfo/tests/bug68735.phpt + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 7e0c856..e7b7855 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip) + size_t sz = file_pstring_length_size(m); + char *ptr1 = p->s, *ptr2 = ptr1 + sz; + size_t len = file_pstring_get_length(m, ptr1); +- if (len >= sizeof(p->s)) { ++ sz = sizeof(p->s) - sz; /* maximum length of string */ ++ if (len >= sz) { + /* + * The size of the pascal string length (sz) + * is 1, 2, or 4. We need at least 1 byte for NUL + * termination, but we've already truncated the + * string by p->s, so we need to deduct sz. ++ * Because we can use one of the bytes of the length ++ * after we shifted as NUL termination. + */ +- len = sizeof(p->s) - sz; ++ len = sz; + } + while (len--) + *ptr1++ = *ptr2++; diff --git a/SOURCES/php-5.4.16-CVE-2014-9705.patch b/SOURCES/php-5.4.16-CVE-2014-9705.patch new file mode 100644 index 0000000..5ce115d --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-9705.patch 
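Review bot: In the mconvert hunk `sz` is reassigned from the pascal length-prefix width to the maximum payload length, but the comment block directly below still describes `sz` as the 1/2/4-byte length size that has to be deducted, so the comment now contradicts the code it annotates. A second variable keeps both meanings readable: `size_t max_len = sizeof(p->s) - sz; /* room left for the payload */` / `if (len >= max_len) {` / `len = max_len;`. The preamble says the upstream binary test was dropped, so this backport ships without its regression test; the same holds for the CVE-2015-0232, CVE-2015-2783, CVE-2015-3329 and CVE-2015-4021 patches below, whose preambles say the same. mconvert itself starts and ends outside the hunk.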
@@ -0,0 +1,49 @@ +From bdfe457a2c1b47209e32783b3a6447e81baf179a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 16 Feb 2015 06:50:10 +0100 +Subject: [PATCH] Port for for bug #68552 + +--- + NEWS | 6 ++++++ + ext/enchant/enchant.c | 7 +++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/ext/enchant/enchant.c b/ext/enchant/enchant.c +index 6de2fea..0eb8144 100644 +--- a/ext/enchant/enchant.c ++++ b/ext/enchant/enchant.c +@@ -550,13 +550,12 @@ PHP_FUNCTION(enchant_broker_request_dict) + + d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag); + if (d) { ++ pos = pbroker->dictcnt++; + if (pbroker->dictcnt) { + pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); +- pos = pbroker->dictcnt++; + } else { + pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); + pos = 0; +- pbroker->dictcnt++; + } + + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); +@@ -607,14 +606,14 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict) + + d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl); + if (d) { ++ pos = pbroker->dictcnt++; + if (pbroker->dictcnt) { +- pos = pbroker->dictcnt++; + pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); + } else { + pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); + pos = 0; +- pbroker->dictcnt++; + } ++ + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); + dict->id = pos; + dict->pbroker = pbroker; +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2014-9709.patch b/SOURCES/php-5.4.16-CVE-2014-9709.patch new file mode 100644 index 0000000..b70387e --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-9709.patch 
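Review bot: In PHP_FUNCTION(enchant_broker_request_dict), once `pos = pbroker->dictcnt++;` runs before the test, `if (pbroker->dictcnt)` is always true (short of the counter wrapping), so the `emalloc` branch and its `pos = 0` are unreachable; the enchant_broker_request_pwl_dict hunk has the same shape. If erealloc of a NULL `dict` is acceptable here the else branch can simply be dropped, otherwise test the pre-increment value so the branch stays meaningful: `if (pos) {`. Both function bodies start and end outside the hunk.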
@@ -0,0 +1,81 @@ +From afbf725e7380dfb3ff43a993e43abd9759a66c2b Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Sat, 13 Dec 2014 09:03:44 +0100 +Subject: [PATCH] Fix bug #68601 buffer read overflow in gd_gif_in.c + +--- + NEWS | 3 +++ + ext/gd/libgd/gd_gif_in.c | 11 +++++++++-- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c +index ee88a2f..491e942 100644 +--- a/ext/gd/libgd/gd_gif_in.c ++++ b/ext/gd/libgd/gd_gif_in.c +@@ -72,8 +72,10 @@ static struct { + + #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) + ++#define CSD_BUF_SIZE 280 ++ + typedef struct { +- unsigned char buf[280]; ++ unsigned char buf[CSD_BUF_SIZE]; + int curbit, lastbit, done, last_byte; + } CODE_STATIC_DATA; + +@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD + + ret = 0; + for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) +- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j; ++ if (i < CSD_BUF_SIZE * 8) { ++ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; ++ } else { ++ ret = -1; ++ break; ++ } + + scd->curbit += code_size; + return ret; +-- +2.1.4 + +From bd31cb756399101234258c5491443531099957c3 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 17 Dec 2014 10:59:36 +0100 +Subject: [PATCH] Better fix for #68601 for perf + https://bitbucket.org/libgd/gd-libgd/commits/81e9a993f2893d651d225646378e3fd1b7465467 + +--- + ext/gd/libgd/gd_gif_in.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c +index 491e942..f41ec84 100644 +--- a/ext/gd/libgd/gd_gif_in.c ++++ b/ext/gd/libgd/gd_gif_in.c +@@ -400,14 +400,14 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD + scd->lastbit = (2+count)*8 ; + } + +- ret = 0; +- for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) +- if (i < CSD_BUF_SIZE * 8) { ++ if ((scd->curbit + code_size - 1) >= 
(CSD_BUF_SIZE * 8)) { ++ ret = -1; ++ } else { ++ ret = 0; ++ for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; +- } else { +- ret = -1; +- break; + } ++ } + + scd->curbit += code_size; + return ret; +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-0231.patch b/SOURCES/php-5.4.16-CVE-2015-0231.patch new file mode 100644 index 0000000..d7863fc --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-0231.patch 
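Review bot: In the second GetCode_ hunk the new bounds check returns `-1`, but `scd->curbit += code_size;` still executes on that path, so curbit is advanced past the buffer even though nothing was read; this is harmless only if every caller treats -1 as terminal, and the callers are outside the hunk. The sentinel deserves a comment at the assignment, e.g. `/* not enough buffered bits for a whole code; caller must treat -1 as a decode failure */`. The first patch in this file is fully superseded by the second, which rewrites the same loop, so only the second form needs review. GetCode_ starts and ends outside the hunk.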
@@ -0,0 +1,74 @@ +From b585a3aed7880a5fa5c18e2b838fc96f40e075bd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 1 Jan 2015 16:19:05 -0800 +Subject: [PATCH] Fix for bug #68710 (Use After Free Vulnerability in PHP's + unserialize()) + +--- + NEWS | 4 ++++ + ext/standard/tests/strings/bug68710.phpt | 25 +++++++++++++++++++++++++ + ext/standard/var_unserializer.c | 4 ++-- + ext/standard/var_unserializer.re | 2 +- + 4 files changed, 32 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/strings/bug68710.phpt + +diff --git a/ext/standard/tests/strings/bug68710.phpt b/ext/standard/tests/strings/bug68710.phpt +new file mode 100644 +index 0000000..729a120 +--- /dev/null ++++ b/ext/standard/tests/strings/bug68710.phpt +@@ -0,0 +1,25 @@ ++--TEST-- ++Bug #68710 Use after free vulnerability in unserialize() (bypassing the ++CVE-2014-8142 fix) ++--FILE-- ++aaa = array(1,2,&$u,4,5); ++ $m->bbb = 1; ++ $m->ccc = &$u; ++ $m->ddd = str_repeat("A", $i); ++ ++ $z = serialize($m); ++ $z = str_replace("aaa", "123", $z); ++ $z = str_replace("bbb", "123", $z); ++ $y = unserialize($z); ++ $z = serialize($y); ++} ++?> ++===DONE=== ++--EXPECTF-- ++===DONE=== +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index a12d2fa..f114080 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -309,7 +309,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + } else { + /* object properties should include no integers */ + convert_to_string(key); +- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 4cf1d10..f04fc74 100644 +--- 
a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -315,7 +315,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + } else { + /* object properties should include no integers */ + convert_to_string(key); +- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-0232.patch b/SOURCES/php-5.4.16-CVE-2015-0232.patch new file mode 100644 index 0000000..5ce3507 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-0232.patch @@ -0,0 +1,32 @@ +Adapted for 5.4.16 +Upstream test dropped as binary patch not supported + +From 2fc178cf448d8e1b95d1314e47eeef610729e0df Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 11 Jan 2015 00:51:05 -0800 +Subject: [PATCH] Fix bug #68799: Free called on unitialized pointer + +--- + ext/exif/exif.c | 2 +- + ext/exif/tests/bug68799.jpg | Bin 0 -> 735 bytes + ext/exif/tests/bug68799.phpt | 63 +++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 64 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug68799.jpg + create mode 100644 ext/exif/tests/bug68799.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 637ebf9..7f95ff4 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2700,7 +2700,7 @@ + static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) + { + xp_field->tag = tag; +- ++ xp_field->value = NULL; + /* Copy the comment */ + if (zend_multibyte_encoding_converter( + (unsigned char**)&xp_field->value, +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-0273.patch b/SOURCES/php-5.4.16-CVE-2015-0273.patch new file mode 100644 index 0000000..498569e 
--- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-0273.patch 
@@ -0,0 +1,60 @@ +From 7b1898183032eeabc64a086ff040af991cebcd93 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 31 Jan 2015 22:40:08 -0800 +Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize() + with DateTimeZone) + +Conflicts: + ext/date/php_date.c +--- + ext/date/php_date.c | 10 +++------- + ext/date/tests/bug68942_2.phpt | 9 +++++++++ + 2 files changed, 12 insertions(+), 7 deletions(-) + create mode 100644 ext/date/tests/bug68942_2.phpt + +diff --git a/ext/date/php_date.c b/ext/date/php_date.c +index 92e9480..08bfd08 100644 +--- a/ext/date/php_date.c ++++ b/ext/date/php_date.c +@@ -2521,12 +2521,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht + timelib_tzinfo *tzi; + php_timezone_obj *tzobj; + +- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { +- convert_to_string(*z_date); +- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { +- convert_to_long(*z_timezone_type); +- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { +- convert_to_string(*z_timezone); ++ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { ++ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { ++ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { + + switch (Z_LVAL_PP(z_timezone_type)) { + case TIMELIB_ZONETYPE_OFFSET: +@@ -2541,7 +2538,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht + + case TIMELIB_ZONETYPE_ID: { + int ret; +- convert_to_string(*z_timezone); + + tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); + +diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt +new file mode 100644 +index 0000000..5b02567 +--- /dev/null ++++ 
b/ext/date/tests/bug68942_2.phpt +@@ -0,0 +1,9 @@ ++--TEST-- ++Bug #68942 (Use after free vulnerability in unserialize() with DateTime). ++--FILE-- ++ ++--EXPECTF-- ++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-2301.patch b/SOURCES/php-5.4.16-CVE-2015-2301.patch new file mode 100644 index 0000000..c065647 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-2301.patch @@ -0,0 +1,27 @@ +From b2cf3f064b8f5efef89bb084521b61318c71781b Mon Sep 17 00:00:00 2001 +From: Xinchen Hui +Date: Thu, 29 Jan 2015 00:00:09 +0800 +Subject: [PATCH] Fixed bug #68901 (use after free) + +--- + NEWS | 3 +++ + ext/phar/phar_object.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index 3671054..712795b 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -2210,8 +2210,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c + } + its_ok: + if (SUCCESS == php_stream_stat_path(newpath, &ssb)) { +- efree(oldpath); + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath); ++ efree(oldpath); + return NULL; + } + if (!phar->is_data) { +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-2348.patch b/SOURCES/php-5.4.16-CVE-2015-2348.patch new file mode 100644 index 0000000..c2cedea --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-2348.patch 
@@ -0,0 +1,26 @@ +From 1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 17 Mar 2015 12:47:58 -0700 +Subject: [PATCH] Fix bug #69207 - move_uploaded_file allows nulls in path + +--- + NEWS | 3 +++ + ext/standard/basic_functions.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c +index 9a9df30..c3e2230 100644 +--- a/ext/standard/basic_functions.c ++++ b/ext/standard/basic_functions.c +@@ -5771,7 +5771,7 @@ PHP_FUNCTION(move_uploaded_file) + RETURN_FALSE; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &new_path, &new_path_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sp", &path, &path_len, &new_path, &new_path_len) == FAILURE) { + return; + } + +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-2783.patch b/SOURCES/php-5.4.16-CVE-2015-2783.patch new file mode 100644 index 0000000..d8b978d --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-2783.patch 
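Review bot: In PHP_FUNCTION(move_uploaded_file) only the destination argument switches from `s` to `p`; the source `path` still accepts embedded NUL bytes. Presumably that is deliberate because the source is matched against the registered uploaded-files table before use (outside the hunk), but the asymmetry reads like an oversight to the next maintainer. A comment on the changed line would settle it: `/* "p" rejects NUL in the destination; the source is checked against the uploaded-files list */`. The function begins and ends outside the hunk.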
@@ -0,0 +1,257 @@ +Test case removed as binary patches are not supported + +From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 15:07:36 -0700 +Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when + parsing Phar) + +--- + ext/phar/phar.c | 65 ++++++++++++++++++++----------------------- + ext/phar/phar_internal.h | 2 +- + ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes + ext/phar/tests/bug69324.phpt | 17 +++++++++++ + 4 files changed, 48 insertions(+), 36 deletions(-) + create mode 100644 ext/phar/tests/bug69324.phar + create mode 100644 ext/phar/tests/bug69324.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index ec82351..bf0c985 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len + * + * data is the serialized zval + */ +-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ + { + const unsigned char *p; +- php_uint32 buf_len; + php_unserialize_data_t var_hash; + +- if (!zip_metadata_len) { +- PHAR_GET_32(*buffer, buf_len); +- } else { +- buf_len = zip_metadata_len; +- } +- +- if (buf_len) { ++ if (zip_metadata_len) { + ALLOC_ZVAL(*metadata); + INIT_ZVAL(**metadata); + p = (const unsigned char*) *buffer; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + +- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_ptr_dtor(metadata); + *metadata = NULL; +@@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR + if (PHAR_G(persist)) { + /* lazy init metadata */ + zval_ptr_dtor(metadata); +- *metadata = (zval *) pemalloc(buf_len, 1); 
+- memcpy(*metadata, *buffer, buf_len); +- *buffer += buf_len; ++ *metadata = (zval *) pemalloc(zip_metadata_len, 1); ++ memcpy(*metadata, *buffer, zip_metadata_len); + return SUCCESS; + } + } else { + *metadata = NULL; + } + +- if (!zip_metadata_len) { +- *buffer += buf_len; +- } +- + return SUCCESS; + } + /* }}}*/ +@@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + phar_entry_info entry; + php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; + php_uint16 manifest_ver; ++ php_uint32 len; + long offset; + int sig_len, register_alias = 0, temp_alias = 0; + char *signature = NULL; +@@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + mydata->is_persistent = PHAR_G(persist); + + /* check whether we have meta data, zero check works regardless of byte order */ ++ PHAR_GET_32(buffer, len); + if (mydata->is_persistent) { +- PHAR_GET_32(buffer, mydata->metadata_len); +- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); +- } +- } else { +- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ mydata->metadata_len = len; ++ if(!len) { ++ /* FIXME: not sure why this is needed but removing it breaks tests */ ++ PHAR_GET_32(buffer, len); + } + } ++ if(len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); ++ } ++ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { ++ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ } ++ buffer += len; + + /* set up our manifest */ + zend_hash_init(&mydata->manifest, manifest_count, +@@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char 
+ entry.manifest_pos = manifest_index; + } + +- if (buffer + entry.filename_len + 20 > endbuffer) { ++ if (entry.filename_len + 20 > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + +@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.flags |= PHAR_ENT_PERM_DEF_DIR; + } + ++ PHAR_GET_32(buffer, len); + if (entry.is_persistent) { +- PHAR_GET_32(buffer, entry.metadata_len); +- if (!entry.metadata_len) buffer -= 4; +- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = len; + } else { +- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = 0; ++ } ++ if (len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); ++ } ++ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { ++ pefree(entry.filename, entry.is_persistent); ++ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); + } ++ buffer += len; + + entry.offset = entry.offset_abs = offset; + offset += entry.compressed_filesize; +diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h +index c9306c1..fcfc864 100644 +--- a/ext/phar/phar_internal.h ++++ b/ext/phar/phar_internal.h +@@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len, + char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); + char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); + phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error 
TSRMLS_DC); +-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC); ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); + void destroy_phar_manifest_entry(void *pDest); + int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); + php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); +-- +2.1.4 + +From 12d3bdee3dfa6605024a72080d8a17c165c5ed24 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 11 Apr 2015 16:42:16 -0700 +Subject: [PATCH] Additional fix for bug #69324 + +Not so happy about duplication but needed due to bug #69429 +--- + ext/phar/phar.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index bf0c985..c5c8b46 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -600,27 +600,28 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len + * + * Meta-data is in this format: + * [len32][data...] 
+- * ++ * + * data is the serialized zval + */ + int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ + { +- const unsigned char *p; + php_unserialize_data_t var_hash; + + if (zip_metadata_len) { ++ const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len); ++ p = p_buff; + ALLOC_ZVAL(*metadata); + INIT_ZVAL(**metadata); +- p = (const unsigned char*) *buffer; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + + if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { ++ efree(p_buff); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_ptr_dtor(metadata); + *metadata = NULL; + return FAILURE; + } +- ++ efree(p_buff); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + + if (PHAR_G(persist)) { +@@ -643,7 +644,7 @@ int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_ + * + * Parse a new one and add it to the cache, returning either SUCCESS or + * FAILURE, and setting pphar to the pointer to the manifest entry +- * ++ * + * This is used by phar_open_from_filename to process the manifest, but can be called + * directly. 
+ */ +@@ -2236,7 +2237,7 @@ last_time: + + /** + * Process a phar stream name, ensuring we can handle any of: +- * ++ * + * - whatever.phar + * - whatever.phar.gz + * - whatever.phar.bz2 +-- +2.1.4 + +From cee97220285fd7b955a58617b3e0300ec104ed87 Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Tue, 14 Apr 2015 15:47:26 +0300 +Subject: [PATCH] Fixed recently introduced memory leak + +--- + ext/phar/phar.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index c5c8b46..223bfe8 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1113,6 +1113,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.metadata_len = 0; + } + if (len > endbuffer - buffer) { ++ pefree(entry.filename, entry.is_persistent); + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-2787.patch b/SOURCES/php-5.4.16-CVE-2015-2787.patch new file mode 100644 index 0000000..7beadb6 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-2787.patch 
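Review bot: In phar_parse_pharfile the persistent branch now re-reads a second length word when the first is zero, under a FIXME saying nobody knows why; a security fix that decides which bytes of an untrusted manifest are consumed should not carry an unexplained invariant, and the removed code shows the reason — the old phar_parse_metadata read its own length word whenever `zip_metadata_len` was 0, so this preserves that consumption. Replace the FIXME with that explanation, e.g. `/* keep the old persistent-path framing: a zero length was followed by the real length word */`. The header comment on phar_parse_metadata still says it reads `[len32][data...]`, but after this change the caller reads the length, passes it as `zip_metadata_len` and advances `buffer += len` itself; the comment should state that `*buffer` must point at the data and is not advanced. Both functions extend beyond their hunks.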
@@ -0,0 +1,95 @@ +From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 17 Mar 2015 13:20:22 -0700 +Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in + unserialize() + +--- + NEWS | 3 +- + ext/standard/var_unserializer.c | 63 ++++++++++++++++++++-------------------- + ext/standard/var_unserializer.re | 1 + + 3 files changed, 35 insertions(+), 32 deletions(-) + +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index f114080..ee0cac4 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -315,6 +315,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } ++ var_push_dtor(var_hash, &data); + + zval_dtor(key); + FREE_ZVAL(key); +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index f04fc74..abac77c 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -321,6 +321,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } ++ var_push_dtor(var_hash, &data); + + zval_dtor(key); + FREE_ZVAL(key); +-- +2.1.4 + +From 8b14d3052ffcffa17d6e2be652f20e18f8f562ad Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 17 Mar 2015 17:03:46 -0700 +Subject: [PATCH] add test for bug #68976 + +--- + ext/standard/tests/serialize/bug68976.phpt | 37 ++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + create mode 100644 ext/standard/tests/serialize/bug68976.phpt + +diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt +new file mode 100644 +index 0000000..a79a953 +--- /dev/null ++++ b/ext/standard/tests/serialize/bug68976.phpt +@@ -0,0 +1,37 @@ ++--TEST-- ++Bug #68976 Use 
After Free Vulnerability in unserialize() ++--FILE-- ++name); ++ } ++} ++ ++$fakezval = pack( ++ 'IIII', ++ 0x00100000, ++ 0x00000400, ++ 0x00000000, ++ 0x00000006 ++); ++ ++$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}'); ++ ++for($i = 0; $i < 5; $i++) { ++ $v[$i] = $fakezval.$i; ++} ++ ++var_dump($data); ++?> ++===DONE=== ++--EXPECTF-- ++array(2) { ++ [0]=> ++ object(evilClass)#1 (0) { ++ } ++ [1]=> ++ int(1) ++} ++===DONE=== +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-3329.patch b/SOURCES/php-5.4.16-CVE-2015-3329.patch new file mode 100644 index 0000000..0f19112 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-3329.patch 
@@ -0,0 +1,41 @@ +Test case removed as binary patches are not supported + + +From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 14 Apr 2015 00:03:50 -0700 +Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in + phar_set_inode) + +--- + ext/phar/phar_internal.h | 9 ++++++--- + ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes + ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++ + 3 files changed, 27 insertions(+), 3 deletions(-) + create mode 100644 ext/phar/tests/bug69441.phar + create mode 100644 ext/phar/tests/bug69441.phpt + +diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h +index fcfc864..84282d2 100644 +--- a/ext/phar/phar_internal.h ++++ b/ext/phar/phar_internal.h +@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */ + { + char tmp[MAXPATHLEN]; + int tmp_len; ++ size_t len; + +- tmp_len = entry->filename_len + entry->phar->fname_len; +- memcpy(tmp, entry->phar->fname, entry->phar->fname_len); +- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len); ++ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len); ++ len = MIN(entry->phar->fname_len, tmp_len); ++ memcpy(tmp, entry->phar->fname, len); ++ len = MIN(tmp_len - len, entry->filename_len); ++ memcpy(tmp + entry->phar->fname_len, entry->filename, len); + entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len); + } + /* }}} */ +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-3330.patch b/SOURCES/php-5.4.16-CVE-2015-3330.patch new file mode 100644 index 0000000..4e5b963 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-3330.patch 
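Review bot: In phar_set_inode the second memcpy still targets `tmp + entry->phar->fname_len`, while the number of bytes actually placed in tmp is the clamped `len`; the two coincide only because of the MIN on the previous line, and when fname_len exceeds MAXPATHLEN the destination pointer is formed past the end of `tmp` (with a zero count, so no write, but still an out-of-bounds pointer). Using the clamped offset makes the bound explicit and stops reusing `len` for two meanings: `size_t rest = MIN(tmp_len - len, entry->filename_len);` / `memcpy(tmp + len, entry->filename, rest);`. `tmp_len` is an `int` compared through MIN against size_t operands, so the comparisons mix signedness; a `size_t` for tmp_len would remove that if zend_get_hash_value's length parameter allows it. The function body is shown in full in the hunk.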
@@ -0,0 +1,25 @@ +From 809610f5ea38a83b284e1125d1fff129bdd615e7 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 4 Apr 2015 15:03:46 -0700 +Subject: [PATCH] Fix bug #68486 and bug #69218 (segfault in apache2handler + with apache 2.4) + +--- + sapi/apache2handler/sapi_apache2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c +index e97f11c..cfebc5f 100644 +--- a/sapi/apache2handler/sapi_apache2.c ++++ b/sapi/apache2handler/sapi_apache2.c +@@ -688,6 +688,7 @@ zend_first_try { + } zend_end_try(); + } + apr_brigade_cleanup(brigade); ++ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); + } else { + ctx->r = parent_req; + } +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-4021.patch b/SOURCES/php-5.4.16-CVE-2015-4021.patch new file mode 100644 index 0000000..4c4b680 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-4021.patch @@ -0,0 +1,30 @@ +Test case removed as binary patches are not supported + + +From c27f012b7a447e59d4a704688971cbfa7dddaa74 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 29 Apr 2015 22:04:20 -0700 +Subject: [PATCH] Fix bug #69453 - don't try to cut empty string + +--- + ext/phar/tar.c | 2 +- + ext/phar/tests/bug69453.phpt | 21 +++++++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug69453.phpt + +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index ca8eafc..d6d63e6 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -425,7 +425,7 @@ bail: + entry.filename_len = i; + entry.filename = pestrndup(hdr->name, i, myphar->is_persistent); + +- if (entry.filename[entry.filename_len - 1] == '/') { ++ if (i > 0 && entry.filename[entry.filename_len - 1] == '/') { + /* some tar programs store directories with trailing slash */ + entry.filename[entry.filename_len - 1] = '\0'; + entry.filename_len--; +-- +2.1.4 + 
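Review bot: The added `apr_pool_cleanup_run` call has no comment explaining why the server-context cleanup must run at this point rather than when the pool is destroyed, and the enclosing function starts and ends outside the hunk. A one-line comment tied to the bugs in the subject would help: `/* bug #68486/#69218: run the server_context cleanup now, not at pool destruction (segfault with apache 2.4) */`. The `(void *)` cast on `&SG(server_context)` is presumably redundant if `apr_pool_cleanup_run` takes its data argument as `void *`; dropping it would let the compiler check the pointer type.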
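Review bot: The new guard tests `i > 0` while the index on the same line is `entry.filename_len - 1`; since `entry.filename_len = i` is assigned two lines above, writing `if (entry.filename_len > 0 && entry.filename[entry.filename_len - 1] == '/') {` keeps the guard and the index on the same variable and survives a later change to how `i` is derived. With `i == 0` the entry is now kept with an empty filename instead of crashing; if an empty name is never valid in a tar header it may be better to treat it as a corrupt archive, but the code that decides that is outside the hunk.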
diff --git a/SOURCES/php-5.4.16-CVE-2015-4022.patch b/SOURCES/php-5.4.16-CVE-2015-4022.patch new file mode 100644 index 0000000..81df556 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-4022.patch 
@@ -0,0 +1,129 @@ +Adapted for 5.4.16 from + + +From 1494298231072d5991e76db5ef25f20e81018106 Mon Sep 17 00:00:00 2001 +From: Rasmus Lerdorf +Date: Sun, 20 Oct 2013 08:55:48 -0700 +Subject: [PATCH] Minor Coverity tweaks + +--- + ext/ftp/ftp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c +index 58d3c2e..4da8d60 100644 +--- a/ext/ftp/ftp.c ++++ b/ext/ftp/ftp.c +@@ -1635,7 +1635,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + if (ftp->resp == 226) { + ftp->data = data_close(ftp, data); + php_stream_close(tmpstream); +- return ecalloc(1, sizeof(char**)); ++ return ecalloc(1, sizeof(char*)); + } + + /* pull data buffer into tmpfile */ +@@ -1663,11 +1663,11 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + } + } + +- ftp->data = data = data_close(ftp, data); ++ ftp->data = data_close(ftp, data); + + php_stream_rewind(tmpstream); + +- ret = safe_emalloc((lines + 1), sizeof(char**), size * sizeof(char*)); ++ ret = safe_emalloc((lines + 1), sizeof(char*), size * sizeof(char*)); + + entry = ret; + text = (char*) (ret + lines + 1); +-- +2.1.4 + +From 8f4a6d6e1b6c36259a5dc865d16f0dad76f2f2c9 Mon Sep 17 00:00:00 2001 +From: Rasmus Lerdorf +Date: Sun, 20 Oct 2013 09:36:50 -0700 +Subject: [PATCH] Clean up this weird safe_emalloc() call + +--- + ext/ftp/ftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c +index 4da8d60..b82017e 100644 +--- a/ext/ftp/ftp.c ++++ b/ext/ftp/ftp.c +@@ -1667,7 +1667,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + + php_stream_rewind(tmpstream); + +- ret = safe_emalloc((lines + 1), sizeof(char*), size * sizeof(char*)); ++ ret = safe_emalloc((lines + 1), sizeof(char*), size); + + entry = ret; + text = (char*) (ret + lines + 1); +-- +2.1.4 + +From ac2832935435556dc593784cd0087b5e576bbe4d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 29 
Apr 2015 21:57:33 -0700 +Subject: [PATCH] Fix bug #69545 - avoid overflow when reading list + +--- + ext/ftp/ftp.c | 82 +++++++++++++++++++++++++++++------------------------------ + 1 file changed, 41 insertions(+), 41 deletions(-) + +diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c +index 3ff54ff..53560eb 100644 +--- a/ext/ftp/ftp.c ++++ b/ext/ftp/ftp.c +@@ -1603,8 +1603,8 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + databuf_t *data = NULL; + char *ptr; + int ch, lastch; +- int size, rcvd; +- int lines; ++ size_t size, rcvd; ++ size_t lines; + char **ret = NULL; + char **entry; + char *text; +@@ -1646,7 +1646,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + lines = 0; + lastch = 0; + while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) { +- if (rcvd == -1) { ++ if (rcvd == -1 || rcvd > ((size_t)(-1))-size) { + goto bail; + } + +-- +2.1.4 + +From 0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 May 2015 17:23:06 -0700 +Subject: [PATCH] improve fix for Bug #69545 + +--- + NEWS | 4 ++++ + ext/ftp/ftp.c | 2 -- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c +index 53560eb..50d8def 100644 +--- a/ext/ftp/ftp.c ++++ b/ext/ftp/ftp.c +@@ -1656,8 +1656,6 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + for (ptr = data->buf; rcvd; rcvd--, ptr++) { + if (*ptr == '\n' && lastch == '\r') { + lines++; +- } else { +- size++; + } + lastch = *ptr; + } +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-4024.patch b/SOURCES/php-5.4.16-CVE-2015-4024.patch new file mode 100644 index 0000000..eaff551 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-4024.patch 
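Review bot: With `rcvd` changed to `size_t`, `rcvd == -1` only works because the `int` constant is implicitly converted to `SIZE_MAX`; writing `rcvd == (size_t)-1` makes the sentinel explicit, and the overflow check `rcvd > ((size_t)(-1))-size` could then reuse the same spelled-out constant. The final patch in the series drops `size++` from the per-byte loop, so `size` must now be accumulated elsewhere in `ftp_genlist` (presumably from `rcvd`); that code is outside the visible hunks, so it is worth confirming that `safe_emalloc((lines + 1), sizeof(char*), size)` still receives the full byte count. The last patch's diffstat lists a `NEWS` change that the backport does not include. `ftp_genlist` starts and ends outside the hunks.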
@@ -0,0 +1,111 @@ +From 4605d536d23b00813d11cc906bb48d39bdcf5f25 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 9 May 2015 23:04:25 -0700 +Subject: [PATCH] Fixed bug #69364 - use smart_str to assemble strings + +--- + main/rfc1867.c | 51 +++++++++++++++++++++++++++------------------------ + 1 file changed, 27 insertions(+), 24 deletions(-) + +diff --git a/main/rfc1867.c b/main/rfc1867.c +index fab199b..9e2fbd5 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -33,6 +33,7 @@ + #include "php_variables.h" + #include "rfc1867.h" + #include "ext/standard/php_string.h" ++#include "ext/standard/php_smart_str.h" + + #define DEBUG_FILE_UPLOAD ZEND_DEBUG + +@@ -398,8 +399,9 @@ static int find_boundary(multipart_buffe + static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC) + { + char *line; +- mime_header_entry prev_entry, entry; +- int prev_len, cur_len; ++ mime_header_entry entry = {0}; ++ smart_str buf_value = {0}; ++ char *key = NULL; + + /* didn't find boundary, abort */ + if (!find_boundary(self, self->boundary TSRMLS_CC)) { +@@ -411,11 +413,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T + while( (line = get_line(self TSRMLS_CC)) && strlen(line) > 0 ) + { + /* add header to table */ +- char *key = line; + char *value = NULL; + + if (php_rfc1867_encoding_translation(TSRMLS_C)) { +- self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); ++ self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); + } + + /* space in the beginning means same header */ +@@ -424,31 +425,33 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T + } + + if (value) { +- *value = 0; +- do { value++; } while(isspace(*value)); +- +- entry.value = estrdup(value); +- entry.key = estrdup(key); +- +- } else if 
(zend_llist_count(header)) { /* If no ':' on the line, add to previous line */ +- +- prev_len = strlen(prev_entry.value); +- cur_len = strlen(line); +- +- entry.value = emalloc(prev_len + cur_len + 1); +- memcpy(entry.value, prev_entry.value, prev_len); +- memcpy(entry.value + prev_len, line, cur_len); +- entry.value[cur_len + prev_len] = '\0'; ++ if(buf_value.c && key) { ++ /* new entry, add the old one to the list */ ++ smart_str_0(&buf_value); ++ entry.key = key; ++ entry.value = buf_value.c; ++ zend_llist_add_element(header, &entry); ++ buf_value.c = NULL; ++ key = NULL; ++ } + +- entry.key = estrdup(prev_entry.key); ++ *value = '\0'; ++ do { value++; } while(isspace(*value)); + +- zend_llist_remove_tail(header); ++ key = estrdup(line); ++ smart_str_appends(&buf_value, value); ++ } else if (buf_value.c) { /* If no ':' on the line, add to previous line */ ++ smart_str_appends(&buf_value, line); + } else { + continue; + } +- ++ } ++ if(buf_value.c && key) { ++ /* add the last one to the list */ ++ smart_str_0(&buf_value); ++ entry.key = key; ++ entry.value = buf_value.c; + zend_llist_add_element(header, &entry); +- prev_entry = entry; + } + + return 1; +@@ -884,7 +887,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + if (count == PG(max_input_vars) + 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } +- ++ + if (php_rfc1867_callback != NULL) { + multipart_event_formdata event_formdata; + +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-CVE-2015-4025.patch b/SOURCES/php-5.4.16-CVE-2015-4025.patch new file mode 100644 index 0000000..50efc8c --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2015-4025.patch 
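Review bot: The flush condition `if(buf_value.c && key)` appears twice (when a new `key: value` line arrives and again after the loop) and silently depends on `key` and `buf_value.c` always being set as a pair on the same path. If `smart_str_appends` ever left `buf_value.c` NULL for a zero-length value (a line such as `X-Empty:`), the estrdup'd `key` would be overwritten on the next header and leak while the header itself is dropped; a comment like `/* key and buf_value are set together; the pending header is flushed when the next key arrives or at end of headers */` would record the invariant, or the two flush blocks could move into one small static helper. `multipart_buffer_headers` ends inside the hunk, but `get_line` and `find_boundary` are outside it.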
@@ -0,0 +1,490 @@ +Adapted for 5.4.16 from + +From be9b2a95adb504abd5acdc092d770444ad6f6854 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 9 May 2015 23:13:06 -0700 +Subject: [PATCH] Fixed bug #69418 - more s->p fixes for filenames + +--- + ext/pcntl/pcntl.c | 74 +++++++++++++++++++++--------------------- + ext/standard/basic_functions.c | 24 +++++++------- + ext/standard/dir.c | 62 +++++++++++++++++------------------ + ext/standard/file.c | 10 +++--- + 4 files changed, 85 insertions(+), 85 deletions(-) + +diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c +index 7a8acaf..6189bdf 100644 +--- a/ext/pcntl/pcntl.c ++++ b/ext/pcntl/pcntl.c +@@ -754,19 +754,19 @@ PHP_FUNCTION(pcntl_exec) + char *path; + int path_len; + ulong key_num; +- +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|aa", &path, &path_len, &args, &envs) == FAILURE) { ++ ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|aa", &path, &path_len, &args, &envs) == FAILURE) { + return; + } +- ++ + if (ZEND_NUM_ARGS() > 1) { + /* Build argument list */ + args_hash = HASH_OF(args); + argc = zend_hash_num_elements(args_hash); +- ++ + argv = safe_emalloc((argc + 2), sizeof(char *), 0); + *argv = path; +- for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1; ++ for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1; + (argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS)); + (argi++, current_arg++, zend_hash_move_forward(args_hash)) ) { + +diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c +index c3e2230..7d0bfed 100644 +--- a/ext/standard/basic_functions.c ++++ b/ext/standard/basic_functions.c +@@ -5433,7 +5433,7 @@ PHP_FUNCTION(set_include_path) + int new_value_len; + char *old_value; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &new_value, &new_value_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &new_value, &new_value_len) == 
FAILURE) { + return; + } + +diff --git a/ext/standard/dir.c b/ext/standard/dir.c +index c64f37c..27ffb9d 100644 +--- a/ext/standard/dir.c ++++ b/ext/standard/dir.c +@@ -219,12 +219,12 @@ static void _php_do_opendir(INTERNAL_FUNCTION_PARAMETERS, int createobject) + php_stream_context *context = NULL; + php_stream *dirp; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dirname, &dir_len, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dirname, &dir_len, &zcontext) == FAILURE) { + RETURN_NULL(); + } + + context = php_stream_context_from_zval(zcontext, 0); +- ++ + dirp = php_stream_opendir(dirname, REPORT_ERRORS, context); + + if (dirp == NULL) { +@@ -293,11 +293,11 @@ PHP_FUNCTION(chroot) + { + char *str; + int ret, str_len; +- +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) { ++ ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &str, &str_len) == FAILURE) { + RETURN_FALSE; + } +- ++ + ret = chroot(str); + if (ret != 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno); +diff --git a/ext/standard/file.c b/ext/standard/file.c +index 708c3e2..21e1e53 100644 +--- a/ext/standard/file.c ++++ b/ext/standard/file.c +@@ -805,7 +805,7 @@ PHP_FUNCTION(tempnam) + char *p; + int fd; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) { + return; + } + +@@ -1332,7 +1332,7 @@ PHP_FUNCTION(rmdir) + zval *zcontext = NULL; + php_stream_context *context; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dir, &dir_len, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dir, &dir_len, &zcontext) == FAILURE) { + RETURN_FALSE; + } + +-- +2.1.4 + +From 634aa0a2dbf8ec5e6fabb4ee01c6d1355ba7ee67 Mon Sep 17 00:00:00 2001 
+From: Stanislav Malyshev +Date: Sun, 10 May 2015 23:33:44 -0700 +Subject: [PATCH] Update tests + +--- + ext/standard/tests/dir/dir_variation1.phpt | 22 +++++++++++----------- + .../tests/dir/opendir_variation1-win32.phpt | 12 ++++++------ + ext/standard/tests/dir/opendir_variation1.phpt | 12 ++++++------ + .../tests/file/mkdir_rmdir_variation2.phpt | 2 +- + .../tests/file/tempnam_variation3-win32.phpt | 18 +++++++++--------- + ext/standard/tests/file/tempnam_variation3.phpt | 22 ++++++++++++---------- + .../tests/general_functions/include_path.phpt | 4 ++-- + 7 files changed, 47 insertions(+), 45 deletions(-) + +diff --git a/ext/standard/tests/dir/dir_variation1.phpt b/ext/standard/tests/dir/dir_variation1.phpt +index abb4719..fff04ba 100644 +--- a/ext/standard/tests/dir/dir_variation1.phpt ++++ b/ext/standard/tests/dir/dir_variation1.phpt +@@ -8,7 +8,7 @@ if (substr(PHP_OS, 0, 3) == 'WIN') { + ?> + --FILE-- + path = $path; +@@ -73,7 +73,7 @@ $inputs = array( + false, + TRUE, + FALSE, +- ++ + // empty data + /*16*/ "", + '', +@@ -83,7 +83,7 @@ $inputs = array( + /*19*/ "$path", + 'string', + $heredoc, +- ++ + // object data + /*22*/ new classA($path), + +@@ -216,7 +216,7 @@ bool(false) + + -- Iteration 18 -- + +-Warning: opendir() expects parameter 1 to be string, array given in %s on line %d ++Warning: opendir() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + + -- Iteration 19 -- +@@ -243,6 +243,6 @@ bool(false) + + -- Iteration 25 -- + +-Warning: opendir() expects parameter 1 to be string, resource given in %s on line %d ++Warning: opendir() expects parameter 1 to be a valid path, resource given in %s on line %d + NULL + ===DONE=== +diff --git a/ext/standard/tests/dir/opendir_variation1.phpt b/ext/standard/tests/dir/opendir_variation1.phpt +index 8d195e1..cb4d543 100644 +--- a/ext/standard/tests/dir/opendir_variation1.phpt ++++ b/ext/standard/tests/dir/opendir_variation1.phpt +@@ -9,7 +9,7 @@ if (substr(PHP_OS, 0, 3) == 'WIN') { + 
--FILE-- + path = $path; +@@ -73,7 +73,7 @@ $inputs = array( + false, + TRUE, + FALSE, +- ++ + // empty data + /*16*/ "", + '', +@@ -83,7 +83,7 @@ $inputs = array( + /*19*/ "$path", + 'string', + $heredoc, +- ++ + // object data + /*22*/ new classA($path), + +@@ -194,7 +194,7 @@ bool(false) + + -- Iteration 18 -- + +-Warning: opendir() expects parameter 1 to be string, array given in %s on line %d ++Warning: opendir() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + + -- Iteration 19 -- +@@ -219,6 +219,6 @@ bool(false) + + -- Iteration 25 -- + +-Warning: opendir() expects parameter 1 to be string, resource given in %s on line %d ++Warning: opendir() expects parameter 1 to be a valid path, resource given in %s on line %d + NULL + ===DONE=== +diff --git a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt +index 14dd361..24dfc96 100644 +--- a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt ++++ b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt +@@ -68,7 +68,7 @@ bool(false) + Warning: mkdir() expects parameter 1 to be a valid path, string given in %s on line %d + bool(false) + +-Warning: rmdir(%s): No such file or directory in %s on line %d ++Warning: rmdir() expects parameter 1 to be a valid path, string given in %s on line %d + bool(false) + + *** Testing mkdir() with miscelleneous input *** +diff --git a/ext/standard/tests/file/tempnam_variation3-win32.phpt b/ext/standard/tests/file/tempnam_variation3-win32.phpt +index fb457cb..cc8194a 100644 +--- a/ext/standard/tests/file/tempnam_variation3-win32.phpt ++++ b/ext/standard/tests/file/tempnam_variation3-win32.phpt +@@ -22,9 +22,9 @@ if (!mkdir($file_path)) { + + $file_path = realpath($file_path); + +-/* An array of prefixes */ ++/* An array of prefixes */ + $names_arr = array( +- /* Valid args (casting)*/ ++ /* Valid args (casting)*/ + -1, + TRUE, + FALSE, +@@ -32,17 +32,17 @@ $names_arr = array( + "", + " ", + "\0", +- /* 
Invalid args */ ++ /* Invalid args */ + array(), + +- /* Valid args*/ ++ /* Valid args*/ + /* prefix with path separator of a non existing directory*/ +- "/no/such/file/dir", ++ "/no/such/file/dir", + "php/php" + ); + + $res_arr = array( +- /* Invalid args */ ++ /* Invalid args */ + true, + true, + true, +@@ -53,7 +53,7 @@ $res_arr = array( + false, + + /* prefix with path separator of a non existing directory*/ +- true, ++ true, + true + ); + +@@ -72,7 +72,7 @@ for( $i=0; $i "; + printf("%o", fileperms($file_name) ); + echo "\n"; +- ++ + echo "File created in => "; + $file_dir = dirname($file_name); +- ++ + if ($file_dir == sys_get_temp_dir()) { + echo "temp dir\n"; + } +@@ -61,7 +61,7 @@ for( $i=0; $i %s/%s + File permissions are => 100600 + File created in => directory specified + -- Iteration 6 -- +-File name is => %s/%s +-File permissions are => 100600 +-File created in => directory specified ++ ++Warning: tempnam() expects parameter 2 to be a valid path, string given in %s on line %d ++-- File is not created -- ++ ++Warning: unlink(): %s in %s on line %d + -- Iteration 7 -- + +-Warning: tempnam() expects parameter 2 to be string, array given in %s on line %d ++Warning: tempnam() expects parameter 2 to be a valid path, array given in %s on line %d + -- File is not created -- + + Warning: unlink(): %s in %s on line %d +diff --git a/ext/standard/tests/general_functions/include_path.phpt b/ext/standard/tests/general_functions/include_path.phpt +index 0392307..8b6626f 100644 +--- a/ext/standard/tests/general_functions/include_path.phpt ++++ b/ext/standard/tests/general_functions/include_path.phpt +@@ -41,7 +41,7 @@ var_dump(get_include_path()); + + echo "Done\n"; + ?> +---EXPECTF-- ++--EXPECTF-- + string(1) "." + + Warning: get_include_path() expects exactly 0 parameters, 1 given in %s on line %d +@@ -67,7 +67,7 @@ string(1) "." + NULL + string(1) "." 
+ +-Warning: set_include_path() expects parameter 1 to be string, array given in %s on line %d ++Warning: set_include_path() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + string(1) "." + NULL +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-aarch64-select.patch b/SOURCES/php-5.4.16-aarch64-select.patch new file mode 100644 index 0000000..756ce69 --- /dev/null +++ b/SOURCES/php-5.4.16-aarch64-select.patch 
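Review bot: The backport mixes trailing-whitespace cleanups (the paired `- ` / `+ ` lines in pcntl.c, basic_functions.c and dir.c) into a security fix whose actual content is the `"s"` to `"p"` format change in each `zend_parse_parameters` call; dropping the whitespace-only lines would keep the distro patch minimal and easier to audit against upstream. For `pcntl_exec` only `path` is validated by the new `"p"` specifier, while the argv and env strings built from the arrays further down the function (outside the hunk) are not; that is presumably acceptable since they are not used as filenames, but it deserves confirming rather than assuming. Each patched function starts and ends outside its hunk.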
@@ -0,0 +1,44 @@ +From 58c6a08e00d4a8c99123cfb36f3a399a9b352d24 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 10 Jun 2014 10:28:34 +0200 +Subject: [PATCH] Fixed bug #67406 built-in web-server segfaults on startup + +Reproduce on aarch64. + +From select man page: + "select() may update the timeout argument to indicate how much time was left." +So "const" is not ok. +--- + sapi/cli/php_cli_server.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c +index e838d30..3fd24ea 100644 +--- a/sapi/cli/php_cli_server.c ++++ b/sapi/cli/php_cli_server.c +@@ -768,11 +768,11 @@ static void php_cli_server_poller_remove(php_cli_server_poller *poller, int mode + #endif + } /* }}} */ + +-static int php_cli_server_poller_poll(php_cli_server_poller *poller, const struct timeval *tv) /* {{{ */ ++static int php_cli_server_poller_poll(php_cli_server_poller *poller, struct timeval *tv) /* {{{ */ + { + memmove(&poller->active.rfds, &poller->rfds, sizeof(poller->rfds)); + memmove(&poller->active.wfds, &poller->wfds, sizeof(poller->wfds)); +- return php_select(poller->max_fd + 1, &poller->active.rfds, &poller->active.wfds, NULL, (struct timeval *)tv); ++ return php_select(poller->max_fd + 1, &poller->active.rfds, &poller->active.wfds, NULL, tv); + } /* }}} */ + + static int php_cli_server_poller_iter_on_active(php_cli_server_poller *poller, void *opaque, int(*callback)(void *, int fd, int events)) /* {{{ */ +@@ -2349,7 +2349,7 @@ static int php_cli_server_do_event_loop(php_cli_server *server TSRMLS_DC) /* {{{ + { + int retval = SUCCESS; + while (server->is_running) { +- static const struct timeval tv = { 1, 0 }; ++ struct timeval tv = { 1, 0 }; + int n = php_cli_server_poller_poll(&server->poller, &tv); + if (n > 0) { + php_cli_server_do_event_for_each_fd(server, +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-bug50444.patch b/SOURCES/php-5.4.16-bug50444.patch new file mode 100644 index 0000000..2328cb7 
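Review bot: The per-iteration `struct timeval tv = { 1, 0 };` is correct precisely because `select()` may overwrite it, but nothing in the code says so, and a reader could reasonably hoist it back out of the loop. Add `/* select() may modify tv; re-initialise it on every iteration */` above the declaration. The `const` removal on `php_cli_server_poller_poll` also drops the `(struct timeval *)` cast that was hiding the write, and since the function is `static` no header declaration needs the matching change. `php_cli_server_do_event_loop` continues outside the hunk.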
--- /dev/null +++ b/SOURCES/php-5.4.16-bug50444.patch 
@@ -0,0 +1,83 @@ +Backported from 5.5.14 +Adapted for PHP 5.4.16 from + +From a05611358606ca21672c49d26c77b7b0c81cab07 Mon Sep 17 00:00:00 2001 +From: Felipe Pena +Date: Sun, 22 Dec 2013 09:42:45 -0200 +Subject: [PATCH] - Fixed bug #66311 (Stack smashing protection kills PDO/ODBC + queries) patch by: michael at orlitzky dot com + +--- + ext/pdo_odbc/odbc_stmt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/pdo_odbc/odbc_stmt.c b/ext/pdo_odbc/odbc_stmt.c +index 89b6721..e0d7e62 100644 +--- a/ext/pdo_odbc/odbc_stmt.c ++++ b/ext/pdo_odbc/odbc_stmt.c +@@ -546,7 +546,8 @@ static int odbc_stmt_describe(pdo_stmt_t + zend_bool dyn = FALSE; + RETCODE rc; + SWORD colnamelen; +- SDWORD colsize, displaysize; ++ SDWORD colsize; ++ SQLLEN displaysize; + + rc = SQLDescribeCol(S->stmt, colno+1, S->cols[colno].colname, + sizeof(S->cols[colno].colname)-1, &colnamelen, + +From 186ffcb72c982b0235761bdd6388ff1c36d79568 Mon Sep 17 00:00:00 2001 +From: Andrew Kehrig +Date: Mon, 24 Feb 2014 12:01:58 -0500 +Subject: [PATCH] Fix #50444: PDO-ODBC changes for 64-bit + +This bug is also referenced in +[#61777](https://bugs.php.net/bug.php?id=61777) and is still present in +the latest stable release of the 5.5 branch. I see two tickets exist for +this problem already, and I'm just submitting these changes via github +as a reminder that this is a serious problem for anyone using PDO_ODBC +on the x64 builds. 
+--- + NEWS | 3 +++ + ext/pdo_odbc/odbc_stmt.c | 4 ++-- + ext/pdo_odbc/php_pdo_odbc_int.h | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ext/pdo_odbc/odbc_stmt.c b/ext/pdo_odbc/odbc_stmt.c +index 8b0ccf3..1d275cd 100644 +--- a/ext/pdo_odbc/odbc_stmt.c ++++ b/ext/pdo_odbc/odbc_stmt.c +@@ -279,7 +279,7 @@ static int odbc_stmt_param_hook(pdo_stmt_t *stmt, struct pdo_bound_param_data *p + pdo_odbc_stmt *S = (pdo_odbc_stmt*)stmt->driver_data; + RETCODE rc; + SWORD sqltype = 0, ctype = 0, scale = 0, nullable = 0; +- UDWORD precision = 0; ++ SQLULEN precision = 0; + pdo_odbc_param *P; + + /* we're only interested in parameters for prepared SQL right now */ +@@ -546,7 +546,7 @@ static int odbc_stmt_describe(pdo_stmt_t + zend_bool dyn = FALSE; + RETCODE rc; + SWORD colnamelen; +- SDWORD colsize; ++ SQLULEN colsize; + SQLLEN displaysize; + + rc = SQLDescribeCol(S->stmt, colno+1, S->cols[colno].colname, +diff --git a/ext/pdo_odbc/php_pdo_odbc_int.h b/ext/pdo_odbc/php_pdo_odbc_int.h +index 87b2f91..5e42951 100644 +--- a/ext/pdo_odbc/php_pdo_odbc_int.h ++++ b/ext/pdo_odbc/php_pdo_odbc_int.h +@@ -157,7 +157,7 @@ typedef struct { + } pdo_odbc_stmt; + + typedef struct { +- SQLINTEGER len; ++ SQLLEN len; + SQLSMALLINT paramtype; + char *outbuf; + unsigned is_unicode:1; +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-bug63595.patch b/SOURCES/php-5.4.16-bug63595.patch new file mode 100644 index 0000000..493fb3b --- /dev/null +++ b/SOURCES/php-5.4.16-bug63595.patch 
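Review bot: The second patch's diffstat lists `NEWS | 3 +++` and `3 files changed`, but only the two `ext/pdo_odbc` diffs are included, so the stat no longer describes what the backport applies; a one-line note that the NEWS hunk was dropped would avoid confusion. The type changes (`SQLLEN len`, `SQLULEN precision`, `SQLULEN colsize`, `SQLLEN displaysize`) widen these fields on 64-bit builds, so any code outside the hunks that prints or casts them would need a matching adjustment, which cannot be checked from here. `odbc_stmt_describe` and `odbc_stmt_param_hook` continue past their hunks.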
@@ -0,0 +1,72 @@ +From 3c925b18fa96043e5d7e86f9ce544b143c3c2079 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 27 Oct 2014 07:45:34 +0100 +Subject: [PATCH] Fix bug #63595 GMP memory management conflicts with other + libraries using GMP + +Drop use of php memory allocators as this raise various conflicts +with other extensions and libraries which use libgmp. + +No other solution found. +We cannot for ensure correct use of allocator with shared lib. + +Some memory can allocated before php init +Some memory can be freed after php shutdown + +Known broken run cases +- php + curl + gnutls + gmp +- mod_gnutls + mod_php + gnutls + gmp +- php + freetds + gnutls + gmp +- php + odbc + freetds + gnutls + gmp +- php + php-mapi (zarafa) + gnutls + gmp +--- + ext/gmp/gmp.c | 26 -------------------------- + 1 file changed, 26 deletions(-) + +diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c +index f51bd8c..b1553fa 100644 +--- a/ext/gmp/gmp.c ++++ b/ext/gmp/gmp.c +@@ -324,30 +324,6 @@ static void _php_gmpnum_free(zend_rsrc_list_entry *rsrc TSRMLS_DC); + # define MAX_BASE 36 + #endif + +-/* {{{ gmp_emalloc +- */ +-static void *gmp_emalloc(size_t size) +-{ +- return emalloc(size); +-} +-/* }}} */ +- +-/* {{{ gmp_erealloc +- */ +-static void *gmp_erealloc(void *ptr, size_t old_size, size_t new_size) +-{ +- return erealloc(ptr, new_size); +-} +-/* }}} */ +- +-/* {{{ gmp_efree +- */ +-static void gmp_efree(void *ptr, size_t size) +-{ +- efree(ptr); +-} +-/* }}} */ +- + /* {{{ ZEND_GINIT_FUNCTION + */ + static ZEND_GINIT_FUNCTION(gmp) +@@ -369,8 +345,6 @@ ZEND_MODULE_STARTUP_D(gmp) + #endif + REGISTER_STRING_CONSTANT("GMP_VERSION", (char *)gmp_version, CONST_CS | CONST_PERSISTENT); + +- mp_set_memory_functions(gmp_emalloc, gmp_erealloc, gmp_efree); +- + return SUCCESS; + } + /* }}} */ +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-bug66987.patch b/SOURCES/php-5.4.16-bug66987.patch new file mode 100644 index 0000000..ff7f4be --- /dev/null +++ b/SOURCES/php-5.4.16-bug66987.patch 
@@ -0,0 +1,51 @@ +From 2c204a55af9b903b3db48dd5a75d492dbf1b387d Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 31 Mar 2014 16:50:47 +0200 +Subject: [PATCH] Fixed Bug #66987 Memory corruption in fileinfo ext + (bigendian) + +On little endian: + map->p == php_magic_database + map->magic[i] = pointer into the map + + map->p == NULL + map->magic[i] = pointer to allocated memory + +On big endian (ppc64, s390x, ...): + map->p != php_magic_database and map->p != NULL + map->magic[i] = pointer into a copy of the map + +Trying to efree pointer in the later cause memory corruption +Thanks to dkatulek / Red Hat for the report. +--- + ext/fileinfo/libmagic/apprentice.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/ext/fileinfo/libmagic/apprentice.c b/ext/fileinfo/libmagic/apprentice.c +index 11920e6..fd82564 100644 +--- a/ext/fileinfo/libmagic/apprentice.c ++++ b/ext/fileinfo/libmagic/apprentice.c +@@ -493,12 +493,14 @@ apprentice_unmap(struct magic_map *map) + if (map == NULL) + return; + if (map->p != php_magic_database) { +- int j; +- for (j = 0; j < MAGIC_SETS; j++) { +- if (map->magic[j]) +- efree(map->magic[j]); +- } +- if (map->p != NULL) { ++ if (map->p == NULL) { ++ int j; ++ for (j = 0; j < MAGIC_SETS; j++) { ++ if (map->magic[j]) { ++ efree(map->magic[j]); ++ } ++ } ++ } else { + efree(map->p); + } + } +-- +2.1.0 + diff --git a/SOURCES/php-5.4.16-bug68819.patch b/SOURCES/php-5.4.16-bug68819.patch new file mode 100644 index 0000000..8111178 --- /dev/null +++ b/SOURCES/php-5.4.16-bug68819.patch 
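Review bot: The new branch structure — free the individual `map->magic[j]` buffers only when `map->p == NULL`, otherwise free `map->p` — is correct only because of the allocation rule spelled out in the commit message, and nothing in the code records it. A comment at the `if (map->p == NULL)` line such as `/* p == NULL: magic[] were allocated individually; otherwise (e.g. the byte-swapped copy on big-endian) they point into p */` would stop someone from restoring the old unconditional loop. `apprentice_unmap` continues past the hunk, so whether `map` itself is released is not visible here.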
@@ -0,0 +1,87 @@ +From f938112c495b0d26572435c0be73ac0bfe642ecd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 4 Apr 2015 15:01:37 -0700 +Subject: [PATCH] Fix bug #68819 (Fileinfo on specific file causes spurious OOM + and/or segfault) + +--- + ext/fileinfo/libmagic/softmagic.c | 3 +++ + ext/fileinfo/tests/bug68819_001.phpt | 18 ++++++++++++++++++ + ext/fileinfo/tests/bug68819_002.phpt | 26 ++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+) + create mode 100644 ext/fileinfo/tests/bug68819_001.phpt + create mode 100644 ext/fileinfo/tests/bug68819_002.phpt + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index e7b7855..54c1a03 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -1037,6 +1037,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, + if (bytecnt > nbytes) { + bytecnt = nbytes; + } ++ if (offset > bytecnt) { ++ offset = bytecnt; ++ } + if (s == NULL) { + ms->search.s_len = 0; + ms->search.s = NULL; +diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt +new file mode 100644 +index 0000000..ce39ee6 +--- /dev/null ++++ b/ext/fileinfo/tests/bug68819_001.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1 ++--SKIPIF-- ++ ++--FILE-- ++buffer($string); ++ ++var_dump($type); ++?> ++--EXPECT-- ++string(60) "ASCII text, with very long lines, with CRLF line terminators" +diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt +new file mode 100644 +index 0000000..cec238d +--- /dev/null ++++ b/ext/fileinfo/tests/bug68819_002.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2 ++--SKIPIF-- ++ ++--FILE-- ++ 8192 ++$string .= str_repeat(chr(rand(32, 127)), 8184); ++ ++// Ending in this string ++$string .= "say"; ++ ++$finfo = new finfo(); ++$type = 
$finfo->buffer($string); ++var_dump($type); ++ ++?> ++--EXPECT-- ++string(60) "ASCII text, with very long lines, with CRLF line terminators" +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-bug69085.patch b/SOURCES/php-5.4.16-bug69085.patch new file mode 100644 index 0000000..c4149e0 --- /dev/null +++ b/SOURCES/php-5.4.16-bug69085.patch 
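Review bot: `if (offset > bytecnt) offset = bytecnt;` silently clamps rather than reporting an inconsistent offset, leaving the caller with a zero-length search window; a comment such as `/* offset past the copied window: clamp so the search below stays in bounds */` would keep the next reader from treating the clamp as a bug. `mcopy` starts before the hunk, so the types of `offset` and `bytecnt` (signedness matters for this comparison) cannot be checked here. In `bug68819_002.phpt` the payload is built from `chr(rand(32, 127))` without a seed, so the expected `ASCII text, ...` string depends on whichever byte `rand()` picks; a fixed character would make the test deterministic.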
@@ -0,0 +1,488 @@ +Adapted for 5.4.16 + +From d5248f67b58ac3107fec82c5b937fc3f4c89784a Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Mon, 2 Mar 2015 12:27:36 +0300 +Subject: [PATCH] Check variable type before its usage as IS_ARRAY. + +--- + ext/soap/soap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index eaa57d9..8790605 100644 +--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -2879,7 +2879,8 @@ PHP_METHOD(SoapClient, __call) + } + + /* Add default headers */ +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS && ++ Z_TYPE_PP(tmp) == IS_ARRAY) { + HashTable *default_headers = Z_ARRVAL_P(*tmp); + if (soap_headers) { + if (!free_soap_headers) { +-- +2.1.4 + +From 0c136a2abd49298b66acb0cad504f0f972f5bfe8 Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Tue, 3 Mar 2015 09:44:46 +0300 +Subject: [PATCH] Added type checks + +--- + ext/soap/php_encoding.c | 9 ++++++--- + ext/soap/php_http.c | 23 +++++++++++++++-------- + ext/soap/soap.c | 41 +++++++++++++++++++++++++---------------- + 3 files changed, 46 insertions(+), 27 deletions(-) + +diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c +index 5e93b8a..fd9e367 100644 +--- a/ext/soap/php_encoding.c ++++ b/ext/soap/php_encoding.c +@@ -3649,18 +3649,21 @@ static encodePtr get_array_type(xmlNodePtr node, zval *array, smart_str *type TS + Z_OBJCE_PP(tmp) == soap_var_class_entry) { + zval **ztype; + +- if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { ++ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || ++ Z_TYPE_PP(ztype) != IS_LONG) { + soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); + } + cur_type = Z_LVAL_PP(ztype); + +- if 
(zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS && ++ Z_TYPE_PP(ztype) == IS_STRING) { + cur_stype = Z_STRVAL_PP(ztype); + } else { + cur_stype = NULL; + } + +- if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS && ++ Z_TYPE_PP(ztype) == IS_STRING) { + cur_ns = Z_STRVAL_PP(ztype); + } else { + cur_ns = NULL; +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 9e74a7c..8c5082c 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -36,14 +36,16 @@ int proxy_authentication(zval* this_ptr, smart_str* soap_headers TSRMLS_DC) + { + zval **login, **password; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS && ++ Z_TYPE_PP(login) == IS_STRING) { + unsigned char* buf; + int len; + smart_str auth = {0}; + + smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); + smart_str_appendc(&auth, ':'); +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS && ++ Z_TYPE_PP(password) == IS_STRING) { + smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); + } + smart_str_0(&auth); +@@ -64,14 +66,16 @@ int basic_authentication(zval* this_ptr, smart_str* soap_headers TSRMLS_DC) + zval **login, **password; + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_login", sizeof("_login"), (void **)&login) == SUCCESS && +- !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", 
sizeof("_digest"))) { ++ Z_TYPE_PP(login) == IS_STRING && ++ !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { + unsigned char* buf; + int len; + smart_str auth = {0}; + + smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); + smart_str_appendc(&auth, ':'); +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS && ++ Z_TYPE_PP(password) == IS_STRING) { + smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); + } + smart_str_0(&auth); +@@ -509,6 +513,7 @@ try_again: + } + if (!http_1_1 || + (zend_hash_find(Z_OBJPROP_P(this_ptr), "_keep_alive", sizeof("_keep_alive"), (void **)&tmp) == SUCCESS && ++ (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && + Z_LVAL_PP(tmp) == 0)) { + smart_str_append_const(&soap_headers, "\r\n" + "Connection: close\r\n"); +@@ -742,7 +747,8 @@ try_again: + } + + /* Send cookies along with request */ +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && ++ Z_TYPE_PP(cookies) == IS_ARRAY) { + zval **data; + char *key; + int i, n; +@@ -785,7 +791,7 @@ try_again: + smart_str_append_const(&soap_headers, "\r\n"); + smart_str_0(&soap_headers); + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- Z_LVAL_PP(trace) > 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_request_headers", soap_headers.c, soap_headers.len, 1); + } + smart_str_appendl(&soap_headers, request, request_size); +@@ -830,7 +836,7 @@ try_again: + } + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- 
Z_LVAL_PP(trace) > 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_response_headers", http_headers, http_header_size, 1); + } + +@@ -879,7 +885,8 @@ try_again: + char *eqpos, *sempos; + zval **cookies; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || ++ Z_TYPE_PP(cookies) != IS_ARRAY) { + zval *tmp_cookies; + MAKE_STD_ZVAL(tmp_cookies); + array_init(tmp_cookies); +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index 8790605..9ec6347 100644 +--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -2549,7 +2549,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act + } + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- Z_LVAL_PP(trace) > 0) { ++ (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); + } + +@@ -2589,7 +2589,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act + } + ret = FALSE; + } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- Z_LVAL_PP(trace) > 0) { ++ (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); + } + xmlFree(buf); +@@ -2628,13 +2628,13 @@ static void do_soap_call(zval* this_ptr, + + SOAP_CLIENT_BEGIN_CODE(); + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS +- && Z_LVAL_PP(trace) > 0) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && ++ (Z_LVAL_PP(trace) == IS_BOOL || 
Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); + zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); + } +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS +- && Z_LVAL_PP(tmp) == SOAP_1_2) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_LONG && Z_LVAL_PP(tmp) == SOAP_1_2) { + soap_version = SOAP_1_2; + } else { + soap_version = SOAP_1_1; +@@ -2730,7 +2730,7 @@ static void do_soap_call(zval* this_ptr, + zval **uri; + smart_str action = {0}; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE || Z_TYPE_PP(uri) != IS_STRING) { + add_soap_fault(this_ptr, "Client", "Error finding \"uri\" property", NULL, NULL TSRMLS_CC); + } else if (location == NULL) { + add_soap_fault(this_ptr, "Client", "Error could not find \"location\" property", NULL, NULL TSRMLS_CC); +@@ -3001,7 +3001,8 @@ PHP_METHOD(SoapClient, __getLastRequest) + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3019,7 +3020,8 @@ PHP_METHOD(SoapClient, __getLastResponse) + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + 
RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3037,7 +3039,8 @@ PHP_METHOD(SoapClient, __getLastRequestHeaders) + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3055,7 +3058,8 @@ PHP_METHOD(SoapClient, __getLastResponseHeaders) + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3111,13 +3115,15 @@ PHP_METHOD(SoapClient, __setCookie) + } + + if (val == NULL) { +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && ++ Z_TYPE_PP(cookies) == IS_ARRAY) { + zend_hash_del(Z_ARRVAL_PP(cookies), name, name_len+1); + } + } else { + zval *zcookie; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || ++ Z_TYPE_PP(cookies) != IS_ARRAY) { + zval *tmp_cookies; + + MAKE_STD_ZVAL(tmp_cookies); +@@ -4166,7 +4172,8 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function + } + } + } else { +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS) { ++ if 
(zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS && ++ Z_TYPE_PP(zstyle) == IS_LONG) { + style = Z_LVAL_PP(zstyle); + } else { + style = SOAP_RPC; +@@ -4189,7 +4196,7 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function + } + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "use", sizeof("use"), (void **)&zuse) == SUCCESS && +- Z_LVAL_PP(zuse) == SOAP_LITERAL) { ++ Z_TYPE_PP(zuse) == IS_LONG && Z_LVAL_PP(zuse) == SOAP_LITERAL) { + use = SOAP_LITERAL; + } else { + use = SOAP_ENCODED; +@@ -4350,6 +4357,7 @@ static xmlNodePtr serialize_parameter(sdlParamPtr param, zval *param_val, int in + zval **param_data; + + if (zend_hash_find(Z_OBJPROP_P(param_val), "param_name", sizeof("param_name"), (void **)¶m_name) == SUCCESS && ++ Z_TYPE_PP(param_name) == IS_STRING && + zend_hash_find(Z_OBJPROP_P(param_val), "param_data", sizeof("param_data"), (void **)¶m_data) == SUCCESS) { + param_val = *param_data; + name = Z_STRVAL_PP(param_name); +-- +2.1.4 + +From c8eaca013a3922e8383def6158ece2b63f6ec483 Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Tue, 3 Mar 2015 10:43:48 +0300 +Subject: [PATCH] Added type checks + +--- + ext/soap/php_encoding.c | 21 ++++++++++++++------- + ext/soap/soap.c | 6 ++++-- + 2 files changed, 18 insertions(+), 9 deletions(-) + +diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c +index fd9e367..31f1f7c 100644 +--- a/ext/soap/php_encoding.c ++++ b/ext/soap/php_encoding.c +@@ -404,12 +404,15 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml + encodePtr enc = NULL; + HashTable *ht = Z_OBJPROP_P(data); + +- if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { ++ if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || ++ Z_TYPE_PP(ztype) != IS_LONG) { + soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); + } + +- if (zend_hash_find(ht, "enc_stype", 
sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { +- if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && ++ Z_TYPE_PP(zstype) == IS_STRING) { ++ if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS && ++ Z_TYPE_PP(zns) == IS_STRING) { + enc = get_encoder(SOAP_GLOBAL(sdl), Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); + } else { + zns = NULL; +@@ -445,8 +448,10 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml + } + + if (style == SOAP_ENCODED || (SOAP_GLOBAL(sdl) && encode != enc)) { +- if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { +- if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && ++ Z_TYPE_PP(zstype) == IS_STRING) { ++ if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS && ++ Z_TYPE_PP(zns) == IS_STRING) { + set_ns_and_type_ex(node, Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); + } else { + set_ns_and_type_ex(node, NULL, Z_STRVAL_PP(zstype)); +@@ -454,10 +459,12 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml + } + } + +- if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS && ++ Z_TYPE_PP(zname) == IS_STRING) { + xmlNodeSetName(node, BAD_CAST(Z_STRVAL_PP(zname))); + } +- if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS && ++ Z_TYPE_PP(zname) == IS_STRING) { + xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens)); + xmlSetNs(node, nsp); + } +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index 9ec6347..d460c17 100644 
+--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -3915,7 +3915,8 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function + } + + if (version == SOAP_1_1) { +- if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { ++ if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + size_t new_len; + xmlNodePtr node = xmlNewNode(NULL, BAD_CAST("faultcode")); + char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); +@@ -3940,7 +3941,8 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function + } + detail_name = "detail"; + } else { +- if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { ++ if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + size_t new_len; + xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Code"), NULL); + char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); +-- +2.1.4 + +From 75f40ae1f3a7ca837d230f099627d121f9b3a32f Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Fri, 27 Mar 2015 18:40:58 +0300 +Subject: [PATCH] Fixed bug #69293 + +--- + ext/soap/php_encoding.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c +index 31f1f7c..13be2a5 100644 +--- a/ext/soap/php_encoding.c ++++ b/ext/soap/php_encoding.c +@@ -464,7 +464,7 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml + xmlNodeSetName(node, BAD_CAST(Z_STRVAL_PP(zname))); + } + if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS && +- Z_TYPE_PP(zname) == IS_STRING) { ++ Z_TYPE_PP(znamens) == IS_STRING) { + xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens)); + 
xmlSetNs(node, nsp); + } +-- +2.1.4 + +From 997b7e56302710bb3db00b56d0629ac75d73a207 Mon Sep 17 00:00:00 2001 +From: Xinchen Hui +Date: Fri, 27 Feb 2015 23:32:32 +0800 +Subject: [PATCH] Fixed bug #69085 (SoapClient's __call() type confusion + through unserialize()). + +--- + NEWS | 4 ++++ + ext/soap/soap.c | 6 +++--- + ext/soap/tests/bugs/bug69085.phpt | 17 +++++++++++++++++ + 3 files changed, 24 insertions(+), 3 deletions(-) + create mode 100644 ext/soap/tests/bugs/bug69085.phpt + +diff --git a/ext/soap/tests/bugs/bug69085.phpt b/ext/soap/tests/bugs/bug69085.phpt +new file mode 100644 +index 0000000..cb27cfd +--- /dev/null ++++ b/ext/soap/tests/bugs/bug69085.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #69085 (SoapClient's __call() type confusion through unserialize()) ++--SKIPIF-- ++ ++--INI-- ++soap.wsdl_cache_enabled=0 ++--FILE-- ++whatever(); ++} catch (Exception $e) { ++ echo "okey"; ++} ++--EXPECT-- ++okey +-- +2.1.4 + +From ff70b40dc978f3f4c457f72a71bb43fd17ee360b Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 13 Apr 2015 14:39:11 +0200 +Subject: [PATCH] fix type in fix for #69085 + +--- + ext/soap/soap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index 41aa1ad..1b8f545 100644 +--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -2549,7 +2549,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act + } + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); + } + +@@ -2589,7 +2589,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act + } + ret = FALSE; + } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), 
(void **) &trace) == SUCCESS && +- (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); + } + xmlFree(buf); +@@ -2629,7 +2629,7 @@ static void do_soap_call(zval* this_ptr, + SOAP_CLIENT_BEGIN_CODE(); + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); + zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); + } +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-bug69152.patch b/SOURCES/php-5.4.16-bug69152.patch new file mode 100644 index 0000000..e7a14a0 --- /dev/null +++ b/SOURCES/php-5.4.16-bug69152.patch 
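Review bot: The bool-or-long flag test `(Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0` is spelled out by hand at five sites (php_http.c twice, soap.c do_request twice and do_soap_call), and the first cut of it in soap.c compared `Z_LVAL_PP` instead of `Z_TYPE_PP` against `IS_BOOL`, which the later "fix type in fix for #69085" commit in this same patch has to repair; one small helper visible to both soap.c and php_http.c, e.g. `static inline int soap_flag_is_set(zval **z) { return (Z_TYPE_PP(z) == IS_BOOL || Z_TYPE_PP(z) == IS_LONG) && Z_LVAL_PP(z) != 0; }`, would make the guard uniform and harder to get wrong, and the `_keep_alive` check at `@@ -509` is just its negated form. Separately, the "Fixed bug #69085" commit's diffstat still lists NEWS and ext/soap/soap.c while its body carries only the phpt, presumably because the soap.c part was folded into the earlier commits during adaptation; trimming the stat to what the body contains avoids misleading whoever reads the series next. The enclosing functions all start and end outside the hunk.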
@@ -0,0 +1,104 @@ +From 51856a76f87ecb24fe1385342be43610fb6c86e4 Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Thu, 19 Mar 2015 11:36:01 +0300 +Subject: [PATCH] Fixed bug #69152 + +--- + ext/soap/soap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ext/soap/soap.c b/ext/soap/soap.c +index d460c17..41aa1ad 100644 +--- a/ext/soap/soap.c ++++ b/ext/soap/soap.c +@@ -919,6 +919,12 @@ PHP_METHOD(SoapFault, __toString) + + zend_call_function(&fci, NULL TSRMLS_CC); + ++ convert_to_string(faultcode); ++ convert_to_string(faultstring); ++ convert_to_string(file); ++ convert_to_long(line); ++ convert_to_string(trace); ++ + len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s", + Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line), + Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n"); +-- +2.1.4 + +From fb83c76deec58f1fab17c350f04c9f042e5977d1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 22 Mar 2015 18:17:47 -0700 +Subject: [PATCH] Check that the type is correct + +--- + ext/standard/incomplete_class.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c +index 1816ac4..30c82e6 100644 +--- a/ext/standard/incomplete_class.c ++++ b/ext/standard/incomplete_class.c +@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen) + + object_properties = Z_OBJPROP_P(object); + +- if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) { ++ if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) { + retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val)); + + if (nlen) { +-- +2.1.4 + +From a894a8155fab068d68a04bf181dbaddfa01ccbb0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 17:30:59 -0700 +Subject: [PATCH] More fixes for bug #69152 
+ +--- + Zend/zend_exceptions.c | 3 +++ + ext/standard/tests/serialize/bug69152.phpt | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 ext/standard/tests/serialize/bug69152.phpt + +diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c +index bf90ae7..1ca2ead 100644 +--- a/Zend/zend_exceptions.c ++++ b/Zend/zend_exceptions.c +@@ -536,6 +536,9 @@ ZEND_METHOD(exception, getTraceAsString) + str = &res; + + trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC); ++ if(Z_TYPE_P(trace) != IS_ARRAY) { ++ RETURN_FALSE; ++ } + zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num); + + s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1); +diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt +new file mode 100644 +index 0000000..4e74168 +--- /dev/null ++++ b/ext/standard/tests/serialize/bug69152.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #69152: Type Confusion Infoleak Vulnerability in unserialize() ++--FILE-- ++test(); ++ ++?> ++--EXPECTF-- ++exception 'Exception' in %s:%d ++Stack trace: ++#0 {main} ++ ++Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-bug69353.patch b/SOURCES/php-5.4.16-bug69353.patch new file mode 100644 index 0000000..299b633 --- /dev/null +++ b/SOURCES/php-5.4.16-bug69353.patch 
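Review bot: The `convert_to_*` calls added to `SoapFault::__toString` convert their zvals in place, and if `faultcode`, `faultstring`, `file` and `line` are the property slots returned by `zend_read_property` (their assignments sit above the hunk, so this is inferred from the names), a single __toString call now rewrites the object's own properties — an array-valued `faultcode` becomes the string "Array" (with a notice) and a string `line` becomes a long — which every later reader of the exception, serialize() included, then sees. Converting a copy keeps the type-confusion fix without that side effect; `zend_make_printable_zval` does exactly that for the string cases and leaves the original untouched when it is already a string, and `line` can go through a local copy. `trace` is left converted in place below because it appears to be the return value of the `zend_call_function` call just above rather than a property — confirm. The function body continues outside the hunk, and with this file's C89 style the new locals belong with the other declarations at the top of the function.
```c
	zval faultcode_copy, faultstring_copy, file_copy, line_copy;
	int faultcode_use_copy, faultstring_use_copy, file_use_copy;
	/* … unchanged: zend_call_function(&fci, NULL TSRMLS_CC); … */
	/* Convert copies, not the property slots: __toString must not rewrite the object's own properties. */
	zend_make_printable_zval(faultcode, &faultcode_copy, &faultcode_use_copy);
	if (faultcode_use_copy) {
		faultcode = &faultcode_copy;
	}
	zend_make_printable_zval(faultstring, &faultstring_copy, &faultstring_use_copy);
	if (faultstring_use_copy) {
		faultstring = &faultstring_copy;
	}
	zend_make_printable_zval(file, &file_copy, &file_use_copy);
	if (file_use_copy) {
		file = &file_copy;
	}
	INIT_PZVAL_COPY(&line_copy, line);
	zval_copy_ctor(&line_copy);
	convert_to_long(&line_copy);
	line = &line_copy;
	convert_to_string(trace);
	/* … unchanged: len = spprintf(...) reading Z_STRVAL_P(faultcode) etc. … */
	if (faultcode_use_copy) {
		zval_dtor(&faultcode_copy);
	}
	if (faultstring_use_copy) {
		zval_dtor(&faultstring_copy);
	}
	if (file_use_copy) {
		zval_dtor(&file_copy);
	}
```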
@@ -0,0 +1,613 @@ +Adapted for 5.4.16 from + +From 52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 16:01:24 -0700 +Subject: [PATCH] Fixed bug #69353 (Missing null byte checks for paths in + various PHP extensions) + +--- + ext/dom/document.c | 5 ++++- + ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 5 +++++ + ext/fileinfo/fileinfo.c | 5 +++++ + ext/fileinfo/tests/finfo_file_basic.phpt | 4 ++++ + ext/gd/gd.c | 8 ++++---- + ext/hash/hash.c | 7 ++++++- + ext/hash/tests/hash_hmac_file_error.phpt | 7 +++++++ + ext/pgsql/pgsql.c | 2 +- + ext/standard/link.c | 2 +- + ext/standard/streamsfuncs.c | 2 +- + ext/xmlwriter/php_xmlwriter.c | 4 ++-- + ext/zlib/zlib.c | 4 ++-- + 12 files changed, 42 insertions(+), 13 deletions(-) + +diff --git a/ext/dom/document.c b/ext/dom/document.c +index 18c9cc6..7c5817a 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -1574,6 +1574,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc + xmlInitParser(); + + if (mode == DOM_LOAD_FILE) { ++ if (CHECK_NULL_PATH(source, source_len)) { ++ return NULL; ++ } + char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (file_dest) { + ctxt = xmlCreateFileParserCtxt(file_dest); +@@ -2165,7 +2165,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ + + id = getThis(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { + return; + } + +diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c +index ead7585..9f651af 100644 +--- a/ext/fileinfo/fileinfo.c ++++ b/ext/fileinfo/fileinfo.c +@@ -506,6 +506,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime + RETVAL_FALSE; + goto clean; + } ++ if (CHECK_NULL_PATH(buffer, 
buffer_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); ++ RETVAL_FALSE; ++ goto clean; ++ } + + wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC); + +diff --git a/ext/fileinfo/tests/finfo_file_basic.phpt b/ext/fileinfo/tests/finfo_file_basic.phpt +index 20223fd..ee70e2e 100644 +--- a/ext/fileinfo/tests/finfo_file_basic.phpt ++++ b/ext/fileinfo/tests/finfo_file_basic.phpt +@@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n"; + var_dump( finfo_file( $finfo, __FILE__) ); + var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); + var_dump( finfo_file( $finfo, $magicFile ) ); ++var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); + + ?> + ===DONE=== +@@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) ); + string(28) "text/x-php; charset=us-ascii" + string(22) "PHP script, ASCII text" + string(25) "text/plain; charset=utf-8" ++ ++Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d ++bool(false) + ===DONE=== +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index cbc1d2b..322325e 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1495,7 +1495,7 @@ PHP_FUNCTION(imageloadfont) + gdFontPtr font; + php_stream *stream; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) { + return; + } + +@@ -2438,7 +2438,7 @@ static void _php_image_create_from(INTER + long ignore_warning; + #endif + if (image_type == PHP_GDIMG_TYPE_GD2PART) { +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { + return; + } + if (width < 1 || height < 1) { +@@ -2446,7 +2446,7 @@ static void _php_image_create_from(INTER + RETURN_FALSE; + } + } else { +- if 
(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { + return; + } + } +@@ -4178,7 +4178,7 @@ PHP_FUNCTION(imagepsencodefont) + char *enc, **enc_vector; + int enc_len, *f_ind; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) { + return; + } + +diff --git a/ext/hash/hash.c b/ext/hash/hash.c +index abdc62b..9cd6b8e 100644 +--- a/ext/hash/hash.c ++++ b/ext/hash/hash.c +@@ -142,6 +142,7 @@ static void php_hash_do_hash(INTERNAL_FU + } + if (isfilename) { + if (CHECK_NULL_PATH(data, data_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETURN_FALSE; + } + stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); +@@ -222,6 +223,10 @@ static void php_hash_do_hash_hmac(INTERN + RETURN_FALSE; + } + if (isfilename) { ++ if (CHECK_NULL_PATH(data, data_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); ++ RETURN_FALSE; ++ } + stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); + if (!stream) { + /* Stream will report errors opening file */ +@@ -449,7 +454,7 @@ PHP_FUNCTION(hash_update_file) + char *filename, buf[1024]; + int filename_len, n; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { + return; + } + +diff --git a/ext/hash/tests/hash_hmac_file_error.phpt b/ext/hash/tests/hash_hmac_file_error.phpt +index 42ab122..26ba8aa 100644 +--- a/ext/hash/tests/hash_hmac_file_error.phpt ++++ b/ext/hash/tests/hash_hmac_file_error.phpt +@@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg); + 
echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n"; + hash_hmac_file('foo', $file, $key, TRUE); + ++echo "\n-- Testing hash_hmac_file() function with bad path --\n"; ++hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); ++ + ?> + ===Done=== + --EXPECTF-- +@@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d + -- Testing hash_hmac_file() function with invalid hash algorithm -- + + Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d ++ ++-- Testing hash_hmac_file() function with bad path -- ++ ++Warning: hash_hmac_file(): Invalid path in %s on line %d + ===Done=== +\ No newline at end of file +diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c +index 7af7e8b..23d55cb 100644 +--- a/ext/pgsql/pgsql.c ++++ b/ext/pgsql/pgsql.c +@@ -2884,7 +2884,7 @@ PHP_FUNCTION(pg_trace) + php_stream *stream; + id = PGG(default_link); + +- if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { ++ if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { + return; + } + +diff --git a/ext/standard/link.c b/ext/standard/link.c +index 0e40a0b..4ed2c5e 100644 +--- a/ext/standard/link.c ++++ b/ext/standard/link.c +@@ -59,7 +59,7 @@ PHP_FUNCTION(readlink) + char buff[MAXPATHLEN]; + int ret; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) { + return; + } + +diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c +index 7ddfc66..4c2837e 100644 +--- a/ext/standard/streamsfuncs.c ++++ b/ext/standard/streamsfuncs.c +@@ -1545,7 +1545,7 @@ PHP_FUNCTION(stream_resolve_include_path) + char *filename, *resolved_path; + int filename_len; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, 
&filename_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) { + return; + } + +diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c +index 206d82a..7a650e2 100644 +--- a/ext/xmlwriter/php_xmlwriter.c ++++ b/ext/xmlwriter/php_xmlwriter.c +@@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity) + /* }}} */ + #endif + +-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source) ++/* {{{ proto resource xmlwriter_open_uri(string source) + Create new xmlwriter using source uri for output */ + static PHP_FUNCTION(xmlwriter_open_uri) + { +@@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri) + void *ioctx; + #endif + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) { + return; + } + +diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c +index d70198c..ec958e1 100644 +--- a/ext/zlib/zlib.c ++++ b/ext/zlib/zlib.c +@@ -581,7 +581,7 @@ static PHP_FUNCTION(gzopen) + php_stream *stream; + long use_include_path = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { + return; + } + +@@ -609,7 +609,7 @@ static PHP_FUNCTION(readgzfile) + int size; + long use_include_path = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) { + return; + } + +-- +2.1.4 + +From 1defbb25ed69e7a1a90e2bcb2ee3b9190ea06577 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 12 Apr 2015 00:56:02 -0700 +Subject: 
[PATCH] Fix test + +--- + ext/standard/tests/file/readlink_variation1.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/tests/file/readlink_variation1.phpt b/ext/standard/tests/file/readlink_variation1.phpt +index 1dae17c..d4f1a5f 100644 +--- a/ext/standard/tests/file/readlink_variation1.phpt ++++ b/ext/standard/tests/file/readlink_variation1.phpt +@@ -65,7 +65,7 @@ bool(false) + Warning: readlink(): %s in %s on line %d + bool(false) + +-Warning: readlink() expects parameter 1 to be string, resource given in %s on line %d ++Warning: readlink() expects parameter 1 to be a valid path, resource given in %s on line %d + NULL + + Warning: readlink(): %s in %s on line %d +-- +2.1.4 + +From a643ccfb90750e0d830106588d2a46af87706b5b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 12 Apr 2015 20:53:09 -0700 +Subject: [PATCH] Fix tests + +--- + ext/gd/tests/imageloadfont_error1.phpt | 6 +++--- + ext/zlib/tests/gzopen_variation1.phpt | 28 ++++++++++++++-------------- + ext/zlib/tests/readgzfile_variation1.phpt | 10 +++++----- + ext/zlib/tests/readgzfile_variation6.phpt | 4 ++-- + 4 files changed, 24 insertions(+), 24 deletions(-) + +diff --git a/ext/gd/tests/imageloadfont_error1.phpt b/ext/gd/tests/imageloadfont_error1.phpt +index 16d1a3c..418bbf3 100644 +--- a/ext/gd/tests/imageloadfont_error1.phpt ++++ b/ext/gd/tests/imageloadfont_error1.phpt +@@ -3,7 +3,7 @@ Testing that imageloadfont() breaks on non-string first parameter + --CREDITS-- + Neveo Harrison #testfest #tek11 + --SKIPIF-- +- + --FILE-- +@@ -11,5 +11,5 @@ Neveo Harrison #testfest #tek11 + var_dump( imageloadfont(array()) ); + ?> + --EXPECTF-- +-Warning: imageloadfont() expects parameter 1 to be string, array given in %s on line %d +-NULL +\ No newline at end of file ++Warning: imageloadfont() expects parameter 1 to be a valid path, array given in %s on line %d ++NULL +diff --git a/ext/zlib/tests/gzopen_variation1.phpt b/ext/zlib/tests/gzopen_variation1.phpt 
+index c5a47f4..bca48f3 100644 +--- a/ext/zlib/tests/gzopen_variation1.phpt ++++ b/ext/zlib/tests/gzopen_variation1.phpt +@@ -1,17 +1,17 @@ + --TEST-- +-Test gzopen() function : usage variation ++Test gzopen() function : usage variation + --SKIPIF-- +- + --FILE-- + @$unset_var, +- ++ + // resource variable +- 'resource' => $fp ++ 'resource' => $fp + ); + + // loop through each element of the array for filename +@@ -158,19 +158,19 @@ Error: 2 - gzopen(0.5): failed to open stream: No such file or directory, %s(%d) + bool(false) + + --empty array-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --int indexed array-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --associative array-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --nested arrays-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --uppercase NULL-- +@@ -210,7 +210,7 @@ Error: 2 - gzopen(Class A object): failed to open stream: No such file or direct + bool(false) + + --instance of classWithoutToString-- +-Error: 2 - gzopen() expects parameter 1 to be string, object given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, object given, %s(%d) + NULL + + --undefined var-- +@@ -222,7 +222,7 @@ Error: 2 - gzopen(): Filename cannot be empty, %s(%d) + bool(false) + + --resource-- +-Error: 2 - gzopen() expects parameter 1 to be string, resource given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, resource given, %s(%d) + NULL + ===DONE=== + +diff --git 
a/ext/zlib/tests/readgzfile_variation1.phpt b/ext/zlib/tests/readgzfile_variation1.phpt +index 5a5ec4f..5d9b639 100644 +--- a/ext/zlib/tests/readgzfile_variation1.phpt ++++ b/ext/zlib/tests/readgzfile_variation1.phpt +@@ -29,15 +29,15 @@ foreach ( $variation as $var ) { + ===DONE=== + --EXPECTF-- + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL +-===DONE=== +\ No newline at end of file ++===DONE=== +diff --git a/ext/zlib/tests/readgzfile_variation6.phpt b/ext/zlib/tests/readgzfile_variation6.phpt +index 702f918..9fcea02 100644 +--- a/ext/zlib/tests/readgzfile_variation6.phpt ++++ b/ext/zlib/tests/readgzfile_variation6.phpt +@@ -45,5 +45,5 @@ foreach ( $variation as $var ) { + --EXPECTF-- + Error: 2 - readgzfile(Class A object): failed to open stream: No such file or directory, %s(%d) + bool(false) +-Error: 2 - readgzfile() expects parameter 1 to be string, object given, %s(%d) +-NULL +\ No newline at end of file ++Error: 2 - readgzfile() expects parameter 1 to be a valid path, object given, %s(%d) ++NULL +-- +2.1.4 + +From f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 May 2015 22:47:52 -0700 +Subject: [PATCH] Fix #69719 - more checks for nulls in paths + +--- + ext/dom/document.c | 22 +++++++++++++++++----- + 
ext/gd/gd.c | 16 ++++++++-------- + 2 files changed, 25 insertions(+), 13 deletions(-) + +diff --git a/ext/dom/document.c b/ext/dom/document.c +index 48a19dd..097fcba 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -1754,7 +1754,7 @@ PHP_FUNCTION(dom_document_save) + char *file; + long options = 0; + +- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { + return; + } + +@@ -1983,7 +1983,7 @@ static void _dom_document_schema_validat + int is_valid; + char resolved_path[MAXPATHLEN + 1]; + +- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { + return; + } + +@@ -1996,6 +1996,10 @@ static void _dom_document_schema_validat + + switch (type) { + case DOM_LOAD_FILE: ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); ++ RETURN_FALSE; ++ } + valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (!valid_file) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); +@@ -2072,7 +2076,7 @@ static void _dom_document_relaxNG_valida + int is_valid; + char resolved_path[MAXPATHLEN + 1]; + +- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { + return; + } + +@@ -2085,6 +2089,10 @@ static void 
_dom_document_relaxNG_valida + + switch (type) { + case DOM_LOAD_FILE: ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); ++ RETURN_FALSE; ++ } + valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (!valid_file) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); +@@ -2165,7 +2173,7 @@ static void dom_load_html(INTERNAL_FUNCT + + id = getThis(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { + return; + } + +@@ -2175,6 +2183,10 @@ static void dom_load_html(INTERNAL_FUNCT + } + + if (mode == DOM_LOAD_FILE) { ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source"); ++ RETURN_FALSE; ++ } + ctxt = htmlCreateFileParserCtxt(source, NULL); + } else { + source_len = xmlStrlen(source); +@@ -2263,7 +2275,7 @@ PHP_FUNCTION(dom_document_save_html_file + char *file; + const char *encoding; + +- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { + return; + } + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index d258c3d..e527575 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1790,7 +1790,7 @@ PHP_FUNCTION(imagefilledarc) + long cx, cy, w, h, ST, E, col, style; + gdImagePtr im; + int e, st; +- ++ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) { + return; + } +@@ -2033,7 +2033,7 @@ PHP_FUNCTION(imagegrabwindow) + if ( handle == 0 ) { + goto clean; + } +- pPrintWindow = (tPrintWindow) GetProcAddress(handle, 
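Review bot: In dom_load_html the parse spec is relaxed from "p|l" to "s|l", so a string source may now contain embedded NUL bytes, and the DOM_LOAD_STRING branch then recomputes `source_len = xmlStrlen(source);`, which stops at the first NUL; content after it is silently dropped rather than rejected, while only the DOM_LOAD_FILE branch receives the new CHECK_NULL_PATH guard. If that is the intended behaviour (it reads like a deliberate relaxation so that string input is no longer refused), a comment on the else branch such as `/* string source: xmlStrlen() stops at the first NUL, anything past it is not parsed */` would record it for the next reader. The same "p"→"s" plus file-branch-only CHECK_NULL_PATH pattern is applied to _dom_document_schema_validate and _dom_document_relaxNG_validate in the hunks above, where the string branch is not visible. dom_load_html's body starts and ends outside the hunk.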
"PrintWindow"); ++ pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow"); + + if ( pPrintWindow ) { + pPrintWindow(window, memDC, (UINT) client_area); +@@ -3984,7 +3984,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int + if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) { + continue; + } +- ++ + if (strcmp("linespacing", key) == 0) { + convert_to_double_ex(item); + strex.flags |= gdFTEX_LINESPACE; +@@ -4006,7 +4006,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int + #endif + + PHP_GD_CHECK_OPEN_BASEDIR(fontname, "Invalid font filename"); +- ++ + #ifdef USE_GD_IMGSTRTTF + # if HAVE_GD_STRINGFTEX + if (extended) { +@@ -4071,7 +4071,7 @@ PHP_FUNCTION(imagepsloadfont) + struct stat st; + #endif + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { + return; + } + +@@ -4411,11 +4411,11 @@ PHP_FUNCTION(imagepsbbox) + if (argc != 3 && argc != 6) { + ZEND_WRONG_PARAM_COUNT(); + } +- ++ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) { + return; + } +- ++ + if (argc == 6) { + space = sp; + add_width = wd; +@@ -4600,7 +4600,7 @@ static void _php_image_convert(INTERNAL_FUNCTION_PARAMETERS, int image_type ) + #ifdef HAVE_GD_JPG + long ignore_warning; + #endif +- ++ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pplll", &f_org, &f_org_len, &f_dest, &f_dest_len, &height, &width, &threshold) == FAILURE) { + return; + } +-- +2.1.4 diff --git a/SPECS/php.spec b/SPECS/php.spec index 2b479ff..bc9767a 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec 
@@ -62,13 +62,14 @@ %global db_devel libdb-devel %endif +%global _performance_build 1 + #global rcver RC2 Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.16 -# Only odd release to avoid conflicts with even release used by php54 SCL -Release: 23%{?dist}.3 +Release: 36%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -106,6 +107,12 @@ Patch24: php-5.4.16-fpm.patch # https://bugs.php.net/65143 php-cgi man page # https://bugs.php.net/65142 phar man page Patch25: php-5.4.16-man.patch +# https://bugs.php.net/66987 fileinfo / bigendian +Patch26: php-5.4.16-bug66987.patch +# https://bugs.php.net/50444 pdo_odbc / x86_64 +Patch27: php-5.4.16-bug50444.patch +# https://bugs.php.net/63595 gmp memory allocator +Patch28: php-5.4.16-bug63595.patch # Functional changes Patch40: php-5.4.0-dlopen.patch @@ -121,6 +128,8 @@ Patch45: php-5.4.8-ldap_r.patch Patch46: php-5.4.9-fixheader.patch # drop "Configure command" from phpinfo output Patch47: php-5.4.9-phpinfo.patch +# Fix php_select on aarch64 (http://bugs.php.net/67406) +Patch48: php-5.4.16-aarch64-select.patch # Fixes for tests Patch60: php-5.4.16-pdotests.patch 
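Review bot: `%global _performance_build 1` is added with no comment explaining its purpose, while the `%ifarch ppc64` / `CFLAGS="$CFLAGS -O3"` block is removed in a later hunk and the changelog entry for 5.4.16-25 says "compile php with -O3 on ppc64le (#1123499)"; nothing in the spec ties the three together. Suggest a comment above the macro along the lines of `# -O3 build; replaces the ppc64-only CFLAGS override (#1123499)`, assuming this macro is indeed what now drives that flag. The removed comment about using only odd release numbers to avoid clashing with the php54 SCL is not replaced, yet releases 34, 35 and 36 are even; if that conflict still applies, the change of policy deserves a line in the changelog.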
@@ -154,6 +163,27 @@ Patch126: php-5.4.16-CVE-2014-3668.patch Patch127: php-5.4.16-CVE-2014-3669.patch Patch128: php-5.4.16-CVE-2014-3670.patch Patch129: php-5.4.16-CVE-2014-3710.patch +Patch130: php-5.4.16-CVE-2014-8142.patch +Patch131: php-5.4.16-CVE-2015-0231.patch +Patch132: php-5.4.16-CVE-2015-0232.patch +Patch133: php-5.4.16-CVE-2014-9652.patch +Patch134: php-5.4.16-CVE-2014-9709.patch +Patch135: php-5.4.16-CVE-2015-0273.patch +Patch136: php-5.4.16-CVE-2014-9705.patch +Patch137: php-5.4.16-CVE-2015-2301.patch +Patch138: php-5.4.16-bug69085.patch +Patch139: php-5.4.16-CVE-2015-2787.patch +Patch140: php-5.4.16-CVE-2015-2348.patch +Patch145: php-5.4.16-CVE-2015-4022.patch +Patch146: php-5.4.16-CVE-2015-4021.patch +Patch147: php-5.4.16-CVE-2015-4024.patch +Patch148: php-5.4.16-CVE-2015-4025.patch +Patch149: php-5.4.16-CVE-2015-3330.patch +Patch150: php-5.4.16-bug69353.patch +Patch151: php-5.4.16-CVE-2015-2783.patch +Patch152: php-5.4.16-CVE-2015-3329.patch +Patch153: php-5.4.16-bug68819.patch +Patch154: php-5.4.16-bug69152.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel @@ -645,6 +675,9 @@ support for using the enchant library to PHP. %patch23 -p1 -b .gc %patch24 -p1 -b .fpm %patch25 -p1 -b .manpages +%patch26 -p1 -b .bug66987 +%patch27 -p1 -b .bug50444 +%patch28 -p1 -b .bug63595 %patch40 -p1 -b .dlopen %patch41 -p1 -b .easter @@ -658,6 +691,7 @@ support for using the enchant library to PHP. %endif %patch46 -p1 -b .fixheader %patch47 -p1 -b .phpinfo +%patch48 -p1 -b .aarch64select %patch60 -p1 -b .pdotests 
@@ -689,6 +723,28 @@ support for using the enchant library to PHP. %patch127 -p1 -b .cve3669 %patch128 -p1 -b .cve3670 %patch129 -p1 -b .cve3710 +%patch130 -p1 -b .cve8142 +%patch131 -p1 -b .cve0231 +%patch132 -p1 -b .cve0232 +%patch133 -p1 -b .cve9652 +%patch134 -p1 -b .cve9709 +%patch135 -p1 -b .cve0273 +%patch136 -p1 -b .cve9705 +%patch137 -p1 -b .cve2301 +%patch138 -p1 -b .bug68095 +%patch139 -p1 -b .cve2787 +%patch140 -p1 -b .cve2348 +%patch145 -p1 -b .cve4022 +%patch146 -p1 -b .cve4021 +%patch147 -p1 -b .cve4024 +%patch148 -p1 -b .cve4025 +%patch149 -p1 -b .cve3330 +%patch150 -p1 -b .bug69353 +%patch151 -p1 -b .cve2783 +%patch152 -p1 -b .cve3329 +%patch153 -p1 -b .bug68819 +%patch154 -p1 -b .bug69152 + # Prevent %%doc confusion over LICENSE files cp Zend/LICENSE Zend/ZEND_LICENSE @@ -812,9 +868,6 @@ touch configure.in ./buildconf --force CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -Wno-pointer-sign" -%ifarch ppc64 -CFLAGS="$CFLAGS -O3" -%endif export CFLAGS # Install extension modules in %{_libdir}/php/modules. 
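Review bot: The backup suffix in `%patch138 -p1 -b .bug68095` transposes the bug number; the patch declared in the earlier hunk is `Patch138: php-5.4.16-bug69085.patch`, and every neighbouring line derives its suffix from the patch name. The suffix only names the backup copies patch(1) leaves behind, but anyone matching those files to bug ids will be sent to the wrong report; change it to `%patch138 -p1 -b .bug69085`.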
@@ -1462,15 +1515,58 @@ fi %changelog -* Thu Oct 23 2014 Jan Kaluza - 5.4.16-23.3 +* Wed Jun 10 2015 Remi Collet - 5.4.16-36 +- fix more functions accept paths with NUL character #1213407 + +* Fri Jun 5 2015 Remi Collet - 5.4.16-35 +- core: fix multipart/form-data request can use excessive + amount of CPU usage CVE-2015-4024 +- fix various functions accept paths with NUL character + CVE-2015-4025, CVE-2015-4026, #1213407 +- fileinfo: fix denial of service when processing a crafted + file #1213442 +- ftp: fix integer overflow leading to heap overflow when + reading FTP file listing CVE-2015-4022 +- phar: fix buffer over-read in metadata parsing CVE-2015-2783 +- phar: invalid pointer free() in phar_tar_process_metadata() + CVE-2015-3307 +- phar: fix buffer overflow in phar_set_inode() CVE-2015-3329 +- phar: fix memory corruption in phar_parse_tarfile caused by + empty entry file name CVE-2015-4021 +- soap: fix type confusion through unserialize #1222538 +- apache2handler: fix pipelined request executed in deinitialized + interpreter under httpd 2.4 CVE-2015-3330 + +* Thu Apr 16 2015 Remi Collet - 5.4.16-34 +- fix memory corruption in fileinfo module on big endian + machines #1082624 +- fix segfault in pdo_odbc on x86_64 #1159892 +- fix segfault in gmp allocator #1154760 + +* Fri Apr 10 2015 Remi Collet - 5.4.16-33 +- core: use after free vulnerability in unserialize() + CVE-2014-8142 and CVE-2015-0231 +- core: fix use-after-free in unserialize CVE-2015-2787 +- core: fix NUL byte injection in file name argument of + move_uploaded_file() CVE-2015-2348 +- date: use after free vulnerability in unserialize CVE-2015-0273 +- enchant: fix heap buffer overflow in enchant_broker_request_dict + CVE-2014-9705 +- exif: free called on unitialized pointer CVE-2015-0232 +- fileinfo: fix out of bounds read in mconvert CVE-2014-9652 +- gd: fix buffer read overflow in gd_gif_in.c CVE-2014-9709 +- phar: use after free in phar_object.c CVE-2015-2301 +- soap: fix type confusion through 
unserialize + +* Thu Oct 23 2014 Jan Kaluza - 5.4.16-31 - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710 -* Tue Oct 21 2014 Remi Collet - 5.4.16-23.2 +* Tue Oct 21 2014 Remi Collet - 5.4.16-29 - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668 - core: fix integer overflow in unserialize() CVE-2014-3669 - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670 -* Thu Sep 11 2014 Remi Collet - 5.4.16-23.1 +* Fri Sep 12 2014 Remi Collet - 5.4.16-27 - gd: fix NULL pointer dereference in gdImageCreateFromXpm(). CVE-2014-2497 - gd: fix NUL byte injection in file names. CVE-2014-5120 @@ -1486,6 +1582,11 @@ fi - network: fix segfault in dns_get_record (incomplete fix for CVE-2014-4049). CVE-2014-3597 + +* Thu Aug 21 2014 Jan Kaluza - 5.4.16-25 +- fix segfault after startup on aarch64 (#1107567) +- compile php with -O3 on ppc64le (#1123499) + * Fri Jun 13 2014 Remi Collet - 5.4.16-23 - fileinfo: cdf_unpack_summary_info() excessive looping DoS. CVE-2014-0237