From 8d87dc7113e1c756c4ddb82ef393ae85c2eeb6bb Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2016 06:07:09 +0000 Subject: import php-5.4.16-42.el7 --- diff --git a/SOURCES/php-5.4.16-CVE-2016-5399.patch b/SOURCES/php-5.4.16-CVE-2016-5399.patch new file mode 100644 index 0000000..dcbce86 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2016-5399.patch @@ -0,0 +1,47 @@ +Adapted for 5.4, binary patch removed, from: + + +From f3feddb5b45b5abd93abb1a95044b7e099d51c84 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 18 Jul 2016 22:20:45 -0700 +Subject: [PATCH] Partial fix for bug #72613 - do not treat negative returns + from bz2 as size_t + +--- + ext/bz2/bz2.c | 80 +++++++++++++++++++++++--------------------- + ext/bz2/tests/72613.bz2 | Bin 0 -> 351 bytes + ext/bz2/tests/bug72613.phpt | 23 +++++++++++++ + 3 files changed, 65 insertions(+), 38 deletions(-) + create mode 100644 ext/bz2/tests/72613.bz2 + create mode 100644 ext/bz2/tests/bug72613.phpt + +diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c +index de3250e..7cfcaa8 100644 +--- a/ext/bz2/bz2.c ++++ b/ext/bz2/bz2.c +@@ -137,16 +137,20 @@ struct php_bz2_stream_data_t { + static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) + { + struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *) stream->abstract; +- size_t ret; +- +- ret = BZ2_bzread(self->bz_file, buf, count); ++ int bz2_ret; ++ ++ bz2_ret = BZ2_bzread(self->bz_file, buf, count); + +- if (ret == 0) { ++ if (bz2_ret < 0) { ++ stream->eof = 1; ++ return -1; ++ } ++ if (bz2_ret == 0) { + stream->eof = 1; + } + +- return ret; ++ return (size_t)bz2_ret; + } + + static size_t php_bz2iop_write(php_stream *stream, const char *buf, size_t count TSRMLS_DC) + { diff --git a/SOURCES/php-5.4.16-CVE-2016-5766.patch b/SOURCES/php-5.4.16-CVE-2016-5766.patch new file mode 100644 index 0000000..d7f83d5 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2016-5766.patch 
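Review bot: In php_bz2iop_read the new `int bz2_ret` handles a negative BZ2_bzread result, but the `size_t count` parameter is still handed straight to BZ2_bzread, whose length argument is an int, so a request above INT_MAX would be truncated or go negative before the call and the added check would then be reacting to a caller bug rather than a decompression error; in practice the stream layer passes bounded chunk sizes, but nothing in this function enforces it, and `bz2_ret = BZ2_bzread(self->bz_file, buf, count > INT_MAX ? INT_MAX : (int)count);` closes that gap. The `return -1;` in a size_t-returning function relies on the stream layer recognising (size_t)-1 as an error rather than a length, which is not visible here and deserves a comment at that line, e.g. `/* (size_t)-1 signals a read error to the stream layer; never a byte count */`.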
@@ -0,0 +1,94 @@ +Backported from 5.5.37 for 5.4.16 + +From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Sat, 18 Jun 2016 20:15:10 +0200 +Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow + +From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 20 Jun 2016 22:54:55 -0700 +Subject: [PATCH] fix tests + +From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Tue, 21 Jun 2016 09:42:38 +0200 +Subject: [PATCH] remove the huge test file, generate it on the fly instead + + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index 6726fee..63e3aef 100644 +--- php-5.4.16/ext/gd/libgd/gd_gd2.c.cve5766 2016-08-01 14:11:08.481345064 +0200 ++++ php-5.4.16/ext/gd/libgd/gd_gd2.c 2016-08-01 14:15:39.679591854 +0200 +@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, + if (gd2_compressed(*fmt)) { + nc = (*ncx) * (*ncy); + GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); ++ if (overflow2(sizeof(t_chunk_info), nc)) { ++ goto fail1; ++ } + sidx = sizeof(t_chunk_info) * nc; + if (sidx <= 0) { + goto fail1; + } + cidx = gdCalloc(sidx, 1); ++ if (cidx == NULL) { ++ goto fail1; ++ } ++ + for (i = 0; i < nc; i++) { + if (gdGetInt(&cidx[i].offset, in) != 1) { + goto fail1; +diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt +new file mode 100644 +index 0000000..763ae71 +--- /dev/null ++++ b/ext/gd/tests/bug72339.phpt +@@ -0,0 +1,11 @@ ++--TEST-- ++Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully ++ in %sbug72339.php on line %d ++ ++Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d + +diff --git 
a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt +index 763ae71..2c30ee8 100644 +--- a/ext/gd/tests/bug72339.phpt ++++ b/ext/gd/tests/bug72339.phpt +@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow + --SKIPIF-- + + --FILE-- +- ++ + --EXPECTF-- + Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %sbug72339.php on line %d diff --git a/SOURCES/php-5.4.16-CVE-2016-5767.patch b/SOURCES/php-5.4.16-CVE-2016-5767.patch new file mode 100644 index 0000000..1990705 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2016-5767.patch @@ -0,0 +1,30 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 20 Jun 2016 23:58:26 -0700 +Subject: [PATCH] iFixed bug #72446 - Integer Overflow in + gdImagePaletteToTrueColor() resulting in heap overflow + +--- + NEWS | 2 ++ + ext/gd/libgd/gd.c | 22 +++++++++++++--------- + 2 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c +index 2c63aac..4dad95a 100644 +--- a/ext/gd/libgd/gd.c ++++ b/ext/gd/libgd/gd.c +@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy) + return NULL; + } + ++ if (overflow2(sizeof(unsigned char *), sx)) { ++ return NULL; ++ } ++ + im = (gdImage *) gdCalloc(1, sizeof(gdImage)); + + /* Row-major ever since gd 1.3 */ + diff --git a/SOURCES/php-5.4.16-CVE-2016-5768.patch b/SOURCES/php-5.4.16-CVE-2016-5768.patch new file mode 100644 index 0000000..5e7243f --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2016-5768.patch 
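Review bot: The added overflow2 guard in _gd2GetHeader protects `sizeof(t_chunk_info) * nc`, but `nc = (*ncx) * (*ncy);` two lines earlier is still an unchecked int multiplication, so a chunk-count pair large enough to wrap (presumably read from the file header earlier in the function, outside this hunk) reaches the guard already corrupted, and the later `sidx <= 0` test only catches the cases where the wrapped value happens to be non-positive. Adding `if (overflow2(*ncx, *ncy)) { goto fail1; }` immediately before the product makes the rest of the check sound. The enclosing function begins and ends outside the hunk.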
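Review bot: The retained upstream diffstat claims 22 changed lines in gd.c and the subject names gdImagePaletteToTrueColor(), yet this backport carries only the four-line guard in gdImageCreate; the preamble line `Backported from 5.5.37 for 5.4 by Remi Collet` should add that the remaining hunk was dropped (presumably because that function is not present in 5.4) so a reader does not assume part of the fix went missing. The guard checks `sx` alone; if the row-pointer array allocated below the hunk is sized by `sy`, a matching `if (overflow2(sizeof(unsigned char *), sy)) { return NULL; }` would be needed as well, but that allocation is outside what is shown here.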
@@ -0,0 +1,284 @@ +From 5b597a2e5b28e2d5a52fc1be13f425f08f47cb62 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 18 Jun 2016 21:48:39 -0700 +Subject: [PATCH] Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free + +--- + ext/mbstring/php_mbregex.c | 65 ++++++++++++++++++++-------------------- + ext/mbstring/tests/bug72402.phpt | 17 +++++++++++ + 2 files changed, 49 insertions(+), 33 deletions(-) + create mode 100644 ext/mbstring/tests/bug72402.phpt + +diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c +index d73c848..6cdee23 100644 +--- a/ext/mbstring/php_mbregex.c ++++ b/ext/mbstring/php_mbregex.c +@@ -32,7 +32,7 @@ + #include "ext/standard/info.h" + #include "php_mbregex.h" + #include "mbstring.h" +- ++ + #include "php_onig_compat.h" /* must come prior to the oniguruma header */ + #include + #undef UChar +@@ -55,7 +55,7 @@ struct _zend_mb_regex_globals { + #define MBREX(g) (MBSTRG(mb_regex_globals)->g) + + /* {{{ static void php_mb_regex_free_cache() */ +-static void php_mb_regex_free_cache(php_mb_regex_t **pre) ++static void php_mb_regex_free_cache(php_mb_regex_t **pre) + { + onig_free(*pre); + } +@@ -78,7 +78,7 @@ static int _php_mb_regex_globals_ctor(zend_mb_regex_globals *pglobals TSRMLS_DC) + /* }}} */ + + /* {{{ _php_mb_regex_globals_dtor */ +-static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC) ++static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC) + { + zend_hash_destroy(&pglobals->ht_rc); + } +@@ -466,7 +466,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl + retval = *rc; + } + out: +- return retval; ++ return retval; + } + /* }}} */ + +@@ -483,7 +483,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = 'i'; + } +- ++len_req; ++ ++len_req; + } + + if ((option & ONIG_OPTION_EXTEND) != 0) { +@@ -491,7 +491,7 @@ static size_t _php_mb_regex_get_option_string(char 
*str, size_t len, OnigOptionT + --len_left; + *(p++) = 'x'; + } +- ++len_req; ++ ++len_req; + } + + if ((option & (ONIG_OPTION_MULTILINE | ONIG_OPTION_SINGLELINE)) == +@@ -500,14 +500,14 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = 'p'; + } +- ++len_req; ++ ++len_req; + } else { + if ((option & ONIG_OPTION_MULTILINE) != 0) { + if (len_left > 0) { + --len_left; + *(p++) = 'm'; + } +- ++len_req; ++ ++len_req; + } + + if ((option & ONIG_OPTION_SINGLELINE) != 0) { +@@ -515,22 +515,22 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = 's'; + } +- ++len_req; ++ ++len_req; + } +- } ++ } + if ((option & ONIG_OPTION_FIND_LONGEST) != 0) { + if (len_left > 0) { + --len_left; + *(p++) = 'l'; + } +- ++len_req; ++ ++len_req; + } + if ((option & ONIG_OPTION_FIND_NOT_EMPTY) != 0) { + if (len_left > 0) { + --len_left; + *(p++) = 'n'; + } +- ++len_req; ++ ++len_req; + } + + c = 0; +@@ -566,7 +566,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = '\0'; + } +- ++len_req; ++ ++len_req; + if (len < len_req) { + return len_req; + } +@@ -577,11 +577,11 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + + /* {{{ _php_mb_regex_init_options */ + static void +-_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval) ++_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval) + { + int n; + char c; +- int optm = 0; ++ int optm = 0; + + *syntax = ONIG_SYNTAX_RUBY; + +@@ -636,13 +636,13 @@ _php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, O + *syntax = ONIG_SYNTAX_POSIX_EXTENDED; + break; + case 'e': +- if (eval != NULL) *eval = 1; ++ if (eval != NULL) *eval = 1; + break; + default: + break; + } + } +- if (option != NULL) *option|=optm; ++ 
if (option != NULL) *option|=optm; + } + } + /* }}} */ +@@ -860,11 +860,11 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + } else { + /* FIXME: this code is not multibyte aware! */ + convert_to_long_ex(arg_pattern_zval); +- pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval); ++ pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval); + pat_buf[1] = '\0'; + + arg_pattern = pat_buf; +- arg_pattern_len = 1; ++ arg_pattern_len = 1; + } + /* create regex pattern buffer */ + re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, options, MBREX(current_mbctype), syntax TSRMLS_CC); +@@ -934,7 +934,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + } + } + } +- ++ + if (eval) { + zval v; + /* null terminate buffer */ +@@ -953,32 +953,31 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + eval_buf.len = 0; + zval_dtor(&v); + } else if (is_callable) { +- zval *retval_ptr; ++ zval *retval_ptr = NULL; + zval **args[1]; + zval *subpats; + int i; +- ++ + MAKE_STD_ZVAL(subpats); + array_init(subpats); +- ++ + for (i = 0; i < regs->num_regs; i++) { + add_next_index_stringl(subpats, string + regs->beg[i], regs->end[i] - regs->beg[i], 1); +- } +- ++ } ++ + args[0] = &subpats; + /* null terminate buffer */ + smart_str_0(&eval_buf); +- ++ + arg_replace_fci.param_count = 1; + arg_replace_fci.params = args; + arg_replace_fci.retval_ptr_ptr = &retval_ptr; +- if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) { ++ if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) { + convert_to_string_ex(&retval_ptr); + smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr)); + eval_buf.len = 0; + zval_ptr_dtor(&retval_ptr); + } else { +- efree(description); + if (!EG(exception)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Unable to call custom replacement function"); + } +@@ -991,7 +990,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + pos = (OnigUChar *)string + n; + } else { + if (pos < string_lim) { +- smart_str_appendl(&out_buf, pos, 1); ++ smart_str_appendl(&out_buf, pos, 1); + } + pos++; + } +@@ -1013,7 +1012,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + smart_str_free(&eval_buf); + + if (err <= -2) { +- smart_str_free(&out_buf); ++ smart_str_free(&out_buf); + RETVAL_FALSE; + } else { + smart_str_appendc(&out_buf, '\0'); +@@ -1063,7 +1062,7 @@ PHP_FUNCTION(mb_split) + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) { + RETURN_FALSE; +- } ++ } + + if (count > 0) { + count--; +@@ -1317,7 +1316,7 @@ PHP_FUNCTION(mb_ereg_search_init) + if (zend_parse_parameters(argc TSRMLS_CC, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) { + return; + } +- ++ + if (argc > 1 && arg_pattern_len == 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty pattern"); + RETURN_FALSE; +@@ -1416,7 +1415,7 @@ PHP_FUNCTION(mb_ereg_search_setpos) + /* }}} */ + + /* {{{ php_mb_regex_set_options */ +-static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC) ++static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC) + { + if (prev_options != NULL) { + *prev_options = MBREX(regex_default_options); +diff --git a/ext/mbstring/tests/bug72402.phpt b/ext/mbstring/tests/bug72402.phpt +new file mode 100644 +index 0000000..abb290b +--- /dev/null ++++ b/ext/mbstring/tests/bug72402.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72402: _php_mb_regex_ereg_replace_exec - double free ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE 
++--EXPECT-- ++DONE +\ No newline at end of file diff --git a/SOURCES/php-5.4.16-bug66762.patch b/SOURCES/php-5.4.16-bug66762.patch new file mode 100644 index 0000000..eb5bffc --- /dev/null +++ b/SOURCES/php-5.4.16-bug66762.patch 
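Review bot: The functional fix in _php_mb_regex_ereg_replace_exec amounts to three lines — `zval *retval_ptr = NULL;`, the added `&& retval_ptr` in the zend_call_function condition, and the removed `efree(description);` — but they travel with roughly twenty hunks that only strip trailing whitespace, which hides the security-relevant change and widens the conflict surface of the backport against the 5.4 tree; trimming the patch to the hunk at line 953 would make it reviewable at a glance. Whether `description` is released on the error path later in the function cannot be confirmed from this hunk, so a one-line comment where the efree was removed, stating where the single release now happens, would record the ownership rule the double free violated.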
@@ -0,0 +1,137 @@ +From 9137acc7ecdf1542fe6fda5056a0273359682735 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 27 Feb 2014 08:45:16 +0100 +Subject: [PATCH] Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when + link closed + +Each new mysqli_stmt now increase the refcount of the link object. +So the link is really destroy after all statements. + +Only implemented with libmysqlclient, as mysqlnd already implement +this internally. + +So, libmysqlclient and mysqlnd have the same behavior. +--- + ext/mysqli/mysqli.c | 9 ++++++++- + ext/mysqli/mysqli_api.c | 8 ++++++++ + ext/mysqli/php_mysqli_structs.h | 4 ++++ + 3 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c +index 4e4ed5b..cbeb183 100644 +--- a/ext/mysqli/mysqli.c ++++ b/ext/mysqli/mysqli.c +@@ -176,8 +176,11 @@ void php_clear_stmt_bind(MY_STMT *stmt TSRMLS_DC) + php_free_stmt_bind_buffer(stmt->param, FETCH_SIMPLE); + /* Clean output bind */ + php_free_stmt_bind_buffer(stmt->result, FETCH_RESULT); +-#endif + ++ if (stmt->link_handle) { ++ zend_objects_store_del_ref_by_handle(stmt->link_handle TSRMLS_CC); ++ } ++#endif + if (stmt->query) { + efree(stmt->query); + } +@@ -1055,6 +1058,10 @@ PHP_FUNCTION(mysqli_stmt_construct) + efree(stmt); + RETURN_FALSE; + } ++#ifndef MYSQLI_USE_MYSQLND ++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link); ++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC); ++#endif + + mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE)); + mysqli_resource->ptr = (void *)stmt; +diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c +index 1dbff87..0b28a43 100644 +--- a/ext/mysqli/mysqli_api.c ++++ b/ext/mysqli/mysqli_api.c +@@ -1840,6 +1840,10 @@ PHP_FUNCTION(mysqli_prepare) + efree(stmt); + RETURN_FALSE; + } ++#ifndef MYSQLI_USE_MYSQLND ++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link); ++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC); ++#endif + + 
mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE)); + mysqli_resource->ptr = (void *)stmt; +@@ -2368,6 +2372,10 @@ PHP_FUNCTION(mysqli_stmt_init) + efree(stmt); + RETURN_FALSE; + } ++#ifndef MYSQLI_USE_MYSQLND ++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link); ++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC); ++#endif + + mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE)); + mysqli_resource->status = MYSQLI_STATUS_INITIALIZED; +diff --git a/ext/mysqli/php_mysqli_structs.h b/ext/mysqli/php_mysqli_structs.h +index d652592..d2fb34b 100644 +--- a/ext/mysqli/php_mysqli_structs.h ++++ b/ext/mysqli/php_mysqli_structs.h +@@ -116,6 +116,10 @@ typedef struct { + BIND_BUFFER param; + BIND_BUFFER result; + char *query; ++#ifndef MYSQLI_USE_MYSQLND ++ /* used to manage refcount with libmysql (already implement in mysqlnd) */ ++ zend_object_handle link_handle; ++#endif + } MY_STMT; + + typedef struct { +-- +2.1.4 + +From 816a5d207270556aa5a9d74cdd8629d1b06cc350 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 27 Feb 2014 08:48:01 +0100 +Subject: [PATCH] test for bug #66762 + +--- + ext/mysqli/tests/bug66762.phpt | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + create mode 100644 ext/mysqli/tests/bug66762.phpt + +diff --git a/ext/mysqli/tests/bug66762.phpt b/ext/mysqli/tests/bug66762.phpt +new file mode 100644 +index 0000000..2b8a92c +--- /dev/null ++++ b/ext/mysqli/tests/bug66762.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #66762 mysqli@libmysql segfault in mysqli_stmt::bind_result() when link closed ++--SKIPIF-- ++ ++--FILE-- ++prepare("SELECT 1"); ++ ++ var_dump($read_stmt->bind_result($data)); ++ ++ unset($mysqli); ++ var_dump($read_stmt->bind_result($data)); ++ ++?> ++done! ++--EXPECT-- ++bool(true) ++bool(true) ++done! +\ No newline at end of file +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-bug66833.patch b/SOURCES/php-5.4.16-bug66833.patch new file mode 100644 index 0000000..dde6e50 
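Review bot: The same four-line `#ifndef MYSQLI_USE_MYSQLND` add-ref block is pasted into mysqli_stmt_construct, mysqli_prepare and mysqli_stmt_init, with its del-ref counterpart in php_clear_stmt_bind; a small static helper in mysqli.c called from the three sites would keep them from drifting and give the new `link_handle` field one documented owner. The release side uses `if (stmt->link_handle)` to distinguish "no link attached" from a real handle, which presumes object handle 0 is never valid; that assumption belongs next to the field in place of `/* used to manage refcount with libmysql (already implement in mysqlnd) */`, e.g. `/* libmysql only: object handle of the owning link (0 = none); the reference is held until php_clear_stmt_bind(). mysqlnd keeps this reference internally. */`.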
--- /dev/null +++ b/SOURCES/php-5.4.16-bug66833.patch @@ -0,0 +1,40 @@ +From 17f6391bf8bc5e0e74ea981c795455a18826ed35 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Fri, 14 Mar 2014 09:50:15 +0100 +Subject: [PATCH] Fixed Bug #66833 Default digest algo is still MD5 + +Switch to SHA1, which match internal openssl hardcoded algo. + +In most case, won't even be noticed +- priority on user input (default_md) +- fallback on system config +- fallback on this default value + +Recent system reject MD5 digest, noticed in bug36732.phpt failure. + +While SHA1 is better than MD5, SHA256 is recommenced, +and defined as default algo in provided configuration on +recent system (Fedora 21, RHEL-7, ...). But the idea is to +keep in sync with openssl internal value for PHP internal value. +--- + ext/openssl/openssl.c | 2 +- + ext/openssl/tests/openssl.cnf | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index b2ac712..88ad2ef 100755 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -855,7 +855,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option + req->digest = req->md_alg = EVP_get_digestbyname(req->digest_name); + } + if (req->md_alg == NULL) { +- req->md_alg = req->digest = EVP_md5(); ++ req->md_alg = req->digest = EVP_sha1(); + } + + PHP_SSL_CONFIG_SYNTAX_CHECK(extensions_section); + +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-bug71089.patch b/SOURCES/php-5.4.16-bug71089.patch new file mode 100644 index 0000000..6b730d6 --- /dev/null +++ b/SOURCES/php-5.4.16-bug71089.patch 
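Review bot: The fallback `req->md_alg = req->digest = EVP_sha1();` is the last of three digest sources (the request's `default_md`, then the openssl config, then this constant), and the commit message itself records that SHA-256 is the recommended choice and that SHA-1 is kept only to mirror OpenSSL's built-in default; none of that reaches the code. A comment at the assignment, `/* last-resort default when neither the request options nor the openssl config set default_md; SHA1 mirrors OpenSSL's own built-in default, deployments should set sha256 in config */`, keeps the rationale from being lost once the patch is folded into the tree. The preceding lookups are outside the hunk.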
@@ -0,0 +1,31 @@ +From 410eacc1a9b50ec3cb6c5fc0ff252516d0c0a4f1 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Fri, 11 Dec 2015 13:21:24 +0100 +Subject: [PATCH] Fix Bug #71089 No check to duplicate zend_extension + +--- + Zend/zend_extensions.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/Zend/zend_extensions.c b/Zend/zend_extensions.c +index 8321f1c..fbf1f32 100644 +--- a/Zend/zend_extensions.c ++++ b/Zend/zend_extensions.c +@@ -105,6 +105,14 @@ int zend_load_extension(const char *path) + #endif + DL_UNLOAD(handle); + return FAILURE; ++ } else if (zend_get_extension(new_extension->name)) { ++ fprintf(stderr, "Cannot load %s - extension already loaded\n", new_extension->name); ++/* See http://support.microsoft.com/kb/190351 */ ++#ifdef PHP_WIN32 ++ fflush(stderr); ++#endif ++ DL_UNLOAD(handle); ++ return FAILURE; + } + + return zend_register_extension(new_extension, handle); +-- +2.1.4 + diff --git a/SOURCES/php-5.4.16-curltls.patch b/SOURCES/php-5.4.16-curltls.patch new file mode 100644 index 0000000..1c35da5 --- /dev/null +++ b/SOURCES/php-5.4.16-curltls.patch 
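Review bot: The copied `/* See http://support.microsoft.com/kb/190351 */` comment sits at column 0 inside the new else-if body while the statements around it are indented; align it with the `fflush(stderr);` it explains. The duplicate check keys on `new_extension->name`, so the same extension loaded from two different paths is rejected as well, which is the intent but deserves a line at the check such as `/* reject by name, not path: the same zend_extension listed twice would otherwise register twice */`. The rejection happens after the library was already loaded (DL_UNLOAD follows, as in the version-check branch above), so any load-time side effects have presumably occurred by then; that matches the existing branch but is worth knowing when reading the error path.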
@@ -0,0 +1,38 @@ +Backport from PHP 5.5.0 and 5.5.19 + +Adapted from: + +From e69f987948982d4259a574ca824398c26153bf42 Mon Sep 17 00:00:00 2001 +From: Pierrick Charron +Date: Thu, 1 Dec 2011 21:48:07 +0000 +Subject: [PATCH] Clean / Improve the curl extension # NEWS file will come soon + +From 2b5bffe6c70bc00ebe57390f48ef7569e401d2d3 Mon Sep 17 00:00:00 2001 +From: Rasmus Lerdorf +Date: Thu, 16 Oct 2014 21:25:29 -0700 +Subject: [PATCH] TLS 1.0, 1.1 and 1.2 Curl constants - bug #68247 + +Macro available in upstream curl > 7.34 +Macro available since curl-7.19.7-43.el6 see https://bugzilla.redhat.com/1012136 + + +diff -up a/ext/curl/interface.c.old b/ext/curl/interface.c +--- a/ext/curl/interface.c.old 2015-12-14 11:29:34.591570003 +0100 ++++ b/ext/curl/interface.c 2015-12-14 11:38:42.366016986 +0100 +@@ -595,6 +595,16 @@ PHP_MINIT_FUNCTION(curl) + REGISTER_CURL_CONSTANT(CURLOPT_SSL_VERIFYHOST); + REGISTER_CURL_CONSTANT(CURLOPT_COOKIEFILE); + REGISTER_CURL_CONSTANT(CURLOPT_SSLVERSION); ++ ++ /* Curl SSL Version constants (CURLOPT_SSLVERSION) */ ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_DEFAULT); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv2); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv3); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2); ++ + REGISTER_CURL_CONSTANT(CURLOPT_TIMECONDITION); + REGISTER_CURL_CONSTANT(CURLOPT_TIMEVALUE); + REGISTER_CURL_CONSTANT(CURLOPT_CUSTOMREQUEST); diff --git a/SOURCES/php-5.4.16-wddx.patch b/SOURCES/php-5.4.16-wddx.patch new file mode 100644 index 0000000..9f36834 --- /dev/null +++ b/SOURCES/php-5.4.16-wddx.patch 
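Review bot: The seven CURL_SSLVERSION_* registrations are unconditional, while the preamble states the TLSv1_0/TLSv1_1/TLSv1_2 macros only exist in curl above 7.34 or in the patched curl-7.19.7-43.el6; a build against any other curl fails to compile PHP_MINIT_FUNCTION(curl). Wrapping the three newer constants in `#if LIBCURL_VERSION_NUM >= 0x072200 /* 7.34.0 */` … `#endif` keeps the backport portable without changing behaviour on the target distribution. The enclosing MINIT function starts and ends outside the hunk.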
@@ -0,0 +1,41 @@ +From 95ea1e7ca787537a93c25c401dba010d51aa8d59 Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Sat, 11 May 2013 02:47:48 +0200 +Subject: [PATCH] fixed variable corruption under win x64 + +--- + ext/wddx/wddx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 967da6a..afeca90 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -405,7 +405,7 @@ static void php_wddx_serialize_string(wddx_packet *packet, zval *var TSRMLS_DC) + + if (Z_STRLEN_P(var) > 0) { + char *buf; +- int buf_len; ++ size_t buf_len; + + buf = php_escape_html_entities(Z_STRVAL_P(var), Z_STRLEN_P(var), &buf_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + +@@ -626,12 +626,12 @@ static void php_wddx_serialize_array(wddx_packet *packet, zval *arr) + */ + void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name_len TSRMLS_DC) + { +- char *tmp_buf; +- char *name_esc; +- int name_esc_len; + HashTable *ht; + + if (name) { ++ size_t name_esc_len; ++ char *tmp_buf, *name_esc; ++ + name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + tmp_buf = emalloc(name_esc_len + sizeof(WDDX_VAR_S)); + snprintf(tmp_buf, name_esc_len + sizeof(WDDX_VAR_S), WDDX_VAR_S, name_esc); +-- +2.1.4 + diff --git a/SOURCES/php-5.4.6-bug65641.patch b/SOURCES/php-5.4.6-bug65641.patch new file mode 100644 index 0000000..6909439 --- /dev/null +++ b/SOURCES/php-5.4.6-bug65641.patch 
@@ -0,0 +1,118 @@ +From ee275e34c8b303945945c650d4bc90dcc2ac0b17 Mon Sep 17 00:00:00 2001 +From: David Zuelke +Date: Sat, 9 Aug 2014 08:26:33 +0200 +Subject: [PATCH] restore FPM compatibility with mod_fastcgi broken since #694 + / 67541, fixes bug 67606 + +--- + sapi/fpm/fpm/fpm_main.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c +index e879325..56a06f9 100644 +--- a/sapi/fpm/fpm/fpm_main.c ++++ b/sapi/fpm/fpm/fpm_main.c +@@ -1142,13 +1142,16 @@ static void init_request_info(TSRMLS_D) + TRANSLATE_SLASHES(env_document_root); + } + +- if (env_path_translated != NULL && env_redirect_url != NULL && ++ if (!apache_was_here && env_path_translated != NULL && env_redirect_url != NULL && + env_path_translated != script_path_translated && + strcmp(env_path_translated, script_path_translated) != 0) { + /* + * pretty much apache specific. If we have a redirect_url + * then our script_filename and script_name point to the + * php executable ++ * we don't want to do this for the new mod_proxy_fcgi approach, ++ * where redirect_url may also exist but the below will break ++ * with rewrites to PATH_INFO, hence the !apache_was_here check + */ + script_path_translated = env_path_translated; + /* we correct SCRIPT_NAME now in case we don't have PATH_INFO */ +@@ -1323,7 +1326,7 @@ static void init_request_info(TSRMLS_D) + efree(pt); + } + } else { +- /* make sure path_info/translated are empty */ ++ /* make sure original values are remembered in ORIG_ copies if we've changed them */ + if (!orig_script_filename || + (script_path_translated != orig_script_filename && + strcmp(script_path_translated, orig_script_filename) != 0)) { +@@ -1332,7 +1335,9 @@ static void init_request_info(TSRMLS_D) + } + script_path_translated = _sapi_cgibin_putenv("SCRIPT_FILENAME", script_path_translated TSRMLS_CC); + } +- if (env_redirect_url) { ++ if (!apache_was_here && env_redirect_url) { ++ /* if we used 
PATH_TRANSLATED to work around Apache mod_fastcgi (but not mod_proxy_fcgi, ++ * hence !apache_was_here) weirdness, strip info accordingly */ + if (orig_path_info) { + _sapi_cgibin_putenv("ORIG_PATH_INFO", orig_path_info TSRMLS_CC); + _sapi_cgibin_putenv("PATH_INFO", NULL TSRMLS_CC); +-- +2.1.4 + +From 8cac75969e5abb2b6be5bbd489d851a4f9e50979 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 15 Sep 2014 13:29:55 +0200 +Subject: [PATCH] Fixed bug #65641 PHP-FPM incorrectly defines the SCRIPT_NAME + variable when using Apache + +ProxyPass is unable to provide correct PATH_INFO +as it is not aware of file path (while SetHandler is). + +As we can extract PATH_INFO from PATH_TRANSLATED, +we also need to check if present in SCRIPT_NAME +and remove it. + +After applying this patch. +With mod_php +_SERVER["REQUEST_URI"] /info.php/foo/bar?q=1 +_SERVER["SCRIPT_NAME"] /info.php +_SERVER["PATH_INFO"] /foor/bar +_SERVER["PHP_SELF"] /info.php/foo/bar +_SERVER["QUERY_STRING"] q=1 + +With mod_proxy_fcgi + SetHandler +_SERVER["REQUEST_URI"] /info.php/foo/bar?q=1 +_SERVER["SCRIPT_NAME"] /info.php +_SERVER["PATH_INFO"] /foo/bar +_SERVER["PHP_SELF"] /info.php/foo/bar +_SERVER["QUERY_STRING"] q=1 + +With mod_proxy_fcgi + ProxyPass +_SERVER["REQUEST_URI"] /info.php/foo/bar?q=1 +_SERVER["SCRIPT_NAME"] /info.php +_SERVER["PATH_INFO"] /foo/bar +_SERVER["PHP_SELF"] /info.php/foo/bar +_SERVER["QUERY_STRING"] q=1 +--- + sapi/fpm/fpm/fpm_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c +index 56a06f9..331342c 100644 +--- a/sapi/fpm/fpm/fpm_main.c ++++ b/sapi/fpm/fpm/fpm_main.c +@@ -1231,6 +1231,17 @@ static void init_request_info(TSRMLS_D) + SG(request_info).request_uri = orig_script_name; + } + path_info[0] = old; ++ } else if (apache_was_here && env_script_name) { ++ /* Using mod_proxy_fcgi and ProxyPass, apache cannot set PATH_INFO ++ * As we can extract PATH_INFO from PATH_TRANSLATED ++ * it is probably also 
in SCRIPT_NAME and need to be removed ++ */ ++ int snlen = strlen(env_script_name); ++ if (snlen>slen && !strcmp(env_script_name+snlen-slen, path_info)) { ++ _sapi_cgibin_putenv("ORIG_SCRIPT_NAME", orig_script_name TSRMLS_CC); ++ env_script_name[snlen-slen] = 0; ++ SG(request_info).request_uri = _sapi_cgibin_putenv("SCRIPT_NAME", env_script_name TSRMLS_CC); ++ } + } + env_path_info = _sapi_cgibin_putenv("PATH_INFO", path_info TSRMLS_CC); + } +-- +2.1.4 + diff --git a/SPECS/php.spec b/SPECS/php.spec index 745b3eb..7024bf6 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -69,7 +69,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.16 -Release: 36.3%{?dist} +Release: 42%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -115,6 +115,16 @@ Patch27: php-5.4.16-bug50444.patch Patch28: php-5.4.16-bug63595.patch # https://bugs.php.net/62129 session rfc1867 Patch29: php-5.4.16-bug62129.patch +# https://bugs.php.net/66762 mysqli segfault +Patch30: php-5.4.16-bug66762.patch +# https://bugs.php.net/65641 fpm script name +Patch31: php-5.4.6-bug65641.patch +# https://bugs.php.net/71089 duplicate ext +Patch32: php-5.4.16-bug71089.patch +# https://bugs.php.net/66833 default digest algo +Patch33: php-5.4.16-bug66833.patch +# fixed variable corruption +Patch34: php-5.4.16-wddx.patch # bad logic in sapi header callback routine Patch35: php-5.4.16-bug66375.patch @@ -134,6 +144,7 @@ Patch46: php-5.4.9-fixheader.patch Patch47: php-5.4.9-phpinfo.patch # Fix php_select on aarch64 (http://bugs.php.net/67406) Patch48: php-5.4.16-aarch64-select.patch +Patch49: php-5.4.16-curltls.patch # Fixes for tests Patch60: php-5.4.16-pdotests.patch 
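Review bot: In the new `else if (apache_was_here && env_script_name)` branch, `int snlen = strlen(env_script_name);` narrows a size_t into an int and then compares it with `slen`, whose declaration is outside the hunk; if `slen` is a size_t the `snlen>slen` test mixes signed and unsigned, so `size_t snlen = strlen(env_script_name);` is the safer declaration either way. The branch truncates `env_script_name` in place with `env_script_name[snlen-slen] = 0;` before passing it to _sapi_cgibin_putenv, which is only correct if that pointer refers to storage this SAPI owns; if that holds, a comment such as `/* env_script_name is our own copy of SCRIPT_NAME; truncating in place before putenv is safe */` should state it. init_request_info starts and ends outside both hunks of this patch.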
@@ -189,6 +200,10 @@ Patch152: php-5.4.16-CVE-2015-3329.patch Patch153: php-5.4.16-bug68819.patch Patch154: php-5.4.16-bug69152.patch Patch155: php-5.4.16-CVE-2016-5385.patch +Patch156: php-5.4.16-CVE-2016-5766.patch +Patch157: php-5.4.16-CVE-2016-5767.patch +Patch158: php-5.4.16-CVE-2016-5768.patch +Patch159: php-5.4.16-CVE-2016-5399.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel @@ -684,6 +699,11 @@ support for using the enchant library to PHP. %patch27 -p1 -b .bug50444 %patch28 -p1 -b .bug63595 %patch29 -p1 -b .bug62129 +%patch30 -p1 -b .bug66762 +%patch31 -p1 -b .bug65641 +%patch32 -p1 -b .bug71089 +%patch33 -p1 -b .bug66833 +%patch34 -p1 -b .fix %patch35 -p1 -b .bug66375 %patch40 -p1 -b .dlopen @@ -699,6 +719,7 @@ support for using the enchant library to PHP. %patch46 -p1 -b .fixheader %patch47 -p1 -b .phpinfo %patch48 -p1 -b .aarch64select +%patch49 -p1 -b .curltls %patch60 -p1 -b .pdotests @@ -752,6 +773,10 @@ support for using the enchant library to PHP. %patch153 -p1 -b .bug68819 %patch154 -p1 -b .bug69152 %patch155 -p1 -b .cve5385 +%patch156 -p1 -b .cve5766 +%patch157 -p1 -b .cve5767 +%patch158 -p1 -b .cve5768 +%patch159 -p1 -b .cve5399 # Prevent %%doc confusion over LICENSE files 
@@ -1523,15 +1548,36 @@ fi %changelog -* Fri Jul 22 2016 Remi Collet - 5.4.16-36.3 +* Fri Aug 5 2016 Remi Collet - 5.4.16-42 +- bz2: fix improper error handling in bzread() CVE-2016-5399 + +* Mon Aug 1 2016 Remi Collet - 5.4.16-41 +- gd: fix integer overflow in _gd2GetHeader() resulting in + heap overflow CVE-2016-5766 +- gd: fix integer overflow in gdImagePaletteToTrueColor() + resulting in heap overflow CVE-2016-5767 +- mbstring: fix double free in _php_mb_regex_ereg_replace_exec + CVE-2016-5768 + +* Fri Jul 22 2016 Remi Collet - 5.4.16-40 - don't set environmental variable based on user supplied Proxy request header CVE-2016-5385 -* Wed Jun 15 2016 Remi Collet - 5.4.16-36.2 -- fix segmentation fault in header_register_callback #1346758 - -* Mon Apr 4 2016 Remi Collet - 5.4.16-36.1 -- session: fix segfault in session with rfc1867 #1323643 +* Wed Jun 15 2016 Remi Collet - 5.4.16-39 +- fix segmentation fault in header_register_callback #1344578 + +* Mon May 30 2016 Remi Collet - 5.4.16-38 +- curl: add options to enable TLS #1291667 +- mysqli: fix segfault in mysqli_stmt::bind_result() when + link is closed #1096800 +- fpm: fix incorrectly defined SCRIPT_NAME variable when + using Apache #1138563 +- core: fix segfault when a zend_extension is loaded twice #1289457 +- openssl: change default_md algo from MD5 to SHA1 #1073388 +- wddx: fix segfault in php_wddx_serialize_var #1131979 + +* Mon Apr 4 2016 Remi Collet - 5.4.16-37 +- session: fix segfault in session with rfc1867 #1297179 * Wed Jun 10 2015 Remi Collet - 5.4.16-36 - fix more functions accept paths with NUL character #1213407