diff --git a/SOURCES/php-5.4.16-CVE-2014-3668.patch b/SOURCES/php-5.4.16-CVE-2014-3668.patch
new file mode 100644
index 0000000..a19991f
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-3668.patch
@@ -0,0 +1,118 @@
+From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ NEWS | 5 ++++-
+ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new
file mode 100644 +index 0000000..a5c96f1 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug68027.phpt +@@ -0,0 +1,44 @@ ++--TEST-- ++Bug #68027 (buffer overflow in mkgmtime() function) ++--SKIPIF-- ++ ++--FILE-- ++$datetime"); ++print_r($obj); ++ ++$datetime = "34770-0-08T21:46:40-0400"; ++$obj = xmlrpc_decode("$datetime"); ++print_r($obj); ++ ++echo "Done\n"; ++?> ++--EXPECTF-- ++object(stdClass)#1 (3) { ++ ["scalar"]=> ++ string(16) "6-01-01 20:00:00" ++ ["xmlrpc_type"]=> ++ string(8) "datetime" ++ ["timestamp"]=> ++ int(%d) ++} ++stdClass Object ++( ++ [scalar] => 2001-0-08T21:46:40-0400 ++ [xmlrpc_type] => datetime ++ [timestamp] => %s ++) ++stdClass Object ++( ++ [scalar] => 34770-0-08T21:46:40-0400 ++ [xmlrpc_type] => datetime ++ [timestamp] => %d ++) ++Done +-- +2.1.0 + diff --git a/SOURCES/php-5.4.16-CVE-2014-3669.patch b/SOURCES/php-5.4.16-CVE-2014-3669.patch new file mode 100644 index 0000000..d2c743a --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-3669.patch 
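Review bot: The range check added after `tm.tm_mon --` is the only field validation date_from_ISO8601 performs after this change; the day, hour, minute and second values read from text[6..16] still accept any two-digit number (00–99) before reaching mkgmtime(), which the test title names as the overflow site. If mkgmtime() uses tm_mday or tm_hour for anything beyond plain arithmetic (a table index, a loop bound), mirror the month check with `if(tm.tm_mday < 1 || tm.tm_mday > 31) { return -1; }` after the day loop and an equivalent bound on hour/min/sec after the seconds loop; if it only does arithmetic, a one-line comment saying so next to the month check would stop the next reader from asking. Assuming XMLRPC_IS_NUMBER returns on a non-digit (its use as a bare statement suggests it does), the corrected indices also mean a short string now halts at its NUL terminator instead of being read past it, which is worth stating once, e.g. `/* digit check also stops the parse at a NUL on truncated input */`. date_from_ISO8601 begins before the hunk and continues past it, so the separator bytes at text[8], text[11] and text[14] and the mkgmtime() call are not visible here.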
@@ -0,0 +1,63 @@ +Adapted for PHP 5.4.16 from + +From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 28 Sep 2014 14:19:31 -0700 +Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits + only) + +--- + NEWS | 5 ++++- + ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++ + ext/standard/var_unserializer.c | 4 ++-- + ext/standard/var_unserializer.re | 2 +- + 4 files changed, 19 insertions(+), 4 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug68044.phpt + +diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt +new file mode 100644 +index 0000000..031e44e +--- /dev/null ++++ b/ext/standard/tests/serialize/bug68044.phpt +@@ -0,0 +1,12 @@ ++--TEST-- ++Bug #68044 Integer overflow in unserialize() (32-bits only) ++--FILE-- ++ ++===DONE== ++--EXPECTF-- ++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 ++ ++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 ++===DONE== +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index 657051f..8129da3 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -344,7 +344,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) + + (*p) += 2; + +- if (datalen < 0 || (*p) + datalen >= max) { ++ if (datalen < 0 || (max - (*p)) <= datalen) { + zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); + return 0; + } +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 1307508..6de1583 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -350,7 +350,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) + + (*p) += 2; + +- if (datalen < 0 || (*p) + datalen >= max) { 
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+--
+2.1.0
+
diff --git a/SOURCES/php-5.4.16-CVE-2014-3670.patch b/SOURCES/php-5.4.16-CVE-2014-3670.patch
new file mode 100644
index 0000000..795b1a3
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-3670.patch
@@ -0,0 +1,38 @@
+bug68113.phpt removed as binary patch not supported
+
+
+From 287c91c1f060dc85a8bdb51488c50db8614448b7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 28 Sep 2014 16:57:42 -0700
+Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
+
+---
+ NEWS | 6 +++++-
+ ext/exif/exif.c | 4 ++--
+ ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes
+ ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++
+ 4 files changed, 24 insertions(+), 3 deletions(-)
+ create mode 100755 ext/exif/tests/bug68113.jpg
+ create mode 100644 ext/exif/tests/bug68113.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 38907b4..637ebf9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
+ data_ptr += 8;
+ break;
+ case TAG_FMT_SINGLE:
+- memmove(data_ptr, &info_data->value.f, byte_count);
++ memmove(data_ptr, &info_value->f, 4);
+ data_ptr += 4;
+ break;
+ case TAG_FMT_DOUBLE:
+- memmove(data_ptr, &info_data->value.d, byte_count);
++ memmove(data_ptr, &info_value->d, 8);
+ data_ptr += 8;
+ break;
+ }
+--
+2.1.0
+
diff --git a/SOURCES/php-5.4.16-CVE-2014-3710.patch b/SOURCES/php-5.4.16-CVE-2014-3710.patch
new file mode 100644
index 0000000..48fbe6d
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-3710.patch
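Review bot: The new condition `(max - (*p)) <= datalen` rejects a payload that has exactly datalen bytes left, and nothing in the hunk says why one more byte is required, so a reader will take the `<=` for an off-by-one unless the reason is written down; I would add `/* need datalen bytes plus a terminator after them; compare against the remaining length so a datalen taken from the input cannot wrap (*p) + datalen back below max */` above the if. The hunk itself is correct for the overflow it targets: the old `(*p) + datalen >= max` could wrap on 32-bit for a large datalen while `max - (*p)` is a bounded pointer difference. Both var_unserializer.c and var_unserializer.re receive the same line, which is right since the .c is the re2c output of the .re; a note in the patch header that the generated file was edited by hand rather than regenerated would save the next rebase from re-running re2c. object_custom starts before the hunk and ends after it.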
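Review bot: The literal lengths in `memmove(data_ptr, &info_value->f, 4)` and `memmove(data_ptr, &info_value->d, 8)` replace byte_count, which the removed lines trusted, but the hunk does not record that these are the fixed on-wire sizes of TAG_FMT_SINGLE and TAG_FMT_DOUBLE or that data_ptr was sized for them (the matching `data_ptr += 4` / `+= 8` suggest it was); a comment such as `/* SINGLE/DOUBLE are fixed 4/8-byte EXIF formats: copy that much, never byte_count */` above the switch cases would keep the old form from being reintroduced. The header line `bug68113.phpt removed as binary patch not supported` means this packaged fix carries no regression test: the phpt is plain text and only the jpg is binary, so the test could be kept alongside an image placed in SOURCES rather than dropped with it. `info_value` and the enclosing loop of exif_ifd_make_value are defined outside the hunk, so whether data_ptr has room for 8 bytes in every path cannot be confirmed from here.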
@@ -0,0 +1,35 @@ +From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 22 Oct 2014 15:37:04 +0200 +Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note + headers + +Upstream commit +https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0 + +CVE -2014-3710 +--- + ext/fileinfo/libmagic/readelf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c +index 1c3845f..bb6f70f 100644 +--- a/ext/fileinfo/libmagic/readelf.c ++++ b/ext/fileinfo/libmagic/readelf.c +@@ -372,6 +372,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size, + uint32_t namesz, descsz; + unsigned char *nbuf = CAST(unsigned char *, vbuf); + ++ if (xnh_sizeof + offset > size) { ++ /* ++ * We're out of note headers. ++ */ ++ return xnh_sizeof + offset; ++ } ++ + (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof); + offset += xnh_sizeof; + +-- +2.1.0 + diff --git a/SPECS/php.spec b/SPECS/php.spec index 5167510..2b479ff 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -68,7 +68,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.16 # Only odd release to avoid conflicts with even release used by php54 SCL -Release: 23%{?dist}.1 +Release: 23%{?dist}.3 # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -150,6 +150,10 @@ Patch122: php-5.4.16-CVE-2014-5120.patch Patch123: php-5.4.16-CVE-2014-4698.patch Patch124: php-5.4.16-CVE-2014-4670.patch Patch125: php-5.4.16-CVE-2014-3597.patch +Patch126: php-5.4.16-CVE-2014-3668.patch +Patch127: php-5.4.16-CVE-2014-3669.patch +Patch128: php-5.4.16-CVE-2014-3670.patch +Patch129: php-5.4.16-CVE-2014-3710.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel 
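Review bot: `xnh_sizeof + offset > size` can itself wrap when offset is near SIZE_MAX, in which case the guard passes and the `memcpy(xnh_addr, &nbuf[offset], xnh_sizeof)` that follows reads past the buffer; since offset is a size_t supplied by the caller, the non-wrapping form `if (offset > size || size - offset < xnh_sizeof)` is safer and costs nothing. The comment `We're out of note headers.` should also say what the return value means, because returning an offset beyond size is presumably how the caller's note loop terminates, e.g. `/* Out of note headers: return an offset past the end so the caller's loop stops. */`. This check covers only the fixed-size header; the subsequent reads of the name and descriptor, sized by namesz and descsz, happen later in donote() and need their own bound against size, which this hunk does not provide. donote() starts before the hunk and continues past it.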
@@ -681,7 +685,10 @@ support for using the enchant library to PHP. %patch123 -p1 -b .cve4698 %patch124 -p1 -b .cve4670 %patch125 -p1 -b .cve3597 - +%patch126 -p1 -b .cve3668 +%patch127 -p1 -b .cve3669 +%patch128 -p1 -b .cve3670 +%patch129 -p1 -b .cve3710 # Prevent %%doc confusion over LICENSE files cp Zend/LICENSE Zend/ZEND_LICENSE @@ -1455,6 +1462,14 @@ fi %changelog +* Thu Oct 23 2014 Jan Kaluza - 5.4.16-23.3 +- fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710 + +* Tue Oct 21 2014 Remi Collet - 5.4.16-23.2 +- xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668 +- core: fix integer overflow in unserialize() CVE-2014-3669 +- exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670 + * Thu Sep 11 2014 Remi Collet - 5.4.16-23.1 - gd: fix NULL pointer dereference in gdImageCreateFromXpm(). CVE-2014-2497
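Review bot: The `%patch` hunk deletes the blank line that separated `%patch125 -p1 -b .cve3597` from the `# Prevent %%doc confusion over LICENSE files` comment (the lone `-` line) without adding one back after `%patch129 -p1 -b .cve3710`, so the patch run now abuts an unrelated comment; restore the empty line after `%patch129`. The `.cve3668` through `.cve3710` backup suffixes follow the existing convention, and the four Patch126–129 declarations match the four `%patch` lines, so nothing else in the spec needs changing.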