diff --git a/SOURCES/php-5.4.16-CVE-2014-2497.patch b/SOURCES/php-5.4.16-CVE-2014-2497.patch new file mode 100644 index 0000000..6b605e7 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-2497.patch @@ -0,0 +1,40 @@ +From cf4753691dc55999373d1c576f62ecb298723420 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 4 Aug 2014 10:42:39 +0200 +Subject: [PATCH] Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference + +Upstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704 + +Notice: this fix don't manage monochrome/monovisual values +but just fix the security issue CVE-2014-2497 +failing when trying to load such an image +--- + ext/gd/libgd/gdxpm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c +index 73f86e5..b69414e 100644 +--- a/ext/gd/libgd/gdxpm.c ++++ b/ext/gd/libgd/gdxpm.c +@@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename) + if (ret != XpmSuccess) { + return 0; + } ++ number = image.ncolors; ++ for(i = 0; i < number; i++) { ++ if (!image.colorTable[i].c_color) { ++ goto done; ++ } ++ } + + if (!(im = gdImageCreate(image.width, image.height))) { + goto done; + } + +- number = image.ncolors; + colors = (int *) safe_emalloc(number, sizeof(int), 0); + for (i = 0; i < number; i++) { + switch (strlen (image.colorTable[i].c_color)) { +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-CVE-2014-3478.patch b/SOURCES/php-5.4.16-CVE-2014-3478.patch new file mode 100644 index 0000000..9e09d3a --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-3478.patch 
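Review bot: The early `goto done` in the added colorTable scan runs before `gdImageCreate`, so it reaches the `done:` label with `im` never assigned; that is only safe if `im` is initialised to NULL at the top of gdImageCreateFromXpm, which lies outside the hunk and should be confirmed. The rejection is also silent, so a malformed XPM with a NULL `c_color` simply fails to load with no diagnostic; a comment on the loop, `/* reject any NULL c_color (monochrome/monovisual entries) before allocating the image; see CVE-2014-2497 */`, would record why the scan precedes allocation and why those entries are not handled. The new loop is written `for(i = 0; ...` while the existing loop a few lines below uses `for (i = 0; ...`; matching the file's spacing would be tidier.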
@@ -0,0 +1,41 @@ +From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 10 Jun 2014 14:02:36 +0200 +Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of + truncated pascal string size + +Upstream +https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08 +--- + ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 21fea6b..01e4977 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip) + return 1; + } + case FILE_PSTRING: { +- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m); ++ size_t sz = file_pstring_length_size(m); ++ char *ptr1 = p->s, *ptr2 = ptr1 + sz; + size_t len = file_pstring_get_length(m, ptr1); +- if (len >= sizeof(p->s)) +- len = sizeof(p->s) - 1; ++ if (len >= sizeof(p->s)) { ++ /* ++ * The size of the pascal string length (sz) ++ * is 1, 2, or 4. We need at least 1 byte for NUL ++ * termination, but we've already truncated the ++ * string by p->s, so we need to deduct sz. ++ */ ++ len = sizeof(p->s) - sz; ++ } + while (len--) + *ptr1++ = *ptr2++; + *ptr1 = '\0'; +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-CVE-2014-3538.patch b/SOURCES/php-5.4.16-CVE-2014-3538.patch new file mode 100644 index 0000000..47d852d --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-3538.patch 
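Review bot: The clamp in the FILE_PSTRING branch still compares `len` against `sizeof(p->s)` although the copy source `ptr2` starts `sz` bytes into `p->s`, so a length with `sizeof(p->s) - sz < len < sizeof(p->s)` is not reduced and the `while (len--)` copy reads up to `sz - 1` bytes past the end of `p->s`. The threshold should account for the length prefix: `if (len >= sizeof(p->s) - sz) {` with the body `len = sizeof(p->s) - sz;` kept as is. With that change the last byte read is `p->s[sizeof(p->s) - 1]` and the terminating NUL lands at index `sizeof(p->s) - sz`, which is what the new block comment already describes. mconvert starts and ends outside the hunk.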
@@ -0,0 +1,184 @@ +From eeaec70758bfc0c0e2c0f8944c8dbeae02866206 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 4 Aug 2014 00:01:57 -0700 +Subject: [PATCH] Fix bug #67705 (extensive backtracking in rule regular + expression) + +--- + NEWS | 4 +++ + ext/fileinfo/data_file.c | 2 +- + ext/fileinfo/libmagic/softmagic.c | 29 +++++++++++------- + ext/fileinfo/magicdata.patch | 62 +++++++++++++++++++++++++++++++++------ + 4 files changed, 76 insertions(+), 21 deletions(-) + +diff --git a/ext/fileinfo/data_file.c b/ext/fileinfo/data_file.c +index fba4edd..15e0fa6 100644 +--- a/ext/fileinfo/data_file.c ++++ b/ext/fileinfo/data_file.c +@@ -115198,7 +115198,7 @@ const unsigned char php_magic_database[2606480] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x40, 0x00, 0x3D, 0x1B, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +-0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5E, 0x5C, 0x73, 0x7B, 0x30, 0x2C, 0x31, 0x30, 0x30, 0x7D, 0x42, 0x45, 0x47, 0x49, 0x4E, 0x5C, + 0x73, 0x7B, 0x30, 0x2C, 0x31, 0x30, 0x30, 0x7D, 0x5B, 0x7B, 0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 01e4977..7e0c856 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -58,7 +58,7 @@ private int32_t mprint(struct magic_set *, struct magic *); + private int32_t moffset(struct magic_set *, struct magic *); + private void mdebug(uint32_t, const char *, size_t); + private int mcopy(struct magic_set *, union VALUETYPE *, int, int, +- const unsigned char 
*, uint32_t, size_t, size_t); ++ const unsigned char *, uint32_t, size_t, struct magic *); + private int mconvert(struct magic_set *, struct magic *, int); + private int print_sep(struct magic_set *, int); + private int handle_annotation(struct magic_set *, struct magic *); +@@ -1003,7 +1003,7 @@ mdebug(uint32_t offset, const char *str, size_t len) + + private int + mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, +- const unsigned char *s, uint32_t offset, size_t nbytes, size_t linecnt) ++ const unsigned char *s, uint32_t offset, size_t nbytes, struct magic *m) + { + /* + * Note: FILE_SEARCH and FILE_REGEX do not actually copy +@@ -1023,15 +1023,24 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, + const char *last; /* end of search region */ + const char *buf; /* start of search region */ + const char *end; +- size_t lines; ++ size_t lines, linecnt, bytecnt; + ++ linecnt = m->str_range; ++ bytecnt = linecnt * 80; ++ ++ if (bytecnt == 0) { ++ bytecnt = 8192; ++ } ++ if (bytecnt > nbytes) { ++ bytecnt = nbytes; ++ } + if (s == NULL) { + ms->search.s_len = 0; + ms->search.s = NULL; + return 0; + } + buf = RCAST(const char *, s) + offset; +- end = last = RCAST(const char *, s) + nbytes; ++ end = last = RCAST(const char *, s) + bytecnt; + /* mget() guarantees buf <= last */ + for (lines = linecnt, b = buf; lines && b < end && + ((b = CAST(const char *, +@@ -1044,7 +1053,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, + b++; + } + if (lines) +- last = RCAST(const char *, s) + nbytes; ++ last = RCAST(const char *, s) + bytecnt; + + ms->search.s = buf; + ms->search.s_len = last - buf; +@@ -1118,7 +1127,6 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + int *need_separator, int *returnval) + { + uint32_t soffset, offset = ms->offset; +- uint32_t count = m->str_range; + int rv, oneed_separator; + char *sbuf, *rbuf; + union VALUETYPE *p = &ms->ms_value; +@@ -1130,13 +1138,12 @@ 
mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + } + + if (mcopy(ms, p, m->type, m->flag & INDIR, s, (uint32_t)(offset + o), +- (uint32_t)nbytes, count) == -1) ++ (uint32_t)nbytes, m) == -1) + return -1; + + if ((ms->flags & MAGIC_DEBUG) != 0) { + fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, o=%zu, " +- "nbytes=%zu, count=%u)\n", m->type, m->flag, offset, o, +- nbytes, count); ++ "nbytes=%zu)\n", m->type, m->flag, offset, o, nbytes); + mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE)); + } + +@@ -1627,7 +1634,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + if ((ms->flags & MAGIC_DEBUG) != 0) + fprintf(stderr, "indirect +offs=%u\n", offset); + } +- if (mcopy(ms, p, m->type, 0, s, offset, nbytes, count) == -1) ++ if (mcopy(ms, p, m->type, 0, s, offset, nbytes, m) == -1) + return -1; + ms->offset = offset; + +@@ -2057,7 +2064,7 @@ magiccheck(struct magic_set *ms, struct magic *m) + zval *retval; + zval *subpats; + char *haystack; +- ++ + MAKE_STD_ZVAL(retval); + ALLOC_INIT_ZVAL(subpats); + +-- +1.9.2 + +From 61ec9b5b0f80bc6016548d48f433fe22e2dc24ec Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 4 Aug 2014 00:08:08 -0700 +Subject: [PATCH] add test + +--- + ext/fileinfo/tests/cve-2014-3538.phpt | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + create mode 100644 ext/fileinfo/tests/cve-2014-3538.phpt + +diff --git a/ext/fileinfo/tests/cve-2014-3538.phpt b/ext/fileinfo/tests/cve-2014-3538.phpt +new file mode 100644 +index 0000000..d6bc9c6 +--- /dev/null ++++ b/ext/fileinfo/tests/cve-2014-3538.phpt +@@ -0,0 +1,35 @@ ++--TEST-- ++Bug #66731: file: extensive backtraking ++--SKIPIF-- ++ ++Done ++--CLEAN-- ++ ++--EXPECTF-- ++string(%d) "%s" ++Ok ++Done +\ No newline at end of file +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-CVE-2014-3587.patch b/SOURCES/php-5.4.16-CVE-2014-3587.patch new file mode 100644 index 0000000..f0fb74c --- /dev/null 
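Review bot: In the mcopy hunk the search window is now cut at `end = last = RCAST(const char *, s) + bytecnt`, but `buf` is still `s + offset`, so the retained comment `/* mget() guarantees buf <= last */` no longer holds: whenever `offset` exceeds `bytecnt` (for example an offset beyond 8192 with `str_range` 0), `buf > end`, the line loop exits immediately, `lines` stays non-zero, and `ms->search.s_len = last - buf` is a negative difference that wraps once stored in `s_len` (presumably a size_t). The cap should be taken relative to the offset and the offset added back to the end pointer: `if (bytecnt > nbytes - offset) bytecnt = nbytes - offset;` and `end = last = RCAST(const char *, s) + offset + bytecnt;`, with the second `last = RCAST(const char *, s) + bytecnt;` in the same function getting the same `offset +`. This relies on `offset <= nbytes`, which the existing comment attributes to mget() and which this hunk does not show. The literals `80` and `8192` would read better as named constants with a comment saying they bound the region a regex rule may scan, since that bound is the whole fix; and the added phpt is titled `Bug #66731` while the patch subject names #67705, which is worth aligning.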
+++ b/SOURCES/php-5.4.16-CVE-2014-3587.patch @@ -0,0 +1,26 @@ +From 7ba1409a1aee5925180de546057ddd84ff267947 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 14 Aug 2014 17:19:03 -0700 +Subject: [PATCH] Fix bug #67716 - Segfault in cdf.c + +--- + NEWS | 1 + + ext/fileinfo/libmagic/cdf.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c +index 429f3b9..2c0a2d9 100644 +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + q = (const uint8_t *)(const void *) + ((const char *)(const void *)p + ofs + - 2 * sizeof(uint32_t)); +- if (q > e) { ++ if (q < p || q > e) { + DPRINTF(("Ran of the end %p > %p\n", q, e)); + goto out; + } +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-CVE-2014-3597.patch b/SOURCES/php-5.4.16-CVE-2014-3597.patch new file mode 100644 index 0000000..cb573a4 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-3597.patch 
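Review bot: The new `q < p` test in cdf_read_property_info is evaluated only after `q` has been formed from `p + ofs - 2 * sizeof(uint32_t)`, so an `ofs` that wraps or lands outside the buffer has already produced an out-of-range pointer before the comparison, which C leaves undefined and which an optimiser may fold away. Comparing the offset as an integer before deriving the pointer avoids that, e.g. `if (ofs < 2 * sizeof(uint32_t) || ofs - 2 * sizeof(uint32_t) > (size_t)(e - p)) goto out;` ahead of the assignment, assuming `ofs` is the unsigned offset read from the stream and `p`/`e` bound the same buffer (their declarations are outside the hunk). The `DPRINTF(("Ran of the end %p > %p\n", q, e))` message now also fires for the `q < p` case, where it prints the wrong relation; splitting the two conditions or rewording to `"Offset %p outside [%p, %p]\n"` with `q, p, e` keeps the trace truthful.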
@@ -0,0 +1,275 @@ +From 2fefae47716d501aec41c1102f3fd4531f070b05 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 19 Aug 2014 08:33:49 +0200 +Subject: [PATCH] Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597 + +Incomplete fix for CVE-2014-4049 + +Check possible buffer overflow +- pass real buffer end to dn_expand calls +- check buffer len before each read +--- + ext/standard/dns.c | 84 ++++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 60 insertions(+), 24 deletions(-) + +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index 214a7dc..0b5e69c 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record) + + #if HAVE_FULL_DNS_FUNCS + ++#define CHECKCP(n) do { \ ++ if (cp + n > end) { \ ++ return NULL; \ ++ } \ ++} while (0) ++ + /* {{{ php_parserr */ +-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) ++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) + { + u_short type, class, dlen; + u_long ttl; +@@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + + *subarray = NULL; + +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); + if (n < 0) { + return NULL; + } + cp += n; + ++ CHECKCP(10); + GETSHORT(type, cp); + GETSHORT(class, cp); + GETLONG(ttl, cp); + GETSHORT(dlen, cp); ++ CHECKCP(dlen); + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + + switch (type) { + case DNS_T_A: ++ CHECKCP(4); + add_assoc_string(*subarray, "type", "A", 1); + snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); + add_assoc_string(*subarray, "ip", name, 1); + cp += 
dlen; + break; + case DNS_T_MX: ++ CHECKCP(2); + add_assoc_string(*subarray, "type", "MX", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + if (type == DNS_T_PTR) { + add_assoc_string(*subarray, "type", "PTR", 1); + } +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + case DNS_T_HINFO: + /* See RFC 1010 for values */ + add_assoc_string(*subarray, "type", "HINFO", 1); ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1); + cp += n; ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "os", (char*)cp, n, 1); + cp += n; + break; + case DNS_T_TXT: + { +- int ll = 0; ++ int l1 = 0, l2 = 0; + zval *entries = NULL; + + add_assoc_string(*subarray, "type", "TXT", 1); +@@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + MAKE_STD_ZVAL(entries); + array_init(entries); + +- while (ll < dlen) { +- n = cp[ll]; +- if ((ll + n) >= dlen) { ++ while (l1 < dlen) { ++ n = cp[l1]; ++ if ((l1 + n) >= dlen) { + // Invalid chunk length, truncate +- n = dlen - (ll + 1); ++ n = dlen - (l1 + 1); ++ } ++ if (n) { ++ memcpy(tp + l2 , cp + l1 + 1, n); ++ add_next_index_stringl(entries, cp + l1 + 1, n, 1); + } +- memcpy(tp + ll , cp + ll + 1, n); +- add_next_index_stringl(entries, cp + ll + 1, n, 1); +- ll = ll + n + 1; ++ l1 = l1 + n + 1; ++ l2 = l2 + n; + } +- tp[dlen] = '\0'; ++ tp[l2] = '\0'; + cp += dlen; + +- add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0); ++ add_assoc_stringl(*subarray, "txt", tp, l2, 0); + add_assoc_zval(*subarray, "entries", entries); + } + break; + case DNS_T_SOA: + 
add_assoc_string(*subarray, "type", "SOA", 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "mname", name, 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "rname", name, 1); ++ CHECKCP(5*4); + GETLONG(n, cp); + add_assoc_long(*subarray, "serial", n); + GETLONG(n, cp); +@@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + break; + case DNS_T_AAAA: + tp = (u_char*)name; ++ CHECKCP(8*2); + for(i=0; i < 8; i++) { + GETSHORT(s, cp); + if (s != 0) { +@@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + case DNS_T_A6: + p = cp; + add_assoc_string(*subarray, "type", "A6", 1); ++ CHECKCP(1); + n = ((int)cp[0]) & 0xFF; + cp++; + add_assoc_long(*subarray, "masklen", n); +@@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + cp++; + } + for (i = (n + 8) / 16; i < 8; i++) { ++ CHECKCP(2); + GETSHORT(s, cp); + if (s != 0) { + if (tp > (u_char *)name) { +@@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + tp[0] = '\0'; + add_assoc_string(*subarray, "ipv6", name, 1); + if (cp < p + dlen) { +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + } + break; + case DNS_T_SRV: ++ CHECKCP(3*2); + add_assoc_string(*subarray, "type", "SRV", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -673,7 +695,7 @@ static u_char 
*php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + add_assoc_long(*subarray, "weight", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "port", n); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + add_assoc_string(*subarray, "target", name, 1); + break; + case DNS_T_NAPTR: ++ CHECKCP(2*2); + add_assoc_string(*subarray, "type", "NAPTR", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "order", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pref", n); ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1); + cp += n; +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record) + while (an-- && cp && cp < end) { + zval *retval; + +- cp = php_parserr(cp, &answer, type_to_fetch, store_results, raw, &retval); ++ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, raw, &retval); + if (retval != NULL && store_results) { + add_next_index_zval(return_value, retval); + } +@@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record) + while (ns-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, 
authns != NULL, raw, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, raw, &retval); + if (retval != NULL) { + add_next_index_zval(authns, retval); + } +@@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record) + while (ar-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, raw, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, raw, &retval); + if (retval != NULL) { + add_next_index_zval(addtl, retval); + } +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-CVE-2014-4670.patch b/SOURCES/php-5.4.16-CVE-2014-4670.patch new file mode 100644 index 0000000..96cbb64 --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-4670.patch 
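Review bot: The `CHECKCP(n)` macro added above php_parserr uses its argument unparenthesised in `cp + n > end`; every current call site passes an identifier or a product so it happens to work, but this guard is all that stands between the resolver answer and the reads that follow, and a later `CHECKCP(a ? x : y)` would silently mis-parse — `if (cp + (n) > end) {` is the safe form. A one-line comment on the macro, `/* return NULL from php_parserr if fewer than n bytes remain before end */`, would also document that it exits the enclosing function rather than yielding a boolean. The A6 case presumably consumes the prefix bytes between the `masklen` hunk and the `for (i = (n + 8) / 16; i < 8; i++)` loop, but that stretch is outside the hunk, so it is worth confirming every `cp[0]` read there is preceded by a `CHECKCP(1)` like the ones added here. php_parserr begins and ends outside the visible hunks.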
@@ -0,0 +1,67 @@ +From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001 +From: Xinchen Hui +Date: Wed, 2 Jul 2014 17:45:09 +0800 +Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free) + +--- + NEWS | 3 +++ + ext/spl/spl_dllist.c | 7 +++++-- + ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++ + 3 files changed, 25 insertions(+), 2 deletions(-) + create mode 100644 ext/spl/tests/bug67538.phpt + +diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c +index 39a0733..0b44d41 100644 +--- a/ext/spl/spl_dllist.c ++++ b/ext/spl/spl_dllist.c +@@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack; + + #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \ + efree(elem); \ +- elem = NULL; \ + } + + #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \ + efree(elem); \ +- elem = NULL; \ + } + + #define SPL_LLIST_ADDREF(elem) (elem)->rc++ +@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset) + llist->dtor(element TSRMLS_CC); + } + ++ if (intern->traverse_pointer == element) { ++ SPL_LLIST_DELREF(element); ++ intern->traverse_pointer = NULL; ++ } ++ + zval_ptr_dtor((zval **)&element->data); + element->data = NULL; + +diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt +new file mode 100644 +index 0000000..b6f3848 +--- /dev/null ++++ b/ext/spl/tests/bug67538.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #67538 (SPL Iterators use-after-free) ++--FILE-- ++push('a'); ++$list->push('b'); ++ ++$list->rewind(); ++$list->offsetUnset(0); ++$list->push('b'); ++$list->offsetUnset(0); ++$list->next(); ++echo "okey"; ++?> ++--EXPECTF-- ++okey +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-CVE-2014-4698.patch b/SOURCES/php-5.4.16-CVE-2014-4698.patch new file mode 100644 index 0000000..fc8c8bf --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-4698.patch 
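Review bot: Dropping `elem = NULL` from SPL_LLIST_DELREF and SPL_LLIST_CHECK_DELREF changes the contract of every existing call site in spl_dllist.c, not only the new one in offsetUnset: any caller that relied on the macro leaving a freed pointer NULL now keeps a dangling pointer, which is the very class of bug this patch fixes. The offsetUnset change does not need the macro edit; passing the traverse pointer itself leaves the original macros intact: `if (intern->traverse_pointer == element) { SPL_LLIST_DELREF(intern->traverse_pointer); intern->traverse_pointer = NULL; }`. In that block the `element->data` access right after `SPL_LLIST_DELREF(element)` is only safe because the list presumably still holds its own reference to `element` until a final DELREF later in the function, outside the hunk; a comment such as `/* drop the iterator's reference only; the list's own reference keeps element alive until it is released below */` would make that ordering explicit.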
@@ -0,0 +1,62 @@ +From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001 +From: Xinchen Hui +Date: Wed, 2 Jul 2014 17:57:42 +0800 +Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object + change during sorting) + +--- + NEWS | 2 ++ + ext/spl/spl_array.c | 7 +++++++ + ext/spl/tests/bug67539.phpt | 15 +++++++++++++++ + 3 files changed, 24 insertions(+) + create mode 100644 ext/spl/tests/bug67539.phpt + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index 8392e72..0fe47b6 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -1738,6 +1738,7 @@ SPL_METHOD(Array, unserialize) + const unsigned char *p, *s; + php_unserialize_data_t var_hash; + zval *pmembers, *pflags = NULL; ++ HashTable *aht; + long flags; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { +@@ -1749,6 +1750,12 @@ SPL_METHOD(Array, unserialize) + return; + } + ++ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); ++ if (aht->nApplyCount > 0) { ++ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited"); ++ return; ++ } ++ + /* storage */ + s = p = (const unsigned char*)buf; + PHP_VAR_UNSERIALIZE_INIT(var_hash); +diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt +new file mode 100644 +index 0000000..8bab2a8 +--- /dev/null ++++ b/ext/spl/tests/bug67539.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #67539 (ArrayIterator use-after-free due to object change during sorting) ++--FILE-- ++unserialize($GLOBALS['it']->serialize()); ++ return TRUE; ++} ++ ++$it->uksort('badsort'); ++--EXPECTF-- ++Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d +-- +1.9.2 + diff --git a/SOURCES/php-5.4.16-CVE-2014-5120.patch b/SOURCES/php-5.4.16-CVE-2014-5120.patch new file mode 100644 index 0000000..a42ac7c --- /dev/null +++ b/SOURCES/php-5.4.16-CVE-2014-5120.patch 
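Review bot: The new guard in Array::unserialize dereferences `aht->nApplyCount` straight after `spl_array_get_hash_table(intern, 0 TSRMLS_CC)` with no NULL check, whereas the helper's other callers in spl_array.c (outside this hunk) appear to test its result first; if it can return NULL when the backing storage is no longer an array, the guard itself becomes a NULL dereference on object state the caller controls. A `if (!aht) { ... return; }` ahead of the nApplyCount test, emitting whichever warning the file's other callers use for that state, follows the established pattern. A short comment on the block, `/* refuse to replace the storage while a sort callback is still applying to it (nApplyCount > 0) */`, would tie the check to the use-after-free it prevents. The method starts and ends outside the hunk.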
@@ -0,0 +1,29 @@ +From 1daa4c0090b7cd8178dcaa96287234c69ac6ca18 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 18 Aug 2014 22:49:10 -0700 +Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx + functions + +--- + ext/gd/gd_ctx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c +index 59eff80..253b664 100644 +--- a/ext/gd/gd_ctx.c ++++ b/ext/gd/gd_ctx.c +@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + RETURN_FALSE; + } + } else if (Z_TYPE_P(to_zval) == IS_STRING) { ++ if (CHECK_ZVAL_NULL_PATH(to_zval)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); ++ RETURN_FALSE; ++ } ++ + stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); + if (stream == NULL) { + RETURN_FALSE; +-- +1.9.2 + diff --git a/SPECS/php.spec b/SPECS/php.spec index 9856c89..5167510 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec @@ -68,7 +68,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.16 # Only odd release to avoid conflicts with even release used by php54 SCL -Release: 23%{?dist} +Release: 23%{?dist}.1 # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -142,6 +142,14 @@ Patch114: php-5.4.16-CVE-2014-4049.patch Patch115: php-5.4.16-CVE-2014-3515.patch Patch116: php-5.4.16-CVE-2014-0207.patch Patch117: php-5.4.16-CVE-2014-3487.patch +Patch118: php-5.4.16-CVE-2014-2497.patch +Patch119: php-5.4.16-CVE-2014-3478.patch +Patch120: php-5.4.16-CVE-2014-3538.patch +Patch121: php-5.4.16-CVE-2014-3587.patch +Patch122: php-5.4.16-CVE-2014-5120.patch +Patch123: php-5.4.16-CVE-2014-4698.patch +Patch124: php-5.4.16-CVE-2014-4670.patch +Patch125: php-5.4.16-CVE-2014-3597.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel 
@@ -665,6 +673,14 @@ support for using the enchant library to PHP. %patch115 -p1 -b .cve3515 %patch116 -p1 -b .cve0207 %patch117 -p1 -b .cve3487 +%patch118 -p1 -b .cve2497 +%patch119 -p1 -b .cve3478 +%patch120 -p1 -b .cve3538 +%patch121 -p1 -b .cve3587 +%patch122 -p1 -b .cve5120 +%patch123 -p1 -b .cve4698 +%patch124 -p1 -b .cve4670 +%patch125 -p1 -b .cve3597 # Prevent %%doc confusion over LICENSE files @@ -1439,6 +1455,22 @@ fi %changelog +* Thu Sep 11 2014 Remi Collet - 5.4.16-23.1 +- gd: fix NULL pointer dereference in gdImageCreateFromXpm(). + CVE-2014-2497 +- gd: fix NUL byte injection in file names. CVE-2014-5120 +- fileinfo: fix extensive backtracking in regular expression + (incomplete fix for CVE-2013-7345). CVE-2014-3538 +- fileinfo: fix mconvert incorrect handling of truncated + pascal string size. CVE-2014-3478 +- fileinfo: fix cdf_read_property_info + (incomplete fix for CVE-2012-1571). CVE-2014-3587 +- spl: fix use-after-free in ArrayIterator due to object + change during sorting. CVE-2014-4698 +- spl: fix use-after-free in SPL Iterators. CVE-2014-4670 +- network: fix segfault in dns_get_record + (incomplete fix for CVE-2014-4049). CVE-2014-3597 + * Fri Jun 13 2014 Remi Collet - 5.4.16-23 - fileinfo: cdf_unpack_summary_info() excessive looping DoS. CVE-2014-0237