diff --git a/SOURCES/php-5.4.16-CVE-2013-6420.patch b/SOURCES/php-5.4.16-CVE-2013-6420.patch
new file mode 100644
index 0000000..df64151
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2013-6420.patch
@@ -0,0 +1,90 @@
+diff -up php-5.4.16/ext/openssl/openssl.c.cve6420 php-5.4.16/ext/openssl/openssl.c
+--- php-5.4.16/ext/openssl/openssl.c.cve6420 2013-12-06 07:05:06.870106576 +0100
++++ php-5.4.16/ext/openssl/openssl.c 2013-12-06 07:05:06.872106575 +0100
+@@ -656,18 +656,28 @@ static time_t asn1_time_to_time_t(ASN1_U
+ char * thestr;
+ long gmadjust = 0;
+ 
+- if (timestr->length < 13) {
++ if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
++ return (time_t)-1;
++ }
++
++ if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
++ return (time_t)-1;
++ }
++
++ if (ASN1_STRING_length(timestr) < 13) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+ return (time_t)-1;
+ }
+ 
+- strbuf = estrdup((char *)timestr->data);
++ strbuf = estrdup((char *)ASN1_STRING_data(timestr));
+ 
+ memset(&thetime, 0, sizeof(thetime));
+ 
+ /* we work backwards so that we can use atoi more easily */
+ 
+- thestr = strbuf + timestr->length - 3;
++ thestr = strbuf + ASN1_STRING_length(timestr) - 3;
+ 
+ thetime.tm_sec = atoi(thestr);
+ *thestr = '\0';
+diff -up php-5.4.16/ext/openssl/tests/cve-2013-6420.crt.cve6420 php-5.4.16/ext/openssl/tests/cve-2013-6420.crt
+--- php-5.4.16/ext/openssl/tests/cve-2013-6420.crt.cve6420 2013-12-06 07:05:06.872106575 +0100
++++ php-5.4.16/ext/openssl/tests/cve-2013-6420.crt 2013-12-06 07:05:06.872106575 +0100
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----
++MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
++VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
++S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
++cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
++ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
++ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO
++b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT
++ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G
++A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz
++dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
++DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu
++wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh
++0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8
++pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6
++SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX
++1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw
++EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF
++BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD
++8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl
++VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7
++lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319
++o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg
++Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==
++-----END CERTIFICATE-----
++
++
+diff -up php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt.cve6420 php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt
+--- php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt.cve6420 2013-12-06 07:05:06.872106575 +0100
++++ php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt 2013-12-06 07:05:06.872106575 +0100
+@@ -0,0 +1,18 @@
++--TEST--
++CVE-2013-6420
++--SKIPIF--
++
++--FILE--
++
++Done
++--EXPECTF--
++%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
++string(27) "stefan.esser@sektioneins.de"
++int(-1)
++Done
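Review bot: The new length check `if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr)))` compares an int with a size_t, which trips -Wsign-compare and reads oddly for what is the security-relevant test of the patch (rejecting a timestamp with an embedded NUL); writing it as `if ((size_t)ASN1_STRING_length(timestr) != strlen((const char *)ASN1_STRING_data(timestr)))` keeps the intent and makes both sides unsigned. The strlen() call also relies on OpenSSL NUL-terminating the string data, which its setters do but which is not visible here, so a short comment stating that assumption would help. The type check just above it accepts only V_ASN1_UTCTIME, so a GeneralizedTime value (the encoding used for dates from 2050 on) now returns -1 with the "illegal ASN1 data type" warning instead of being parsed; if that is the intended scope of the backport, `/* only UTCTime (YYMMDDHHMMSSZ) is handled; GeneralizedTime is rejected */` above the check would say so. asn1_time_to_time_t() continues outside the hunk, and the --FILE-- section of the new phpt appears empty in this view, so the test body could not be reviewed.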
diff --git a/SOURCES/php-5.4.16-CVE-2013-6712.patch b/SOURCES/php-5.4.16-CVE-2013-6712.patch
new file mode 100644
index 0000000..ba7d0f0
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2013-6712.patch
@@ -0,0 +1,40 @@
+From 12fe4e90be7bfa2a763197079f68f5568a14e071 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Wed, 27 Nov 2013 11:13:16 +0100
+Subject: [PATCH] Fixed bug #66060 (Heap buffer over-read in DateInterval)
+
+---
+ NEWS | 3 +++
+ ext/date/lib/parse_iso_intervals.c | 4 ++--
+ ext/date/lib/parse_iso_intervals.re | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ext/date/lib/parse_iso_intervals.c b/ext/date/lib/parse_iso_intervals.c
+index bd1ad05..480ea38 100644
+--- a/ext/date/lib/parse_iso_intervals.c
++++ b/ext/date/lib/parse_iso_intervals.c
+@@ -415,7 +415,7 @@ yy6:
+ break;
+ }
+ ptr++;
+- } while (*ptr);
++ } while (!s->errors->error_count && *ptr);
+ s->have_period = 1;
+ TIMELIB_DEINIT;
+ return TIMELIB_PERIOD;
+diff --git a/ext/date/lib/parse_iso_intervals.re b/ext/date/lib/parse_iso_intervals.re
+index 56aa34d..c5e9f67 100644
+--- a/ext/date/lib/parse_iso_intervals.re
++++ b/ext/date/lib/parse_iso_intervals.re
+@@ -383,7 +383,7 @@ isoweek = year4 "-"? "W" weekofyear;
+ break;
+ }
+ ptr++;
+- } while (*ptr);
++ } while (!s->errors->error_count && *ptr);
+ s->have_period = 1;
+ TIMELIB_DEINIT;
+ return TIMELIB_PERIOD;
+--
+1.8.4.3
+
diff --git a/SOURCES/php-5.4.16-CVE-2014-1943.patch b/SOURCES/php-5.4.16-CVE-2014-1943.patch
new file mode 100644
index 0000000..6842286
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-1943.patch
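Review bot: The diffstat in the vendored patch lists `NEWS | 3 +++` and "3 files changed", but only the two parse_iso_intervals hunks follow, so the stat no longer describes the patch; rpm's %patch ignores it, but anyone running `git apply --stat` or comparing against the upstream commit will see a mismatch, so either regenerate the stat or add a line under the Subject such as `(NEWS hunk dropped for the RHEL backport)`. The loop guard `} while (!s->errors->error_count && *ptr);` is applied identically to the generated .c and the .re source, which is what keeps a re2c regeneration from reintroducing the over-read; the enclosing parser function starts and ends outside both hunks.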
@@ -0,0 +1,213 @@
+From 89f864c547014646e71862df3664e3ff33d7143d Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 18 Feb 2014 13:54:33 +0100
+Subject: [PATCH] Fixed Bug #66731 file: infinite recursion
+
+Upstream commit (available in file-5.17)
+
+https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
+https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70
+---
+ ext/fileinfo/libmagic/ascmagic.c | 2 +-
+ ext/fileinfo/libmagic/file.h | 2 +-
+ ext/fileinfo/libmagic/funcs.c | 2 +-
+ ext/fileinfo/libmagic/softmagic.c | 8 ++++---
+ ext/fileinfo/tests/cve-2014-1943.phpt | 39 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 47 insertions(+), 6 deletions(-)
+ create mode 100644 ext/fileinfo/tests/cve-2014-1943.phpt
+
+diff --git a/ext/fileinfo/libmagic/ascmagic.c b/ext/fileinfo/libmagic/ascmagic.c
+index 2090097..c0041df 100644
+--- a/ext/fileinfo/libmagic/ascmagic.c
++++ b/ext/fileinfo/libmagic/ascmagic.c
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
+ == NULL)
+ goto done;
+ if ((rv = file_softmagic(ms, utf8_buf,
+- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
+ rv = -1;
+ }
+
+diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h
+index 19b6872..ab5082d 100644
+--- a/ext/fileinfo/libmagic/file.h
++++ b/ext/fileinfo/libmagic/file.h
+@@ -437,7 +437,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
+ unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+- int, int);
++ size_t, int, int);
+ protected int file_apprentice(struct magic_set *, const char *, int);
+ protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
+ protected uint64_t 
file_signextend(struct magic_set *, struct magic *,
+diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
+index 9c0d2bd..011ca42 100644
+--- a/ext/fileinfo/libmagic/funcs.c
++++ b/ext/fileinfo/libmagic/funcs.c
+@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
+ 
+ /* try soft magic tests */
+ if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
+ looks_text)) != 0) {
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ (void)fprintf(stderr, "softmagic %d\n", m);
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 0671fa9..7c5f628 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
+ /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+- int mode, int text)
++ size_t level, int mode, int text)
+ {
+ struct mlist *ml;
+ int rv, printed_something = 0, need_separator = 0;
+ for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
+ if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
+- text, 0, 0, &printed_something, &need_separator,
++ text, 0, level, &printed_something, &need_separator,
+ NULL)) != 0)
+ return rv;
+ 
+@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ break;
+ 
+ case FILE_INDIRECT:
++ if (offset == 0)
++ return 0;
+ if (nbytes < offset)
+ return 0;
+ sbuf = ms->o.buf;
+@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ ms->o.buf = NULL;
+ ms->offset = 0;
+ rv = file_softmagic(ms, s + offset, nbytes - offset,
+- BINTEST, text);
++ recursion_level, BINTEST, text);
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ fprintf(stderr, "indirect 
@offs=%u[%d]\n", offset, rv);
+ rbuf = ms->o.buf;
+diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
+new file mode 100644
+index 0000000..b2e9c17
+--- /dev/null
++++ b/ext/fileinfo/tests/cve-2014-1943.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++Bug #66731: file: infinite recursion
++--SKIPIF--
++(1.b) indirect x\n";
++
++file_put_contents($fd, $a);
++$fi = finfo_open(FILEINFO_NONE);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++
++file_put_contents($fd, $b);
++file_put_contents($fm, $m);
++$fi = finfo_open(FILEINFO_NONE, $fm);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++?>
++Done
++--CLEAN--
++
++--EXPECTF--
++string(%d) "%s"
++
++Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
++bool(false)
++Done
+--
+1.8.4.3
+
+From 10eb0070700382f966bf260e44135e1f724a15d2 Mon Sep 17 00:00:00 2001
+From: Anatol Belski
+Date: Thu, 20 Feb 2014 18:53:53 +0100
+Subject: [PATCH] fixed leak introduced after CVE/upgrade
+
+---
+ ext/fileinfo/libmagic/softmagic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 7c5f628..33970e5 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -1701,6 +1701,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ return -1;
+ if (file_printf(ms, "%s", rbuf) == -1)
+ return -1;
++ }
++ if (rbuf) {
+ efree(rbuf);
+ }
+ return rv;
+--
+1.8.4.3
+
+From 731013ee8e9cf405101d4fd584214fadb1c1d390 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 4 Mar 2014 13:41:37 +0100
+Subject: [PATCH] Improves fix for memory leak, keep in sync with upstream.
+
+Previous fix:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb0070700382f966bf260e44135e1f724a15d2
+
+Upstream fix:
+https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9
+---
+ ext/fileinfo/libmagic/softmagic.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 33970e5..82a470a 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -1696,11 +1696,19 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ ms->o.buf = sbuf;
+ ms->offset = soffset;
+ if (rv == 1) {
+- if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+- file_printf(ms, m->desc, offset) == -1)
+- return -1;
+- if (file_printf(ms, "%s", rbuf) == -1)
++ if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
++ file_printf(ms, m->desc, offset) == -1) {
++ if (rbuf) {
++ efree(rbuf);
++ }
++ return -1;
++ }
++ if (file_printf(ms, "%s", rbuf) == -1) {
++ if (rbuf) {
++ efree(rbuf);
++ }
+ return -1;
++ }
+ }
+ if (rbuf) {
+ efree(rbuf);
+--
+1.8.4.3
+
diff --git a/SOURCES/php-5.4.16-CVE-2014-2270.patch b/SOURCES/php-5.4.16-CVE-2014-2270.patch
new file mode 100644
index 0000000..1923b66
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-2270.patch
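Review bot: The FILE_INDIRECT branch of mget() now passes `recursion_level` into file_softmagic(), which forwards it to match() as its recursion_level argument, but nothing in the hunk bounds that value; the fix holds only if match() already refuses to descend past a depth limit, which the quoted file-5.17 commits suggest but which is not visible here, so a comment at the `recursion_level, BINTEST, text);` call, `/* depth is enforced in match(); the offset == 0 guard above stops the trivial self-reference */`, would make the invariant explicit. The `if (offset == 0) return 0;` guard catches only an indirect that points back at its own start, so indirection chains through other offsets are caught solely by that depth limit. The third patch in the series repeats `if (rbuf) { efree(rbuf); }` on both error paths of the same branch; a single fall-through cleanup would be less fragile, but since the series is explicitly kept in sync with upstream, leaving it as written is defensible. mget() and file_softmagic() both extend beyond the hunk, and the new phpt's --FILE-- section is partly missing in this view.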
@@ -0,0 +1,168 @@
+From a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 4 Mar 2014 20:32:52 +0100
+Subject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo
+
+Upstream fix:
+https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
+
+Notice, test changed, with upstream agreement:
+-define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
++define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
+---
+ ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 82a470a..21fea6b 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
++
+ /*
+ * softmagic - lookup one file in parsed, in-memory copy of database
+ * Passed the name and FILE * of one file to be typed.
+@@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ }
+ switch (cvt_flip(m->in_type, flip)) {
+ case FILE_BYTE:
+- if (nbytes < (offset + 1))
++ if (OFFSET_OOB(nbytes, offset, 1))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_BESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_LESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_SHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ break;
+ case FILE_BELONG:
+ case FILE_BEID3:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ break;
+ case FILE_LELONG:
+ case FILE_LEID3:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_MELONG:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_LONG:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1630,14 +1632,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ /* Verify we have enough data to match magic type */
+ switch (m->type) {
+ case FILE_BYTE:
+- if (nbytes < (offset + 1)) /* should alway be true */
++ if (OFFSET_OOB(nbytes, offset, 1))
+ return 0;
+ break;
+ 
+ case FILE_SHORT:
+ case FILE_BESHORT:
+ case FILE_LESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ break;
+ 
+@@ -1656,33 +1658,33 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ case FILE_FLOAT:
+ case FILE_BEFLOAT:
+ case FILE_LEFLOAT:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ break;
+ 
+ case FILE_DOUBLE:
+ case FILE_BEDOUBLE:
+ case FILE_LEDOUBLE:
+- if (nbytes < (offset + 8))
++ if (OFFSET_OOB(nbytes, offset, 8))
+ return 0;
+ break;
+ 
+ case FILE_STRING:
+ case FILE_PSTRING:
+ case FILE_SEARCH:
+- if (nbytes < (offset + m->vallen))
++ if (OFFSET_OOB(nbytes, offset, m->vallen))
+ return 0;
+ break;
+ 
+ case FILE_REGEX:
+- if (nbytes < offset)
++ if (OFFSET_OOB(nbytes, offset, 0))
+ return 0;
+ break;
+ 
+ case FILE_INDIRECT:
+ if (offset == 0)
+ return 0;
+- if (nbytes < offset)
++ if (OFFSET_OOB(nbytes, offset, 0))
+ return 0;
+ sbuf = ms->o.buf;
+ soffset = ms->offset;
+@@ -1716,7 +1718,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ return rv;
+ 
+ case FILE_USE:
+- if (nbytes < offset)
++ if (OFFSET_OOB(nbytes, offset, 0))
+ return 0;
+ sbuf = m->value.s;
+ if (*sbuf == '^') {
+--
+1.8.4.3
+
diff --git a/SPECS/php.spec b/SPECS/php.spec
index d9f0f09..8870edd 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
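Review bot: The new `#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))` carries no comment, and its shape is the whole fix: testing `(n) < (o)` first and then comparing `i` against the remaining length avoids the `offset + i` sum of the old `if (nbytes < (offset + 4))` form, which can wrap when offset is near the top of its type (offset's declared type is outside the hunk, so that is inferred from the bug title). A comment above the define, `/* true when i bytes at offset o do not fit in n bytes; subtraction form so o + i cannot overflow */`, would record that, and a second line could note the `>` vs `>=` choice that the commit message says was agreed with upstream. The macro evaluates each argument more than once, which is harmless for the plain lvalues and `m->vallen` used here but worth keeping in mind for any future caller with side effects. All the rewritten checks sit inside mget(), which starts and ends outside the hunk.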
@@ -67,7 +67,8 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.16 -Release: 7%{?dist} +# Only odd release to avoid conflicts with even release used by php54 SCL +Release: 21%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -127,6 +128,10 @@ Patch60: php-5.4.16-pdotests.patch # Security fixes Patch100: php-5.4.17-CVE-2013-4013.patch Patch101: php-5.4.16-CVE-2013-4248.patch +Patch102: php-5.4.16-CVE-2013-6420.patch +Patch104: php-5.4.16-CVE-2014-1943.patch +Patch105: php-5.4.16-CVE-2013-6712.patch +Patch106: php-5.4.16-CVE-2014-2270.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel @@ -636,6 +641,10 @@ support for using the enchant library to PHP. %patch100 -p1 -b .cve4113 %patch101 -p1 -b .cve4248 +%patch102 -p1 -b .cve6420 +%patch104 -p1 -b .cve1943 +%patch105 -p1 -b .cve6712 +%patch106 -p1 -b .cve2270 # Prevent %%doc confusion over LICENSE files @@ -743,8 +752,8 @@ chmod 644 README.* # php-fpm configuration files for tmpfiles.d echo "d /run/php-fpm 755 root root" >php-fpm.tmpfiles -# bring in newer config.guess and config.sub for aarch64 support -cp -f /usr/lib/rpm/config.{guess,sub} . +# bring in newer Red Hat config.guess and config.sub for aarch64/ppc64p7 support +cp -f /usr/lib/rpm/redhat/config.{guess,sub} . %build @@ -760,6 +769,9 @@ touch configure.in ./buildconf --force CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -Wno-pointer-sign" +%ifarch ppc64 +CFLAGS="$CFLAGS -O3" +%endif export CFLAGS # Install extension modules in %{_libdir}/php/modules. 
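Review bot: The Patch tags added in the `Patch101:` hunk jump from `Patch102` to `Patch104`, and nothing explains the gap; if 103 is held for a patch that only the php54 SCL build carries, a comment such as `# Patch103 reserved for the php54 SCL build` next to the tags prevents the number from being reused, otherwise renumbering keeps the list contiguous (the `%patch102`/`%patch104` lines in the `%patch101` hunk would then change in step). The `%ifarch ppc64` / `CFLAGS="$CFLAGS -O3"` addition in the `%build` hunk changes the optimisation level on one architecture with the rationale living only in the changelog; `# -O3 on ppc64 works around #1051073` on the `%ifarch` line keeps the reason next to the flag. The Release bump to `21%{?dist}` should also be checked against the changelog hunk further down, whose three newest entries are labelled 5.5.16 while `Version:` stays 5.4.16, which rpmlint will report as an incoherent changelog version.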
@@ -1407,6 +1419,35 @@ fi %changelog +* Fri Mar 7 2014 Remi Collet - 5.5.16-21 +- fix out-of-bounds memory access in fileinfo CVE-2014-2270 + +* Fri Feb 21 2014 Remi Collet - 5.5.16-19 +- fix memory leak introduce in patch for CVE-2014-1943 +- fix heap-based buffer over-read in DateInterval CVE-2013-6712 + +* Wed Feb 19 2014 Remi Collet - 5.5.16-17 +- fix infinite recursion in fileinfo CVE-2014-1943 + +* Fri Jan 24 2014 Daniel Mach - 5.4.16-15 +- Mass rebuild 2014-01-24 + +* Wed Jan 15 2014 Honza Horak - 5.4.16-14 +- Rebuild for mariadb-libs + Related: #1045013 + +* Fri Jan 10 2014 Remi Collet - 5.4.16-13 +- build with -O3 on ppc64 #1051073 + +* Thu Jan 9 2014 Remi Collet - 5.4.16-11 +- use correct config.{guess,sub} for ppc64p7 #1048892 + +* Fri Dec 27 2013 Daniel Mach - 5.4.16-10 +- Mass rebuild 2013-12-27 + +* Fri Dec 6 2013 Remi Collet - 5.4.16-9 +- add security fix for CVE-2013-6420 + * Mon Nov 4 2013 Remi Collet - 5.4.16-7 - fix for non x86 build #1023796