diff --git a/SOURCES/php-5.5.6-CVE-2014-0207.patch b/SOURCES/php-5.5.6-CVE-2014-0207.patch
new file mode 100644
index 0000000..62424a7
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-0207.patch
@@ -0,0 +1,32 @@
+From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 3 Jun 2014 11:05:00 +0200
+Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient
+ boundary check
+
+Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
+Only revelant part applied
+---
+ ext/fileinfo/libmagic/cdf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 4712e84..16649f1 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -367,10 +367,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+ size_t ss = CDF_SHORT_SEC_SIZE(h);
+ size_t pos = CDF_SHORT_SEC_POS(h, id);
+ assert(ss == len);
+- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ SIZE_T_FORMAT "u\n",
+- pos, CDF_SEC_SIZE(h) * sst->sst_len));
++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ return -1;
+ }
+ (void)memcpy(((char *)buf) + offs,
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-0237.patch b/SOURCES/php-5.5.6-CVE-2014-0237.patch
new file mode 100644
index 0000000..760c5c1
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-0237.patch
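Review bot: In the new `if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len)` guard in cdf_read_short_sector, `pos + len` is an unsigned sum of two values derived from the file (the sector id and the caller's length), so it can wrap below the bound and let the memcpy that follows read outside the stream buffer; a subtraction-form check cannot wrap: `if (pos > CDF_SEC_SIZE(h) * sst->sst_len || len > CDF_SEC_SIZE(h) * sst->sst_len - pos) {`. The `assert(ss == len)` just above is the only tie between `len` and the short-sector size and disappears under NDEBUG, so `len` should not be trusted on the strength of the assert alone; whether the caller validates it is outside the hunk, as is the rest of cdf_read_short_sector. The patch header's "revelant" should read "relevant".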
@@ -0,0 +1,52 @@
+From 68ce2d0ea6da79b12a365e375e1c2ce882c77480 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 26 May 2014 17:50:14 -0700
+Subject: [PATCH] Fix bug #67328 (fileinfo: numerous file_printf calls
+ resulting in performance degradation)
+
+Upstream patch: https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
+---
+ ext/fileinfo/libmagic/cdf.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index dd7177e..8dacd2f 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -942,7 +942,7 @@ int
+ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
+ {
+- size_t i, maxcount;
++ size_t maxcount;
+ const cdf_summary_info_header_t *si =
+ CAST(const cdf_summary_info_header_t *, sst->sst_tab);
+ const cdf_section_declaration_t *sd =
+@@ -957,21 +957,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ ssi->si_os = CDF_TOLE2(si->si_os);
+ ssi->si_class = si->si_class;
+ cdf_swap_class(&ssi->si_class);
+- ssi->si_count = CDF_TOLE2(si->si_count);
++ ssi->si_count = CDF_TOLE4(si->si_count);
+ *count = 0;
+ maxcount = 0;
+ *info = NULL;
+- for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
+- if (i >= CDF_LOOP_LIMIT) {
+- DPRINTF(("Unpack summary info loop limit"));
+- errno = EFTYPE;
+- return -1;
+- }
+- if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
+- info, count, &maxcount) == -1) {
++ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
++ count, &maxcount) == -1)
+ return -1;
+- }
+- }
+ return 0;
+ }
+
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-0238.patch b/SOURCES/php-5.5.6-CVE-2014-0238.patch
new file mode 100644
index 0000000..1cd8f16
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-0238.patch
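Review bot: The rewritten tail of cdf_unpack_summary_info reads a single section declaration through `sd->sd_offset` while still filling `ssi->si_count`, and nothing in the hunk says why the loop over si_count is gone, which invites someone to put it back; a one-line comment would record it: `/* Only the first section is unpacked: the removed loop re-read the same sd_offset si_count times, which was pure overhead (bug #67328). */`. The switch from CDF_TOLE2 to CDF_TOLE4 for `si_count` is presumably a width correction, but the declared widths of `si->si_count` and `ssi->si_count` are outside the hunk and should be confirmed to be 32-bit so the wider load does not truncate on assignment. The function's declarations between the two hunks are not shown.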
@@ -0,0 +1,39 @@
+From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 26 May 2014 17:42:18 -0700
+Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
+
+Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
+---
+ ext/fileinfo/libmagic/cdf.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 8dacd2f..4712e84 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
+ if (inp[i].pi_type & CDF_VECTOR) {
+ nelements = CDF_GETUINT32(q, 1);
++ if (nelements == 0) {
++ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++ goto out;
++ }
+ o = 2;
+ } else {
+ nelements = 1;
+@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ }
+ DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+ nelements));
+- for (j = 0; j < nelements; j++, i++) {
++ for (j = 0; j < nelements && i < sh.sh_properties;
++ j++, i++)
++ {
+ uint32_t l = CDF_GETUINT32(q, o);
+ inp[i].pi_str.s_len = l;
+ inp[i].pi_str.s_buf = (const char *)
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-2497.patch b/SOURCES/php-5.5.6-CVE-2014-2497.patch
new file mode 100644
index 0000000..6b605e7
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-2497.patch
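Review bot: The new `i < sh.sh_properties` bound on the string-vector loop stops silently when a CDF_VECTOR claims more elements than there are property slots left, whereas the `nelements == 0` case added in the first hunk treats the file as malformed and jumps to `out`; if a short vector is not something valid files produce, the truncated case deserves the same treatment, e.g. after the loop `if (j < nelements) { DPRINTF(("CDF_VECTOR truncated\n")); goto out; }`. Whether the loop may leave `i` equal to `sh.sh_properties` depends on how the enclosing `for (i …)` adjusts `i` after this block, which is outside the hunk. cdf_read_property_info starts and ends outside both hunks.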
@@ -0,0 +1,40 @@
+From cf4753691dc55999373d1c576f62ecb298723420 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Mon, 4 Aug 2014 10:42:39 +0200
+Subject: [PATCH] Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
+
+Upstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704
+
+Notice: this fix don't manage monochrome/monovisual values
+but just fix the security issue CVE-2014-2497
+failing when trying to load such an image
+---
+ ext/gd/libgd/gdxpm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c
+index 73f86e5..b69414e 100644
+--- a/ext/gd/libgd/gdxpm.c
++++ b/ext/gd/libgd/gdxpm.c
+@@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename)
+ if (ret != XpmSuccess) {
+ return 0;
+ }
++ number = image.ncolors;
++ for(i = 0; i < number; i++) {
++ if (!image.colorTable[i].c_color) {
++ goto done;
++ }
++ }
+ 
+ if (!(im = gdImageCreate(image.width, image.height))) {
+ goto done;
+ }
+ 
+- number = image.ncolors;
+ colors = (int *) safe_emalloc(number, sizeof(int), 0);
+ for (i = 0; i < number; i++) {
+ switch (strlen (image.colorTable[i].c_color)) {
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3478.patch b/SOURCES/php-5.5.6-CVE-2014-3478.patch
new file mode 100644
index 0000000..9e09d3a
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3478.patch
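Review bot: The pre-check loop added to gdImageCreateFromXpm reaches `goto done` before `im` is assigned, so on that path the function returns whatever `im` held at entry; that is only correct if `im` is initialised to 0 at its declaration, which lies above the hunk and should be confirmed. The loop also rejects the image without saying why, leaving the reason in the commit message only; a comment on the loop keeps it with the code: `/* Entries with a NULL c_color (monochrome/greyscale-only XPM) are not handled; reject the file rather than dereference NULL in the strlen() below. */`. The `done:` label and the rest of the function are outside the hunk.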
@@ -0,0 +1,41 @@
+From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 10 Jun 2014 14:02:36 +0200
+Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
+ truncated pascal string size
+
+Upstream
+https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+---
+ ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 21fea6b..01e4977 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ return 1;
+ }
+ case FILE_PSTRING: {
+- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++ size_t sz = file_pstring_length_size(m);
++ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ size_t len = file_pstring_get_length(m, ptr1);
+- if (len >= sizeof(p->s))
+- len = sizeof(p->s) - 1;
++ if (len >= sizeof(p->s)) {
++ /*
++ * The size of the pascal string length (sz)
++ * is 1, 2, or 4. We need at least 1 byte for NUL
++ * termination, but we've already truncated the
++ * string by p->s, so we need to deduct sz.
++ */
++ len = sizeof(p->s) - sz;
++ }
+ while (len--)
+ *ptr1++ = *ptr2++;
+ *ptr1 = '\0';
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3479.patch b/SOURCES/php-5.5.6-CVE-2014-3479.patch
new file mode 100644
index 0000000..27c0204
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3479.patch
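Review bot: The FILE_PSTRING branch of mconvert still shifts the string down with a hand-rolled forward copy through overlapping `ptr1`/`ptr2`, which is only correct because `ptr1 < ptr2`; `memmove(p->s, p->s + sz, len); p->s[len] = '\0';` says that outright and removes the loop. The new `len = sizeof(p->s) - sz` is right for the 1, 2 or 4 byte sizes the comment lists, but nothing in the hunk enforces that `file_pstring_length_size` cannot return more than that, so the comment's premise is worth pinning with an `assert(sz <= 4)` or a clamp next to it. mconvert starts and ends outside the hunk.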
@@ -0,0 +1,37 @@
+From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 10 Jun 2014 14:13:14 +0200
+Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset
+ insufficient boundary check
+
+Upstream:
+https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
+---
+ ext/fileinfo/libmagic/cdf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 16649f1..c9a5d50 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
+ {
+ const char *b = (const char *)sst->sst_tab;
+ const char *e = ((const char *)p) + tail;
++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ (void)&line;
+- if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ return 0;
+ DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
+ " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++ ss * sst->sst_len, ss, sst->sst_len));
+ errno = EFTYPE;
+ return -1;
+ }
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3480.patch b/SOURCES/php-5.5.6-CVE-2014-3480.patch
new file mode 100644
index 0000000..8380dee
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3480.patch
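Review bot: The new bound `ss * sst->sst_len` in cdf_check_stream_offset multiplies two values that, as far as this hunk shows, come from the file's header and directory, so a crafted `sst_len` can wrap the product in size_t and make the check pass for an `e` far beyond the buffer; unless `sst_len` is already bounded when the stream is loaded (not visible here), guard the multiply first: `if (ss == 0 || sst->sst_len > SIZE_MAX / ss) goto fail;` with `fail:` being the existing `errno = EFTYPE; return -1;` tail. The sector-size selection on `sst_dirlen < h->h_min_size_standard_stream` presumably mirrors the choice made where the stream was read; if that logic exists elsewhere in cdf.c, a shared helper would keep the two from drifting apart.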
@@ -0,0 +1,40 @@
+From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 10 Jun 2014 14:22:04 +0200
+Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient
+ boundary check
+
+Upstream:
+https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+---
+ ext/fileinfo/libmagic/cdf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index c9a5d50..ee467a6 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ size_t i, j;
+- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++ / sizeof(maxsector));
+ 
+ DPRINTF(("Chain:"));
+ for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+- if (sid > maxsector) {
+- DPRINTF(("Sector %d > %d\n", sid, maxsector));
++ if (sid >= maxsector) {
++ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3487.patch b/SOURCES/php-5.5.6-CVE-2014-3487.patch
new file mode 100644
index 0000000..3751e8d
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3487.patch
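Review bot: `maxsector` in cdf_count_chain is computed in size_t and then narrowed with `(cdf_secid_t)`; if cdf_secid_t is a signed 32-bit type (its typedef is outside the hunk, and the `%d` in the DPRINTF suggests it is), a large `sat_len * size` either truncates, accepting sector ids beyond the table, or goes negative, rejecting every sector since the loop already requires `sid >= 0`. Comparing in the wide type avoids both: `size_t maxsector = (sat->sat_len * size) / sizeof(cdf_secid_t);` and `if ((size_t)sid >= maxsector) {`, with the DPRINTF format for `maxsector` changed to `%" SIZE_T_FORMAT "u`. The loop body between the two hunks is not shown.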
@@ -0,0 +1,34 @@
+From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 10 Jun 2014 14:33:37 +0200
+Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info
+ insufficient boundary chec
+
+Upstream:
+https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
+
+Adapted for C standard.
+---
+ ext/fileinfo/libmagic/cdf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index ee467a6..429f3b9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ goto out;
+ for (i = 0; i < sh.sh_properties; i++) {
+- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++ size_t ofs, tail = (i << 1) + 1;
++ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++ __LINE__) == -1)
++ goto out;
++ ofs = CDF_GETUINT32(p, tail);
+ q = (const uint8_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3515.patch b/SOURCES/php-5.5.6-CVE-2014-3515.patch
new file mode 100644
index 0000000..7d5bee5
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3515.patch
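Review bot: The new `cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), __LINE__)` in cdf_read_property_info only validates up to the first byte of the word that `CDF_GETUINT32(p, tail)` then reads; if, as its name suggests, that macro loads the 32-bit element at index `tail`, the check has to cover the element's last byte as well: `if (cdf_check_stream_offset(sst, h, p, (tail + 1) * sizeof(uint32_t),`. As written, a property table whose stream ends exactly at `p + tail * 4` passes the `<=` test inside cdf_check_stream_offset and the load runs four bytes past the buffer. The loop body and the function continue outside the hunk.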
@@ -0,0 +1,68 @@ +From a374dfab567ff7f0ab0dc150f14cc891b0340b47 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 21 Jun 2014 19:46:16 -0700 +Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject / + SPLObjectStorage Type Confusion + +--- + ext/spl/spl_array.c | 2 +- + ext/spl/spl_observer.c | 2 +- + ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index c4b237b..c38065f 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -1789,7 +1789,7 @@ SPL_METHOD(Array, unserialize) + ++p; + + ALLOC_INIT_ZVAL(pmembers); +- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { + zval_ptr_dtor(&pmembers); + goto outexcept; + } +diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c +index 57ddf49..f493154 100644 +--- a/ext/spl/spl_observer.c ++++ b/ext/spl/spl_observer.c +@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize) + ++p; + + ALLOC_INIT_ZVAL(pmembers); +- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { + zval_ptr_dtor(&pmembers); + goto outexcept; + } +diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt +index a525317..8f0676d 100644 +--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt ++++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt +@@ -7,6 +7,7 @@ $badblobs = array( + 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', + 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', + 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', 
++'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"', + ); + foreach($badblobs as $blob) { + try { +@@ -17,6 +18,7 @@ try { + echo $e->getMessage()."\n"; + } + } ++echo "DONE\n"; + --EXPECTF-- + Error at offset 6 of 34 bytes + Error at offset 46 of 89 bytes +@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) { + } + } + } +- ++Error at offset 79 of 78 bytes ++DONE +-- +1.9.2 + diff --git a/SOURCES/php-5.5.6-CVE-2014-3538.patch b/SOURCES/php-5.5.6-CVE-2014-3538.patch new file mode 100644 index 0000000..f002def --- /dev/null +++ b/SOURCES/php-5.5.6-CVE-2014-3538.patch 
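Review bot: The added `|| Z_TYPE_P(pmembers) != IS_ARRAY` in both unserialize methods carries no explanation of why a non-array members payload is now rejected, and the two identical sites in spl_array.c and spl_observer.c will drift if one is edited alone; if, as the bug title suggests, `pmembers` is consumed as an array further down, a comment at each site such as `/* members must be an array; any other zval type is a type confusion when used below (bug #67492) */` records the contract. The phpt's expected `Error at offset 79 of 78 bytes` depends on the unserializer reporting a position past the input length, which is pre-existing behaviour rather than something this patch controls, so the test will need updating if that message ever changes. Both SPL_METHOD bodies extend outside their hunks.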
@@ -0,0 +1,184 @@ +From eeaec70758bfc0c0e2c0f8944c8dbeae02866206 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 4 Aug 2014 00:01:57 -0700 +Subject: [PATCH] Fix bug #67705 (extensive backtracking in rule regular + expression) + +--- + NEWS | 4 +++ + ext/fileinfo/data_file.c | 2 +- + ext/fileinfo/libmagic/softmagic.c | 29 +++++++++++------- + ext/fileinfo/magicdata.patch | 62 +++++++++++++++++++++++++++++++++------ + 4 files changed, 76 insertions(+), 21 deletions(-) + +diff --git a/ext/fileinfo/data_file.c b/ext/fileinfo/data_file.c +index fba4edd..15e0fa6 100644 +--- a/ext/fileinfo/data_file.c ++++ b/ext/fileinfo/data_file.c +@@ -115198,7 +115198,7 @@ const unsigned char php_magic_database[2606480] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x40, 0x00, 0x3D, 0x1B, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +-0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5E, 0x5C, 0x73, 0x7B, 0x30, 0x2C, 0x31, 0x30, 0x30, 0x7D, 0x42, 0x45, 0x47, 0x49, 0x4E, 0x5C, + 0x73, 0x7B, 0x30, 0x2C, 0x31, 0x30, 0x30, 0x7D, 0x5B, 0x7B, 0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 01e4977..7e0c856 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -58,7 +58,7 @@ private int32_t mprint(struct magic_set *, struct magic *); + private int32_t moffset(struct magic_set *, struct magic *); + private void mdebug(uint32_t, const char *, size_t); + private int mcopy(struct magic_set *, union VALUETYPE *, int, int, +- const unsigned char 
*, uint32_t, size_t, size_t); ++ const unsigned char *, uint32_t, size_t, struct magic *); + private int mconvert(struct magic_set *, struct magic *, int); + private int print_sep(struct magic_set *, int); + private int handle_annotation(struct magic_set *, struct magic *); +@@ -1003,7 +1003,7 @@ mdebug(uint32_t offset, const char *str, size_t len) + + private int + mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, +- const unsigned char *s, uint32_t offset, size_t nbytes, size_t linecnt) ++ const unsigned char *s, uint32_t offset, size_t nbytes, struct magic *m) + { + /* + * Note: FILE_SEARCH and FILE_REGEX do not actually copy +@@ -1023,15 +1023,24 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, + const char *last; /* end of search region */ + const char *buf; /* start of search region */ + const char *end; +- size_t lines; ++ size_t lines, linecnt, bytecnt; + ++ linecnt = m->str_range; ++ bytecnt = linecnt * 80; ++ ++ if (bytecnt == 0) { ++ bytecnt = 8192; ++ } ++ if (bytecnt > nbytes) { ++ bytecnt = nbytes; ++ } + if (s == NULL) { + ms->search.s_len = 0; + ms->search.s = NULL; + return 0; + } + buf = RCAST(const char *, s) + offset; +- end = last = RCAST(const char *, s) + nbytes; ++ end = last = RCAST(const char *, s) + bytecnt; + /* mget() guarantees buf <= last */ + for (lines = linecnt, b = buf; lines && b < end && + ((b = CAST(const char *, +@@ -1044,7 +1053,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, + b++; + } + if (lines) +- last = RCAST(const char *, s) + nbytes; ++ last = RCAST(const char *, s) + bytecnt; + + ms->search.s = buf; + ms->search.s_len = last - buf; +@@ -1118,7 +1127,6 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + int *need_separator, int *returnval) + { + uint32_t soffset, offset = ms->offset; +- uint32_t count = m->str_range; + int rv, oneed_separator; + char *sbuf, *rbuf; + union VALUETYPE *p = &ms->ms_value; +@@ -1130,13 +1138,12 @@ 
mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + } + + if (mcopy(ms, p, m->type, m->flag & INDIR, s, (uint32_t)(offset + o), +- (uint32_t)nbytes, count) == -1) ++ (uint32_t)nbytes, m) == -1) + return -1; + + if ((ms->flags & MAGIC_DEBUG) != 0) { + fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, o=%zu, " +- "nbytes=%zu, count=%u)\n", m->type, m->flag, offset, o, +- nbytes, count); ++ "nbytes=%zu)\n", m->type, m->flag, offset, o, nbytes); + mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE)); + } + +@@ -1627,7 +1634,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + if ((ms->flags & MAGIC_DEBUG) != 0) + fprintf(stderr, "indirect +offs=%u\n", offset); + } +- if (mcopy(ms, p, m->type, 0, s, offset, nbytes, count) == -1) ++ if (mcopy(ms, p, m->type, 0, s, offset, nbytes, m) == -1) + return -1; + ms->offset = offset; + +@@ -2049,7 +2056,7 @@ magiccheck(struct magic_set *ms, struct magic *m) + zval *retval; + zval *subpats; + char *haystack; +- ++ + MAKE_STD_ZVAL(retval); + ALLOC_INIT_ZVAL(subpats); + +-- +1.9.2 + +From 61ec9b5b0f80bc6016548d48f433fe22e2dc24ec Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 4 Aug 2014 00:08:08 -0700 +Subject: [PATCH] add test + +--- + ext/fileinfo/tests/cve-2014-3538.phpt | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + create mode 100644 ext/fileinfo/tests/cve-2014-3538.phpt + +diff --git a/ext/fileinfo/tests/cve-2014-3538.phpt b/ext/fileinfo/tests/cve-2014-3538.phpt +new file mode 100644 +index 0000000..d6bc9c6 +--- /dev/null ++++ b/ext/fileinfo/tests/cve-2014-3538.phpt +@@ -0,0 +1,35 @@ ++--TEST-- ++Bug #66731: file: extensive backtraking ++--SKIPIF-- ++ ++Done ++--CLEAN-- ++ ++--EXPECTF-- ++string(%d) "%s" ++Ok ++Done +\ No newline at end of file +-- +1.9.2 + diff --git a/SOURCES/php-5.5.6-CVE-2014-3587.patch b/SOURCES/php-5.5.6-CVE-2014-3587.patch new file mode 100644 index 0000000..f0fb74c --- /dev/null 
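Review bot: The patch's own diffstat lists four files (NEWS, data_file.c, softmagic.c, magicdata.patch) but only the data_file.c and softmagic.c diffs are present, so the generated `php_magic_database` byte change is carried without the magicdata.patch source it was regenerated from; if that was deliberate, say so in the header as the CVE-2014-0207 patch does, otherwise the two will disagree at the next regeneration. In mcopy, the new `bytecnt` window is built from two unexplained magic numbers, `linecnt * 80` and `8192`, and is computed before the `s == NULL` early return where it is wasted; named constants with a comment, e.g. `enum { MCOPY_BYTES_PER_LINE = 80, MCOPY_DEFAULT_SEARCH_BYTES = 8192 };`, would make the intended cap (presumably limiting how far a FILE_REGEX rule may scan, per the bug title) reviewable. Moving `linecnt` from a parameter to `m->str_range` means every mcopy caller must pass `m`, which the hunks at 1130 and 1627 do. mcopy and mget both extend beyond the hunks shown.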
+++ b/SOURCES/php-5.5.6-CVE-2014-3587.patch
@@ -0,0 +1,26 @@
+From 7ba1409a1aee5925180de546057ddd84ff267947 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Thu, 14 Aug 2014 17:19:03 -0700
+Subject: [PATCH] Fix bug #67716 - Segfault in cdf.c
+
+---
+ NEWS | 1 +
+ ext/fileinfo/libmagic/cdf.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 429f3b9..2c0a2d9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ q = (const uint8_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
+- if (q > e) {
++ if (q < p || q > e) {
+ DPRINTF(("Ran of the end %p > %p\n", q, e));
+ goto out;
+ }
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3597.patch b/SOURCES/php-5.5.6-CVE-2014-3597.patch
new file mode 100644
index 0000000..cb573a4
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3597.patch
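Review bot: The new `q < p || q > e` test in cdf_read_property_info runs only after `q` has been formed from `p + ofs - 2 * sizeof(uint32_t)` with a file-supplied `ofs`, so the pointer arithmetic can leave the object before the comparison and that is undefined behaviour an optimiser is entitled to fold away; validating the integer first is well-defined, assuming `e` bounds the same buffer as `p`: `if (ofs < 2 * sizeof(uint32_t) || ofs - 2 * sizeof(uint32_t) > (size_t)((const char *)e - (const char *)p))` before computing `q`, with the existing DPRINTF and `goto out` in its body. The DPRINTF text `Ran of the end %p > %p` now also fires for the `q < p` case, where it reads wrong. The diffstat lists NEWS but no NEWS hunk is included; cdf_read_property_info continues outside the hunk, where `p`, `q` and `e` are declared.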
@@ -0,0 +1,275 @@ +From 2fefae47716d501aec41c1102f3fd4531f070b05 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 19 Aug 2014 08:33:49 +0200 +Subject: [PATCH] Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597 + +Incomplete fix for CVE-2014-4049 + +Check possible buffer overflow +- pass real buffer end to dn_expand calls +- check buffer len before each read +--- + ext/standard/dns.c | 84 ++++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 60 insertions(+), 24 deletions(-) + +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index 214a7dc..0b5e69c 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record) + + #if HAVE_FULL_DNS_FUNCS + ++#define CHECKCP(n) do { \ ++ if (cp + n > end) { \ ++ return NULL; \ ++ } \ ++} while (0) ++ + /* {{{ php_parserr */ +-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) ++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) + { + u_short type, class, dlen; + u_long ttl; +@@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + + *subarray = NULL; + +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); + if (n < 0) { + return NULL; + } + cp += n; + ++ CHECKCP(10); + GETSHORT(type, cp); + GETSHORT(class, cp); + GETLONG(ttl, cp); + GETSHORT(dlen, cp); ++ CHECKCP(dlen); + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + + switch (type) { + case DNS_T_A: ++ CHECKCP(4); + add_assoc_string(*subarray, "type", "A", 1); + snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); + add_assoc_string(*subarray, "ip", name, 1); + cp += 
dlen; + break; + case DNS_T_MX: ++ CHECKCP(2); + add_assoc_string(*subarray, "type", "MX", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + if (type == DNS_T_PTR) { + add_assoc_string(*subarray, "type", "PTR", 1); + } +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + case DNS_T_HINFO: + /* See RFC 1010 for values */ + add_assoc_string(*subarray, "type", "HINFO", 1); ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1); + cp += n; ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "os", (char*)cp, n, 1); + cp += n; + break; + case DNS_T_TXT: + { +- int ll = 0; ++ int l1 = 0, l2 = 0; + zval *entries = NULL; + + add_assoc_string(*subarray, "type", "TXT", 1); +@@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + MAKE_STD_ZVAL(entries); + array_init(entries); + +- while (ll < dlen) { +- n = cp[ll]; +- if ((ll + n) >= dlen) { ++ while (l1 < dlen) { ++ n = cp[l1]; ++ if ((l1 + n) >= dlen) { + // Invalid chunk length, truncate +- n = dlen - (ll + 1); ++ n = dlen - (l1 + 1); ++ } ++ if (n) { ++ memcpy(tp + l2 , cp + l1 + 1, n); ++ add_next_index_stringl(entries, cp + l1 + 1, n, 1); + } +- memcpy(tp + ll , cp + ll + 1, n); +- add_next_index_stringl(entries, cp + ll + 1, n, 1); +- ll = ll + n + 1; ++ l1 = l1 + n + 1; ++ l2 = l2 + n; + } +- tp[dlen] = '\0'; ++ tp[l2] = '\0'; + cp += dlen; + +- add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0); ++ add_assoc_stringl(*subarray, "txt", tp, l2, 0); + add_assoc_zval(*subarray, "entries", entries); + } + break; + case DNS_T_SOA: + 
add_assoc_string(*subarray, "type", "SOA", 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "mname", name, 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "rname", name, 1); ++ CHECKCP(5*4); + GETLONG(n, cp); + add_assoc_long(*subarray, "serial", n); + GETLONG(n, cp); +@@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + break; + case DNS_T_AAAA: + tp = (u_char*)name; ++ CHECKCP(8*2); + for(i=0; i < 8; i++) { + GETSHORT(s, cp); + if (s != 0) { +@@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + case DNS_T_A6: + p = cp; + add_assoc_string(*subarray, "type", "A6", 1); ++ CHECKCP(1); + n = ((int)cp[0]) & 0xFF; + cp++; + add_assoc_long(*subarray, "masklen", n); +@@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + cp++; + } + for (i = (n + 8) / 16; i < 8; i++) { ++ CHECKCP(2); + GETSHORT(s, cp); + if (s != 0) { + if (tp > (u_char *)name) { +@@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + tp[0] = '\0'; + add_assoc_string(*subarray, "ipv6", name, 1); + if (cp < p + dlen) { +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + } + break; + case DNS_T_SRV: ++ CHECKCP(3*2); + add_assoc_string(*subarray, "type", "SRV", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -673,7 +695,7 @@ static u_char 
*php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + add_assoc_long(*subarray, "weight", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "port", n); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int + add_assoc_string(*subarray, "target", name, 1); + break; + case DNS_T_NAPTR: ++ CHECKCP(2*2); + add_assoc_string(*subarray, "type", "NAPTR", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "order", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pref", n); ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1); + cp += n; +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record) + while (an-- && cp && cp < end) { + zval *retval; + +- cp = php_parserr(cp, &answer, type_to_fetch, store_results, raw, &retval); ++ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, raw, &retval); + if (retval != NULL && store_results) { + add_next_index_zval(return_value, retval); + } +@@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record) + while (ns-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, 
authns != NULL, raw, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, raw, &retval); + if (retval != NULL) { + add_next_index_zval(authns, retval); + } +@@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record) + while (ar-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, raw, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, raw, &retval); + if (retval != NULL) { + add_next_index_zval(addtl, retval); + } +-- +1.9.2 + diff --git a/SOURCES/php-5.5.6-CVE-2014-3668.patch b/SOURCES/php-5.5.6-CVE-2014-3668.patch new file mode 100644 index 0000000..c2f622f --- /dev/null +++ b/SOURCES/php-5.5.6-CVE-2014-3668.patch 
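Review bot: The new `CHECKCP(n)` macro in dns.c expands its argument unparenthesised (`cp + n > end`), so a call such as `CHECKCP(dlen - 1)` would still group correctly by luck only, and more importantly `cp + n` with a record-supplied `n` (`CHECKCP(dlen)`, the `CHECKCP(n)` after each HINFO/NAPTR length byte) forms a pointer past the answer buffer before comparing it, which is formally undefined; comparing remaining length instead is both parenthesised and well-defined: `if (cp > end || (size_t)(end - cp) < (size_t)(n)) { return NULL; }`. When the macro returns NULL part-way through a record, `*subarray` may already hold a partially filled zval if it is allocated before the switch (outside the hunks), and dns_get_record's `retval != NULL` test still appends it, so a truncated record is returned rather than dropped — acceptable, but worth a comment on the macro. php_parserr is far larger than the hunks shown; the A6 prefix-byte loop between lines 612 and 648 is not visible.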
@@ -0,0 +1,117 @@
+From 44035de79f5b9646064d9bdd0329a946b0c5372a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 5 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new file mode 100644
+index 0000000..a5c96f1
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug68027.phpt
+@@ -0,0 +1,44 @@
++--TEST--
++Bug #68027 (buffer overflow in mkgmtime() function)
++--SKIPIF--
++
++--FILE--
++$datetime");
++print_r($obj);
++
++$datetime = "34770-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("$datetime");
++print_r($obj);
++
++echo "Done\n";
++?>
++--EXPECTF--
++object(stdClass)#1 (3) {
++ ["scalar"]=>
++ string(16) "6-01-01 20:00:00"
++ ["xmlrpc_type"]=>
++ string(8) "datetime"
++ ["timestamp"]=>
++ int(%d)
++}
++stdClass Object
++(
++ [scalar] => 2001-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %s
++)
++stdClass Object
++(
++ [scalar] => 34770-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %d
++)
++Done
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3669.patch b/SOURCES/php-5.5.6-CVE-2014-3669.patch
new file mode 100644
index 0000000..ea81d60
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3669.patch
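Review bot: The range check added after `tm.tm_mon --;` bounds only the month; tm_mday, tm_hour, tm_min and tm_sec still accept any two-digit value, so a day of 00 or 99 or an hour of 99 reaches the later conversion unchecked. If that conversion (mkgmtime, per the test title; outside this hunk) indexes a table or loops on those fields the way it does on the month, the same class of out-of-bounds access remains; a parallel guard after each loop, e.g. `if(tm.tm_mday < 1 || tm.tm_mday > 31) { return -1; }`, would close it. The macro now reads up to text[16] with no length check visible in the hunk; date_from_ISO8601's entry and any earlier strlen() check are outside it, so confirm one exists before relying on the fixed offsets.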
@@ -0,0 +1,62 @@
+Adapted for PHP 5.5.6 from
+
+From 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 28 Sep 2014 14:19:31 -0700
+Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
+ only)
+
+---
+ ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
+ ext/standard/var_unserializer.c | 4 ++--
+ ext/standard/var_unserializer.re | 2 +-
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug68044.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
+new file mode 100644
+index 0000000..031e44e
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68044.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #68044 Integer overflow in unserialize() (32-bits only)
++--FILE--
++
++===DONE==
++--EXPECTF--
++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
++
++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
++===DONE==
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 657051f..8129da3 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -369,7 +369,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 1307508..6de1583 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -375,7 +375,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0
|| (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3670.patch b/SOURCES/php-5.5.6-CVE-2014-3670.patch
new file mode 100644
index 0000000..d9856f6
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3670.patch
@@ -0,0 +1,36 @@
+bug68113.phpt removed as binary patch not supported
+
+From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 28 Sep 2014 16:57:42 -0700
+Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
+
+---
+ ext/exif/exif.c | 4 ++--
+ ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes
+ ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100755 ext/exif/tests/bug68113.jpg
+ create mode 100644 ext/exif/tests/bug68113.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 38907b4..637ebf9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
+ data_ptr += 8;
+ break;
+ case TAG_FMT_SINGLE:
+- memmove(data_ptr, &info_data->value.f, byte_count);
++ memmove(data_ptr, &info_value->f, 4);
+ data_ptr += 4;
+ break;
+ case TAG_FMT_DOUBLE:
+- memmove(data_ptr, &info_data->value.d, byte_count);
++ memmove(data_ptr, &info_value->d, 8);
+ data_ptr += 8;
+ break;
+ }
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3710.patch b/SOURCES/php-5.5.6-CVE-2014-3710.patch
new file mode 100644
index 0000000..48fbe6d
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3710.patch
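Review bot: The rewritten condition `if (datalen < 0 || (max - (*p)) <= datalen)` carries no comment on why the pointer-difference form replaced the pointer sum, so a later cleanup could "simplify" it back to `(*p) + datalen >= max` and reintroduce the 32-bit wrap the commit title describes. Suggest `/* compare remaining bytes, not (*p) + datalen: the pointer sum can wrap on 32-bit targets */` above the check in var_unserializer.re, and the same line in the generated var_unserializer.c, which must stay in sync with it. The enclosing object_custom body starts and ends outside both hunks.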
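Review bot: `info_value` is not declared anywhere in the hunk, whereas the replaced lines used `info_data->value`; the new code presumably relies on a per-element pointer set up earlier in exif_ifd_make_value (outside the hunk), which is worth confirming in this 5.5.6 tree because the patch header says the regression test bug68113.phpt was dropped, so nothing in %check exercises this path. The literal 4 and 8 match the `data_ptr += 4` / `data_ptr += 8` advances and are the actual fix; a short comment such as `/* SINGLE/DOUBLE are fixed 4/8-byte fields; do not use byte_count here */` would stop someone reverting to byte_count for symmetry with the other cases.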
@@ -0,0 +1,35 @@
+From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Wed, 22 Oct 2014 15:37:04 +0200
+Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
+ headers
+
+Upstream commit
+https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
+
+CVE -2014-3710
+---
+ ext/fileinfo/libmagic/readelf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
+index 1c3845f..bb6f70f 100644
+--- a/ext/fileinfo/libmagic/readelf.c
++++ b/ext/fileinfo/libmagic/readelf.c
+@@ -372,6 +372,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
+ uint32_t namesz, descsz;
+ unsigned char *nbuf = CAST(unsigned char *, vbuf);
+
++ if (xnh_sizeof + offset > size) {
++ /*
++ * We're out of note headers.
++ */
++ return xnh_sizeof + offset;
++ }
++
+ (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ offset += xnh_sizeof;
+
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4049.patch b/SOURCES/php-5.5.6-CVE-2014-4049.patch
new file mode 100644
index 0000000..c614d43
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4049.patch
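Review bot: The new guard `if (xnh_sizeof + offset > size)` computes the sum in size_t, so a large `offset` (supplied by donote's callers, which are outside the hunk) could wrap and pass the check. The subtraction form `if (size < xnh_sizeof || offset > size - xnh_sizeof)` cannot overflow and is otherwise equivalent. The early return hands back `xnh_sizeof + offset`, a value past `size`; the comment only says the headers are exhausted, so state that the caller treats an offset beyond size as the stop condition if that is the intent.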
@@ -0,0 +1,30 @@
+From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
+From: Sara Golemon
+Date: Tue, 10 Jun 2014 11:18:02 -0700
+Subject: [PATCH] Fix potential segfault in dns_get_record()
+
+If the remote sends us a packet with a malformed TXT record,
+we could end up trying to over-consume the packet and wander
+off into overruns.
+---
+ ext/standard/dns.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 6a89446..214a7dc 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+
+ while (ll < dlen) {
+ n = cp[ll];
++ if ((ll + n) >= dlen) {
++ // Invalid chunk length, truncate
++ n = dlen - (ll + 1);
++ }
+ memcpy(tp + ll , cp + ll + 1, n);
+ add_next_index_stringl(entries, cp + ll + 1, n, 1);
+ ll = ll + n + 1;
+--
+1.9.3
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4670.patch b/SOURCES/php-5.5.6-CVE-2014-4670.patch
new file mode 100644
index 0000000..96cbb64
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4670.patch
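Review bot: The added clamp repairs a malformed TXT chunk silently rather than rejecting it: with `n = dlen - (ll + 1)` the loop still consumes the record and a truncated string is returned with no diagnostic, so callers cannot tell a short chunk from a valid one. If truncation is the intended behaviour, say why in the comment, e.g. `/* chunk length runs past the RDATA; clamp so the memcpy below stays inside tp and cp */`. The rest of php_parserr and the declared types of ll, n and dlen are outside the hunk, so the signedness of the subtraction should be confirmed there.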
@@ -0,0 +1,67 @@
+From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
+From: Xinchen Hui
+Date: Wed, 2 Jul 2014 17:45:09 +0800
+Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
+
+---
+ NEWS | 3 +++
+ ext/spl/spl_dllist.c | 7 +++++--
+ ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug67538.phpt
+
+diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
+index 39a0733..0b44d41 100644
+--- a/ext/spl/spl_dllist.c
++++ b/ext/spl/spl_dllist.c
+@@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
+
+ #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
+ efree(elem); \
+- elem = NULL; \
+ }
+
+ #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
+ efree(elem); \
+- elem = NULL; \
+ }
+
+ #define SPL_LLIST_ADDREF(elem) (elem)->rc++
+@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
+ llist->dtor(element TSRMLS_CC);
+ }
+
++ if (intern->traverse_pointer == element) {
++ SPL_LLIST_DELREF(element);
++ intern->traverse_pointer = NULL;
++ }
++
+ zval_ptr_dtor((zval **)&element->data);
+ element->data = NULL;
+
+diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
+new file mode 100644
+index 0000000..b6f3848
+--- /dev/null
++++ b/ext/spl/tests/bug67538.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #67538 (SPL Iterators use-after-free)
++--FILE--
++push('a');
++$list->push('b');
++
++$list->rewind();
++$list->offsetUnset(0);
++$list->push('b');
++$list->offsetUnset(0);
++$list->next();
++echo "okey";
++?>
++--EXPECTF--
++okey
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4698.patch b/SOURCES/php-5.5.6-CVE-2014-4698.patch
new file mode 100644
index 0000000..750e400
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4698.patch
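Review bot: `zval_ptr_dtor((zval **)&element->data)` runs after the new `SPL_LLIST_DELREF(element)`, so the block is only safe if the list's own reference keeps `element->rc` above zero at that point; since the same hunk removes `elem = NULL;` from the macro, a zero count would now leave a dangling pointer rather than NULL and the dereference would be a use-after-free. A comment stating the invariant, e.g. `/* drop only the iterator's reference; the list still owns element until it releases it itself */`, would document that. Removing `elem = NULL;` also affects every other SPL_LLIST_DELREF / SPL_LLIST_CHECK_DELREF caller (outside the hunk), which must no longer read the pointer after the macro. As a style point, both macros expand to a bare `if (...) { ... }`, so `if (c) SPL_LLIST_DELREF(e); else ...` binds the else to the macro's if; wrapping them in `do { ... } while (0)` avoids that. The diffstat lists a NEWS change that is not in the patch body.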
@@ -0,0 +1,61 @@
+From 51c38a09970c1f8395e68500c0b2ed1b3c9a6786 Mon Sep 17 00:00:00 2001
+From: Xinchen Hui
+Date: Wed, 2 Jul 2014 17:57:42 +0800
+Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
+ change during sorting)
+
+---
+ ext/spl/spl_array.c | 7 +++++++
+ ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 ext/spl/tests/bug67539.phpt
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index bf034ab..ec9ce21 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -1726,6 +1726,7 @@ SPL_METHOD(Array, unserialize)
+ const unsigned char *p, *s;
+ php_unserialize_data_t var_hash;
+ zval *pmembers, *pflags = NULL;
++ HashTable *aht;
+ long flags;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+@@ -1737,6 +1738,12 @@ SPL_METHOD(Array, unserialize)
+ return;
+ }
+
++ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
++ if (aht->nApplyCount > 0) {
++ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
++ return;
++ }
++
+ /* storage */
+ s = p = (const unsigned char*)buf;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
+new file mode 100644
+index 0000000..8bab2a8
+--- /dev/null
++++ b/ext/spl/tests/bug67539.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
++--FILE--
++unserialize($GLOBALS['it']->serialize());
++ return TRUE;
++}
++
++$it->uksort('badsort');
++--EXPECTF--
++Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4721.patch b/SOURCES/php-5.5.6-CVE-2014-4721.patch
new file mode 100644
index 0000000..a5ecaf9
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4721.patch
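Review bot: The new guard dereferences `aht` without a NULL check; if spl_array_get_hash_table() can fail for a malformed object (its contract is outside the hunk), `aht->nApplyCount` is a NULL dereference, so either confirm it never returns NULL or test `if (!aht || aht->nApplyCount > 0)`. A one-line comment on what nApplyCount signals would help the next reader, e.g. `/* nApplyCount > 0: a sort callback is still iterating this table, so its storage must not be replaced now */`. The remainder of the unserialize method, including the code that installs the new storage, is outside the hunk.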
@@ -0,0 +1,61 @@
+From 3804c0d00fa6e629173fb1c8c61f8f88d5fe39b9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 23 Jun 2014 00:19:37 -0700
+Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
+ Vulnerability
+
+---
+ ext/standard/info.c | 8 ++++----
+ ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/general_functions/bug67498.phpt
+
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 03ced35..0626a70 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
+@@ -863,16 +863,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
+
+ php_info_print_table_start();
+ php_info_print_table_header(2, "Variable", "Value");
+- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) ==
IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
+ }
+ php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
+diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
+new file mode 100644
+index 0000000..5b5951b
+--- /dev/null
++++ b/ext/standard/tests/general_functions/bug67498.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-5120.patch b/SOURCES/php-5.5.6-CVE-2014-5120.patch
new file mode 100644
index 0000000..a42ac7c
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-5120.patch
@@ -0,0 +1,29 @@
+From 1daa4c0090b7cd8178dcaa96287234c69ac6ca18 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 18 Aug 2014 22:49:10 -0700
+Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
+ functions
+
+---
+ ext/gd/gd_ctx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index 59eff80..253b664 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ RETURN_FALSE;
+ }
+ } else if (Z_TYPE_P(to_zval) == IS_STRING) {
++ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
++ RETURN_FALSE;
++ }
++
+ stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
+ if (stream == NULL) {
+ RETURN_FALSE;
+--
+1.9.2
+
diff --git a/SPECS/php.spec b/SPECS/php.spec
index f76673b..61971f2 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
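Review bot: The four rewritten `if (zend_hash_find(...) != FAILURE && Z_TYPE_PP(data) == IS_STRING)` lines repeat the same lookup-and-type-check pattern, which is how the original type confusion slipped in once per variable; folding them into one static helper keeps the IS_STRING check in a single place. The hash lookup itself is unchanged, and the values come from the user-controllable symbol table, which is why the type test must precede Z_STRVAL_PP. php_print_info continues outside the hunk.
```c
/* Print one symbol-table variable as a row, but only if it is a string:
 * the table is user-controlled, so Z_STRVAL_PP must not run on other types. */
static void php_info_print_string_var(const char *name, uint name_len TSRMLS_DC)
{
	zval **data;

	if (zend_hash_find(&EG(symbol_table), name, name_len, (void **) &data) != FAILURE
			&& Z_TYPE_PP(data) == IS_STRING) {
		php_info_print_table_row(2, name, Z_STRVAL_PP(data));
	}
}

/* … unchanged: php_print_info up to php_info_print_table_header … */
	php_info_print_string_var("PHP_SELF", sizeof("PHP_SELF") TSRMLS_CC);
	php_info_print_string_var("PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE") TSRMLS_CC);
	php_info_print_string_var("PHP_AUTH_USER", sizeof("PHP_AUTH_USER") TSRMLS_CC);
	php_info_print_string_var("PHP_AUTH_PW", sizeof("PHP_AUTH_PW") TSRMLS_CC);
```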
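Review bot: The new CHECK_ZVAL_NULL_PATH block has no comment on why it sits in the IS_STRING branch: Z_STRVAL_P(to_zval) is passed to php_stream_open_wrapper as a C string, so an embedded NUL would silently shorten the path that is opened. Suggest `/* the path is handed on as a C string; an embedded NUL would truncate it */` above the if. The other branches of _php_image_output_ctx are outside the hunk.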
@@ -163,7 +163,7 @@ Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.5.6
-Release: 10%{?dist}
+Release: 13%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -221,6 +221,27 @@ Patch105: php-5.5.6-CVE-2013-6712.patch
 Patch106: php-5.5.6-CVE-2013-7327.patch
 Patch107: php-5.5.6-CVE-2014-2270.patch
 Patch108: php-5.5.6-CVE-2013-7345.patch
+Patch109: php-5.5.6-CVE-2014-0237.patch
+Patch110: php-5.5.6-CVE-2014-0238.patch
+Patch111: php-5.5.6-CVE-2014-3479.patch
+Patch112: php-5.5.6-CVE-2014-3480.patch
+Patch113: php-5.5.6-CVE-2014-4721.patch
+Patch114: php-5.5.6-CVE-2014-4049.patch
+Patch115: php-5.5.6-CVE-2014-3515.patch
+Patch116: php-5.5.6-CVE-2014-0207.patch
+Patch117: php-5.5.6-CVE-2014-3487.patch
+Patch118: php-5.5.6-CVE-2014-2497.patch
+Patch119: php-5.5.6-CVE-2014-3478.patch
+Patch120: php-5.5.6-CVE-2014-3538.patch
+Patch121: php-5.5.6-CVE-2014-3587.patch
+Patch122: php-5.5.6-CVE-2014-5120.patch
+Patch123: php-5.5.6-CVE-2014-4698.patch
+Patch124: php-5.5.6-CVE-2014-4670.patch
+Patch125: php-5.5.6-CVE-2014-3597.patch
+Patch126: php-5.5.6-CVE-2014-3668.patch
+Patch127: php-5.5.6-CVE-2014-3669.patch
+Patch128: php-5.5.6-CVE-2014-3670.patch
+Patch129: php-5.5.6-CVE-2014-3710.patch
 # Fixes for tests
@@ -901,6 +922,27 @@ support for using the enchant library to PHP.
 %patch106 -p1 -b .cve7327
 %patch107 -p1 -b .cve2270
 %patch108 -p1 -b .cve7345
+%patch109 -p1 -b .cve0237
+%patch110 -p1 -b .cve0238
+%patch111 -p1 -b .cve3479
+%patch112 -p1 -b .cve3480
+%patch113 -p1 -b .cve4721
+%patch114 -p1 -b .cve4049
+%patch115 -p1 -b .cve3515
+%patch116 -p1 -b .cve0207
+%patch117 -p1 -b .cve3487
+%patch118 -p1 -b .cve2497
+%patch119 -p1 -b .cve3478
+%patch120 -p1 -b .cve3538
+%patch121 -p1 -b .cve3587
+%patch122 -p1 -b .cve5120
+%patch123 -p1 -b .cve4698
+%patch124 -p1 -b .cve4670
+%patch125 -p1 -b .cve3597
+%patch126 -p1 -b .cve3668
+%patch127 -p1 -b .cve3669
+%patch128 -p1 -b .cve3670
+%patch129 -p1 -b .cve3710
 # Prevent %%doc confusion over LICENSE files
@@ -1810,6 +1852,47 @@ fi
 %changelog
+* Thu Oct 23 2014 Jan Kaluza - 5.5.6-13
+- fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
+
+* Mon Oct 20 2014 Remi Collet - 5.5.6-12
+- xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
+- core: fix integer overflow in unserialize() CVE-2014-3669
+- exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670
+
+* Wed Oct 8 2014 Remi Collet - 5.5.6-11
+- gd: fix NULL pointer dereference in gdImageCreateFromXpm().
+ CVE-2014-2497
+- gd: fix NUL byte injection in file names. CVE-2014-5120
+- core: fix heap-based buffer overflow in DNS TXT record
+ parsing. CVE-2014-4049
+- network: fix segfault in dns_get_record
+ (incomplete fix for CVE-2014-4049). CVE-2014-3597
+- core: unserialize() SPL ArrayObject / SPLObjectStorage
+ type confusion flaw. CVE-2014-3515
+- core: type confusion issue in phpinfo(). CVE-2014-4721
+- spl: fix use-after-free in ArrayIterator due to object
+ change during sorting. CVE-2014-4698
+- spl: fix use-after-free in SPL Iterators. CVE-2014-4670
+- fileinfo: cdf_unpack_summary_info() excessive looping
+ DoS. CVE-2014-0237
+- fileinfo: CDF property info parsing nelements infinite
+ loop. CVE-2014-0238
+- fileinfo: cdf_read_short_sector insufficient boundary
+ check. CVE-2014-0207
+- fileinfo: fix extensive backtracking in regular expression
+ (incomplete fix for CVE-2013-7345). CVE-2014-3538
+- fileinfo: cdf_check_stream_offset insufficient boundary
+ check. CVE-2014-3479
+- fileinfo: cdf_count_chain insufficient boundary check
+ CVE-2014-3480
+- fileinfo: fix mconvert incorrect handling of truncated
+ pascal string size. CVE-2014-3478
+- fileinfo: cdf_read_property_info insufficient boundary
+ check. CVE-2014-3487
+- fileinfo: fix cdf_read_property_info
+ (incomplete fix for CVE-2012-1571). CVE-2014-3587
+
 * Tue May 13 2014 Remi Collet - 5.5.6-10
 - fileinfo: fix out-of-bounds memory access CVE-2014-2270
 - fileinfo: fix extensive backtracking CVE-2013-7345