diff --git a/SOURCES/php-5.5.6-CVE-2014-0207.patch b/SOURCES/php-5.5.6-CVE-2014-0207.patch
new file mode 100644
index 0000000..62424a7
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-0207.patch
@@ -0,0 +1,32 @@
+From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 3 Jun 2014 11:05:00 +0200
+Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient
+ boundary check
+
+Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
+Only revelant part applied
+---
+ ext/fileinfo/libmagic/cdf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 4712e84..16649f1 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -367,10 +367,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+ size_t ss = CDF_SHORT_SEC_SIZE(h);
+ size_t pos = CDF_SHORT_SEC_POS(h, id);
+ assert(ss == len);
+- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ SIZE_T_FORMAT "u\n",
+- pos, CDF_SEC_SIZE(h) * sst->sst_len));
++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ return -1;
+ }
+ (void)memcpy(((char *)buf) + offs,
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-0237.patch b/SOURCES/php-5.5.6-CVE-2014-0237.patch
new file mode 100644
index 0000000..760c5c1
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-0237.patch
@@ -0,0 +1,52 @@
+From 68ce2d0ea6da79b12a365e375e1c2ce882c77480 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 26 May 2014 17:50:14 -0700
+Subject: [PATCH] Fix bug #67328 (fileinfo: numerous file_printf calls
+ resulting in performance degradation)
+
+Upstream patch: https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
+---
+ ext/fileinfo/libmagic/cdf.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index dd7177e..8dacd2f 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -942,7 +942,7 @@ int
+ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
+ {
+- size_t i, maxcount;
++ size_t maxcount;
+ const cdf_summary_info_header_t *si =
+ CAST(const cdf_summary_info_header_t *, sst->sst_tab);
+ const cdf_section_declaration_t *sd =
+@@ -957,21 +957,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ ssi->si_os = CDF_TOLE2(si->si_os);
+ ssi->si_class = si->si_class;
+ cdf_swap_class(&ssi->si_class);
+- ssi->si_count = CDF_TOLE2(si->si_count);
++ ssi->si_count = CDF_TOLE4(si->si_count);
+ *count = 0;
+ maxcount = 0;
+ *info = NULL;
+- for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
+- if (i >= CDF_LOOP_LIMIT) {
+- DPRINTF(("Unpack summary info loop limit"));
+- errno = EFTYPE;
+- return -1;
+- }
+- if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
+- info, count, &maxcount) == -1) {
++ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
++ count, &maxcount) == -1)
+ return -1;
+- }
+- }
+ return 0;
+ }
+
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-0238.patch b/SOURCES/php-5.5.6-CVE-2014-0238.patch
new file mode 100644
index 0000000..1cd8f16
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-0238.patch
@@ -0,0 +1,39 @@
+From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 26 May 2014 17:42:18 -0700
+Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
+
+Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
+---
+ ext/fileinfo/libmagic/cdf.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 8dacd2f..4712e84 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
+ if (inp[i].pi_type & CDF_VECTOR) {
+ nelements = CDF_GETUINT32(q, 1);
++ if (nelements == 0) {
++ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++ goto out;
++ }
+ o = 2;
+ } else {
+ nelements = 1;
+@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ }
+ DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+ nelements));
+- for (j = 0; j < nelements; j++, i++) {
++ for (j = 0; j < nelements && i < sh.sh_properties;
++ j++, i++)
++ {
+ uint32_t l = CDF_GETUINT32(q, o);
+ inp[i].pi_str.s_len = l;
+ inp[i].pi_str.s_buf = (const char *)
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-2497.patch b/SOURCES/php-5.5.6-CVE-2014-2497.patch
new file mode 100644
index 0000000..6b605e7
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-2497.patch
@@ -0,0 +1,40 @@
+From cf4753691dc55999373d1c576f62ecb298723420 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Mon, 4 Aug 2014 10:42:39 +0200
+Subject: [PATCH] Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference
+
+Upstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704
+
+Notice: this fix don't manage monochrome/monovisual values
+but just fix the security issue CVE-2014-2497
+failing when trying to load such an image
+---
+ ext/gd/libgd/gdxpm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c
+index 73f86e5..b69414e 100644
+--- a/ext/gd/libgd/gdxpm.c
++++ b/ext/gd/libgd/gdxpm.c
+@@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename)
+ if (ret != XpmSuccess) {
+ return 0;
+ }
++ number = image.ncolors;
++ for(i = 0; i < number; i++) {
++ if (!image.colorTable[i].c_color) {
++ goto done;
++ }
++ }
+
+ if (!(im = gdImageCreate(image.width, image.height))) {
+ goto done;
+ }
+
+- number = image.ncolors;
+ colors = (int *) safe_emalloc(number, sizeof(int), 0);
+ for (i = 0; i < number; i++) {
+ switch (strlen (image.colorTable[i].c_color)) {
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3478.patch b/SOURCES/php-5.5.6-CVE-2014-3478.patch
new file mode 100644
index 0000000..9e09d3a
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3478.patch
@@ -0,0 +1,41 @@
+From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:02:36 +0200
+Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
+ truncated pascal string size
+
+Upstream
+https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+---
+ ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 21fea6b..01e4977 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ return 1;
+ }
+ case FILE_PSTRING: {
+- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++ size_t sz = file_pstring_length_size(m);
++ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ size_t len = file_pstring_get_length(m, ptr1);
+- if (len >= sizeof(p->s))
+- len = sizeof(p->s) - 1;
++ if (len >= sizeof(p->s)) {
++ /*
++ * The size of the pascal string length (sz)
++ * is 1, 2, or 4. We need at least 1 byte for NUL
++ * termination, but we've already truncated the
++ * string by p->s, so we need to deduct sz.
++ */
++ len = sizeof(p->s) - sz;
++ }
+ while (len--)
+ *ptr1++ = *ptr2++;
+ *ptr1 = '\0';
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3479.patch b/SOURCES/php-5.5.6-CVE-2014-3479.patch
new file mode 100644
index 0000000..27c0204
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3479.patch
@@ -0,0 +1,37 @@
+From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:13:14 +0200
+Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset
+ insufficient boundary check
+
+Upstream:
+https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
+---
+ ext/fileinfo/libmagic/cdf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 16649f1..c9a5d50 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
+ {
+ const char *b = (const char *)sst->sst_tab;
+ const char *e = ((const char *)p) + tail;
++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ (void)&line;
+- if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ return 0;
+ DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
+ " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++ ss * sst->sst_len, ss, sst->sst_len));
+ errno = EFTYPE;
+ return -1;
+ }
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3480.patch b/SOURCES/php-5.5.6-CVE-2014-3480.patch
new file mode 100644
index 0000000..8380dee
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3480.patch
@@ -0,0 +1,40 @@
+From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:22:04 +0200
+Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient
+ boundary check
+
+Upstream:
+https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+---
+ ext/fileinfo/libmagic/cdf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index c9a5d50..ee467a6 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ size_t i, j;
+- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++ / sizeof(maxsector));
+
+ DPRINTF(("Chain:"));
+ for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+- if (sid > maxsector) {
+- DPRINTF(("Sector %d > %d\n", sid, maxsector));
++ if (sid >= maxsector) {
++ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3487.patch b/SOURCES/php-5.5.6-CVE-2014-3487.patch
new file mode 100644
index 0000000..3751e8d
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3487.patch
@@ -0,0 +1,34 @@
+From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:33:37 +0200
+Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info
+ insufficient boundary chec
+
+Upstream:
+https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
+
+Adapted for C standard.
+---
+ ext/fileinfo/libmagic/cdf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index ee467a6..429f3b9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ goto out;
+ for (i = 0; i < sh.sh_properties; i++) {
+- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++ size_t ofs, tail = (i << 1) + 1;
++ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++ __LINE__) == -1)
++ goto out;
++ ofs = CDF_GETUINT32(p, tail);
+ q = (const uint8_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3515.patch b/SOURCES/php-5.5.6-CVE-2014-3515.patch
new file mode 100644
index 0000000..7d5bee5
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3515.patch
@@ -0,0 +1,68 @@
+From a374dfab567ff7f0ab0dc150f14cc891b0340b47 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 21 Jun 2014 19:46:16 -0700
+Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject /
+ SPLObjectStorage Type Confusion
+
+---
+ ext/spl/spl_array.c | 2 +-
+ ext/spl/spl_observer.c | 2 +-
+ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index c4b237b..c38065f 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -1789,7 +1789,7 @@ SPL_METHOD(Array, unserialize)
+ ++p;
+
+ ALLOC_INIT_ZVAL(pmembers);
+- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ zval_ptr_dtor(&pmembers);
+ goto outexcept;
+ }
+diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
+index 57ddf49..f493154 100644
+--- a/ext/spl/spl_observer.c
++++ b/ext/spl/spl_observer.c
+@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
+ ++p;
+
+ ALLOC_INIT_ZVAL(pmembers);
+- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ zval_ptr_dtor(&pmembers);
+ goto outexcept;
+ }
+diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+index a525317..8f0676d 100644
+--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
++++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+@@ -7,6 +7,7 @@ $badblobs = array(
+ 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
+ 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+ 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
++'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
+ );
+ foreach($badblobs as $blob) {
+ try {
+@@ -17,6 +18,7 @@ try {
+ echo $e->getMessage()."\n";
+ }
+ }
++echo "DONE\n";
+ --EXPECTF--
+ Error at offset 6 of 34 bytes
+ Error at offset 46 of 89 bytes
+@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
+ }
+ }
+ }
+-
++Error at offset 79 of 78 bytes
++DONE
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3538.patch b/SOURCES/php-5.5.6-CVE-2014-3538.patch
new file mode 100644
index 0000000..f002def
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3538.patch
@@ -0,0 +1,184 @@
+From eeaec70758bfc0c0e2c0f8944c8dbeae02866206 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 4 Aug 2014 00:01:57 -0700
+Subject: [PATCH] Fix bug #67705 (extensive backtracking in rule regular
+ expression)
+
+---
+ NEWS | 4 +++
+ ext/fileinfo/data_file.c | 2 +-
+ ext/fileinfo/libmagic/softmagic.c | 29 +++++++++++-------
+ ext/fileinfo/magicdata.patch | 62 +++++++++++++++++++++++++++++++++------
+ 4 files changed, 76 insertions(+), 21 deletions(-)
+
+diff --git a/ext/fileinfo/data_file.c b/ext/fileinfo/data_file.c
+index fba4edd..15e0fa6 100644
+--- a/ext/fileinfo/data_file.c
++++ b/ext/fileinfo/data_file.c
+@@ -115198,7 +115198,7 @@ const unsigned char php_magic_database[2606480] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x40, 0x00, 0x3D, 0x1B, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+-0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x5E, 0x5C, 0x73, 0x7B, 0x30, 0x2C, 0x31, 0x30, 0x30, 0x7D, 0x42, 0x45, 0x47, 0x49, 0x4E, 0x5C,
+ 0x73, 0x7B, 0x30, 0x2C, 0x31, 0x30, 0x30, 0x7D, 0x5B, 0x7B, 0x5D, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 01e4977..7e0c856 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -58,7 +58,7 @@ private int32_t mprint(struct magic_set *, struct magic *);
+ private int32_t moffset(struct magic_set *, struct magic *);
+ private void mdebug(uint32_t, const char *, size_t);
+ private int mcopy(struct magic_set *, union VALUETYPE *, int, int,
+- const unsigned char *, uint32_t, size_t, size_t);
++ const unsigned char *, uint32_t, size_t, struct magic *);
+ private int mconvert(struct magic_set *, struct magic *, int);
+ private int print_sep(struct magic_set *, int);
+ private int handle_annotation(struct magic_set *, struct magic *);
+@@ -1003,7 +1003,7 @@ mdebug(uint32_t offset, const char *str, size_t len)
+
+ private int
+ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+- const unsigned char *s, uint32_t offset, size_t nbytes, size_t linecnt)
++ const unsigned char *s, uint32_t offset, size_t nbytes, struct magic *m)
+ {
+ /*
+ * Note: FILE_SEARCH and FILE_REGEX do not actually copy
+@@ -1023,15 +1023,24 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+ const char *last; /* end of search region */
+ const char *buf; /* start of search region */
+ const char *end;
+- size_t lines;
++ size_t lines, linecnt, bytecnt;
+
++ linecnt = m->str_range;
++ bytecnt = linecnt * 80;
++
++ if (bytecnt == 0) {
++ bytecnt = 8192;
++ }
++ if (bytecnt > nbytes) {
++ bytecnt = nbytes;
++ }
+ if (s == NULL) {
+ ms->search.s_len = 0;
+ ms->search.s = NULL;
+ return 0;
+ }
+ buf = RCAST(const char *, s) + offset;
+- end = last = RCAST(const char *, s) + nbytes;
++ end = last = RCAST(const char *, s) + bytecnt;
+ /* mget() guarantees buf <= last */
+ for (lines = linecnt, b = buf; lines && b < end &&
+ ((b = CAST(const char *,
+@@ -1044,7 +1053,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+ b++;
+ }
+ if (lines)
+- last = RCAST(const char *, s) + nbytes;
++ last = RCAST(const char *, s) + bytecnt;
+
+ ms->search.s = buf;
+ ms->search.s_len = last - buf;
+@@ -1118,7 +1127,6 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ int *need_separator, int *returnval)
+ {
+ uint32_t soffset, offset = ms->offset;
+- uint32_t count = m->str_range;
+ int rv, oneed_separator;
+ char *sbuf, *rbuf;
+ union VALUETYPE *p = &ms->ms_value;
+@@ -1130,13 +1138,12 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ }
+
+ if (mcopy(ms, p, m->type, m->flag & INDIR, s, (uint32_t)(offset + o),
+- (uint32_t)nbytes, count) == -1)
++ (uint32_t)nbytes, m) == -1)
+ return -1;
+
+ if ((ms->flags & MAGIC_DEBUG) != 0) {
+ fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, o=%zu, "
+- "nbytes=%zu, count=%u)\n", m->type, m->flag, offset, o,
+- nbytes, count);
++ "nbytes=%zu)\n", m->type, m->flag, offset, o, nbytes);
+ mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
+ }
+
+@@ -1627,7 +1634,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ fprintf(stderr, "indirect +offs=%u\n", offset);
+ }
+- if (mcopy(ms, p, m->type, 0, s, offset, nbytes, count) == -1)
++ if (mcopy(ms, p, m->type, 0, s, offset, nbytes, m) == -1)
+ return -1;
+ ms->offset = offset;
+
+@@ -2049,7 +2056,7 @@ magiccheck(struct magic_set *ms, struct magic *m)
+ zval *retval;
+ zval *subpats;
+ char *haystack;
+-
++
+ MAKE_STD_ZVAL(retval);
+ ALLOC_INIT_ZVAL(subpats);
+
+--
+1.9.2
+
+From 61ec9b5b0f80bc6016548d48f433fe22e2dc24ec Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 4 Aug 2014 00:08:08 -0700
+Subject: [PATCH] add test
+
+---
+ ext/fileinfo/tests/cve-2014-3538.phpt | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+ create mode 100644 ext/fileinfo/tests/cve-2014-3538.phpt
+
+diff --git a/ext/fileinfo/tests/cve-2014-3538.phpt b/ext/fileinfo/tests/cve-2014-3538.phpt
+new file mode 100644
+index 0000000..d6bc9c6
+--- /dev/null
++++ b/ext/fileinfo/tests/cve-2014-3538.phpt
+@@ -0,0 +1,35 @@
++--TEST--
++Bug #66731: file: extensive backtraking
++--SKIPIF--
++<?php
++if (!class_exists('finfo'))
++ die('skip no fileinfo extension');
++--FILE--
++<?php
++$fd = __DIR__.'/cve-2014-3538.data';
++
++file_put_contents($fd,
++ 'try:' .
++ str_repeat("\n", 1000000));
++
++$fi = finfo_open(FILEINFO_NONE);
++$t = microtime(true);
++var_dump(finfo_file($fi, $fd));
++$t = microtime(true) - $t;
++finfo_close($fi);
++if ($t < 1) {
++ echo "Ok\n";
++} else {
++ printf("Failed, time=%.2f\n", $t);
++}
++
++?>
++Done
++--CLEAN--
++<?php
++@unlink(__DIR__.'/cve-2014-3538.data');
++?>
++--EXPECTF--
++string(%d) "%s"
++Ok
++Done
+\ No newline at end of file
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3587.patch b/SOURCES/php-5.5.6-CVE-2014-3587.patch
new file mode 100644
index 0000000..f0fb74c
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3587.patch
@@ -0,0 +1,26 @@
+From 7ba1409a1aee5925180de546057ddd84ff267947 Mon Sep 17 00:00:00 2001
+From: Remi Collet <rcollet@redhat.com>
+Date: Thu, 14 Aug 2014 17:19:03 -0700
+Subject: [PATCH] Fix bug #67716 - Segfault in cdf.c
+
+---
+ NEWS | 1 +
+ ext/fileinfo/libmagic/cdf.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 429f3b9..2c0a2d9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ q = (const uint8_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
+- if (q > e) {
++ if (q < p || q > e) {
+ DPRINTF(("Ran of the end %p > %p\n", q, e));
+ goto out;
+ }
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3597.patch b/SOURCES/php-5.5.6-CVE-2014-3597.patch
new file mode 100644
index 0000000..cb573a4
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3597.patch
@@ -0,0 +1,275 @@
+From 2fefae47716d501aec41c1102f3fd4531f070b05 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 19 Aug 2014 08:33:49 +0200
+Subject: [PATCH] Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597
+
+Incomplete fix for CVE-2014-4049
+
+Check possible buffer overflow
+- pass real buffer end to dn_expand calls
+- check buffer len before each read
+---
+ ext/standard/dns.c | 84 ++++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 60 insertions(+), 24 deletions(-)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 214a7dc..0b5e69c 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record)
+
+ #if HAVE_FULL_DNS_FUNCS
+
++#define CHECKCP(n) do { \
++ if (cp + n > end) { \
++ return NULL; \
++ } \
++} while (0)
++
+ /* {{{ php_parserr */
+-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray)
++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray)
+ {
+ u_short type, class, dlen;
+ u_long ttl;
+@@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+
+ *subarray = NULL;
+
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+ cp += n;
+
++ CHECKCP(10);
+ GETSHORT(type, cp);
+ GETSHORT(class, cp);
+ GETLONG(ttl, cp);
+ GETSHORT(dlen, cp);
++ CHECKCP(dlen);
+ if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ cp += dlen;
+ return cp;
+@@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+
+ switch (type) {
+ case DNS_T_A:
++ CHECKCP(4);
+ add_assoc_string(*subarray, "type", "A", 1);
+ snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
+ add_assoc_string(*subarray, "ip", name, 1);
+ cp += dlen;
+ break;
+ case DNS_T_MX:
++ CHECKCP(2);
+ add_assoc_string(*subarray, "type", "MX", 1);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "pri", n);
+@@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ if (type == DNS_T_PTR) {
+ add_assoc_string(*subarray, "type", "PTR", 1);
+ }
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ case DNS_T_HINFO:
+ /* See RFC 1010 for values */
+ add_assoc_string(*subarray, "type", "HINFO", 1);
++ CHECKCP(1);
+ n = *cp & 0xFF;
+ cp++;
++ CHECKCP(n);
+ add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
+ cp += n;
++ CHECKCP(1);
+ n = *cp & 0xFF;
+ cp++;
++ CHECKCP(n);
+ add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
+ cp += n;
+ break;
+ case DNS_T_TXT:
+ {
+- int ll = 0;
++ int l1 = 0, l2 = 0;
+ zval *entries = NULL;
+
+ add_assoc_string(*subarray, "type", "TXT", 1);
+@@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ MAKE_STD_ZVAL(entries);
+ array_init(entries);
+
+- while (ll < dlen) {
+- n = cp[ll];
+- if ((ll + n) >= dlen) {
++ while (l1 < dlen) {
++ n = cp[l1];
++ if ((l1 + n) >= dlen) {
+ // Invalid chunk length, truncate
+- n = dlen - (ll + 1);
++ n = dlen - (l1 + 1);
++ }
++ if (n) {
++ memcpy(tp + l2 , cp + l1 + 1, n);
++ add_next_index_stringl(entries, cp + l1 + 1, n, 1);
+ }
+- memcpy(tp + ll , cp + ll + 1, n);
+- add_next_index_stringl(entries, cp + ll + 1, n, 1);
+- ll = ll + n + 1;
++ l1 = l1 + n + 1;
++ l2 = l2 + n;
+ }
+- tp[dlen] = '\0';
++ tp[l2] = '\0';
+ cp += dlen;
+
+- add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0);
++ add_assoc_stringl(*subarray, "txt", tp, l2, 0);
+ add_assoc_zval(*subarray, "entries", entries);
+ }
+ break;
+ case DNS_T_SOA:
+ add_assoc_string(*subarray, "type", "SOA", 1);
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ if (n < 0) {
+ return NULL;
+ }
+ cp += n;
+ add_assoc_string(*subarray, "mname", name, 1);
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ if (n < 0) {
+ return NULL;
+ }
+ cp += n;
+ add_assoc_string(*subarray, "rname", name, 1);
++ CHECKCP(5*4);
+ GETLONG(n, cp);
+ add_assoc_long(*subarray, "serial", n);
+ GETLONG(n, cp);
+@@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ break;
+ case DNS_T_AAAA:
+ tp = (u_char*)name;
++ CHECKCP(8*2);
+ for(i=0; i < 8; i++) {
+ GETSHORT(s, cp);
+ if (s != 0) {
+@@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ case DNS_T_A6:
+ p = cp;
+ add_assoc_string(*subarray, "type", "A6", 1);
++ CHECKCP(1);
+ n = ((int)cp[0]) & 0xFF;
+ cp++;
+ add_assoc_long(*subarray, "masklen", n);
+@@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ cp++;
+ }
+ for (i = (n + 8) / 16; i < 8; i++) {
++ CHECKCP(2);
+ GETSHORT(s, cp);
+ if (s != 0) {
+ if (tp > (u_char *)name) {
+@@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ tp[0] = '\0';
+ add_assoc_string(*subarray, "ipv6", name, 1);
+ if (cp < p + dlen) {
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ }
+ break;
+ case DNS_T_SRV:
++ CHECKCP(3*2);
+ add_assoc_string(*subarray, "type", "SRV", 1);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "pri", n);
+@@ -673,7 +695,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ add_assoc_long(*subarray, "weight", n);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "port", n);
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ add_assoc_string(*subarray, "target", name, 1);
+ break;
+ case DNS_T_NAPTR:
++ CHECKCP(2*2);
+ add_assoc_string(*subarray, "type", "NAPTR", 1);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "order", n);
+ GETSHORT(n, cp);
+ add_assoc_long(*subarray, "pref", n);
++
++ CHECKCP(1);
+ n = (cp[0] & 0xFF);
+- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
++ cp++;
++ CHECKCP(n);
++ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
+ cp += n;
++
++ CHECKCP(1);
+ n = (cp[0] & 0xFF);
+- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
++ cp++;
++ CHECKCP(n);
++ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
+ cp += n;
++
++ CHECKCP(1);
+ n = (cp[0] & 0xFF);
+- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
++ cp++;
++ CHECKCP(n);
++ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
+ cp += n;
+- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++
++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ if (n < 0) {
+ return NULL;
+ }
+@@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record)
+ while (an-- && cp && cp < end) {
+ zval *retval;
+
+- cp = php_parserr(cp, &answer, type_to_fetch, store_results, raw, &retval);
++ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, raw, &retval);
+ if (retval != NULL && store_results) {
+ add_next_index_zval(return_value, retval);
+ }
+@@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record)
+ while (ns-- > 0 && cp && cp < end) {
+ zval *retval = NULL;
+
+- cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, raw, &retval);
++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, raw, &retval);
+ if (retval != NULL) {
+ add_next_index_zval(authns, retval);
+ }
+@@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record)
+ while (ar-- > 0 && cp && cp < end) {
+ zval *retval = NULL;
+
+- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, raw, &retval);
++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, raw, &retval);
+ if (retval != NULL) {
+ add_next_index_zval(addtl, retval);
+ }
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3668.patch b/SOURCES/php-5.5.6-CVE-2014-3668.patch
new file mode 100644
index 0000000..c2f622f
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3668.patch
@@ -0,0 +1,117 @@
+From 44035de79f5b9646064d9bdd0329a946b0c5372a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 5 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new file mode 100644
+index 0000000..a5c96f1
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug68027.phpt
+@@ -0,0 +1,44 @@
++--TEST--
++Bug #68027 (buffer overflow in mkgmtime() function)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++
++$d = '6-01-01 20:00:00';
++xmlrpc_set_type($d, 'datetime');
++var_dump($d);
++$datetime = "2001-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++$datetime = "34770-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++echo "Done\n";
++?>
++--EXPECTF--
++object(stdClass)#1 (3) {
++ ["scalar"]=>
++ string(16) "6-01-01 20:00:00"
++ ["xmlrpc_type"]=>
++ string(8) "datetime"
++ ["timestamp"]=>
++ int(%d)
++}
++stdClass Object
++(
++ [scalar] => 2001-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %s
++)
++stdClass Object
++(
++ [scalar] => 34770-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %d
++)
++Done
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3669.patch b/SOURCES/php-5.5.6-CVE-2014-3669.patch
new file mode 100644
index 0000000..ea81d60
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3669.patch
@@ -0,0 +1,62 @@
+Adapted for PHP 5.5.6 from
+
+From 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 28 Sep 2014 14:19:31 -0700
+Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
+ only)
+
+---
+ ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
+ ext/standard/var_unserializer.c | 4 ++--
+ ext/standard/var_unserializer.re | 2 +-
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug68044.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
+new file mode 100644
+index 0000000..031e44e
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68044.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #68044 Integer overflow in unserialize() (32-bits only)
++--FILE--
++<?php
++ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
++?>
++===DONE==
++--EXPECTF--
++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
++
++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
++===DONE==
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 657051f..8129da3 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -369,7 +369,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 1307508..6de1583 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -375,7 +375,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3670.patch b/SOURCES/php-5.5.6-CVE-2014-3670.patch
new file mode 100644
index 0000000..d9856f6
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3670.patch
@@ -0,0 +1,36 @@
+bug68113.phpt removed as binary patch not supported
+
+From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 28 Sep 2014 16:57:42 -0700
+Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
+
+---
+ ext/exif/exif.c | 4 ++--
+ ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes
+ ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100755 ext/exif/tests/bug68113.jpg
+ create mode 100644 ext/exif/tests/bug68113.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 38907b4..637ebf9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
+ data_ptr += 8;
+ break;
+ case TAG_FMT_SINGLE:
+- memmove(data_ptr, &info_data->value.f, byte_count);
++ memmove(data_ptr, &info_value->f, 4);
+ data_ptr += 4;
+ break;
+ case TAG_FMT_DOUBLE:
+- memmove(data_ptr, &info_data->value.d, byte_count);
++ memmove(data_ptr, &info_value->d, 8);
+ data_ptr += 8;
+ break;
+ }
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-3710.patch b/SOURCES/php-5.5.6-CVE-2014-3710.patch
new file mode 100644
index 0000000..48fbe6d
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-3710.patch
@@ -0,0 +1,35 @@
+From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Wed, 22 Oct 2014 15:37:04 +0200
+Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
+ headers
+
+Upstream commit
+https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
+
+CVE -2014-3710
+---
+ ext/fileinfo/libmagic/readelf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
+index 1c3845f..bb6f70f 100644
+--- a/ext/fileinfo/libmagic/readelf.c
++++ b/ext/fileinfo/libmagic/readelf.c
+@@ -372,6 +372,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
+ uint32_t namesz, descsz;
+ unsigned char *nbuf = CAST(unsigned char *, vbuf);
+
++ if (xnh_sizeof + offset > size) {
++ /*
++ * We're out of note headers.
++ */
++ return xnh_sizeof + offset;
++ }
++
+ (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ offset += xnh_sizeof;
+
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4049.patch b/SOURCES/php-5.5.6-CVE-2014-4049.patch
new file mode 100644
index 0000000..c614d43
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4049.patch
@@ -0,0 +1,30 @@
+From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
+From: Sara Golemon <pollita@php.net>
+Date: Tue, 10 Jun 2014 11:18:02 -0700
+Subject: [PATCH] Fix potential segfault in dns_get_record()
+
+If the remote sends us a packet with a malformed TXT record,
+we could end up trying to over-consume the packet and wander
+off into overruns.
+---
+ ext/standard/dns.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 6a89446..214a7dc 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+
+ while (ll < dlen) {
+ n = cp[ll];
++ if ((ll + n) >= dlen) {
++ // Invalid chunk length, truncate
++ n = dlen - (ll + 1);
++ }
+ memcpy(tp + ll , cp + ll + 1, n);
+ add_next_index_stringl(entries, cp + ll + 1, n, 1);
+ ll = ll + n + 1;
+--
+1.9.3
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4670.patch b/SOURCES/php-5.5.6-CVE-2014-4670.patch
new file mode 100644
index 0000000..96cbb64
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4670.patch
@@ -0,0 +1,67 @@
+From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
+From: Xinchen Hui <laruence@php.net>
+Date: Wed, 2 Jul 2014 17:45:09 +0800
+Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
+
+---
+ NEWS | 3 +++
+ ext/spl/spl_dllist.c | 7 +++++--
+ ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug67538.phpt
+
+diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
+index 39a0733..0b44d41 100644
+--- a/ext/spl/spl_dllist.c
++++ b/ext/spl/spl_dllist.c
+@@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
+
+ #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
+ efree(elem); \
+- elem = NULL; \
+ }
+
+ #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
+ efree(elem); \
+- elem = NULL; \
+ }
+
+ #define SPL_LLIST_ADDREF(elem) (elem)->rc++
+@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
+ llist->dtor(element TSRMLS_CC);
+ }
+
++ if (intern->traverse_pointer == element) {
++ SPL_LLIST_DELREF(element);
++ intern->traverse_pointer = NULL;
++ }
++
+ zval_ptr_dtor((zval **)&element->data);
+ element->data = NULL;
+
+diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
+new file mode 100644
+index 0000000..b6f3848
+--- /dev/null
++++ b/ext/spl/tests/bug67538.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #67538 (SPL Iterators use-after-free)
++--FILE--
++<?php
++$list = new SplDoublyLinkedList();
++$list->push('a');
++$list->push('b');
++
++$list->rewind();
++$list->offsetUnset(0);
++$list->push('b');
++$list->offsetUnset(0);
++$list->next();
++echo "okey";
++?>
++--EXPECTF--
++okey
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4698.patch b/SOURCES/php-5.5.6-CVE-2014-4698.patch
new file mode 100644
index 0000000..750e400
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4698.patch
@@ -0,0 +1,61 @@
+From 51c38a09970c1f8395e68500c0b2ed1b3c9a6786 Mon Sep 17 00:00:00 2001
+From: Xinchen Hui <laruence@php.net>
+Date: Wed, 2 Jul 2014 17:57:42 +0800
+Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
+ change during sorting)
+
+---
+ ext/spl/spl_array.c | 7 +++++++
+ ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 ext/spl/tests/bug67539.phpt
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index bf034ab..ec9ce21 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -1726,6 +1726,7 @@ SPL_METHOD(Array, unserialize)
+ const unsigned char *p, *s;
+ php_unserialize_data_t var_hash;
+ zval *pmembers, *pflags = NULL;
++ HashTable *aht;
+ long flags;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+@@ -1737,6 +1738,12 @@ SPL_METHOD(Array, unserialize)
+ return;
+ }
+
++ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
++ if (aht->nApplyCount > 0) {
++ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
++ return;
++ }
++
+ /* storage */
+ s = p = (const unsigned char*)buf;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
+new file mode 100644
+index 0000000..8bab2a8
+--- /dev/null
++++ b/ext/spl/tests/bug67539.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
++--FILE--
++<?php
++
++$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
++
++function badsort($a, $b) {
++ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
++ return TRUE;
++}
++
++$it->uksort('badsort');
++--EXPECTF--
++Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
+--
+2.1.0
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-4721.patch b/SOURCES/php-5.5.6-CVE-2014-4721.patch
new file mode 100644
index 0000000..a5ecaf9
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-4721.patch
@@ -0,0 +1,61 @@
+From 3804c0d00fa6e629173fb1c8c61f8f88d5fe39b9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 23 Jun 2014 00:19:37 -0700
+Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
+ Vulnerability
+
+---
+ ext/standard/info.c | 8 ++++----
+ ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/general_functions/bug67498.phpt
+
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 03ced35..0626a70 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
+@@ -863,16 +863,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
+
+ php_info_print_table_start();
+ php_info_print_table_header(2, "Variable", "Value");
+- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
+ }
+- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
+ }
+ php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
+diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
+new file mode 100644
+index 0000000..5b5951b
+--- /dev/null
++++ b/ext/standard/tests/general_functions/bug67498.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
+--
+1.9.2
+
diff --git a/SOURCES/php-5.5.6-CVE-2014-5120.patch b/SOURCES/php-5.5.6-CVE-2014-5120.patch
new file mode 100644
index 0000000..a42ac7c
--- /dev/null
+++ b/SOURCES/php-5.5.6-CVE-2014-5120.patch
@@ -0,0 +1,29 @@
+From 1daa4c0090b7cd8178dcaa96287234c69ac6ca18 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 18 Aug 2014 22:49:10 -0700
+Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
+ functions
+
+---
+ ext/gd/gd_ctx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index 59eff80..253b664 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ RETURN_FALSE;
+ }
+ } else if (Z_TYPE_P(to_zval) == IS_STRING) {
++ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
++ RETURN_FALSE;
++ }
++
+ stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
+ if (stream == NULL) {
+ RETURN_FALSE;
+--
+1.9.2
+
diff --git a/SPECS/php.spec b/SPECS/php.spec
index f76673b..61971f2 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
@@ -163,7 +163,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.5.6
-Release: 10%{?dist}
+Release: 13%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -221,6 +221,27 @@ Patch105: php-5.5.6-CVE-2013-6712.patch
Patch106: php-5.5.6-CVE-2013-7327.patch
Patch107: php-5.5.6-CVE-2014-2270.patch
Patch108: php-5.5.6-CVE-2013-7345.patch
+Patch109: php-5.5.6-CVE-2014-0237.patch
+Patch110: php-5.5.6-CVE-2014-0238.patch
+Patch111: php-5.5.6-CVE-2014-3479.patch
+Patch112: php-5.5.6-CVE-2014-3480.patch
+Patch113: php-5.5.6-CVE-2014-4721.patch
+Patch114: php-5.5.6-CVE-2014-4049.patch
+Patch115: php-5.5.6-CVE-2014-3515.patch
+Patch116: php-5.5.6-CVE-2014-0207.patch
+Patch117: php-5.5.6-CVE-2014-3487.patch
+Patch118: php-5.5.6-CVE-2014-2497.patch
+Patch119: php-5.5.6-CVE-2014-3478.patch
+Patch120: php-5.5.6-CVE-2014-3538.patch
+Patch121: php-5.5.6-CVE-2014-3587.patch
+Patch122: php-5.5.6-CVE-2014-5120.patch
+Patch123: php-5.5.6-CVE-2014-4698.patch
+Patch124: php-5.5.6-CVE-2014-4670.patch
+Patch125: php-5.5.6-CVE-2014-3597.patch
+Patch126: php-5.5.6-CVE-2014-3668.patch
+Patch127: php-5.5.6-CVE-2014-3669.patch
+Patch128: php-5.5.6-CVE-2014-3670.patch
+Patch129: php-5.5.6-CVE-2014-3710.patch
# Fixes for tests
@@ -901,6 +922,27 @@ support for using the enchant library to PHP.
%patch106 -p1 -b .cve7327
%patch107 -p1 -b .cve2270
%patch108 -p1 -b .cve7345
+%patch109 -p1 -b .cve0237
+%patch110 -p1 -b .cve0238
+%patch111 -p1 -b .cve3479
+%patch112 -p1 -b .cve3480
+%patch113 -p1 -b .cve4721
+%patch114 -p1 -b .cve4049
+%patch115 -p1 -b .cve3515
+%patch116 -p1 -b .cve0207
+%patch117 -p1 -b .cve3487
+%patch118 -p1 -b .cve2497
+%patch119 -p1 -b .cve3478
+%patch120 -p1 -b .cve3538
+%patch121 -p1 -b .cve3587
+%patch122 -p1 -b .cve5120
+%patch123 -p1 -b .cve4698
+%patch124 -p1 -b .cve4670
+%patch125 -p1 -b .cve3597
+%patch126 -p1 -b .cve3668
+%patch127 -p1 -b .cve3669
+%patch128 -p1 -b .cve3670
+%patch129 -p1 -b .cve3710
# Prevent %%doc confusion over LICENSE files
@@ -1810,6 +1852,47 @@ fi
%changelog
+* Thu Oct 23 2014 Jan Kaluza <jkaluza@redhat.com> - 5.5.6-13
+- fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
+
+* Mon Oct 20 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-12
+- xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
+- core: fix integer overflow in unserialize() CVE-2014-3669
+- exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670
+
+* Wed Oct 8 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-11
+- gd: fix NULL pointer dereference in gdImageCreateFromXpm().
+ CVE-2014-2497
+- gd: fix NUL byte injection in file names. CVE-2014-5120
+- core: fix heap-based buffer overflow in DNS TXT record
+ parsing. CVE-2014-4049
+- network: fix segfault in dns_get_record
+ (incomplete fix for CVE-2014-4049). CVE-2014-3597
+- core: unserialize() SPL ArrayObject / SPLObjectStorage
+ type confusion flaw. CVE-2014-3515
+- core: type confusion issue in phpinfo(). CVE-2014-4721
+- spl: fix use-after-free in ArrayIterator due to object
+ change during sorting. CVE-2014-4698
+- spl: fix use-after-free in SPL Iterators. CVE-2014-4670
+- fileinfo: cdf_unpack_summary_info() excessive looping
+ DoS. CVE-2014-0237
+- fileinfo: CDF property info parsing nelements infinite
+ loop. CVE-2014-0238
+- fileinfo: cdf_read_short_sector insufficient boundary
+ check. CVE-2014-0207
+- fileinfo: fix extensive backtracking in regular expression
+ (incomplete fix for CVE-2013-7345). CVE-2014-3538
+- fileinfo: cdf_check_stream_offset insufficient boundary
+ check. CVE-2014-3479
+- fileinfo: cdf_count_chain insufficient boundary check
+ CVE-2014-3480
+- fileinfo: fix mconvert incorrect handling of truncated
+ pascal string size. CVE-2014-3478
+- fileinfo: cdf_read_property_info insufficient boundary
+ check. CVE-2014-3487
+- fileinfo: fix cdf_read_property_info
+ (incomplete fix for CVE-2012-1571). CVE-2014-3587
+
* Tue May 13 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-10
- fileinfo: fix out-of-bounds memory access CVE-2014-2270
- fileinfo: fix extensive backtracking CVE-2013-7345