From f9075485f13029d1ae6b7c9fe79a92df78f1e495 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 25 2015 08:02:21 +0000 Subject: import rh-php56-php-5.6.5-7.el7
---
diff --git a/SOURCES/php-5.6.5-CVE-2015-1352.patch b/SOURCES/php-5.6.5-CVE-2015-1352.patch
index 4c8f3e3..5f16565 100644
--- a/SOURCES/php-5.6.5-CVE-2015-1352.patch
+++ b/SOURCES/php-5.6.5-CVE-2015-1352.patch
@@ -25,3 +25,94 @@ index 16ce7bf..eb55777 100644 -- 2.1.4 +From 2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 20 May 2015 08:08:41 +0200 +Subject: [PATCH] Fixed Bug #69667 segfault in php_pgsql_meta_data + +Incomplete fix for #68741 +--- + ext/pgsql/pg_insert_002.phpt | 27 +++++++++++++++++++++++++++ + ext/pgsql/pgsql.c | 9 +++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + create mode 100644 ext/pgsql/pg_insert_002.phpt + +diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c +index 23d55cb..5418b3c 100644 +--- a/ext/pgsql/pgsql.c ++++ b/ext/pgsql/pgsql.c +@@ -5463,7 +5463,11 @@ PHP_PGSQL_API int php_pgsql_meta_data(PGconn *pg_link, const char *table_name, z + + src = estrdup(table_name); + tmp_name = php_strtok_r(src, ".", &tmp_name2); +- ++ if (!tmp_name) { ++ efree(src); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The table name must be specified"); ++ return FAILURE; ++ } + if (!tmp_name2 || !*tmp_name2) { + /* Default schema */ + tmp_name2 = tmp_name; +@@ -6478,7 +6486,8 @@ static int do_exec(smart_str *querystr, int expect, PGconn *pg_link, ulong opt T + + static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const char *table) + { +- char *table_copy, *escaped, *token, *tmp; ++ char *table_copy, *escaped, *tmp; ++ const char *token; + size_t len; + + /* schame.table should be "schame"."table" */ +-- +2.1.4 + +From 3be4e5d71af3d7f495876fabd5a9ce46580e2d0d Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 20 May 2015 14:02:13 +0200 +Subject: [PATCH] move test + +--- + ext/pgsql/pg_insert_002.phpt | 27 --------------------------- + ext/pgsql/tests/pg_insert_002.phpt | 27 +++++++++++++++++++++++++++ + 2 files changed, 27 insertions(+), 27 deletions(-) + delete mode 100644 ext/pgsql/pg_insert_002.phpt + create mode 100644 ext/pgsql/tests/pg_insert_002.phpt + +diff --git a/ext/pgsql/tests/pg_insert_002.phpt b/ext/pgsql/tests/pg_insert_002.phpt +new file mode 100644 +index 
0000000..87d87b8 +--- /dev/null ++++ b/ext/pgsql/tests/pg_insert_002.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++PostgreSQL pg_select() - basic test using schema ++--SKIPIF-- ++ ++--FILE-- ++ 1, 'id2' => 1))); ++} ++?> ++Done ++--EXPECTF-- ++ ++Warning: pg_insert(): The table name must be specified in %s on line %d ++bool(false) ++ ++Warning: pg_insert(): The table name must be specified in %s on line %d ++bool(false) ++ ++Warning: pg_insert(): The table name must be specified in %s on line %d ++bool(false) ++Done +\ No newline at end of file +-- +2.1.4 + diff --git a/SOURCES/php-5.6.5-CVE-2015-2783.patch b/SOURCES/php-5.6.5-CVE-2015-2783.patch new file mode 100644 index 0000000..087ee97 --- /dev/null +++ b/SOURCES/php-5.6.5-CVE-2015-2783.patch 
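Review bot: The `--TEST--` title of the new ext/pgsql/tests/pg_insert_002.phpt reads `PostgreSQL pg_select() - basic test using schema`, but the `--EXPECTF--` block expects warnings from `pg_insert()` and the file is named after pg_insert. The title should name the function under test and the case it pins, for example `PostgreSQL pg_insert() - table name must be specified`, so a failure report points at the guard added to php_pgsql_meta_data. The `--FILE--` body is not fully visible on this page, so the exact inputs the title should mention need checking against the test itself.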
@@ -0,0 +1,255 @@ +From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 15:07:36 -0700 +Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when + parsing Phar) + +--- + ext/phar/phar.c | 65 ++++++++++++++++++++----------------------- + ext/phar/phar_internal.h | 2 +- + ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes + ext/phar/tests/bug69324.phpt | 17 +++++++++++ + 4 files changed, 48 insertions(+), 36 deletions(-) + create mode 100644 ext/phar/tests/bug69324.phar + create mode 100644 ext/phar/tests/bug69324.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index ec82351..bf0c985 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -601,25 +601,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len + * + * data is the serialized zval + */ +-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ + { + const unsigned char *p; +- php_uint32 buf_len; + php_unserialize_data_t var_hash; + +- if (!zip_metadata_len) { +- PHAR_GET_32(*buffer, buf_len); +- } else { +- buf_len = zip_metadata_len; +- } +- +- if (buf_len) { ++ if (zip_metadata_len) { + ALLOC_ZVAL(*metadata); + INIT_ZVAL(**metadata); + p = (const unsigned char*) *buffer; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + +- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_ptr_dtor(metadata); + *metadata = NULL; +@@ -631,19 +624,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR + if (PHAR_G(persist)) { + /* lazy init metadata */ + zval_ptr_dtor(metadata); +- *metadata = (zval *) pemalloc(buf_len, 1); +- memcpy(*metadata, *buffer, buf_len); +- *buffer += 
buf_len; ++ *metadata = (zval *) pemalloc(zip_metadata_len, 1); ++ memcpy(*metadata, *buffer, zip_metadata_len); + return SUCCESS; + } + } else { + *metadata = NULL; + } + +- if (!zip_metadata_len) { +- *buffer += buf_len; +- } +- + return SUCCESS; + } + /* }}}*/ +@@ -664,6 +652,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + phar_entry_info entry; + php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; + php_uint16 manifest_ver; ++ php_uint32 len; + long offset; + int sig_len, register_alias = 0, temp_alias = 0; + char *signature = NULL; +@@ -1029,16 +1018,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + mydata->is_persistent = PHAR_G(persist); + + /* check whether we have meta data, zero check works regardless of byte order */ ++ PHAR_GET_32(buffer, len); + if (mydata->is_persistent) { +- PHAR_GET_32(buffer, mydata->metadata_len); +- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); +- } +- } else { +- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ mydata->metadata_len = len; ++ if(!len) { ++ /* FIXME: not sure why this is needed but removing it breaks tests */ ++ PHAR_GET_32(buffer, len); + } + } ++ if(len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); ++ } ++ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { ++ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ } ++ buffer += len; + + /* set up our manifest */ + zend_hash_init(&mydata->manifest, manifest_count, +@@ -1073,7 +1067,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.manifest_pos = manifest_index; + } + +- if 
(buffer + entry.filename_len + 20 > endbuffer) { ++ if (entry.filename_len + 20 > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + +@@ -1109,19 +1103,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.flags |= PHAR_ENT_PERM_DEF_DIR; + } + ++ PHAR_GET_32(buffer, len); + if (entry.is_persistent) { +- PHAR_GET_32(buffer, entry.metadata_len); +- if (!entry.metadata_len) buffer -= 4; +- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = len; + } else { +- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = 0; ++ } ++ if (len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); ++ } ++ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { ++ pefree(entry.filename, entry.is_persistent); ++ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); + } ++ buffer += len; + + entry.offset = entry.offset_abs = offset; + offset += entry.compressed_filesize; +diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h +index c9306c1..fcfc864 100644 +--- a/ext/phar/phar_internal.h ++++ b/ext/phar/phar_internal.h +@@ -570,7 +570,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len, + char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); + char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); + phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC); +-int phar_parse_metadata(char **buffer, zval 
**metadata, int zip_metadata_len TSRMLS_DC); ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); + void destroy_phar_manifest_entry(void *pDest); + int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); + php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); +-- +2.1.4 + +From 12d3bdee3dfa6605024a72080d8a17c165c5ed24 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 11 Apr 2015 16:42:16 -0700 +Subject: [PATCH] Additional fix for bug #69324 + +Not so happy about duplication but needed due to bug #69429 +--- + ext/phar/phar.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index bf0c985..c5c8b46 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -598,27 +598,28 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len + * + * Meta-data is in this format: + * [len32][data...] 
+- * ++ * + * data is the serialized zval + */ + int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ + { +- const unsigned char *p; + php_unserialize_data_t var_hash; + + if (zip_metadata_len) { ++ const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len); ++ p = p_buff; + ALLOC_ZVAL(*metadata); + INIT_ZVAL(**metadata); +- p = (const unsigned char*) *buffer; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + + if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { ++ efree(p_buff); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_ptr_dtor(metadata); + *metadata = NULL; + return FAILURE; + } +- ++ efree(p_buff); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + + if (PHAR_G(persist)) { +@@ -641,7 +642,7 @@ int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_ + * + * Parse a new one and add it to the cache, returning either SUCCESS or + * FAILURE, and setting pphar to the pointer to the manifest entry +- * ++ * + * This is used by phar_open_from_filename to process the manifest, but can be called + * directly. 
+ */ +@@ -2212,7 +2213,7 @@ last_time: + + /** + * Process a phar stream name, ensuring we can handle any of: +- * ++ * + * - whatever.phar + * - whatever.phar.gz + * - whatever.phar.bz2 +-- +2.1.4 + +From cee97220285fd7b955a58617b3e0300ec104ed87 Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Tue, 14 Apr 2015 15:47:26 +0300 +Subject: [PATCH] Fixed recently introduced memory leak + +--- + ext/phar/phar.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index c5c8b46..223bfe8 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1111,6 +1111,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.metadata_len = 0; + } + if (len > endbuffer - buffer) { ++ pefree(entry.filename, entry.is_persistent); + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { +-- +2.1.4 + diff --git a/SOURCES/php-5.6.5-CVE-2015-3329.patch b/SOURCES/php-5.6.5-CVE-2015-3329.patch new file mode 100644 index 0000000..ffbff30 --- /dev/null +++ b/SOURCES/php-5.6.5-CVE-2015-3329.patch 
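Review bot: The rewritten manifest-entry check `if (entry.filename_len + 20 > endbuffer - buffer)` in phar_parse_pharfile still adds before it compares, so if `filename_len` is a 32-bit unsigned field (its declaration is outside the hunk) a value near the top of its range wraps and passes the test. Comparing against the remaining space avoids the wrap: `if (endbuffer - buffer < 20 || entry.filename_len > (size_t)(endbuffer - buffer) - 20) {`. The same commit also reads a second length with `PHAR_GET_32(buffer, len)` inside the `if(!len)` branch before the `len > endbuffer - buffer` check, and nothing in the hunk shows that four more bytes are known to remain at that point. phar_parse_pharfile starts and ends outside these hunks.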
@@ -0,0 +1,38 @@
+From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 14 Apr 2015 00:03:50 -0700
+Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
+ phar_set_inode)
+
+---
+ ext/phar/phar_internal.h | 9 ++++++---
+ ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
+ ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug69441.phar
+ create mode 100644 ext/phar/tests/bug69441.phpt
+
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index fcfc864..84282d2 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
+@@ -534,10 +534,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
+ {
+ char tmp[MAXPATHLEN];
+ int tmp_len;
++ size_t len;
+
+- tmp_len = entry->filename_len + entry->phar->fname_len;
+- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
+- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
++ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
++ len = MIN(entry->phar->fname_len, tmp_len);
++ memcpy(tmp, entry->phar->fname, len);
++ len = MIN(tmp_len - len, entry->filename_len);
++ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
+ entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
+ }
+ /* }}} */
+--
+2.1.4
+
diff --git a/SOURCES/php-5.6.5-CVE-2015-3330.patch b/SOURCES/php-5.6.5-CVE-2015-3330.patch
new file mode 100644
index 0000000..4e5b963
--- /dev/null
+++ b/SOURCES/php-5.6.5-CVE-2015-3330.patch
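Review bot: In phar_set_inode the second copy still uses the unclamped length as its destination offset, `memcpy(tmp + entry->phar->fname_len, entry->filename, len);`, so when `fname_len` exceeds MAXPATHLEN the pointer is formed past the end of `tmp` even though `len` is 0 by then. Keeping the two clamped lengths in separate variables and offsetting by the first makes the bound visible: `len1 = MIN(entry->phar->fname_len, tmp_len);` followed by `memcpy(tmp + len1, entry->filename, len2);`. The sum `entry->filename_len + entry->phar->fname_len` is also evaluated before the MIN, so it can overflow if both fields are plain `int`; their declarations are not shown in this hunk.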
@@ -0,0 +1,25 @@
+From 809610f5ea38a83b284e1125d1fff129bdd615e7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sat, 4 Apr 2015 15:03:46 -0700
+Subject: [PATCH] Fix bug #68486 and bug #69218 (segfault in apache2handler
+ with apache 2.4)
+
+---
+ sapi/apache2handler/sapi_apache2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c
+index e97f11c..cfebc5f 100644
+--- a/sapi/apache2handler/sapi_apache2.c
++++ b/sapi/apache2handler/sapi_apache2.c
+@@ -688,6 +688,7 @@ zend_first_try {
+ } zend_end_try();
+ }
+ apr_brigade_cleanup(brigade);
++ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
+ } else {
+ ctx->r = parent_req;
+ }
+--
+2.1.4
+
diff --git a/SOURCES/php-5.6.5-CVE-2015-4021.patch b/SOURCES/php-5.6.5-CVE-2015-4021.patch
new file mode 100644
index 0000000..4310ff1
--- /dev/null
+++ b/SOURCES/php-5.6.5-CVE-2015-4021.patch
@@ -0,0 +1,27 @@
+From c27f012b7a447e59d4a704688971cbfa7dddaa74 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Wed, 29 Apr 2015 22:04:20 -0700
+Subject: [PATCH] Fix bug #69453 - don't try to cut empty string
+
+---
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug69453.phpt | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug69453.phpt
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index ca8eafc..d6d63e6 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -425,7 +425,7 @@ bail:
+ entry.filename_len = i;
+ entry.filename = pestrndup(hdr->name, i, myphar->is_persistent);
+
+- if (entry.filename[entry.filename_len - 1] == '/') {
++ if (i > 0 && entry.filename[entry.filename_len - 1] == '/') {
+ /* some tar programs store directories with trailing slash */
+ entry.filename[entry.filename_len - 1] = '\0';
+ entry.filename_len--;
+--
+2.1.4
+
diff --git a/SOURCES/php-5.6.5-CVE-2015-4022.patch b/SOURCES/php-5.6.5-CVE-2015-4022.patch
new file mode 100644
index 0000000..c1a8b39
--- /dev/null
+++ b/SOURCES/php-5.6.5-CVE-2015-4022.patch
@@ -0,0 +1,352 @@ +From ac2832935435556dc593784cd0087b5e576bbe4d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 29 Apr 2015 21:57:33 -0700 +Subject: [PATCH] Fix bug #69545 - avoid overflow when reading list + +--- + ext/ftp/ftp.c | 82 +++++++++++++++++++++++++++++------------------------------ + 1 file changed, 41 insertions(+), 41 deletions(-) + +diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c +index 3ff54ff..53560eb 100644 +--- a/ext/ftp/ftp.c ++++ b/ext/ftp/ftp.c +@@ -188,9 +188,9 @@ ftp_close(ftpbuf_t *ftp) + SSL_shutdown(ftp->ssl_handle); + SSL_free(ftp->ssl_handle); + } +-#endif ++#endif + closesocket(ftp->fd); +- } ++ } + ftp_gc(ftp); + efree(ftp); + return NULL; +@@ -262,7 +262,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) + if (!ftp_getresp(ftp)) { + return 0; + } +- ++ + if (ftp->resp != 234) { + if (!ftp_putcmd(ftp, "AUTH", "SSL")) { + return 0; +@@ -270,7 +270,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) + if (!ftp_getresp(ftp)) { + return 0; + } +- ++ + if (ftp->resp != 334) { + return 0; + } else { +@@ -278,7 +278,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) + ftp->use_ssl_for_data = 1; + } + } +- ++ + ctx = SSL_CTX_new(SSLv23_client_method()); + if (ctx == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create the SSL context"); +@@ -325,8 +325,8 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) + if (!ftp_getresp(ftp)) { + return 0; + } +- +- ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299); ++ ++ ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299); + } + } + #endif +@@ -360,7 +360,7 @@ ftp_reinit(ftpbuf_t *ftp) + { + if (ftp == NULL) { + return 0; +- } ++ } + + ftp_gc(ftp); + +@@ -395,7 +395,7 @@ ftp_syst(ftpbuf_t *ftp) + if (!ftp_putcmd(ftp, "SYST", NULL)) { + return NULL; + } +- if (!ftp_getresp(ftp) || ftp->resp != 215) { ++ if (!ftp_getresp(ftp) || ftp->resp != 215) { + return 
NULL; + } + syst = ftp->inbuf; +@@ -431,14 +431,14 @@ ftp_pwd(ftpbuf_t *ftp) + if (!ftp_putcmd(ftp, "PWD", NULL)) { + return NULL; + } +- if (!ftp_getresp(ftp) || ftp->resp != 257) { ++ if (!ftp_getresp(ftp) || ftp->resp != 257) { + return NULL; + } + /* copy out the pwd from response */ +- if ((pwd = strchr(ftp->inbuf, '"')) == NULL) { ++ if ((pwd = strchr(ftp->inbuf, '"')) == NULL) { + return NULL; + } +- if ((end = strrchr(++pwd, '"')) == NULL) { ++ if ((end = strrchr(++pwd, '"')) == NULL) { + return NULL; + } + ftp->pwd = estrndup(pwd, end - pwd); +@@ -608,7 +608,7 @@ ftp_chmod(ftpbuf_t *ftp, const int mode, const char *filename, const int filenam + if (!ftp_getresp(ftp) || ftp->resp != 200) { + return 0; + } +- ++ + return 1; + } + /* }}} */ +@@ -625,7 +625,7 @@ ftp_alloc(ftpbuf_t *ftp, const long size, char **response) + } + + snprintf(buffer, sizeof(buffer) - 1, "%ld", size); +- ++ + if (!ftp_putcmd(ftp, "ALLO", buffer)) { + return 0; + } +@@ -642,7 +642,7 @@ ftp_alloc(ftpbuf_t *ftp, const long size, char **response) + return 0; + } + +- return 1; ++ return 1; + } + /* }}} */ + +@@ -674,7 +674,7 @@ ftp_type(ftpbuf_t *ftp, ftptype_t type) + if (ftp == NULL) { + return 0; + } +- if (type == ftp->type) { ++ if (type == ftp->type) { + return 1; + } + if (type == FTPTYPE_ASCII) { +@@ -765,7 +765,7 @@ ftp_pasv(ftpbuf_t *ftp, int pasv) + if (!ftp_putcmd(ftp, "PASV", NULL)) { + return 0; + } +- if (!ftp_getresp(ftp) || ftp->resp != 227) { ++ if (!ftp_getresp(ftp) || ftp->resp != 227) { + return 0; + } + /* parse out the IP and port */ +@@ -807,7 +807,7 @@ ftp_get(ftpbuf_t *ftp, php_stream *outstream, const char *path, ftptype_t type, + if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { + goto bail; + } +- ++ + ftp->data = data; + + if (resumepos > 0) { +@@ -900,7 +900,7 @@ ftp_put(ftpbuf_t *ftp, const char *path, php_stream *instream, ftptype_t type, l + if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { + goto bail; + } +- ftp->data = data; ++ ftp->data = data; + + 
if (startpos > 0) { + snprintf(arg, sizeof(arg), "%ld", startpos); +@@ -1101,7 +1101,7 @@ ftp_putcmd(ftpbuf_t *ftp, const char *cmd, const char *args) + + if (strpbrk(cmd, "\r\n")) { + return 0; +- } ++ } + /* build the output buffer */ + if (args && args[0]) { + /* "cmd args\r\n\0" */ +@@ -1247,7 +1247,7 @@ my_send(ftpbuf_t *ftp, php_socket_t s, void *buf, size_t len) + #if HAVE_OPENSSL_EXT + if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) { + sent = SSL_write(ftp->ssl_handle, buf, size); +- } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { ++ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { + sent = SSL_write(ftp->data->ssl_handle, buf, size); + } else { + #endif +@@ -1287,14 +1287,14 @@ my_recv(ftpbuf_t *ftp, php_socket_t s, void *buf, size_t len) + #if HAVE_OPENSSL_EXT + if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) { + nr_bytes = SSL_read(ftp->ssl_handle, buf, len); +- } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { ++ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { + nr_bytes = SSL_read(ftp->data->ssl_handle, buf, len); + } else { + #endif + nr_bytes = recv(s, buf, len, 0); + #if HAVE_OPENSSL_EXT + } +-#endif ++#endif + return (nr_bytes); + } + /* }}} */ +@@ -1511,7 +1511,7 @@ data_accept(databuf_t *data, ftpbuf_t *ftp TSRMLS_DC) + + data_accepted: + #if HAVE_OPENSSL_EXT +- ++ + /* now enable ssl if we need to */ + if (ftp->use_ssl && ftp->use_ssl_for_data) { + ctx = SSL_CTX_new(SSLv23_client_method()); +@@ -1531,23 +1531,23 @@ data_accepted: + SSL_CTX_free(ctx); + return 0; + } +- +- ++ ++ + SSL_set_fd(data->ssl_handle, data->fd); + + if (ftp->old_ssl) { + SSL_copy_session_id(data->ssl_handle, ftp->ssl_handle); + } +- ++ + if (SSL_connect(data->ssl_handle) <= 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "data_accept: SSL/TLS handshake failed"); + 
SSL_shutdown(data->ssl_handle); + SSL_free(data->ssl_handle); + return 0; + } +- ++ + data->ssl_active = 1; +- } ++ } + + #endif + +@@ -1562,14 +1562,14 @@ data_close(ftpbuf_t *ftp, databuf_t *data) + { + #if HAVE_OPENSSL_EXT + SSL_CTX *ctx; +-#endif ++#endif + if (data == NULL) { + return NULL; + } + if (data->listener != -1) { + #if HAVE_OPENSSL_EXT + if (data->ssl_active) { +- ++ + ctx = SSL_get_SSL_CTX(data->ssl_handle); + SSL_CTX_free(ctx); + +@@ -1577,9 +1577,9 @@ data_close(ftpbuf_t *ftp, databuf_t *data) + SSL_free(data->ssl_handle); + data->ssl_active = 0; + } +-#endif ++#endif + closesocket(data->listener); +- } ++ } + if (data->fd != -1) { + #if HAVE_OPENSSL_EXT + if (data->ssl_active) { +@@ -1590,9 +1590,9 @@ data_close(ftpbuf_t *ftp, databuf_t *data) + SSL_free(data->ssl_handle); + data->ssl_active = 0; + } +-#endif ++#endif + closesocket(data->fd); +- } ++ } + if (ftp) { + ftp->data = NULL; + } +@@ -1610,8 +1610,8 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + databuf_t *data = NULL; + char *ptr; + int ch, lastch; +- int size, rcvd; +- int lines; ++ size_t size, rcvd; ++ size_t lines; + char **ret = NULL; + char **entry; + char *text; +@@ -1629,7 +1629,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { + goto bail; + } +- ftp->data = data; ++ ftp->data = data; + + if (!ftp_putcmd(ftp, cmd, path)) { + goto bail; +@@ -1653,7 +1653,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + lines = 0; + lastch = 0; + while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) { +- if (rcvd == -1) { ++ if (rcvd == -1 || rcvd > ((size_t)(-1))-size) { + goto bail; + } + +@@ -1858,7 +1858,7 @@ ftp_nb_put(ftpbuf_t *ftp, const char *path, php_stream *instream, ftptype_t type + if (!ftp_getresp(ftp) || (ftp->resp != 150 && ftp->resp != 125)) { + goto bail; + } +- if ((data = data_accept(data, ftp TSRMLS_CC)) == NULL) { ++ if ((data 
= data_accept(data, ftp TSRMLS_CC)) == NULL) { + goto bail; + } + ftp->data = data; +@@ -1914,7 +1914,7 @@ ftp_nb_continue_write(ftpbuf_t *ftp TSRMLS_DC) + goto bail; + } + ftp->data = data_close(ftp, ftp->data); +- ++ + if (!ftp_getresp(ftp) || (ftp->resp != 226 && ftp->resp != 250)) { + goto bail; + } +-- +2.1.4 + +From 0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 May 2015 17:23:06 -0700 +Subject: [PATCH] improve fix for Bug #69545 + +--- + NEWS | 4 ++++ + ext/ftp/ftp.c | 2 -- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c +index 53560eb..50d8def 100644 +--- a/ext/ftp/ftp.c ++++ b/ext/ftp/ftp.c +@@ -1663,8 +1663,6 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) + for (ptr = data->buf; rcvd; rcvd--, ptr++) { + if (*ptr == '\n' && lastch == '\r') { + lines++; +- } else { +- size++; + } + lastch = *ptr; + } +-- +2.1.4 + diff --git a/SOURCES/php-5.6.5-CVE-2015-4024.patch b/SOURCES/php-5.6.5-CVE-2015-4024.patch new file mode 100644 index 0000000..9b29074 --- /dev/null +++ b/SOURCES/php-5.6.5-CVE-2015-4024.patch 
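Review bot: In ftp_genlist the receive loop now stores the result of my_recv() in `size_t rcvd`, so the error test in `if (rcvd == -1 || rcvd > ((size_t)(-1))-size)` works only because -1 is implicitly converted to the largest size_t value; my_recv's return type is outside the hunk, but the context shows it returning the `recv()`/`SSL_read()` count. Keeping the raw result in a signed local and converting after the sign check states the intent directly, e.g. `if (n < 0 || (size_t)n > SIZE_MAX - size) { goto bail; }` followed by `rcvd = (size_t)n;`. After the follow-up commit removes `size++`, the place where `size` is accumulated is no longer visible in these hunks, so the overflow guard should be checked against that statement. Most other hunks in this patch are trailing-whitespace changes, which makes the two-line security change hard to find; ftp_genlist's body continues outside the hunks.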
@@ -0,0 +1,111 @@ +From 4605d536d23b00813d11cc906bb48d39bdcf5f25 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 9 May 2015 23:04:25 -0700 +Subject: [PATCH] Fixed bug #69364 - use smart_str to assemble strings + +--- + main/rfc1867.c | 51 +++++++++++++++++++++++++++------------------------ + 1 file changed, 27 insertions(+), 24 deletions(-) + +diff --git a/main/rfc1867.c b/main/rfc1867.c +index fab199b..9e2fbd5 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -33,6 +33,7 @@ + #include "php_variables.h" + #include "rfc1867.h" + #include "ext/standard/php_string.h" ++#include "ext/standard/php_smart_str.h" + + #if defined(PHP_WIN32) && !defined(HAVE_ATOLL) + # define atoll(s) _atoi64(s) +@@ -403,8 +404,9 @@ static int find_boundary(multipart_buffer *self, char *boundary TSRMLS_DC) + static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC) + { + char *line; +- mime_header_entry prev_entry = {0}, entry; +- int prev_len, cur_len; ++ mime_header_entry entry = {0}; ++ smart_str buf_value = {0}; ++ char *key = NULL; + + /* didn't find boundary, abort */ + if (!find_boundary(self, self->boundary TSRMLS_CC)) { +@@ -416,11 +418,10 @@ + while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' ) + { + /* add header to table */ +- char *key = line; + char *value = NULL; + + if (php_rfc1867_encoding_translation(TSRMLS_C)) { +- self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); ++ self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); + } + + /* space in the beginning means same header */ +@@ -429,31 +430,33 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T + } + + if (value) { +- *value = 0; +- do { value++; } while(isspace(*value)); +- +- entry.value = estrdup(value); +- entry.key = estrdup(key); +- +- } else if 
(zend_llist_count(header)) { /* If no ':' on the line, add to previous line */ +- +- prev_len = strlen(prev_entry.value); +- cur_len = strlen(line); +- +- entry.value = emalloc(prev_len + cur_len + 1); +- memcpy(entry.value, prev_entry.value, prev_len); +- memcpy(entry.value + prev_len, line, cur_len); +- entry.value[cur_len + prev_len] = '\0'; ++ if(buf_value.c && key) { ++ /* new entry, add the old one to the list */ ++ smart_str_0(&buf_value); ++ entry.key = key; ++ entry.value = buf_value.c; ++ zend_llist_add_element(header, &entry); ++ buf_value.c = NULL; ++ key = NULL; ++ } + +- entry.key = estrdup(prev_entry.key); ++ *value = '\0'; ++ do { value++; } while(isspace(*value)); + +- zend_llist_remove_tail(header); ++ key = estrdup(line); ++ smart_str_appends(&buf_value, value); ++ } else if (buf_value.c) { /* If no ':' on the line, add to previous line */ ++ smart_str_appends(&buf_value, line); + } else { + continue; + } +- ++ } ++ if(buf_value.c && key) { ++ /* add the last one to the list */ ++ smart_str_0(&buf_value); ++ entry.key = key; ++ entry.value = buf_value.c; + zend_llist_add_element(header, &entry); +- prev_entry = entry; + } + + return 1; +@@ -890,7 +893,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + if (count == PG(max_input_vars) + 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } +- ++ + if (php_rfc1867_callback != NULL) { + multipart_event_formdata event_formdata; + +-- +2.1.4 + diff --git a/SOURCES/php-5.6.5-CVE-2015-4025.patch b/SOURCES/php-5.6.5-CVE-2015-4025.patch new file mode 100644 index 0000000..e7c3d19 --- /dev/null +++ b/SOURCES/php-5.6.5-CVE-2015-4025.patch 
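Review bot: The re-added loop `do { value++; } while(isspace(*value));` in multipart_buffer_headers passes a plain `char` to isspace(), and the bytes come from the request's multipart headers, so a byte of 0x80 or above is negative where `char` is signed and the call is undefined. Casting at the call site fixes it: `do { value++; } while (isspace((unsigned char)*value));`. It would also help to add a short comment at the two `zend_llist_add_element(header, &entry)` calls saying that `key` and `buf_value.c` are handed over to the list entry, since that is why both are reset to NULL rather than freed. Parts of the function lie outside the hunks shown.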
@@ -0,0 +1,415 @@ +From be9b2a95adb504abd5acdc092d770444ad6f6854 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 9 May 2015 23:13:06 -0700 +Subject: [PATCH] Fixed bug #69418 - more s->p fixes for filenames + +--- + ext/pcntl/pcntl.c | 74 +++++++++++++++++++++--------------------- + ext/standard/basic_functions.c | 24 +++++++------- + ext/standard/dir.c | 62 +++++++++++++++++------------------ + ext/standard/file.c | 10 +++--- + 4 files changed, 85 insertions(+), 85 deletions(-) + +diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c +index 7a8acaf..6189bdf 100644 +--- a/ext/pcntl/pcntl.c ++++ b/ext/pcntl/pcntl.c +@@ -755,7 +755,7 @@ PHP_FUNCTION(pcntl_exec) + int path_len; + ulong key_num; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|aa", &path, &path_len, &args, &envs) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|aa", &path, &path_len, &args, &envs) == FAILURE) { + return; + } + +diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c +index c3e2230..7d0bfed 100644 +--- a/ext/standard/basic_functions.c ++++ b/ext/standard/basic_functions.c +@@ -5460,7 +5460,7 @@ PHP_FUNCTION(set_include_path) + int new_value_len; + char *old_value; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &new_value, &new_value_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &new_value, &new_value_len) == FAILURE) { + return; + } + +diff --git a/ext/standard/dir.c b/ext/standard/dir.c +index c64f37c..27ffb9d 100644 +--- a/ext/standard/dir.c ++++ b/ext/standard/dir.c +@@ -219,12 +219,12 @@ static void _php_do_opendir(INTERNAL_FUNCTION_PARAMETERS, int createobject) + php_stream_context *context = NULL; + php_stream *dirp; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dirname, &dir_len, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dirname, &dir_len, &zcontext) == FAILURE) { + RETURN_NULL(); + } + + context = 
php_stream_context_from_zval(zcontext, 0); +- ++ + dirp = php_stream_opendir(dirname, REPORT_ERRORS, context); + + if (dirp == NULL) { +@@ -293,11 +293,11 @@ PHP_FUNCTION(chroot) + { + char *str; + int ret, str_len; +- +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) { ++ ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &str, &str_len) == FAILURE) { + RETURN_FALSE; + } +- ++ + ret = chroot(str); + if (ret != 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno); +diff --git a/ext/standard/file.c b/ext/standard/file.c +index 708c3e2..21e1e53 100644 +--- a/ext/standard/file.c ++++ b/ext/standard/file.c +@@ -822,7 +822,7 @@ PHP_FUNCTION(tempnam) + char *p; + int fd; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) { + return; + } + +@@ -1347,7 +1347,7 @@ PHP_FUNCTION(rmdir) + zval *zcontext = NULL; + php_stream_context *context; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dir, &dir_len, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dir, &dir_len, &zcontext) == FAILURE) { + RETURN_FALSE; + } + +-- +2.1.4 + +From 634aa0a2dbf8ec5e6fabb4ee01c6d1355ba7ee67 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 10 May 2015 23:33:44 -0700 +Subject: [PATCH] Update tests + +--- + ext/standard/tests/dir/dir_variation1.phpt | 22 +++++++++++----------- + .../tests/dir/opendir_variation1-win32.phpt | 12 ++++++------ + ext/standard/tests/dir/opendir_variation1.phpt | 12 ++++++------ + .../tests/file/mkdir_rmdir_variation2.phpt | 2 +- + .../tests/file/tempnam_variation3-win32.phpt | 18 +++++++++--------- + ext/standard/tests/file/tempnam_variation3.phpt | 22 ++++++++++++---------- + .../tests/general_functions/include_path.phpt | 4 ++-- + 7 files 
changed, 47 insertions(+), 45 deletions(-) + +diff --git a/ext/standard/tests/dir/dir_variation1.phpt b/ext/standard/tests/dir/dir_variation1.phpt +index abb4719..fff04ba 100644 +--- a/ext/standard/tests/dir/dir_variation1.phpt ++++ b/ext/standard/tests/dir/dir_variation1.phpt +@@ -8,7 +8,7 @@ if (substr(PHP_OS, 0, 3) == 'WIN') { + ?> + --FILE-- + path = $path; +@@ -73,7 +73,7 @@ $inputs = array( + false, + TRUE, + FALSE, +- ++ + // empty data + /*16*/ "", + '', +@@ -83,7 +83,7 @@ $inputs = array( + /*19*/ "$path", + 'string', + $heredoc, +- ++ + // object data + /*22*/ new classA($path), + +@@ -194,7 +194,7 @@ bool(false) + + -- Iteration 18 -- + +-Warning: opendir() expects parameter 1 to be string, array given in %s on line %d ++Warning: opendir() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + + -- Iteration 19 -- +@@ -219,6 +219,6 @@ bool(false) + + -- Iteration 25 -- + +-Warning: opendir() expects parameter 1 to be string, resource given in %s on line %d ++Warning: opendir() expects parameter 1 to be a valid path, resource given in %s on line %d + NULL + ===DONE=== +diff --git a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt +index 14dd361..24dfc96 100644 +--- a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt ++++ b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt +@@ -68,7 +68,7 @@ bool(false) + Warning: mkdir() expects parameter 1 to be a valid path, string given in %s on line %d + bool(false) + +-Warning: rmdir(%s): No such file or directory in %s on line %d ++Warning: rmdir() expects parameter 1 to be a valid path, string given in %s on line %d + bool(false) + + *** Testing mkdir() with miscelleneous input *** +diff --git a/ext/standard/tests/file/tempnam_variation3-win32.phpt b/ext/standard/tests/file/tempnam_variation3-win32.phpt +index fb457cb..cc8194a 100644 +--- a/ext/standard/tests/file/tempnam_variation3-win32.phpt ++++ 
b/ext/standard/tests/file/tempnam_variation3-win32.phpt +@@ -22,9 +22,9 @@ if (!mkdir($file_path)) { + + $file_path = realpath($file_path); + +-/* An array of prefixes */ ++/* An array of prefixes */ + $names_arr = array( +- /* Valid args (casting)*/ ++ /* Valid args (casting)*/ + -1, + TRUE, + FALSE, +@@ -32,17 +32,17 @@ $names_arr = array( + "", + " ", + "\0", +- /* Invalid args */ ++ /* Invalid args */ + array(), + +- /* Valid args*/ ++ /* Valid args*/ + /* prefix with path separator of a non existing directory*/ +- "/no/such/file/dir", ++ "/no/such/file/dir", + "php/php" + ); + + $res_arr = array( +- /* Invalid args */ ++ /* Invalid args */ + true, + true, + true, +@@ -53,7 +53,7 @@ $res_arr = array( + false, + + /* prefix with path separator of a non existing directory*/ +- true, ++ true, + true + ); + +@@ -72,7 +72,7 @@ for( $i=0; $i "; + printf("%o", fileperms($file_name) ); + echo "\n"; +- ++ + echo "File created in => "; + $file_dir = dirname($file_name); +- ++ + if ($file_dir == sys_get_temp_dir()) { + echo "temp dir\n"; + } +@@ -61,7 +61,7 @@ for( $i=0; $i %s/%s + File permissions are => 100600 + File created in => directory specified + -- Iteration 6 -- +-File name is => %s/%s +-File permissions are => 100600 +-File created in => directory specified ++ ++Warning: tempnam() expects parameter 2 to be a valid path, string given in %s on line %d ++-- File is not created -- ++ ++Warning: unlink(): %s in %s on line %d + -- Iteration 7 -- + +-Warning: tempnam() expects parameter 2 to be string, array given in %s on line %d ++Warning: tempnam() expects parameter 2 to be a valid path, array given in %s on line %d + -- File is not created -- + + Warning: unlink(): %s in %s on line %d +diff --git a/ext/standard/tests/general_functions/include_path.phpt b/ext/standard/tests/general_functions/include_path.phpt +index 0392307..8b6626f 100644 +--- a/ext/standard/tests/general_functions/include_path.phpt ++++ b/ext/standard/tests/general_functions/include_path.phpt +@@ 
-41,7 +41,7 @@ var_dump(get_include_path()); + + echo "Done\n"; + ?> +---EXPECTF-- ++--EXPECTF-- + string(1) "." + + Warning: get_include_path() expects exactly 0 parameters, 1 given in %s on line %d +@@ -67,7 +67,7 @@ string(1) "." + NULL + string(1) "." + +-Warning: set_include_path() expects parameter 1 to be string, array given in %s on line %d ++Warning: set_include_path() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + string(1) "." + NULL +-- +2.1.4 + diff --git a/SOURCES/php-5.6.5-bug68819.patch b/SOURCES/php-5.6.5-bug68819.patch new file mode 100644 index 0000000..b93c492 --- /dev/null +++ b/SOURCES/php-5.6.5-bug68819.patch 
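Review bot: The `p` conversions in pcntl_exec, set_include_path and tempnam keep the bare `return;` on parse failure, so a rejected path yields NULL plus a warning, while chroot and rmdir in the same patch use `RETURN_FALSE;` and `_php_do_opendir` uses `RETURN_NULL();`. Callers that only test `=== false` will not treat the rejected path as a failure in the first group. If the project's conventions allow it, switch those three to `RETURN_FALSE;`; otherwise state the NULL return in each function's proto comment, which lies outside these hunks. The updated .phpt expectations for opendir and set_include_path already show `NULL` for a rejected argument.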
@@ -0,0 +1,87 @@ +From f938112c495b0d26572435c0be73ac0bfe642ecd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 4 Apr 2015 15:01:37 -0700 +Subject: [PATCH] Fix bug #68819 (Fileinfo on specific file causes spurious OOM + and/or segfault) + +--- + ext/fileinfo/libmagic/softmagic.c | 3 +++ + ext/fileinfo/tests/bug68819_001.phpt | 18 ++++++++++++++++++ + ext/fileinfo/tests/bug68819_002.phpt | 26 ++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+) + create mode 100644 ext/fileinfo/tests/bug68819_001.phpt + create mode 100644 ext/fileinfo/tests/bug68819_002.phpt + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index e7b7855..54c1a03 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -1072,6 +1072,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, + if (bytecnt > nbytes) { + bytecnt = nbytes; + } ++ if (offset > bytecnt) { ++ offset = bytecnt; ++ } + if (s == NULL) { + ms->search.s_len = 0; + ms->search.s = NULL; +diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt +new file mode 100644 +index 0000000..ce39ee6 +--- /dev/null ++++ b/ext/fileinfo/tests/bug68819_001.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1 ++--SKIPIF-- ++ ++--FILE-- ++buffer($string); ++ ++var_dump($type); ++?> ++--EXPECT-- ++string(60) "ASCII text, with very long lines, with CRLF line terminators" +diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt +new file mode 100644 +index 0000000..cec238d +--- /dev/null ++++ b/ext/fileinfo/tests/bug68819_002.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2 ++--SKIPIF-- ++ ++--FILE-- ++ 8192 ++$string .= str_repeat(chr(rand(32, 127)), 8184); ++ ++// Ending in this string ++$string .= "say"; ++ ++$finfo = new finfo(); ++$type = 
$finfo->buffer($string); ++var_dump($type); ++ ++?> ++--EXPECT-- ++string(60) "ASCII text, with very long lines, with CRLF line terminators" +-- +2.1.4 + diff --git a/SOURCES/php-5.6.5-bug69152.patch b/SOURCES/php-5.6.5-bug69152.patch new file mode 100644 index 0000000..61d753e --- /dev/null +++ b/SOURCES/php-5.6.5-bug69152.patch 
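Review bot: The added clamp `if (offset > bytecnt) { offset = bytecnt; }` in mcopy carries no comment saying which later access it protects, and the function body continues outside the hunk. Presumably the search start is derived from `offset` and its end from `bytecnt`; a line such as `/* keep offset inside the bytecnt window clamped above */` would record the intent for the next backport. In bug68819_002.phpt the input is built with `chr(rand(32, 127))`, so each run uses a different filler byte and 127 (DEL) is not a printable character. A fixed byte, e.g. `str_repeat('a', 8184)`, would make a failure of this regression test reproducible.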
@@ -0,0 +1,75 @@ +From fb83c76deec58f1fab17c350f04c9f042e5977d1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 22 Mar 2015 18:17:47 -0700 +Subject: [PATCH] Check that the type is correct + +--- + ext/standard/incomplete_class.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c +index 1816ac4..30c82e6 100644 +--- a/ext/standard/incomplete_class.c ++++ b/ext/standard/incomplete_class.c +@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen) + + object_properties = Z_OBJPROP_P(object); + +- if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) { ++ if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) { + retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val)); + + if (nlen) { +-- +2.1.4 + +From a894a8155fab068d68a04bf181dbaddfa01ccbb0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 17:30:59 -0700 +Subject: [PATCH] More fixes for bug #69152 + +--- + Zend/zend_exceptions.c | 3 +++ + ext/standard/tests/serialize/bug69152.phpt | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 ext/standard/tests/serialize/bug69152.phpt + +diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c +index bf90ae7..1ca2ead 100644 +--- a/Zend/zend_exceptions.c ++++ b/Zend/zend_exceptions.c +@@ -591,6 +591,9 @@ ZEND_METHOD(exception, getTraceAsString) + str = &res; + + trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC); ++ if(Z_TYPE_P(trace) != IS_ARRAY) { ++ RETURN_FALSE; ++ } + zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num); + + s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1); +diff --git a/ext/standard/tests/serialize/bug69152.phpt 
b/ext/standard/tests/serialize/bug69152.phpt +new file mode 100644 +index 0000000..4e74168 +--- /dev/null ++++ b/ext/standard/tests/serialize/bug69152.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #69152: Type Confusion Infoleak Vulnerability in unserialize() ++--FILE-- ++test(); ++ ++?> ++--EXPECTF-- ++exception 'Exception' in %s:%d ++Stack trace: ++#0 {main} ++ ++Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d +-- +2.1.4 + diff --git a/SOURCES/php-5.6.5-bug69353.patch b/SOURCES/php-5.6.5-bug69353.patch new file mode 100644 index 0000000..4e32ba0 --- /dev/null +++ b/SOURCES/php-5.6.5-bug69353.patch 
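Review bot: The new `Z_TYPE_P(trace) != IS_ARRAY` guard in getTraceAsString validates only the container; each element is still handed to `_build_trace_string` through `zend_hash_apply_with_arguments`, and that callback lies outside the hunk. The test title attributes the bug to unserialize(), so the frames inside the array are presumably as caller-controlled as the property itself. The callback should therefore be confirmed to check that each frame is an array and that the fields it reads have the expected types. A comment above the guard, e.g. `/* "trace" may have been replaced by a non-array value via unserialize(), bug #69152 */`, would also record why the check exists.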
@@ -0,0 +1,597 @@ +From 52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 16:01:24 -0700 +Subject: [PATCH] Fixed bug #69353 (Missing null byte checks for paths in + various PHP extensions) + +--- + ext/dom/document.c | 5 ++++- + ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 5 +++++ + ext/fileinfo/fileinfo.c | 5 +++++ + ext/fileinfo/tests/finfo_file_basic.phpt | 4 ++++ + ext/gd/gd.c | 8 ++++---- + ext/hash/hash.c | 7 ++++++- + ext/hash/tests/hash_hmac_file_error.phpt | 7 +++++++ + ext/pgsql/pgsql.c | 2 +- + ext/standard/link.c | 2 +- + ext/standard/streamsfuncs.c | 2 +- + ext/xmlwriter/php_xmlwriter.c | 4 ++-- + ext/zlib/zlib.c | 4 ++-- + 12 files changed, 42 insertions(+), 13 deletions(-) + +diff --git a/ext/dom/document.c b/ext/dom/document.c +index 18c9cc6..7c5817a 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -1519,6 +1519,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc + xmlInitParser(); + + if (mode == DOM_LOAD_FILE) { ++ if (CHECK_NULL_PATH(source, source_len)) { ++ return NULL; ++ } + char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (file_dest) { + ctxt = xmlCreateFileParserCtxt(file_dest); +@@ -2115,7 +2118,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ + + id = getThis(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { + return; + } + +diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt +index e59ff56..75004e2 100644 +--- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt ++++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt +@@ -13,6 +13,11 @@ assert.bail=true + $doc = new DOMDocument(); + $result = 
$doc->loadHTMLFile(""); + assert('$result === false'); ++$doc = new DOMDocument(); ++$result = $doc->loadHTMLFile("text.html\0something"); ++assert('$result === null'); + ?> + --EXPECTF-- + %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s ++ ++%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s +diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c +index ead7585..9f651af 100644 +--- a/ext/fileinfo/fileinfo.c ++++ b/ext/fileinfo/fileinfo.c +@@ -508,6 +508,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime + RETVAL_FALSE; + goto clean; + } ++ if (CHECK_NULL_PATH(buffer, buffer_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); ++ RETVAL_FALSE; ++ goto clean; ++ } + + wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC); + +diff --git a/ext/fileinfo/tests/finfo_file_basic.phpt b/ext/fileinfo/tests/finfo_file_basic.phpt +index 20223fd..ee70e2e 100644 +--- a/ext/fileinfo/tests/finfo_file_basic.phpt ++++ b/ext/fileinfo/tests/finfo_file_basic.phpt +@@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n"; + var_dump( finfo_file( $finfo, __FILE__) ); + var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); + var_dump( finfo_file( $finfo, $magicFile ) ); ++var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); + + ?> + ===DONE=== +@@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) ); + string(28) "text/x-php; charset=us-ascii" + string(22) "PHP script, ASCII text" + string(25) "text/plain; charset=utf-8" ++ ++Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d ++bool(false) + ===DONE=== +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index cbc1d2b..322325e 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1432,7 +1432,7 @@ PHP_FUNCTION(imageloadfont) + gdFontPtr font; + php_stream *stream; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() 
TSRMLS_CC, "s", &file, &file_name) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) { + return; + } + +@@ -2369,7 +2369,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, + long ignore_warning; + + if (image_type == PHP_GDIMG_TYPE_GD2PART) { +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { + return; + } + if (width < 1 || height < 1) { +@@ -2377,7 +2377,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, + RETURN_FALSE; + } + } else { +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { + return; + } + } +@@ -4046,7 +4046,7 @@ PHP_FUNCTION(imagepsencodefont) + char *enc, **enc_vector; + int enc_len, *f_ind; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) { + return; + } + +diff --git a/ext/hash/hash.c b/ext/hash/hash.c +index abdc62b..9cd6b8e 100644 +--- a/ext/hash/hash.c ++++ b/ext/hash/hash.c +@@ -143,6 +143,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_ + } + if (isfilename) { + if (CHECK_NULL_PATH(data, data_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETURN_FALSE; + } + stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); +@@ -258,6 +259,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename, + RETURN_FALSE; + } + if (isfilename) { ++ if (CHECK_NULL_PATH(data, data_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 
path"); ++ RETURN_FALSE; ++ } + stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); + if (!stream) { + /* Stream will report errors opening file */ +@@ -462,7 +467,7 @@ PHP_FUNCTION(hash_update_file) + char *filename, buf[1024]; + int filename_len, n; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { + return; + } + +diff --git a/ext/hash/tests/hash_hmac_file_error.phpt b/ext/hash/tests/hash_hmac_file_error.phpt +index 42ab122..26ba8aa 100644 +--- a/ext/hash/tests/hash_hmac_file_error.phpt ++++ b/ext/hash/tests/hash_hmac_file_error.phpt +@@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg); + echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n"; + hash_hmac_file('foo', $file, $key, TRUE); + ++echo "\n-- Testing hash_hmac_file() function with bad path --\n"; ++hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); ++ + ?> + ===Done=== + --EXPECTF-- +@@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d + -- Testing hash_hmac_file() function with invalid hash algorithm -- + + Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d ++ ++-- Testing hash_hmac_file() function with bad path -- ++ ++Warning: hash_hmac_file(): Invalid path in %s on line %d + ===Done=== +\ No newline at end of file +diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c +index 7af7e8b..23d55cb 100644 +--- a/ext/pgsql/pgsql.c ++++ b/ext/pgsql/pgsql.c +@@ -3114,7 +3114,7 @@ PHP_FUNCTION(pg_trace) + php_stream *stream; + id = PGG(default_link); + +- if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { ++ if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, 
&mode_len, &pgsql_link) == FAILURE) { + return; + } + +diff --git a/ext/standard/link.c b/ext/standard/link.c +index 0e40a0b..4ed2c5e 100644 +--- a/ext/standard/link.c ++++ b/ext/standard/link.c +@@ -59,7 +59,7 @@ PHP_FUNCTION(readlink) + char buff[MAXPATHLEN]; + int ret; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) { + return; + } + +diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c +index 7ddfc66..4c2837e 100644 +--- a/ext/standard/streamsfuncs.c ++++ b/ext/standard/streamsfuncs.c +@@ -1548,7 +1548,7 @@ PHP_FUNCTION(stream_resolve_include_path) + char *filename, *resolved_path; + int filename_len; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) { + return; + } + +diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c +index 206d82a..7a650e2 100644 +--- a/ext/xmlwriter/php_xmlwriter.c ++++ b/ext/xmlwriter/php_xmlwriter.c +@@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity) + /* }}} */ + #endif + +-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source) ++/* {{{ proto resource xmlwriter_open_uri(string source) + Create new xmlwriter using source uri for output */ + static PHP_FUNCTION(xmlwriter_open_uri) + { +@@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri) + void *ioctx; + #endif + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) { + return; + } + +diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c +index d70198c..ec958e1 100644 +--- a/ext/zlib/zlib.c ++++ b/ext/zlib/zlib.c +@@ -593,7 +593,7 @@ static PHP_FUNCTION(gzopen) + php_stream *stream; + 
long use_include_path = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { + return; + } + +@@ -621,7 +621,7 @@ static PHP_FUNCTION(readgzfile) + int size; + long use_include_path = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) { + return; + } + +-- +2.1.4 + +From a643ccfb90750e0d830106588d2a46af87706b5b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 12 Apr 2015 20:53:09 -0700 +Subject: [PATCH] Fix tests + +--- + ext/gd/tests/imageloadfont_error1.phpt | 6 +++--- + ext/zlib/tests/gzopen_variation1.phpt | 28 ++++++++++++++-------------- + ext/zlib/tests/readgzfile_variation1.phpt | 10 +++++----- + ext/zlib/tests/readgzfile_variation6.phpt | 4 ++-- + 4 files changed, 24 insertions(+), 24 deletions(-) + +diff --git a/ext/gd/tests/imageloadfont_error1.phpt b/ext/gd/tests/imageloadfont_error1.phpt +index 16d1a3c..418bbf3 100644 +--- a/ext/gd/tests/imageloadfont_error1.phpt ++++ b/ext/gd/tests/imageloadfont_error1.phpt +@@ -3,7 +3,7 @@ Testing that imageloadfont() breaks on non-string first parameter + --CREDITS-- + Neveo Harrison #testfest #tek11 + --SKIPIF-- +- + --FILE-- +@@ -11,5 +11,5 @@ Neveo Harrison #testfest #tek11 + var_dump( imageloadfont(array()) ); + ?> + --EXPECTF-- +-Warning: imageloadfont() expects parameter 1 to be string, array given in %s on line %d +-NULL +\ No newline at end of file ++Warning: imageloadfont() expects parameter 1 to be a valid path, array given in %s on line %d ++NULL +diff --git a/ext/zlib/tests/gzopen_variation1.phpt b/ext/zlib/tests/gzopen_variation1.phpt +index c5a47f4..bca48f3 100644 
+--- a/ext/zlib/tests/gzopen_variation1.phpt ++++ b/ext/zlib/tests/gzopen_variation1.phpt +@@ -1,17 +1,17 @@ + --TEST-- +-Test gzopen() function : usage variation ++Test gzopen() function : usage variation + --SKIPIF-- +- + --FILE-- + @$unset_var, +- ++ + // resource variable +- 'resource' => $fp ++ 'resource' => $fp + ); + + // loop through each element of the array for filename +@@ -158,19 +158,19 @@ Error: 2 - gzopen(0.5): failed to open stream: No such file or directory, %s(%d) + bool(false) + + --empty array-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --int indexed array-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --associative array-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --nested arrays-- +-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) + NULL + + --uppercase NULL-- +@@ -210,7 +210,7 @@ Error: 2 - gzopen(Class A object): failed to open stream: No such file or direct + bool(false) + + --instance of classWithoutToString-- +-Error: 2 - gzopen() expects parameter 1 to be string, object given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, object given, %s(%d) + NULL + + --undefined var-- +@@ -222,7 +222,7 @@ Error: 2 - gzopen(): Filename cannot be empty, %s(%d) + bool(false) + + --resource-- +-Error: 2 - gzopen() expects parameter 1 to be string, resource given, %s(%d) ++Error: 2 - gzopen() expects parameter 1 to be a valid path, resource given, %s(%d) + NULL + ===DONE=== + +diff --git a/ext/zlib/tests/readgzfile_variation1.phpt 
b/ext/zlib/tests/readgzfile_variation1.phpt +index 5a5ec4f..5d9b639 100644 +--- a/ext/zlib/tests/readgzfile_variation1.phpt ++++ b/ext/zlib/tests/readgzfile_variation1.phpt +@@ -29,15 +29,15 @@ foreach ( $variation as $var ) { + ===DONE=== + --EXPECTF-- + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + +-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d ++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d + NULL +-===DONE=== +\ No newline at end of file ++===DONE=== +diff --git a/ext/zlib/tests/readgzfile_variation6.phpt b/ext/zlib/tests/readgzfile_variation6.phpt +index 702f918..9fcea02 100644 +--- a/ext/zlib/tests/readgzfile_variation6.phpt ++++ b/ext/zlib/tests/readgzfile_variation6.phpt +@@ -45,5 +45,5 @@ foreach ( $variation as $var ) { + --EXPECTF-- + Error: 2 - readgzfile(Class A object): failed to open stream: No such file or directory, %s(%d) + bool(false) +-Error: 2 - readgzfile() expects parameter 1 to be string, object given, %s(%d) +-NULL +\ No newline at end of file ++Error: 2 - readgzfile() expects parameter 1 to be a valid path, object given, %s(%d) ++NULL +-- +2.1.4 + +From 1defbb25ed69e7a1a90e2bcb2ee3b9190ea06577 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 12 Apr 2015 00:56:02 -0700 +Subject: [PATCH] Fix test + +--- + ext/standard/tests/file/readlink_variation1.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git 
a/ext/standard/tests/file/readlink_variation1.phpt b/ext/standard/tests/file/readlink_variation1.phpt +index 1dae17c..d4f1a5f 100644 +--- a/ext/standard/tests/file/readlink_variation1.phpt ++++ b/ext/standard/tests/file/readlink_variation1.phpt +@@ -65,7 +65,7 @@ bool(false) + Warning: readlink(): %s in %s on line %d + bool(false) + +-Warning: readlink() expects parameter 1 to be string, resource given in %s on line %d ++Warning: readlink() expects parameter 1 to be a valid path, resource given in %s on line %d + NULL + + Warning: readlink(): %s in %s on line %d +-- +2.1.4 + +From f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 May 2015 22:47:52 -0700 +Subject: [PATCH] Fix #69719 - more checks for nulls in paths + +--- + ext/dom/document.c | 22 +++++++++++++++++----- + ext/gd/gd.c | 16 ++++++++-------- + 2 files changed, 25 insertions(+), 13 deletions(-) + +diff --git a/ext/dom/document.c b/ext/dom/document.c +index 48a19dd..097fcba 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -1699,7 +1699,7 @@ PHP_FUNCTION(dom_document_save) + char *file; + long options = 0; + +- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { + return; + } + +@@ -1929,7 +1929,7 @@ static void _dom_document_schema_validat + int is_valid; + char resolved_path[MAXPATHLEN + 1]; + +- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) { + return; + } + +@@ -1942,6 +1942,10 @@ static void _dom_document_schema_validat + 
+ switch (type) { + case DOM_LOAD_FILE: ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); ++ RETURN_FALSE; ++ } + valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (!valid_file) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); +@@ -2025,7 +2029,7 @@ static void _dom_document_relaxNG_valida + int is_valid; + char resolved_path[MAXPATHLEN + 1]; + +- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { + return; + } + +@@ -2038,6 +2042,10 @@ static void _dom_document_relaxNG_valida + + switch (type) { + case DOM_LOAD_FILE: ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); ++ RETURN_FALSE; ++ } + valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (!valid_file) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); +@@ -2118,7 +2126,7 @@ static void dom_load_html(INTERNAL_FUNCT + + id = getThis(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { + return; + } + +@@ -2128,6 +2136,10 @@ static void dom_load_html(INTERNAL_FUNCT + } + + if (mode == DOM_LOAD_FILE) { ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source"); ++ RETURN_FALSE; ++ } + ctxt = htmlCreateFileParserCtxt(source, NULL); + } else { + source_len = xmlStrlen(source); +@@ -2216,7 +2228,7 @@ PHP_FUNCTION(dom_document_save_html_file + char *file; + const char *encoding; + 
+- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { ++ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { + return; + } + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index d258c3d..e527575 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -3939,7 +3939,7 @@ PHP_FUNCTION(imagepsloadfont) + struct stat st; + #endif + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { + return; + } + +-- +2.1.4 + +From eee8b6c33fc968ef8c496db8fb54e8c9d9d5a8f9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 9 Jun 2015 17:11:33 -0700 +Subject: [PATCH] fix test + +--- + ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt +index 75004e2..e0d0923 100644 +--- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt ++++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt +@@ -15,9 +15,9 @@ $result = $doc->loadHTMLFile(""); + assert('$result === false'); + $doc = new DOMDocument(); + $result = $doc->loadHTMLFile("text.html\0something"); +-assert('$result === null'); ++assert('$result === false'); + ?> + --EXPECTF-- + %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s + +-%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s ++%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Invalid file source %s +-- +2.1.4 + diff --git a/SPECS/php.spec b/SPECS/php.spec index 4e15f32..03fe3e0 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec 
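Review bot: In dom_document_parser the new `CHECK_NULL_PATH(source, source_len)` branch returns NULL with no diagnostic in the visible lines. The fileinfo and hash hunks in this patch and the later schema, RelaxNG and dom_load_html hunks all raise an E_WARNING before failing. Adding `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source");` before `return NULL;` would make a rejected path show up in logs the same way. The inserted statement also sits ahead of the declaration `char *file_dest = ...`, which a C89 compiler rejects; declaring `char *file_dest;` at the top of the block and assigning it after the check avoids that. The function body continues outside the hunk.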
@@ -111,7 +111,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.5 -Release: 5%{?dist} +Release: 7%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -170,6 +170,16 @@ Patch141: php-5.6.5-CVE-2015-1351.patch Patch142: php-5.6.5-CVE-2015-1352.patch Patch143: php-5.6.5-CVE-2015-2305.patch Patch144: php-5.6.5-CVE-2015-2331.patch +Patch145: php-5.6.5-CVE-2015-4022.patch +Patch146: php-5.6.5-CVE-2015-4021.patch +Patch147: php-5.6.5-CVE-2015-4024.patch +Patch148: php-5.6.5-CVE-2015-4025.patch +Patch149: php-5.6.5-CVE-2015-3330.patch +Patch150: php-5.6.5-bug69353.patch +Patch151: php-5.6.5-CVE-2015-2783.patch +Patch152: php-5.6.5-CVE-2015-3329.patch +Patch153: php-5.6.5-bug68819.patch +Patch154: php-5.6.5-bug69152.patch # Fixes for tests (300+) @@ -749,6 +759,16 @@ support for using the enchant library to PHP. %patch142 -p1 -b .cve1352 %patch143 -p1 -b .cve2305 %patch144 -p1 -b .cve2331 +%patch145 -p1 -b .cve4022 +%patch146 -p1 -b .cve4021 +%patch147 -p1 -b .cve4024 +%patch148 -p1 -b .cve4025 +%patch149 -p1 -b .cve3330 +%patch150 -p1 -b .bug69353 +%patch151 -p1 -b .cve2783 +%patch152 -p1 -b .cve3329 +%patch153 -p1 -b .bug68819 +%patch154 -p1 -b .bug69152 # Fixes for tests %patch300 -p1 -b .datetests 
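Review bot: In the `@@ -170,6` hunk, Patch150, Patch153 and Patch154 (`php-5.6.5-bug69353.patch`, `php-5.6.5-bug68819.patch`, `php-5.6.5-bug69152.patch`) are named only after upstream bug numbers, while the %changelog for this build lists CVE-2015-3307 and CVE-2015-4026 with no patch file of that name, so the spec does not show which file carries which security fix. Presumably those fixes are contained in one of the added patches, but that cannot be confirmed from the Patch lines alone. A one-line comment above each such entry would make the mapping auditable, for example `# <changelog item or CVE id covered> (upstream bug 69353)` above `Patch150:`; the same applies to the matching `%patch150`, `%patch153` and `%patch154` lines in the `@@ -749,6` hunk.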
@@ -1671,6 +1691,29 @@ fi %changelog +* Wed Jun 10 2015 Remi Collet - 5.6.5-7 +- fix more functions accept paths with NUL character #1213407 + +* Tue Jun 9 2015 Remi Collet - 5.6.5-6 +- core: fix multipart/form-data request can use excessive + amount of CPU usage CVE-2015-4024 +- fix various functions accept paths with NUL character + CVE-2015-4025, CVE-2015-4026, #1213407 +- fileinfo: fix denial of service when processing a crafted + file #1213442 +- ftp: fix integer overflow leading to heap overflow when + reading FTP file listing CVE-2015-4022 +- phar: fix buffer over-read in metadata parsing CVE-2015-2783 +- phar: invalid pointer free() in phar_tar_process_metadata() + CVE-2015-3307 +- phar: fix buffer overflow in phar_set_inode() CVE-2015-3329 +- phar: fix memory corruption in phar_parse_tarfile caused by + empty entry file name CVE-2015-4021 +- pgsql: fix NULL pointer dereference CVE-2015-1352 +- soap: fix type confusion through unserialize #1222538 +- apache2handler: fix pipelined request executed in deinitialized + interpreter under httpd 2.4 CVE-2015-3330 + * Fri Apr 17 2015 Remi Collet - 5.6.5-5 - mod_php: filter libphp5.so out of provides #1212726 - fpm: fix incorrect selinux contexts #1194337