authorRemi Collet <fedora@famillecollet.com>2017-02-18 16:14:07 +0100
committerRemi Collet <fedora@famillecollet.com>2017-02-18 16:14:07 +0100
commit9836adc4329f2fa71a7e9cfddae5e9a21553732b (patch)
tree00aaf49ff5623dddb052c81303c940e5f147e1ad
parent01fb0f9169c299356f917ef33b1f1d008abdfc47 (diff)
PHP 5.4.45-13 (security fix from 5.6.30)
-rw-r--r--bug73737.patch141
-rw-r--r--bug73764.patch42
-rw-r--r--bug73768.patch41
-rw-r--r--bug73773.patch37
-rw-r--r--failed.txt28
-rw-r--r--php54.spec26
6 files changed, 297 insertions, 18 deletions
diff --git a/bug73737.patch b/bug73737.patch
new file mode 100644
index 0000000..45700c9
--- /dev/null
+++ b/bug73737.patch
@@ -0,0 +1,141 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From 1cda0d7c2ffb62d8331c64e703131d9cabdc03ea Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 31 Dec 2016 19:31:49 -0800
+Subject: [PATCH] Fix bug #73737 FPE when parsing a tag format
+
+---
+ ext/exif/exif.c | 2 +-
+ ext/exif/tests/bug73737.phpt | 12 ++++++++++++
+ ext/exif/tests/bug73737.tiff | Bin 0 -> 48 bytes
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug73737.phpt
+ create mode 100644 ext/exif/tests/bug73737.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 8b0e34c..83daee6 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1313,7 +1313,7 @@ static size_t exif_convert_any_to_int(void *value, int format, int motorola_inte
+ if (s_den == 0) {
+ return 0;
+ } else {
+- return php_ifd_get32s(value, motorola_intel) / s_den;
++ return (size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den);
+ }
+
+ case TAG_FMT_SSHORT: return php_ifd_get16u(value, motorola_intel);
+
+--
+2.1.4
+
+From 900b17b15fd5d29b6575b175b2b120ffab3adc96 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikic@php.net>
+Date: Thu, 5 Jan 2017 11:37:06 +0100
+Subject: [PATCH] Fix printf modifier
+
+---
+ ext/exif/exif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 83daee6..3663b3f 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2865,7 +2865,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ }
+
+ if (components < 0) {
+- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%d)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
+ return FALSE;
+ }
+
+--
+2.1.4
+
+From 0ab1af7d3eff815e1809fe044e54283b5a1b8e27 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Jan 2017 17:31:08 -0800
+Subject: [PATCH] Update more functions with path check
+
+---
+ ext/curl/curl_file.c | 2 +-
+ ext/exif/exif.c | 2 +-
+ ext/zip/php_zip.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 3663b3f..1c8772f 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -4220,7 +4220,7 @@ PHP_FUNCTION(exif_imagetype)
+ php_stream * stream;
+ int itype = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &imagefile, &imagefile_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &imagefile, &imagefile_len) == FAILURE) {
+ return;
+ }
+
+
+--
+2.1.4
+
+From 814966ad33f9a734e422e34327256d58a91d1272 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Jan 2017 18:42:22 -0800
+Subject: [PATCH] Fix test
+
+---
+ ext/exif/tests/exif_imagetype_variation1.phpt | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/ext/exif/tests/exif_imagetype_variation1.phpt b/ext/exif/tests/exif_imagetype_variation1.phpt
+index 767ed5f..d33217c 100644
+--- a/ext/exif/tests/exif_imagetype_variation1.phpt
++++ b/ext/exif/tests/exif_imagetype_variation1.phpt
+@@ -142,23 +142,23 @@ Warning: exif_imagetype(0.5): failed to open stream: No such file or directory i
+ bool(false)
+ -- Iteration 10 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 11 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 12 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 13 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 14 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 15 --
+
+@@ -198,7 +198,7 @@ Warning: exif_imagetype(obj'ct): failed to open stream: No such file or director
+ bool(false)
+ -- Iteration 24 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, resource given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, resource given in %s on line %d
+ NULL
+ -- Iteration 25 --
+
+--
+2.1.4
+
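Review bot: In the exif_convert_any_to_int hunk the new return converts the double quotient straight to size_t, and C leaves that conversion undefined when the truncated quotient is negative, which a signed rational with one negative term produces. The old integer division wrapped negative results in a defined way, so a signed 64-bit intermediate would keep that behaviour while still avoiding the integer divide, for example `return (size_t)(long long)((double)php_ifd_get32s(value, motorola_intel) / s_den);` if the supported compilers provide the type. The function starts and ends outside the hunk, so how callers treat a very large return value should be checked there. Separately, the diffstat of the "Update more functions with path check" commit lists ext/curl/curl_file.c and ext/zip/php_zip.c, but only the ext/exif/exif.c hunk is carried and the header records only `Binary parts dropped`. A header line such as `curl_file.c and php_zip.c hunks dropped: <reason>` would let an auditor tell whether the path check is absent there on purpose.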
diff --git a/bug73764.patch b/bug73764.patch
new file mode 100644
index 0000000..43dafef
--- /dev/null
+++ b/bug73764.patch
@@ -0,0 +1,42 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From ca46d0acbce55019b970fcd4c1e8a10edfdded93 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Fri, 30 Dec 2016 15:34:46 -0800
+Subject: [PATCH] Fix int overflows in phar (bug #73764)
+
+---
+ ext/phar/phar.c | 4 ++--
+ ext/phar/tests/bug73764.phar | Bin 0 -> 138 bytes
+ ext/phar/tests/bug73764.phpt | 16 ++++++++++++++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug73764.phar
+ create mode 100644 ext/phar/tests/bug73764.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 14b80e1..532b4c3 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1056,7 +1056,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.is_persistent = mydata->is_persistent;
+
+ for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
+- if (buffer + 4 > endbuffer) {
++ if (buffer + 24 > endbuffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
+ }
+
+@@ -1070,7 +1070,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (entry.filename_len + 20 > endbuffer - buffer) {
++ if (entry.filename_len > endbuffer - buffer - 20) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+--
+2.1.4
+
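Review bot: The widened guard `buffer + 24 > endbuffer` still forms a pointer that can lie beyond the end of the manifest buffer before comparing, which is undefined for a truncated entry; comparing the remaining length avoids that, `if (endbuffer - buffer < 24) {`. The second check, `entry.filename_len > endbuffer - buffer - 20`, appears to rely on the first one to keep the right-hand side from going negative, so the constants 24 and 20 are coupled. They would be easier to audit as named sizes with a comment such as `/* fixed-size manifest entry fields that follow the filename */`. bug73773.patch in this same commit raises both numbers again (to 28 and 24) in the same two places, and the same remarks apply there. phar_parse_pharfile starts and ends outside the hunk, so how far `buffer` advances between the two checks is not visible here.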
diff --git a/bug73768.patch b/bug73768.patch
new file mode 100644
index 0000000..0244070
--- /dev/null
+++ b/bug73768.patch
@@ -0,0 +1,41 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From b28b8b2fee6dfa6fcd13305c581bb835689ac3be Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Fri, 30 Dec 2016 15:57:24 -0800
+Subject: [PATCH] Fix bug #73768 - Memory corruption when loading hostile phar
+
+---
+ ext/phar/phar.c | 3 +--
+ ext/phar/tests/bug73768.phar | Bin 0 -> 219 bytes
+ ext/phar/tests/bug73768.phpt | 16 ++++++++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug73768.phar
+ create mode 100644 ext/phar/tests/bug73768.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 532b4c3..158f417 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -982,7 +982,6 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ /* if the alias is stored we enforce it (implicit overrides explicit) */
+ if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len)))
+ {
+- buffer[tmp_len] = '\0';
+ php_stream_close(fp);
+
+ if (signature) {
+@@ -990,7 +989,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ }
+
+ if (error) {
+- spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias);
++ spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias);
+ }
+
+ efree(savebuf);
+--
+2.1.4
+
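Review bot: `tmp_len` is passed as the `%.*s` precision without a cast, while the condition at the top of the hunk writes `(int)tmp_len`, which suggests it is not declared as int. A precision argument is read as int, so the call should end `..., fname, (int)tmp_len, buffer, alias);`, and the code before this point (outside the hunk) should make sure a length above INT_MAX cannot reach it. The alias bytes come from the archive being loaded and are copied into the error string as they are, so whatever logs or displays `*error` should treat it as untrusted text.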
diff --git a/bug73773.patch b/bug73773.patch
new file mode 100644
index 0000000..98c4dc6
--- /dev/null
+++ b/bug73773.patch
@@ -0,0 +1,37 @@
+Backported from 5.6.30 by Remi.
+
+
+From e5246580a85f031e1a3b8064edbaa55c1643a451 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 31 Dec 2016 18:47:50 -0800
+Subject: [PATCH] Fix bug #73773 - Seg fault when loading hostile phar
+
+---
+ ext/phar/phar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 158f417..780be43 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.is_persistent = mydata->is_persistent;
+
+ for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
+- if (buffer + 24 > endbuffer) {
++ if (buffer + 28 > endbuffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
+ }
+
+@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (entry.filename_len > endbuffer - buffer - 20) {
++ if (entry.filename_len > endbuffer - buffer - 24) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+--
+2.1.4
+
diff --git a/failed.txt b/failed.txt
index 6ebfc97..e1b13c3 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,20 +1,21 @@
-===== 5.5.45-12 (2016-09-19)
+===== 5.5.45-13 (2017-02-18)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
-/var/lib/mock/el5i/build.log:Tests failed : 9
-/var/lib/mock/el5x/build.log:Tests failed : 3
-/var/lib/mock/el6i/build.log:Tests failed : 5
-/var/lib/mock/el6x/build.log:Tests failed : 1
-/var/lib/mock/el7x/build.log:Tests failed : 0
+/var/lib/mock/el5i/build.log:Tests failed : 11
+/var/lib/mock/el5x/build.log:Tests failed : 5
+/var/lib/mock/el6i/build.log:Tests failed : 8
+/var/lib/mock/el6x/build.log:Tests failed : 4
+/var/lib/mock/el7x/build.log:Tests failed : 3
+
el5i
IPv4 Loopback test [ext/sockets/tests/ipv4loop.phpt]
ext/sockets - socket_getpeername_ipv4loop - basic test [ext/sockets/tests/socket_getpeername_ipv4loop.phpt]
-el5i, el5x
- Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
- Bug #66501: EC private key support in openssl_sign [ext/openssl/tests/bug66501.phpt]
+el5i
Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
+ Bug #66501: EC private key support in openssl_sign [ext/openssl/tests/bug66501.phpt]
+el5i, el5x
el5i, el6i
Bug #41523 (strtotime('0000-00-00 00:00:00') is parsed as 1999-11-30) (32 bit) [ext/date/tests/bug41523.phpt]
Bug #53437 DateInterval unserialize bad data, 32 bit [ext/date/tests/bug53437_var3.phpt]
@@ -22,6 +23,11 @@ el5i, el6i
Bug #64146 (serialize incorrectly saving objects when they are cloned) [ext/standard/tests/serialize/bug64146.phpt]
el6i, el6x
Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
-el6x
- Implement Req #60850 (Built in web server does not set $_SERVER['SCRIPT_FILENAME'] when using router) [sapi/cli/tests/php_cli_server_017.phpt]
+el5i, el5x, el6i, el6x, el7x
+ Bug #20382 [2] (strtotime ("Monday", $date) produces wrong result on DST changeover) [ext/date/tests/bug20382-2.phpt]
+ Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
+ Bug #33415 [1] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-1.phpt]
+
+
+* "date" test failures are only tzdata related
diff --git a/php54.spec b/php54.spec
index 6c5844b..4f653e0 100644
--- a/php54.spec
+++ b/php54.spec
@@ -51,7 +51,7 @@
%endif
%if 0%{?__isa:1}
-%if 0%{?rhel} == 7
+%if 0%{?rhel} == 7 || 0%{?fedora} > 0
%global isasuffix -%{__isa_bits}
%else
%global isasuffix -%{__isa}
@@ -98,7 +98,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.4.45
-Release: 12%{?dist}
+Release: 13%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -218,6 +218,10 @@ Patch257: bug72627.patch
Patch258: bug72926.patch
Patch259: bug73035.patch
Patch260: bug72928.patch
+Patch261: bug73737.patch
+Patch262: bug73764.patch
+Patch263: bug73768.patch
+Patch264: bug73773.patch
# Fixes for tests
# no_NO issue
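Review bot: Patch264 (bug73773.patch) is added here and applied in the %prep hunk, but the %changelog entry for 5.4.45-13 in this commit lists only #73737, #73764 and #73768. Anyone auditing the package from its changelog will not see that the #73773 fix is included. Add `- fix #73773: Seg fault when loading hostile phar` to that entry, with its CVE identifier on the following line if one was assigned.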
@@ -986,6 +990,10 @@ rm -f ext/json/utf8_to_utf16.*
%patch258 -p1 -b .bug72926
%patch259 -p1 -b .bug73035
%patch260 -p1 -b .bug72928
+%patch261 -p1 -b .bug73737
+%patch262 -p1 -b .bug73764
+%patch263 -p1 -b .bug73768
+%patch264 -p1 -b .bug73773
# Fixes for tests
%patch301 -p1 -b .datetests2
@@ -1651,11 +1659,7 @@ cat << EOF
backported from 5.5 or 5.6,
The UPGRADE to a maintained version is very strongly RECOMMENDED.
- WARNING : These php-* RPMs are not official Fedora / Red Hat build and
- overrides the official ones. Don't file bugs on Fedora Project nor Red Hat.
-
- Use dedicated forum at http://forum.remirepo.net/
-%if %{?fedora}%{!?fedora:99} < 23
+%if %{?fedora}%{!?fedora:99} < 24
WARNING : Fedora %{fedora} is now EOL :
You should consider upgrading to a supported release
%endif
@@ -1876,6 +1880,14 @@ fi
%changelog
+* Sat Feb 18 2017 Remi Collet <remi@remirepo.net> - 5.4.45-13
+- fix #73737: FPE when parsing a tag format
+ CVE-2016-10158
+- fix #73764: int overflows in phar
+ CVE-2016-10159
+- fix #73768: Memory corruption when loading hostile phar
+ CVE-2016-10160
+
* Mon Sep 19 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-12
- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
CVE-2016-7128