From 76dab6ee2fb63a89f034b5fe33374d69e72e862f Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 3 Jun 2014 15:17:26 +0200
Subject: PHP 5.4.29: apply 2 upstream fix
---
 php-bug67326.patch | 32 ++++++++++++++++++++++++++++++++
 php-reg67072.patch | 26 ++++++++++++++++++++++++++
 php54.spec | 14 +++++++++++++-
 3 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 php-bug67326.patch
 create mode 100644 php-reg67072.patch
diff --git a/php-bug67326.patch b/php-bug67326.patch
new file mode 100644
index 0000000..2e7b0b1
--- /dev/null
+++ b/php-bug67326.patch
@@ -0,0 +1,32 @@
+From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Tue, 3 Jun 2014 11:05:00 +0200
+Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient
+ boundary check
+
+Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
+Only revelant part applied
+---
+ ext/fileinfo/libmagic/cdf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 4712e84..16649f1 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+ size_t ss = CDF_SHORT_SEC_SIZE(h);
+ size_t pos = CDF_SHORT_SEC_POS(h, id);
+ assert(ss == len);
+- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ SIZE_T_FORMAT "u\n",
+- pos, CDF_SEC_SIZE(h) * sst->sst_len));
++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ return -1;
+ }
+ (void)memcpy(((char *)buf) + offs,
+--
+1.9.2
+
diff --git a/php-reg67072.patch b/php-reg67072.patch
new file mode 100644
index 0000000..6905db8
--- /dev/null
+++ b/php-reg67072.patch
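Review bot: In the cdf.c hunk carried by php-bug67326.patch, the new guard `pos + len > CDF_SEC_SIZE(h) * sst->sst_len` adds two `size_t` values, so the sum can wrap and pass the check if `pos` is ever close to the top of the `size_t` range; `pos` is derived from `h` and `id`, and whether it can get that large is not visible here. A subtraction form avoids the wrap: `size_t lim = CDF_SEC_SIZE(h) * sst->sst_len;` followed by `if (len > lim || pos > lim - len) {`. The `assert(ss == len)` just above is compiled out in NDEBUG builds, so it should not be relied on to bound `len`. The body of cdf_read_short_sector starts and ends outside the hunk, and the patch header says only part of the upstream change was applied.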
@@ -0,0 +1,26 @@
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 003bac9..ed6a69c 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -396,7 +396,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (ce->serialize == NULL) {
++ if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) {
+ object_init_ex(*rval, ce);
+ } else {
+ /* If this class implements Serializable, it should not land here but in object_custom(). The passed string
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index b3f5d29..b5f092b 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -400,7 +400,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (ce->serialize == NULL) {
++ if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) {
+ object_init_ex(*rval, ce);
+ } else {
+ /* If this class implements Serializable, it should not land here but in object_custom(). The passed string
diff --git a/php54.spec b/php54.spec
index 68e80c7..3c55a25 100644
--- a/php54.spec
+++ b/php54.spec
@@ -85,7 +85,7 @@ Version: 5.4.29
 %if 0%{?snapdate:1}%{?rcver:1}
 Release: 0.1.%{?snapdate}%{?rcver}%{?dist}
 %else
-Release: 1%{?dist}
+Release: 2%{?dist}
 %endif
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
@@ -136,6 +136,8 @@ Patch46: php-5.4.9-fixheader.patch
 Patch47: php-5.4.9-phpinfo.patch
 # Upstream fixes
+Patch100: php-reg67072.patch
+Patch101: php-bug67326.patch
 # Security fixes
@@ -800,6 +802,11 @@ rm -f ext/json/utf8_to_utf16.*
 %patch91 -p1 -b .remi-oci8
+# upstream patches
+%patch100 -p1 -b .reg67072
+%patch101 -p1 -b .bug67326
+
+# security patches
 # Prevent %%doc confusion over LICENSE files
 cp Zend/LICENSE Zend/ZEND_LICENSE
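Review bot: In php-reg67072.patch (both the var_unserializer.c and var_unserializer.re hunks), the context comment in the `else` branch still says a Serializable class "should not land here", but with `|| ZEND_INTERNAL_CLASS != ce->type` that branch is now taken only for internal classes, while userland classes that have a `serialize` handler go through `object_init_ex`. I would add a comment above the condition, for example `/* Only internal classes with a serialize handler take the else branch; userland ones are still instantiated (workaround for the 67072 regression) */`, so the relaxed check is not later mistaken for an oversight. Because this code parses serialized input, a regression test that feeds a userland Serializable class through this path would help pin the intended behaviour. The rest of object_common1, including the body of the `else` branch, is outside the hunk.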
@@ -1646,6 +1653,11 @@ fi
 %changelog
+* Tue Jun 3 2014 Remi Collet 5.4.29-2
+- fileinfo: fix insufficient boundary check
+- workaround regression introduce in fix for 67072 in
+ serialize/unzerialize functions
+
 * Wed May 28 2014 Remi Collet 5.4.29-1
 - Update to 5.4.29 http://www.php.net/releases/5_4_29.php
-- cgit