authorRemi Collet <fedora@famillecollet.com>2017-02-18 08:58:42 +0100
committerRemi Collet <fedora@famillecollet.com>2017-02-18 08:58:42 +0100
commit0e26c7b3a2d48b2fe256b8b7074b02218cfd46c1 (patch)
tree0c035b4ea81cae8024e5eedb4db8d837acce626b
parent7ffbd4270341b5ad5bc6a5e81edfc003ea92e5e0 (diff)
PHP 5.6.38-7 (security fix from 5.6.30)
-rw-r--r--bug69090.patch299
-rw-r--r--bug73737.patch154
-rw-r--r--bug73764.patch42
-rw-r--r--bug73768.patch41
-rw-r--r--bug73773.patch37
-rw-r--r--failed.txt4
-rw-r--r--opcache.ini11
-rw-r--r--php.spec21
8 files changed, 606 insertions, 3 deletions
diff --git a/bug69090.patch b/bug69090.patch
new file mode 100644
index 0000000..270f05a
--- /dev/null
+++ b/bug69090.patch
@@ -0,0 +1,299 @@
+Backported from php 5.6 by Remi
+Using
+
+
+From ecba563f2fa1e027ea91b9ee0d50611273852995 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Wed, 16 Nov 2016 12:43:10 +0300
+Subject: [PATCH] Fixed bug #69090 (check cached files permissions)
+
+---
+ NEWS | 1 +
+ ext/opcache/README | 10 ++++++++
+ ext/opcache/ZendAccelerator.c | 47 +++++++++++++++++++++++++++++++++++
+ ext/opcache/ZendAccelerator.h | 5 ++++
+ ext/opcache/zend_accelerator_hash.c | 12 +++++++++
+ ext/opcache/zend_accelerator_module.c | 4 +++
+ 6 files changed, 79 insertions(+)
+
+diff --git a/ext/opcache/ZendAccelerator.c b/ext/opcache/ZendAccelerator.c
+index 985a4ef..c8d2290 100644
+--- a/ext/opcache/ZendAccelerator.c
++++ b/ext/opcache/ZendAccelerator.c
+@@ -1559,6 +1559,28 @@ zend_op_array *persistent_compile_file(zend_file_handle *file_handle, int type T
+ persistent_script = NULL;
+ }
+
++ /* Revalidate acessibility of cached file */
++ if (EXPECTED(persistent_script != NULL) &&
++ UNEXPECTED(ZCG(accel_directives).validate_permission) &&
++ file_handle->type == ZEND_HANDLE_FILENAME &&
++ UNEXPECTED(access(file_handle->filename, R_OK) != 0)) {
++ if (type == ZEND_REQUIRE) {
++#if ZEND_EXTENSION_API_NO < PHP_5_3_X_API_NO
++ zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, file_handle->filename);
++#else
++ zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, file_handle->filename TSRMLS_CC);
++#endif
++ zend_bailout();
++ } else {
++#if ZEND_EXTENSION_API_NO < PHP_5_3_X_API_NO
++ zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, file_handle->filename);
++#else
++ zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, file_handle->filename TSRMLS_CC);
++#endif
++ }
++ return NULL;
++ }
++
+ SHM_UNPROTECT();
+
+ /* If script is found then validate_timestamps if option is enabled */
+@@ -2071,6 +2093,31 @@ static void accel_activate(void)
+ return;
+ }
+
++#ifndef ZEND_WIN32
++ if (ZCG(accel_directives).validate_root) {
++ struct stat buf;
++
++ if (stat("/", &buf) != 0) {
++ ZCG(root_hash) = 0;
++ } else {
++ unsigned long x = buf.st_ino;
++
++#if SIZEOF_LONG == 4
++ x = ((x >> 16) ^ x) * 0x45d9f3b;
++ x = ((x >> 16) ^ x) * 0x45d9f3b;
++ x = (x >> 16) ^ x;
++#elif SIZEOF_LONG == 8
++ x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9;
++ x = (x ^ (x >> 27)) * 0x94d049bb133111eb;
++ x = x ^ (x >> 31);
++#endif
++ ZCG(root_hash) = x;
++ }
++ } else {
++ ZCG(root_hash) = 0;
++ }
++#endif
++
+ SHM_UNPROTECT();
+ /* PHP-5.4 and above return "double", but we use 1 sec precision */
+ ZCG(request_time) = (time_t)sapi_get_request_time(TSRMLS_C);
+diff --git a/ext/opcache/ZendAccelerator.h b/ext/opcache/ZendAccelerator.h
+index 11942f1..a711de7 100644
+--- a/ext/opcache/ZendAccelerator.h
++++ b/ext/opcache/ZendAccelerator.h
+@@ -229,6 +229,8 @@ typedef struct _zend_accel_directives {
+ zend_bool file_override_enabled;
+ zend_bool inherited_hack;
+ zend_bool enable_cli;
++ zend_bool validate_permission;
++ zend_bool validate_root;
+ unsigned long revalidate_freq;
+ unsigned long file_update_protection;
+ char *error_log;
+@@ -263,6 +265,9 @@ typedef struct _zend_accel_globals {
+ int include_path_len; /* "include_path" string length */
+ int include_path_check;
+ time_t request_time;
++#ifndef ZEND_WIN32
++ unsigned long root_hash;
++#endif
+ /* preallocated shared-memory block to save current script */
+ void *mem;
+ /* cache to save hash lookup on the same INCLUDE opcode */
+diff --git a/ext/opcache/zend_accelerator_hash.c b/ext/opcache/zend_accelerator_hash.c
+index 992885f..4b8b712 100644
+--- a/ext/opcache/zend_accelerator_hash.c
++++ b/ext/opcache/zend_accelerator_hash.c
+@@ -86,6 +86,9 @@ zend_accel_hash_entry* zend_accel_hash_update(zend_accel_hash *accel_hash, char
+ }
+
+ hash_value = zend_inline_hash_func(key, key_length);
++#ifndef ZEND_WIN32
++ hash_value ^= ZCG(root_hash);
++#endif
+ index = hash_value % accel_hash->max_num_entries;
+
+ /* try to see if the element already exists in the hash */
+@@ -147,6 +150,9 @@ void* zend_accel_hash_find(zend_accel_hash *accel_hash, char *key, zend_uint key
+ zend_accel_hash_entry *entry;
+
+ hash_value = zend_inline_hash_func(key, key_length);
++#ifndef ZEND_WIN32
++ hash_value ^= ZCG(root_hash);
++#endif
+ index = hash_value % accel_hash->max_num_entries;
+
+ entry = accel_hash->hash_table[index];
+@@ -175,6 +181,9 @@ zend_accel_hash_entry* zend_accel_hash_find_entry(zend_accel_hash *accel_hash, c
+ zend_accel_hash_entry *entry;
+
+ hash_value = zend_inline_hash_func(key, key_length);
++#ifndef ZEND_WIN32
++ hash_value ^= ZCG(root_hash);
++#endif
+ index = hash_value % accel_hash->max_num_entries;
+
+ entry = accel_hash->hash_table[index];
+@@ -200,6 +209,9 @@ int zend_accel_hash_unlink(zend_accel_hash *accel_hash, char *key, zend_uint key
+ zend_accel_hash_entry *entry, *last_entry=NULL;
+
+ hash_value = zend_inline_hash_func(key, key_length);
++#ifndef ZEND_WIN32
++ hash_value ^= ZCG(root_hash);
++#endif
+ index = hash_value % accel_hash->max_num_entries;
+
+ entry = accel_hash->hash_table[index];
+diff --git a/ext/opcache/zend_accelerator_module.c b/ext/opcache/zend_accelerator_module.c
+index 5671f2f..0faa915 100644
+--- a/ext/opcache/zend_accelerator_module.c
++++ b/ext/opcache/zend_accelerator_module.c
+@@ -251,6 +251,8 @@ ZEND_INI_BEGIN()
+ STD_PHP_INI_BOOLEAN("opcache.enable" , "1", PHP_INI_ALL, OnEnable, enabled , zend_accel_globals, accel_globals)
+ STD_PHP_INI_BOOLEAN("opcache.use_cwd" , "1", PHP_INI_SYSTEM, OnUpdateBool, accel_directives.use_cwd , zend_accel_globals, accel_globals)
+ STD_PHP_INI_BOOLEAN("opcache.validate_timestamps", "1", PHP_INI_ALL , OnUpdateBool, accel_directives.validate_timestamps, zend_accel_globals, accel_globals)
++ STD_PHP_INI_BOOLEAN("opcache.validate_permission", "0", PHP_INI_SYSTEM, OnUpdateBool, accel_directives.validate_permission, zend_accel_globals, accel_globals)
++ STD_PHP_INI_BOOLEAN("opcache.validate_root" , "0", PHP_INI_SYSTEM, OnUpdateBool, accel_directives.validate_root , zend_accel_globals, accel_globals)
+ STD_PHP_INI_BOOLEAN("opcache.inherited_hack" , "1", PHP_INI_SYSTEM, OnUpdateBool, accel_directives.inherited_hack , zend_accel_globals, accel_globals)
+ STD_PHP_INI_BOOLEAN("opcache.dups_fix" , "0", PHP_INI_ALL , OnUpdateBool, accel_directives.ignore_dups , zend_accel_globals, accel_globals)
+ STD_PHP_INI_BOOLEAN("opcache.revalidate_path" , "0", PHP_INI_ALL , OnUpdateBool, accel_directives.revalidate_path , zend_accel_globals, accel_globals)
+@@ -659,6 +661,8 @@ static ZEND_FUNCTION(opcache_get_configuration)
+ add_assoc_bool(directives, "opcache.enable_cli", ZCG(accel_directives).enable_cli);
+ add_assoc_bool(directives, "opcache.use_cwd", ZCG(accel_directives).use_cwd);
+ add_assoc_bool(directives, "opcache.validate_timestamps", ZCG(accel_directives).validate_timestamps);
++ add_assoc_bool(directives, "opcache.validate_permission", ZCG(accel_directives).validate_permission);
++ add_assoc_bool(directives, "opcache.validate_root", ZCG(accel_directives).validate_root);
+ add_assoc_bool(directives, "opcache.inherited_hack", ZCG(accel_directives).inherited_hack);
+ add_assoc_bool(directives, "opcache.dups_fix", ZCG(accel_directives).ignore_dups);
+ add_assoc_bool(directives, "opcache.revalidate_path", ZCG(accel_directives).revalidate_path);
+--
+2.1.4
+
+From a91f3d475ee9a59c38833c683c0bd355338f1564 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Wed, 16 Nov 2016 16:43:57 +0300
+Subject: [PATCH] Fixed ZTS build
+
+---
+ ext/opcache/zend_accelerator_hash.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/ext/opcache/zend_accelerator_hash.c b/ext/opcache/zend_accelerator_hash.c
+index 4b8b712..4a16a93 100644
+--- a/ext/opcache/zend_accelerator_hash.c
++++ b/ext/opcache/zend_accelerator_hash.c
+@@ -77,6 +77,9 @@ zend_accel_hash_entry* zend_accel_hash_update(zend_accel_hash *accel_hash, char
+ zend_ulong index;
+ zend_accel_hash_entry *entry;
+ zend_accel_hash_entry *indirect_bucket = NULL;
++#ifndef ZEND_WIN32
++ TSRMLS_FETCH();
++#endif
+
+ if (indirect) {
+ indirect_bucket = (zend_accel_hash_entry*)data;
+@@ -148,6 +151,9 @@ void* zend_accel_hash_find(zend_accel_hash *accel_hash, char *key, zend_uint key
+ zend_ulong hash_value;
+ zend_ulong index;
+ zend_accel_hash_entry *entry;
++#ifndef ZEND_WIN32
++ TSRMLS_FETCH();
++#endif
+
+ hash_value = zend_inline_hash_func(key, key_length);
+ #ifndef ZEND_WIN32
+@@ -179,6 +185,9 @@ zend_accel_hash_entry* zend_accel_hash_find_entry(zend_accel_hash *accel_hash, c
+ zend_ulong hash_value;
+ zend_ulong index;
+ zend_accel_hash_entry *entry;
++#ifndef ZEND_WIN32
++ TSRMLS_FETCH();
++#endif
+
+ hash_value = zend_inline_hash_func(key, key_length);
+ #ifndef ZEND_WIN32
+@@ -207,6 +216,9 @@ int zend_accel_hash_unlink(zend_accel_hash *accel_hash, char *key, zend_uint key
+ zend_ulong hash_value;
+ zend_ulong index;
+ zend_accel_hash_entry *entry, *last_entry=NULL;
++#ifndef ZEND_WIN32
++ TSRMLS_FETCH();
++#endif
+
+ hash_value = zend_inline_hash_func(key, key_length);
+ #ifndef ZEND_WIN32
+--
+2.1.4
+
+From 8202b970777b84d57c590b78f9b6572ef0e0c205 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Wed, 16 Nov 2016 23:01:40 +0300
+Subject: [PATCH] Use full path
+
+---
+ ext/opcache/ZendAccelerator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/opcache/ZendAccelerator.c b/ext/opcache/ZendAccelerator.c
+index c8d2290..9d0d32e8 100644
+--- a/ext/opcache/ZendAccelerator.c
++++ b/ext/opcache/ZendAccelerator.c
+@@ -1563,7 +1563,7 @@ zend_op_array *persistent_compile_file(zend_file_handle *file_handle, int type T
+ if (EXPECTED(persistent_script != NULL) &&
+ UNEXPECTED(ZCG(accel_directives).validate_permission) &&
+ file_handle->type == ZEND_HANDLE_FILENAME &&
+- UNEXPECTED(access(file_handle->filename, R_OK) != 0)) {
++ UNEXPECTED(access(persistent_script->full_path, R_OK) != 0)) {
+ if (type == ZEND_REQUIRE) {
+ #if ZEND_EXTENSION_API_NO < PHP_5_3_X_API_NO
+ zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, file_handle->filename);
+--
+2.1.4
+
+From 9849c97b1bdfd7f0a7c499cad4cf601ebd68cc22 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Thu, 17 Nov 2016 01:08:42 +0300
+Subject: [PATCH] Accorate handling of too big inodes of chroot directories
+
+---
+ ext/opcache/ZendAccelerator.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/ext/opcache/ZendAccelerator.c b/ext/opcache/ZendAccelerator.c
+index 9d0d32e8..7e8a444 100644
+--- a/ext/opcache/ZendAccelerator.c
++++ b/ext/opcache/ZendAccelerator.c
+@@ -2100,18 +2100,14 @@ static void accel_activate(void)
+ if (stat("/", &buf) != 0) {
+ ZCG(root_hash) = 0;
+ } else {
+- unsigned long x = buf.st_ino;
+-
+-#if SIZEOF_LONG == 4
+- x = ((x >> 16) ^ x) * 0x45d9f3b;
+- x = ((x >> 16) ^ x) * 0x45d9f3b;
+- x = (x >> 16) ^ x;
+-#elif SIZEOF_LONG == 8
+- x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9;
+- x = (x ^ (x >> 27)) * 0x94d049bb133111eb;
+- x = x ^ (x >> 31);
+-#endif
+- ZCG(root_hash) = x;
++ ZCG(root_hash) = buf.st_ino;
++ if (sizeof(buf.st_ino) > sizeof(ZCG(root_hash))) {
++ if (ZCG(root_hash) != buf.st_ino) {
++ zend_alter_ini_entry("opcache.enable", sizeof("opcache.enable"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_RUNTIME);
++ zend_accel_error(ACCEL_LOG_WARNING, "Can't cache files in chroot() directory with too big inode");
++ return;
++ }
++ }
+ }
+ } else {
+ ZCG(root_hash) = 0;
+--
+2.1.4
+
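Review bot: In the last backported commit, `ZCG(root_hash) = buf.st_ino;` keys the chroot separation on the inode number of "/" alone, and an inode number is only unique within one filesystem. Two chroot roots on different devices can therefore report the same st_ino, in which case `hash_value ^= ZCG(root_hash)` in zend_accelerator_hash.c would presumably not separate their cache entries even with opcache.validate_root enabled. Consider mixing `buf.st_dev` into the value, or at minimum documenting the limit with `/* st_ino is unique per filesystem only; roots on different devices may still collide */` above the assignment. accel_activate() and the hash lookup functions start and end outside the hunk, so any further key comparison cannot be seen here.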
diff --git a/bug73737.patch b/bug73737.patch
new file mode 100644
index 0000000..36fd6a6
--- /dev/null
+++ b/bug73737.patch
@@ -0,0 +1,154 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From 1cda0d7c2ffb62d8331c64e703131d9cabdc03ea Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 31 Dec 2016 19:31:49 -0800
+Subject: [PATCH] Fix bug #73737 FPE when parsing a tag format
+
+---
+ ext/exif/exif.c | 2 +-
+ ext/exif/tests/bug73737.phpt | 12 ++++++++++++
+ ext/exif/tests/bug73737.tiff | Bin 0 -> 48 bytes
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug73737.phpt
+ create mode 100644 ext/exif/tests/bug73737.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 8b0e34c..83daee6 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1313,7 +1313,7 @@ static size_t exif_convert_any_to_int(void *value, int format, int motorola_inte
+ if (s_den == 0) {
+ return 0;
+ } else {
+- return php_ifd_get32s(value, motorola_intel) / s_den;
++ return (size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den);
+ }
+
+ case TAG_FMT_SSHORT: return php_ifd_get16u(value, motorola_intel);
+
+--
+2.1.4
+
+From 900b17b15fd5d29b6575b175b2b120ffab3adc96 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikic@php.net>
+Date: Thu, 5 Jan 2017 11:37:06 +0100
+Subject: [PATCH] Fix printf modifier
+
+---
+ ext/exif/exif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 83daee6..3663b3f 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2865,7 +2865,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ }
+
+ if (components < 0) {
+- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%d)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
+ return FALSE;
+ }
+
+--
+2.1.4
+
+From 0ab1af7d3eff815e1809fe044e54283b5a1b8e27 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Jan 2017 17:31:08 -0800
+Subject: [PATCH] Update more functions with path check
+
+---
+ ext/curl/curl_file.c | 2 +-
+ ext/exif/exif.c | 2 +-
+ ext/zip/php_zip.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
+index 029a58a..9792492 100644
+--- a/ext/curl/curl_file.c
++++ b/ext/curl/curl_file.c
+@@ -35,7 +35,7 @@ static void curlfile_ctor(INTERNAL_FUNCTION_PARAMETERS)
+ int fname_len, mime_len, postname_len;
+ zval *cf = return_value;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ss", &fname, &fname_len, &mime, &mime_len, &postname, &postname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ss", &fname, &fname_len, &mime, &mime_len, &postname, &postname_len) == FAILURE) {
+ return;
+ }
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 3663b3f..1c8772f 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -4220,7 +4220,7 @@ PHP_FUNCTION(exif_imagetype)
+ php_stream * stream;
+ int itype = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &imagefile, &imagefile_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &imagefile, &imagefile_len) == FAILURE) {
+ return;
+ }
+
+
+--
+2.1.4
+
+From 814966ad33f9a734e422e34327256d58a91d1272 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Jan 2017 18:42:22 -0800
+Subject: [PATCH] Fix test
+
+---
+ ext/exif/tests/exif_imagetype_variation1.phpt | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/ext/exif/tests/exif_imagetype_variation1.phpt b/ext/exif/tests/exif_imagetype_variation1.phpt
+index 767ed5f..d33217c 100644
+--- a/ext/exif/tests/exif_imagetype_variation1.phpt
++++ b/ext/exif/tests/exif_imagetype_variation1.phpt
+@@ -142,23 +142,23 @@ Warning: exif_imagetype(0.5): failed to open stream: No such file or directory i
+ bool(false)
+ -- Iteration 10 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 11 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 12 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 13 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 14 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ -- Iteration 15 --
+
+@@ -198,7 +198,7 @@ Warning: exif_imagetype(obj'ct): failed to open stream: No such file or director
+ bool(false)
+ -- Iteration 24 --
+
+-Warning: exif_imagetype() expects parameter 1 to be string, resource given in %s on line %d
++Warning: exif_imagetype() expects parameter 1 to be a valid path, resource given in %s on line %d
+ NULL
+ -- Iteration 25 --
+
+--
+2.1.4
+
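Review bot: The new return in exif_convert_any_to_int, `(size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den)`, converts a possibly negative double to size_t, and C leaves that conversion undefined when the truncated quotient is negative. The case label and the declaration of s_den are outside the hunk; assuming both operands are signed, as the names suggest, a file-supplied negative numerator or denominator reaches that cast. Making the negative case explicit would avoid it, for example `double q = (double)php_ifd_get32s(value, motorola_intel) / s_den;` followed by `return q < 0 ? 0 : (size_t)q;`, if clamping is acceptable to callers. Separately, the third commit's diffstat lists `ext/zip/php_zip.c`, but no section for it follows; if that part was left out on purpose, the header should say so next to `Binary parts dropped`.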
diff --git a/bug73764.patch b/bug73764.patch
new file mode 100644
index 0000000..540c588
--- /dev/null
+++ b/bug73764.patch
@@ -0,0 +1,42 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From ca46d0acbce55019b970fcd4c1e8a10edfdded93 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Fri, 30 Dec 2016 15:34:46 -0800
+Subject: [PATCH] Fix int overflows in phar (bug #73764)
+
+---
+ ext/phar/phar.c | 4 ++--
+ ext/phar/tests/bug73764.phar | Bin 0 -> 138 bytes
+ ext/phar/tests/bug73764.phpt | 16 ++++++++++++++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug73764.phar
+ create mode 100644 ext/phar/tests/bug73764.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 14b80e1..532b4c3 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.is_persistent = mydata->is_persistent;
+
+ for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
+- if (buffer + 4 > endbuffer) {
++ if (buffer + 24 > endbuffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
+ }
+
+@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (entry.filename_len + 20 > endbuffer - buffer) {
++ if (entry.filename_len > endbuffer - buffer - 20) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+--
+2.1.4
+
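Review bot: The bounds check `if (buffer + 24 > endbuffer)` can form a pointer more than one element past the end of the manifest buffer, which is undefined in C, so a compiler is allowed to assume it never happens. The second check in this patch already uses the subtraction form; writing the first as `if (endbuffer - buffer < 24)` keeps the test in integer arithmetic on attacker-supplied manifest data. The same applies to `buffer + 28 > endbuffer` in bug73773.patch. phar_parse_pharfile continues outside both hunks, so how far buffer advances between the two checks is not visible here.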
diff --git a/bug73768.patch b/bug73768.patch
new file mode 100644
index 0000000..b8d2b9a
--- /dev/null
+++ b/bug73768.patch
@@ -0,0 +1,41 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From b28b8b2fee6dfa6fcd13305c581bb835689ac3be Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Fri, 30 Dec 2016 15:57:24 -0800
+Subject: [PATCH] Fix bug #73768 - Memory corruption when loading hostile phar
+
+---
+ ext/phar/phar.c | 3 +--
+ ext/phar/tests/bug73768.phar | Bin 0 -> 219 bytes
+ ext/phar/tests/bug73768.phpt | 16 ++++++++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug73768.phar
+ create mode 100644 ext/phar/tests/bug73768.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 532b4c3..158f417 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -981,7 +981,6 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ /* if the alias is stored we enforce it (implicit overrides explicit) */
+ if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len)))
+ {
+- buffer[tmp_len] = '\0';
+ php_stream_close(fp);
+
+ if (signature) {
+@@ -989,7 +988,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ }
+
+ if (error) {
+- spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias);
++ spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias);
+ }
+
+ efree(savebuf);
+--
+2.1.4
+
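Review bot: `tmp_len` is passed as the precision for `%.*s`, which is consumed as an `int`, while the alias comparison in the first hunk casts it with `(int)tmp_len`, suggesting its declared type is not int. Casting at the call keeps the variadic argument matched: `... under different alias \"%s\"", fname, (int)tmp_len, buffer, alias);`. With the NUL write removed, the message now depends entirely on tmp_len being bounded against the end of the buffer, and that check is outside this hunk.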
diff --git a/bug73773.patch b/bug73773.patch
new file mode 100644
index 0000000..1aab14c
--- /dev/null
+++ b/bug73773.patch
@@ -0,0 +1,37 @@
+Backported from 5.6.30 by Remi.
+
+
+From e5246580a85f031e1a3b8064edbaa55c1643a451 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 31 Dec 2016 18:47:50 -0800
+Subject: [PATCH] Fix bug #73773 - Seg fault when loading hostile phar
+
+---
+ ext/phar/phar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 158f417..780be43 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1054,7 +1054,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.is_persistent = mydata->is_persistent;
+
+ for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
+- if (buffer + 24 > endbuffer) {
++ if (buffer + 28 > endbuffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
+ }
+
+@@ -1068,7 +1068,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (entry.filename_len > endbuffer - buffer - 20) {
++ if (entry.filename_len > endbuffer - buffer - 24) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+--
+2.1.4
+
diff --git a/failed.txt b/failed.txt
index 32284e6..d34c2b8 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-==== PHP 5.5.38-6 (2016-12-10)
+==== PHP 5.5.38-7 (2017-02-18)
$ grep -r 'Tests failed' /var/lib/mock/scl55*/build.log
@@ -11,7 +11,7 @@ $ grep -r 'Tests failed' /var/lib/mock/scl55*/build.log
fc23x, fc24x, fc25x:
Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
-el6x, el7x, fc23x
+el6x, el7x, fc23x, fc24x, fc25x
Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
el6x, el7x, fc24x, fc25x
Bug #20382 [2] (strtotime ("Monday", $date) produces wrong result on DST changeover) [ext/date/tests/bug20382-2.phpt]
diff --git a/opcache.ini b/opcache.ini
index dd117db..5919a6e 100644
--- a/opcache.ini
+++ b/opcache.ini
@@ -93,3 +93,14 @@ opcache.blacklist_filename=/etc/php.d/opcache*.blacklist
; Useful for internal debugging only.
;opcache.protect_memory=0
+; Validate cached file permissions.
+; Leads OPcache to check file readability on each access to cached file.
+; This directive should be enabled in shared hosting environment, when few
+; users (PHP-FPM pools) reuse the common OPcache shared memory.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+; This directive prevents file name collisions in different "chroot"
+; environments. It should be enabled for sites that may serve requests in
+; different "chroot" environments.
+;opcache.validate_root=0
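Review bot: Both new directives ship commented out at `0`, so installing this update does not enable the #69090 protection by itself, and the comment block does not say that. Suggest adding `; Disabled by default; set to 1 where several users or PHP-FPM pools share one OPcache.` above `;opcache.validate_permission=0`, and a matching line for `opcache.validate_root`. In the existing text, "when few users" reads as if it means "when several users".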
diff --git a/php.spec b/php.spec
index 78a5ee6..1d50c18 100644
--- a/php.spec
+++ b/php.spec
@@ -140,7 +140,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.5.38
-Release: 6%{?dist}
+Release: 7%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -242,6 +242,11 @@ Patch146: bug73144.patch
Patch147: bug73418.patch
Patch148: bug73356.patch
Patch149: bug73631.patch
+Patch150: bug73737.patch
+Patch151: bug73764.patch
+Patch152: bug73768.patch
+Patch153: bug73773.patch
+Patch154: bug69090.patch
# Security fixes (200+)
@@ -984,6 +989,11 @@ support for using the enchant library to PHP.
%patch147 -p1 -b .bug73418
%patch148 -p1 -b .bug73356
%patch149 -p1 -b .bug73631
+%patch150 -p1 -b .bug73737
+%patch151 -p1 -b .bug73767
+%patch152 -p1 -b .bug73768
+%patch153 -p1 -b .bug73773
+%patch154 -p1 -b .bug69090
: ------------------------
# Fixes for tests
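Review bot: `%patch151 -p1 -b .bug73767` uses a backup suffix that does not match the patch it applies, since Patch151 is bug73764.patch; it should read `%patch151 -p1 -b .bug73764` so the backup files map to the right bug. Also, Patch153 (bug73773.patch) is applied here, but the %changelog entry added in the last hunk has no line for #73773. Adding `- fix #73773: Seg fault when loading hostile phar` there would keep the package record complete for anyone auditing which fixes this release carries.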
@@ -1889,6 +1899,15 @@ EOF
%changelog
+* Sat Feb 18 2017 Remi Collet <remi@remirepo.net> - 5.5.38-7
+- fix #73737: FPE when parsing a tag format
+ CVE-2016-10158
+- fix #73764: int overflows in phar
+ CVE-2016-10159
+- fix #73768: Memory corruption when loading hostile phar
+ CVE-2016-10160
+- fix #69090: check cached files permissions
+
* Sat Dec 10 2016 Remi Collet <remi@remirepo.net> - 5.5.38-6
- fix #73631: Invalid read when wddx decodes empty boolean element
CVE-2016-9935