authorRemi Collet <remi@remirepo.net>2019-03-12 11:05:11 +0100
committerRemi Collet <remi@remirepo.net>2019-03-12 11:05:11 +0100
commit54c47c5cbf037ce982bf1868f79051c8af88bad3 (patch)
tree298507977d94b6b6fe84abc80c662e3dc2f73b7c
parentc2b0e5687f6de20065ad435a37e060f87d03604a (diff)
Fix #77396 Null Pointer Dereference in phar_create_or_parse_filename
Fix #77586 - phar_tar_writeheaders_int() buffer overflow - spl: Fix #77431 openFile() silently truncates after a null byte - security fix synced with https://github.com/Microsoft/php-src/
-rw-r--r--failed.txt6
-rw-r--r--php-bug77396.patch76
-rw-r--r--php-bug77431.patch66
-rw-r--r--php-bug77540.patch20
-rw-r--r--php-bug77563.patch11
-rw-r--r--php-bug77586.patch102
-rw-r--r--php-bug77630.patch36
-rw-r--r--php-news.patch40
-rw-r--r--php.spec20
9 files changed, 335 insertions, 42 deletions
diff --git a/failed.txt b/failed.txt
index 92a59d4..28fb7af 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 5.6.40-4 (2019-03-05)
+===== 5.6.40-5 (2019-03-12)
$ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
@@ -9,7 +9,7 @@ $ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
/var/lib/mock/scl56fc27x/build.log:Tests failed : 7
/var/lib/mock/scl56fc28x/build.log:Tests failed : 6
/var/lib/mock/scl56fc29x/build.log:Tests failed : 8
-/var/lib/mock/scl56fc30x/build.log:Tests failed : 8
+/var/lib/mock/scl56fc30x/build.log:Tests failed : 11
el6x, el7x:
@@ -19,7 +19,7 @@ el6x, el7x, fc25x, fc26x, fc27x, fc28x, fc29x, fc30x:
el6xn el7x, fc26x, fc27x, fc28x, fc29x, fc30x:
4 Bug #51819 (Case discrepancy in timezone names cause Uncaught exception and fatal error) [ext/date/tests/bug51819.phpt]
4 Test date_sunset() function : usage variation - Passing high positive and negative float values to time argument. [ext/date/tests/date_sunset_variation9.phpt]
-el6x, fc25x, fc27x:
+el6x, fc25x, fc27x, fc29x:
3 Bug #65538: SSL context "cafile" disallows URL stream wrappers [ext/openssl/tests/bug65538_002.phpt]
3 gethostbyname() function - basic return valid ip address test [ext/standard/tests/network/gethostbyname_error004.phpt]
3 getmxrr() test [ext/standard/tests/network/getmxrr.phpt]
diff --git a/php-bug77396.patch b/php-bug77396.patch
new file mode 100644
index 0000000..4a37472
--- /dev/null
+++ b/php-bug77396.patch
@@ -0,0 +1,76 @@
+From 0bfb626af1429dbd51b9f860bc54027d4e94b754 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 3 Mar 2019 18:22:32 -0800
+Subject: [PATCH] Fix bug #77396 - Null Pointer Dereference in
+ phar_create_or_parse_filename
+
+(cherry picked from commit 7f0ab7c20c83a52862ad7c8acf31c3fa739f1274)
+---
+ ext/phar/phar.c | 3 +++
+ ext/phar/tests/bug77396.phpt | 15 +++++++++++++++
+ 2 files changed, 18 insertions(+)
+ create mode 100644 ext/phar/tests/bug77396.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 6e5cec2462..850a6e6c46 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1385,6 +1385,9 @@ int phar_create_or_parse_filename(char *fname, int fname_len, char *alias, int a
+ /* set up our manifest */
+ mydata = ecalloc(1, sizeof(phar_archive_data));
+ mydata->fname = expand_filepath(fname, NULL TSRMLS_CC);
++ if (mydata->fname == NULL) {
++ return FAILURE;
++ }
+ fname_len = strlen(mydata->fname);
+ #ifdef PHP_WIN32
+ phar_unixify_path_separators(mydata->fname, fname_len);
+diff --git a/ext/phar/tests/bug77396.phpt b/ext/phar/tests/bug77396.phpt
+new file mode 100644
+index 0000000000..f7a2a2f026
+--- /dev/null
++++ b/ext/phar/tests/bug77396.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #77396 Relative filename exceeding maximum path length causes null pointer dereference.
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++$path = '../' . str_repeat("x", PHP_MAXPATHLEN) . '.tar';
++$phar = new PharData($path);
++?>
++--EXPECTF--
++Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s/bug77396.php:%d
++Stack trace:
++#0 %s/bug77396.php(%d): PharData->__construct(%s)
++#1 {main}
++ thrown in %s/bug77396.php on line %d
+
+From e03269512a8c092f1b1d2320b9f993795cf0fb76 Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Mon, 4 Mar 2019 14:28:47 +0100
+Subject: [PATCH] Fix test portability
+
+(cherry picked from commit 040196972c7a757200c2e1aa88f360322c38ffde)
+---
+ ext/exif/tests/bug77563.phpt | 8 ++++----
+ ext/phar/tests/bug77396.phpt | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/ext/phar/tests/bug77396.phpt b/ext/phar/tests/bug77396.phpt
+index f7a2a2f026..ede25ff81f 100644
+--- a/ext/phar/tests/bug77396.phpt
++++ b/ext/phar/tests/bug77396.phpt
+@@ -8,8 +8,8 @@ $path = '../' . str_repeat("x", PHP_MAXPATHLEN) . '.tar';
+ $phar = new PharData($path);
+ ?>
+ --EXPECTF--
+-Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s/bug77396.php:%d
++Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s%ebug77396.php:%d
+ Stack trace:
+-#0 %s/bug77396.php(%d): PharData->__construct(%s)
++#0 %s%ebug77396.php(%d): PharData->__construct(%s)
+ #1 {main}
+- thrown in %s/bug77396.php on line %d
++ thrown in %s%ebug77396.php on line %d
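Review bot: The early `return FAILURE;` added after `expand_filepath()` in the ext/phar/phar.c hunk does not release `mydata`, which was allocated by `ecalloc(1, sizeof(phar_archive_data))` two lines above. Freeing it first keeps the failure path clean: `if (mydata->fname == NULL) { efree(mydata); return FAILURE; }`. Even if the request-scoped allocator reclaims the block later, it would presumably be reported as a leak in debug builds each time an over-long path is passed in. phar_create_or_parse_filename starts and ends outside the hunk, so anything else set up earlier in the function should be checked for the same exit path.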
diff --git a/php-bug77431.patch b/php-bug77431.patch
new file mode 100644
index 0000000..c0c27b3
--- /dev/null
+++ b/php-bug77431.patch
@@ -0,0 +1,66 @@
+From 6d9dcae7b2828a2c4d1853eecc2e62743515b36b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 9 Jan 2019 14:26:18 +0100
+Subject: [PATCH] Fix #77431 SplFileInfo::__construct() accepts NUL bytes
+
+`SplFileInfo::__construct()` has to expect a path instead of a string,
+analogous to `SplFileObject::__construct()`.
+
+(cherry picked from commit 254a5914ad7f9dbdc4f6090229f6b0f4317a695e)
+---
+ ext/spl/spl_directory.c | 2 +-
+ ext/spl/tests/bug77431.phpt | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 ext/spl/tests/bug77431.phpt
+
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index c08334573e..fbcf892c3d 100644
+--- a/ext/spl/spl_directory.c
++++ b/ext/spl/spl_directory.c
+@@ -1135,7 +1135,7 @@ SPL_METHOD(SplFileInfo, __construct)
+
+ zend_replace_error_handling(EH_THROW, spl_ce_RuntimeException, &error_handling TSRMLS_CC);
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &path, &len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &path, &len) == FAILURE) {
+ zend_restore_error_handling(&error_handling TSRMLS_CC);
+ return;
+ }
+diff --git a/ext/spl/tests/bug77431.phpt b/ext/spl/tests/bug77431.phpt
+new file mode 100644
+index 0000000000..eb1ca96b75
+--- /dev/null
++++ b/ext/spl/tests/bug77431.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #77431 (SplFileInfo::__construct() accepts NUL bytes)
++--FILE--
++<?php
++new SplFileInfo("bad\0good");
++?>
++--EXPECTF--
++Fatal error: Uncaught TypeError: SplFileInfo::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Stack trace:%A
+\ No newline at end of file
+From dfea88758c8add916be72e666b193a993540cfde Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Wed, 6 Mar 2019 12:19:33 +0100
+Subject: [PATCH] Fix test
+
+---
+ ext/spl/tests/bug77431.phpt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/spl/tests/bug77431.phpt b/ext/spl/tests/bug77431.phpt
+index eb1ca96b75..04e4ce2eba 100644
+--- a/ext/spl/tests/bug77431.phpt
++++ b/ext/spl/tests/bug77431.phpt
+@@ -5,5 +5,5 @@ Bug #77431 (SplFileInfo::__construct() accepts NUL bytes)
+ new SplFileInfo("bad\0good");
+ ?>
+ --EXPECTF--
+-Fatal error: Uncaught TypeError: SplFileInfo::__construct() expects parameter 1 to be a valid path, string given in %s:%d
+-Stack trace:%A
+\ No newline at end of file
++Fatal error: Uncaught exception 'RuntimeException' with message 'SplFileInfo::__construct() expects parameter 1 to be a valid path, string given' in %s:%d
++Stack trace:%A
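Review bot: The switch from `"s"` to `"p"` in SplFileInfo::__construct carries no comment, and the reason for it (rejecting a path with an embedded NUL byte instead of letting it be truncated later) is easy to lose in a later cleanup. A one-line comment above the call would do, e.g. `/* "p" (path) rejects embedded NUL bytes, see bug #77431 */`. Other methods in spl_directory.c that accept file names are outside this hunk, so whether they already use `"p"` cannot be confirmed here and is worth checking when applying the backport.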
diff --git a/php-bug77540.patch b/php-bug77540.patch
index 228c59d..946b3cb 100644
--- a/php-bug77540.patch
+++ b/php-bug77540.patch
@@ -1,19 +1,15 @@
-Backported for 5.6 from 7.1 by remi
-without binary diff
-
-
-
-From 5e824a88d073d282c4f358f186cb87ddc284f83d Mon Sep 17 00:00:00 2001
+From 3f875bf0da30b46aaa772367b9638b867e2b7690 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Fri, 1 Mar 2019 23:25:45 -0800
Subject: [PATCH] Fix integer overflows on 32-bits
+(cherry picked from commit 5e824a88d073d282c4f358f186cb87ddc284f83d)
---
ext/exif/exif.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
-index cbde3effedf9..b4563927a505 100644
+index cad29b7295..47055a180c 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3577,10 +3577,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
@@ -53,11 +49,12 @@ index cbde3effedf9..b4563927a505 100644
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size);
return FALSE;
}
-From 5f0e62a3e5b525163e538aaab0161c2c8c5d057b Mon Sep 17 00:00:00 2001
+From 67d1a5b7d7330ceb414fd3d33ab3243fc06fa0dc Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 2 Mar 2019 13:38:00 -0800
Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn
+(cherry picked from commit 5f0e62a3e5b525163e538aaab0161c2c8c5d057b)
---
ext/exif/exif.c | 10 ++++++++--
ext/exif/tests/bug77540.jpg | Bin 0 -> 91 bytes
@@ -67,10 +64,10 @@ Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn
create mode 100644 ext/exif/tests/bug77540.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
-index b4563927a505..ea88a8f115e8 100644
+index 47055a180c..5497068fb1 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
-@@ -3519,7 +3519,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+@@ -3519,7 +3519,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC)
return FALSE;
marker = c;
length = php_jpg_get16(data+pos);
@@ -79,7 +76,7 @@ index b4563927a505..ea88a8f115e8 100644
return FALSE;
}
#ifdef EXIF_DEBUG
-@@ -3540,6 +3540,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+@@ -3540,6 +3540,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC)
case M_SOF14:
case M_SOF15:
/* handle SOFn block */
@@ -101,3 +98,4 @@ index b4563927a505..ea88a8f115e8 100644
}
zval_dtor(p_width);
zval_dtor(p_height);
+
diff --git a/php-bug77563.patch b/php-bug77563.patch
index 33b196d..2fc6dea 100644
--- a/php-bug77563.patch
+++ b/php-bug77563.patch
@@ -1,15 +1,12 @@
-Backported for 5.6 from 7.1 by remi
-without binary diff
-
-
-
-From 8ac6fee8562533a15db90062117210ed28b44fea Mon Sep 17 00:00:00 2001
+From ac4a9cd56f8145c0b1226fe977772a40e3a994a9 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 2 Mar 2019 15:07:40 -0800
Subject: [PATCH] Fix bug #77563 - Uninitialized read in
exif_process_IFD_in_MAKERNOTE
Also fix for bug #77659
+
+(cherry picked from commit 8ac6fee8562533a15db90062117210ed28b44fea)
---
ext/exif/exif.c | 3 ++-
ext/exif/tests/bug77563.jpg | Bin 0 -> 63 bytes
@@ -19,7 +16,7 @@ Also fix for bug #77659
create mode 100644 ext/exif/tests/bug77563.phpt
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
-index ea88a8f115e8..fe89b8547118 100644
+index 5497068fb1..ce8db170c7 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2751,7 +2751,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
diff --git a/php-bug77586.patch b/php-bug77586.patch
new file mode 100644
index 0000000..45a983f
--- /dev/null
+++ b/php-bug77586.patch
@@ -0,0 +1,102 @@
+From 11dda9a4fb4106bb2f35a717ca0bfb379fa7d1ad Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 3 Mar 2019 22:33:38 -0800
+Subject: [PATCH] Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow
+
+(cherry picked from commit e0f5d62bd6690169998474b62f92a8c5ddf0e699)
+---
+ ext/phar/tar.c | 7 ++++++-
+ ext/phar/tests/bug71488.phpt | 5 +++--
+ ext/phar/tests/bug77586.phpt | 21 +++++++++++++++++++
+ ...-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC | 1 +
+ 4 files changed, 31 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug77586.phpt
+ create mode 100644 ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 898ff859ab..7ad95ebba6 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -765,7 +765,12 @@ static int phar_tar_writeheaders(void *pDest, void *argument TSRMLS_DC) /* {{{ *
+ header.typeflag = entry->tar_type;
+
+ if (entry->link) {
+- strncpy(header.linkname, entry->link, strlen(entry->link));
++ if (strlcpy(header.linkname, entry->link, sizeof(header.linkname)) >= sizeof(header.linkname)) {
++ if (fp->error) {
++ spprintf(fp->error, 4096, "tar-based phar \"%s\" cannot be created, link \"%s\" is too long for format", entry->phar->fname, entry->link);
++ }
++ return ZEND_HASH_APPLY_STOP;
++ }
+ }
+
+ strncpy(header.magic, "ustar", sizeof("ustar")-1);
+diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
+index 22d2bf098f..65bd7b2d3c 100644
+--- a/ext/phar/tests/bug71488.phpt
++++ b/ext/phar/tests/bug71488.phpt
+@@ -13,5 +13,6 @@ DONE
+ <?php
+ @unlink(__DIR__."/bug71488.test");
+ ?>
+---EXPECT--
+-DONE
+\ No newline at end of file
++--EXPECTF--
++Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d
++Stack trace:%A
+diff --git a/ext/phar/tests/bug77586.phpt b/ext/phar/tests/bug77586.phpt
+new file mode 100644
+index 0000000000..039cc16994
+--- /dev/null
++++ b/ext/phar/tests/bug77586.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Bug #77586 Symbolic link names in tar-formatted phar must be less than 100 bytes.
++--SKIPIF--
++<?php if (!extension_loaded("phar") || true /* blocked by bug 65332 */) die("skip"); ?>
++--FILE--
++<?php
++$dir = __DIR__."/bug77586";
++$phar = new PharData($dir . "/bug77586.tar");
++$phar->buildFromDirectory($dir . "/files");
++?>
++--CLEAN--
++<?php
++$dir = __DIR__."/bug77586";
++unlink($dir . "/bug77586.tar");
++?>
++--EXPECTF--
++Fatal error: Uncaught PharException: tar-based phar "%s/bug77586.tar" cannot be created, link "%s" is too long for format %s
++Stack trace:
++#0 %s/bug77586.php(%d): PharData->buildFromDirectory('%s')
++#1 {main}
++ thrown in %s/bug77586.php %s on line %d
+diff --git a/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC b/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC
+new file mode 100644
+index 0000000000..1de565933b
+--- /dev/null
++++ b/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC
+@@ -0,0 +1 @@
++target
+\ No newline at end of file
+From 426ecc2f86e65a6105d510569b9f7bbbe67f765a Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Wed, 6 Mar 2019 12:48:42 +0100
+Subject: [PATCH] Fix test
+
+---
+ ext/phar/tests/bug71488.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
+index 65bd7b2d3c..8468ce212a 100644
+--- a/ext/phar/tests/bug71488.phpt
++++ b/ext/phar/tests/bug71488.phpt
+@@ -14,5 +14,5 @@ DONE
+ @unlink(__DIR__."/bug71488.test");
+ ?>
+ --EXPECTF--
+-Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d
++Fatal error: Uncaught exception 'BadMethodCallException' with message 'tar-based phar "%sbug71488.test" cannot be created, link "%s" is too long for format' in %sbug71488.php:%d
+ Stack trace:%A
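Review bot: The new regression test ext/phar/tests/bug77586.phpt never runs, because its SKIPIF condition is `!extension_loaded("phar") || true /* blocked by bug 65332 */`. The length check added in phar_tar_writeheaders is therefore exercised only through the changed expectation in bug71488.phpt. The EXPECTF of bug77586.phpt is also still in the newer message format (`Uncaught PharException: tar-based phar ...`), while the follow-up "Fix test" patch converted bug71488.phpt to the 5.6 format (`Uncaught exception 'BadMethodCallException' with message '...'`), so it would presumably not match on this branch once un-skipped. I would convert that expectation the same way and record in the spec changelog that the test is disabled. The C guard rejects any link whose length reaches `sizeof(header.linkname)`; the declaration of that field is outside the hunk.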
diff --git a/php-bug77630.patch b/php-bug77630.patch
index bc3f645..71cbf12 100644
--- a/php-bug77630.patch
+++ b/php-bug77630.patch
@@ -1,8 +1,4 @@
-Backported to 5.6 from 7.1 by remi
-
-
-
-From e3133e4db70476fb7adfdedb738483e2255ce0e1 Mon Sep 17 00:00:00 2001
+From 0c78ce21f96537dbea40c1d4f7467617600d266b Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 2 Mar 2019 23:42:53 -0800
Subject: [PATCH] Fix bug #77630 - safer rename() procedure
@@ -11,15 +7,17 @@ In order to rename safer, we do the following:
- set umask to 077 (unfortunately, not TS, so excluding ZTS)
- chown() first, to set proper group before allowing group access
- chmod() after, even if chown() fails
+
+(cherry picked from commit e3133e4db70476fb7adfdedb738483e2255ce0e1)
---
- main/streams/plain_wrapper.c | 51 ++++++++++++++++++++++++------------
- 1 file changed, 34 insertions(+), 17 deletions(-)
+ main/streams/plain_wrapper.c | 48 ++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
-index af890a9aa3bb..7fdf906e6fad 100644
+index f472bad4b9..3e114a64ea 100644
--- a/main/streams/plain_wrapper.c
+++ b/main/streams/plain_wrapper.c
-@@ -1126,34 +1126,51 @@ static int php_plain_files_rename(php_st
+@@ -1126,34 +1126,50 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, const char *url_f
# ifdef EXDEV
if (errno == EXDEV) {
struct stat sb;
@@ -33,11 +31,6 @@ index af890a9aa3bb..7fdf906e6fad 100644
+ success = 1;
# if !defined(TSRM_WIN32) && !defined(NETWARE)
- if (VCWD_CHMOD(url_to, sb.st_mode)) {
-- if (errno == EPERM) {
-- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
-- VCWD_UNLINK(url_from);
-- return 1;
-- }
+ /*
+ * Try to set user and permission info on the target.
+ * If we're not root, then some of these may fail.
@@ -46,21 +39,24 @@ index af890a9aa3bb..7fdf906e6fad 100644
+ * access to the file in the meantime.
+ */
+ if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
-- return 0;
-+ if (errno != EPERM) {
++ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+ if (errno == EPERM) {
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- VCWD_UNLINK(url_from);
+- return 1;
+ success = 0;
-+ }
+ }
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- return 0;
}
- if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
- if (errno == EPERM) {
-+
+ if (success) {
+ if (VCWD_CHMOD(url_to, sb.st_mode)) {
php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
- VCWD_UNLINK(url_from);
- return 1;
-+ if (errno != EPERM) {
++ if (errno == EPERM) {
+ success = 0;
+ }
}
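Review bot: The refreshed patch appears to invert the errno test on both failure paths: the chmod branch changes from `if (errno != EPERM) {` to `if (errno == EPERM) {`, and the chown branch now also sets `success = 0` under `if (errno == EPERM) {`. That contradicts the comment a few lines earlier in the same patch ("If we're not root, then some of these may fail"), since an unprivileged cross-device rename would presumably be treated as failed on the expected EPERM while other chown()/chmod() errors are ignored. Unless the 5.6 backport differs deliberately, both conditions should read `if (errno != EPERM) {`, as in the previous revision of this patch; compare with the cherry-picked commit e3133e4db70476fb7adfdedb738483e2255ce0e1. In the chown branch `errno` is also read after `php_error_docref2()` has run, so copying it to a local before logging would avoid testing a clobbered value. php_plain_files_rename continues outside the hunk.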
diff --git a/php-news.patch b/php-news.patch
new file mode 100644
index 0000000..6dda924
--- /dev/null
+++ b/php-news.patch
@@ -0,0 +1,40 @@
+From 1176f7d0378dba89f58dac7e81c45d2e1254f57e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Thu, 7 Mar 2019 16:18:00 +0100
+Subject: [PATCH] Update NEWS
+
+---
+ NEWS | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index b8d480cacc..16da63bbb2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,26 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
++
++Backported from 7.1.27
++
++- Core:
++ . Fixed bug #77630 (rename() across the device may allow unwanted access during
++ processing). (Stas)
++
++- EXIF:
++ . Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (Stas)
++ . Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas)
++ . Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)
++ . Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)
++
++- PHAR:
++ . Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename).
++ (bishop)
++ . Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). (bishop)
++
++- SPL:
++ . Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb)
++
+ 10 Jan 2019, PHP 5.6.40
+
+ - GD:
diff --git a/php.spec b/php.spec
index b863cd2..f028875 100644
--- a/php.spec
+++ b/php.spec
@@ -136,7 +136,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 4%{?dist}
+Release: 5%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -195,9 +195,15 @@ Patch91: php-5.6.3-oci8conf.patch
Patch100: php-5.6.31-oci.patch
# Security fixes (200+)
+# See https://github.com/Microsoft/php-src/commits/PHP-5.6-security-backports
+Patch208: php-bug77396.patch
+Patch209: php-bug77431.patch
Patch210: php-bug77540.patch
Patch211: php-bug77563.patch
+Patch212: php-bug77586.patch
Patch213: php-bug77630.patch
+# update NEWS file with backport information
+Patch299: php-news.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -919,9 +925,13 @@ support for using the enchant library to PHP.
%patch100 -p1 -b .pdo_oci
# security patches
+%patch208 -p1 -b .bug77396
+%patch209 -p1 -b .bug77431
%patch210 -p1 -b .bug77540
%patch211 -p1 -b .bug77563
+%patch212 -p1 -b .bug77586
%patch213 -p1 -b .bug77630
+%patch299 -p1 -b .backport
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1861,6 +1871,14 @@ EOF
%changelog
+* Tue Mar 12 2019 Remi Collet <remi@remirepo.net> - 5.6.40-5
+- phar:
+ Fix #77396 Null Pointer Dereference in phar_create_or_parse_filename
+ Fix #77586 - phar_tar_writeheaders_int() buffer overflow
+- spl:
+ Fix #77431 openFile() silently truncates after a null byte
+- security fix synced with https://github.com/Microsoft/php-src/
+
* Tue Mar 5 2019 Remi Collet <remi@remirepo.net> - 5.6.40-4
- Fix #77630 rename() across the device may allow unwanted access
during processing