Changed |
php5.changes
Changed |
php5.spec
Added |
CVE-2014-0207.patch
@@ -0,0 +1,32 @@
+From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 3 Jun 2014 11:05:00 +0200
+Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient
+ boundary check
+
+Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
+Only revelant part applied
+---
+ ext/fileinfo/libmagic/cdf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 4712e84..16649f1 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+ size_t ss = CDF_SHORT_SEC_SIZE(h);
+ size_t pos = CDF_SHORT_SEC_POS(h, id);
+ assert(ss == len);
+- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ SIZE_T_FORMAT "u\n",
+- pos, CDF_SEC_SIZE(h) * sst->sst_len));
++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ return -1;
+ }
+ (void)memcpy(((char *)buf) + offs,
+--
+1.9.3
+
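Review bot: The new guard `if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len)` is evaluated in size_t and would still pass if `pos + len` wrapped; `pos` comes from `CDF_SHORT_SEC_POS(h, id)` two lines above and nothing in this hunk bounds `id` before that macro. A wrap-safe form is `if (pos > CDF_SEC_SIZE(h) * sst->sst_len || len > CDF_SEC_SIZE(h) * sst->sst_len - pos)`, at the cost of one extra comparison. Note also that `assert(ss == len)` is the only thing tying `len` to the short-sector size and is compiled out under NDEBUG, so the `memcpy` into `buf + offs` still trusts the caller's `len`; that is pre-existing rather than introduced here. cdf_read_short_sector's parameter list is visible only in the hunk header and the rest of its body is outside the hunk.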
Added |
CVE-2014-3478.patch
@@ -0,0 +1,41 @@
+From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:02:36 +0200
+Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
+ truncated pascal string size
+
+Upstream
+https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+---
+ ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 21fea6b..01e4977 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ return 1;
+ }
+ case FILE_PSTRING: {
+- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++ size_t sz = file_pstring_length_size(m);
++ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ size_t len = file_pstring_get_length(m, ptr1);
+- if (len >= sizeof(p->s))
+- len = sizeof(p->s) - 1;
++ if (len >= sizeof(p->s)) {
++ /*
++ * The size of the pascal string length (sz)
++ * is 1, 2, or 4. We need at least 1 byte for NUL
++ * termination, but we've already truncated the
++ * string by p->s, so we need to deduct sz.
++ */
++ len = sizeof(p->s) - sz;
++ }
+ while (len--)
+ *ptr1++ = *ptr2++;
+ *ptr1 = '\0';
+--
+1.9.3
+
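Review bot: The comment added above `len = sizeof(p->s) - sz;` is hard to follow ("we've already truncated the string by p->s") and never states why subtracting `sz` keeps both the read through `ptr2` and the final NUL store in bounds. I would replace it with `/* ptr2 starts sz bytes into p->s, so at most sizeof(p->s) - sz bytes can be read from it; capping len there also leaves p->s[len] free for the NUL written after the loop. */`. The byte loop below copies forward from `ptr2` to the lower address `ptr1`, which is why the overlapping ranges are safe; a one-line `/* forward copy with dst < src; overlap is harmless */` would save the next reader the same analysis. mconvert's signature appears only in the hunk header and the rest of its body is outside the hunk.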
Added |
CVE-2014-3479.patch
@@ -0,0 +1,20 @@
+--- php-5.3.28/ext/fileinfo/libmagic/cdf.c.orig 2014-06-27 22:20:14.827472051 +0200
++++ php-5.3.28/ext/fileinfo/libmagic/cdf.c 2014-06-27 22:26:26.350829626 +0200
+@@ -277,13 +277,15 @@
+ {
+ const char *b = (const char *)sst->sst_tab;
+ const char *e = ((const char *)p) + tail;
++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ (void)&line;
+- if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ return 0;
+ DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
+ " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++ ss * sst->sst_len, ss, sst->sst_len));
+ errno = EFTYPE;
+ return -1;
+ }
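Review bot: The DPRINTF on the lines after the flipped condition still says `" >= %"`, so once the test is `<=` a rejected offset is logged as `X >= Y` when the failing relation is actually `X > Y`; the git-formatted variant of this same fix shipped beside it (CVE-2014-3479.patch-not-working) already carries the corrected text `"%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u" " > %"`, and this hand port should too. The file also has no provenance header, unlike every other patch in this set, so the upstream commit it follows and the reason a manual port was needed are recorded nowhere but the sibling's file name; a two-line header comment naming upstream commit 36fadd29 and noting that the 5.3.28 pre-image reads `<` where the 5.4 version reads `<=` would fix that. cdf_check_stream_offset's signature is above the hunk.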
Added |
CVE-2014-3479.patch-not-working
@@ -0,0 +1,37 @@
+From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:13:14 +0200
+Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset
+ insufficient boundary check
+
+Upstream:
+https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
+---
+ ext/fileinfo/libmagic/cdf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 16649f1..c9a5d50 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
+ {
+ const char *b = (const char *)sst->sst_tab;
+ const char *e = ((const char *)p) + tail;
++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ (void)&line;
+- if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ return 0;
+ DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
+ " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++ ss * sst->sst_len, ss, sst->sst_len));
+ errno = EFTYPE;
+ return -1;
+ }
+--
+1.9.3
+
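Review bot: This file is named `-not-working` but is still added to the package source, and its only substantive difference from the applied CVE-2014-3479.patch is the pre-image line `if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)`, which reads `<` in the 5.3.28 port; that context mismatch is presumably why it does not apply. Shipping a dead patch beside the live one invites someone to %patch it later or to conclude the CVE is unfixed, so either drop it or prefix it with a comment stating that it is kept for reference and superseded by CVE-2014-3479.patch. cdf_check_stream_offset's signature is in the hunk header only.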
Added |
CVE-2014-3480.patch
@@ -0,0 +1,40 @@
+From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:22:04 +0200
+Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient
+ boundary check
+
+Upstream:
+https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+---
+ ext/fileinfo/libmagic/cdf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index c9a5d50..ee467a6 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ size_t i, j;
+- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++ / sizeof(maxsector));
+
+ DPRINTF(("Chain:"));
+ for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+- if (sid > maxsector) {
+- DPRINTF(("Sector %d > %d\n", sid, maxsector));
++ if (sid >= maxsector) {
++ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+--
+1.9.3
+
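Review bot: `maxsector` is still produced through a cast to `cdf_secid_t`, which the loop condition `sid >= 0` shows is signed, so `(sat->sat_len * size) / sizeof(maxsector)` is truncated or goes negative for a large SAT and the `%d` in the new DPRINTF only matches by that accident; the failure mode is spurious EFTYPE rejections rather than a bypass, but it is needless. Keep the bound in size_t: `size_t maxsector = (sat->sat_len * size) / sizeof(cdf_secid_t);` and `if ((size_t)sid >= maxsector)` (safe because the loop only runs for `sid >= 0`), printing it with `"%" SIZE_T_FORMAT "u"` as the rest of the file does. The product `sat->sat_len * size` is not overflow-checked here; whether `sat_len` was bounded when the SAT was read is not visible in this hunk. cdf_count_chain's body continues past the hunk.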
Added |
CVE-2014-3487.patch
@@ -0,0 +1,34 @@
+From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:33:37 +0200
+Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info
+ insufficient boundary chec
+
+Upstream:
+https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
+
+Adapted for C standard.
+---
+ ext/fileinfo/libmagic/cdf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index ee467a6..429f3b9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ goto out;
+ for (i = 0; i < sh.sh_properties; i++) {
+- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++ size_t ofs, tail = (i << 1) + 1;
++ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++ __LINE__) == -1)
++ goto out;
++ ofs = CDF_GETUINT32(p, tail);
+ q = (const uint8_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
+--
+1.9.3
+
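Review bot: The added `cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), __LINE__)` only proves that `p + tail * 4` lies within the stream, while `CDF_GETUINT32(p, tail)` on the next line reads the four bytes that start there; with a checker that accepts an end pointer equal to the stream end (which cdf_check_stream_offset does after the CVE-2014-3479 change in this same set), the read can still run up to four bytes past it, so the bound should be `(tail + 1) * sizeof(uint32_t)`. The resulting `ofs` is then folded into `q` with no range check inside this hunk; if `q` is validated further down that is outside the visible lines and worth confirming. The `for` loop and the rest of cdf_read_property_info extend beyond the hunk.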
Added |
CVE-2014-3515.patch-not-working
@@ -0,0 +1,82 @@
+From 88223c5245e9b470e1e6362bfd96829562ffe6ab Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 21 Jun 2014 19:46:16 -0700
+Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject /
+ SPLObjectStorage Type Confusion
+
+---
+ NEWS | 2 ++
+ ext/spl/spl_array.c | 2 +-
+ ext/spl/spl_observer.c | 2 +-
+ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++-
+ 4 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 507b545..24ce950 100644
+--- a/NEWS
++++ b/NEWS
+@@ -53,6 +53,8 @@ PHP NEWS
+ . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
+ . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
+ . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam)
++ . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type
++ Confusion). (Stefan Esser)
+
+ 29 May 2014, PHP 5.4.29
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index 758947a..bf034ab 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -1808,7 +1808,7 @@ SPL_METHOD(Array, unserialize)
+ ++p;
+
+ ALLOC_INIT_ZVAL(pmembers);
+- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ zval_ptr_dtor(&pmembers);
+ goto outexcept;
+ }
+diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
+index 1a706f7..da9110b 100644
+--- a/ext/spl/spl_observer.c
++++ b/ext/spl/spl_observer.c
+@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
+ ++p;
+
+ ALLOC_INIT_ZVAL(pmembers);
+- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+ zval_ptr_dtor(&pmembers);
+ goto outexcept;
+ }
+diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+index a525317..8f0676d 100644
+--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
++++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+@@ -7,6 +7,7 @@ $badblobs = array(
+ 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
+ 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+ 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
++'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
+ );
+ foreach($badblobs as $blob) {
+ try {
+@@ -17,6 +18,7 @@ try {
+ echo $e->getMessage()."\n";
+ }
+ }
++echo "DONE\n";
+ --EXPECTF--
+ Error at offset 6 of 34 bytes
+ Error at offset 46 of 89 bytes
+@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
+ }
+ }
+ }
+-
++Error at offset 79 of 78 bytes
++DONE
+--
+1.9.3
+
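Review bot: The two one-line C changes (`|| Z_TYPE_P(pmembers) != IS_ARRAY` in spl_array.c and spl_observer.c) are the entire CVE-2014-3515 fix and do not depend on the NEWS or .phpt hunks, yet the file is shipped as `-not-working`, so unless the spec applies the fix by another route the package still accepts a non-array `pmembers` from unserialize(). The NEWS hunk is anchored on the "29 May 2014, PHP 5.4.29" entry and is the obvious reason a 5.3.28 apply fails; trimming the patch to the spl_array.c and spl_observer.c hunks (keeping the test hunk if it applies) gives a working fix with the same security effect. Whether php5.spec references this file is not visible here.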
Added |
CVE-2014-3981.patch
@@ -0,0 +1,26 @@
+From 91bcadd85e20e50d3f8c2e9721327681640e6f16 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Fri, 6 Jun 2014 14:16:04 +0200
+Subject: [PATCH] Fix bug #67390 insecure temporary file use in the configure
+ script
+
+---
+ acinclude.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 448659f..25f3655 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -1711,7 +1711,7 @@ int main(int argc, char *argv[])
+ {
+ FILE *fp;
+ long position;
+- char *filename = "/tmp/phpglibccheck";
++ char *filename = tmpnam(NULL);
+
+ fp = fopen(filename, "w");
+ if (fp == NULL) {
+--
+1.9.3
+
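Review bot: `tmpnam(NULL)` fixes the predictable name but not the race: it only returns a name, and the `fopen(filename, "w")` two lines below still follows whatever an attacker links at that path between the two calls, which is the same symlink attack class the CVE describes (glibc also warns at link time about tmpnam). The robust form creates the file atomically with `mkstemp` and wraps the descriptor with `fdopen`, as sketched below. The test program's `#include` lines and the rest of its body are outside the hunk, so `<stdlib.h>` must be confirmed present and any later unlink/reopen of `filename` checked against the array form; the `[]` in the new declaration is quoted by m4 exactly as the `argv[]` on the `main` line already is.
```c
  char filename[] = "/tmp/phpglibccheckXXXXXX";
  int fd = mkstemp(filename);

  fp = (fd == -1) ? NULL : fdopen(fd, "w");
  if (fp == NULL) {
  /* … unchanged: error report and rest of the glibc fpos check … */
```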