Changed |
php5.spec
Deleted |
CVE-2014-0185.patch
@@ -1,43 +0,0 @@
-From 1875b4648f138df77abcb513149a3340ade69a4c Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev <stas@php.net>
-Date: Tue, 15 Apr 2014 10:43:24 -0700
-Subject: [PATCH] Fix bug #67060: use default mode of 660
-
----
- sapi/fpm/fpm/fpm_unix.c | 2 +-
- sapi/fpm/php-fpm.conf.in | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/sapi/fpm/fpm/fpm_unix.c b/sapi/fpm/fpm/fpm_unix.c
-index 48249e8..ea0e673 100644
---- a/sapi/fpm/fpm/fpm_unix.c
-+++ b/sapi/fpm/fpm/fpm_unix.c
-@@ -35,7 +35,7 @@ int fpm_unix_resolve_socket_premissions(struct fpm_worker_pool_s *wp) /* {{{ */
- /* uninitialized */
- wp->socket_uid = -1;
- wp->socket_gid = -1;
-- wp->socket_mode = 0666;
-+ wp->socket_mode = 0660;
-
- if (!c) {
- return 0;
-diff --git a/sapi/fpm/php-fpm.conf.in b/sapi/fpm/php-fpm.conf.in
-index 1e70f2c..9205d42 100644
---- a/sapi/fpm/php-fpm.conf.in
-+++ b/sapi/fpm/php-fpm.conf.in
-@@ -166,10 +166,10 @@ listen = 127.0.0.1:9000
- ; permissions must be set in order to allow connections from a web server. Many
- ; BSD-derived systems allow connections regardless of permissions.
- ; Default Values: user and group are set as the running user
--; mode is set to 0666
-+; mode is set to 0660
- ;listen.owner = @php_fpm_user@
- ;listen.group = @php_fpm_group@
--;listen.mode = 0666
-+;listen.mode = 0660
-
- ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
- ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
---
-1.8.4
-
Deleted |
CVE-2014-0207.patch
@@ -1,32 +0,0 @@
-From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 3 Jun 2014 11:05:00 +0200
-Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient
- boundary check
-
-Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
-Only revelant part applied
----
- ext/fileinfo/libmagic/cdf.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
-index 4712e84..16649f1 100644
---- a/ext/fileinfo/libmagic/cdf.c
-+++ b/ext/fileinfo/libmagic/cdf.c
-@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
- size_t ss = CDF_SHORT_SEC_SIZE(h);
- size_t pos = CDF_SHORT_SEC_POS(h, id);
- assert(ss == len);
-- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
-+ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
- DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
- SIZE_T_FORMAT "u\n",
-- pos, CDF_SEC_SIZE(h) * sst->sst_len));
-+ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
- return -1;
- }
- (void)memcpy(((char *)buf) + offs,
---
-1.9.3
-
Deleted |
CVE-2014-0237.patch
@@ -1,41 +0,0 @@
-X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Ffileinfo%2Flibmagic%2Fcdf.c;h=8dacd2f93294ea9fdf2dfe740a8151698fe4efb3;hp=dd7177ed9002a82f5596c5a81b95fcd809e78811;hb=68ce2d0ea6da79b12a365e375e1c2ce882c77480;hpb=41f01c28bc266631e742713add1f8f184284636a
-
-diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
-index dd7177e..8dacd2f 100644
---- a/ext/fileinfo/libmagic/cdf.c
-+++ b/ext/fileinfo/libmagic/cdf.c
-@@ -942,7 +942,7 @@ int
- cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
- cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
- {
-- size_t i, maxcount;
-+ size_t maxcount;
- const cdf_summary_info_header_t *si =
- CAST(const cdf_summary_info_header_t *, sst->sst_tab);
- const cdf_section_declaration_t *sd =
-@@ -957,21 +957,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
- ssi->si_os = CDF_TOLE2(si->si_os);
- ssi->si_class = si->si_class;
- cdf_swap_class(&ssi->si_class);
-- ssi->si_count = CDF_TOLE2(si->si_count);
-+ ssi->si_count = CDF_TOLE4(si->si_count);
- *count = 0;
- maxcount = 0;
- *info = NULL;
-- for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
-- if (i >= CDF_LOOP_LIMIT) {
-- DPRINTF(("Unpack summary info loop limit"));
-- errno = EFTYPE;
-- return -1;
-- }
-- if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
-- info, count, &maxcount) == -1) {
-+ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
-+ count, &maxcount) == -1)
- return -1;
-- }
-- }
- return 0;
- }
-
-
Deleted |
CVE-2014-0238.patch
@@ -1,29 +0,0 @@
-X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Ffileinfo%2Flibmagic%2Fcdf.c;h=4712e84942eae72ce63a85a5ea5109cfd7ffe386;hp=8dacd2f93294ea9fdf2dfe740a8151698fe4efb3;hb=22736b7c56d678f142d5dd21f4996e5819507a2b;hpb=68ce2d0ea6da79b12a365e375e1c2ce882c77480
-
-diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
-index 8dacd2f..4712e84 100644
---- a/ext/fileinfo/libmagic/cdf.c
-+++ b/ext/fileinfo/libmagic/cdf.c
-@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
- i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
- if (inp[i].pi_type & CDF_VECTOR) {
- nelements = CDF_GETUINT32(q, 1);
-+ if (nelements == 0) {
-+ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
-+ goto out;
-+ }
- o = 2;
- } else {
- nelements = 1;
-@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
- }
- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
- nelements));
-- for (j = 0; j < nelements; j++, i++) {
-+ for (j = 0; j < nelements && i < sh.sh_properties;
-+ j++, i++)
-+ {
- uint32_t l = CDF_GETUINT32(q, o);
- inp[i].pi_str.s_len = l;
- inp[i].pi_str.s_buf = (const char *)
-
Deleted |
CVE-2014-3478.patch
@@ -1,41 +0,0 @@
-From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 10 Jun 2014 14:02:36 +0200
-Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
- truncated pascal string size
-
-Upstream
-https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
----
- ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
-index 21fea6b..01e4977 100644
---- a/ext/fileinfo/libmagic/softmagic.c
-+++ b/ext/fileinfo/libmagic/softmagic.c
-@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
- return 1;
- }
- case FILE_PSTRING: {
-- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
-+ size_t sz = file_pstring_length_size(m);
-+ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
- size_t len = file_pstring_get_length(m, ptr1);
-- if (len >= sizeof(p->s))
-- len = sizeof(p->s) - 1;
-+ if (len >= sizeof(p->s)) {
-+ /*
-+ * The size of the pascal string length (sz)
-+ * is 1, 2, or 4. We need at least 1 byte for NUL
-+ * termination, but we've already truncated the
-+ * string by p->s, so we need to deduct sz.
-+ */
-+ len = sizeof(p->s) - sz;
-+ }
- while (len--)
- *ptr1++ = *ptr2++;
- *ptr1 = '\0';
---
-1.9.3
-
Deleted |
CVE-2014-3479.patch
@@ -1,20 +0,0 @@
---- php-5.3.28/ext/fileinfo/libmagic/cdf.c.orig 2014-06-27 22:20:14.827472051 +0200
-+++ php-5.3.28/ext/fileinfo/libmagic/cdf.c 2014-06-27 22:26:26.350829626 +0200
-@@ -277,13 +277,15 @@
- {
- const char *b = (const char *)sst->sst_tab;
- const char *e = ((const char *)p) + tail;
-+ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
-+ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
- (void)&line;
-- if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
-+ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
- return 0;
- DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
- " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
- SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
-- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
-+ ss * sst->sst_len, ss, sst->sst_len));
- errno = EFTYPE;
- return -1;
- }
Deleted |
CVE-2014-3479.patch-not-working
@@ -1,37 +0,0 @@
-From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 10 Jun 2014 14:13:14 +0200
-Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset
- insufficient boundary check
-
-Upstream:
-https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
----
- ext/fileinfo/libmagic/cdf.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
-index 16649f1..c9a5d50 100644
---- a/ext/fileinfo/libmagic/cdf.c
-+++ b/ext/fileinfo/libmagic/cdf.c
-@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
- {
- const char *b = (const char *)sst->sst_tab;
- const char *e = ((const char *)p) + tail;
-+ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
-+ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
- (void)&line;
-- if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
-+ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
- return 0;
- DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
- " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
- SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
-- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
-+ ss * sst->sst_len, ss, sst->sst_len));
- errno = EFTYPE;
- return -1;
- }
---
-1.9.3
-
Deleted |
CVE-2014-3480.patch
@@ -1,40 +0,0 @@
-From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 10 Jun 2014 14:22:04 +0200
-Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient
- boundary check
-
-Upstream:
-https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
----
- ext/fileinfo/libmagic/cdf.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
-index c9a5d50..ee467a6 100644
---- a/ext/fileinfo/libmagic/cdf.c
-+++ b/ext/fileinfo/libmagic/cdf.c
-@@ -470,7 +470,8 @@ size_t
- cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
- {
- size_t i, j;
-- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
-+ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
-+ / sizeof(maxsector));
-
- DPRINTF(("Chain:"));
- for (j = i = 0; sid >= 0; i++, j++) {
-@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
- errno = EFTYPE;
- return (size_t)-1;
- }
-- if (sid > maxsector) {
-- DPRINTF(("Sector %d > %d\n", sid, maxsector));
-+ if (sid >= maxsector) {
-+ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
- errno = EFTYPE;
- return (size_t)-1;
- }
---
-1.9.3
-
Deleted |
CVE-2014-3487.patch
@@ -1,34 +0,0 @@
-From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 10 Jun 2014 14:33:37 +0200
-Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info
- insufficient boundary chec
-
-Upstream:
-https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
-
-Adapted for C standard.
----
- ext/fileinfo/libmagic/cdf.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
-index ee467a6..429f3b9 100644
---- a/ext/fileinfo/libmagic/cdf.c
-+++ b/ext/fileinfo/libmagic/cdf.c
-@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
- if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
- goto out;
- for (i = 0; i < sh.sh_properties; i++) {
-- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
-+ size_t ofs, tail = (i << 1) + 1;
-+ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
-+ __LINE__) == -1)
-+ goto out;
-+ ofs = CDF_GETUINT32(p, tail);
- q = (const uint8_t *)(const void *)
- ((const char *)(const void *)p + ofs
- - 2 * sizeof(uint32_t));
---
-1.9.3
-
Deleted |
CVE-2014-3515.patch-not-working
@@ -1,82 +0,0 @@
-From 88223c5245e9b470e1e6362bfd96829562ffe6ab Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev <stas@php.net>
-Date: Sat, 21 Jun 2014 19:46:16 -0700
-Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject /
- SPLObjectStorage Type Confusion
-
----
- NEWS | 2 ++
- ext/spl/spl_array.c | 2 +-
- ext/spl/spl_observer.c | 2 +-
- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++-
- 4 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/NEWS b/NEWS
-index 507b545..24ce950 100644
---- a/NEWS
-+++ b/NEWS
-@@ -53,6 +53,8 @@ PHP NEWS
- . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
- . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
- . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam)
-+ . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type
-+ Confusion). (Stefan Esser)
-
- 29 May 2014, PHP 5.4.29
-
-diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
-index 758947a..bf034ab 100644
---- a/ext/spl/spl_array.c
-+++ b/ext/spl/spl_array.c
-@@ -1808,7 +1808,7 @@ SPL_METHOD(Array, unserialize)
- ++p;
-
- ALLOC_INIT_ZVAL(pmembers);
-- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
-+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
- zval_ptr_dtor(&pmembers);
- goto outexcept;
- }
-diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
-index 1a706f7..da9110b 100644
---- a/ext/spl/spl_observer.c
-+++ b/ext/spl/spl_observer.c
-@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
- ++p;
-
- ALLOC_INIT_ZVAL(pmembers);
-- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
-+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
- zval_ptr_dtor(&pmembers);
- goto outexcept;
- }
-diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
-index a525317..8f0676d 100644
---- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
-+++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
-@@ -7,6 +7,7 @@ $badblobs = array(
- 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
- 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
- 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
- );
- foreach($badblobs as $blob) {
- try {
-@@ -17,6 +18,7 @@ try {
- echo $e->getMessage()."\n";
- }
- }
-+echo "DONE\n";
- --EXPECTF--
- Error at offset 6 of 34 bytes
- Error at offset 46 of 89 bytes
-@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
- }
- }
- }
--
-+Error at offset 79 of 78 bytes
-+DONE
---
-1.9.3
-
Deleted |
CVE-2014-3981.patch
@@ -1,26 +0,0 @@
-From 91bcadd85e20e50d3f8c2e9721327681640e6f16 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Fri, 6 Jun 2014 14:16:04 +0200
-Subject: [PATCH] Fix bug #67390 insecure temporary file use in the configure
- script
-
----
- acinclude.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index 448659f..25f3655 100644
---- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -1711,7 +1711,7 @@ int main(int argc, char *argv[])
- {
- FILE *fp;
- long position;
-- char *filename = "/tmp/phpglibccheck";
-+ char *filename = tmpnam(NULL);
-
- fp = fopen(filename, "w");
- if (fp == NULL) {
---
-1.9.3
-