Changed |
php5.changes
Changed |
php5.spec
Added |
php-CVE-2015-2301.patch
@@ -0,0 +1,14 @@
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Fphar_object.c;h=712795b1a4f863cea7b0a224e3adf3caa42ab881;hp=3671054b816f267f63cdd951146eeb3ac0cd54eb;hb=b2cf3f064b8f5efef89bb084521b61318c71781b;hpb=4c5995b1729b100b00707ddf32d072355dcc3ae8
+
+--- ext/phar/phar_object.c
++++ ext/phar/phar_object.c
+@@ -2139,8 +2139,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
+ }
+ its_ok:
+ if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {
+- efree(oldpath);
+ zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);
++ efree(oldpath);
+ return NULL;
+ }
+ if (!phar->is_data) {
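Review bot: Moving `efree(oldpath)` below the `zend_throw_exception_ex` call is the whole fix, yet nothing in the hunk says why `oldpath` must still be alive while an exception that only names `newpath` is raised, so the next tidy-up is likely to hoist the free back above the throw; add `/* oldpath must outlive the throw: presumably newpath is derived from / aliases its storage — confirm against the caller */` on the kept line. The patch file itself carries only a bare-IP, plain-HTTP mirror URL (`http://72.52.91.13:8000/...`) with no Subject, bug id or author, unlike the 2305 and 2783 patches in this request; for a security backport record the canonical php-src commit (the `hb=b2cf3f06...` hash from the URL) so the change can be verified against upstream. phar_rename_archive's body continues outside the hunk.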
Added |
php-CVE-2015-2305.patch
@@ -0,0 +1,30 @@
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 18 Mar 2015 00:04:57 +0000 (-0700)
+Subject: Fix bug #69248 - heap overflow vulnerability in regcomp.c
+X-Git-Tag: php-5.4.39~2
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282
+
+Fix bug #69248 - heap overflow vulnerability in regcomp.c
+
+Merged from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
+---
+
+--- ext/ereg/regex/regcomp.c
++++ ext/ereg/regex/regcomp.c
+@@ -117,7 +117,15 @@ int cflags;
+ (NC-1)*sizeof(cat_t));
+ if (g == NULL)
+ return(REG_ESPACE);
+- p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
++ {
++ /* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */
++ size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
++ if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) {
++ free((char *) g);
++ return REG_INVARG;
++ }
++ p->ssize = new_ssize;
++ }
+ p->strip = (sop *)malloc(p->ssize * sizeof(sop));
+ p->slen = 0;
+ if (p->strip == NULL) {
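Review bot: The comment on the new guard, `/* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */`, names the advisory but not what the two conditions defend, so the `LONG_MAX` bound sitting in `size_t` arithmetic looks arbitrary; replace it with `/* new_ssize < len catches wraparound of the 3/2 scaling; the LONG_MAX bound keeps the malloc(p->ssize * sizeof(sop)) below from overflowing (VU#695940) */`. `LONG_MAX` requires `<limits.h>`, which this hunk does not add — presumably regcomp.c already includes it, worth confirming since the patch is applied to a different tree than it was written for. The enclosing function continues outside the hunk.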
Added |
php-CVE-2015-2783.patch
@@ -0,0 +1,158 @@
+From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 5 Apr 2015 15:07:36 -0700
+Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when
+ parsing Phar)
+
+---
+ ext/phar/phar.c | 65 ++++++++++++++++++++-----------------------
+ ext/phar/phar_internal.h | 2 +-
+ ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes
+ ext/phar/tests/bug69324.phpt | 17 +++++++++++
+ 4 files changed, 48 insertions(+), 36 deletions(-)
+ create mode 100644 ext/phar/tests/bug69324.phar
+ create mode 100644 ext/phar/tests/bug69324.phpt
+
+--- ext/phar/phar.c
++++ ext/phar/phar.c
+@@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
+ *
+ * data is the serialized zval
+ */
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */
+ {
+ const unsigned char *p;
+- php_uint32 buf_len;
+ php_unserialize_data_t var_hash;
+
+- if (!zip_metadata_len) {
+- PHAR_GET_32(*buffer, buf_len);
+- } else {
+- buf_len = zip_metadata_len;
+- }
+-
+- if (buf_len) {
++ if (zip_metadata_len) {
+ ALLOC_ZVAL(*metadata);
+ INIT_ZVAL(**metadata);
+ p = (const unsigned char*) *buffer;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+
+- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) {
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ zval_ptr_dtor(metadata);
+ *metadata = NULL;
+@@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR
+ if (PHAR_G(persist)) {
+ /* lazy init metadata */
+ zval_ptr_dtor(metadata);
+- *metadata = (zval *) pemalloc(buf_len, 1);
+- memcpy(*metadata, *buffer, buf_len);
+- *buffer += buf_len;
++ *metadata = (zval *) pemalloc(zip_metadata_len, 1);
++ memcpy(*metadata, *buffer, zip_metadata_len);
+ return SUCCESS;
+ }
+ } else {
+ *metadata = NULL;
+ }
+
+- if (!zip_metadata_len) {
+- *buffer += buf_len;
+- }
+-
+ return SUCCESS;
+ }
+ /* }}}*/
+@@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ phar_entry_info entry;
+ php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
+ php_uint16 manifest_ver;
++ php_uint32 len;
+ long offset;
+ int sig_len, register_alias = 0, temp_alias = 0;
+ char *signature = NULL;
+@@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ mydata->is_persistent = PHAR_G(persist);
+
+ /* check whether we have meta data, zero check works regardless of byte order */
++ PHAR_GET_32(buffer, len);
+ if (mydata->is_persistent) {
+- PHAR_GET_32(buffer, mydata->metadata_len);
+- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) {
+- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+- }
+- } else {
+- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) {
+- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++ mydata->metadata_len = len;
++ if(!len) {
++ /* FIXME: not sure why this is needed but removing it breaks tests */
++ PHAR_GET_32(buffer, len);
+ }
+ }
++ if(len > endbuffer - buffer) {
++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
++ }
++ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) {
++ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++ }
++ buffer += len;
+
+ /* set up our manifest */
+ zend_hash_init(&mydata->manifest, manifest_count,
+@@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (buffer + entry.filename_len + 20 > endbuffer) {
++ if (entry.filename_len + 20 > endbuffer - buffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.flags |= PHAR_ENT_PERM_DEF_DIR;
+ }
+
++ PHAR_GET_32(buffer, len);
+ if (entry.is_persistent) {
+- PHAR_GET_32(buffer, entry.metadata_len);
+- if (!entry.metadata_len) buffer -= 4;
+- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) {
+- pefree(entry.filename, entry.is_persistent);
+- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+- }
++ entry.metadata_len = len;
+ } else {
+- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) {
+- pefree(entry.filename, entry.is_persistent);
+- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+- }
++ entry.metadata_len = 0;
++ }
++ if (len > endbuffer - buffer) {
++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
++ }
++ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) {
++ pefree(entry.filename, entry.is_persistent);
++ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+ }
++ buffer += len;
+
+ entry.offset = entry.offset_abs = offset;
+ offset += entry.compressed_filesize;
+--- ext/phar/phar_internal.h
++++ ext/phar/phar_internal.h
+@@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len,
+ char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC);
+ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC);
+ phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC);
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC);
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC);
+ void destroy_phar_manifest_entry(void *pDest);
+ int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC);
+ php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC);
+--
+2.1.4
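Review bot: In the per-entry hunk (`@@ -1111,19 +1105,20 @@`) the new `if (len > endbuffer - buffer)` check fails via `MAPPHAR_FAIL` without releasing `entry.filename`, while the `phar_parse_metadata` failure path directly below it does `pefree(entry.filename, entry.is_persistent)` first, so every truncated-manifest rejection leaks the filename; add `pefree(entry.filename, entry.is_persistent);` before that `MAPPHAR_FAIL`. In the archive-metadata hunk the `/* FIXME: not sure why this is needed but removing it breaks tests */` block re-reads four bytes with `PHAR_GET_32(buffer, len)` with no check that `endbuffer - buffer >= 4`; the `len > endbuffer - buffer` test that follows runs after the read, so a manifest ending right after a zero metadata length is read past — guard it with `if (endbuffer - buffer < 4) MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest)");`. A FIXME admitting unknown semantics inside a hardening patch for a parser of untrusted input also deserves at least a pointer to the test that depends on it. Both phar_parse_pharfile hunks are excerpts of a function that starts and ends outside them.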
Added |
php-CVE-2015-2787.patch
@@ -0,0 +1,12 @@
+https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d
+--- ext/standard/var_unserializer.re
++++ ext/standard/var_unserializer.re
+@@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ sizeof data, NULL);
+ }
++ var_push_dtor(var_hash, &data);
+
+ zval_dtor(key);
+ FREE_ZVAL(key);
+
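Review bot: This patch's only provenance is a personal gist URL (`https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d`), with no upstream commit id, Subject, bug number or test, unlike the other patches in this request; a one-line `var_push_dtor(var_hash, &data);` is easy to place one statement off when rebased, so record the php-src commit it corresponds to (and carry its .phpt) so the backport can be checked against upstream. process_nested_data begins and ends outside the hunk, so whether this covers every `zend_hash_*_update` arm cannot be confirmed from here.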
Added |
php-CVE-2015-3329.patch
@@ -0,0 +1,21 @@
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Fphar_internal.h;h=84282d2a8fe8f3a7da67fa00d9f5dba48f4d8124;hp=fcfc86457d623350b93e88ab2438a07093bdde86;hb=f59b67ae50064560d7bfcdb0d6a8ab284179053c;hpb=45facd15fb1be704ee1ae374fa306dad8450edbd
+
+--- ext/phar/phar_internal.h
++++ ext/phar/phar_internal.h
+@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
+ {
+ char tmp[MAXPATHLEN];
+ int tmp_len;
++ size_t len;
+
+- tmp_len = entry->filename_len + entry->phar->fname_len;
+- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
+- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
++ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
++ len = MIN(entry->phar->fname_len, tmp_len);
++ memcpy(tmp, entry->phar->fname, len);
++ len = MIN(tmp_len - len, entry->filename_len);
++ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
+ entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
+ }
+ /* }}} */
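Review bot: The second `memcpy` writes at `tmp + entry->phar->fname_len` although the first copy only wrote the clamped `len`; when `fname_len` exceeds `MAXPATHLEN` the second length works out to zero so no byte is written, but the destination pointer is formed beyond the end of `tmp`, and reusing `len` for two different quantities hides that offset and first-length have diverged. Keep the clamped offset in its own variable and write at it, as below; the hash input is then exactly the `tmp_len` bytes written. phar_set_inode is fully visible in the hunk.
```c
	size_t len, off;

	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
	off = MIN(entry->phar->fname_len, tmp_len);  /* bytes of fname actually copied */
	memcpy(tmp, entry->phar->fname, off);
	len = MIN(tmp_len - off, entry->filename_len);
	memcpy(tmp + off, entry->filename, len);     /* continue where the first copy stopped */
	/* … unchanged: zend_get_hash_value(tmp, tmp_len) … */
```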
Added |
php-CVE-2015-4021.patch
@@ -0,0 +1,15 @@
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Ftar.c;h=d6d63e659905b8fd28860f83d953b773ae288b91;hp=ca8eafcc8a6607d58e217273ba4e352fb1b683e3;hb=c27f012b7a447e59d4a704688971cbfa7dddaa74;hpb=ac2832935435556dc593784cd0087b5e576bbe4d
+
+Index: ext/phar/tar.c
+===================================================================
+--- ext/phar/tar.c.orig 2015-05-22 10:18:13.999554887 +0200
++++ ext/phar/tar.c 2015-05-22 10:19:31.123560294 +0200
+@@ -425,7 +425,7 @@
+ entry.filename_len = i;
+ entry.filename = pestrndup(hdr->name, i, myphar->is_persistent);
+
+- if (entry.filename[entry.filename_len - 1] == '/') {
++ if (i > 0 && entry.filename[entry.filename_len - 1] == '/') {
+ /* some tar programs store directories with trailing slash */
+ entry.filename[entry.filename_len - 1] = '\0';
+ entry.filename_len--;
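Review bot: With `i > 0 &&` in front, a header whose name is empty (`i == 0`) no longer indexes `filename[-1]`, but it now proceeds as a manifest entry with a zero-length filename instead of being rejected; a tar member without a name is malformed, so it probably should fail the parse like other corrupt headers do — e.g. `if (i == 0) { pefree(entry.filename, myphar->is_persistent); /* fail as for a corrupt header */ }` — though how the manifest treats an empty key is outside this hunk and should be confirmed first. Minor style: the condition tests `i` on one side and `entry.filename_len` on the other although they hold the same value; `entry.filename_len > 0 && entry.filename[entry.filename_len - 1] == '/'` reads consistently. The enclosing loop continues outside the hunk.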
Added |
php-CVE-2015-4022.patch
@@ -0,0 +1,27 @@
+From ac2832935435556dc593784cd0087b5e576bbe4d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 29 Apr 2015 21:57:33 -0700
+Subject: [PATCH] Fix bug #69545 - avoid overflow when reading list
+
+--- ext/ftp/ftp.c
++++ ext/ftp/ftp.c
+@@ -1615,8 +1615,8 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ databuf_t *data = NULL;
+ char *ptr;
+ int ch, lastch;
+- int size, rcvd;
+- int lines;
++ size_t size, rcvd;
++ size_t lines;
+ char **ret = NULL;
+ char **entry;
+ char *text;
+@@ -1658,7 +1658,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ lines = 0;
+ lastch = 0;
+ while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) {
+- if (rcvd == -1) {
++ if (rcvd == -1 || rcvd > ((size_t)(-1))-size) {
+ goto bail;
+ }
+
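Review bot: `rcvd == -1` now compares a `size_t` with a negative `int` and only works because `my_recv`'s -1 is converted to `SIZE_MAX` when stored into `rcvd`; that is correct but relies on two implicit conversions the reader must reconstruct, so spell it out: `if (rcvd == (size_t)-1 || rcvd > (size_t)-1 - size) { /* recv error, or size would wrap */`. If `my_recv` can return any other negative value it would be stored as a huge count and pass the first test, and the second test only catches it once `size` is already large — worth confirming its contract. The new check bounds the running `size` only; the later allocation that combines `lines` and `size` is outside this hunk, and ftp_genlist continues beyond it.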
Added |
php-CVE-2015-4024.patch
@@ -0,0 +1,87 @@
+-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=main%2Frfc1867.c;h=9e2fbd52ebc79ee0ea895146c58fd49e9376b9c3;hp=fab199b543aa81534728ed31598aabe76fd463f0;hb=4605d536d23b00813d11cc906bb48d39bdcf5f25;hpb=c27f012b7a447e59d4a704688971cbfa7dddaa74
+
+Index: main/rfc1867.c
+===================================================================
+--- main/rfc1867.c.orig 2015-05-21 11:41:44.495109019 +0200
++++ main/rfc1867.c 2015-05-21 12:06:09.197189933 +0200
+@@ -33,6 +33,7 @@
+ #include "php_variables.h"
+ #include "rfc1867.h"
+ #include "ext/standard/php_string.h"
++#include "ext/standard/php_smart_str.h"
+
+ #define DEBUG_FILE_UPLOAD ZEND_DEBUG
+
+@@ -462,8 +463,9 @@
+ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC)
+ {
+ char *line;
+- mime_header_entry prev_entry, entry;
+- int prev_len, cur_len;
++ mime_header_entry entry = {0};
++ smart_str buf_value = {0};
++ char *key = NULL;
+
+ /* didn't find boundary, abort */
+ if (!find_boundary(self, self->boundary TSRMLS_CC)) {
+@@ -475,7 +477,6 @@
+ while( (line = get_line(self TSRMLS_CC)) && strlen(line) > 0 )
+ {
+ /* add header to table */
+- char *key = line;
+ char *value = NULL;
+
+ /* space in the beginning means same header */
+@@ -484,31 +485,33 @@
+ }
+
+ if (value) {
+- *value = 0;
+- do { value++; } while(isspace(*value));
+-
+- entry.value = estrdup(value);
+- entry.key = estrdup(key);
+-
+- } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
+-
+- prev_len = strlen(prev_entry.value);
+- cur_len = strlen(line);
++ if(buf_value.c && key) {
++ /* new entry, add the old one to the list */
++ smart_str_0(&buf_value);
++ entry.key = key;
++ entry.value = buf_value.c;
++ zend_llist_add_element(header, &entry);
++ buf_value.c = NULL;
++ key = NULL;
++ }
+
+- entry.value = emalloc(prev_len + cur_len + 1);
+- memcpy(entry.value, prev_entry.value, prev_len);
+- memcpy(entry.value + prev_len, line, cur_len);
+- entry.value[cur_len + prev_len] = '\0';
+-
+- entry.key = estrdup(prev_entry.key);
++ *value = '\0';
++ do { value++; } while(isspace(*value));
+
+- zend_llist_remove_tail(header);
++ key = estrdup(line);
++ smart_str_appends(&buf_value, value);
++ } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
++ smart_str_appends(&buf_value, line);
+ } else {
+ continue;
+ }
+-
++ }
++ if(buf_value.c && key) {
++ /* add the last one to the list */
++ smart_str_0(&buf_value);
++ entry.key = key;
++ entry.value = buf_value.c;
+ zend_llist_add_element(header, &entry);
+- prev_entry = entry;
+ }
+
+ return 1;
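Review bot: The "flush the pending header" sequence — `smart_str_0`, assign `entry.key`/`entry.value`, `zend_llist_add_element`, reset `key` and `buf_value.c` — is written twice, once inside the `if (value)` branch and once after the loop, and the second copy omits the reset; factor it into one static helper so the two paths cannot drift and so any future early exit has a single place to release `key` and `buf_value`. Ownership also deserves a comment, since only the `{0}` initialisers hint that `key` and `buf_value.c` are handed to the list entry rather than freed here. The function is visible through its `return 1`, but the `value = strchr(...)` lookup at the top of the loop is only partly shown.
```c
/* Hand the pending header (if any) to the list. Ownership of *key and
 * buf_value->c passes to the list entry; both accumulators are reset. */
static void multipart_header_flush(zend_llist *header, char **key, smart_str *buf_value)
{
	mime_header_entry entry = {0};

	if (!buf_value->c || !*key) {
		return;
	}
	smart_str_0(buf_value);
	entry.key = *key;
	entry.value = buf_value->c;
	zend_llist_add_element(header, &entry);
	buf_value->c = NULL;
	*key = NULL;
}

/* … unchanged: multipart_buffer_headers up to the header loop … */
		if (value) {
			multipart_header_flush(header, &key, &buf_value);
			/* … unchanged: cut at ':', skip whitespace, key = estrdup(line), append value … */
		}
		/* … unchanged: continuation-line and continue branches … */
	}
	multipart_header_flush(header, &key, &buf_value);
```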
Added |
php-CVE-2015-4026.patch
@@ -0,0 +1,15 @@
+Index: ext/pcntl/pcntl.c
+===================================================================
+--- ext/pcntl/pcntl.c.orig 2012-09-12 23:27:16.000000000 +0200
++++ ext/pcntl/pcntl.c 2015-05-21 17:35:31.954895720 +0200
+@@ -758,6 +758,10 @@
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|aa", &path, &path_len, &args, &envs) == FAILURE) {
+ return;
+ }
++ if (strlen(path) != path_len) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "pcntl_exec() expects parameter 1 to be a valid path");
++ return;
++ }
+
+ if (ZEND_NUM_ARGS() > 1) {
+ /* Build argument list */
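Review bot: The embedded-NUL check covers only `path`; the optional `args` and `envs` arrays parsed on the same `zend_parse_parameters` line are turned into C strings where the `/* Build argument list */` block begins at the hunk's end, and a PHP string containing a NUL there is silently cut at the NUL in the same way, so consider the same `strlen(...) != len` test when those elements are converted, or a comment stating why argv/envp truncation is acceptable where path truncation is not. A one-line `/* reject embedded NULs: the C path would be silently truncated at the first one */` above the new `if` would also record the intent. The bare `return` mirrors the parse-failure path above it, so it is consistent with the existing style. pcntl_exec continues outside the hunk.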