Changes - j0ke.net Open Build Service

Changes of Revision 5

[-] [+]	Changed	php.changes
@@ -1,4 +1,14 @@ ------------------------------------------------------------------- +Fri Jun 27 21:22:13 UTC 2014 - cs@linux-administrator.com + +- added CVE-2014-0207.patch +- added CVE-2014-3478.patch +- added CVE-2014-3479.patch +- added CVE-2014-3480.patch +- added CVE-2014-3487.patch +- added CVE-2014-3981.patch + +------------------------------------------------------------------- Fri May 2 20:42:49 UTC 2014 - cs@linux-administrator.com - added CVE-2014-0185.patch
[-] [+]	Changed	php.spec ^
@@ -128,6 +128,12 @@ Patch150: CVE-2014-0185.patch Patch151: CVE-2014-0237.patch Patch152: CVE-2014-0238.patch +Patch153: CVE-2014-0207.patch +Patch154: CVE-2014-3478.patch +Patch155: CVE-2014-3479.patch +Patch156: CVE-2014-3480.patch +Patch157: CVE-2014-3487.patch +Patch158: CVE-2014-3981.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -747,6 +753,12 @@ %patch150 -p1 %patch151 -p1 %patch152 -p1 +%patch153 -p1 +%patch154 -p1 +%patch155 -p1 +%patch156 -p1 +%patch157 -p1 +%patch158 -p1 # Prevent %%doc confusion over LICENSE files cp Zend/LICENSE Zend/ZEND_LICENSE
[-] [+]	Added	CVE-2014-0207.patch ^
@@ -0,0 +1,32 @@ +From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 3 Jun 2014 11:05:00 +0200 +Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient + boundary check + +Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch +Only revelant part applied +--- + ext/fileinfo/libmagic/cdf.c \| 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c +index 4712e84..16649f1 100644 +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t sst, void buf, size_t offs, + size_t ss = CDF_SHORT_SEC_SIZE(h); + size_t pos = CDF_SHORT_SEC_POS(h, id); + assert(ss == len); +- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { ++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { + DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" + SIZE_T_FORMAT "u\n", +- pos, CDF_SEC_SIZE(h) * sst->sst_len)); ++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len)); + return -1; + } + (void)memcpy(((char *)buf) + offs, +-- +1.9.3 +
[-] [+]	Added	CVE-2014-3478.patch ^
@@ -0,0 +1,41 @@ +From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 10 Jun 2014 14:02:36 +0200 +Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of + truncated pascal string size + +Upstream +https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08 +--- + ext/fileinfo/libmagic/softmagic.c \| 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 21fea6b..01e4977 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -881,10 +881,18 @@ mconvert(struct magic_set ms, struct magic m, int flip) + return 1; + } + case FILE_PSTRING: { +- char ptr1 = p->s, ptr2 = ptr1 + file_pstring_length_size(m); ++ size_t sz = file_pstring_length_size(m); ++ char ptr1 = p->s, ptr2 = ptr1 + sz; + size_t len = file_pstring_get_length(m, ptr1); +- if (len >= sizeof(p->s)) +- len = sizeof(p->s) - 1; ++ if (len >= sizeof(p->s)) { ++ /* ++ * The size of the pascal string length (sz) ++ * is 1, 2, or 4. We need at least 1 byte for NUL ++ * termination, but we've already truncated the ++ * string by p->s, so we need to deduct sz. ++ / ++ len = sizeof(p->s) - sz; ++ } + while (len--) + ptr1++ = ptr2++; + ptr1 = '\0'; +-- +1.9.3 +
[-] [+]	Added	CVE-2014-3479.patch ^
@@ -0,0 +1,20 @@ +--- php-5.3.28/ext/fileinfo/libmagic/cdf.c.orig 2014-06-27 22:20:14.827472051 +0200 ++++ php-5.3.28/ext/fileinfo/libmagic/cdf.c 2014-06-27 22:26:26.350829626 +0200 +@@ -277,13 +277,15 @@ + { + const char b = (const char )sst->sst_tab; + const char e = ((const char )p) + tail; ++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ? ++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h); + (void)&line; +- if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len) ++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len) + return 0; + DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u" + " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" + SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), +- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); ++ ss * sst->sst_len, ss, sst->sst_len)); + errno = EFTYPE; + return -1; + }
[-] [+]	Added	CVE-2014-3480.patch ^
@@ -0,0 +1,40 @@ +From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 10 Jun 2014 14:22:04 +0200 +Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient + boundary check + +Upstream: +https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382 +--- + ext/fileinfo/libmagic/cdf.c \| 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c +index c9a5d50..ee467a6 100644 +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -470,7 +470,8 @@ size_t + cdf_count_chain(const cdf_sat_t sat, cdf_secid_t sid, size_t size) + { + size_t i, j; +- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len size); ++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size) ++ / sizeof(maxsector)); + + DPRINTF(("Chain:")); + for (j = i = 0; sid >= 0; i++, j++) { +@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) + errno = EFTYPE; + return (size_t)-1; + } +- if (sid > maxsector) { +- DPRINTF(("Sector %d > %d\n", sid, maxsector)); ++ if (sid >= maxsector) { ++ DPRINTF(("Sector %d >= %d\n", sid, maxsector)); + errno = EFTYPE; + return (size_t)-1; + } +-- +1.9.3 +
[-] [+]	Added	CVE-2014-3487.patch ^
@@ -0,0 +1,34 @@ +From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 10 Jun 2014 14:33:37 +0200 +Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info + insufficient boundary chec + +Upstream: +https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d + +Adapted for C standard. +--- + ext/fileinfo/libmagic/cdf.c \| 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c +index ee467a6..429f3b9 100644 +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t sst, const cdf_header_t h, + if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) + goto out; + for (i = 0; i < sh.sh_properties; i++) { +- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); ++ size_t ofs, tail = (i << 1) + 1; ++ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), ++ __LINE__) == -1) ++ goto out; ++ ofs = CDF_GETUINT32(p, tail); + q = (const uint8_t )(const void ) + ((const char )(const void )p + ofs + - 2 * sizeof(uint32_t)); +-- +1.9.3 +
[-] [+]	Added	CVE-2014-3981.patch ^
@@ -0,0 +1,26 @@ +From 91bcadd85e20e50d3f8c2e9721327681640e6f16 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Fri, 6 Jun 2014 14:16:04 +0200 +Subject: [PATCH] Fix bug #67390 insecure temporary file use in the configure + script + +--- + acinclude.m4 \| 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/acinclude.m4 b/acinclude.m4 +index 448659f..25f3655 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -1711,7 +1711,7 @@ int main(int argc, char argv[]) + { + FILE fp; + long position; +- char filename = "/tmp/phpglibccheck"; ++ char filename = tmpnam(NULL); + + fp = fopen(filename, "w"); + if (fp == NULL) { +-- +1.9.3 +