PHP 5.4.45 with security patches from 5.5.31

7 files changed, 338 insertions, 2 deletions

diff --git a/bug70661.patch b/bug70661.patch
new file mode 100644
index 0000000..90eae74
--- /dev/null
+++ b/bug70661.patch
@@ -0,0 +1,104 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From dcf3c9761c31e12011ba202f30caff53aae2056c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Dec 2015 14:46:35 -0800
+Subject: [PATCH] Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet
+ Deserialization)
+
+---
+ NEWS                         |  2 ++
+ ext/wddx/tests/bug70661.phpt | 69 ++++++++++++++++++++++++++++++++++++++++++++
+ ext/wddx/wddx.c              |  2 +-
+ 3 files changed, 72 insertions(+), 1 deletion(-)
+ create mode 100644 ext/wddx/tests/bug70661.phpt
+
+diff --git a/ext/wddx/tests/bug70661.phpt b/ext/wddx/tests/bug70661.phpt
+new file mode 100644
+index 0000000..e068c20
+--- /dev/null
++++ b/ext/wddx/tests/bug70661.phpt
+@@ -0,0 +1,69 @@
++--TEST--
++Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
++--SKIPIF--
++<?php
++if (!extension_loaded("wddx")) print "skip";
++?>
++--FILE--
++<?php
++$fakezval = ptr2str(1122334455);
++$fakezval .= ptr2str(0);
++$fakezval .= "\x00\x00\x00\x00";
++$fakezval .= "\x01";
++$fakezval .= "\x00";
++$fakezval .= "\x00\x00";
++
++$x = <<<EOT
++<?xml version='1.0'?>
++<wddxPacket version='1.0'>
++<header/>
++	<data>
++		<struct>
++			<recordset rowCount='1' fieldNames='ryat'>
++				<field name='ryat'>
++					<var name='php_class_name'>
++						<string>stdClass</string>
++					</var>
++					<null/>
++				</field>
++			</recordset>
++		</struct>	
++	</data>
++</wddxPacket>
++EOT;
++
++$y = wddx_deserialize($x);
++
++for ($i = 0; $i < 5; $i++) {
++	$v[$i] = $fakezval.$i;
++}
++
++var_dump($y);
++
++function ptr2str($ptr)
++{
++	$out = '';
++	
++	for ($i = 0; $i < 8; $i++) {
++		$out .= chr($ptr & 0xff);
++		$ptr >>= 8;
++	}
++	
++	return $out;
++}
++?>
++DONE
++--EXPECTF--
++array(1) {
++  [0]=>
++  array(1) {
++    ["ryat"]=>
++    array(2) {
++      ["php_class_name"]=>
++      string(8) "stdClass"
++      [0]=>
++      NULL
++    }
++  }
++}
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 8017620..b9dd1fa 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -978,7 +978,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+ 
+ 				if (ent1->varname) {
+ 					if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
+-						Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
++						Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) {
+ 						zend_bool incomplete_class = 0;
+ 
+ 						zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
diff --git a/bug70728.patch b/bug70728.patch
new file mode 100644
index 0000000..788eb34
--- /dev/null
+++ b/bug70728.patch
@@ -0,0 +1,80 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 4df84a648ec62b17bd8f8359452f8defd1026167 Mon Sep 17 00:00:00 2001
+From: Julien Pauli <jpauli@php.net>
+Date: Tue, 22 Dec 2015 14:28:19 +0100
+Subject: [PATCH] Fixed #70728
+
+---
+ ext/xmlrpc/tests/bug70728.phpt | 30 ++++++++++++++++++++++++++++++
+ ext/xmlrpc/xmlrpc-epi-php.c    | 13 +++++++++++--
+ 2 files changed, 41 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug70728.phpt
+
+diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
+new file mode 100644
+index 0000000..5510c33
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug70728.phpt
+@@ -0,0 +1,30 @@
++--TEST--
++Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++$obj = new stdClass;
++$obj->xmlrpc_type = 'base64';
++$obj->scalar = 0x1122334455;
++var_dump(xmlrpc_encode($obj));
++var_dump($obj);
++?>
++--EXPECTF--	
++string(135) "<?xml version="1.0" encoding="utf-8"?>
++<params>
++<param>
++ <value>
++  <base64>NzM1ODgyMjkyMDU=&#10;</base64>
++ </value>
++</param>
++</params>
++"
++object(stdClass)#1 (2) {
++  ["xmlrpc_type"]=>
++  string(6) "base64"
++  ["scalar"]=>
++  int(73588229205)
++}
+diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
+index 613892c..6c76434 100644
+--- a/ext/xmlrpc/xmlrpc-epi-php.c
++++ b/ext/xmlrpc/xmlrpc-epi-php.c
+@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
+ 						xReturn = XMLRPC_CreateValueEmpty();
+ 						XMLRPC_SetValueID(xReturn, key, 0);
+ 					} else {
+-						xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++						if (Z_TYPE_P(val) != IS_STRING) {
++							zval *newvalue;
++							ALLOC_INIT_ZVAL(newvalue);
++							MAKE_COPY_ZVAL(&val, newvalue);
++							convert_to_string(newvalue);
++							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
++							zval_ptr_dtor(&newvalue);
++						} else {
++							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++						}
+ 					}
+ 					break;
+ 				case xmlrpc_datetime:
+@@ -1452,7 +1461,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
+ 		if (newvalue) {
+ 			zval** val;
+ 
+-			if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
++			if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
+ 				if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
+ 					*newvalue = *val;
+ 				}
diff --git a/bug70741.patch b/bug70741.patch
new file mode 100644
index 0000000..1704bfb
--- /dev/null
+++ b/bug70741.patch
@@ -0,0 +1,64 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 1785d2b805f64eaaacf98c14c9e13107bf085ab1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Dec 2015 12:42:44 -0800
+Subject: [PATCH] Fixed bug #70741: Session WDDX Packet Deserialization Type
+ Confusion Vulnerability
+
+---
+ NEWS                         |   4 ++
+ ext/wddx/tests/bug70741.phpt |  26 ++++++++
+ ext/wddx/wddx.c              | 139 ++++++++++++++++++++++---------------------
+ 3 files changed, 101 insertions(+), 68 deletions(-)
+ create mode 100644 ext/wddx/tests/bug70741.phpt
+
+diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt
+new file mode 100644
+index 0000000..9c7e09b
+--- /dev/null
++++ b/ext/wddx/tests/bug70741.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
++--SKIPIF--
++<?php
++if (!extension_loaded("wddx")) print "skip";
++?>
++--FILE--
++<?php
++ini_set('session.serialize_handler', 'wddx');
++session_start();
++
++$hashtable = str_repeat('A', 66);
++$wddx = "<?xml version='1.0'?>
++<wddxPacket version='1.0'>
++<header/>
++	<data>
++		<string>$hashtable</string>
++	</data>
++</wddxPacket>";
++session_decode($wddx);
++?>
++DONE
++--EXPECTF--
++
++Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 45beaece..8017620 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -308,7 +308,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx)
+ 	MAKE_STD_ZVAL(retval);
+ 
+ 	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
+-
++		if (Z_TYPE_P(retval) != IS_ARRAY) {
++			zval_ptr_dtor(&retval);
++			return FAILURE;
++		}
+ 		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
+ 			 zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
+ 			 zend_hash_move_forward(Z_ARRVAL_P(retval))) {
diff --git a/bug70755.patch b/bug70755.patch
new file mode 100644
index 0000000..1090b87
--- /dev/null
+++ b/bug70755.patch
@@ -0,0 +1,28 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From be19dbcb84fea0001e53cea2732c00de7ae6c371 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 8 Dec 2015 00:10:07 -0800
+Subject: [PATCH] Fixed bug #70755: fpm_log.c memory leak and buffer overflow
+
+---
+ NEWS                   | 3 +++
+ sapi/fpm/fpm/fpm_log.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c
+index b0bf32a..187fe9b 100644
+--- a/sapi/fpm/fpm/fpm_log.c
++++ b/sapi/fpm/fpm/fpm_log.c
+@@ -446,6 +446,11 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
+ 				b += len2;
+ 				len += len2;
+ 			}
++			if (len >= FPM_LOG_BUFFER) {
++				zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
++				len = FPM_LOG_BUFFER;
++				break;
++			}
+ 			continue;
+ 		}
+ 
diff --git a/failed.txt b/failed.txt
index 4506fc3..c48c430 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 5.5.45
+===== 5.5.45-3 (2016-01-06)
 
 $ grep -r 'Tests failed' /var/lib/mock/*/build.log
 
diff --git a/php-5.4.45-curltls.patch b/php-5.4.45-curltls.patch
new file mode 100644
index 0000000..8643e2b
--- /dev/null
+++ b/php-5.4.45-curltls.patch
@@ -0,0 +1,38 @@
+Backport from PHP 5.5.0 and 5.5.19
+
+Adapted from:
+
+From e69f987948982d4259a574ca824398c26153bf42 Mon Sep 17 00:00:00 2001
+From: Pierrick Charron <pierrick@php.net>
+Date: Thu, 1 Dec 2011 21:48:07 +0000
+Subject: [PATCH] Clean / Improve the curl extension # NEWS file will come soon
+
+From 2b5bffe6c70bc00ebe57390f48ef7569e401d2d3 Mon Sep 17 00:00:00 2001
+From: Rasmus Lerdorf <rasmus@php.net>
+Date: Thu, 16 Oct 2014 21:25:29 -0700
+Subject: [PATCH] TLS 1.0, 1.1 and 1.2 Curl constants - bug #68247
+
+Macro available in upstream curl > 7.34
+Macro available since curl-7.19.7-43.el6 see https://bugzilla.redhat.com/1012136
+
+
+diff -up a/ext/curl/interface.c.old b/ext/curl/interface.c
+--- a/ext/curl/interface.c.old	2015-12-14 11:29:34.591570003 +0100
++++ b/ext/curl/interface.c	2015-12-14 11:38:42.366016986 +0100
+@@ -601,6 +601,16 @@ PHP_MINIT_FUNCTION(curl)
+ 	REGISTER_CURL_CONSTANT(CURLOPT_SSL_VERIFYHOST);
+ 	REGISTER_CURL_CONSTANT(CURLOPT_COOKIEFILE);
+ 	REGISTER_CURL_CONSTANT(CURLOPT_SSLVERSION);
++
++        /* Curl SSL Version constants (CURLOPT_SSLVERSION) */
++	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_DEFAULT);
++	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv2);
++	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv3);
++	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1);
++	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0);
++	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1);
++	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2);
++
+ 	REGISTER_CURL_CONSTANT(CURLOPT_TIMECONDITION);
+ 	REGISTER_CURL_CONSTANT(CURLOPT_TIMEVALUE);
+ 	REGISTER_CURL_CONSTANT(CURLOPT_CUSTOMREQUEST);
diff --git a/php54.spec b/php54.spec
index 28ac867..c7c0d94 100644
--- a/php54.spec
+++ b/php54.spec
@@ -98,7 +98,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.4.45
-Release: 2%{?dist}
+Release: 3%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -146,6 +146,8 @@ Patch45: php-5.4.8-ldap_r.patch
 Patch46: php-5.4.9-fixheader.patch
 # drop "Configure command" from phpinfo output
 Patch47: php-5.4.9-phpinfo.patch
+# Add CURL_SSLVERSION_* constant
+Patch49: php-5.4.45-curltls.patch
 
 # Upstream fixes
 # Backported from 5.5.18 for https://bugs.php.net/65641
@@ -156,6 +158,10 @@ Patch102: php-5.4.39-bug50444.patch
 # Security fixes
 Patch200: bug69720.patch
 Patch201: bug70433.patch
+Patch202: bug70755.patch
+Patch203: bug70728.patch
+Patch204: bug70741.patch
+Patch205: bug70661.patch
 
 # Fixes for tests
 # no_NO issue
@@ -433,7 +439,11 @@ Provides: php_database
 Provides: php-mysqli = %{version}-%{release}
 Provides: php-mysqli%{?_isa} = %{version}-%{release}
 Provides: php-pdo_mysql, php-pdo_mysql%{?_isa}
+%if 0%{?fedora}
+BuildRequires: mariadb-devel >= 4.1.0
+%else
 BuildRequires: mysql-devel >= 4.1.0
+%endif
 Conflicts: php-mysqlnd
 Obsoletes: php53-mysql, php53u-mysql, php54-mysql, php54w-mysql
 
@@ -850,6 +860,7 @@ rm -f ext/json/utf8_to_utf16.*
 %endif
 %patch46 -p1 -b .fixheader
 %patch47 -p1 -b .phpinfo
+%patch49 -p1 -b .curltls
 
 %patch91 -p1 -b .remi-oci8
 
@@ -860,6 +871,10 @@ rm -f ext/json/utf8_to_utf16.*
 # security patches
 %patch200 -p1 -b .bug69720
 %patch201 -p1 -b .bug70433
+%patch202 -p1 -b .bug70755
+%patch203 -p1 -b .bug70728
+%patch204 -p1 -b .bug70741
+%patch205 -p1 -b .bug70661
 
 # Fixes for tests
 %patch301 -p1 -b .datetests2
@@ -1749,6 +1764,13 @@ fi
 
 
 %changelog
+* Wed Jan  6 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-3
+- Fix #70755: fpm_log.c memory leak and buffer overflow
+- Fix #70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker
+- Fix #70741: Session WDDX Packet Deserialization Type
+- Fix #70661: Use After Free Vulnerability in WDDX Packet Deserialization
+- curl: add CURL_SSLVERSION_TLSv1_x constants
+
 * Wed Sep 30 2015 Remi Collet <remi@fedoraproject.org> 5.4.45-2
 - Fix bug #70433 - Uninitialized pointer in phar_make_dirstream
   when zip entry filename is "/"