-rw-r--r--bug72627.patch34
-rw-r--r--bug72926.patch29
-rw-r--r--bug72928.patch92
-rw-r--r--bug73035.patch32
-rw-r--r--failed.txt2
-rw-r--r--php54.spec38
6 files changed, 215 insertions, 12 deletions
diff --git a/bug72627.patch b/bug72627.patch
new file mode 100644
index 0000000..410e40e
--- /dev/null
+++ b/bug72627.patch
@@ -0,0 +1,34 @@
+Backported from 5.6.25 by Remi.
+Binary patch dropped
+
+From 32a629ef2cff754c3dd6cc24eb1e25aeaf439891 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 8 Aug 2016 00:49:34 -0700
+Subject: [PATCH] Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
+
+---
+ ext/exif/exif.c | 5 ++-
+ ext/exif/tests/bug72627.phpt | 71 +++++++++++++++++++++++++++++++++++++++++++
+ ext/exif/tests/bug72627.tiff | Bin 0 -> 1250 bytes
+ 3 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug72627.phpt
+ create mode 100644 ext/exif/tests/bug72627.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f95de3a..657a2cc1 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3778,8 +3778,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done");
+
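Review bot: After the added `efree(ImageInfo->Thumbnail.data);` and `ImageInfo->Thumbnail.data = NULL;` in the short-read branch, `ImageInfo->Thumbnail.size` still holds the length taken from the file, so the struct describes a non-empty thumbnail with no buffer behind it. Any consumer outside this hunk that tests only `Thumbnail.size` would then be handed a NULL pointer; that is not visible here and should be confirmed, or ruled out by adding `ImageInfo->Thumbnail.size = 0;` next to the NULL assignment. The same applies to the identical change in bug72926.patch (the hunk at -3744). Since the free/reset/else sequence now exists twice in exif_process_IFD_in_TIFF, a small static helper would keep the two sites from drifting; the function body continues outside both hunks.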
diff --git a/bug72926.patch b/bug72926.patch
new file mode 100644
index 0000000..044ed2b
--- /dev/null
+++ b/bug72926.patch
@@ -0,0 +1,29 @@
+Backported from 5.6.26 by Remi.
+
+
+From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 20:49:34 -0700
+Subject: [PATCH] Same issue as #72926 in another place.
+
+---
+ ext/exif/exif.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 657a2cc1..8b0e34c 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ }
+ }
diff --git a/bug72928.patch b/bug72928.patch
new file mode 100644
index 0000000..67701a6
--- /dev/null
+++ b/bug72928.patch
@@ -0,0 +1,92 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 22:07:35 -0700
+Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip
+ phar in phar_parse_zipfile
+
+---
+ ext/phar/tests/bug72928.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug72928.zip | Bin 0 -> 140 bytes
+ ext/phar/util.c | 28 ++++++++++++++++++++++++++++
+ ext/phar/zip.c | 2 +-
+ 4 files changed, 47 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug72928.phpt
+ create mode 100644 ext/phar/tests/bug72928.zip
+
+diff --git a/ext/phar/util.c b/ext/phar/util.c
+index 4bbd867..828be8f 100644
+--- a/ext/phar/util.c
++++ b/ext/phar/util.c
+@@ -1928,6 +1928,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[64];
+ PHP_SHA512_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA512Init(&context);
+ read_len = end_of_phar;
+
+@@ -1961,6 +1968,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[32];
+ PHP_SHA256_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA256Init(&context);
+ read_len = end_of_phar;
+
+@@ -2002,6 +2016,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[20];
+ PHP_SHA1_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA1Init(&context);
+ read_len = end_of_phar;
+
+@@ -2035,6 +2056,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[16];
+ PHP_MD5_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_MD5Init(&context);
+ read_len = end_of_phar;
+
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index bf895e7..ed156a2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
+ sig = (char *) emalloc(entry.uncompressed_filesize);
+ read = php_stream_read(fp, sig, entry.uncompressed_filesize);
+- if (read != entry.uncompressed_filesize) {
++ if (read != entry.uncompressed_filesize || read <= 8) {
+ php_stream_close(sigfile);
+ efree(sig);
+ PHAR_ZIP_FAIL("signature cannot be read");
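Review bot: The added `if (sig_len < sizeof(digest))` guards in phar_verify_signature are lower bounds only, so a signature blob longer than the digest still passes and its trailing bytes are presumably ignored by the comparison that follows outside these hunks. If the archive format never carries extra bytes after the digest, `if (sig_len != sizeof(digest))` would be the tighter check; that needs confirming against the zip and tar callers before changing. The six-line block is also pasted verbatim into the SHA-512, SHA-256, SHA-1 and MD5 branches, so a one-line comment such as `/* sig_len comes from the archive; never compare more bytes than it supplied */` on each would tell a maintainer why a new digest branch needs the same guard. Any signature type handled outside these four hunks is not visible here and should be checked for the same gap.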
diff --git a/bug73035.patch b/bug73035.patch
new file mode 100644
index 0000000..231fd99
--- /dev/null
+++ b/bug73035.patch
@@ -0,0 +1,32 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Sep 2016 21:37:44 -0700
+Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar
+ phar in phar_parse_tarfile)
+
+---
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug73035.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug73035.tar | Bin 0 -> 10240 bytes
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug73035.phpt
+ create mode 100644 ext/phar/tests/bug73035.tar
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 62edcb5..898ff85 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -277,7 +277,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
+ }
+ curloc = php_stream_tell(fp);
+ read = php_stream_read(fp, buf, size);
+- if (read != size) {
++ if (read != size || read <= 8) {
+ if (error) {
+ spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname);
+ }
+
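Review bot: The literal `8` in `read <= 8` is unexplained here and in the matching zip.c change (`read != entry.uncompressed_filesize || read <= 8` in bug72928.patch); presumably it is the size of the header that precedes the digest bytes, but nothing in either hunk says so. A comment such as `/* signature entry = 8-byte header + digest; reject entries with no digest bytes */` (wording to be confirmed against the format) or a shared named constant would make the bound reviewable. The test could also be applied to `size` before `php_stream_read`, so an undersized entry is rejected without reading it. Both cases fall through to the existing "signature cannot be read" message, which makes a malformed archive indistinguishable from an I/O failure in logs. phar_parse_tarfile's body continues outside the hunk.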
diff --git a/failed.txt b/failed.txt
index 20cd299..6ebfc97 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 5.5.45-11 (2016-07-22)
+===== 5.5.45-12 (2016-09-19)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
diff --git a/php54.spec b/php54.spec
index 582c8fb..6c5844b 100644
--- a/php54.spec
+++ b/php54.spec
@@ -98,7 +98,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.4.45
-Release: 11%{?dist}.1
+Release: 12%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -214,6 +214,10 @@ Patch253: bug72613.patch
Patch254: bug72618.patch
Patch255: bug72519.patch
Patch256: bug72735.patch
+Patch257: bug72627.patch
+Patch258: bug72926.patch
+Patch259: bug73035.patch
+Patch260: bug72928.patch
# Fixes for tests
# no_NO issue
@@ -978,6 +982,10 @@ rm -f ext/json/utf8_to_utf16.*
%patch254 -p1 -b .bug72618
%patch255 -p1 -b .bug72519
%patch256 -p1 -b .bug72735
+%patch257 -p1 -b .bug72627
+%patch258 -p1 -b .bug72926
+%patch259 -p1 -b .bug73035
+%patch260 -p1 -b .bug72928
# Fixes for tests
%patch301 -p1 -b .datetests2
@@ -1638,17 +1646,18 @@ rm -f README.{Zeus,QNX,CVS-RULES}
cat << EOF
==========================================================================
-WARNING : PHP 5.4 have reached its "End of Life".
-Even, if this package includes some security fix, backported from 5.5,
-The upgrade to a maintained version is very strongly recommended.
+ WARNING : PHP 5.4 have reached its "End of Life" in September 2015.
+ Even, if this package includes some of the important security fix,
+ backported from 5.5 or 5.6,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
-WARNING : These php-* RPMs are not official Fedora / Red Hat build and
-overrides the official ones. Don't file bugs on Fedora Project nor Red Hat.
+ WARNING : These php-* RPMs are not official Fedora / Red Hat build and
+ overrides the official ones. Don't file bugs on Fedora Project nor Red Hat.
-Use dedicated forum at http://forum.remirepo.net/
-%if %{?fedora}%{!?fedora:99} < 21
-WARNING : Fedora %{fedora} is now EOL :
-You should consider upgrading to a supported release
+ Use dedicated forum at http://forum.remirepo.net/
+%if %{?fedora}%{!?fedora:99} < 23
+ WARNING : Fedora %{fedora} is now EOL :
+ You should consider upgrading to a supported release
%endif
==========================================================================
EOF
@@ -1867,7 +1876,14 @@ fi
%changelog
-* Fri Aug 5 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11.1
+* Mon Sep 19 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-12
+- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
+ CVE-2016-7128
+- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage
+ in exif_process_IFD_in_TIFF
+- fix #73035: Out of bound when verify signature of tar phar
+- fix #72928: Out of bound when verify signature of zip phar
+ CVE-2016-7414
- fix #72735 regression in exif maker note parser
* Fri Jul 22 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11