From 08069d1e5b43644dc9cac9bd4d645304320cc0d0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 6 Jan 2016 17:23:22 +0100 Subject: PHP 5.4.45 with security patches from 5.5.31 --- bug70661.patch | 104 +++++++++++++++++++++++++++++++++++++++++++++++ bug70728.patch | 80 ++++++++++++++++++++++++++++++++++++ bug70741.patch | 64 +++++++++++++++++++++++++++++ bug70755.patch | 28 +++++++++++++ failed.txt | 2 +- php-5.4.45-curltls.patch | 38 +++++++++++++++++ php54.spec | 24 ++++++++++- 7 files changed, 338 insertions(+), 2 deletions(-) create mode 100644 bug70661.patch create mode 100644 bug70728.patch create mode 100644 bug70741.patch create mode 100644 bug70755.patch create mode 100644 php-5.4.45-curltls.patch diff --git a/bug70661.patch b/bug70661.patch new file mode 100644 index 0000000..90eae74 --- /dev/null +++ b/bug70661.patch @@ -0,0 +1,104 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From dcf3c9761c31e12011ba202f30caff53aae2056c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 28 Dec 2015 14:46:35 -0800 +Subject: [PATCH] Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet + Deserialization) + +--- + NEWS | 2 ++ + ext/wddx/tests/bug70661.phpt | 69 ++++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 2 +- + 3 files changed, 72 insertions(+), 1 deletion(-) + create mode 100644 ext/wddx/tests/bug70661.phpt + +diff --git a/ext/wddx/tests/bug70661.phpt b/ext/wddx/tests/bug70661.phpt +new file mode 100644 +index 0000000..e068c20 +--- /dev/null ++++ b/ext/wddx/tests/bug70661.phpt +@@ -0,0 +1,69 @@ ++--TEST-- ++Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization) ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++
++ ++ ++ ++ ++ ++ stdClass ++ ++ ++ ++ ++ ++ ++ ++EOT; ++ ++$y = wddx_deserialize($x); ++ ++for ($i = 0; $i < 5; $i++) { ++ $v[$i] = $fakezval.$i; ++} ++ ++var_dump($y); ++ ++function ptr2str($ptr) ++{ ++ $out = ''; ++ ++ for ($i = 0; $i < 8; $i++) { ++ $out .= chr($ptr & 0xff); ++ $ptr >>= 8; ++ } ++ ++ return $out; ++} ++?> ++DONE ++--EXPECTF-- ++array(1) { ++ [0]=> ++ array(1) { ++ ["ryat"]=> ++ array(2) { ++ ["php_class_name"]=> ++ string(8) "stdClass" ++ [0]=> ++ NULL ++ } ++ } ++} ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 8017620..b9dd1fa 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -978,7 +978,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + + if (ent1->varname) { + if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) && +- Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) { ++ Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) { + zend_bool incomplete_class = 0; + + zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); diff --git a/bug70728.patch b/bug70728.patch new file mode 100644 index 0000000..788eb34 --- /dev/null +++ b/bug70728.patch @@ -0,0 +1,80 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 4df84a648ec62b17bd8f8359452f8defd1026167 Mon Sep 17 00:00:00 2001 +From: Julien Pauli +Date: Tue, 22 Dec 2015 14:28:19 +0100 +Subject: [PATCH] Fixed #70728 + +--- + ext/xmlrpc/tests/bug70728.phpt | 30 ++++++++++++++++++++++++++++++ + ext/xmlrpc/xmlrpc-epi-php.c | 13 +++++++++++-- + 2 files changed, 41 insertions(+), 2 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug70728.phpt + +diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt +new file mode 100644 +index 0000000..5510c33 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug70728.phpt +@@ -0,0 +1,30 @@ ++--TEST-- ++Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker) ++--SKIPIF-- ++ ++--FILE-- ++xmlrpc_type = 'base64'; ++$obj->scalar = 0x1122334455; ++var_dump(xmlrpc_encode($obj)); ++var_dump($obj); ++?> ++--EXPECTF-- ++string(135) " ++ ++ ++ ++ NzM1ODgyMjkyMDU= ++ ++ ++ ++" ++object(stdClass)#1 (2) { ++ ["xmlrpc_type"]=> ++ string(6) "base64" ++ ["scalar"]=> ++ int(73588229205) ++} +diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c +index 613892c..6c76434 100644 +--- a/ext/xmlrpc/xmlrpc-epi-php.c ++++ b/ext/xmlrpc/xmlrpc-epi-php.c +@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep + xReturn = XMLRPC_CreateValueEmpty(); + XMLRPC_SetValueID(xReturn, key, 0); + } else { +- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val)); ++ if (Z_TYPE_P(val) != IS_STRING) { ++ zval *newvalue; ++ ALLOC_INIT_ZVAL(newvalue); ++ MAKE_COPY_ZVAL(&val, newvalue); ++ convert_to_string(newvalue); ++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue)); ++ zval_ptr_dtor(&newvalue); ++ } else { ++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val)); ++ } + } + break; + case xmlrpc_datetime: +@@ -1452,7 +1461,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */ + if (newvalue) { + zval** val; + +- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) { ++ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) { + if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) { + *newvalue = *val; + } diff --git a/bug70741.patch b/bug70741.patch new file mode 100644 index 0000000..1704bfb --- /dev/null +++ b/bug70741.patch @@ -0,0 +1,64 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 1785d2b805f64eaaacf98c14c9e13107bf085ab1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 28 Dec 2015 12:42:44 -0800 +Subject: [PATCH] Fixed bug #70741: Session WDDX Packet Deserialization Type + Confusion Vulnerability + +--- + NEWS | 4 ++ + ext/wddx/tests/bug70741.phpt | 26 ++++++++ + ext/wddx/wddx.c | 139 ++++++++++++++++++++++--------------------- + 3 files changed, 101 insertions(+), 68 deletions(-) + create mode 100644 ext/wddx/tests/bug70741.phpt + +diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt +new file mode 100644 +index 0000000..9c7e09b +--- /dev/null ++++ b/ext/wddx/tests/bug70741.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability) ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++
++ ++ $hashtable ++ ++"; ++session_decode($wddx); ++?> ++DONE ++--EXPECTF-- ++ ++Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 45beaece..8017620 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -308,7 +308,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx) + MAKE_STD_ZVAL(retval); + + if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) { +- ++ if (Z_TYPE_P(retval) != IS_ARRAY) { ++ zval_ptr_dtor(&retval); ++ return FAILURE; ++ } + for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval)); + zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS; + zend_hash_move_forward(Z_ARRVAL_P(retval))) { diff --git a/bug70755.patch b/bug70755.patch new file mode 100644 index 0000000..1090b87 --- /dev/null +++ b/bug70755.patch @@ -0,0 +1,28 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From be19dbcb84fea0001e53cea2732c00de7ae6c371 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 8 Dec 2015 00:10:07 -0800 +Subject: [PATCH] Fixed bug #70755: fpm_log.c memory leak and buffer overflow + +--- + NEWS | 3 +++ + sapi/fpm/fpm/fpm_log.c | 5 +++++ + 2 files changed, 8 insertions(+) + +diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c +index b0bf32a..187fe9b 100644 +--- a/sapi/fpm/fpm/fpm_log.c ++++ b/sapi/fpm/fpm/fpm_log.c +@@ -446,6 +446,11 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */ + b += len2; + len += len2; + } ++ if (len >= FPM_LOG_BUFFER) { ++ zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER); ++ len = FPM_LOG_BUFFER; ++ break; ++ } + continue; + } + diff --git a/failed.txt b/failed.txt index 4506fc3..c48c430 100644 --- a/failed.txt +++ b/failed.txt @@ -1,4 +1,4 @@ -===== 5.5.45 +===== 5.5.45-3 (2016-01-06) $ grep -r 'Tests failed' /var/lib/mock/*/build.log diff --git a/php-5.4.45-curltls.patch b/php-5.4.45-curltls.patch new file mode 100644 index 0000000..8643e2b --- /dev/null +++ b/php-5.4.45-curltls.patch @@ -0,0 +1,38 @@ +Backport from PHP 5.5.0 and 5.5.19 + +Adapted from: + +From e69f987948982d4259a574ca824398c26153bf42 Mon Sep 17 00:00:00 2001 +From: Pierrick Charron +Date: Thu, 1 Dec 2011 21:48:07 +0000 +Subject: [PATCH] Clean / Improve the curl extension # NEWS file will come soon + +From 2b5bffe6c70bc00ebe57390f48ef7569e401d2d3 Mon Sep 17 00:00:00 2001 +From: Rasmus Lerdorf +Date: Thu, 16 Oct 2014 21:25:29 -0700 +Subject: [PATCH] TLS 1.0, 1.1 and 1.2 Curl constants - bug #68247 + +Macro available in upstream curl > 7.34 +Macro available since curl-7.19.7-43.el6 see https://bugzilla.redhat.com/1012136 + + +diff -up a/ext/curl/interface.c.old b/ext/curl/interface.c +--- a/ext/curl/interface.c.old 2015-12-14 11:29:34.591570003 +0100 ++++ b/ext/curl/interface.c 2015-12-14 11:38:42.366016986 +0100 +@@ -601,6 +601,16 @@ PHP_MINIT_FUNCTION(curl) + REGISTER_CURL_CONSTANT(CURLOPT_SSL_VERIFYHOST); + REGISTER_CURL_CONSTANT(CURLOPT_COOKIEFILE); + REGISTER_CURL_CONSTANT(CURLOPT_SSLVERSION); ++ ++ /* Curl SSL Version constants (CURLOPT_SSLVERSION) */ ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_DEFAULT); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv2); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv3); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1); ++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2); ++ + REGISTER_CURL_CONSTANT(CURLOPT_TIMECONDITION); + REGISTER_CURL_CONSTANT(CURLOPT_TIMEVALUE); + REGISTER_CURL_CONSTANT(CURLOPT_CUSTOMREQUEST); diff --git a/php54.spec b/php54.spec index 28ac867..c7c0d94 100644 --- a/php54.spec +++ b/php54.spec @@ -98,7 +98,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.45 -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -146,6 +146,8 @@ Patch45: php-5.4.8-ldap_r.patch Patch46: php-5.4.9-fixheader.patch # drop "Configure command" from phpinfo output Patch47: php-5.4.9-phpinfo.patch +# Add CURL_SSLVERSION_* constant +Patch49: php-5.4.45-curltls.patch # Upstream fixes # Backported from 5.5.18 for https://bugs.php.net/65641 @@ -156,6 +158,10 @@ Patch102: php-5.4.39-bug50444.patch # Security fixes Patch200: bug69720.patch Patch201: bug70433.patch +Patch202: bug70755.patch +Patch203: bug70728.patch +Patch204: bug70741.patch +Patch205: bug70661.patch # Fixes for tests # no_NO issue @@ -433,7 +439,11 @@ Provides: php_database Provides: php-mysqli = %{version}-%{release} Provides: php-mysqli%{?_isa} = %{version}-%{release} Provides: php-pdo_mysql, php-pdo_mysql%{?_isa} +%if 0%{?fedora} +BuildRequires: mariadb-devel >= 4.1.0 +%else BuildRequires: mysql-devel >= 4.1.0 +%endif Conflicts: php-mysqlnd Obsoletes: php53-mysql, php53u-mysql, php54-mysql, php54w-mysql @@ -850,6 +860,7 @@ rm -f ext/json/utf8_to_utf16.* %endif %patch46 -p1 -b .fixheader %patch47 -p1 -b .phpinfo +%patch49 -p1 -b .curltls %patch91 -p1 -b .remi-oci8 @@ -860,6 +871,10 @@ rm -f ext/json/utf8_to_utf16.* # security patches %patch200 -p1 -b .bug69720 %patch201 -p1 -b .bug70433 +%patch202 -p1 -b .bug70755 +%patch203 -p1 -b .bug70728 +%patch204 -p1 -b .bug70741 +%patch205 -p1 -b .bug70661 # Fixes for tests %patch301 -p1 -b .datetests2 @@ -1749,6 +1764,13 @@ fi %changelog +* Wed Jan 6 2016 Remi Collet 5.4.45-3 +- Fix #70755: fpm_log.c memory leak and buffer overflow +- Fix #70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker +- Fix #70741: Session WDDX Packet Deserialization Type +- Fix #70661: Use After Free Vulnerability in WDDX Packet Deserialization +- curl: add CURL_SSLVERSION_TLSv1_x constants + * Wed Sep 30 2015 Remi Collet 5.4.45-2 - Fix bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/" -- cgit