summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-03-29 14:38:41 +0200
committerRemi Collet <fedora@famillecollet.com>2016-03-29 14:38:41 +0200
commit20725105f5fd5bbb19de56ac72576f9874138468 (patch)
tree4e8f9c06f22c49294bb297ab5949765dc274dd2e
parent6dfa2b2d9e32298dd65125133e68d23b2cce316a (diff)
php 5.4 security patches from 5.5.34 (WIP)
-rw-r--r--bug71527.patch64
-rw-r--r--bug71704.patch26
-rw-r--r--bug71798.patch26
-rw-r--r--bug71860.patch326
-rw-r--r--bug71906.patch55
-rw-r--r--php.spec9
6 files changed, 506 insertions, 0 deletions
diff --git a/bug71527.patch b/bug71527.patch
new file mode 100644
index 0000000..45ba6b6
--- /dev/null
+++ b/bug71527.patch
@@ -0,0 +1,64 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From fe13566c93f118a15a96320a546c7878fd0cfc5e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Mon, 28 Mar 2016 00:45:19 +0200
+Subject: [PATCH] Fixed bug #71527 Buffer over-write in finfo_open with
+ malformed magic file
+
+The actual fix is applying the upstream patch from
+https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
+---
+ ext/fileinfo/libmagic/funcs.c | 2 +-
+ ext/fileinfo/tests/bug71527.magic | 1 +
+ ext/fileinfo/tests/bug71527.phpt | 19 +++++++++++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/fileinfo/tests/bug71527.magic
+ create mode 100644 ext/fileinfo/tests/bug71527.phpt
+
+diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
+index 011ca42..def2f7b 100644
+--- a/ext/fileinfo/libmagic/funcs.c
++++ b/ext/fileinfo/libmagic/funcs.c
+@@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
+ size_t len;
+
+ if (level >= ms->c.len) {
+- len = (ms->c.len += 20) * sizeof(*ms->c.li);
++ len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);
+ ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
+ emalloc(len) :
+ erealloc(ms->c.li, len));
+diff --git a/ext/fileinfo/tests/bug71527.magic b/ext/fileinfo/tests/bug71527.magic
+new file mode 100644
+index 0000000..14d7781
+--- /dev/null
++++ b/ext/fileinfo/tests/bug71527.magic
+@@ -0,0 +1 @@
++>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+\ No newline at end of file
+diff --git a/ext/fileinfo/tests/bug71527.phpt b/ext/fileinfo/tests/bug71527.phpt
+new file mode 100644
+index 0000000..f5b1d86
+--- /dev/null
++++ b/ext/fileinfo/tests/bug71527.phpt
+@@ -0,0 +1,19 @@
++--TEST--
++Bug #71527 Buffer over-write in finfo_open with malformed magic file
++--SKIPIF--
++<?php
++if (!class_exists('finfo'))
++ die('skip no fileinfo extension');
++--ENV--
++USE_ZEND_ALLOC=0
++--FILE--
++<?php
++ $finfo = finfo_open(FILEINFO_NONE, dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug71527.magic");
++ $info = finfo_file($finfo, __FILE__);
++ var_dump($info);
++?>
++--EXPECTF--
++Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. in %sbug71527.php on line %d
++
++Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d
++bool(false)
diff --git a/bug71704.patch b/bug71704.patch
new file mode 100644
index 0000000..8497846
--- /dev/null
+++ b/bug71704.patch
@@ -0,0 +1,26 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 9c19a08b9daed6bae3071dd25742f59a59618823 Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Wed, 16 Mar 2016 09:48:40 +0100
+Subject: [PATCH] Fixed bug #71704 php_snmp_error() Format String Vulnerability
+
+Conflicts:
+ ext/snmp/snmp.c
+---
+ ext/snmp/snmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
+index f7c99c1..6c1da4c 100644
+--- a/ext/snmp/snmp.c
++++ b/ext/snmp/snmp.c
+@@ -533,7 +533,7 @@ static void php_snmp_error(zval *object, const char *docref TSRMLS_DC, int type,
+ }
+
+ if (object && (snmp_object->exceptions_enabled & type)) {
+- zend_throw_exception_ex(php_snmp_exception_ce, type TSRMLS_CC, snmp_object->snmp_errstr);
++ zend_throw_exception_ex(php_snmp_exception_ce, type TSRMLS_CC, "%s", snmp_object->snmp_errstr);
+ } else {
+ va_start(args, format);
+ php_verror(docref, "", E_WARNING, format, args TSRMLS_CC);
diff --git a/bug71798.patch b/bug71798.patch
new file mode 100644
index 0000000..88c3a77
--- /dev/null
+++ b/bug71798.patch
@@ -0,0 +1,26 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 95433e8e339dbb6b5d5541473c1661db6ba2c451 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 27 Mar 2016 14:22:19 -0700
+Subject: [PATCH] Fix bug #71798 - Integer Overflow in php_raw_url_encode
+
+---
+ ext/standard/url.c | 2 +-
+ main/php_version.h | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 2f56d31..27a216a 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -600,7 +600,7 @@ PHPAPI int php_url_decode(char *str, int len)
+ */
+ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
+ {
+- register int x, y;
++ register size_t x, y;
+ unsigned char *str;
+
+ str = (unsigned char *) safe_emalloc(3, len, 1);
+
diff --git a/bug71860.patch b/bug71860.patch
new file mode 100644
index 0000000..010bafa
--- /dev/null
+++ b/bug71860.patch
@@ -0,0 +1,326 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 72281f29dd4691b2f741362d3581162fcf85f502 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 20 Mar 2016 20:54:09 -0700
+Subject: [PATCH] Fix bug #71860: Require valid paths for phar filenames
+
+---
+ ext/phar/phar.c | 4 +++
+ ext/phar/phar_object.c | 40 ++++++++++++++--------------
+ ext/phar/tests/badparameters.phpt | 18 ++++++-------
+ ext/phar/tests/bug64931/bug64931.phpt | 5 ++--
+ ext/phar/tests/create_path_error.phpt | 3 +--
+ ext/phar/tests/phar_extract.phpt | 2 +-
+ ext/phar/tests/phar_isvalidpharfilename.phpt | 2 +-
+ ext/phar/tests/phar_unlinkarchive.phpt | 2 +-
+ ext/phar/tests/pharfileinfo_construct.phpt | 2 +-
+ 9 files changed, 41 insertions(+), 37 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 4b9a493..17b0aff 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -2262,6 +2262,10 @@ int phar_split_fname(char *filename, int filename_len, char **arch, int *arch_le
+ #endif
+ int ext_len, free_filename = 0;
+
++ if (CHECK_NULL_PATH(filename, filename_len)) {
++ return FAILURE;
++ }
++
+ if (!strncasecmp(filename, "phar://", 7)) {
+ filename += 7;
+ filename_len -= 7;
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index e21a982..83ccab4 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -478,7 +478,7 @@ PHP_METHOD(Phar, mount)
+ int fname_len, arch_len, entry_len, path_len, actual_len;
+ phar_archive_data **pphar;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &actual, &actual_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &path, &path_len, &actual, &actual_len) == FAILURE) {
+ return;
+ }
+
+@@ -973,7 +973,7 @@ PHP_METHOD(Phar, createDefaultStub)
+ int index_len = 0, webindex_len = 0;
+ size_t stub_len;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|ss", &index, &index_len, &webindex, &webindex_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|pp", &index, &index_len, &webindex, &webindex_len) == FAILURE) {
+ return;
+ }
+
+@@ -1017,7 +1017,7 @@ PHP_METHOD(Phar, loadPhar)
+ char *fname, *alias = NULL, *error;
+ int fname_len, alias_len = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) {
+ return;
+ }
+
+@@ -1096,7 +1096,7 @@ PHP_METHOD(Phar, isValidPharFilename)
+ int fname_len, ext_len, is_executable;
+ zend_bool executable = 1;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &fname, &fname_len, &executable) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|b", &fname, &fname_len, &executable) == FAILURE) {
+ return;
+ }
+
+@@ -1171,11 +1171,11 @@ PHP_METHOD(Phar, __construct)
+ is_data = instanceof_function(Z_OBJCE_P(zobj), phar_ce_data TSRMLS_CC);
+
+ if (is_data) {
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) {
+ return;
+ }
+ } else {
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) {
+ return;
+ }
+ }
+@@ -1343,7 +1343,7 @@ PHP_METHOD(Phar, unlinkArchive)
+ int fname_len, zname_len, arch_len, entry_len;
+ phar_archive_data *phar;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+@@ -1824,7 +1824,7 @@ PHP_METHOD(Phar, buildFromDirectory)
+ return;
+ }
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &dir, &dir_len, &regex, &regex_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s", &dir, &dir_len, &regex, &regex_len) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+@@ -2707,7 +2707,7 @@ PHP_METHOD(Phar, delete)
+ return;
+ }
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+@@ -3519,7 +3519,7 @@ PHP_METHOD(Phar, copy)
+
+ PHAR_ARCHIVE_OBJECT();
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) {
+ return;
+ }
+
+@@ -3629,7 +3629,7 @@ PHP_METHOD(Phar, offsetExists)
+
+ PHAR_ARCHIVE_OBJECT();
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) {
+ return;
+ }
+
+@@ -3666,7 +3666,7 @@ PHP_METHOD(Phar, offsetGet)
+ phar_entry_info *entry;
+ PHAR_ARCHIVE_OBJECT();
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) {
+ return;
+ }
+
+@@ -3814,8 +3814,8 @@ PHP_METHOD(Phar, offsetSet)
+ return;
+ }
+
+- if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "sr", &fname, &fname_len, &zresource) == FAILURE
+- && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) {
++ if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "pr", &fname, &fname_len, &zresource) == FAILURE
++ && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) {
+ return;
+ }
+
+@@ -3853,7 +3853,7 @@ PHP_METHOD(Phar, offsetUnset)
+ return;
+ }
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) {
+ return;
+ }
+
+@@ -3900,7 +3900,7 @@ PHP_METHOD(Phar, addEmptyDir)
+
+ PHAR_ARCHIVE_OBJECT();
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &dirname, &dirname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &dirname, &dirname_len) == FAILURE) {
+ return;
+ }
+
+@@ -3925,7 +3925,7 @@ PHP_METHOD(Phar, addFile)
+
+ PHAR_ARCHIVE_OBJECT();
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) {
+ return;
+ }
+
+@@ -3969,7 +3969,7 @@ PHP_METHOD(Phar, addFromString)
+
+ PHAR_ARCHIVE_OBJECT();
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) {
+ return;
+ }
+
+@@ -4396,7 +4396,7 @@ PHP_METHOD(Phar, extractTo)
+
+ PHAR_ARCHIVE_OBJECT();
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) {
+ return;
+ }
+
+@@ -4545,7 +4545,7 @@ PHP_METHOD(PharFileInfo, __construct)
+ phar_archive_data *phar_data;
+ zval *zobj = getThis(), arg1;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) {
+ return;
+ }
+
+diff --git a/ext/phar/tests/badparameters.phpt b/ext/phar/tests/badparameters.phpt
+index 3179697..c33426e 100644
+--- a/ext/phar/tests/badparameters.phpt
++++ b/ext/phar/tests/badparameters.phpt
+@@ -126,19 +126,19 @@ echo $e->getMessage() . "\n";
+ --EXPECTF--
+ Warning: Phar::mungServer() expects parameter 1 to be array, %string given in %sbadparameters.php on line %d
+
+-Warning: Phar::createDefaultStub() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: Phar::createDefaultStub() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+
+-Warning: Phar::loadPhar() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: Phar::loadPhar() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+
+ Warning: Phar::canCompress() expects parameter 1 to be long, %string given in %sbadparameters.php on line %d
+
+-Warning: Phar::__construct() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: Phar::__construct() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+
+ Warning: Phar::convertToExecutable() expects parameter 1 to be long, array given in %sbadparameters.php on line %d
+
+ Warning: Phar::convertToData() expects parameter 1 to be long, array given in %sbadparameters.php on line %d
+
+-Warning: PharData::delete() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: PharData::delete() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+ Cannot write out phar archive, phar is read-only
+ Entry oops does not exist and cannot be deleted
+ %sfiles/frontcontroller10.phar
+@@ -165,18 +165,18 @@ Phar is readonly, cannot change compression
+ Warning: Phar::copy() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d
+ Cannot copy "a" to "b", phar is read-only
+
+-Warning: Phar::offsetExists() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: Phar::offsetExists() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+
+-Warning: Phar::offsetGet() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: Phar::offsetGet() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+
+ Warning: Phar::offsetSet() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d
+
+-Warning: PharData::offsetUnset() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: PharData::offsetUnset() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+ Write operations disabled by the php.ini setting phar.readonly
+
+-Warning: Phar::addEmptyDir() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: Phar::addEmptyDir() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+
+-Warning: Phar::addFile() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
++Warning: Phar::addFile() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
+
+ Warning: Phar::addFromString() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d
+ Write operations disabled by the php.ini setting phar.readonly
+diff --git a/ext/phar/tests/create_path_error.phpt b/ext/phar/tests/create_path_error.phpt
+index 886ba81..d457deb2 100644
+--- a/ext/phar/tests/create_path_error.phpt
++++ b/ext/phar/tests/create_path_error.phpt
+@@ -80,6 +80,5 @@ string(5) "query"
+ 11:Error: file_put_contents(phar:///%s): failed to open stream: phar error: invalid path "%s" contains illegal character
+ 12:Error: file_put_contents(phar:///%s): failed to open stream: phar error: invalid path "%s" contains illegal character
+ 13:Error: file_put_contents(phar:///%s): failed to open stream: phar error: invalid path "%s" contains illegal character
+-Exception: Entry a does not exist and cannot be created: phar error: invalid path "a" contains illegal character
+-===DONE===
++Error: Phar::offsetSet() expects parameter 1 to be a valid path, string given===DONE===
+
+diff --git a/ext/phar/tests/phar_extract.phpt b/ext/phar/tests/phar_extract.phpt
+index 01d65f9..2ff4a78 100644
+--- a/ext/phar/tests/phar_extract.phpt
++++ b/ext/phar/tests/phar_extract.phpt
+@@ -138,7 +138,7 @@ string(3) "hi2"
+ bool(false)
+ Invalid argument, expected a filename (string) or array of filenames
+
+-Warning: Phar::extractTo() expects parameter 1 to be %string, array given in %sphar_extract.php on line %d
++Warning: Phar::extractTo() expects parameter 1 to be a valid path, array given in %sphar_extract.php on line %d
+ Invalid argument, extraction path must be non-zero length
+ Unable to use path "%soops" for extraction, it is a file, must be a directory
+ Invalid argument, array of filenames to extract contains non-string value
+diff --git a/ext/phar/tests/phar_isvalidpharfilename.phpt b/ext/phar/tests/phar_isvalidpharfilename.phpt
+index dee9b7d..da07bec 100644
+--- a/ext/phar/tests/phar_isvalidpharfilename.phpt
++++ b/ext/phar/tests/phar_isvalidpharfilename.phpt
+@@ -76,7 +76,7 @@ var_dump(Phar::isValidPharFilename('dir.phar.php', false));
+ <?php
+ rmdir(dirname(__FILE__) . '/.phar');
+ --EXPECTF--
+-Warning: Phar::isValidPharFilename() expects parameter 1 to be %string, array given in %sphar_isvalidpharfilename.php on line %d
++Warning: Phar::isValidPharFilename() expects parameter 1 to be a valid path, array given in %sphar_isvalidpharfilename.php on line %d
+ *
+ bool(false)
+ bool(false)
+diff --git a/ext/phar/tests/phar_unlinkarchive.phpt b/ext/phar/tests/phar_unlinkarchive.phpt
+index 4800c52..2f441ba 100644
+--- a/ext/phar/tests/phar_unlinkarchive.phpt
++++ b/ext/phar/tests/phar_unlinkarchive.phpt
+@@ -90,7 +90,7 @@ Unknown phar archive ""
+ Unknown phar archive "%sphar_unlinkarchive.phar"
+ Unknown phar archive "%sphar_unlinkarchive.phar.tar": internal corruption of phar "%sphar_unlinkarchive.phar.tar" (truncated entry)
+
+-Warning: Phar::unlinkArchive() expects parameter 1 to be %string, array given in %sphar_unlinkarchive.php on line %d
++Warning: Phar::unlinkArchive() expects parameter 1 to be a valid path, array given in %sphar_unlinkarchive.php on line %d
+ bool(false)
+ string(48) "<?php echo "first stub\n"; __HALT_COMPILER(); ?>"
+ phar archive "%sphar_unlinkarchive.phar" has open file handles or objects. fclose() all file handles, and unset() all objects prior to calling unlinkArchive()
+diff --git a/ext/phar/tests/pharfileinfo_construct.phpt b/ext/phar/tests/pharfileinfo_construct.phpt
+index 2610095..6a41a52 100644
+--- a/ext/phar/tests/pharfileinfo_construct.phpt
++++ b/ext/phar/tests/pharfileinfo_construct.phpt
+@@ -47,7 +47,7 @@ echo $e->getMessage() . "\n";
+ --EXPECTF--
+ Cannot open phar file 'phar://%spharfileinfo_construct.phar/oops': internal corruption of phar "%spharfileinfo_construct.phar" (truncated entry)
+
+-Warning: PharFileInfo::__construct() expects parameter 1 to be %string, array given in %spharfileinfo_construct.php on line %d
++Warning: PharFileInfo::__construct() expects parameter 1 to be a valid path, array given in %spharfileinfo_construct.php on line %d
+ Cannot access phar file entry '/oops/I/do/not/exist' in archive '%spharfileinfo_construct.phar'
+ Cannot call constructor twice
+ '%spharfileinfo_construct.php' is not a valid phar archive URL (must have at least phar://filename.phar)
+--
+2.1.4
+
diff --git a/bug71906.patch b/bug71906.patch
new file mode 100644
index 0000000..6a29692
--- /dev/null
+++ b/bug71906.patch
@@ -0,0 +1,55 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From f8dd10508bd66b6eefb18d319577b443fb1e0c55 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Mar 2016 01:22:37 -0700
+Subject: [PATCH] Fixed bug #71906: AddressSanitizer: negative-size-param (-1)
+ in mbfl_strcut
+
+---
+ ext/mbstring/libmbfl/mbfl/mbfilter.c | 34 +++++++++++++++++-----------------
+ main/php_version.h | 6 +++---
+ 2 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
+index 3b14727..4986472 100644
+--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
++++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
+@@ -1501,7 +1501,7 @@ mbfl_strcut(
+ if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) {
+ from &= -2;
+
+- if (from + length >= string->len) {
++ if (length >= string->len - from) {
+ length = string->len - from;
+ }
+
+@@ -1510,14 +1510,14 @@ mbfl_strcut(
+ } else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) {
+ from &= -4;
+
+- if (from + length >= string->len) {
++ if (length >= string->len - from) {
+ length = string->len - from;
+ }
+
+ start = string->val + from;
+ end = start + (length & -4);
+ } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+- if (from + length >= string->len) {
++ if (length >= string->len - from) {
+ length = string->len - from;
+ }
+
+@@ -1539,7 +1539,7 @@ mbfl_strcut(
+ start = p;
+
+ /* search end position */
+- if ((start - string->val) + length >= (int)string->len) {
++ if (length >= (int)string->len - (start - string->val)) {
+ end = string->val + string->len;
+ } else {
+ for (q = p + length; p < q; p += (m = mbtab[*p]));
+--
+2.1.4
+
diff --git a/php.spec b/php.spec
index dc52138..9fc872c 100644
--- a/php.spec
+++ b/php.spec
@@ -197,6 +197,9 @@ Patch214: bug71498.patch
Patch215: bug71587.patch
Patch216: bug71860.patch
Patch217: bug71906.patch
+Patch218: bug71798.patch
+Patch219: bug71704.patch
+Patch220: bug71527.patch
# Fixes for tests (300+)
# Backported from 5.5
@@ -852,6 +855,9 @@ support for using the enchant library to PHP.
%patch215 -p1 -b .bug71587
%patch216 -p1 -b .bug71860
%patch217 -p1 -b .bug71906
+%patch218 -p1 -b .bug71798
+%patch219 -p1 -b .bug71704
+%patch220 -p1 -b .bug71527
# Fixes for tests
%patch300 -p1 -b .datetests1
@@ -1678,6 +1684,9 @@ EOF
* Tue Mar 29 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-7
- Fix #71860: Require valid paths for phar filenames
- Fix #71906: AddressSanitizer: negative-size-param in mbfl_strcut
+- Fix #71798: Integer Overflow in php_raw_url_encode
+- Fix #71704: php_snmp_error() Format String Vulnerability
+- Fix #71527: Buffer over-write in finfo_open with malformed magic file
* Thu Mar 10 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-6
- adapt for F24: define %%pecl_xmldir and own it