PHP 5.4.45 with "some" backports from 5.6.26

author: Remi Collet <fedora@famillecollet.com> 2016-09-19 15:47:58 +0200
committer: Remi Collet <fedora@famillecollet.com> 2016-09-19 15:47:58 +0200
commit: 52386b6e0fcffedfeb59435fee398e30dd859fcf (patch)
tree: df5fe9324ace1f6c6e5d7707d46c42269613f903
parent: 009ea0a2144e7f78907c4d9cec1d94652921161d (diff)
6 files changed, 213 insertions, 11 deletions
diff --git a/bug72627.patch b/bug72627.patch
new file mode 100644
index 0000000..410e40e
--- /dev/null
+++ b/bug72627.patch
@@ -0,0 +1,34 @@
+Backported from 5.6.25 by Remi.
+Binary patch dropped
+
+From 32a629ef2cff754c3dd6cc24eb1e25aeaf439891 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 8 Aug 2016 00:49:34 -0700
+Subject: [PATCH] Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
+
+---
+ ext/exif/exif.c              |   5 ++-
+ ext/exif/tests/bug72627.phpt |  71 +++++++++++++++++++++++++++++++++++++++++++
+ ext/exif/tests/bug72627.tiff | Bin 0 -> 1250 bytes
+ 3 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug72627.phpt
+ create mode 100644 ext/exif/tests/bug72627.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f95de3a..657a2cc1 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3778,8 +3778,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 						fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ 						if (fgot < ImageInfo->Thumbnail.size) {
+ 							EXIF_ERRLOG_THUMBEOF(ImageInfo)
++							efree(ImageInfo->Thumbnail.data);
++							ImageInfo->Thumbnail.data = NULL;
++						} else {
++							exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ 						}
+-						exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ 					}
+ #ifdef EXIF_DEBUG
+ 					exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done");
+
diff --git a/bug72926.patch b/bug72926.patch
new file mode 100644
index 0000000..044ed2b
--- /dev/null
+++ b/bug72926.patch
@@ -0,0 +1,29 @@
+Backported from 5.6.26 by Remi.
+
+
+From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 20:49:34 -0700
+Subject: [PATCH] Same issue as #72926 in another place.
+
+---
+ ext/exif/exif.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 657a2cc1..8b0e34c 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 									fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ 									if (fgot < ImageInfo->Thumbnail.size) {
+ 										EXIF_ERRLOG_THUMBEOF(ImageInfo)
++										efree(ImageInfo->Thumbnail.data);
++										ImageInfo->Thumbnail.data = NULL;
++									} else {
++										exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ 									}
+-									exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ 								}
+ 							}
+ 						}
diff --git a/bug72928.patch b/bug72928.patch
new file mode 100644
index 0000000..67701a6
--- /dev/null
+++ b/bug72928.patch
@@ -0,0 +1,92 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 22:07:35 -0700
+Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip
+ phar in phar_parse_zipfile
+
+---
+ ext/phar/tests/bug72928.phpt |  18 ++++++++++++++++++
+ ext/phar/tests/bug72928.zip  | Bin 0 -> 140 bytes
+ ext/phar/util.c              |  28 ++++++++++++++++++++++++++++
+ ext/phar/zip.c               |   2 +-
+ 4 files changed, 47 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug72928.phpt
+ create mode 100644 ext/phar/tests/bug72928.zip
+
+diff --git a/ext/phar/util.c b/ext/phar/util.c
+index 4bbd867..828be8f 100644
+--- a/ext/phar/util.c
++++ b/ext/phar/util.c
+@@ -1928,6 +1928,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ 			unsigned char digest[64];
+ 			PHP_SHA512_CTX context;
+ 
++			if (sig_len < sizeof(digest)) {
++				if (error) {
++					spprintf(error, 0, "broken signature");
++				}
++				return FAILURE;
++			}
++
+ 			PHP_SHA512Init(&context);
+ 			read_len = end_of_phar;
+ 
+@@ -1961,6 +1968,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ 			unsigned char digest[32];
+ 			PHP_SHA256_CTX context;
+ 
++			if (sig_len < sizeof(digest)) {
++				if (error) {
++					spprintf(error, 0, "broken signature");
++				}
++				return FAILURE;
++			}
++
+ 			PHP_SHA256Init(&context);
+ 			read_len = end_of_phar;
+ 
+@@ -2002,6 +2016,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ 			unsigned char digest[20];
+ 			PHP_SHA1_CTX  context;
+ 
++			if (sig_len < sizeof(digest)) {
++				if (error) {
++					spprintf(error, 0, "broken signature");
++				}
++				return FAILURE;
++			}
++
+ 			PHP_SHA1Init(&context);
+ 			read_len = end_of_phar;
+ 
+@@ -2035,6 +2056,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ 			unsigned char digest[16];
+ 			PHP_MD5_CTX   context;
+ 
++			if (sig_len < sizeof(digest)) {
++				if (error) {
++					spprintf(error, 0, "broken signature");
++				}
++				return FAILURE;
++			}
++
+ 			PHP_MD5Init(&context);
+ 			read_len = end_of_phar;
+ 
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index bf895e7..ed156a2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ 			php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
+ 			sig = (char *) emalloc(entry.uncompressed_filesize);
+ 			read = php_stream_read(fp, sig, entry.uncompressed_filesize);
+-			if (read != entry.uncompressed_filesize) {
++			if (read != entry.uncompressed_filesize || read <= 8) {
+ 				php_stream_close(sigfile);
+ 				efree(sig);
+ 				PHAR_ZIP_FAIL("signature cannot be read");
diff --git a/bug73035.patch b/bug73035.patch
new file mode 100644
index 0000000..231fd99
--- /dev/null
+++ b/bug73035.patch
@@ -0,0 +1,32 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Sep 2016 21:37:44 -0700
+Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar
+ phar in phar_parse_tarfile)
+
+---
+ ext/phar/tar.c               |   2 +-
+ ext/phar/tests/bug73035.phpt |  18 ++++++++++++++++++
+ ext/phar/tests/bug73035.tar  | Bin 0 -> 10240 bytes
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug73035.phpt
+ create mode 100644 ext/phar/tests/bug73035.tar
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 62edcb5..898ff85 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -277,7 +277,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
+ 			}
+ 			curloc = php_stream_tell(fp);
+ 			read = php_stream_read(fp, buf, size);
+-			if (read != size) {
++			if (read != size || read <= 8) {
+ 				if (error) {
+ 					spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname);
+ 				}
+
diff --git a/failed.txt b/failed.txt
index 755fc21..21a897e 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,21 +1,18 @@
-===== 5.5.45-11 (2016-07-22)
+===== 5.5.45-12 (2016-09-19)
 
 $ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log
 
 /var/lib/mock/scl54el6x/build.log:Tests failed    :    1
 /var/lib/mock/scl54el7x/build.log:Tests failed    :    0
-/var/lib/mock/scl54fc21x/build.log:Tests failed    :    1
 /var/lib/mock/scl54fc22x/build.log:Tests failed    :    1
 /var/lib/mock/scl54fc23x/build.log:Tests failed    :    3
-/var/lib/mock/scl54fc24x/build.log:Tests failed    :    4
+/var/lib/mock/scl54fc24x/build.log:Tests failed    :    3
 /var/lib/mock/scl54fc25x/build.log:Tests failed    :    3
 
 f23, f24
 	Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
     Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
-f24
-	file_get_contents() test using offset parameter out of range [ext/standard/tests/file/file_get_contents_error001.phpt]
-f21, f22, f23, f24
+f22, f23, f24
     Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt]
 el6
     Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
diff --git a/php.spec b/php.spec
index f6060b0..37b9d4f 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.4.45
-Release: 11%{?dist}.1
+Release: 12%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -237,6 +237,10 @@ Patch253: bug72613.patch
 Patch254: bug72618.patch
 Patch255: bug72519.patch
 Patch256: bug72735.patch
+Patch257: bug72627.patch
+Patch258: bug72926.patch
+Patch259: bug73035.patch
+Patch260: bug72928.patch
 
 # Fixes for tests (300+)
 # Backported from 5.5
@@ -931,6 +935,10 @@ support for using the enchant library to PHP.
 %patch254 -p1 -b .bug72618
 %patch255 -p1 -b .bug72519
 %patch256 -p1 -b .bug72735
+%patch257 -p1 -b .bug72627
+%patch258 -p1 -b .bug72926
+%patch259 -p1 -b .bug73035
+%patch260 -p1 -b .bug72928
 : ------------------------
 #exit 1
 
@@ -1593,11 +1601,14 @@ fi
 
 %posttrans common
 cat << EOF
+=====================================================================
 
-WARNING : PHP 5.4 have reached its "End of Life".
-Even, if this package includes some security fix, backported from 5.5,
-The upgrade to a maintained version is very strongly recommended.
+ WARNING : PHP 5.4 have reached its "End of Life" in September 2015.
+ Even, if this package includes some of the important security fix,
+ backported from 5.5 or 5.6,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
 
+=====================================================================
 EOF
 
 
@@ -1761,7 +1772,14 @@ EOF
 
 
 %changelog
-* Fri Aug  5 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11.1
+* Mon Sep 19 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-12
+- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
+  CVE-2016-7128
+- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage
+  in exif_process_IFD_in_TIFF
+- fix #73035: Out of bound when verify signature of tar phar
+- fix #72928: Out of bound when verify signature of zip phar
+  CVE-2016-7414
 - fix #72735 regression in exif maker note parser
 
 * Fri Jul 22 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11
author	Remi Collet <fedora@famillecollet.com>	2016-09-19 15:47:58 +0200
committer	Remi Collet <fedora@famillecollet.com>	2016-09-19 15:47:58 +0200
commit	52386b6e0fcffedfeb59435fee398e30dd859fcf (patch)
tree	df5fe9324ace1f6c6e5d7707d46c42269613f903
parent	009ea0a2144e7f78907c4d9cec1d94652921161d (diff)