authorRemi Collet <fedora@famillecollet.com>2016-09-19 15:47:58 +0200
committerRemi Collet <fedora@famillecollet.com>2016-09-19 15:47:58 +0200
commit52386b6e0fcffedfeb59435fee398e30dd859fcf (patch)
treedf5fe9324ace1f6c6e5d7707d46c42269613f903
parent009ea0a2144e7f78907c4d9cec1d94652921161d (diff)
PHP 5.4.45 with "some" backports from 5.6.26
-rw-r--r--bug72627.patch34
-rw-r--r--bug72926.patch29
-rw-r--r--bug72928.patch92
-rw-r--r--bug73035.patch32
-rw-r--r--failed.txt9
-rw-r--r--php.spec28
6 files changed, 213 insertions, 11 deletions
diff --git a/bug72627.patch b/bug72627.patch
new file mode 100644
index 0000000..410e40e
--- /dev/null
+++ b/bug72627.patch
@@ -0,0 +1,34 @@
+Backported from 5.6.25 by Remi.
+Binary patch dropped
+
+From 32a629ef2cff754c3dd6cc24eb1e25aeaf439891 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 8 Aug 2016 00:49:34 -0700
+Subject: [PATCH] Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
+
+---
+ ext/exif/exif.c | 5 ++-
+ ext/exif/tests/bug72627.phpt | 71 +++++++++++++++++++++++++++++++++++++++++++
+ ext/exif/tests/bug72627.tiff | Bin 0 -> 1250 bytes
+ 3 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug72627.phpt
+ create mode 100644 ext/exif/tests/bug72627.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f95de3a..657a2cc1 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3778,8 +3778,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done");
+
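Review bot: On the short-read path the new code frees `ImageInfo->Thumbnail.data` and sets it to NULL but leaves `ImageInfo->Thumbnail.size` unchanged, so the struct still advertises a non-zero thumbnail length with no buffer behind it. Whether any later reader trusts a non-zero size without checking the pointer is not visible in this hunk; if one does, it would dereference NULL. Adding `ImageInfo->Thumbnail.size = 0;` right after the NULL assignment keeps the two fields consistent. The identical change in bug72926.patch (the hunk at -3744) has the same gap. exif_process_IFD_in_TIFF starts and ends outside the hunk.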
diff --git a/bug72926.patch b/bug72926.patch
new file mode 100644
index 0000000..044ed2b
--- /dev/null
+++ b/bug72926.patch
@@ -0,0 +1,29 @@
+Backported from 5.6.26 by Remi.
+
+
+From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 20:49:34 -0700
+Subject: [PATCH] Same issue as #72926 in another place.
+
+---
+ ext/exif/exif.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 657a2cc1..8b0e34c 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ }
+ }
diff --git a/bug72928.patch b/bug72928.patch
new file mode 100644
index 0000000..67701a6
--- /dev/null
+++ b/bug72928.patch
@@ -0,0 +1,92 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 22:07:35 -0700
+Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip
+ phar in phar_parse_zipfile
+
+---
+ ext/phar/tests/bug72928.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug72928.zip | Bin 0 -> 140 bytes
+ ext/phar/util.c | 28 ++++++++++++++++++++++++++++
+ ext/phar/zip.c | 2 +-
+ 4 files changed, 47 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug72928.phpt
+ create mode 100644 ext/phar/tests/bug72928.zip
+
+diff --git a/ext/phar/util.c b/ext/phar/util.c
+index 4bbd867..828be8f 100644
+--- a/ext/phar/util.c
++++ b/ext/phar/util.c
+@@ -1928,6 +1928,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[64];
+ PHP_SHA512_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA512Init(&context);
+ read_len = end_of_phar;
+
+@@ -1961,6 +1968,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[32];
+ PHP_SHA256_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA256Init(&context);
+ read_len = end_of_phar;
+
+@@ -2002,6 +2016,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[20];
+ PHP_SHA1_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA1Init(&context);
+ read_len = end_of_phar;
+
+@@ -2035,6 +2056,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[16];
+ PHP_MD5_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_MD5Init(&context);
+ read_len = end_of_phar;
+
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index bf895e7..ed156a2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
+ sig = (char *) emalloc(entry.uncompressed_filesize);
+ read = php_stream_read(fp, sig, entry.uncompressed_filesize);
+- if (read != entry.uncompressed_filesize) {
++ if (read != entry.uncompressed_filesize || read <= 8) {
+ php_stream_close(sigfile);
+ efree(sig);
+ PHAR_ZIP_FAIL("signature cannot be read");
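Review bot: The bare `8` in `read <= 8` (zip.c) has no explanation, which makes the bound hard to audit; it is presumably the size of the header that precedes the raw signature bytes. A comment such as `/* 8 = header preceding the raw signature (assumed: type + length fields) - confirm */` or a named constant would record the intent. The same literal is added to tar.c in bug73035.patch. In util.c the `sig_len < sizeof(digest)` guard is added to the four digest branches shown (SHA-512, SHA-256, SHA-1, MD5); any other signature-type branch of phar_verify_signature lies outside these hunks and should be confirmed to bound sig_len too. Both functions start and end outside the hunks.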
diff --git a/bug73035.patch b/bug73035.patch
new file mode 100644
index 0000000..231fd99
--- /dev/null
+++ b/bug73035.patch
@@ -0,0 +1,32 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Sep 2016 21:37:44 -0700
+Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar
+ phar in phar_parse_tarfile)
+
+---
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug73035.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug73035.tar | Bin 0 -> 10240 bytes
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug73035.phpt
+ create mode 100644 ext/phar/tests/bug73035.tar
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 62edcb5..898ff85 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -277,7 +277,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
+ }
+ curloc = php_stream_tell(fp);
+ read = php_stream_read(fp, buf, size);
+- if (read != size) {
++ if (read != size || read <= 8) {
+ if (error) {
+ spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname);
+ }
+
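Review bot: The regression test does not travel with this backport: the embedded diffstat lists ext/phar/tests/bug73035.phpt and bug73035.tar, but only the tar.c hunk is present ("Binary diff dropped"), so the package's test run cannot show that the new bound check behaves on 5.4. The same holds for bug72627.patch and bug72928.patch, whose diffstats also list a .phpt and a binary fixture that are absent from the patch body. If the fixtures cannot be carried in a text patch, shipping them as separate source files and keeping the .phpt would restore coverage. Failing that, a header line such as `Test and binary fixture dropped; fix not covered by the test suite` would at least record the gap.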
diff --git a/failed.txt b/failed.txt
index 755fc21..21a897e 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,21 +1,18 @@
-===== 5.5.45-11 (2016-07-22)
+===== 5.5.45-12 (2016-09-19)
$ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log
/var/lib/mock/scl54el6x/build.log:Tests failed : 1
/var/lib/mock/scl54el7x/build.log:Tests failed : 0
-/var/lib/mock/scl54fc21x/build.log:Tests failed : 1
/var/lib/mock/scl54fc22x/build.log:Tests failed : 1
/var/lib/mock/scl54fc23x/build.log:Tests failed : 3
-/var/lib/mock/scl54fc24x/build.log:Tests failed : 4
+/var/lib/mock/scl54fc24x/build.log:Tests failed : 3
/var/lib/mock/scl54fc25x/build.log:Tests failed : 3
f23, f24
Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
-f24
- file_get_contents() test using offset parameter out of range [ext/standard/tests/file/file_get_contents_error001.phpt]
-f21, f22, f23, f24
+f22, f23, f24
Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt]
el6
Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
diff --git a/php.spec b/php.spec
index f6060b0..37b9d4f 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.4.45
-Release: 11%{?dist}.1
+Release: 12%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -237,6 +237,10 @@ Patch253: bug72613.patch
Patch254: bug72618.patch
Patch255: bug72519.patch
Patch256: bug72735.patch
+Patch257: bug72627.patch
+Patch258: bug72926.patch
+Patch259: bug73035.patch
+Patch260: bug72928.patch
# Fixes for tests (300+)
# Backported from 5.5
@@ -931,6 +935,10 @@ support for using the enchant library to PHP.
%patch254 -p1 -b .bug72618
%patch255 -p1 -b .bug72519
%patch256 -p1 -b .bug72735
+%patch257 -p1 -b .bug72627
+%patch258 -p1 -b .bug72926
+%patch259 -p1 -b .bug73035
+%patch260 -p1 -b .bug72928
: ------------------------
#exit 1
@@ -1593,11 +1601,14 @@ fi
%posttrans common
cat << EOF
+=====================================================================
-WARNING : PHP 5.4 have reached its "End of Life".
-Even, if this package includes some security fix, backported from 5.5,
-The upgrade to a maintained version is very strongly recommended.
+ WARNING : PHP 5.4 have reached its "End of Life" in September 2015.
+ Even, if this package includes some of the important security fix,
+ backported from 5.5 or 5.6,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
+=====================================================================
EOF
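Review bot: The rewritten banner keeps several wording slips in text that is shown to administrators at install time: `PHP 5.4 have reached`, `Even, if` and `security fix`. Suggested wording: `WARNING : PHP 5.4 has reached its "End of Life" in September 2015.` and `Even if this package includes some of the important security fixes,`. Since this message is the only upgrade signal many users will see, it may also be worth saying that not every upstream security fix is backported, which the quoted "some" in the commit title implies.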
@@ -1761,7 +1772,14 @@ EOF
%changelog
-* Fri Aug 5 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11.1
+* Mon Sep 19 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-12
+- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
+ CVE-2016-7128
+- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage
+ in exif_process_IFD_in_TIFF
+- fix #73035: Out of bound when verify signature of tar phar
+- fix #72928: Out of bound when verify signature of zip phar
+ CVE-2016-7414
- fix #72735 regression in exif maker note parser
* Fri Jul 22 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-11