summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-01-06 17:23:22 +0100
committerRemi Collet <fedora@famillecollet.com>2016-01-06 17:23:22 +0100
commitb2e73532d8e76408de08eed664c9a5ba11e7568b (patch)
treebcf7f9e1a8c9aa9cd16f949903109de037471022
parent41e771120a8e364f6076c6f009f7912b49be6d8d (diff)
PHP 5.4.45 with security patches from 5.5.31
-rw-r--r--bug70661.patch104
-rw-r--r--bug70728.patch80
-rw-r--r--bug70741.patch64
-rw-r--r--bug70755.patch28
-rw-r--r--failed.txt13
-rw-r--r--php-5.4.45-curltls.patch38
-rw-r--r--php.spec20
7 files changed, 340 insertions, 7 deletions
diff --git a/bug70661.patch b/bug70661.patch
new file mode 100644
index 0000000..90eae74
--- /dev/null
+++ b/bug70661.patch
@@ -0,0 +1,104 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From dcf3c9761c31e12011ba202f30caff53aae2056c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Dec 2015 14:46:35 -0800
+Subject: [PATCH] Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet
+ Deserialization)
+
+---
+ NEWS | 2 ++
+ ext/wddx/tests/bug70661.phpt | 69 ++++++++++++++++++++++++++++++++++++++++++++
+ ext/wddx/wddx.c | 2 +-
+ 3 files changed, 72 insertions(+), 1 deletion(-)
+ create mode 100644 ext/wddx/tests/bug70661.phpt
+
+diff --git a/ext/wddx/tests/bug70661.phpt b/ext/wddx/tests/bug70661.phpt
+new file mode 100644
+index 0000000..e068c20
+--- /dev/null
++++ b/ext/wddx/tests/bug70661.phpt
+@@ -0,0 +1,69 @@
++--TEST--
++Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
++--SKIPIF--
++<?php
++if (!extension_loaded("wddx")) print "skip";
++?>
++--FILE--
++<?php
++$fakezval = ptr2str(1122334455);
++$fakezval .= ptr2str(0);
++$fakezval .= "\x00\x00\x00\x00";
++$fakezval .= "\x01";
++$fakezval .= "\x00";
++$fakezval .= "\x00\x00";
++
++$x = <<<EOT
++<?xml version='1.0'?>
++<wddxPacket version='1.0'>
++<header/>
++ <data>
++ <struct>
++ <recordset rowCount='1' fieldNames='ryat'>
++ <field name='ryat'>
++ <var name='php_class_name'>
++ <string>stdClass</string>
++ </var>
++ <null/>
++ </field>
++ </recordset>
++ </struct>
++ </data>
++</wddxPacket>
++EOT;
++
++$y = wddx_deserialize($x);
++
++for ($i = 0; $i < 5; $i++) {
++ $v[$i] = $fakezval.$i;
++}
++
++var_dump($y);
++
++function ptr2str($ptr)
++{
++ $out = '';
++
++ for ($i = 0; $i < 8; $i++) {
++ $out .= chr($ptr & 0xff);
++ $ptr >>= 8;
++ }
++
++ return $out;
++}
++?>
++DONE
++--EXPECTF--
++array(1) {
++ [0]=>
++ array(1) {
++ ["ryat"]=>
++ array(2) {
++ ["php_class_name"]=>
++ string(8) "stdClass"
++ [0]=>
++ NULL
++ }
++ }
++}
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 8017620..b9dd1fa 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -978,7 +978,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+
+ if (ent1->varname) {
+ if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
+- Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
++ Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) {
+ zend_bool incomplete_class = 0;
+
+ zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
diff --git a/bug70728.patch b/bug70728.patch
new file mode 100644
index 0000000..788eb34
--- /dev/null
+++ b/bug70728.patch
@@ -0,0 +1,80 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 4df84a648ec62b17bd8f8359452f8defd1026167 Mon Sep 17 00:00:00 2001
+From: Julien Pauli <jpauli@php.net>
+Date: Tue, 22 Dec 2015 14:28:19 +0100
+Subject: [PATCH] Fixed #70728
+
+---
+ ext/xmlrpc/tests/bug70728.phpt | 30 ++++++++++++++++++++++++++++++
+ ext/xmlrpc/xmlrpc-epi-php.c | 13 +++++++++++--
+ 2 files changed, 41 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug70728.phpt
+
+diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
+new file mode 100644
+index 0000000..5510c33
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug70728.phpt
+@@ -0,0 +1,30 @@
++--TEST--
++Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++$obj = new stdClass;
++$obj->xmlrpc_type = 'base64';
++$obj->scalar = 0x1122334455;
++var_dump(xmlrpc_encode($obj));
++var_dump($obj);
++?>
++--EXPECTF--
++string(135) "<?xml version="1.0" encoding="utf-8"?>
++<params>
++<param>
++ <value>
++ <base64>NzM1ODgyMjkyMDU=&#10;</base64>
++ </value>
++</param>
++</params>
++"
++object(stdClass)#1 (2) {
++ ["xmlrpc_type"]=>
++ string(6) "base64"
++ ["scalar"]=>
++ int(73588229205)
++}
+diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
+index 613892c..6c76434 100644
+--- a/ext/xmlrpc/xmlrpc-epi-php.c
++++ b/ext/xmlrpc/xmlrpc-epi-php.c
+@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
+ xReturn = XMLRPC_CreateValueEmpty();
+ XMLRPC_SetValueID(xReturn, key, 0);
+ } else {
+- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++ if (Z_TYPE_P(val) != IS_STRING) {
++ zval *newvalue;
++ ALLOC_INIT_ZVAL(newvalue);
++ MAKE_COPY_ZVAL(&val, newvalue);
++ convert_to_string(newvalue);
++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
++ zval_ptr_dtor(&newvalue);
++ } else {
++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++ }
+ }
+ break;
+ case xmlrpc_datetime:
+@@ -1452,7 +1461,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
+ if (newvalue) {
+ zval** val;
+
+- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
++ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
+ if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
+ *newvalue = *val;
+ }
diff --git a/bug70741.patch b/bug70741.patch
new file mode 100644
index 0000000..1704bfb
--- /dev/null
+++ b/bug70741.patch
@@ -0,0 +1,64 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 1785d2b805f64eaaacf98c14c9e13107bf085ab1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Dec 2015 12:42:44 -0800
+Subject: [PATCH] Fixed bug #70741: Session WDDX Packet Deserialization Type
+ Confusion Vulnerability
+
+---
+ NEWS | 4 ++
+ ext/wddx/tests/bug70741.phpt | 26 ++++++++
+ ext/wddx/wddx.c | 139 ++++++++++++++++++++++---------------------
+ 3 files changed, 101 insertions(+), 68 deletions(-)
+ create mode 100644 ext/wddx/tests/bug70741.phpt
+
+diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt
+new file mode 100644
+index 0000000..9c7e09b
+--- /dev/null
++++ b/ext/wddx/tests/bug70741.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
++--SKIPIF--
++<?php
++if (!extension_loaded("wddx")) print "skip";
++?>
++--FILE--
++<?php
++ini_set('session.serialize_handler', 'wddx');
++session_start();
++
++$hashtable = str_repeat('A', 66);
++$wddx = "<?xml version='1.0'?>
++<wddxPacket version='1.0'>
++<header/>
++ <data>
++ <string>$hashtable</string>
++ </data>
++</wddxPacket>";
++session_decode($wddx);
++?>
++DONE
++--EXPECTF--
++
++Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 45beaece..8017620 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -308,7 +308,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx)
+ MAKE_STD_ZVAL(retval);
+
+ if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
+-
++ if (Z_TYPE_P(retval) != IS_ARRAY) {
++ zval_ptr_dtor(&retval);
++ return FAILURE;
++ }
+ for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
+ zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
+ zend_hash_move_forward(Z_ARRVAL_P(retval))) {
diff --git a/bug70755.patch b/bug70755.patch
new file mode 100644
index 0000000..1090b87
--- /dev/null
+++ b/bug70755.patch
@@ -0,0 +1,28 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From be19dbcb84fea0001e53cea2732c00de7ae6c371 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 8 Dec 2015 00:10:07 -0800
+Subject: [PATCH] Fixed bug #70755: fpm_log.c memory leak and buffer overflow
+
+---
+ NEWS | 3 +++
+ sapi/fpm/fpm/fpm_log.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c
+index b0bf32a..187fe9b 100644
+--- a/sapi/fpm/fpm/fpm_log.c
++++ b/sapi/fpm/fpm/fpm_log.c
+@@ -446,6 +446,11 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
+ b += len2;
+ len += len2;
+ }
++ if (len >= FPM_LOG_BUFFER) {
++ zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
++ len = FPM_LOG_BUFFER;
++ break;
++ }
+ continue;
+ }
+
diff --git a/failed.txt b/failed.txt
index 23301d2..7400a58 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,20 +1,21 @@
-===== 5.5.45
+===== 5.5.45-3 (2016-01-06)
$ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log
-/var/lib/mock/scl54fc19x/build.log:Tests failed : 0 ( 0.0%) ( 0.0%)
/var/lib/mock/scl54fc20x/build.log:Tests failed : 0 ( 0.0%) ( 0.0%)
/var/lib/mock/scl54fc21x/build.log:Tests failed : 1 ( 0.0%) ( 0.0%)
/var/lib/mock/scl54fc22x/build.log:Tests failed : 1 ( 0.0%) ( 0.0%)
/var/lib/mock/scl54fc23x/build.log:Tests failed : 2 ( 0.0%) ( 0.0%)
-/var/lib/mock/scl54el6x/build.log:Tests failed : 1 ( 0.0%) ( 0.0%)
+/var/lib/mock/scl54el6x/build.log:Tests failed : 3 ( 0.0%) ( 0.0%)
/var/lib/mock/scl54el7x/build.log:Tests failed : 0 ( 0.0%) ( 0.0%)
f23
- Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
+ Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
f21, f22, f23
- Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt]
+ Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt]
el6
- Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
+ IPv4 Loopback test [ext/sockets/tests/ipv4loop.phpt]
+ ext/sockets - socket_getpeername_ipv4loop - basic test [ext/sockets/tests/socket_getpeername_ipv4loop.phpt]
+ Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
diff --git a/php-5.4.45-curltls.patch b/php-5.4.45-curltls.patch
new file mode 100644
index 0000000..8643e2b
--- /dev/null
+++ b/php-5.4.45-curltls.patch
@@ -0,0 +1,38 @@
+Backport from PHP 5.5.0 and 5.5.19
+
+Adapted from:
+
+From e69f987948982d4259a574ca824398c26153bf42 Mon Sep 17 00:00:00 2001
+From: Pierrick Charron <pierrick@php.net>
+Date: Thu, 1 Dec 2011 21:48:07 +0000
+Subject: [PATCH] Clean / Improve the curl extension # NEWS file will come soon
+
+From 2b5bffe6c70bc00ebe57390f48ef7569e401d2d3 Mon Sep 17 00:00:00 2001
+From: Rasmus Lerdorf <rasmus@php.net>
+Date: Thu, 16 Oct 2014 21:25:29 -0700
+Subject: [PATCH] TLS 1.0, 1.1 and 1.2 Curl constants - bug #68247
+
+Macro available in upstream curl > 7.34
+Macro available since curl-7.19.7-43.el6 see https://bugzilla.redhat.com/1012136
+
+
+diff -up a/ext/curl/interface.c.old b/ext/curl/interface.c
+--- a/ext/curl/interface.c.old 2015-12-14 11:29:34.591570003 +0100
++++ b/ext/curl/interface.c 2015-12-14 11:38:42.366016986 +0100
+@@ -601,6 +601,16 @@ PHP_MINIT_FUNCTION(curl)
+ REGISTER_CURL_CONSTANT(CURLOPT_SSL_VERIFYHOST);
+ REGISTER_CURL_CONSTANT(CURLOPT_COOKIEFILE);
+ REGISTER_CURL_CONSTANT(CURLOPT_SSLVERSION);
++
++ /* Curl SSL Version constants (CURLOPT_SSLVERSION) */
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_DEFAULT);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv2);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv3);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2);
++
+ REGISTER_CURL_CONSTANT(CURLOPT_TIMECONDITION);
+ REGISTER_CURL_CONSTANT(CURLOPT_TIMEVALUE);
+ REGISTER_CURL_CONSTANT(CURLOPT_CUSTOMREQUEST);
diff --git a/php.spec b/php.spec
index d7687db..98766f3 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.4.45
-Release: 2%{?dist}
+Release: 3%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -164,6 +164,8 @@ Patch46: php-5.4.9-fixheader.patch
Patch47: php-5.4.9-phpinfo.patch
# Allow multiple paths in ini_scan_dir
Patch48: php-5.4.16-iniscan.patch
+# Add CURL_SSLVERSION_* constant
+Patch49: php-5.4.45-curltls.patch
# RC Patch
Patch91: php-5.3.7-oci8conf.patch
@@ -179,6 +181,10 @@ Patch102: php-5.4.39-bug50444.patch
# Security fixes (200+)
Patch200: bug69720.patch
Patch201: bug70433.patch
+Patch202: bug70755.patch
+Patch203: bug70728.patch
+Patch204: bug70741.patch
+Patch205: bug70661.patch
# Fixes for tests (300+)
# Backported from 5.5
@@ -806,6 +812,7 @@ support for using the enchant library to PHP.
%patch46 -p1 -b .fixheader
%patch47 -p1 -b .phpinfo
%patch48 -p1 -b .iniscan
+%patch49 -p1 -b .curltls
%patch91 -p1 -b .remi-oci8
@@ -817,6 +824,10 @@ support for using the enchant library to PHP.
# security patches
%patch200 -p1 -b .bug69720
%patch201 -p1 -b .bug70433
+%patch202 -p1 -b .bug70755
+%patch203 -p1 -b .bug70728
+%patch204 -p1 -b .bug70741
+%patch205 -p1 -b .bug70661
# Fixes for tests
%patch300 -p1 -b .datetests1
@@ -1631,6 +1642,13 @@ EOF
%changelog
+* Wed Jan 6 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-3
+- Fix #70755: fpm_log.c memory leak and buffer overflow
+- Fix #70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker
+- Fix #70741: Session WDDX Packet Deserialization Type
+- Fix #70661: Use After Free Vulnerability in WDDX Packet Deserialization
+- curl: add CURL_SSLVERSION_TLSv1_x constants
+
* Wed Sep 30 2015 Remi Collet <remi@fedoraproject.org> 5.4.45-2
- Fix bug #70433 - Uninitialized pointer in phar_make_dirstream
when zip entry filename is "/"