From 20725105f5fd5bbb19de56ac72576f9874138468 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 29 Mar 2016 14:38:41 +0200 Subject: php 5.4 security patches from 5.5.34 (WIP) --- bug71527.patch | 64 +++++++++++ bug71704.patch | 26 +++++ bug71798.patch | 26 +++++ bug71860.patch | 326 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ bug71906.patch | 55 ++++++++++ php.spec | 9 ++ 6 files changed, 506 insertions(+) create mode 100644 bug71527.patch create mode 100644 bug71704.patch create mode 100644 bug71798.patch create mode 100644 bug71860.patch create mode 100644 bug71906.patch diff --git a/bug71527.patch b/bug71527.patch new file mode 100644 index 0000000..45ba6b6 --- /dev/null +++ b/bug71527.patch @@ -0,0 +1,64 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From fe13566c93f118a15a96320a546c7878fd0cfc5e Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Mon, 28 Mar 2016 00:45:19 +0200 +Subject: [PATCH] Fixed bug #71527 Buffer over-write in finfo_open with + malformed magic file + +The actual fix is applying the upstream patch from +https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36 +--- + ext/fileinfo/libmagic/funcs.c | 2 +- + ext/fileinfo/tests/bug71527.magic | 1 + + ext/fileinfo/tests/bug71527.phpt | 19 +++++++++++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/fileinfo/tests/bug71527.magic + create mode 100644 ext/fileinfo/tests/bug71527.phpt + +diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c +index 011ca42..def2f7b 100644 +--- a/ext/fileinfo/libmagic/funcs.c ++++ b/ext/fileinfo/libmagic/funcs.c +@@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level) + size_t len; + + if (level >= ms->c.len) { +- len = (ms->c.len += 20) * sizeof(*ms->c.li); ++ len = (ms->c.len += 20 + level) * sizeof(*ms->c.li); + ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ? + emalloc(len) : + erealloc(ms->c.li, len)); +diff --git a/ext/fileinfo/tests/bug71527.magic b/ext/fileinfo/tests/bug71527.magic +new file mode 100644 +index 0000000..14d7781 +--- /dev/null ++++ b/ext/fileinfo/tests/bug71527.magic +@@ -0,0 +1 @@ ++>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +\ No newline at end of file +diff --git a/ext/fileinfo/tests/bug71527.phpt b/ext/fileinfo/tests/bug71527.phpt +new file mode 100644 +index 0000000..f5b1d86 +--- /dev/null ++++ b/ext/fileinfo/tests/bug71527.phpt +@@ -0,0 +1,19 @@ ++--TEST-- ++Bug #71527 Buffer over-write in finfo_open with malformed magic file ++--SKIPIF-- ++ ++--EXPECTF-- ++Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. in %sbug71527.php on line %d ++ ++Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d ++bool(false) diff --git a/bug71704.patch b/bug71704.patch new file mode 100644 index 0000000..8497846 --- /dev/null +++ b/bug71704.patch @@ -0,0 +1,26 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 9c19a08b9daed6bae3071dd25742f59a59618823 Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Wed, 16 Mar 2016 09:48:40 +0100 +Subject: [PATCH] Fixed bug #71704 php_snmp_error() Format String Vulnerability + +Conflicts: + ext/snmp/snmp.c +--- + ext/snmp/snmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c +index f7c99c1..6c1da4c 100644 +--- a/ext/snmp/snmp.c ++++ b/ext/snmp/snmp.c +@@ -533,7 +533,7 @@ static void php_snmp_error(zval *object, const char *docref TSRMLS_DC, int type, + } + + if (object && (snmp_object->exceptions_enabled & type)) { +- zend_throw_exception_ex(php_snmp_exception_ce, type TSRMLS_CC, snmp_object->snmp_errstr); ++ zend_throw_exception_ex(php_snmp_exception_ce, type TSRMLS_CC, "%s", snmp_object->snmp_errstr); + } else { + va_start(args, format); + php_verror(docref, "", E_WARNING, format, args TSRMLS_CC); diff --git a/bug71798.patch b/bug71798.patch new file mode 100644 index 0000000..88c3a77 --- /dev/null +++ b/bug71798.patch @@ -0,0 +1,26 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 95433e8e339dbb6b5d5541473c1661db6ba2c451 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 27 Mar 2016 14:22:19 -0700 +Subject: [PATCH] Fix bug #71798 - Integer Overflow in php_raw_url_encode + +--- + ext/standard/url.c | 2 +- + main/php_version.h | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 2f56d31..27a216a 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -600,7 +600,7 @@ PHPAPI int php_url_decode(char *str, int len) + */ + PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length) + { +- register int x, y; ++ register size_t x, y; + unsigned char *str; + + str = (unsigned char *) safe_emalloc(3, len, 1); + diff --git a/bug71860.patch b/bug71860.patch new file mode 100644 index 0000000..010bafa --- /dev/null +++ b/bug71860.patch @@ -0,0 +1,326 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 72281f29dd4691b2f741362d3581162fcf85f502 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 20 Mar 2016 20:54:09 -0700 +Subject: [PATCH] Fix bug #71860: Require valid paths for phar filenames + +--- + ext/phar/phar.c | 4 +++ + ext/phar/phar_object.c | 40 ++++++++++++++-------------- + ext/phar/tests/badparameters.phpt | 18 ++++++------- + ext/phar/tests/bug64931/bug64931.phpt | 5 ++-- + ext/phar/tests/create_path_error.phpt | 3 +-- + ext/phar/tests/phar_extract.phpt | 2 +- + ext/phar/tests/phar_isvalidpharfilename.phpt | 2 +- + ext/phar/tests/phar_unlinkarchive.phpt | 2 +- + ext/phar/tests/pharfileinfo_construct.phpt | 2 +- + 9 files changed, 41 insertions(+), 37 deletions(-) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 4b9a493..17b0aff 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -2262,6 +2262,10 @@ int phar_split_fname(char *filename, int filename_len, char **arch, int *arch_le + #endif + int ext_len, free_filename = 0; + ++ if (CHECK_NULL_PATH(filename, filename_len)) { ++ return FAILURE; ++ } ++ + if (!strncasecmp(filename, "phar://", 7)) { + filename += 7; + filename_len -= 7; +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index e21a982..83ccab4 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -478,7 +478,7 @@ PHP_METHOD(Phar, mount) + int fname_len, arch_len, entry_len, path_len, actual_len; + phar_archive_data **pphar; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &actual, &actual_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &path, &path_len, &actual, &actual_len) == FAILURE) { + return; + } + +@@ -973,7 +973,7 @@ PHP_METHOD(Phar, createDefaultStub) + int index_len = 0, webindex_len = 0; + size_t stub_len; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|ss", &index, &index_len, &webindex, &webindex_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|pp", &index, &index_len, &webindex, &webindex_len) == FAILURE) { + return; + } + +@@ -1017,7 +1017,7 @@ PHP_METHOD(Phar, loadPhar) + char *fname, *alias = NULL, *error; + int fname_len, alias_len = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) { + return; + } + +@@ -1096,7 +1096,7 @@ PHP_METHOD(Phar, isValidPharFilename) + int fname_len, ext_len, is_executable; + zend_bool executable = 1; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &fname, &fname_len, &executable) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|b", &fname, &fname_len, &executable) == FAILURE) { + return; + } + +@@ -1171,11 +1171,11 @@ PHP_METHOD(Phar, __construct) + is_data = instanceof_function(Z_OBJCE_P(zobj), phar_ce_data TSRMLS_CC); + + if (is_data) { +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) { + return; + } + } else { +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) { + return; + } + } +@@ -1343,7 +1343,7 @@ PHP_METHOD(Phar, unlinkArchive) + int fname_len, zname_len, arch_len, entry_len; + phar_archive_data *phar; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + RETURN_FALSE; + } + +@@ -1824,7 +1824,7 @@ PHP_METHOD(Phar, buildFromDirectory) + return; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &dir, &dir_len, ®ex, ®ex_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s", &dir, &dir_len, ®ex, ®ex_len) == FAILURE) { + RETURN_FALSE; + } + +@@ -2707,7 +2707,7 @@ PHP_METHOD(Phar, delete) + return; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + RETURN_FALSE; + } + +@@ -3519,7 +3519,7 @@ PHP_METHOD(Phar, copy) + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) { + return; + } + +@@ -3629,7 +3629,7 @@ PHP_METHOD(Phar, offsetExists) + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +@@ -3666,7 +3666,7 @@ PHP_METHOD(Phar, offsetGet) + phar_entry_info *entry; + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +@@ -3814,8 +3814,8 @@ PHP_METHOD(Phar, offsetSet) + return; + } + +- if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "sr", &fname, &fname_len, &zresource) == FAILURE +- && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) { ++ if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "pr", &fname, &fname_len, &zresource) == FAILURE ++ && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) { + return; + } + +@@ -3853,7 +3853,7 @@ PHP_METHOD(Phar, offsetUnset) + return; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +@@ -3900,7 +3900,7 @@ PHP_METHOD(Phar, addEmptyDir) + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &dirname, &dirname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &dirname, &dirname_len) == FAILURE) { + return; + } + +@@ -3925,7 +3925,7 @@ PHP_METHOD(Phar, addFile) + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) { + return; + } + +@@ -3969,7 +3969,7 @@ PHP_METHOD(Phar, addFromString) + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) { + return; + } + +@@ -4396,7 +4396,7 @@ PHP_METHOD(Phar, extractTo) + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) { + return; + } + +@@ -4545,7 +4545,7 @@ PHP_METHOD(PharFileInfo, __construct) + phar_archive_data *phar_data; + zval *zobj = getThis(), arg1; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +diff --git a/ext/phar/tests/badparameters.phpt b/ext/phar/tests/badparameters.phpt +index 3179697..c33426e 100644 +--- a/ext/phar/tests/badparameters.phpt ++++ b/ext/phar/tests/badparameters.phpt +@@ -126,19 +126,19 @@ echo $e->getMessage() . "\n"; + --EXPECTF-- + Warning: Phar::mungServer() expects parameter 1 to be array, %string given in %sbadparameters.php on line %d + +-Warning: Phar::createDefaultStub() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::createDefaultStub() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + +-Warning: Phar::loadPhar() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::loadPhar() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::canCompress() expects parameter 1 to be long, %string given in %sbadparameters.php on line %d + +-Warning: Phar::__construct() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::__construct() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::convertToExecutable() expects parameter 1 to be long, array given in %sbadparameters.php on line %d + + Warning: Phar::convertToData() expects parameter 1 to be long, array given in %sbadparameters.php on line %d + +-Warning: PharData::delete() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: PharData::delete() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + Cannot write out phar archive, phar is read-only + Entry oops does not exist and cannot be deleted + %sfiles/frontcontroller10.phar +@@ -165,18 +165,18 @@ Phar is readonly, cannot change compression + Warning: Phar::copy() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d + Cannot copy "a" to "b", phar is read-only + +-Warning: Phar::offsetExists() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::offsetExists() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + +-Warning: Phar::offsetGet() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::offsetGet() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::offsetSet() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d + +-Warning: PharData::offsetUnset() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: PharData::offsetUnset() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + Write operations disabled by the php.ini setting phar.readonly + +-Warning: Phar::addEmptyDir() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::addEmptyDir() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + +-Warning: Phar::addFile() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::addFile() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::addFromString() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d + Write operations disabled by the php.ini setting phar.readonly +diff --git a/ext/phar/tests/create_path_error.phpt b/ext/phar/tests/create_path_error.phpt +index 886ba81..d457deb2 100644 +--- a/ext/phar/tests/create_path_error.phpt ++++ b/ext/phar/tests/create_path_error.phpt +@@ -80,6 +80,5 @@ string(5) "query" + 11:Error: file_put_contents(phar:///%s): failed to open stream: phar error: invalid path "%s" contains illegal character + 12:Error: file_put_contents(phar:///%s): failed to open stream: phar error: invalid path "%s" contains illegal character + 13:Error: file_put_contents(phar:///%s): failed to open stream: phar error: invalid path "%s" contains illegal character +-Exception: Entry a does not exist and cannot be created: phar error: invalid path "a" contains illegal character +-===DONE=== ++Error: Phar::offsetSet() expects parameter 1 to be a valid path, string given===DONE=== + +diff --git a/ext/phar/tests/phar_extract.phpt b/ext/phar/tests/phar_extract.phpt +index 01d65f9..2ff4a78 100644 +--- a/ext/phar/tests/phar_extract.phpt ++++ b/ext/phar/tests/phar_extract.phpt +@@ -138,7 +138,7 @@ string(3) "hi2" + bool(false) + Invalid argument, expected a filename (string) or array of filenames + +-Warning: Phar::extractTo() expects parameter 1 to be %string, array given in %sphar_extract.php on line %d ++Warning: Phar::extractTo() expects parameter 1 to be a valid path, array given in %sphar_extract.php on line %d + Invalid argument, extraction path must be non-zero length + Unable to use path "%soops" for extraction, it is a file, must be a directory + Invalid argument, array of filenames to extract contains non-string value +diff --git a/ext/phar/tests/phar_isvalidpharfilename.phpt b/ext/phar/tests/phar_isvalidpharfilename.phpt +index dee9b7d..da07bec 100644 +--- a/ext/phar/tests/phar_isvalidpharfilename.phpt ++++ b/ext/phar/tests/phar_isvalidpharfilename.phpt +@@ -76,7 +76,7 @@ var_dump(Phar::isValidPharFilename('dir.phar.php', false)); + " + phar archive "%sphar_unlinkarchive.phar" has open file handles or objects. fclose() all file handles, and unset() all objects prior to calling unlinkArchive() +diff --git a/ext/phar/tests/pharfileinfo_construct.phpt b/ext/phar/tests/pharfileinfo_construct.phpt +index 2610095..6a41a52 100644 +--- a/ext/phar/tests/pharfileinfo_construct.phpt ++++ b/ext/phar/tests/pharfileinfo_construct.phpt +@@ -47,7 +47,7 @@ echo $e->getMessage() . "\n"; + --EXPECTF-- + Cannot open phar file 'phar://%spharfileinfo_construct.phar/oops': internal corruption of phar "%spharfileinfo_construct.phar" (truncated entry) + +-Warning: PharFileInfo::__construct() expects parameter 1 to be %string, array given in %spharfileinfo_construct.php on line %d ++Warning: PharFileInfo::__construct() expects parameter 1 to be a valid path, array given in %spharfileinfo_construct.php on line %d + Cannot access phar file entry '/oops/I/do/not/exist' in archive '%spharfileinfo_construct.phar' + Cannot call constructor twice + '%spharfileinfo_construct.php' is not a valid phar archive URL (must have at least phar://filename.phar) +-- +2.1.4 + diff --git a/bug71906.patch b/bug71906.patch new file mode 100644 index 0000000..6a29692 --- /dev/null +++ b/bug71906.patch @@ -0,0 +1,55 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From f8dd10508bd66b6eefb18d319577b443fb1e0c55 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 28 Mar 2016 01:22:37 -0700 +Subject: [PATCH] Fixed bug #71906: AddressSanitizer: negative-size-param (-1) + in mbfl_strcut + +--- + ext/mbstring/libmbfl/mbfl/mbfilter.c | 34 +++++++++++++++++----------------- + main/php_version.h | 6 +++--- + 2 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c +index 3b14727..4986472 100644 +--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c ++++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c +@@ -1501,7 +1501,7 @@ mbfl_strcut( + if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) { + from &= -2; + +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + +@@ -1510,14 +1510,14 @@ mbfl_strcut( + } else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) { + from &= -4; + +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + + start = string->val + from; + end = start + (length & -4); + } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) { +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + +@@ -1539,7 +1539,7 @@ mbfl_strcut( + start = p; + + /* search end position */ +- if ((start - string->val) + length >= (int)string->len) { ++ if (length >= (int)string->len - (start - string->val)) { + end = string->val + string->len; + } else { + for (q = p + length; p < q; p += (m = mbtab[*p])); +-- +2.1.4 + diff --git a/php.spec b/php.spec index dc52138..9fc872c 100644 --- a/php.spec +++ b/php.spec @@ -197,6 +197,9 @@ Patch214: bug71498.patch Patch215: bug71587.patch Patch216: bug71860.patch Patch217: bug71906.patch +Patch218: bug71798.patch +Patch219: bug71704.patch +Patch220: bug71527.patch # Fixes for tests (300+) # Backported from 5.5 @@ -852,6 +855,9 @@ support for using the enchant library to PHP. %patch215 -p1 -b .bug71587 %patch216 -p1 -b .bug71860 %patch217 -p1 -b .bug71906 +%patch218 -p1 -b .bug71798 +%patch219 -p1 -b .bug71704 +%patch220 -p1 -b .bug71527 # Fixes for tests %patch300 -p1 -b .datetests1 @@ -1678,6 +1684,9 @@ EOF * Tue Mar 29 2016 Remi Collet 5.4.45-7 - Fix #71860: Require valid paths for phar filenames - Fix #71906: AddressSanitizer: negative-size-param in mbfl_strcut +- Fix #71798: Integer Overflow in php_raw_url_encode +- Fix #71704: php_snmp_error() Format String Vulnerability +- Fix #71527: Buffer over-write in finfo_open with malformed magic file * Thu Mar 10 2016 Remi Collet 5.4.45-6 - adapt for F24: define %%pecl_xmldir and own it -- cgit