From 52386b6e0fcffedfeb59435fee398e30dd859fcf Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 19 Sep 2016 15:47:58 +0200
Subject: PHP 5.4.45 with "some" backports from 5.6.26
---
 bug72627.patch | 34 ++++++++++++++++++++++
 bug72926.patch | 29 ++++++++++++++++++
 bug72928.patch | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 bug73035.patch | 32 ++++++++++++++++++++
 failed.txt | 9 ++----
 php.spec | 28 ++++++++++++++----
 6 files changed, 213 insertions(+), 11 deletions(-)
 create mode 100644 bug72627.patch
 create mode 100644 bug72926.patch
 create mode 100644 bug72928.patch
 create mode 100644 bug73035.patch
diff --git a/bug72627.patch b/bug72627.patch
new file mode 100644
index 0000000..410e40e
--- /dev/null
+++ b/bug72627.patch
@@ -0,0 +1,34 @@
+Backported from 5.6.25 by Remi.
+Binary patch dropped
+
+From 32a629ef2cff754c3dd6cc24eb1e25aeaf439891 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 8 Aug 2016 00:49:34 -0700
+Subject: [PATCH] Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
+
+---
+ ext/exif/exif.c | 5 ++-
+ ext/exif/tests/bug72627.phpt | 71 +++++++++++++++++++++++++++++++++++++++++++
+ ext/exif/tests/bug72627.tiff | Bin 0 -> 1250 bytes
+ 3 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug72627.phpt
+ create mode 100644 ext/exif/tests/bug72627.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f95de3a..657a2cc1 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3778,8 +3778,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done");
+ 
diff --git a/bug72926.patch b/bug72926.patch
new file mode 100644
index 0000000..044ed2b
--- /dev/null
+++ b/bug72926.patch
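Review bot: The short-read branch frees and NULLs `ImageInfo->Thumbnail.data` but leaves `ImageInfo->Thumbnail.size` at the value that was just read from the file, so any consumer that keys on the size rather than the pointer (none is visible in this hunk) would treat a NULL buffer as a populated thumbnail; resetting the length alongside the pointer is cheap: `ImageInfo->Thumbnail.size = 0;` right after the `= NULL` line. The backport carries only the exif.c change while the upstream diffstat it reproduces still lists `bug72627.phpt` and `bug72627.tiff`, so nothing in this package exercises the new branch and the header overstates what is applied. exif_process_IFD_in_TIFF begins and ends outside the hunk.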
@@ -0,0 +1,29 @@
+Backported from 5.6.26 by Remi.
+
+
+From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 4 Sep 2016 20:49:34 -0700
+Subject: [PATCH] Same issue as #72926 in another place.
+
+---
+ ext/exif/exif.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 657a2cc1..8b0e34c 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ }
+ }
diff --git a/bug72928.patch b/bug72928.patch
new file mode 100644
index 0000000..67701a6
--- /dev/null
+++ b/bug72928.patch
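Review bot: This is the second verbatim copy of the free/NULL/else-build sequence inside exif_process_IFD_in_TIFF (the first is the #72627 change at the 3778 hunk), and this follow-up exists precisely because the two sites had to be patched one at a time; a small `static` helper taking `image_info_type *ImageInfo TSRMLS_DC` that performs the `php_stream_read`, the size check and the discard-or-`exif_thumbnail_build` step would make the next thumbnail fix a one-place change, provided what the two call sites do before the read (not visible here) allows it. The inner `index 657a2cc1..8b0e34c` line is based on the tree after bug72627.patch, so `%patch258` must stay ordered after `%patch257`, which the spec does today. The enclosing function starts and ends outside the hunk.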
@@ -0,0 +1,92 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 4 Sep 2016 22:07:35 -0700
+Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip
+ phar in phar_parse_zipfile
+
+---
+ ext/phar/tests/bug72928.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug72928.zip | Bin 0 -> 140 bytes
+ ext/phar/util.c | 28 ++++++++++++++++++++++++++++
+ ext/phar/zip.c | 2 +-
+ 4 files changed, 47 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug72928.phpt
+ create mode 100644 ext/phar/tests/bug72928.zip
+
+diff --git a/ext/phar/util.c b/ext/phar/util.c
+index 4bbd867..828be8f 100644
+--- a/ext/phar/util.c
++++ b/ext/phar/util.c
+@@ -1928,6 +1928,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[64];
+ PHP_SHA512_CTX context;
+ 
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA512Init(&context);
+ read_len = end_of_phar;
+ 
+@@ -1961,6 +1968,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[32];
+ PHP_SHA256_CTX context;
+ 
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA256Init(&context);
+ read_len = end_of_phar;
+ 
+@@ -2002,6 +2016,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[20];
+ PHP_SHA1_CTX context;
+ 
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA1Init(&context);
+ read_len = end_of_phar;
+ 
+@@ -2035,6 +2056,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[16];
+ PHP_MD5_CTX context;
+ 
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_MD5Init(&context);
+ read_len = end_of_phar;
+ 
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index bf895e7..ed156a2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
+ sig = (char *) emalloc(entry.uncompressed_filesize);
+ read = php_stream_read(fp, sig, entry.uncompressed_filesize);
+- if (read != entry.uncompressed_filesize) {
++ if (read != entry.uncompressed_filesize || read <= 8) {
+ php_stream_close(sigfile);
+ efree(sig);
+ PHAR_ZIP_FAIL("signature cannot be read");
diff --git a/bug73035.patch b/bug73035.patch
new file mode 100644
index 0000000..231fd99
--- /dev/null
+++ b/bug73035.patch
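Review bot: The new `sig_len < sizeof(digest)` guards in phar_verify_signature reject a too-short signature but still accept one longer than the digest; if the comparison that follows (outside the hunk) only examines the first `sizeof(digest)` bytes, a signature carrying arbitrary trailing bytes still verifies, and for a fixed-width hash the strict form `if (sig_len != sizeof(digest)) {` is the right check unless some producer is known to pad. The four copies of the guard differ only in the digest array; a small `static` helper or macro taking the expected length would keep them from drifting the way the two exif sites did. In zip.c the literal `8` in `read <= 8` is the size of whatever trails the signature bytes in the entry (presumably the 4-byte signature type plus the 4-byte `GBMB` magic); a one-line comment or a named constant would make that guard self-explanatory. Both phar_verify_signature and phar_parse_zipfile begin and end outside the hunk.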
@@ -0,0 +1,32 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 11 Sep 2016 21:37:44 -0700
+Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar
+ phar in phar_parse_tarfile)
+
+---
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug73035.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug73035.tar | Bin 0 -> 10240 bytes
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug73035.phpt
+ create mode 100644 ext/phar/tests/bug73035.tar
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 62edcb5..898ff85 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -277,7 +277,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
+ }
+ curloc = php_stream_tell(fp);
+ read = php_stream_read(fp, buf, size);
+- if (read != size) {
++ if (read != size || read <= 8) {
+ if (error) {
+ spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname);
+ }
+ 
diff --git a/failed.txt b/failed.txt
index 755fc21..21a897e 100644
--- a/failed.txt
+++ b/failed.txt
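Review bot: The tar path now folds two different failures into one I/O-sounding message: `read != size` is a genuinely truncated read, while `read <= 8` is a fully-read entry that is simply too small to hold a signature plus its trailer, and reporting the latter as "signature cannot be read" will send whoever is triaging a crafted or corrupt phar in the wrong direction. A distinct message for the short case, e.g. `"phar error: tar-based phar \"%s\" signature is too short"`, costs one extra branch and matches what the check actually detects. The backport again carries only the tar.c hunk while its diffstat lists `bug73035.phpt`/`bug73035.tar`, so the new condition is untested in this build. phar_parse_tarfile begins and ends outside the hunk.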
@@ -1,21 +1,18 @@
-===== 5.5.45-11 (2016-07-22)
+===== 5.5.45-12 (2016-09-19)
 $ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log
 /var/lib/mock/scl54el6x/build.log:Tests failed : 1
 /var/lib/mock/scl54el7x/build.log:Tests failed : 0
-/var/lib/mock/scl54fc21x/build.log:Tests failed : 1
 /var/lib/mock/scl54fc22x/build.log:Tests failed : 1
 /var/lib/mock/scl54fc23x/build.log:Tests failed : 3
-/var/lib/mock/scl54fc24x/build.log:Tests failed : 4
+/var/lib/mock/scl54fc24x/build.log:Tests failed : 3
 /var/lib/mock/scl54fc25x/build.log:Tests failed : 3
 f23, f24
 Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
 Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
-f24
- file_get_contents() test using offset parameter out of range [ext/standard/tests/file/file_get_contents_error001.phpt]
-f21, f22, f23, f24
+f22, f23, f24
 Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt]
 el6
 Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
diff --git a/php.spec b/php.spec
index f6060b0..37b9d4f 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@ Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.4.45
-Release: 11%{?dist}.1
+Release: 12%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -237,6 +237,10 @@ Patch253: bug72613.patch
 Patch254: bug72618.patch
 Patch255: bug72519.patch
 Patch256: bug72735.patch
+Patch257: bug72627.patch
+Patch258: bug72926.patch
+Patch259: bug73035.patch
+Patch260: bug72928.patch
 # Fixes for tests (300+)
 # Backported from 5.5
@@ -931,6 +935,10 @@ support for using the enchant library to PHP.
 %patch254 -p1 -b .bug72618
 %patch255 -p1 -b .bug72519
 %patch256 -p1 -b .bug72735
+%patch257 -p1 -b .bug72627
+%patch258 -p1 -b .bug72926
+%patch259 -p1 -b .bug73035
+%patch260 -p1 -b .bug72928
 : ------------------------
 #exit 1
@@ -1593,11 +1601,14 @@ fi
 %posttrans common
 cat << EOF
+=====================================================================
-WARNING : PHP 5.4 have reached its "End of Life".
-Even, if this package includes some security fix, backported from 5.5,
-The upgrade to a maintained version is very strongly recommended.
+ WARNING : PHP 5.4 have reached its "End of Life" in September 2015.
+ Even, if this package includes some of the important security fix,
+ backported from 5.5 or 5.6,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
+=====================================================================
 EOF
@@ -1761,7 +1772,14 @@ EOF
 %changelog
-* Fri Aug 5 2016 Remi Collet 5.4.45-11.1
+* Mon Sep 19 2016 Remi Collet 5.4.45-12
+- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
+ CVE-2016-7128
+- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage
+ in exif_process_IFD_in_TIFF
+- fix #73035: Out of bound when verify signature of tar phar
+- fix #72928: Out of bound when verify signature of zip phar
+ CVE-2016-7414
 - fix #72735 regression in exif maker note parser
 * Fri Jul 22 2016 Remi Collet 5.4.45-11
-- cgit
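Review bot: The enlarged %posttrans banner is user-facing text and carries several grammar slips ("PHP 5.4 have reached", "Even, if", "some of the important security fix"); suggested replacement for the three text lines: ` WARNING : PHP 5.4 reached its "End of Life" in September 2015.` / ` Even though this package includes some important security fixes` / ` backported from 5.5 or 5.6, upgrading to a maintained version is very strongly RECOMMENDED.` The heredoc delimiter is unquoted (`cat << EOF`), so `$`, backticks and backslashes in the banner are shell-expanded at install time; nothing in the current text triggers that, but `cat << 'EOF'` would keep future edits to the banner from being interpreted. The rest of the scriptlet is not visible in the hunk.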