From c3b8116310d709f282bae9f56602b3a868d3bc64 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 2 Mar 2016 16:38:54 +0100 Subject: PHP 5.4.45 with security patches from 5.5.33 --- bug71498.patch | 31 +++++++++++++++ bug71587.patch | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ failed.txt | 2 +- php.spec | 10 ++++- 4 files changed, 158 insertions(+), 2 deletions(-) create mode 100644 bug71498.patch create mode 100644 bug71587.patch diff --git a/bug71498.patch b/bug71498.patch new file mode 100644 index 0000000..d4977e7 --- /dev/null +++ b/bug71498.patch @@ -0,0 +1,31 @@ +Backported from 5.5 for 5.4 by Remi Collet +binary patch dropped + +From a6fdc5bb27b20d889de0cd29318b3968aabb57bd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 21 Feb 2016 16:51:05 -0800 +Subject: [PATCH] Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile() + +--- + ext/phar/tests/bug71488.phpt | 1 + + ext/phar/tests/bug71498.phpt | 17 +++++++++++++++++ + ext/phar/tests/bug71498.zip | Bin 0 -> 65677 bytes + ext/phar/zip.c | 6 +++--- + 4 files changed, 21 insertions(+), 3 deletions(-) + create mode 100644 ext/phar/tests/bug71498.phpt + create mode 100644 ext/phar/tests/bug71498.zip + +diff --git a/ext/phar/zip.c b/ext/phar/zip.c +index e4883d3..7f294c2 100644 +--- a/ext/phar/zip.c ++++ b/ext/phar/zip.c +@@ -199,7 +199,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, + } + + while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) { +- if (!memcmp(p + 1, "K\5\6", 3)) { ++ if ((p - buf) + sizeof(locator) <= size && !memcmp(p + 1, "K\5\6", 3)) { + memcpy((void *)&locator, (void *) p, sizeof(locator)); + if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) { + /* split archives not handled */ + diff --git a/bug71587.patch b/bug71587.patch new file mode 100644 index 0000000..cd1c16b --- /dev/null +++ b/bug71587.patch @@ -0,0 +1,117 @@ +Backported from 5.5 for 5.4 by Remi Collet +Backported from 5.5 for 5.4 by Remi Collet + +From b1bd4119bcafab6f9a8f84d92cd65eec3afeface Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 14 Feb 2016 22:34:39 -0800 +Subject: [PATCH] Fixed bug #71587 - Use-After-Free / Double-Free in WDDX + Deserialize + +--- + ext/wddx/tests/bug71587.phpt | 43 +++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 19 +++++++++++++++---- + 2 files changed, 58 insertions(+), 4 deletions(-) + create mode 100644 ext/wddx/tests/bug71587.phpt + +diff --git a/ext/wddx/tests/bug71587.phpt b/ext/wddx/tests/bug71587.phpt +new file mode 100644 +index 0000000..3fdfc35 +--- /dev/null ++++ b/ext/wddx/tests/bug71587.phpt +@@ -0,0 +1,43 @@ ++--TEST-- ++Bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize) ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ manhluat ++ ++ ++ ++ ++ ++EOF; ++ ++$wddx = wddx_deserialize($xml); ++var_dump($wddx); ++// Print mem leak ++foreach($wddx as $k=>$v) ++ printf("Key: %s\nValue: %s\n",bin2hex($k),bin2hex($v)); ++ ++?> ++DONE ++--EXPECTF-- ++array(2) { ++ [0]=> ++ string(8) "manhluat" ++ [1]=> ++ bool(true) ++} ++Key: 30 ++Value: 6d616e686c756174 ++Key: 31 ++Value: 31 ++DONE +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 7267ee1..da34246 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -936,6 +936,16 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + !strcmp(name, EL_DATETIME)) { + wddx_stack_top(stack, (void**)&ent1); + ++ if (!ent1->data) { ++ if (stack->top > 1) { ++ stack->top--; ++ } else { ++ stack->done = 1; ++ } ++ efree(ent1); ++ return; ++ } ++ + if (!strcmp(name, EL_BINARY)) { + int new_len=0; + unsigned char *new_str; +@@ -1032,6 +1042,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + } + } else if (!strcmp(name, EL_VAR) && stack->varname) { + efree(stack->varname); ++ stack->varname = NULL; + } else if (!strcmp(name, EL_FIELD)) { + st_entry *ent; + wddx_stack_top(stack, (void **)&ent); +@@ -1051,7 +1062,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + + if (!wddx_stack_is_empty(stack) && !stack->done) { + wddx_stack_top(stack, (void**)&ent); +- switch (Z_TYPE_P(ent)) { ++ switch (ent->type) { + case ST_STRING: + if (Z_STRLEN_P(ent->data) == 0) { + STR_FREE(Z_STRVAL_P(ent->data)); +@@ -1090,11 +1101,11 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + } else if (!strcmp(s, "false")) { + Z_LVAL_P(ent->data) = 0; + } else { +- stack->top--; + zval_ptr_dtor(&ent->data); +- if (ent->varname) ++ if (ent->varname) { + efree(ent->varname); +- efree(ent); ++ } ++ ent->data = NULL; + } + break; + diff --git a/failed.txt b/failed.txt index 5e03425..124e172 100644 --- a/failed.txt +++ b/failed.txt @@ -1,4 +1,4 @@ -===== 5.5.45-4 (2016-02-16) +===== 5.5.45-5 (2016-03-02) $ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log diff --git a/php.spec b/php.spec index f461b9f..394cdc7 100644 --- a/php.spec +++ b/php.spec @@ -119,7 +119,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.4.45 -Release: 4%{?dist} +Release: 5%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -193,6 +193,8 @@ Patch210: bug71459.patch Patch211: bug71039.patch Patch212: bug71488.patch Patch213: pcre838.patch +Patch214: bug71498.patch +Patch215: bug71587.patch # Fixes for tests (300+) # Backported from 5.5 @@ -844,6 +846,8 @@ support for using the enchant library to PHP. %patch211 -p1 -b .bug71039 %patch212 -p1 -b .bug71488 %patch213 -p1 -b .pcre838 +%patch214 -p1 -b .bug71498 +%patch215 -p1 -b .bug71587 # Fixes for tests %patch300 -p1 -b .datetests1 @@ -1658,6 +1662,10 @@ EOF %changelog +* Wed Mar 2 2016 Remi Collet 5.4.45-5 +- Fix #71498: Out-of-Bound Read in phar_parse_zipfile() +- Fix #71587: Use-After-Free / Double-Free in WDDX Deserialize + * Tue Feb 16 2016 Remi Collet 5.4.45-4 - Fix #71354: phar, remove UMR when size is 0 - Fix #71335: type confusion in WDDX packet deserialization -- cgit