From d2460ef96b6c333aa8d0a11150e8be3323ac9c3e Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Sat, 18 Feb 2017 16:14:07 +0100
Subject: PHP 5.4.45-13 (security fix from 5.6.30)

---
 bug73737.patch | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 bug73764.patch | 42 +++++++++++++++++
 bug73768.patch | 41 +++++++++++++++++
 bug73773.patch | 37 +++++++++++++++
 failed.txt | 27 ++++++-----
 php.spec | 22 ++++++++-
 6 files changed, 298 insertions(+), 12 deletions(-)
 create mode 100644 bug73737.patch
 create mode 100644 bug73764.patch
 create mode 100644 bug73768.patch
 create mode 100644 bug73773.patch

diff --git a/bug73737.patch b/bug73737.patch
new file mode 100644
index 0000000..45700c9
--- /dev/null
+++ b/bug73737.patch
@@ -0,0 +1,141 @@ +Backported from 5.6.30 by Remi. +Binary parts dropped + + +From 1cda0d7c2ffb62d8331c64e703131d9cabdc03ea Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 31 Dec 2016 19:31:49 -0800 +Subject: [PATCH] Fix bug #73737 FPE when parsing a tag format + +--- + ext/exif/exif.c | 2 +- + ext/exif/tests/bug73737.phpt | 12 ++++++++++++ + ext/exif/tests/bug73737.tiff | Bin 0 -> 48 bytes + 3 files changed, 13 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug73737.phpt + create mode 100644 ext/exif/tests/bug73737.tiff + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 8b0e34c..83daee6 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1313,7 +1313,7 @@ static size_t exif_convert_any_to_int(void *value, int format, int motorola_inte + if (s_den == 0) { + return 0; + } else { +- return php_ifd_get32s(value, motorola_intel) / s_den; ++ return (size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den); + } + + case TAG_FMT_SSHORT: return php_ifd_get16u(value, motorola_intel); + +-- +2.1.4 + +From 900b17b15fd5d29b6575b175b2b120ffab3adc96 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Jan 2017 11:37:06 +0100 +Subject: [PATCH] Fix printf modifier + +--- + ext/exif/exif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 83daee6..3663b3f 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2865,7 +2865,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha + } + + if (components < 0) { +- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components); ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%d)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components); + return FALSE; + } 
+ +-- +2.1.4 + +From 0ab1af7d3eff815e1809fe044e54283b5a1b8e27 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Jan 2017 17:31:08 -0800 +Subject: [PATCH] Update more functions with path check + +--- + ext/curl/curl_file.c | 2 +- + ext/exif/exif.c | 2 +- + ext/zip/php_zip.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 3663b3f..1c8772f 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -4220,7 +4220,7 @@ PHP_FUNCTION(exif_imagetype) + php_stream * stream; + int itype = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &imagefile, &imagefile_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &imagefile, &imagefile_len) == FAILURE) { + return; + } + + +-- +2.1.4 + +From 814966ad33f9a734e422e34327256d58a91d1272 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Jan 2017 18:42:22 -0800 +Subject: [PATCH] Fix test + +--- + ext/exif/tests/exif_imagetype_variation1.phpt | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ext/exif/tests/exif_imagetype_variation1.phpt b/ext/exif/tests/exif_imagetype_variation1.phpt +index 767ed5f..d33217c 100644 +--- a/ext/exif/tests/exif_imagetype_variation1.phpt ++++ b/ext/exif/tests/exif_imagetype_variation1.phpt +@@ -142,23 +142,23 @@ Warning: exif_imagetype(0.5): failed to open stream: No such file or directory i + bool(false) + -- Iteration 10 -- + +-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d ++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + -- Iteration 11 -- + +-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d ++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + -- Iteration 12 -- + +-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on 
line %d ++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + -- Iteration 13 -- + +-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d ++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + -- Iteration 14 -- + +-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d ++Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d + NULL + -- Iteration 15 -- + +@@ -198,7 +198,7 @@ Warning: exif_imagetype(obj'ct): failed to open stream: No such file or director + bool(false) + -- Iteration 24 -- + +-Warning: exif_imagetype() expects parameter 1 to be string, resource given in %s on line %d ++Warning: exif_imagetype() expects parameter 1 to be a valid path, resource given in %s on line %d + NULL + -- Iteration 25 -- + +-- +2.1.4 + diff --git a/bug73764.patch b/bug73764.patch new file mode 100644 index 0000000..43dafef --- /dev/null +++ b/bug73764.patch 
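Review bot: In the TAG_FMT_SRATIONAL change, `(size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den)` still converts a negative quotient (both operands are signed) to `size_t`, which C11 6.3.1.4 leaves undefined when the double's integral part is outside the unsigned range; the `double` division only removes the `INT_MIN / -1` trap. If a non-negative count is what callers expect, clamp before the cast, e.g. `double q = (double)php_ifd_get32s(value, motorola_intel) / s_den; return q < 0 ? 0 : (size_t)q;` — exif_convert_any_to_int begins and ends outside the hunk, so its other signed cases deserve the same look. Separately, the "Update more functions with path check" sub-patch lists ext/curl/curl_file.c and ext/zip/php_zip.c in its diffstat but only the exif.c hunk is carried here; if those two `"s"`→`"p"` changes were dropped deliberately, the `Backported from 5.6.30 by Remi.` header should say so, otherwise the embedded-NUL path rejection is still missing for those entry points in 5.4.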
@@ -0,0 +1,42 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From ca46d0acbce55019b970fcd4c1e8a10edfdded93 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Fri, 30 Dec 2016 15:34:46 -0800
+Subject: [PATCH] Fix int overflows in phar (bug #73764)
+
+---
+ ext/phar/phar.c | 4 ++--
+ ext/phar/tests/bug73764.phar | Bin 0 -> 138 bytes
+ ext/phar/tests/bug73764.phpt | 16 ++++++++++++++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug73764.phar
+ create mode 100644 ext/phar/tests/bug73764.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 14b80e1..532b4c3 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1056,7 +1056,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.is_persistent = mydata->is_persistent;
+
+ for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
+- if (buffer + 4 > endbuffer) {
++ if (buffer + 24 > endbuffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
+ }
+
+@@ -1070,7 +1070,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (entry.filename_len + 20 > endbuffer - buffer) {
++ if (entry.filename_len > endbuffer - buffer - 20) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+--
+2.1.4
+
diff --git a/bug73768.patch b/bug73768.patch
new file mode 100644
index 0000000..0244070
--- /dev/null
+++ b/bug73768.patch
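Review bot: `buffer + 24 > endbuffer` forms a pointer up to 24 bytes past the manifest before comparing it, which is undefined once `buffer` is within 24 bytes of the end of the buffer; the same guard written on lengths, `if (endbuffer - buffer < 24) {`, never leaves the object and reads as the byte count it is. The second check, `entry.filename_len > endbuffer - buffer - 20`, only avoids a negative right-hand side (which would be promoted against an unsigned `filename_len`) because the byte-count guard at the top of the loop ran first — presumably with the 4-byte read of `filename_len` in between, which is not shown — so that ordering dependency deserves a comment such as `/* the byte-count guard at the top of the loop keeps this subtraction non-negative */`. phar_parse_pharfile begins and ends outside the hunk.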
@@ -0,0 +1,41 @@
+Backported from 5.6.30 by Remi.
+Binary parts dropped
+
+
+From b28b8b2fee6dfa6fcd13305c581bb835689ac3be Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Fri, 30 Dec 2016 15:57:24 -0800
+Subject: [PATCH] Fix bug #73768 - Memory corruption when loading hostile phar
+
+---
+ ext/phar/phar.c | 3 +--
+ ext/phar/tests/bug73768.phar | Bin 0 -> 219 bytes
+ ext/phar/tests/bug73768.phpt | 16 ++++++++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug73768.phar
+ create mode 100644 ext/phar/tests/bug73768.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 532b4c3..158f417 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -982,7 +982,6 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ /* if the alias is stored we enforce it (implicit overrides explicit) */
+ if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len)))
+ {
+- buffer[tmp_len] = '\0';
+ php_stream_close(fp);
+
+ if (signature) {
+@@ -990,7 +989,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ }
+
+ if (error) {
+- spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias);
++ spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias);
+ }
+
+ efree(savebuf);
+--
+2.1.4
+
diff --git a/bug73773.patch b/bug73773.patch
new file mode 100644
index 0000000..98c4dc6
--- /dev/null
+++ b/bug73773.patch
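Review bot: The `*` precision of `%.*s` is read as an `int`, but `tmp_len` is passed unconverted in the new spprintf call; its declaration is outside the hunk, and if it is an unsigned 32-bit or `size_t` value this is a va_arg type mismatch, and any value above INT_MAX becomes a negative precision, which printf treats as "no limit" and so reintroduces the over-read the removed NUL write was papering over. Pass `(int)tmp_len`, matching the `(int)tmp_len` cast the comparison two lines above already uses, and ideally confirm that an earlier check bounds `tmp_len` by `endbuffer - buffer` (not visible here). Note also that this error string embeds the attacker-controlled alias bytes from the phar verbatim, so whatever logs or echoes `*error` must treat it as untrusted. phar_parse_pharfile begins and ends outside the hunk.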
@@ -0,0 +1,37 @@
+Backported from 5.6.30 by Remi.
+
+
+From e5246580a85f031e1a3b8064edbaa55c1643a451 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sat, 31 Dec 2016 18:47:50 -0800
+Subject: [PATCH] Fix bug #73773 - Seg fault when loading hostile phar
+
+---
+ ext/phar/phar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 158f417..780be43 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.is_persistent = mydata->is_persistent;
+
+ for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
+- if (buffer + 24 > endbuffer) {
++ if (buffer + 28 > endbuffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
+ }
+
+@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (entry.filename_len > endbuffer - buffer - 20) {
++ if (entry.filename_len > endbuffer - buffer - 24) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+--
+2.1.4
+
diff --git a/failed.txt b/failed.txt
index 21a897e..5003835 100644
--- a/failed.txt
+++ b/failed.txt
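Review bot: The bounds `28` and `24` are bare magic numbers, and this is already the second time they have been corrected in one release (this patch supersedes the 24/20 of bug73764), which is exactly the pattern a named constant prevents. My reading is that 28 is the fixed-size part of a manifest entry (seven 4-byte fields) and 24 is what remains once the 4-byte filename length has been consumed, but the field reads are outside the hunk, so confirm that before naming it; something like `#define PHAR_ENTRY_FIXED_LEN 28 /* filename_len + 6 further 4-byte fields */` with `if (endbuffer - buffer < PHAR_ENTRY_FIXED_LEN) {` and `if (entry.filename_len > endbuffer - buffer - (PHAR_ENTRY_FIXED_LEN - 4)) {` ties the two checks to each other. phar_parse_pharfile begins and ends outside the hunk.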
@@ -1,21 +1,26 @@ -===== 5.5.45-12 (2016-09-19) +===== 5.5.45-13 (2017-02-18) $ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log -/var/lib/mock/scl54el6x/build.log:Tests failed : 1 -/var/lib/mock/scl54el7x/build.log:Tests failed : 0 +/var/lib/mock/scl54el6x/build.log:Tests failed : 4 +/var/lib/mock/scl54el7x/build.log:Tests failed : 3 /var/lib/mock/scl54fc22x/build.log:Tests failed : 1 /var/lib/mock/scl54fc23x/build.log:Tests failed : 3 -/var/lib/mock/scl54fc24x/build.log:Tests failed : 3 -/var/lib/mock/scl54fc25x/build.log:Tests failed : 3 +/var/lib/mock/scl54fc24x/build.log:Tests failed : 5 +/var/lib/mock/scl54fc25x/build.log:Tests failed : 5 -f23, f24 + +fc22x, fc23x, fc24x, fc25x + Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt] +fc23x, fc24x, fc25x + Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt] +el6x, el7x, fc23x, fc24x, fc25x Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt] - Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt] -f22, f23, f24 - Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt] -el6 +el6x, el7x, fc24x, fc25x + Bug #20382 [2] (strtotime ("Monday", $date) produces wrong result on DST changeover) [ext/date/tests/bug20382-2.phpt] + Bug #33415 [1] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-1.phpt] +el6x Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt] -* bug33414-1.phpt fails since tzdata-2016e +* "date" test failures are only tzdata related diff --git a/php.spec b/php.spec index 37b9d4f..b32962f 100644 --- a/php.spec +++ b/php.spec 
@@ -119,7 +119,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.4.45 -Release: 12%{?dist} +Release: 13%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -241,6 +241,10 @@ Patch257: bug72627.patch Patch258: bug72926.patch Patch259: bug73035.patch Patch260: bug72928.patch +Patch261: bug73737.patch +Patch262: bug73764.patch +Patch263: bug73768.patch +Patch264: bug73773.patch # Fixes for tests (300+) # Backported from 5.5 @@ -939,6 +943,10 @@ support for using the enchant library to PHP. %patch258 -p1 -b .bug72926 %patch259 -p1 -b .bug73035 %patch260 -p1 -b .bug72928 +%patch261 -p1 -b .bug73737 +%patch262 -p1 -b .bug73764 +%patch263 -p1 -b .bug73768 +%patch264 -p1 -b .bug73773 : ------------------------ #exit 1 @@ -1608,6 +1616,10 @@ cat << EOF backported from 5.5 or 5.6, The UPGRADE to a maintained version is very strongly RECOMMENDED. +%if %{?fedora}%{!?fedora:99} < 24 + WARNING : Fedora %{fedora} is now EOL : + You should consider upgrading to a supported release +%endif ===================================================================== EOF @@ -1772,6 +1784,14 @@ EOF %changelog +* Sat Feb 18 2017 Remi Collet - 5.4.45-13 +- fix #73737: FPE when parsing a tag format + CVE-2016-10158 +- fix #73764: int overflows in phar + CVE-2016-10159 +- fix #73768: Memory corruption when loading hostile phar + CVE-2016-10160 + * Mon Sep 19 2016 Remi Collet 5.4.45-12 - fix #72627: Memory Leakage In exif_process_IFD_in_TIFF CVE-2016-7128 -- cgit
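Review bot: The new %changelog entry lists #73737, #73764 and #73768 but not #73773, even though Patch264 (bug73773.patch) is declared and applied in this same release; add `- fix #73773: Seg fault when loading hostile phar` so the package history matches what is shipped. The three phar patches are a chained series — their embedded `index` lines run 14b80e1→532b4c3→158f417→780be43 — so Patch262, Patch263 and Patch264 only apply in this order, and a comment beside the Patch lines such as `# bug73764 / bug73768 / bug73773 are sequential phar.c deltas, keep this order` would stop a later reshuffle from breaking `%prep`. The `cat << EOF` block that receives the new Fedora-EOL warning starts outside the hunk.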