summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2018-03-01 10:42:24 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 10:42:24 +0100
commit10f4882e2ed191ffac0cc5e243b9ad32478c36c8 (patch)
tree16453d56779010c69011a205a0d8c25240d77df9
parent0e26c7b3a2d48b2fe256b8b7074b02218cfd46c1 (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #75981: stack-buffer-overflow while parsing HTTP response
-rw-r--r--.gitignore9
-rw-r--r--bug73549.patch95
-rw-r--r--bug75981.patch68
-rw-r--r--php-5.5.19-systzdata-v11.patch655
-rw-r--r--php-5.5.25-systzdata-v12.patch4
-rw-r--r--php.spec22
6 files changed, 194 insertions, 659 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6f69818
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.bz2
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/bug73549.patch b/bug73549.patch
new file mode 100644
index 0000000..5c39852
--- /dev/null
+++ b/bug73549.patch
@@ -0,0 +1,95 @@
+From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Nov 2016 13:44:30 +0100
+Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng
+
+If a stream is passed to imagepng() or other image output functions,
+opposed to a filename, we must not close this stream.
+---
+ NEWS | 3 +++
+ ext/gd/gd_ctx.c | 18 +++++++++++++++++-
+ ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+ create mode 100644 ext/gd/tests/bug73549.phpt
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index 34a9a00..acb96e1 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l)
+
+ static void _php_image_stream_ctxfree(struct gdIOCtx *ctx)
+ {
++ if(ctx->data) {
++ ctx->data = NULL;
++ }
++ if(ctx) {
++ efree(ctx);
++ }
++} /* }}} */
++
++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */
++{
+ TSRMLS_FETCH();
+
+ if(ctx->data) {
+@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ gdIOCtx *ctx = NULL;
+ zval *to_zval = NULL;
+ php_stream *stream;
++ int close_stream = 1;
+
+ /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp().
+ * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called
+@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ if (stream == NULL) {
+ RETURN_FALSE;
+ }
++ close_stream = 0;
+ } else if (Z_TYPE_P(to_zval) == IS_STRING) {
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ ctx = emalloc(sizeof(gdIOCtx));
+ ctx->putC = _php_image_stream_putc;
+ ctx->putBuf = _php_image_stream_putbuf;
+- ctx->gd_free = _php_image_stream_ctxfree;
++ if (close_stream) {
++ ctx->gd_free = _php_image_stream_ctxfreeandclose;
++ } else {
++ ctx->gd_free = _php_image_stream_ctxfree;
++ }
+ ctx->data = (void *)stream;
+ }
+
+diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt
+new file mode 100644
+index 0000000..e0cc6cf
+--- /dev/null
++++ b/ext/gd/tests/bug73549.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++Bug #73549 (Use after free when stream is passed to imagepng)
++--SKIPIF--
++<?php
++if (!extension_loaded('gd')) die('skip gd extension not available');
++?>
++--FILE--
++<?php
++$stream = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png', 'w');
++$im = imagecreatetruecolor(8, 8);
++var_dump(imagepng($im, $stream));
++var_dump($stream);
++?>
++===DONE===
++--EXPECTF--
++bool(true)
++resource(%d) of type (stream)
++===DONE===
++--CLEAN--
++<?php
++unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png');
++?>
+--
+2.1.4
+
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+--
+2.1.4
+
diff --git a/php-5.5.19-systzdata-v11.patch b/php-5.5.19-systzdata-v11.patch
deleted file mode 100644
index bfca49b..0000000
--- a/php-5.5.19-systzdata-v11.patch
+++ /dev/null
@@ -1,655 +0,0 @@
-Add support for use of the system timezone database, rather
-than embedding a copy. Discussed upstream but was not desired.
-
-History:
-r11: use canonical names to avoid more case sensitivity issues
- round lat/long from zone.tab towards zero per builtin db
-r10: make timezone case insensitive
-r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold)
-r8: fix compile error without --with-system-tzdata configured
-r7: improve check for valid timezone id to exclude directories
-r6: fix fd leak in r5, fix country code/BC flag use in
- timezone_identifiers_list() using system db,
- fix use of PECL timezonedb to override system db,
-r5: reverts addition of "System/Localtime" fake tzname.
- updated for 5.3.0, parses zone.tab to pick up mapping between
- timezone name, country code and long/lat coords
-r4: added "System/Localtime" tzname which uses /etc/localtime
-r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert)
-r2: add filesystem trawl to set up name alias index
-r1: initial revision
-
-diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c
-index 5d2aec9..671b398 100644
---- a/ext/date/lib/parse_tz.c
-+++ b/ext/date/lib/parse_tz.c
-@@ -20,6 +20,16 @@
-
- #include "timelib.h"
-
-+#ifdef HAVE_SYSTEM_TZDATA
-+#include <sys/mman.h>
-+#include <sys/stat.h>
-+#include <limits.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+
-+#include "php_scandir.h"
-+#endif
-+
- #include <stdio.h>
-
- #ifdef HAVE_LOCALE_H
-@@ -31,7 +41,12 @@
- #else
- #include <strings.h>
- #endif
-+
-+#ifndef HAVE_SYSTEM_TZDATA
- #include "timezonedb.h"
-+#endif
-+
-+#include <ctype.h>
-
- #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__))
- # if defined(__LITTLE_ENDIAN__)
-@@ -51,9 +66,14 @@
-
- static void read_preamble(const unsigned char **tzf, timelib_tzinfo *tz)
- {
-- /* skip ID */
-- *tzf += 4;
--
-+ if (memcmp(tzf, "TZif", 4) == 0) {
-+ *tzf += 20;
-+ return;
-+ }
-+
-+ /* skip ID */
-+ *tzf += 4;
-+
- /* read BC flag */
- tz->bc = (**tzf == '\1');
- *tzf += 1;
-@@ -256,7 +276,418 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz)
- }
- }
-
--static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb)
-+#ifdef HAVE_SYSTEM_TZDATA
-+
-+#ifdef HAVE_SYSTEM_TZDATA_PREFIX
-+#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX
-+#else
-+#define ZONEINFO_PREFIX "/usr/share/zoneinfo"
-+#endif
-+
-+/* System timezone database pointer. */
-+static const timelib_tzdb *timezonedb_system;
-+
-+/* Hash table entry for the cache of the zone.tab mapping table. */
-+struct location_info {
-+ char code[2];
-+ double latitude, longitude;
-+ char name[64];
-+ char *comment;
-+ struct location_info *next;
-+};
-+
-+/* Cache of zone.tab. */
-+static struct location_info **system_location_table;
-+
-+/* Size of the zone.tab hash table; a random-ish prime big enough to
-+ * prevent too many collisions. */
-+#define LOCINFO_HASH_SIZE (1021)
-+
-+/* Compute a case insensitive hash of str */
-+static uint32_t tz_hash(const char *str)
-+{
-+ const unsigned char *p = (const unsigned char *)str;
-+ uint32_t hash = 5381;
-+ int c;
-+
-+ while ((c = tolower(*p++)) != '\0') {
-+ hash = (hash << 5) ^ hash ^ c;
-+ }
-+
-+ return hash % LOCINFO_HASH_SIZE;
-+}
-+
-+/* Parse an ISO-6709 date as used in zone.tab. Returns end of the
-+ * parsed string on success, or NULL on parse error. On success,
-+ * writes the parsed number to *result. */
-+static char *parse_iso6709(char *p, double *result)
-+{
-+ double v, sign;
-+ char *pend;
-+ size_t len;
-+
-+ if (*p == '+')
-+ sign = 1.0;
-+ else if (*p == '-')
-+ sign = -1.0;
-+ else
-+ return NULL;
-+
-+ p++;
-+ for (pend = p; *pend >= '0' && *pend <= '9'; pend++)
-+ ;;
-+
-+ /* Annoying encoding used by zone.tab has no decimal point, so use
-+ * the length to determine the format:
-+ *
-+ * 4 = DDMM
-+ * 5 = DDDMM
-+ * 6 = DDMMSS
-+ * 7 = DDDMMSS
-+ */
-+ len = pend - p;
-+ if (len < 4 || len > 7) {
-+ return NULL;
-+ }
-+
-+ /* p => [D]DD */
-+ v = (p[0] - '0') * 10.0 + (p[1] - '0');
-+ p += 2;
-+ if (len == 5 || len == 7)
-+ v = v * 10.0 + (*p++ - '0');
-+ /* p => MM[SS] */
-+ v += (10.0 * (p[0] - '0')
-+ + p[1] - '0') / 60.0;
-+ p += 2;
-+ /* p => [SS] */
-+ if (len > 5) {
-+ v += (10.0 * (p[0] - '0')
-+ + p[1] - '0') / 3600.0;
-+ p += 2;
-+ }
-+
-+ /* Round to five decimal place, not because it's a good idea,
-+ * but, because the builtin data uses rounded data, so, match
-+ * that. */
-+ *result = trunc(v * sign * 100000.0) / 100000.0;
-+
-+ return p;
-+}
-+
-+/* This function parses the zone.tab file to build up the mapping of
-+ * timezone to country code and geographic location, and returns a
-+ * hash table. The hash table is indexed by the function:
-+ *
-+ * tz_hash(timezone-name)
-+ */
-+static struct location_info **create_location_table(void)
-+{
-+ struct location_info **li, *i;
-+ char zone_tab[PATH_MAX];
-+ char line[512];
-+ FILE *fp;
-+
-+ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab);
-+
-+ fp = fopen(zone_tab, "r");
-+ if (!fp) {
-+ return NULL;
-+ }
-+
-+ li = calloc(LOCINFO_HASH_SIZE, sizeof *li);
-+
-+ while (fgets(line, sizeof line, fp)) {
-+ char *p = line, *code, *name, *comment;
-+ uint32_t hash;
-+ double latitude, longitude;
-+
-+ while (isspace(*p))
-+ p++;
-+
-+ if (*p == '#' || *p == '\0' || *p == '\n')
-+ continue;
-+
-+ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t')
-+ continue;
-+
-+ /* code => AA */
-+ code = p;
-+ p[2] = 0;
-+ p += 3;
-+
-+ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */
-+ p = parse_iso6709(p, &latitude);
-+ if (!p) {
-+ continue;
-+ }
-+ p = parse_iso6709(p, &longitude);
-+ if (!p) {
-+ continue;
-+ }
-+
-+ if (!p || *p != '\t') {
-+ continue;
-+ }
-+
-+ /* name = string */
-+ name = ++p;
-+ while (*p != '\t' && *p && *p != '\n')
-+ p++;
-+
-+ *p++ = '\0';
-+
-+ /* comment = string */
-+ comment = p;
-+ while (*p != '\t' && *p && *p != '\n')
-+ p++;
-+
-+ if (*p == '\n' || *p == '\t')
-+ *p = '\0';
-+
-+ hash = tz_hash(name);
-+ i = malloc(sizeof *i);
-+ memcpy(i->code, code, 2);
-+ strncpy(i->name, name, sizeof i->name);
-+ i->comment = strdup(comment);
-+ i->longitude = longitude;
-+ i->latitude = latitude;
-+ i->next = li[hash];
-+ li[hash] = i;
-+ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */
-+ }
-+
-+ fclose(fp);
-+
-+ return li;
-+}
-+
-+/* Return location info from hash table, using given timezone name.
-+ * Returns NULL if the name could not be found. */
-+const struct location_info *find_zone_info(struct location_info **li,
-+ const char *name)
-+{
-+ uint32_t hash = tz_hash(name);
-+ const struct location_info *l;
-+
-+ if (!li) {
-+ return NULL;
-+ }
-+
-+ for (l = li[hash]; l; l = l->next) {
-+ if (strcasecmp(l->name, name) == 0)
-+ return l;
-+ }
-+
-+ return NULL;
-+}
-+
-+/* Filter out some non-tzdata files and the posix/right databases, if
-+ * present. */
-+static int index_filter(const struct dirent *ent)
-+{
-+ return strcmp(ent->d_name, ".") != 0
-+ && strcmp(ent->d_name, "..") != 0
-+ && strcmp(ent->d_name, "posix") != 0
-+ && strcmp(ent->d_name, "posixrules") != 0
-+ && strcmp(ent->d_name, "right") != 0
-+ && strstr(ent->d_name, ".tab") == NULL;
-+}
-+
-+static int sysdbcmp(const void *first, const void *second)
-+{
-+ const timelib_tzdb_index_entry *alpha = first, *beta = second;
-+
-+ return strcasecmp(alpha->id, beta->id);
-+}
-+
-+
-+/* Create the zone identifier index by trawling the filesystem. */
-+static void create_zone_index(timelib_tzdb *db)
-+{
-+ size_t dirstack_size, dirstack_top;
-+ size_t index_size, index_next;
-+ timelib_tzdb_index_entry *db_index;
-+ char **dirstack;
-+
-+ /* LIFO stack to hold directory entries to scan; each slot is a
-+ * directory name relative to the zoneinfo prefix. */
-+ dirstack_size = 32;
-+ dirstack = malloc(dirstack_size * sizeof *dirstack);
-+ dirstack_top = 1;
-+ dirstack[0] = strdup("");
-+
-+ /* Index array. */
-+ index_size = 64;
-+ db_index = malloc(index_size * sizeof *db_index);
-+ index_next = 0;
-+
-+ do {
-+ struct dirent **ents;
-+ char name[PATH_MAX], *top;
-+ int count;
-+
-+ /* Pop the top stack entry, and iterate through its contents. */
-+ top = dirstack[--dirstack_top];
-+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top);
-+
-+ count = php_scandir(name, &ents, index_filter, php_alphasort);
-+
-+ while (count > 0) {
-+ struct stat st;
-+ const char *leaf = ents[count - 1]->d_name;
-+
-+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s",
-+ top, leaf);
-+
-+ if (strlen(name) && stat(name, &st) == 0) {
-+ /* Name, relative to the zoneinfo prefix. */
-+ const char *root = top;
-+
-+ if (root[0] == '/') root++;
-+
-+ snprintf(name, sizeof name, "%s%s%s", root,
-+ *root ? "/": "", leaf);
-+
-+ if (S_ISDIR(st.st_mode)) {
-+ if (dirstack_top == dirstack_size) {
-+ dirstack_size *= 2;
-+ dirstack = realloc(dirstack,
-+ dirstack_size * sizeof *dirstack);
-+ }
-+ dirstack[dirstack_top++] = strdup(name);
-+ }
-+ else {
-+ if (index_next == index_size) {
-+ index_size *= 2;
-+ db_index = realloc(db_index,
-+ index_size * sizeof *db_index);
-+ }
-+
-+ db_index[index_next++].id = strdup(name);
-+ }
-+ }
-+
-+ free(ents[--count]);
-+ }
-+
-+ if (count != -1) free(ents);
-+ free(top);
-+ } while (dirstack_top);
-+
-+ qsort(db_index, index_next, sizeof *db_index, sysdbcmp);
-+
-+ db->index = db_index;
-+ db->index_size = index_next;
-+
-+ free(dirstack);
-+}
-+
-+#define FAKE_HEADER "1234\0??\1??"
-+#define FAKE_UTC_POS (7 - 4)
-+
-+/* Create a fake data segment for database 'sysdb'. */
-+static void fake_data_segment(timelib_tzdb *sysdb,
-+ struct location_info **info)
-+{
-+ size_t n;
-+ char *data, *p;
-+
-+ data = malloc(3 * sysdb->index_size + 7);
-+
-+ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1);
-+
-+ for (n = 0; n < sysdb->index_size; n++) {
-+ const struct location_info *li;
-+ timelib_tzdb_index_entry *ent;
-+
-+ ent = (timelib_tzdb_index_entry *)&sysdb->index[n];
-+
-+ /* Lookup the timezone name in the hash table. */
-+ if (strcmp(ent->id, "UTC") == 0) {
-+ ent->pos = FAKE_UTC_POS;
-+ continue;
-+ }
-+
-+ li = find_zone_info(info, ent->id);
-+ if (li) {
-+ /* If found, append the BC byte and the
-+ * country code; set the position for this
-+ * section of timezone data. */
-+ ent->pos = (p - data) - 4;
-+ *p++ = '\1';
-+ *p++ = li->code[0];
-+ *p++ = li->code[1];
-+ }
-+ else {
-+ /* If not found, the timezone data can
-+ * point at the header. */
-+ ent->pos = 0;
-+ }
-+ }
-+
-+ sysdb->data = (unsigned char *)data;
-+}
-+
-+/* Returns true if the passed-in stat structure describes a
-+ * probably-valid timezone file. */
-+static int is_valid_tzfile(const struct stat *st)
-+{
-+ return S_ISREG(st->st_mode) && st->st_size > 20;
-+}
-+
-+/* To allow timezone names to be used case-insensitively, find the
-+ * canonical name for this timezone, if possible. */
-+static const char *canonical_tzname(const char *timezone)
-+{
-+ if (timezonedb_system) {
-+ timelib_tzdb_index_entry *ent, lookup;
-+
-+ lookup.id = (char *)timezone;
-+
-+ ent = bsearch(&lookup, timezonedb_system->index,
-+ timezonedb_system->index_size, sizeof lookup,
-+ sysdbcmp);
-+ if (ent) {
-+ return ent->id;
-+ }
-+ }
-+
-+ return timezone;
-+}
-+
-+/* Return the mmap()ed tzfile if found, else NULL. On success, the
-+ * length of the mapped data is placed in *length. */
-+static char *map_tzfile(const char *timezone, size_t *length)
-+{
-+ char fname[PATH_MAX];
-+ struct stat st;
-+ char *p;
-+ int fd;
-+
-+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) {
-+ return NULL;
-+ }
-+
-+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone));
-+
-+ fd = open(fname, O_RDONLY);
-+ if (fd == -1) {
-+ return NULL;
-+ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st)) {
-+ close(fd);
-+ return NULL;
-+ }
-+
-+ *length = st.st_size;
-+ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
-+ close(fd);
-+
-+ return p != MAP_FAILED ? p : NULL;
-+}
-+
-+#endif
-+
-+static int inmem_seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb)
- {
- int left = 0, right = tzdb->index_size - 1;
- #ifdef HAVE_SETLOCALE
-@@ -295,36 +726,135 @@ static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const
- return 0;
- }
-
-+static int seek_to_tz_position(const unsigned char **tzf, char *timezone,
-+ char **map, size_t *maplen,
-+ const timelib_tzdb *tzdb)
-+{
-+#ifdef HAVE_SYSTEM_TZDATA
-+ if (tzdb == timezonedb_system) {
-+ char *orig;
-+
-+ orig = map_tzfile(timezone, maplen);
-+ if (orig == NULL) {
-+ return 0;
-+ }
-+
-+ (*tzf) = (unsigned char *)orig ;
-+ *map = orig;
-+
-+ return 1;
-+ }
-+ else
-+#endif
-+ {
-+ return inmem_seek_to_tz_position(tzf, timezone, tzdb);
-+ }
-+}
-+
- const timelib_tzdb *timelib_builtin_db(void)
- {
-+#ifdef HAVE_SYSTEM_TZDATA
-+ if (timezonedb_system == NULL) {
-+ timelib_tzdb *tmp = malloc(sizeof *tmp);
-+
-+ tmp->version = "0.system";
-+ tmp->data = NULL;
-+ create_zone_index(tmp);
-+ system_location_table = create_location_table();
-+ fake_data_segment(tmp, system_location_table);
-+ timezonedb_system = tmp;
-+ }
-+
-+
-+ return timezonedb_system;
-+#else
- return &timezonedb_builtin;
-+#endif
- }
-
- const timelib_tzdb_index_entry *timelib_timezone_builtin_identifiers_list(int *count)
- {
-+#ifdef HAVE_SYSTEM_TZDATA
-+ *count = timezonedb_system->index_size;
-+ return timezonedb_system->index;
-+#else
- *count = sizeof(timezonedb_idx_builtin) / sizeof(*timezonedb_idx_builtin);
- return timezonedb_idx_builtin;
-+#endif
- }
-
- int timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb)
- {
- const unsigned char *tzf;
-- return (seek_to_tz_position(&tzf, timezone, tzdb));
-+
-+#ifdef HAVE_SYSTEM_TZDATA
-+ if (tzdb == timezonedb_system) {
-+ char fname[PATH_MAX];
-+ struct stat st;
-+
-+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) {
-+ return 0;
-+ }
-+
-+ if (system_location_table) {
-+ if (find_zone_info(system_location_table, timezone) != NULL) {
-+ /* found in cache */
-+ return 1;
-+ }
-+ }
-+
-+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone));
-+
-+ return stat(fname, &st) == 0 && is_valid_tzfile(&st);
-+ }
-+#endif
-+
-+ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb));
- }
-
- timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb)
- {
- const unsigned char *tzf;
-+ char *memmap = NULL;
-+ size_t maplen;
- timelib_tzinfo *tmp;
-
-- if (seek_to_tz_position(&tzf, timezone, tzdb)) {
-+ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) {
- tmp = timelib_tzinfo_ctor(timezone);
-
- read_preamble(&tzf, tmp);
- read_header(&tzf, tmp);
- read_transistions(&tzf, tmp);
- read_types(&tzf, tmp);
-- read_location(&tzf, tmp);
-+
-+#ifdef HAVE_SYSTEM_TZDATA
-+ if (memmap) {
-+ const struct location_info *li;
-+
-+ /* TZif-style - grok the location info from the system database,
-+ * if possible. */
-+
-+ if ((li = find_zone_info(system_location_table, timezone)) != NULL) {
-+ tmp->location.comments = strdup(li->comment);
-+ strncpy(tmp->location.country_code, li->code, 2);
-+ tmp->location.longitude = li->longitude;
-+ tmp->location.latitude = li->latitude;
-+ tmp->bc = 1;
-+ }
-+ else {
-+ strcpy(tmp->location.country_code, "??");
-+ tmp->bc = 0;
-+ tmp->location.comments = strdup("");
-+ }
-+
-+ /* Now done with the mmap segment - discard it. */
-+ munmap(memmap, maplen);
-+ } else
-+#endif
-+ {
-+ /* PHP-style - use the embedded info. */
-+ read_location(&tzf, tmp);
-+ }
- } else {
- tmp = NULL;
- }
-diff --git a/ext/date/lib/timelib.m4 b/ext/date/lib/timelib.m4
-index c725572..4c837c7 100644
---- a/ext/date/lib/timelib.m4
-+++ b/ext/date/lib/timelib.m4
-@@ -78,3 +78,17 @@ stdlib.h
-
- dnl Check for strtoll, atoll
- AC_CHECK_FUNCS(strtoll atoll strftime)
-+
-+PHP_ARG_WITH(system-tzdata, for use of system timezone data,
-+[ --with-system-tzdata[=DIR] to specify use of system timezone data],
-+no, no)
-+
-+if test "$PHP_SYSTEM_TZDATA" != "no"; then
-+ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used])
-+
-+ if test "$PHP_SYSTEM_TZDATA" != "yes"; then
-+ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA",
-+ [Define for location of system timezone data])
-+ fi
-+fi
-+
-
diff --git a/php-5.5.25-systzdata-v12.patch b/php-5.5.25-systzdata-v12.patch
index c4e56ae..b893e65 100644
--- a/php-5.5.25-systzdata-v12.patch
+++ b/php-5.5.25-systzdata-v12.patch
@@ -1,3 +1,7 @@
+# License: MIT
+# http://opensource.org/licenses/MIT
+
+
Add support for use of the system timezone database, rather
than embedding a copy. Discussed upstream but was not desired.
diff --git a/php.spec b/php.spec
index 1d50c18..ab7fee8 100644
--- a/php.spec
+++ b/php.spec
@@ -140,7 +140,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.5.38
-Release: 7%{?dist}
+Release: 8%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -247,6 +247,8 @@ Patch151: bug73764.patch
Patch152: bug73768.patch
Patch153: bug73773.patch
Patch154: bug69090.patch
+Patch155: bug73549.patch
+Patch156: bug75981.patch
# Security fixes (200+)
@@ -994,6 +996,8 @@ support for using the enchant library to PHP.
%patch152 -p1 -b .bug73768
%patch153 -p1 -b .bug73773
%patch154 -p1 -b .bug69090
+%patch155 -p1 -b .bug73549
+%patch156 -p1 -b .bug75981
: ------------------------
# Fixes for tests
@@ -1725,11 +1729,17 @@ fi
%posttrans common
cat << EOF
+==========================================================================
-WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
-Even, if this package includes some security fix, backported from 5.6,
-The upgrade to a maintained version is very strongly recommended.
+ WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
+ Even, if this package includes some security fix, backported from 5.6,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
+%if %{?fedora}%{!?fedora:99} < 26
+ WARNING : Fedora %{fedora} is now EOL :
+ You should consider upgrading to a supported release
+%endif
+==========================================================================
EOF
@@ -1899,6 +1909,10 @@ EOF
%changelog
+* Thu Mar 1 2018 Remi Collet <remi@remirepo.net> - 5.5.38-8
+- fix #73549: Use after free when stream is passed to imagepng
+- fix #75981: stack-buffer-overflow while parsing HTTP response
+
* Sat Feb 18 2017 Remi Collet <remi@remirepo.net> - 5.5.38-7
- fix #73737: FPE when parsing a tag format
CVE-2016-10158