From 10f4882e2ed191ffac0cc5e243b9ad32478c36c8 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 1 Mar 2018 10:42:24 +0100 Subject: fix #73549: Use after free when stream is passed to imagepng fix #75981: stack-buffer-overflow while parsing HTTP response --- .gitignore | 9 + bug73549.patch | 95 ++++++ bug75981.patch | 68 +++++ php-5.5.19-systzdata-v11.patch | 655 ----------------------------------------- php-5.5.25-systzdata-v12.patch | 4 + php.spec | 22 +- 6 files changed, 194 insertions(+), 659 deletions(-) create mode 100644 .gitignore create mode 100644 bug73549.patch create mode 100644 bug75981.patch delete mode 100644 php-5.5.19-systzdata-v11.patch diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6f69818 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +clog +package-*.xml +*.tgz +*.tar.gz +*.tar.bz2 +*.tar.xz +*.tar.xz.asc +*.src.rpm +*/*rpm diff --git a/bug73549.patch b/bug73549.patch new file mode 100644 index 0000000..5c39852 --- /dev/null +++ b/bug73549.patch @@ -0,0 +1,95 @@ +From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Thu, 17 Nov 2016 13:44:30 +0100 +Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng + +If a stream is passed to imagepng() or other image output functions, +opposed to a filename, we must not close this stream. +--- + NEWS | 3 +++ + ext/gd/gd_ctx.c | 18 +++++++++++++++++- + ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + create mode 100644 ext/gd/tests/bug73549.phpt + +diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c +index 34a9a00..acb96e1 100644 +--- a/ext/gd/gd_ctx.c ++++ b/ext/gd/gd_ctx.c +@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l) + + static void _php_image_stream_ctxfree(struct gdIOCtx *ctx) + { ++ if(ctx->data) { ++ ctx->data = NULL; ++ } ++ if(ctx) { ++ efree(ctx); ++ } ++} /* }}} */ ++ ++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */ ++{ + TSRMLS_FETCH(); + + if(ctx->data) { +@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + gdIOCtx *ctx = NULL; + zval *to_zval = NULL; + php_stream *stream; ++ int close_stream = 1; + + /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp(). + * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called +@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + if (stream == NULL) { + RETURN_FALSE; + } ++ close_stream = 0; + } else if (Z_TYPE_P(to_zval) == IS_STRING) { + if (CHECK_ZVAL_NULL_PATH(to_zval)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); +@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + ctx = emalloc(sizeof(gdIOCtx)); + ctx->putC = _php_image_stream_putc; + ctx->putBuf = _php_image_stream_putbuf; +- ctx->gd_free = _php_image_stream_ctxfree; ++ if (close_stream) { ++ ctx->gd_free = _php_image_stream_ctxfreeandclose; ++ } else { ++ ctx->gd_free = _php_image_stream_ctxfree; ++ } + ctx->data = (void *)stream; + } + +diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt +new file mode 100644 +index 0000000..e0cc6cf +--- /dev/null ++++ b/ext/gd/tests/bug73549.phpt +@@ -0,0 +1,22 @@ ++--TEST-- ++Bug #73549 (Use after free when stream is passed to imagepng) ++--SKIPIF-- ++ ++--FILE-- ++ ++===DONE=== ++--EXPECTF-- ++bool(true) ++resource(%d) of type (stream) ++===DONE=== ++--CLEAN-- ++ +-- +2.1.4 + diff --git a/bug75981.patch b/bug75981.patch new file mode 100644 index 0000000..27af03b --- /dev/null +++ b/bug75981.patch @@ -0,0 +1,68 @@ +From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 20 Feb 2018 15:34:43 -0800 +Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start + +--- + ext/standard/http_fopen_wrapper.c | 4 ++-- + ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + create mode 100644 ext/standard/tests/http/bug75981.phpt + +diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c +index ed6adc0..78bd935 100644 +--- a/ext/standard/http_fopen_wrapper.c ++++ b/ext/standard/http_fopen_wrapper.c +@@ -737,9 +737,9 @@ finish: + tmp_line, response_code); + } + } +- if (tmp_line[tmp_line_len - 1] == '\n') { ++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') { + --tmp_line_len; +- if (tmp_line[tmp_line_len - 1] == '\r') { ++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') { + --tmp_line_len; + } + } +diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt +new file mode 100644 +index 0000000..d415de6 +--- /dev/null ++++ b/ext/standard/tests/http/bug75981.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #75981 (stack-buffer-overflow while parsing HTTP response) ++--INI-- ++allow_url_fopen=1 ++--SKIPIF-- ++ ++--FILE-- ++ [ ++ 'protocol_version' => '1.1', ++ 'header' => 'Connection: Close' ++ ], ++]; ++ ++$ctx = stream_context_create($options); ++ ++$responses = [ ++ "data://text/plain,000000000100\xA\xA" ++]; ++$pid = http_server('tcp://127.0.0.1:12342', $responses); ++ ++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx); ++ ++http_server_kill($pid); ++ ++?> ++DONE ++--EXPECT-- ++DONE +-- +2.1.4 + diff --git a/php-5.5.19-systzdata-v11.patch b/php-5.5.19-systzdata-v11.patch deleted file mode 100644 index bfca49b..0000000 --- a/php-5.5.19-systzdata-v11.patch +++ /dev/null @@ -1,655 +0,0 @@ -Add support for use of the system timezone database, rather -than embedding a copy. Discussed upstream but was not desired. - -History: -r11: use canonical names to avoid more case sensitivity issues - round lat/long from zone.tab towards zero per builtin db -r10: make timezone case insensitive -r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold) -r8: fix compile error without --with-system-tzdata configured -r7: improve check for valid timezone id to exclude directories -r6: fix fd leak in r5, fix country code/BC flag use in - timezone_identifiers_list() using system db, - fix use of PECL timezonedb to override system db, -r5: reverts addition of "System/Localtime" fake tzname. - updated for 5.3.0, parses zone.tab to pick up mapping between - timezone name, country code and long/lat coords -r4: added "System/Localtime" tzname which uses /etc/localtime -r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) -r2: add filesystem trawl to set up name alias index -r1: initial revision - -diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c -index 5d2aec9..671b398 100644 ---- a/ext/date/lib/parse_tz.c -+++ b/ext/date/lib/parse_tz.c -@@ -20,6 +20,16 @@ - - #include "timelib.h" - -+#ifdef HAVE_SYSTEM_TZDATA -+#include -+#include -+#include -+#include -+#include -+ -+#include "php_scandir.h" -+#endif -+ - #include - - #ifdef HAVE_LOCALE_H -@@ -31,7 +41,12 @@ - #else - #include - #endif -+ -+#ifndef HAVE_SYSTEM_TZDATA - #include "timezonedb.h" -+#endif -+ -+#include - - #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) - # if defined(__LITTLE_ENDIAN__) -@@ -51,9 +66,14 @@ - - static void read_preamble(const unsigned char **tzf, timelib_tzinfo *tz) - { -- /* skip ID */ -- *tzf += 4; -- -+ if (memcmp(tzf, "TZif", 4) == 0) { -+ *tzf += 20; -+ return; -+ } -+ -+ /* skip ID */ -+ *tzf += 4; -+ - /* read BC flag */ - tz->bc = (**tzf == '\1'); - *tzf += 1; -@@ -256,7 +276,418 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz) - } - } - --static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) -+#ifdef HAVE_SYSTEM_TZDATA -+ -+#ifdef HAVE_SYSTEM_TZDATA_PREFIX -+#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX -+#else -+#define ZONEINFO_PREFIX "/usr/share/zoneinfo" -+#endif -+ -+/* System timezone database pointer. */ -+static const timelib_tzdb *timezonedb_system; -+ -+/* Hash table entry for the cache of the zone.tab mapping table. */ -+struct location_info { -+ char code[2]; -+ double latitude, longitude; -+ char name[64]; -+ char *comment; -+ struct location_info *next; -+}; -+ -+/* Cache of zone.tab. */ -+static struct location_info **system_location_table; -+ -+/* Size of the zone.tab hash table; a random-ish prime big enough to -+ * prevent too many collisions. */ -+#define LOCINFO_HASH_SIZE (1021) -+ -+/* Compute a case insensitive hash of str */ -+static uint32_t tz_hash(const char *str) -+{ -+ const unsigned char *p = (const unsigned char *)str; -+ uint32_t hash = 5381; -+ int c; -+ -+ while ((c = tolower(*p++)) != '\0') { -+ hash = (hash << 5) ^ hash ^ c; -+ } -+ -+ return hash % LOCINFO_HASH_SIZE; -+} -+ -+/* Parse an ISO-6709 date as used in zone.tab. Returns end of the -+ * parsed string on success, or NULL on parse error. On success, -+ * writes the parsed number to *result. */ -+static char *parse_iso6709(char *p, double *result) -+{ -+ double v, sign; -+ char *pend; -+ size_t len; -+ -+ if (*p == '+') -+ sign = 1.0; -+ else if (*p == '-') -+ sign = -1.0; -+ else -+ return NULL; -+ -+ p++; -+ for (pend = p; *pend >= '0' && *pend <= '9'; pend++) -+ ;; -+ -+ /* Annoying encoding used by zone.tab has no decimal point, so use -+ * the length to determine the format: -+ * -+ * 4 = DDMM -+ * 5 = DDDMM -+ * 6 = DDMMSS -+ * 7 = DDDMMSS -+ */ -+ len = pend - p; -+ if (len < 4 || len > 7) { -+ return NULL; -+ } -+ -+ /* p => [D]DD */ -+ v = (p[0] - '0') * 10.0 + (p[1] - '0'); -+ p += 2; -+ if (len == 5 || len == 7) -+ v = v * 10.0 + (*p++ - '0'); -+ /* p => MM[SS] */ -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 60.0; -+ p += 2; -+ /* p => [SS] */ -+ if (len > 5) { -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 3600.0; -+ p += 2; -+ } -+ -+ /* Round to five decimal place, not because it's a good idea, -+ * but, because the builtin data uses rounded data, so, match -+ * that. */ -+ *result = trunc(v * sign * 100000.0) / 100000.0; -+ -+ return p; -+} -+ -+/* This function parses the zone.tab file to build up the mapping of -+ * timezone to country code and geographic location, and returns a -+ * hash table. The hash table is indexed by the function: -+ * -+ * tz_hash(timezone-name) -+ */ -+static struct location_info **create_location_table(void) -+{ -+ struct location_info **li, *i; -+ char zone_tab[PATH_MAX]; -+ char line[512]; -+ FILE *fp; -+ -+ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab); -+ -+ fp = fopen(zone_tab, "r"); -+ if (!fp) { -+ return NULL; -+ } -+ -+ li = calloc(LOCINFO_HASH_SIZE, sizeof *li); -+ -+ while (fgets(line, sizeof line, fp)) { -+ char *p = line, *code, *name, *comment; -+ uint32_t hash; -+ double latitude, longitude; -+ -+ while (isspace(*p)) -+ p++; -+ -+ if (*p == '#' || *p == '\0' || *p == '\n') -+ continue; -+ -+ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t') -+ continue; -+ -+ /* code => AA */ -+ code = p; -+ p[2] = 0; -+ p += 3; -+ -+ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */ -+ p = parse_iso6709(p, &latitude); -+ if (!p) { -+ continue; -+ } -+ p = parse_iso6709(p, &longitude); -+ if (!p) { -+ continue; -+ } -+ -+ if (!p || *p != '\t') { -+ continue; -+ } -+ -+ /* name = string */ -+ name = ++p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ *p++ = '\0'; -+ -+ /* comment = string */ -+ comment = p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ if (*p == '\n' || *p == '\t') -+ *p = '\0'; -+ -+ hash = tz_hash(name); -+ i = malloc(sizeof *i); -+ memcpy(i->code, code, 2); -+ strncpy(i->name, name, sizeof i->name); -+ i->comment = strdup(comment); -+ i->longitude = longitude; -+ i->latitude = latitude; -+ i->next = li[hash]; -+ li[hash] = i; -+ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */ -+ } -+ -+ fclose(fp); -+ -+ return li; -+} -+ -+/* Return location info from hash table, using given timezone name. -+ * Returns NULL if the name could not be found. */ -+const struct location_info *find_zone_info(struct location_info **li, -+ const char *name) -+{ -+ uint32_t hash = tz_hash(name); -+ const struct location_info *l; -+ -+ if (!li) { -+ return NULL; -+ } -+ -+ for (l = li[hash]; l; l = l->next) { -+ if (strcasecmp(l->name, name) == 0) -+ return l; -+ } -+ -+ return NULL; -+} -+ -+/* Filter out some non-tzdata files and the posix/right databases, if -+ * present. */ -+static int index_filter(const struct dirent *ent) -+{ -+ return strcmp(ent->d_name, ".") != 0 -+ && strcmp(ent->d_name, "..") != 0 -+ && strcmp(ent->d_name, "posix") != 0 -+ && strcmp(ent->d_name, "posixrules") != 0 -+ && strcmp(ent->d_name, "right") != 0 -+ && strstr(ent->d_name, ".tab") == NULL; -+} -+ -+static int sysdbcmp(const void *first, const void *second) -+{ -+ const timelib_tzdb_index_entry *alpha = first, *beta = second; -+ -+ return strcasecmp(alpha->id, beta->id); -+} -+ -+ -+/* Create the zone identifier index by trawling the filesystem. */ -+static void create_zone_index(timelib_tzdb *db) -+{ -+ size_t dirstack_size, dirstack_top; -+ size_t index_size, index_next; -+ timelib_tzdb_index_entry *db_index; -+ char **dirstack; -+ -+ /* LIFO stack to hold directory entries to scan; each slot is a -+ * directory name relative to the zoneinfo prefix. */ -+ dirstack_size = 32; -+ dirstack = malloc(dirstack_size * sizeof *dirstack); -+ dirstack_top = 1; -+ dirstack[0] = strdup(""); -+ -+ /* Index array. */ -+ index_size = 64; -+ db_index = malloc(index_size * sizeof *db_index); -+ index_next = 0; -+ -+ do { -+ struct dirent **ents; -+ char name[PATH_MAX], *top; -+ int count; -+ -+ /* Pop the top stack entry, and iterate through its contents. */ -+ top = dirstack[--dirstack_top]; -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); -+ -+ count = php_scandir(name, &ents, index_filter, php_alphasort); -+ -+ while (count > 0) { -+ struct stat st; -+ const char *leaf = ents[count - 1]->d_name; -+ -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", -+ top, leaf); -+ -+ if (strlen(name) && stat(name, &st) == 0) { -+ /* Name, relative to the zoneinfo prefix. */ -+ const char *root = top; -+ -+ if (root[0] == '/') root++; -+ -+ snprintf(name, sizeof name, "%s%s%s", root, -+ *root ? "/": "", leaf); -+ -+ if (S_ISDIR(st.st_mode)) { -+ if (dirstack_top == dirstack_size) { -+ dirstack_size *= 2; -+ dirstack = realloc(dirstack, -+ dirstack_size * sizeof *dirstack); -+ } -+ dirstack[dirstack_top++] = strdup(name); -+ } -+ else { -+ if (index_next == index_size) { -+ index_size *= 2; -+ db_index = realloc(db_index, -+ index_size * sizeof *db_index); -+ } -+ -+ db_index[index_next++].id = strdup(name); -+ } -+ } -+ -+ free(ents[--count]); -+ } -+ -+ if (count != -1) free(ents); -+ free(top); -+ } while (dirstack_top); -+ -+ qsort(db_index, index_next, sizeof *db_index, sysdbcmp); -+ -+ db->index = db_index; -+ db->index_size = index_next; -+ -+ free(dirstack); -+} -+ -+#define FAKE_HEADER "1234\0??\1??" -+#define FAKE_UTC_POS (7 - 4) -+ -+/* Create a fake data segment for database 'sysdb'. */ -+static void fake_data_segment(timelib_tzdb *sysdb, -+ struct location_info **info) -+{ -+ size_t n; -+ char *data, *p; -+ -+ data = malloc(3 * sysdb->index_size + 7); -+ -+ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); -+ -+ for (n = 0; n < sysdb->index_size; n++) { -+ const struct location_info *li; -+ timelib_tzdb_index_entry *ent; -+ -+ ent = (timelib_tzdb_index_entry *)&sysdb->index[n]; -+ -+ /* Lookup the timezone name in the hash table. */ -+ if (strcmp(ent->id, "UTC") == 0) { -+ ent->pos = FAKE_UTC_POS; -+ continue; -+ } -+ -+ li = find_zone_info(info, ent->id); -+ if (li) { -+ /* If found, append the BC byte and the -+ * country code; set the position for this -+ * section of timezone data. */ -+ ent->pos = (p - data) - 4; -+ *p++ = '\1'; -+ *p++ = li->code[0]; -+ *p++ = li->code[1]; -+ } -+ else { -+ /* If not found, the timezone data can -+ * point at the header. */ -+ ent->pos = 0; -+ } -+ } -+ -+ sysdb->data = (unsigned char *)data; -+} -+ -+/* Returns true if the passed-in stat structure describes a -+ * probably-valid timezone file. */ -+static int is_valid_tzfile(const struct stat *st) -+{ -+ return S_ISREG(st->st_mode) && st->st_size > 20; -+} -+ -+/* To allow timezone names to be used case-insensitively, find the -+ * canonical name for this timezone, if possible. */ -+static const char *canonical_tzname(const char *timezone) -+{ -+ if (timezonedb_system) { -+ timelib_tzdb_index_entry *ent, lookup; -+ -+ lookup.id = (char *)timezone; -+ -+ ent = bsearch(&lookup, timezonedb_system->index, -+ timezonedb_system->index_size, sizeof lookup, -+ sysdbcmp); -+ if (ent) { -+ return ent->id; -+ } -+ } -+ -+ return timezone; -+} -+ -+/* Return the mmap()ed tzfile if found, else NULL. On success, the -+ * length of the mapped data is placed in *length. */ -+static char *map_tzfile(const char *timezone, size_t *length) -+{ -+ char fname[PATH_MAX]; -+ struct stat st; -+ char *p; -+ int fd; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return NULL; -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ fd = open(fname, O_RDONLY); -+ if (fd == -1) { -+ return NULL; -+ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st)) { -+ close(fd); -+ return NULL; -+ } -+ -+ *length = st.st_size; -+ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); -+ close(fd); -+ -+ return p != MAP_FAILED ? p : NULL; -+} -+ -+#endif -+ -+static int inmem_seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) - { - int left = 0, right = tzdb->index_size - 1; - #ifdef HAVE_SETLOCALE -@@ -295,36 +726,135 @@ static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const - return 0; - } - -+static int seek_to_tz_position(const unsigned char **tzf, char *timezone, -+ char **map, size_t *maplen, -+ const timelib_tzdb *tzdb) -+{ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char *orig; -+ -+ orig = map_tzfile(timezone, maplen); -+ if (orig == NULL) { -+ return 0; -+ } -+ -+ (*tzf) = (unsigned char *)orig ; -+ *map = orig; -+ -+ return 1; -+ } -+ else -+#endif -+ { -+ return inmem_seek_to_tz_position(tzf, timezone, tzdb); -+ } -+} -+ - const timelib_tzdb *timelib_builtin_db(void) - { -+#ifdef HAVE_SYSTEM_TZDATA -+ if (timezonedb_system == NULL) { -+ timelib_tzdb *tmp = malloc(sizeof *tmp); -+ -+ tmp->version = "0.system"; -+ tmp->data = NULL; -+ create_zone_index(tmp); -+ system_location_table = create_location_table(); -+ fake_data_segment(tmp, system_location_table); -+ timezonedb_system = tmp; -+ } -+ -+ -+ return timezonedb_system; -+#else - return &timezonedb_builtin; -+#endif - } - - const timelib_tzdb_index_entry *timelib_timezone_builtin_identifiers_list(int *count) - { -+#ifdef HAVE_SYSTEM_TZDATA -+ *count = timezonedb_system->index_size; -+ return timezonedb_system->index; -+#else - *count = sizeof(timezonedb_idx_builtin) / sizeof(*timezonedb_idx_builtin); - return timezonedb_idx_builtin; -+#endif - } - - int timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb) - { - const unsigned char *tzf; -- return (seek_to_tz_position(&tzf, timezone, tzdb)); -+ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char fname[PATH_MAX]; -+ struct stat st; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return 0; -+ } -+ -+ if (system_location_table) { -+ if (find_zone_info(system_location_table, timezone) != NULL) { -+ /* found in cache */ -+ return 1; -+ } -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ return stat(fname, &st) == 0 && is_valid_tzfile(&st); -+ } -+#endif -+ -+ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb)); - } - - timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb) - { - const unsigned char *tzf; -+ char *memmap = NULL; -+ size_t maplen; - timelib_tzinfo *tmp; - -- if (seek_to_tz_position(&tzf, timezone, tzdb)) { -+ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) { - tmp = timelib_tzinfo_ctor(timezone); - - read_preamble(&tzf, tmp); - read_header(&tzf, tmp); - read_transistions(&tzf, tmp); - read_types(&tzf, tmp); -- read_location(&tzf, tmp); -+ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (memmap) { -+ const struct location_info *li; -+ -+ /* TZif-style - grok the location info from the system database, -+ * if possible. */ -+ -+ if ((li = find_zone_info(system_location_table, timezone)) != NULL) { -+ tmp->location.comments = strdup(li->comment); -+ strncpy(tmp->location.country_code, li->code, 2); -+ tmp->location.longitude = li->longitude; -+ tmp->location.latitude = li->latitude; -+ tmp->bc = 1; -+ } -+ else { -+ strcpy(tmp->location.country_code, "??"); -+ tmp->bc = 0; -+ tmp->location.comments = strdup(""); -+ } -+ -+ /* Now done with the mmap segment - discard it. */ -+ munmap(memmap, maplen); -+ } else -+#endif -+ { -+ /* PHP-style - use the embedded info. */ -+ read_location(&tzf, tmp); -+ } - } else { - tmp = NULL; - } -diff --git a/ext/date/lib/timelib.m4 b/ext/date/lib/timelib.m4 -index c725572..4c837c7 100644 ---- a/ext/date/lib/timelib.m4 -+++ b/ext/date/lib/timelib.m4 -@@ -78,3 +78,17 @@ stdlib.h - - dnl Check for strtoll, atoll - AC_CHECK_FUNCS(strtoll atoll strftime) -+ -+PHP_ARG_WITH(system-tzdata, for use of system timezone data, -+[ --with-system-tzdata[=DIR] to specify use of system timezone data], -+no, no) -+ -+if test "$PHP_SYSTEM_TZDATA" != "no"; then -+ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) -+ -+ if test "$PHP_SYSTEM_TZDATA" != "yes"; then -+ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", -+ [Define for location of system timezone data]) -+ fi -+fi -+ - diff --git a/php-5.5.25-systzdata-v12.patch b/php-5.5.25-systzdata-v12.patch index c4e56ae..b893e65 100644 --- a/php-5.5.25-systzdata-v12.patch +++ b/php-5.5.25-systzdata-v12.patch @@ -1,3 +1,7 @@ +# License: MIT +# http://opensource.org/licenses/MIT + + Add support for use of the system timezone database, rather than embedding a copy. Discussed upstream but was not desired. diff --git a/php.spec b/php.spec index 1d50c18..ab7fee8 100644 --- a/php.spec +++ b/php.spec @@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.5.38 -Release: 7%{?dist} +Release: 8%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -247,6 +247,8 @@ Patch151: bug73764.patch Patch152: bug73768.patch Patch153: bug73773.patch Patch154: bug69090.patch +Patch155: bug73549.patch +Patch156: bug75981.patch # Security fixes (200+) @@ -994,6 +996,8 @@ support for using the enchant library to PHP. %patch152 -p1 -b .bug73768 %patch153 -p1 -b .bug73773 %patch154 -p1 -b .bug69090 +%patch155 -p1 -b .bug73549 +%patch156 -p1 -b .bug75981 : ------------------------ # Fixes for tests @@ -1725,11 +1729,17 @@ fi %posttrans common cat << EOF +========================================================================== -WARNING : PHP 5.5 have reached its "End of Life" in July 2016. -Even, if this package includes some security fix, backported from 5.6, -The upgrade to a maintained version is very strongly recommended. + WARNING : PHP 5.5 have reached its "End of Life" in July 2016. + Even, if this package includes some security fix, backported from 5.6, + The UPGRADE to a maintained version is very strongly RECOMMENDED. +%if %{?fedora}%{!?fedora:99} < 26 + WARNING : Fedora %{fedora} is now EOL : + You should consider upgrading to a supported release +%endif +========================================================================== EOF @@ -1899,6 +1909,10 @@ EOF %changelog +* Thu Mar 1 2018 Remi Collet - 5.5.38-8 +- fix #73549: Use after free when stream is passed to imagepng +- fix #75981: stack-buffer-overflow while parsing HTTP response + * Sat Feb 18 2017 Remi Collet - 5.5.38-7 - fix #73737: FPE when parsing a tag format CVE-2016-10158 -- cgit