summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-04-02 12:50:10 +0200
committerRemi Collet <remi@remirepo.net>2019-04-02 12:50:10 +0200
commite2a406ee9ecbf96c0ffe04178d158c4572acd38d (patch)
treeed783b639ce9334b5bfb337e15bf70fb2e9de77e
parentfc2b23f976fba2810ea49b6f59c4f23fdbed8a1f (diff)
- exif:
Fix #77753 Heap-buffer-overflow in php_ifd_get32s Fix #77831 Heap-buffer-overflow in exif_iif_add_value - sqlite3: Added sqlite3.defensive INI directive
-rw-r--r--failed.txt32
-rw-r--r--php-bug77753.patch34
-rw-r--r--php-bug77831.patch211
-rw-r--r--php-sqlite3-defensive.patch167
-rw-r--r--php.spec21
5 files changed, 441 insertions, 24 deletions
diff --git a/failed.txt b/failed.txt
index 28fb7af..9834657 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,33 +1,25 @@
-===== 5.6.40-5 (2019-03-12)
+===== 5.6.40-7 (2019-04-02)
$ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
-/var/lib/mock/scl56el6x/build.log:Tests failed : 7
-/var/lib/mock/scl56el7x/build.log:Tests failed : 4
-/var/lib/mock/scl56el7x/build.log:Tests failed : 34
-/var/lib/mock/scl56fc26x/build.log:Tests failed : 3
-/var/lib/mock/scl56fc27x/build.log:Tests failed : 7
-/var/lib/mock/scl56fc28x/build.log:Tests failed : 6
-/var/lib/mock/scl56fc29x/build.log:Tests failed : 8
-/var/lib/mock/scl56fc30x/build.log:Tests failed : 11
+/var/lib/mock/scl56el6x/build.log:Tests failed : 3
+/var/lib/mock/scl56el7x/build.log:Tests failed : 0
+/var/lib/mock/scl56el8x/build.log:Tests failed : 28
+/var/lib/mock/scl56fc27x/build.log:Tests failed : 6
+/var/lib/mock/scl56fc28x/build.log:Tests failed : 1
+/var/lib/mock/scl56fc29x/build.log:Tests failed : 3
+/var/lib/mock/scl56fc30x/build.log:Tests failed : 3
-el6x, el7x:
- 4 Bug #33414 [2] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-2.phpt]
-el6x, el7x, fc25x, fc26x, fc27x, fc28x, fc29x, fc30x:
- 4 Bug #33415 [2] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-2.phpt]
-el6xn el7x, fc26x, fc27x, fc28x, fc29x, fc30x:
- 4 Bug #51819 (Case discrepancy in timezone names cause Uncaught exception and fatal error) [ext/date/tests/bug51819.phpt]
- 4 Test date_sunset() function : usage variation - Passing high positive and negative float values to time argument. [ext/date/tests/date_sunset_variation9.phpt]
-el6x, fc25x, fc27x, fc29x:
+fc27x:
+ 4 Bug #32086 (strtotime don't work in DST) [ext/date/tests/bug32086.phpt]
+ 4 Bug #33415 [1] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-1.phpt]
+el6x, fc27x:
3 Bug #65538: SSL context "cafile" disallows URL stream wrappers [ext/openssl/tests/bug65538_002.phpt]
3 gethostbyname() function - basic return valid ip address test [ext/standard/tests/network/gethostbyname_error004.phpt]
3 getmxrr() test [ext/standard/tests/network/getmxrr.phpt]
fc27x, fc28x, fc29x, fc30x:
2 substr_compare() [ext/standard/tests/strings/substr_compare.phpt]
-fc28x, fc29x, fc30x:
- Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
- date_modify() function [1] [ext/date/tests/date_modify-1.phpt]
fc29x, fc30x:
openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt]
TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt]
diff --git a/php-bug77753.patch b/php-bug77753.patch
new file mode 100644
index 0000000..bcb324d
--- /dev/null
+++ b/php-bug77753.patch
@@ -0,0 +1,34 @@
+Without test as binary patch not supported
+
+
+
+
+From 1e7511f2476380f9eb523f60817610c8eab6b116 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 17 Mar 2019 22:54:46 -0700
+Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
+
+(cherry picked from commit f3aefc6d071b807ddacae0a0bc49f09c38e18490)
+---
+ ext/exif/exif.c | 4 ++++
+ ext/exif/tests/bug77753.phpt | 16 ++++++++++++++++
+ ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes
+ 3 files changed, 20 insertions(+)
+ create mode 100644 ext/exif/tests/bug77753.phpt
+ create mode 100644 ext/exif/tests/bug77753.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index ce8db170c7..4350124305 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2812,6 +2812,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ return FALSE;
+ }
++ if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
++ return FALSE;
++ }
+
+ for (de=0;de<NumDirEntries;de++) {
+ if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
diff --git a/php-bug77831.patch b/php-bug77831.patch
new file mode 100644
index 0000000..840fbfd
--- /dev/null
+++ b/php-bug77831.patch
@@ -0,0 +1,211 @@
+Without test as binary patch not supported
+
+
+
+
+From 1f2fdcd9a2471e6fac220ec2e7a2ca56b7879113 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 2 Apr 2019 00:12:26 -0700
+Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value
+ in EXIF
+
+(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4)
+---
+ NEWS | 4 ++++
+ ext/exif/exif.c | 43 +++++++++++++++++++++++------------
+ ext/exif/tests/bug77831.phpt | 13 +++++++++++
+ ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes
+ 4 files changed, 45 insertions(+), 15 deletions(-)
+ create mode 100644 ext/exif/tests/bug77831.phpt
+ create mode 100644 ext/exif/tests/bug77831.tiff
+
+diff --git a/NEWS b/NEWS
+index 0bff457d2b..0dde9880d5 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP NEWS
+
+ Backported from 7.1.28
+
++- EXIF:
++ . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)
++
+ - SQLite3:
+ . Added sqlite3.defensive INI directive. (BohwaZ)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 4350124305..547bd58dfb 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1660,10 +1660,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo)
+ /* {{{ exif_iif_add_value
+ Add a value to image_info
+ */
+-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel TSRMLS_DC)
++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel TSRMLS_DC)
+ {
+ size_t idex;
+- void *vptr;
++ void *vptr, *vptr_end;
+ image_info_value *info_value;
+ image_info_data *info_data;
+ image_info_data *list;
+@@ -1685,8 +1685,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+
+ switch (format) {
+ case TAG_FMT_STRING:
++ if (length > value_len) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++ value = NULL;
++ }
+ if (value) {
+- length = php_strnlen(value, length);
++ length = (int)php_strnlen(value, length);
+ info_value->s = estrndup(value, length);
+ info_data->length = length;
+ } else {
+@@ -1708,6 +1712,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ if (!length)
+ break;
+ case TAG_FMT_UNDEFINED:
++ if (length > value_len) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++ value = NULL;
++ }
+ if (value) {
+ if (tag == TAG_MAKER_NOTE) {
+ length = (int) php_strnlen(value, length);
+@@ -1738,7 +1746,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ } else {
+ info_value = &info_data->value;
+ }
++ vptr_end = value+value_len;
+ for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
++ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
++ break;
++ }
+ if (length>1) {
+ info_value = &info_data->value.list[idex];
+ }
+@@ -1774,7 +1787,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type single");
+ #endif
+ info_value->f = *(float *)value;
+-
++ break;
+ case TAG_FMT_DOUBLE:
+ #ifdef EXIF_DEBUG
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type double");
+@@ -1792,9 +1805,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ /* {{{ exif_iif_add_tag
+ Add a tag from IFD to image_info
+ */
+-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value TSRMLS_DC)
++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len TSRMLS_DC)
+ {
+- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel TSRMLS_CC);
++ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel TSRMLS_CC);
+ }
+ /* }}} */
+
+@@ -2218,7 +2231,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im
+ */
+ static void exif_process_COM (image_info_type *image_info, char *value, size_t length TSRMLS_DC)
+ {
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2 TSRMLS_CC);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2 TSRMLS_CC);
+ }
+ /* }}} */
+
+@@ -2233,17 +2246,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ if (length>3) {
+ switch(value[2]) {
+ case 0:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value TSRMLS_CC);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length TSRMLS_CC);
+ break;
+ case 1:
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+ break;
+ default:
+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Undefined JPEG2000 comment encoding");
+ break;
+ }
+ } else {
+- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0 TSRMLS_CC);
+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "JPEG2000 comment section too small");
+ }
+ }
+@@ -2837,7 +2850,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table TSRMLS_DC)
+ {
+ size_t length;
+- int tag, format, components;
++ unsigned int tag, format, components;
+ char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
+@@ -3148,7 +3161,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ }
+ }
+ }
+- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr TSRMLS_CC);
++ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr, byte_count TSRMLS_CC);
+ EFREE_IF(outside);
+ return TRUE;
+ }
+@@ -3306,10 +3319,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
+ size_t l1, l2=0;
+
+ if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
+- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1 TSRMLS_CC);
+ if (length > 2+l1+1) {
+ l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
+- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2 TSRMLS_CC);
+ }
+ }
+ #ifdef EXIF_DEBUG
+@@ -4107,7 +4120,7 @@ PHP_FUNCTION(exif_read_data)
+ if (ImageInfo.Thumbnail.size) {
+ if (read_thumbnail) {
+ /* not exif_iif_add_str : this is a buffer */
+- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data TSRMLS_CC);
++ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size TSRMLS_CC);
+ }
+ if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+ /* try to evaluate if thumbnail data is present */
+From 8b4b035dcd3f382e9de4e2f661df2dc0797fc478 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 2 Apr 2019 10:37:40 +0200
+Subject: [PATCH] Pointer arithmetic on void pointers is illegal
+
+We quick-fix this by casting to char*; it might be more appropriate to
+use char pointers in the first place.
+
+(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c)
+---
+ ext/exif/exif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 547bd58dfb..81cf438a8e 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1746,9 +1746,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ } else {
+ info_value = &info_data->value;
+ }
+- vptr_end = value+value_len;
++ vptr_end = (char *) value + value_len;
+ for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
+- if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++ if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) {
+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
+ break;
+ }
diff --git a/php-sqlite3-defensive.patch b/php-sqlite3-defensive.patch
new file mode 100644
index 0000000..c2e87ca
--- /dev/null
+++ b/php-sqlite3-defensive.patch
@@ -0,0 +1,167 @@
+From 467239f10a6021d3eabe237ad0508b12d5d7d19e Mon Sep 17 00:00:00 2001
+From: bohwaz <github.bohwaz@miam.kd2.org>
+Date: Sun, 16 Dec 2018 22:52:37 +0100
+Subject: [PATCH] SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a
+ mitigation strategy against potential security flaws
+
+(cherry picked from commit 58c25bf679125a2da354db58ddc6b0cf6d10ee00)
+---
+ NEWS | 5 +++
+ ext/sqlite3/php_sqlite3.h | 1 +
+ ext/sqlite3/sqlite3.c | 9 ++++++
+ ext/sqlite3/tests/sqlite3_defensive.phpt | 40 ++++++++++++++++++++++++
+ php.ini-development | 11 +++++++
+ php.ini-production | 11 +++++++
+ 6 files changed, 77 insertions(+)
+ create mode 100644 ext/sqlite3/tests/sqlite3_defensive.phpt
+
+diff --git a/NEWS b/NEWS
+index 16da63bbb2..0bff457d2b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,11 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.1.28
++
++- SQLite3:
++ . Added sqlite3.defensive INI directive. (BohwaZ)
++
+ Backported from 7.1.27
+
+ - Core:
+diff --git a/ext/sqlite3/php_sqlite3.h b/ext/sqlite3/php_sqlite3.h
+index 88da39e75c..5304f00dbf 100644
+--- a/ext/sqlite3/php_sqlite3.h
++++ b/ext/sqlite3/php_sqlite3.h
+@@ -28,6 +28,7 @@ extern zend_module_entry sqlite3_module_entry;
+
+ ZEND_BEGIN_MODULE_GLOBALS(sqlite3)
+ char *extension_dir;
++ int dbconfig_defensive;
+ ZEND_END_MODULE_GLOBALS(sqlite3)
+
+ #ifdef ZTS
+diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
+index 80d6b897f1..761b777d06 100644
+--- a/ext/sqlite3/sqlite3.c
++++ b/ext/sqlite3/sqlite3.c
+@@ -82,6 +82,9 @@ static void php_sqlite3_error(php_sqlite3_db_object *db_obj, char *format, ...)
+ */
+ PHP_INI_BEGIN()
+ STD_PHP_INI_ENTRY("sqlite3.extension_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, extension_dir, zend_sqlite3_globals, sqlite3_globals)
++#if SQLITE_VERSION_NUMBER >= 3026000
++ STD_PHP_INI_ENTRY("sqlite3.defensive", "1", PHP_INI_SYSTEM, OnUpdateBool, dbconfig_defensive, zend_sqlite3_globals, sqlite3_globals)
++#endif
+ PHP_INI_END()
+ /* }}} */
+
+@@ -177,6 +180,12 @@ PHP_METHOD(sqlite3, open)
+ sqlite3_set_authorizer(db_obj->db, php_sqlite3_authorizer, NULL);
+ }
+
++#if SQLITE_VERSION_NUMBER >= 3026000
++ if (SQLITE3G(dbconfig_defensive)) {
++ sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL);
++ }
++#endif
++
+ if (fullpath != filename) {
+ efree(fullpath);
+ }
+diff --git a/ext/sqlite3/tests/sqlite3_defensive.phpt b/ext/sqlite3/tests/sqlite3_defensive.phpt
+new file mode 100644
+index 0000000000..064d87b50a
+--- /dev/null
++++ b/ext/sqlite3/tests/sqlite3_defensive.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++SQLite3 defensive mode ini setting
++--SKIPIF--
++<?php require_once(__DIR__ . '/skipif.inc');
++
++if (SQLite3::version()['versionNumber'] < 3026000) {
++ die("skip: sqlite3 library version < 3.26: no support for defensive mode");
++}
++
++?>
++--INI--
++sqlite3.defensive=On
++--FILE--
++<?php
++
++$db = new SQLite3(':memory:');
++var_dump($db->exec('CREATE TABLE test (a, b);'));
++
++// This does not generate an error!
++var_dump($db->exec('PRAGMA writable_schema = ON;'));
++var_dump($db->querySingle('PRAGMA writable_schema;'));
++
++// Should be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++
++// Should generate an error!
++var_dump($db->querySingle('DELETE FROM sqlite_master;'));
++
++// Should still be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++?>
++--EXPECTF--
++bool(true)
++bool(true)
++int(1)
++int(1)
++
++Warning: SQLite3::querySingle(): Unable to prepare statement: 1, table sqlite_master may not be modified in %s on line %d
++bool(false)
++int(1)
+\ No newline at end of file
+diff --git a/php.ini-development b/php.ini-development
+index 752f601436..27cc55b75b 100644
+--- a/php.ini-development
++++ b/php.ini-development
+@@ -981,8 +981,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
+diff --git a/php.ini-production b/php.ini-production
+index 97b5043ce9..d7e9420a72 100644
+--- a/php.ini-production
++++ b/php.ini-production
+@@ -981,8 +981,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
diff --git a/php.spec b/php.spec
index 66bf8cb..7247d65 100644
--- a/php.spec
+++ b/php.spec
@@ -136,7 +136,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.6.40
-Release: 6%{?dist}
+Release: 7%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -203,8 +203,11 @@ Patch210: php-bug77540.patch
Patch211: php-bug77563.patch
Patch212: php-bug77586.patch
Patch213: php-bug77630.patch
-# update NEWS file with backport information
-Patch299: php-news.patch
+Patch214: php-news.patch
+Patch215: php-sqlite3-defensive.patch
+Patch216: php-bug77753.patch
+Patch217: php-bug77831.patch
+
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -939,7 +942,10 @@ support for using the enchant library to PHP.
%patch211 -p1 -b .bug77563
%patch212 -p1 -b .bug77586
%patch213 -p1 -b .bug77630
-%patch299 -p1 -b .backport
+%patch214 -p1 -b .backport
+%patch215 -p1 -b .sqlite3.defensive
+%patch216 -p1 -b .bug77753
+%patch217 -p1 -b .bug77831
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1885,6 +1891,13 @@ EOF
%changelog
+* Tue Apr 2 2019 Remi Collet <remi@remirepo.net> - 5.6.40-7
+- exif:
+ Fix #77753 Heap-buffer-overflow in php_ifd_get32s
+ Fix #77831 Heap-buffer-overflow in exif_iif_add_value
+- sqlite3:
+ Added sqlite3.defensive INI directive
+
* Fri Mar 15 2019 Remi Collet <remi@remirepo.net> - 5.6.40-6
- Fix #76846 Segfault in shutdown function after memory limit error