Hello community, here is the log from the commit of package php5 for openSUSE:11.3 checked in at Wed Mar 9 18:04:34 CET 2011.
-------- --- old-versions/11.3/UPDATES/all/php5/php5.changes 2011-02-25 11:14:06.000000000 +0100 +++ 11.3/php5/php5.changes 2011-03-08 12:16:00.000000000 +0100 @@ -1,0 +2,7 @@ +Tue Mar 8 12:12:50 CET 2011 - [email protected] + +- security fixes + * CVE-2011-0420 [bnc#672933] + * CVE-2011-0708 [bnc#671710] + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- php-5.3.3-CVE-2011-0420.patch php-5.3.3-CVE-2011-0708.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.eBY1qz/_old 2011-03-09 17:47:13.000000000 +0100 +++ /var/tmp/diff_new_pack.eBY1qz/_new 2011-03-09 17:47:13.000000000 +0100 @@ -77,7 +77,7 @@ ### ### Version: 5.3.3 -Release: 0.<RELEASE12> +Release: 0.<RELEASE13> License: The PHP License, version 3.01 Group: Development/Languages/Other Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter @@ -128,6 +128,8 @@ Patch37: php-5.3.3-CVE-2011-0755.patch Patch38: php-5.3.3-CVE-2011-0752.patch Patch39: php-5.3.3-CVE-2011-0753.patch +Patch40: php-5.3.3-CVE-2011-0420.patch +Patch41: php-5.3.3-CVE-2011-0708.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -1225,6 +1227,8 @@ %patch37 %patch38 %patch39 +%patch40 +%patch41 # we build three SAPI %{__mkdir_p} build-apache2 %{__mkdir_p} build-fastcgi/sapi/cgi/libfcgi ++++++ php-5.3.3-CVE-2011-0420.patch ++++++ --- ext/intl/grapheme/grapheme_string.c 2010/12/19 04:10:49 306448 +++ ext/intl/grapheme/grapheme_string.c 2010/12/19 05:07:31 306449 @@ -799,7 +799,7 @@ if ( NULL != next ) { if ( !PZVAL_IS_REF(next) ) { - intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: 'next' was not passed by reference", 0 TSRMLS_CC ); RETURN_FALSE; @@ -819,10 +819,16 @@ } if ( lstart > INT32_MAX || lstart < 0 || lstart >= str_len ) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: start not contained in string", 0 TSRMLS_CC ); + RETURN_FALSE; + } - intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: start not contained in string", 1 TSRMLS_CC ); - + if ( size > INT32_MAX || size < 0) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: size is invalid", 0 TSRMLS_CC ); RETURN_FALSE; + } + if (size == 0) { + RETURN_EMPTY_STRING(); } /* we checked that it will fit: */ ++++++ php-5.3.3-CVE-2011-0708.patch ++++++ Index: ext/exif/exif.c =================================================================== --- ext/exif/exif.c.orig +++ ext/exif/exif.c @@ -40,6 +40,10 @@ #include "php.h" #include "ext/standard/file.h" +#ifdef PHP_WIN32 +#include "win32/php_stdint.h" +#endif + #if HAVE_EXIF /* When EXIF_DEBUG is defined the module generates a lot of debug messages @@ -2821,6 +2825,7 @@ static int exif_process_IFD_TAG(image_in int tag, format, components; char *value_ptr, tagname[64], cbuf[32], *outside=NULL; size_t byte_count, offset_val, fpos, fgot; + int64_t byte_count_signed; xp_field_type *tmp_xp; #ifdef EXIF_DEBUG char *dump_data; @@ -2845,13 +2850,20 @@ static int exif_process_IFD_TAG(image_in /*return TRUE;*/ } - byte_count = components * php_tiff_bytes_per_format[format]; + if (components < 0) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components); + return FALSE; + } - if ((ssize_t)byte_count < 0) { - exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); + byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format]; + + if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC)); return FALSE; } + byte_count = (size_t)byte_count_signed; + if (byte_count > 4) { offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ @@ -2916,6 +2928,7 @@ static int exif_process_IFD_TAG(image_in efree(dump_data); } #endif + if (section_index==SECTION_THUMBNAIL) { if (!ImageInfo->Thumbnail.data) { switch(tag) { ++++++ php-5.3.3-CVE-2011-0753.patch ++++++ --- /var/tmp/diff_new_pack.eBY1qz/_old 2011-03-09 17:47:14.000000000 +0100 +++ /var/tmp/diff_new_pack.eBY1qz/_new 2011-03-09 17:47:14.000000000 +0100 @@ -42,3 +42,46 @@ } +--- ext/pcntl/php_signal.c 2010/11/01 22:40:29 305019 ++++ ext/pcntl/php_signal.c 2010/11/01 22:43:59 305020 +@@ -22,11 +22,15 @@ + + /* php_signal using sigaction is derrived from Advanced Programing + * in the Unix Environment by W. Richard Stevens p 298. */ +-Sigfunc *php_signal(int signo, Sigfunc *func, int restart) ++Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all) + { + struct sigaction act,oact; + act.sa_handler = func; +- sigemptyset(&act.sa_mask); ++ if (mask_all) { ++ sigfillset(&act.sa_mask); ++ } else { ++ sigemptyset(&act.sa_mask); ++ } + act.sa_flags = 0; + if (signo == SIGALRM || (! restart)) { + #ifdef SA_INTERRUPT +@@ -41,6 +45,11 @@ + return SIG_ERR; + + return oact.sa_handler; ++} ++ ++Sigfunc *php_signal(int signo, Sigfunc *func, int restart) ++{ ++ return php_signal4(signo, func, restart, 0); + } + + /* + +--- ext/pcntl/php_signal.h 2010/11/01 22:40:29 305019 ++++ ext/pcntl/php_signal.h 2010/11/01 22:43:59 305020 +@@ -31,5 +31,6 @@ + + typedef void Sigfunc(int); + Sigfunc *php_signal(int signo, Sigfunc *func, int restart); ++Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all); + + #endif + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
