Hello community, here is the log from the commit of package php5 for openSUSE:11.3 checked in at Thu Jan 5 16:16:14 CET 2012.
-------- --- old-versions/11.3/UPDATES/all/php5/php5.changes 2011-09-05 17:23:21.000000000 +0200 +++ 11.3/php5/php5.changes 2012-01-05 10:25:39.000000000 +0100 @@ -1,0 +2,21 @@ +Mon Jan 2 14:32:42 UTC 2012 - [email protected] + +- security update: + * CVE-2011-4885 [bnc#738221] -- added max_input_vars directive + to prevent attacks based on hash collisions + +------------------------------------------------------------------- +Tue Dec 20 14:53:08 UTC 2011 - [email protected] + +- apache module conflicts with apache2-worker [bnc#728671] + +------------------------------------------------------------------- +Fri Dec 9 11:38:27 UTC 2011 - [email protected] + +- security update: + * CVE-2011-4566 [bnc#733590] + * CVE-2011-3182 [bnc#713652] + * CVE-2011-1466 [bnc#736169] + * CVE-2011-1072 [bnc#735613] + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- php-5.3.3-CVE-2011-1466.patch php-5.3.3-CVE-2011-3182.patch php-5.3.3-CVE-2011-4566.patch php-5.3.3-CVE-2011-4885.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.ct4wbe/_old 2012-01-05 16:12:20.000000000 +0100 +++ /var/tmp/diff_new_pack.ct4wbe/_new 2012-01-05 16:12:20.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package php5 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -77,7 +77,7 @@ ### ### Version: 5.3.3 -Release: 0.<RELEASE21> +Release: 0.<RELEASE23> License: The PHP License, version 3.01 Group: Development/Languages/Other Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter @@ -145,6 +145,10 @@ Patch54: php-5.3.3-CVE-2011-2202.patch Patch55: php-5.3.3-CVE-2011-3268.patch Patch56: php-5.3.3-64-bit-post-large-files.patch +Patch57: php-5.3.3-CVE-2011-4566.patch +Patch58: php-5.3.3-CVE-2011-3182.patch +Patch59: php-5.3.3-CVE-2011-1466.patch +Patch60: php-5.3.3-CVE-2011-4885.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -229,6 +233,7 @@ Requires: apache2-prefork %{apache2_mmn} %{name} = %{version} PreReq: apache2 Conflicts: apache2-mod_php4 +Conflicts: apache2-worker Provides: mod_php_any php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter %description -n apache2-mod_php5 @@ -1259,6 +1264,10 @@ %patch54 %patch55 %patch56 -p1 +%patch57 +%patch58 +%patch59 +%patch60 # we build three SAPI %{__mkdir_p} build-apache2 %{__mkdir_p} build-fastcgi/sapi/cgi/libfcgi ++++++ install-pear-nozlib.phar ++++++ ++++ 8646 lines (skipped) ++++ between install-pear-nozlib.phar ++++ and 11.3/php5/install-pear-nozlib.phar ++++++ php-5.3.3-CVE-2011-1466.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=306475 http://svn.php.net/viewvc/?view=revision&revision=317360 http://svn.php.net/viewvc/?view=revision&revision=317387 Index: ext/calendar/gregor.c =================================================================== --- ext/calendar/gregor.c.orig +++ ext/calendar/gregor.c @@ -127,6 +127,7 @@ **************************************************************************/ #include "sdncal.h" +#include <limits.h> #define GREGOR_SDN_OFFSET 32045 #define DAYS_PER_5_MONTHS 153 @@ -146,21 +147,12 @@ void SdnToGregorian( long int temp; int dayOfYear; - if (sdn <= 0) { - *pYear = 0; - *pMonth = 0; - *pDay = 0; - return; + if (sdn <= 0 || + sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) { + goto fail; } temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1; - if (temp < 0) { - *pYear = 0; - *pMonth = 0; - *pDay = 0; - return; - } - /* Calculate the century (year/100). */ century = temp / DAYS_PER_400_YEARS; @@ -190,6 +182,10 @@ void SdnToGregorian( *pYear = year; *pMonth = month; *pDay = day; +fail: + *pYear = 0; + *pMonth = 0; + *pDay = 0; } long int GregorianToSdn( Index: ext/calendar/julian.c =================================================================== --- ext/calendar/julian.c.orig +++ ext/calendar/julian.c @@ -146,6 +146,7 @@ **************************************************************************/ #include "sdncal.h" +#include <limits.h> #define JULIAN_SDN_OFFSET 32083 #define DAYS_PER_5_MONTHS 153 @@ -164,15 +165,22 @@ void SdnToJulian( int dayOfYear; if (sdn <= 0) { - *pYear = 0; - *pMonth = 0; - *pDay = 0; - return; + goto fail; } - temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1; + /* Check for overflow */ + if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) { + goto fail; + } + temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1); /* Calculate the year and day of year (1 <= dayOfYear <= 366). */ - year = temp / DAYS_PER_4_YEARS; + { + long yearl = temp / DAYS_PER_4_YEARS; + if (yearl > INT_MAX || yearl < INT_MIN) { + goto fail; + } + year = (int) yearl; + } dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1; /* Calculate the month and day of month. */ @@ -196,6 +204,12 @@ void SdnToJulian( *pYear = year; *pMonth = month; *pDay = day; + return; + +fail: + *pYear = 0; + *pMonth = 0; + *pDay = 0; } long int JulianToSdn( ++++++ php-5.3.3-CVE-2011-3182.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=313826 http://svn.php.net/viewvc?view=revision&revision=313827 http://svn.php.net/viewvc?view=revision&revision=313828 http://svn.php.net/viewvc?view=revision&revision=313830 http://svn.php.net/viewvc?view=revision&revision=313831 http://svn.php.net/viewvc?view=revision&revision=313832 http://svn.php.net/viewvc?view=revision&revision=313833 http://svn.php.net/viewvc?view=revision&revision=313835 http://svn.php.net/viewvc?view=revision&revision=313903 https://bugzilla.redhat.com/show_bug.cgi?id=732516 Index: ext/curl/interface.c =================================================================== --- ext/curl/interface.c.orig +++ ext/curl/interface.c @@ -803,6 +803,9 @@ PHP_MINIT_FUNCTION(curl) int i, c = CRYPTO_num_locks(); php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T)); + if (!php_curl_openssl_tsl) { + return FAILURE; + } for (i = 0; i < c; ++i) { php_curl_openssl_tsl[i] = tsrm_mutex_alloc(); Index: ext/com_dotnet/com_dotnet.c =================================================================== --- ext/com_dotnet/com_dotnet.c.orig +++ ext/com_dotnet/com_dotnet.c @@ -129,6 +129,9 @@ static HRESULT dotnet_init(char **p_wher char *where = ""; stuff = malloc(sizeof(*stuff)); + if (!stuff) { + return S_FALSE; + } memset(stuff, 0, sizeof(*stuff)); where = "CoCreateInstance"; Index: ext/pdo_odbc/pdo_odbc.c =================================================================== --- ext/pdo_odbc/pdo_odbc.c.orig +++ ext/pdo_odbc/pdo_odbc.c @@ -98,6 +98,9 @@ PHP_MINIT_FUNCTION(pdo_odbc) char *instance = INI_STR("pdo_odbc.db2_instance_name"); if (instance) { char *env = malloc(sizeof("DB2INSTANCE=") + strlen(instance)); + if (!env) { + return FAILURE; + } strcpy(env, "DB2INSTANCE="); strcat(env, instance); putenv(env); Index: ext/interbase/interbase.c =================================================================== --- ext/interbase/interbase.c.orig +++ ext/interbase/interbase.c @@ -998,9 +998,12 @@ static void _php_ibase_connect(INTERNAL_ ZEND_REGISTER_RESOURCE(return_value, ib_link, le_link); } else { zend_rsrc_list_entry new_le; - + ib_link = (ibase_db_link *) malloc(sizeof(ibase_db_link)); - + if (!ib_link) { + RETURN_FALSE; + } + /* hash it up */ Z_TYPE(new_le) = le_plink; new_le.ptr = ib_link; Index: ext/readline/readline.c =================================================================== --- ext/readline/readline.c.orig +++ ext/readline/readline.c @@ -465,6 +465,9 @@ static char **_readline_completion_cb(co matches = rl_completion_matches(text,_readline_command_generator); } else { matches = malloc(sizeof(char *) * 2); + if (!matches) { + return NULL; + } matches[0] = strdup(""); matches[1] = '\0'; } @@ -505,6 +508,10 @@ PHP_FUNCTION(readline_completion_functio zval_copy_ctor(_readline_completion); rl_attempted_completion_function = _readline_completion_cb; + if (rl_attempted_completion_function == NULL) { + efree(name); + RETURN_FALSE; + } RETURN_TRUE; } Index: ext/standard/url_scanner_ex.re =================================================================== --- ext/standard/url_scanner_ex.re.orig +++ ext/standard/url_scanner_ex.re @@ -55,9 +55,13 @@ static PHP_INI_MH(OnUpdateTags) if (ctx->tags) zend_hash_destroy(ctx->tags); - else + else { ctx->tags = malloc(sizeof(HashTable)); - + if (!ctx->tags) { + return FAILURE; + } + } + zend_hash_init(ctx->tags, 0, NULL, NULL, 1); for (key = php_strtok_r(tmp, ",", &lasts); Index: ext/sybase_ct/php_sybase_ct.c =================================================================== --- ext/sybase_ct/php_sybase_ct.c.orig +++ ext/sybase_ct/php_sybase_ct.c @@ -777,6 +777,10 @@ static void php_sybase_do_connect(INTERN } sybase_ptr = (sybase_link *) malloc(sizeof(sybase_link)); + if (!sybase_ptr) { + efree(hashed_details); + RETURN_FALSE; + } if (!php_sybase_do_connect_internal(sybase_ptr, host, user, passwd, charset, appname TSRMLS_CC)) { free(sybase_ptr); efree(hashed_details); Index: ext/mssql/php_mssql.c =================================================================== --- ext/mssql/php_mssql.c.orig +++ ext/mssql/php_mssql.c @@ -685,6 +685,13 @@ static void php_mssql_do_connect(INTERNA /* hash it up */ mssql_ptr = (mssql_link *) malloc(sizeof(mssql_link)); + if (!mssql_ptr) { + efree(hashed_details); + dbfreelogin(mssql.login); + dbclose(mssql.link); + RETURN_FALSE; + } + memcpy(mssql_ptr, &mssql, sizeof(mssql_link)); Z_TYPE(new_le) = le_plink; new_le.ptr = mssql_ptr; ++++++ php-5.3.3-CVE-2011-4566.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=319535 --- ext/exif/exif.c 2011/11/19 04:41:03 319534 +++ ext/exif/exif.c 2011/11/19 04:49:36 319535 @@ -2874,11 +2874,11 @@ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { /* It is important to check for IMAGE_FILETYPE_TIFF * JPEG does not use absolute pointers instead its pointers are * relative to the start of the TIFF header in APP1 section. */ - if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { + if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { if (value_ptr < dir_entry) { /* we can read this if offset_val > 0 */ /* some files have their values in other parts of the file */ ++++++ php-5.3.3-CVE-2011-4885.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=321038 http://svn.php.net/viewvc?view=revision&revision=321040 Index: php.ini-development =================================================================== --- php.ini-development.orig +++ php.ini-development @@ -453,6 +453,9 @@ max_input_time = 60 ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Index: php.ini-production =================================================================== --- php.ini-production.orig +++ php.ini-production @@ -453,6 +453,9 @@ max_input_time = 60 ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Index: main/main.c =================================================================== --- main/main.c.orig +++ main/main.c @@ -512,6 +512,7 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) Index: main/php_globals.h =================================================================== --- main/php_globals.h.orig +++ main/php_globals.h @@ -170,6 +170,8 @@ struct _php_core_globals { char *mail_log; zend_bool in_error_log; + + long max_input_vars; }; Index: main/php_variables.c =================================================================== --- main/php_variables.c.orig +++ main/php_variables.c @@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(cha } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); @@ -236,6 +239,9 @@ plain_var: zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } if (escaped_index != index) { ++++++ php-suse-addons.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/php-suse-addons/README.SUSE new/php-suse-addons/README.SUSE --- old/php-suse-addons/README.SUSE 2005-02-09 15:40:33.000000000 +0100 +++ new/php-suse-addons/README.SUSE 2012-01-05 10:24:20.000000000 +0100 @@ -41,6 +41,7 @@ Enabling/disabling the PHP5 module for Apache ============================================= + - do not use PHP module with Apache Worker - in /etc/sysconfig/apache2, add "php5" to APACHE_MODULES, or remove it to disable - possibly include /etc/apache2/conf.d/mod_php5.conf in individual virtual continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
