Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-01-05 17:06:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "php5", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-01-05 17:06:40.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-01-05 17:06:41.000000000 +0100 @@ -1,0 +2,19 @@ +Mon Jan 2 14:36:39 UTC 2012 - [email protected] + +- security update: + * CVE-2011-4885 [bnc#738221] -- added max_input_vars directive + to prevent attacks based on hash collisions + +------------------------------------------------------------------- +Tue Dec 20 12:58:50 UTC 2011 - [email protected] + +- apache module conflicts with apache2-worker [bnc#728671] + +------------------------------------------------------------------- +Fri Dec 9 11:35:56 UTC 2011 - [email protected] + +- security update: + * CVE-2011-4566 [bnc#733590] + * CVE-2011-1466 [bnc#736169] + +------------------------------------------------------------------- New: ---- php-5.3.8-CVE-2011-1466.patch php-5.3.8-CVE-2011-4566.patch php-5.3.8-CVE-2011-4885.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.00es7w/_old 2012-01-05 17:06:41.000000000 +0100 +++ /var/tmp/diff_new_pack.00es7w/_new 2012-01-05 17:06:41.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package php5 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -137,6 +137,9 @@ %endif Patch34: php5-2g-crash.patch Patch35: php-5.3.8-CVE-2011-3379.patch +Patch36: php-5.3.8-CVE-2011-4566.patch +Patch37: php-5.3.8-CVE-2011-1466.patch +Patch38: php-5.3.8-CVE-2011-4885.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -219,6 +222,7 @@ Requires: apache2-prefork %{apache2_mmn} %{name} = %{version} PreReq: apache2 Conflicts: apache2-mod_php4 +Conflicts: apache2-worker Provides: mod_php_any php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter %description -n apache2-mod_php5 @@ -1246,6 +1250,9 @@ %endif %patch34 %patch35 +%patch36 +%patch37 +%patch38 # Safety check for API version change. vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` if test "x${vapi}" != "x%{apiver}"; then ++++++ php-5.3.8-CVE-2011-1466.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=306475 http://svn.php.net/viewvc/?view=revision&revision=317360 http://svn.php.net/viewvc/?view=revision&revision=317387 Index: ext/calendar/gregor.c =================================================================== --- ext/calendar/gregor.c.orig +++ ext/calendar/gregor.c @@ -127,6 +127,7 @@ **************************************************************************/ #include "sdncal.h" +#include <limits.h> #define GREGOR_SDN_OFFSET 32045 #define DAYS_PER_5_MONTHS 153 @@ -146,21 +147,12 @@ void SdnToGregorian( long int temp; int dayOfYear; - if (sdn <= 0) { - *pYear = 0; - *pMonth = 0; - *pDay = 0; - return; + if (sdn <= 0 || + sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) { + goto fail; } temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1; - if (temp < 0) { - *pYear = 0; - *pMonth = 0; - *pDay = 0; - return; - } - /* Calculate the century (year/100). */ century = temp / DAYS_PER_400_YEARS; @@ -190,6 +182,10 @@ void SdnToGregorian( *pYear = year; *pMonth = month; *pDay = day; +fail: + *pYear = 0; + *pMonth = 0; + *pDay = 0; } long int GregorianToSdn( ++++++ php-5.3.8-CVE-2011-4566.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=319535 --- ext/exif/exif.c 2011/11/19 04:41:03 319534 +++ ext/exif/exif.c 2011/11/19 04:49:36 319535 @@ -2874,11 +2874,11 @@ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { /* It is important to check for IMAGE_FILETYPE_TIFF * JPEG does not use absolute pointers instead its pointers are * relative to the start of the TIFF header in APP1 section. */ - if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { + if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { if (value_ptr < dir_entry) { /* we can read this if offset_val > 0 */ /* some files have their values in other parts of the file */ ++++++ php-5.3.8-CVE-2011-4885.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=321038 http://svn.php.net/viewvc?view=revision&revision=321040 Index: php.ini-development =================================================================== --- php.ini-development.orig +++ php.ini-development @@ -453,6 +453,9 @@ max_input_time = 60 ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Index: php.ini-production =================================================================== --- php.ini-production.orig +++ php.ini-production @@ -453,6 +453,9 @@ max_input_time = 60 ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Index: main/main.c =================================================================== --- main/main.c.orig +++ main/main.c @@ -512,6 +512,7 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) Index: main/php_globals.h =================================================================== --- main/php_globals.h.orig +++ main/php_globals.h @@ -170,6 +170,8 @@ struct _php_core_globals { char *mail_log; zend_bool in_error_log; + + long max_input_vars; }; Index: main/php_variables.c =================================================================== --- main/php_variables.c.orig +++ main/php_variables.c @@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(cha } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); @@ -236,6 +239,9 @@ plain_var: zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } if (escaped_index != index) { ++++++ php-suse-addons.tar.bz2 ++++++ -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
