Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-02-17 10:41:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "php5", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-02-03 17:05:23.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-02-17 10:41:55.000000000 +0100 @@ -1,0 +2,9 @@ +Tue Feb 7 12:44:07 UTC 2012 - [email protected] + +- security update: + * CVE-2012-0807 [bnc#743308] + * CVE-2012-0057 [bnc#741520] + * CVE-2011-4153 [bnc#741859] + * CVE-2012-0831 [bnc#746661] + +------------------------------------------------------------------- New: ---- php-5.3.8-CVE-2011-4153.patch php-5.3.8-CVE-2012-0057.patch php-5.3.8-CVE-2012-0807.patch php-5.3.8-CVE-2012-0831.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.dflNDP/_old 2012-02-17 10:41:56.000000000 +0100 +++ /var/tmp/diff_new_pack.dflNDP/_new 2012-02-17 10:41:56.000000000 +0100 @@ -169,6 +169,10 @@ Patch41: php-5.3.8-memory-corruption-parse_ini_string.patch Patch42: php-5.3.8-CVE-2012-0789.patch Patch43: php-5.3.8-CVE-2012-0830.patch +Patch44: php-5.3.8-CVE-2012-0807.patch +Patch45: php-5.3.8-CVE-2012-0057.patch +Patch46: php-5.3.8-CVE-2011-4153.patch +Patch47: php-5.3.8-CVE-2012-0831.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files 
@@ -1288,6 +1292,10 @@ %patch41 %patch42 %patch43 -p1 +%patch44 +%patch45 +%patch46 +%patch47 # Safety check for API version change. vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` if test "x${vapi}" != "x%{apiver}"; then ++++++ php-5.3.8-CVE-2011-4153.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=319442 http://svn.php.net/viewvc?view=revision&revision=319453 #-0- Zend/zend_builtin_functions.c #-1- ext/soap/php_sdl.c #-2- ext/standard/syslog.c #-3- N/A for 5.3.8 #-4- N/A #-5- N/A #-6- ext/session/mod_files.c ext/standard/file.c Index: Zend/zend_builtin_functions.c =================================================================== --- Zend/zend_builtin_functions.c.orig +++ Zend/zend_builtin_functions.c @@ -683,6 +683,9 @@ repeat: } c.flags = case_sensitive; /* non persistent */ c.name = zend_strndup(name, name_len); + if(c.name == NULL) { + RETURN_FALSE; + } c.name_len = name_len+1; c.module_number = PHP_USER_CONSTANT; if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) { Index: ext/standard/syslog.c =================================================================== --- ext/standard/syslog.c.orig +++ ext/standard/syslog.c @@ -234,6 +234,9 @@ PHP_FUNCTION(openlog) free(BG(syslog_device)); } BG(syslog_device) = zend_strndup(ident, ident_len); + if(BG(syslog_device) == NULL) { + RETURN_FALSE; + } openlog(BG(syslog_device), option, facility); RETURN_TRUE; } Index: ext/soap/php_sdl.c =================================================================== --- ext/soap/php_sdl.c.orig +++ ext/soap/php_sdl.c 
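Review bot: The early `RETURN_FALSE;` added after the failed `zend_strndup()` in Zend/zend_builtin_functions.c exits with `c` only partly built. If `c.value` already holds a copied zval at this point, the new path leaks it on every failed allocation; the code that fills `c.value` is outside the hunk, so this needs confirming. If it is a copy, release it first, e.g. `zval_dtor(&c.value);` before `RETURN_FALSE;`. As a style point, the check is written `if(c.name == NULL)` while the neighbouring `if (zend_register_constant(` line has a space after `if`.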
@@ -147,6 +147,10 @@ encodePtr get_encoder(sdlPtr sdl, const memcpy(new_enc, enc, sizeof(encode)); if (sdl->is_persistent) { new_enc->details.ns = zend_strndup(ns, ns_len); + if (new_enc->details.ns == NULL) { + efree(nscat); + return NULL; + } new_enc->details.type_str = strdup(new_enc->details.type_str); } else { new_enc->details.ns = estrndup(ns, ns_len); Index: ext/standard/file.c =================================================================== --- ext/standard/file.c.orig +++ ext/standard/file.c @@ -2612,10 +2612,15 @@ PHP_FUNCTION(fnmatch) Returns directory path used for temporary files */ PHP_FUNCTION(sys_get_temp_dir) { + char *tmp_dir; if (zend_parse_parameters_none() == FAILURE) { return; } - RETURN_STRING((char *)php_get_temporary_directory(), 1); + tmp_dir = (char *)php_get_temporary_directory(); + if (tmp_dir == NULL) { + return; + } + RETURN_STRING(tmp_dir, 1); } /* }}} */ Index: ext/session/mod_files.c =================================================================== --- ext/session/mod_files.c.orig +++ ext/session/mod_files.c @@ -273,6 +273,9 @@ PS_OPEN_FUNC(files) if (*save_path == '\0') { /* if save path is an empty string, determine the temporary dir */ save_path = php_get_temporary_directory(); + if (save_path == NULL) { + return FAILURE; + } if (PG(safe_mode) && (!php_checkuid(save_path, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { return FAILURE; ++++++ php-5.3.8-CVE-2012-0057.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=317759 http://svn.php.net/viewvc/?view=revision&revision=317801 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658088#22 Index: ext/xsl/xsltprocessor.c =================================================================== --- ext/xsl/xsltprocessor.c.orig +++ ext/xsl/xsltprocessor.c @@ -26,6 +26,7 @@ #include "php.h" #include "php_xsl.h" #include "ext/libxml/php_libxml.h" +#include "zend_ini.h" /* {{{ arginfo */ ZEND_BEGIN_ARG_INFO_EX(arginfo_xsl_xsltprocessor_import_stylesheet, 0, 0, 1) 
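Review bot: In get_encoder() the new failure branch frees `nscat` but not `new_enc`, which was just filled by the `memcpy(new_enc, enc, sizeof(encode))` shown as context. Its allocation is outside the hunk, so the matching deallocator has to be taken from there, but as written the block appears to leak on this path. The very next line, `new_enc->details.type_str = strdup(new_enc->details.type_str);`, has the same unchecked-allocation problem the patch is fixing and leaves a NULL `type_str` in a persistent encoder. I would check it as well, for example `if (new_enc->details.type_str == NULL) { /* free ns, new_enc, nscat */ return NULL; }`.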
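Review bot: In PHP_FUNCTION(sys_get_temp_dir) the new `if (tmp_dir == NULL) { return; }` hands NULL back to the script with no diagnostic, while the proto comment above still says only "Returns directory path used for temporary files". A script that concatenates the result with a file name would then build a path rooted at `/` instead of failing. I would either return an explicit `RETURN_FALSE;` or extend the proto comment to state that NULL is returned when no temporary directory can be determined.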
@@ -475,6 +476,9 @@ static xmlDocPtr php_xsl_apply_styleshee zval *doXInclude, *member; zend_object_handlers *std_hnd; FILE *f; + int secPrefsError = 0; + int secPrefsIni; + xsltSecurityPrefsPtr secPrefs = NULL; node = php_libxml_import_node(docp TSRMLS_CC); 
@@ -531,11 +535,56 @@ static xmlDocPtr php_xsl_apply_styleshee } efree(member); - newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt); + + secPrefsIni = INI_INT("xsl.security_prefs"); + + //if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... + if (secPrefsIni != XSL_SECPREF_NONE) { + secPrefs = xsltNewSecurityPrefs(); + if (secPrefsIni & XSL_SECPREF_READ_FILE ) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_WRITE_FILE ) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_CREATE_DIRECTORY ) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_READ_NETWORK) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_WRITE_NETWORK) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + + if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) { + secPrefsError = 1; + } + } + + if (secPrefsError == 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons"); + } else { + newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt); + } if (f) { fclose(f); } + xsltFreeTransformContext(ctxt); + if (secPrefs) { + xsltFreeSecurityPrefs(secPrefs); + } if (intern->node_list != NULL) { zend_hash_destroy(intern->node_list); Index: ext/xsl/php_xsl.h =================================================================== --- ext/xsl/php_xsl.h.orig +++ ext/xsl/php_xsl.h 
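Review bot: When `secPrefsError == 1` the transformation is skipped and `newdocp` is never assigned anywhere in this hunk. Unless its declaration, which is outside the hunk, initialises it to NULL, php_xsl_apply_stylesheet() continues with an indeterminate pointer after printing the warning. Adding `newdocp = NULL;` in the error branch, or at the declaration, makes the fail-closed path well defined. The result of `xsltNewSecurityPrefs()` is also used unchecked; an explicit `if (secPrefs == NULL) { secPrefsError = 1; }` would state the intent rather than relying on the later setter calls to fail. The `//if securityPrefs is set to NONE...` line uses a C++-style comment in a file whose other comments visible here are `/* */`.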
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr #include <libxslt/xsltInternals.h> #include <libxslt/xsltutils.h> #include <libxslt/transform.h> +#include <libxslt/security.h> #if HAVE_XSL_EXSLT #include <libexslt/exslt.h> #include <libexslt/exsltconfig.h> @@ -43,6 +44,13 @@ extern zend_module_entry xsl_module_entr #include <libxslt/extensions.h> #include <libxml/xpathInternals.h> +#define XSL_SECPREF_NONE 0 +#define XSL_SECPREF_READ_FILE 2 +#define XSL_SECPREF_WRITE_FILE 4 +#define XSL_SECPREF_CREATE_DIRECTORY 8 +#define XSL_SECPREF_READ_NETWORK 16 +#define XSL_SECPREF_WRITE_NETWORK 32 + typedef struct _xsl_object { zend_object std; void *ptr; Index: ext/xsl/php_xsl.c =================================================================== --- ext/xsl/php_xsl.c.orig +++ ext/xsl/php_xsl.c @@ -141,6 +141,11 @@ zend_object_value xsl_objects_new(zend_c } /* }}} */ +PHP_INI_BEGIN() +//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK |Â XSL_SECPREF_WRITE_FILE == 44 +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) +PHP_INI_END() + /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(xsl) 
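Review bot: The `xsl.security_prefs` entry in ext/xsl/php_xsl.c is registered with `PHP_INI_ALL` and a NULL modify handler, so any script or per-directory configuration can set it to `0` and the value is never validated against the defined `XSL_SECPREF_*` bits. That may be intended, since the setting guards against untrusted stylesheets rather than untrusted scripts, but it deserves a comment next to the entry saying so. Something like `/* PHP_INI_ALL on purpose: protects against hostile stylesheets, not hostile scripts; default 44 forbids file write, directory creation and network write */` would do. The existing comment on the default also carries a stray non-ASCII byte before `XSL_SECPREF_WRITE_FILE` and uses `//`, which older C compilers reject.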
@@ -167,6 +172,13 @@ PHP_MINIT_FUNCTION(xsl) REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT); REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); @@ -175,6 +187,8 @@ PHP_MINIT_FUNCTION(xsl) REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); #endif + REGISTER_INI_ENTRIES(); + return SUCCESS; } /* }}} */ @@ -258,6 +272,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl) xsltCleanupGlobals(); + UNREGISTER_INI_ENTRIES(); + return SUCCESS; } /* }}} */ ++++++ php-5.3.8-CVE-2012-0807.patch ++++++ https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa Index: ext/suhosin/header.c =================================================================== --- ext/suhosin/header.c.orig +++ ext/suhosin/header.c 
@@ -3,7 +3,7 @@ | Suhosin Version 1 | +----------------------------------------------------------------------+ | Copyright (c) 2006-2007 The Hardened-PHP Project | - | Copyright (c) 2007-2010 SektionEins GmbH | + | Copyright (c) 2007-2012 SektionEins GmbH | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -40,28 +40,20 @@ static int (*orig_header_handler)(sapi_h char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC) { - char buffer[4096]; - char buffer2[4096]; - char *buf = buffer, *buf2 = buffer2, *d, *d_url; - int l; - - if (name_len > sizeof(buffer)-2) { - buf = estrndup(name, name_len); - } else { - memcpy(buf, name, name_len); - buf[name_len] = 0; - } + char *buf, *buf2, *d, *d_url; + int l; + + buf = estrndup(name, name_len); + name_len = php_url_decode(buf, name_len); - normalize_varname(buf); - name_len = strlen(buf); + normalize_varname(buf); + name_len = strlen(buf); if (SUHOSIN_G(cookie_plainlist)) { if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) { encrypt_return_plain: - if (buf != buffer) { - efree(buf); - } + efree(buf); return estrndup(value, value_len); } } else if (SUHOSIN_G(cookie_cryptlist)) { 
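Review bot: The switch to unconditional `estrndup()` in suhosin_encrypt_single_cookie() is not explained in the code, and a later "optimisation" could easily bring the stack fast path back. The removed value path tested `strlen(value)` against the buffer size but then copied `value_len` bytes, which is the mismatch worth recording. I would add a short comment above `buf = estrndup(name, name_len);` such as `/* always heap-allocate: lengths come from the request; the old 4096-byte stack copies checked strlen(value) but copied value_len */`. The same comment applies to the matching hunks in suhosin_decrypt_single_cookie() further down.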
@@ -70,52 +62,34 @@ encrypt_return_plain: } } - if (strlen(value) <= sizeof(buffer2)-2) { - memcpy(buf2, value, value_len); - buf2[value_len] = 0; - } else { - buf2 = estrndup(value, value_len); - } + buf2 = estrndup(value, value_len); value_len = php_url_decode(buf2, value_len); d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC); d_url = php_url_encode(d, strlen(d), &l); efree(d); - if (buf != buffer) { - efree(buf); - } - if (buf2 != buffer2) { - efree(buf2); - } + efree(buf); + efree(buf2); return d_url; } char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC) { - char buffer[4096]; - char buffer2[4096]; int o_name_len = name_len; - char *buf = buffer, *buf2 = buffer2, *d, *d_url; + char *buf, *buf2, *d, *d_url; int l; - if (name_len > sizeof(buffer)-2) { - buf = estrndup(name, name_len); - } else { - memcpy(buf, name, name_len); - buf[name_len] = 0; - } - + buf = estrndup(name, name_len); + name_len = php_url_decode(buf, name_len); - normalize_varname(buf); - name_len = strlen(buf); + normalize_varname(buf); + name_len = strlen(buf); if (SUHOSIN_G(cookie_plainlist)) { if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) { decrypt_return_plain: - if (buf != buffer) { - efree(buf); - } + efree(buf); memcpy(*where, name, o_name_len); *where += o_name_len; **where = '='; *where +=1; @@ -130,12 +104,7 @@ decrypt_return_plain: } - if (strlen(value) <= sizeof(buffer2)-2) { - memcpy(buf2, value, value_len); - buf2[value_len] = 0; - } else { - buf2 = estrndup(value, value_len); - } + buf2 = estrndup(value, value_len); value_len = php_url_decode(buf2, value_len); @@ -152,12 +121,8 @@ decrypt_return_plain: *where += l; efree(d_url); skip_cookie: - if (buf != buffer) { - efree(buf); - } - if (buf2 != buffer2) { - efree(buf2); - } + efree(buf); + efree(buf2); return *where; } 
@@ -240,7 +205,7 @@ int suhosin_header_handler(sapi_header_s } #endif - if (!SUHOSIN_G(allow_multiheader) && sapi_header && sapi_header->header) { + if (sapi_header && sapi_header->header) { tmp = sapi_header->header; @@ -256,6 +221,9 @@ int suhosin_header_handler(sapi_header_s if (!SUHOSIN_G(simulation)) { sapi_header->header_len = i; } + } + if (SUHOSIN_G(allow_multiheader)) { + continue; } else if ((tmp[0] == '\r' && (tmp[1] != '\n' || i == 0)) || (tmp[0] == '\n' && (i == sapi_header->header_len-1 || i == 0 || (tmp[1] != ' ' && tmp[1] != '\t')))) { char *fname = get_active_function_name(TSRMLS_C); ++++++ php-5.3.8-CVE-2012-0831.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=323016 Index: main/php_variables.c =================================================================== --- main/php_variables.c.orig +++ main/php_variables.c @@ -452,7 +452,10 @@ void _php_import_environment_variables(z /* turn off magic_quotes while importing environment variables */ int magic_quotes_gpc = PG(magic_quotes_gpc); - PG(magic_quotes_gpc) = 0; + + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } for (env = environ; env != NULL && *env != NULL; env++) { p = strchr(*env, '='); @@ -595,7 +598,9 @@ static inline void php_register_server_v zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); } PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; - PG(magic_quotes_gpc) = 0; + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } /* Server variables */ if (sapi_module.register_server_variables) { Index: sapi/cgi/cgi_main.c =================================================================== --- sapi/cgi/cgi_main.c.orig +++ sapi/cgi/cgi_main.c 
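Review bot: The return value of `zend_alter_ini_entry_ex("magic_quotes_gpc", ...)` is discarded in _php_import_environment_variables(), so if the call fails the import proceeds with magic quotes still on, although the comment above says they are turned off. The same unchecked call is repeated in php_register_server_variables() and in cgi_php_import_environment_variables() in both sapi/cgi/cgi_main.c and sapi/fpm/fpm/fpm_main.c. I would test it, e.g. `if (zend_alter_ini_entry_ex(...) == FAILURE) { /* log and bail out */ }`, and consider one shared helper rather than four copies. The saved `magic_quotes_gpc` value is restored outside these hunks. If that restore still assigns `PG(magic_quotes_gpc)` directly, the global and the INI entry can drift apart again, so it should be checked against this change.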
@@ -624,7 +624,9 @@ void cgi_php_import_environment_variable int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; /* turn off magic_quotes while importing environment variables */ - PG(magic_quotes_gpc) = 0; + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } for (zend_hash_internal_pointer_reset_ex(request->env, &pos); zend_hash_get_current_key_ex(request->env, &var, &var_len, &idx, 0, &pos) == HASH_KEY_IS_STRING && zend_hash_get_current_data_ex(request->env, (void **) &val, &pos) == SUCCESS; Index: sapi/fpm/fpm/fpm_main.c =================================================================== --- sapi/fpm/fpm/fpm_main.c.orig +++ sapi/fpm/fpm/fpm_main.c @@ -641,7 +641,9 @@ void cgi_php_import_environment_variable int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; /* turn off magic_quotes while importing environment variables */ - PG(magic_quotes_gpc) = 0; + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } for (zend_hash_internal_pointer_reset_ex(request->env, &pos); zend_hash_get_current_key_ex(request->env, &var, &var_len, &idx, 0, &pos) == HASH_KEY_IS_STRING && zend_hash_get_current_data_ex(request->env, (void **) &val, &pos) == SUCCESS; -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
