Hello community, here is the log from the commit of package php5 for openSUSE:11.4 checked in at Fri Feb 17 16:47:33 CET 2012.
-------- --- old-versions/11.4/UPDATES/all/php5/php5.changes 2012-01-18 10:06:06.000000000 +0100 +++ 11.4/php5/php5.changes 2012-02-16 17:36:48.000000000 +0100 @@ -1,0 +2,24 @@ +Tue Feb 7 14:00:12 UTC 2012 - [email protected] + +- security update: + * CVE-2012-0807 [bnc#743308] + * CVE-2012-0057 [bnc#741520] + * CVE-2011-4153 [bnc#741859] + * CVE-2012-0831 [bnc#746661] + +------------------------------------------------------------------- +Fri Feb 3 08:32:32 UTC 2012 - [email protected] + +- security update CVE-2012-0830 and other memory leaks + (fixes the fix of CVE-2011-4885) [bnc#744966] + +------------------------------------------------------------------- +Wed Jan 25 15:02:28 UTC 2012 - [email protected] + +- security update: + * CVE-2012-0781 [bnc#742273] + * CVE-2012-0788 [bnc#742806] + * memory corruption in parse_ini_string() [bnc#742806] + * CVE-2012-0789 [bnc#742806] + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- php-5.3.5-CVE-2011-4153.patch php-5.3.5-CVE-2012-0057.patch php-5.3.5-CVE-2012-0781.patch php-5.3.5-CVE-2012-0788.patch php-5.3.5-CVE-2012-0789.patch php-5.3.5-CVE-2012-0807.patch php-5.3.5-CVE-2012-0830.patch php-5.3.5-CVE-2012-0831.patch php-5.3.5-memory-corruption-parse_ini_string.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.Fxuo0G/_old 2012-02-17 16:47:10.000000000 +0100 +++ /var/tmp/diff_new_pack.Fxuo0G/_new 2012-02-17 16:47:10.000000000 +0100 @@ -103,7 +103,7 @@ ### ### Version: 5.3.5 -Release: 5.<RELEASE20> +Release: 5.<RELEASE22> Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter Provides: php-api = %{apiver}, php-zend-abi = %{zendver} Provides: php(api) = %{apiver}, php(zend-abi) = %{zendver} 
@@ -163,6 +163,15 @@ Patch48: php-5.3.5-CVE-2011-3182.patch Patch49: php-5.3.5-CVE-2011-1466.patch Patch50: php-5.3.5-CVE-2011-4885.patch +Patch51: php-5.3.5-CVE-2012-0781.patch +Patch52: php-5.3.5-CVE-2012-0788.patch +Patch53: php-5.3.5-memory-corruption-parse_ini_string.patch +Patch54: php-5.3.5-CVE-2012-0789.patch +Patch55: php-5.3.5-CVE-2012-0830.patch +Patch56: php-5.3.5-CVE-2012-0807.patch +Patch57: php-5.3.5-CVE-2012-0057.patch +Patch58: php-5.3.5-CVE-2011-4153.patch +Patch59: php-5.3.5-CVE-2012-0831.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -1298,6 +1307,15 @@ %patch48 %patch49 %patch50 +%patch51 +%patch52 +%patch53 +%patch54 +%patch55 -p1 +%patch56 +%patch57 +%patch58 +%patch59 # we build three SAPI %{__mkdir_p} build-apache2 build-fpm ++++++ php-5.3.5-CVE-2011-1466.patch ++++++ --- /var/tmp/diff_new_pack.Fxuo0G/_old 2012-02-17 16:47:10.000000000 +0100 +++ /var/tmp/diff_new_pack.Fxuo0G/_new 2012-02-17 16:47:10.000000000 +0100 @@ -39,10 +39,11 @@ /* Calculate the century (year/100). */ century = temp / DAYS_PER_400_YEARS; -@@ -190,6 +182,10 @@ void SdnToGregorian( +@@ -190,6 +182,11 @@ void SdnToGregorian( *pYear = year; *pMonth = month; *pDay = day; ++ return; +fail: + *pYear = 0; + *pMonth = 0; ++++++ php-5.3.5-CVE-2011-4153.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=319442 http://svn.php.net/viewvc?view=revision&revision=319453 #-0- Zend/zend_builtin_functions.c #-1- ext/soap/php_sdl.c #-2- ext/standard/syslog.c #-3- ext/standard/browscap.c #-4- N/A #-5- N/A #-6- ext/session/mod_files.c ext/standard/file.c Index: Zend/zend_builtin_functions.c =================================================================== --- Zend/zend_builtin_functions.c.orig +++ Zend/zend_builtin_functions.c 
@@ -683,6 +683,9 @@ repeat: } c.flags = case_sensitive; /* non persistent */ c.name = zend_strndup(name, name_len); + if(c.name == NULL) { + RETURN_FALSE; + } c.name_len = name_len+1; c.module_number = PHP_USER_CONSTANT; if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) { Index: ext/standard/syslog.c =================================================================== --- ext/standard/syslog.c.orig +++ ext/standard/syslog.c @@ -234,6 +234,9 @@ PHP_FUNCTION(openlog) free(BG(syslog_device)); } BG(syslog_device) = zend_strndup(ident, ident_len); + if(BG(syslog_device) == NULL) { + RETURN_FALSE; + } openlog(BG(syslog_device), option, facility); RETURN_TRUE; } Index: ext/soap/php_sdl.c =================================================================== --- ext/soap/php_sdl.c.orig +++ ext/soap/php_sdl.c @@ -147,6 +147,10 @@ encodePtr get_encoder(sdlPtr sdl, const memcpy(new_enc, enc, sizeof(encode)); if (sdl->is_persistent) { new_enc->details.ns = zend_strndup(ns, ns_len); + if (new_enc->details.ns == NULL) { + efree(nscat); + return NULL; + } new_enc->details.type_str = strdup(new_enc->details.type_str); } else { new_enc->details.ns = estrndup(ns, ns_len); Index: ext/standard/file.c =================================================================== --- ext/standard/file.c.orig +++ ext/standard/file.c @@ -2625,7 +2625,12 @@ PHP_FUNCTION(fnmatch) Returns directory path used for temporary files */ PHP_FUNCTION(sys_get_temp_dir) { - RETURN_STRING((char *)php_get_temporary_directory(), 1); + char *tmp_dir; + tmp_dir = (char *)php_get_temporary_directory(); + if (tmp_dir == NULL) { + return; + } + RETURN_STRING(tmp_dir, 1); } /* }}} */ Index: ext/session/mod_files.c =================================================================== --- ext/session/mod_files.c.orig +++ ext/session/mod_files.c 
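Review bot: The new early `RETURN_FALSE;` in the Zend/zend_builtin_functions.c hunk leaves the function without releasing anything `c` may already own. The hunk opens just after a `repeat:` label and a closing brace, so the earlier setup is not visible; if the constant's value has already been copied into `c.value` by that point, add `zval_dtor(&c.value);` before the return. The enclosing function starts and ends outside the hunk.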
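Review bot: In the ext/soap/php_sdl.c hunk the new failure path frees `nscat` but not `new_enc`, which the context line `memcpy(new_enc, enc, sizeof(encode));` has just filled and which is allocated above the hunk; release it with the deallocator that matches that allocation before `return NULL;`. The `strdup()` on the next context line, `new_enc->details.type_str = strdup(new_enc->details.type_str);`, has the same out-of-memory exposure this patch is closing and is still unchecked. get_encoder starts and ends outside the hunk.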
@@ -273,6 +273,9 @@ PS_OPEN_FUNC(files) if (*save_path == '\0') { /* if save path is an empty string, determine the temporary dir */ save_path = php_get_temporary_directory(); + if (save_path == NULL) { + return FAILURE; + } if (PG(safe_mode) && (!php_checkuid(save_path, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { return FAILURE; Index: ext/standard/browscap.c =================================================================== --- ext/standard/browscap.c.orig +++ ext/standard/browscap.c @@ -147,9 +147,17 @@ static void php_browscap_parser_cb(zval Z_STRLEN_P(new_property) = 0; } else { /* Other than true/false setting */ Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2), Z_STRLEN_P(arg2)); + if (Z_STRVAL_P(new_property) == NULL) { + zend_error(E_CORE_ERROR, "Out of memory"); + return; + } Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2); } new_key = zend_strndup(Z_STRVAL_P(arg1), Z_STRLEN_P(arg1)); + if (new_key == NULL) { + zend_error(E_CORE_ERROR, "Out of memory"); + return; + } zend_str_tolower(new_key, Z_STRLEN_P(arg1)); zend_hash_update(Z_ARRVAL_P(current_section), new_key, Z_STRLEN_P(arg1) + 1, &new_property, sizeof(zval *), NULL); free(new_key); ++++++ php-5.3.5-CVE-2012-0057.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=317759 http://svn.php.net/viewvc/?view=revision&revision=317801 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658088#22 Index: ext/xsl/xsltprocessor.c =================================================================== --- ext/xsl/xsltprocessor.c.orig +++ ext/xsl/xsltprocessor.c @@ -26,6 +26,7 @@ #include "php.h" #include "php_xsl.h" #include "ext/libxml/php_libxml.h" +#include "zend_ini.h" /* {{{ arginfo */ ZEND_BEGIN_ARG_INFO_EX(arginfo_xsl_xsltprocessor_import_stylesheet, 0, 0, 1) 
@@ -475,6 +476,9 @@ static xmlDocPtr php_xsl_apply_styleshee
 zval *doXInclude, *member;
 zend_object_handlers *std_hnd;
 FILE *f;
+ int secPrefsError = 0;
+ int secPrefsIni;
+ xsltSecurityPrefsPtr secPrefs = NULL;
 node = php_libxml_import_node(docp TSRMLS_CC);
@@ -531,11 +535,56 @@ static xmlDocPtr php_xsl_apply_styleshee } efree(member); - newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt); + + secPrefsIni = INI_INT("xsl.security_prefs"); + + //if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... + if (secPrefsIni != XSL_SECPREF_NONE) { + secPrefs = xsltNewSecurityPrefs(); + if (secPrefsIni & XSL_SECPREF_READ_FILE ) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_WRITE_FILE ) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_CREATE_DIRECTORY ) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_READ_NETWORK) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + if (secPrefsIni & XSL_SECPREF_WRITE_NETWORK) { + if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { + secPrefsError = 1; + } + } + + if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) { + secPrefsError = 1; + } + } + + if (secPrefsError == 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons"); + } else { + newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt); + } if (f) { fclose(f); } + xsltFreeTransformContext(ctxt); + if (secPrefs) { + xsltFreeSecurityPrefs(secPrefs); + } if (intern->node_list != NULL) { zend_hash_destroy(intern->node_list); Index: ext/xsl/php_xsl.h =================================================================== --- ext/xsl/php_xsl.h.orig +++ ext/xsl/php_xsl.h 
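Review bot: When `secPrefsError` is set the transformation is skipped, but nothing in this hunk assigns `newdocp` on that path; its declaration is above the hunk, so unless it is initialised to NULL there, the code after this block reads an indeterminate pointer. Setting `newdocp = NULL;` in the warning branch removes the doubt. `xsltNewSecurityPrefs()` is also used unchecked: a configured value containing none of the five known bits makes no `xsltSetSecurityPrefs` call, and a NULL preference set would then be handed to `xsltSetCtxtSecurityPrefs`, which appears to accept it and leave the context unrestricted. Add `if (secPrefs == NULL) { secPrefsError = 1; }` directly after the allocation. php_xsl_apply_stylesheet continues outside the hunk.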
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr #include <libxslt/xsltInternals.h> #include <libxslt/xsltutils.h> #include <libxslt/transform.h> +#include <libxslt/security.h> #if HAVE_XSL_EXSLT #include <libexslt/exslt.h> #include <libexslt/exsltconfig.h> @@ -43,6 +44,13 @@ extern zend_module_entry xsl_module_entr #include <libxslt/extensions.h> #include <libxml/xpathInternals.h> +#define XSL_SECPREF_NONE 0 +#define XSL_SECPREF_READ_FILE 2 +#define XSL_SECPREF_WRITE_FILE 4 +#define XSL_SECPREF_CREATE_DIRECTORY 8 +#define XSL_SECPREF_READ_NETWORK 16 +#define XSL_SECPREF_WRITE_NETWORK 32 + typedef struct _xsl_object { zend_object std; void *ptr; Index: ext/xsl/php_xsl.c =================================================================== --- ext/xsl/php_xsl.c.orig +++ ext/xsl/php_xsl.c @@ -141,6 +141,11 @@ zend_object_value xsl_objects_new(zend_c } /* }}} */ +PHP_INI_BEGIN() +//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK |Â XSL_SECPREF_WRITE_FILE == 44 +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) +PHP_INI_END() + /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(xsl) 
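Review bot: The default `"44"` in the ext/xsl/php_xsl.c hunk is a magic number explained only by a `//` comment, which is not valid C89 and carries a stray non-ASCII character before `XSL_SECPREF_WRITE_FILE`. Replace it with a block comment that also states what the default leaves open, for example `/* default 44 = WRITE_FILE | CREATE_DIRECTORY | WRITE_NETWORK; READ_FILE and READ_NETWORK stay permitted */`, so administrators handling stylesheets from untrusted sources know they must raise the value themselves. The header defines the flags starting at 2, so bit 1 is unused; a one-line comment in php_xsl.h saying this is intentional would prevent a later "fix".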
@@ -167,6 +172,13 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT);
+
 REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT);
 REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
@@ -175,6 +187,8 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
 #endif
+ REGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */
@@ -258,6 +272,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
 xsltCleanupGlobals();
+ UNREGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */
++++++ php-5.3.5-CVE-2012-0781.patch ++++++
http://svn.php.net/viewvc?view=revision&revision=319254
--- ext/tidy/tidy.c 2011/11/15 14:20:13 319253
+++ ext/tidy/tidy.c 2011/11/15 15:16:20 319254
@@ -1288,7 +1288,7 @@
 {
 TIDY_FETCH_OBJECT;
- if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
+ if (tidyStatus(obj->ptdoc->doc) != 0 && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
 tidy_doc_update_properties(obj TSRMLS_CC);
 RETURN_TRUE;
 }
++++++ php-5.3.5-CVE-2012-0788.patch ++++++
http://svn.php.net/viewvc/?view=revision&revision=317272
--- ext/pdo/pdo_stmt.c 2011/09/25 12:14:09 317271
+++ ext/pdo/pdo_stmt.c 2011/09/25 12:39:05 317272
@@ -2351,6 +2351,7 @@
 }
 zend_object_handlers pdo_dbstmt_object_handlers;
+static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC);
 void pdo_stmt_init(TSRMLS_D)
 {
@@ -2374,6 +2375,7 @@
 pdo_row_ce = zend_register_internal_class(&ce TSRMLS_CC);
 pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */
 pdo_row_ce->create_object = pdo_row_new;
+ pdo_row_ce->serialize = pdo_row_serialize;
 }
 static void free_statement(pdo_stmt_t *stmt TSRMLS_DC)
@@ -2796,6 +2798,12 @@
 retval.handlers = &pdo_row_object_handlers;
 return retval;
+}
+
+static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC)
+{
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "PDORow instances may not be serialized");
+ return FAILURE;
 }
 /* }}} */
++++++ php-5.3.5-CVE-2012-0789.patch ++++++
http://svn.php.net/viewvc/?view=revision&revision=320481
Modified: ext/date/lib/parse_date.re
===================================================================
Index: ext/date/lib/parse_date.re
===================================================================
--- ext/date/lib/parse_date.re.orig
+++ ext/date/lib/parse_date.re
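Review bot: The `tidyStatus(obj->ptdoc->doc) != 0` guard in the ext/tidy/tidy.c hunk is undocumented and may conflate two cases. As far as libtidy documents it, a status of 0 is reported both when nothing has been parsed and when a document parsed without warnings or errors, so a clean document would now skip `tidy_doc_update_properties` and fall through to whatever follows the `if`. If that is intended, say so in place, e.g. `/* status 0: nothing to diagnose (also the case for an unparsed document, where tidyRunDiagnostics must not be called) */`. The enclosing function begins and ends outside the hunk.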
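Review bot: Only the serialize direction is closed by the ext/pdo/pdo_stmt.c hunks: the class-setup hunk assigns `pdo_row_ce->serialize` and nothing for the reverse path, so a regression test should confirm that unserialize() cannot yield a PDORow with no backing statement. In the last hunk `pdo_row_serialize` is inserted between the closing brace of the previous function and its `/* }}} */` fold marker, so the marker now closes the new function and the old one is left without one. Move the new function below the marker and give it its own `/* {{{ pdo_row_serialize */` … `/* }}} */` pair.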
@@ -755,7 +755,7 @@ static long timelib_lookup_zone(char **p return value; } -static long timelib_get_zone(char **ptr, int *dst, timelib_time *t, int *tz_not_found, const timelib_tzdb *tzdb) +static long timelib_get_zone(char **ptr, int *dst, timelib_time *t, int *tz_not_found, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_wrapper) { timelib_tzinfo *res; long retval = 0; @@ -804,7 +804,7 @@ static long timelib_get_zone(char **ptr, #endif /* If we have a TimeZone identifier to start with, use it */ if (strstr(tz_abbr, "/") || strcmp(tz_abbr, "UTC") == 0) { - if ((res = timelib_parse_tzfile(tz_abbr, tzdb)) != NULL) { + if ((res = tz_wrapper(tz_abbr, tzdb)) != NULL) { t->tz_info = res; t->zone_type = TIMELIB_ZONETYPE_ID; found++; @@ -833,7 +833,7 @@ static long timelib_get_zone(char **ptr, } \ } -static int scan(Scanner *s) +static int scan(Scanner *s, timelib_tz_get_wrapper tz_get_wrapper) { uchar *cursor = s->cur; char *str, *ptr = NULL; @@ -1166,7 +1166,7 @@ weekdayof = (reltextnumber|reltex } if (*ptr != '\0') { - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1207,7 +1207,7 @@ weekdayof = (reltextnumber|reltex s->time->h = timelib_get_nr((char **) &ptr, 2); s->time->i = timelib_get_nr((char **) &ptr, 2); s->time->s = 0; - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, s->tzdb, tz_get_wrapper); break; case 1: s->time->y = timelib_get_nr((char **) &ptr, 4); 
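Review bot: `tz_wrapper` is called unconditionally in timelib_get_zone (`tz_wrapper(tz_abbr, tzdb)` in the second hunk), so any caller that passes NULL for the new parameter crashes there. Every caller visible in this patch passes `php_date_parse_tzfile_wrapper`, but the contract should be written next to the typedef in timelib.h, e.g. `/* tz_get_wrapper must not be NULL; it resolves a zone identifier to a timelib_tzinfo */`. Only parse_date.re is changed here; if the source tree also carries a pre-generated parse_date.c, the build must regenerate it with re2c, otherwise the old definitions are compiled against the new prototypes.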
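Review bot: The call rewritten in the `@@ -1207,7 +1207,7 @@` hunk passes five arguments, with `&tz_not_found` missing between `s->time` and `s->tzdb`, while the signature changed in the first hunk now takes six. The omission predates this patch (the removed line has four arguments against the old five), which suggests the rule sits in a disabled or commented-out region of the .re file that the hunk does not show. If it is live code it will not compile and needs `..., s->time, &tz_not_found, s->tzdb, tz_get_wrapper);` with a local `int tz_not_found;`. If it is dead code, leaving it untouched would keep the security patch smaller.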
@@ -1232,7 +1232,7 @@ weekdayof = (reltextnumber|reltex s->time->s = timelib_get_nr((char **) &ptr, 2); if (*ptr != '\0') { - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1425,7 +1425,7 @@ weekdayof = (reltextnumber|reltex if (*ptr == '.') { s->time->f = timelib_get_frac_nr((char **) &ptr, 9); if (*ptr) { /* timezone is optional */ - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1525,7 +1525,7 @@ weekdayof = (reltextnumber|reltex s->time->h = timelib_get_nr((char **) &ptr, 2); s->time->i = timelib_get_nr((char **) &ptr, 2); s->time->s = timelib_get_nr((char **) &ptr, 2); - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1638,7 +1638,7 @@ weekdayof = (reltextnumber|reltex DEBUG_OUTPUT("tzcorrection | tz"); TIMELIB_INIT; TIMELIB_HAVE_TZ(); - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } 
@@ -1691,7 +1691,7 @@ weekdayof = (reltextnumber|reltex } if (*ptr != '\0') { - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1737,7 +1737,7 @@ weekdayof = (reltextnumber|reltex /*!max:re2c */ -timelib_time* timelib_strtotime(char *s, int len, struct timelib_error_container **errors, const timelib_tzdb *tzdb) +timelib_time* timelib_strtotime(char *s, int len, struct timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper) { Scanner in; int t; @@ -1792,7 +1792,7 @@ timelib_time* timelib_strtotime(char *s, in.time->zone_type = 0; do { - t = scan(&in); + t = scan(&in, tz_get_wrapper); #ifdef DEBUG_PARSER printf("%d\n", t); #endif @@ -1823,7 +1823,7 @@ timelib_time* timelib_strtotime(char *s, } -timelib_time *timelib_parse_from_format(char *format, char *string, int len, timelib_error_container **errors, const timelib_tzdb *tzdb) +timelib_time *timelib_parse_from_format(char *format, char *string, int len, timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper) { char *fptr = format; char *ptr = string; @@ -1989,7 +1989,7 @@ timelib_time *timelib_parse_from_format( case 'O': /* timezone */ { int tz_not_found; - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_pbf_error(s, "The timezone could not be found in the database", string, begin); } Index: ext/date/lib/timelib.h =================================================================== --- ext/date/lib/timelib.h.orig +++ ext/date/lib/timelib.h 
@@ -50,6 +50,9 @@ #define strncasecmp strnicmp #endif +/* Function pointers */ +typedef timelib_tzinfo* (*timelib_tz_get_wrapper)(char *tzname, const timelib_tzdb *tzdb); + /* From dow.c */ timelib_sll timelib_day_of_week(timelib_sll y, timelib_sll m, timelib_sll d); timelib_sll timelib_iso_day_of_week(timelib_sll y, timelib_sll m, timelib_sll d); @@ -61,8 +64,8 @@ int timelib_valid_time(timelib_sll h, ti int timelib_valid_date(timelib_sll y, timelib_sll m, timelib_sll d); /* From parse_date.re */ -timelib_time *timelib_strtotime(char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb); -timelib_time *timelib_parse_from_format(char *format, char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb); +timelib_time *timelib_strtotime(char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper); +timelib_time *timelib_parse_from_format(char *format, char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper); void timelib_fill_holes(timelib_time *parsed, timelib_time *now, int options); char *timelib_timezone_id_from_abbr(const char *abbr, long gmtoffset, int isdst); const timelib_tz_lookup_table *timelib_timezone_abbreviations_list(void); Index: ext/date/php_date.c =================================================================== --- ext/date/php_date.c.orig +++ ext/date/php_date.c @@ -832,6 +832,12 @@ static timelib_tzinfo *php_date_parse_tz } return tzi; } + +timelib_tzinfo *php_date_parse_tzfile_wrapper(char *formal_tzname, const timelib_tzdb *tzdb) +{ + TSRMLS_FETCH(); + return php_date_parse_tzfile(formal_tzname, tzdb TSRMLS_CC); +} /* }}} */ /* {{{ Helper functions */ 
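Review bot: `php_date_parse_tzfile_wrapper` in the ext/date/php_date.c hunk is defined with external linkage and no comment, although the function it wraps is `static` (see the hunk header) and every caller shown in this patch is in php_date.c. Declare it `static timelib_tzinfo *php_date_parse_tzfile_wrapper(...)` so it does not become an exported symbol. Add a one-line comment stating why it exists: the timelib callback type has no TSRM parameter, hence the `TSRMLS_FETCH()`.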
@@ -1365,7 +1371,7 @@ PHPAPI signed long php_parse_date(char * int error2; signed long retval; - parsed_time = timelib_strtotime(string, strlen(string), &error, DATE_TIMEZONEDB); + parsed_time = timelib_strtotime(string, strlen(string), &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); if (error->error_count) { timelib_error_container_dtor(error); return -1; @@ -1402,7 +1408,7 @@ PHP_FUNCTION(strtotime) initial_ts = emalloc(25); snprintf(initial_ts, 24, "@%ld UTC", preset_ts); - t = timelib_strtotime(initial_ts, strlen(initial_ts), NULL, DATE_TIMEZONEDB); /* we ignore the error here, as this should never fail */ + t = timelib_strtotime(initial_ts, strlen(initial_ts), NULL, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); /* we ignore the error here, as this should never fail */ timelib_update_ts(t, tzi); now->tz_info = tzi; now->zone_type = TIMELIB_ZONETYPE_ID; @@ -1424,7 +1430,7 @@ PHP_FUNCTION(strtotime) RETURN_FALSE; } - t = timelib_strtotime(times, time_len, &error, DATE_TIMEZONEDB); + t = timelib_strtotime(times, time_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); error1 = error->error_count; timelib_error_container_dtor(error); timelib_fill_holes(t, now, TIMELIB_NO_CLONE); 
@@ -2385,9 +2391,9 @@ PHPAPI int php_date_initialize(php_date_ timelib_time_dtor(dateobj->time); } if (format) { - dateobj->time = timelib_parse_from_format(format, time_str_len ? time_str : "", time_str_len ? time_str_len : 0, &err, DATE_TIMEZONEDB); + dateobj->time = timelib_parse_from_format(format, time_str_len ? time_str : "", time_str_len ? time_str_len : 0, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); } else { - dateobj->time = timelib_strtotime(time_str_len ? time_str : "now", time_str_len ? time_str_len : sizeof("now") -1, &err, DATE_TIMEZONEDB); + dateobj->time = timelib_strtotime(time_str_len ? time_str : "now", time_str_len ? time_str_len : sizeof("now") -1, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); } /* update last errors and warnings */ @@ -2721,7 +2727,7 @@ PHP_FUNCTION(date_parse) RETURN_FALSE; } - parsed_time = timelib_strtotime(date, date_len, &error, DATE_TIMEZONEDB); + parsed_time = timelib_strtotime(date, date_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); php_date_do_return_parsed_time(INTERNAL_FUNCTION_PARAM_PASSTHRU, parsed_time, error); } /* }}} */ @@ -2740,7 +2746,7 @@ PHP_FUNCTION(date_parse_from_format) RETURN_FALSE; } - parsed_time = timelib_parse_from_format(format, date, date_len, &error, DATE_TIMEZONEDB); + parsed_time = timelib_parse_from_format(format, date, date_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); php_date_do_return_parsed_time(INTERNAL_FUNCTION_PARAM_PASSTHRU, parsed_time, error); } /* }}} */ @@ -2782,7 +2788,7 @@ PHP_FUNCTION(date_modify) dateobj = (php_date_obj *) zend_object_store_get_object(object TSRMLS_CC); DATE_CHECK_INITIALIZED(dateobj->time, DateTime); - tmp_time = timelib_strtotime(modify, modify_len, &err, DATE_TIMEZONEDB); + tmp_time = timelib_strtotime(modify, modify_len, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); /* update last errors and warnings */ update_errors_warnings(err TSRMLS_CC); 
@@ -3578,7 +3584,7 @@ PHP_FUNCTION(date_interval_create_from_d php_date_instantiate(date_ce_interval, return_value TSRMLS_CC); - time = timelib_strtotime(time_str, time_str_len, &err, DATE_TIMEZONEDB); + time = timelib_strtotime(time_str, time_str_len, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); diobj = (php_interval_obj *) zend_object_store_get_object(return_value TSRMLS_CC); diobj->diff = timelib_rel_time_clone(&time->relative); diobj->initialized = 1; ++++++ php-5.3.5-CVE-2012-0807.patch ++++++ https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa Index: ext/suhosin/header.c =================================================================== --- ext/suhosin/header.c.orig +++ ext/suhosin/header.c @@ -3,7 +3,7 @@ | Suhosin Version 1 | +----------------------------------------------------------------------+ | Copyright (c) 2006-2007 The Hardened-PHP Project | - | Copyright (c) 2007-2010 SektionEins GmbH | + | Copyright (c) 2007-2012 SektionEins GmbH | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | 
@@ -40,28 +40,20 @@ static int (*orig_header_handler)(sapi_h char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC) { - char buffer[4096]; - char buffer2[4096]; - char *buf = buffer, *buf2 = buffer2, *d, *d_url; - int l; - - if (name_len > sizeof(buffer)-2) { - buf = estrndup(name, name_len); - } else { - memcpy(buf, name, name_len); - buf[name_len] = 0; - } + char *buf, *buf2, *d, *d_url; + int l; + + buf = estrndup(name, name_len); + name_len = php_url_decode(buf, name_len); - normalize_varname(buf); - name_len = strlen(buf); + normalize_varname(buf); + name_len = strlen(buf); if (SUHOSIN_G(cookie_plainlist)) { if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) { encrypt_return_plain: - if (buf != buffer) { - efree(buf); - } + efree(buf); return estrndup(value, value_len); } } else if (SUHOSIN_G(cookie_cryptlist)) { 
@@ -70,52 +62,34 @@ encrypt_return_plain: } } - if (strlen(value) <= sizeof(buffer2)-2) { - memcpy(buf2, value, value_len); - buf2[value_len] = 0; - } else { - buf2 = estrndup(value, value_len); - } + buf2 = estrndup(value, value_len); value_len = php_url_decode(buf2, value_len); d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC); d_url = php_url_encode(d, strlen(d), &l); efree(d); - if (buf != buffer) { - efree(buf); - } - if (buf2 != buffer2) { - efree(buf2); - } + efree(buf); + efree(buf2); return d_url; } char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC) { - char buffer[4096]; - char buffer2[4096]; int o_name_len = name_len; - char *buf = buffer, *buf2 = buffer2, *d, *d_url; + char *buf, *buf2, *d, *d_url; int l; - if (name_len > sizeof(buffer)-2) { - buf = estrndup(name, name_len); - } else { - memcpy(buf, name, name_len); - buf[name_len] = 0; - } - + buf = estrndup(name, name_len); + name_len = php_url_decode(buf, name_len); - normalize_varname(buf); - name_len = strlen(buf); + normalize_varname(buf); + name_len = strlen(buf); if (SUHOSIN_G(cookie_plainlist)) { if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) { decrypt_return_plain: - if (buf != buffer) { - efree(buf); - } + efree(buf); memcpy(*where, name, o_name_len); *where += o_name_len; **where = '='; *where +=1; @@ -130,12 +104,7 @@ decrypt_return_plain: } - if (strlen(value) <= sizeof(buffer2)-2) { - memcpy(buf2, value, value_len); - buf2[value_len] = 0; - } else { - buf2 = estrndup(value, value_len); - } + buf2 = estrndup(value, value_len); value_len = php_url_decode(buf2, value_len); @@ -152,12 +121,8 @@ decrypt_return_plain: *where += l; efree(d_url); skip_cookie: - if (buf != buffer) { - efree(buf); - } - if (buf2 != buffer2) { - efree(buf2); - } + efree(buf); + efree(buf2); return *where; } 
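Review bot: `buf` and `buf2` are now declared without initialisers (`char *buf, *buf2, *d, *d_url;`) while the `skip_cookie:` label frees both unconditionally; before this change they pointed at the stack arrays and the frees were guarded, so an early jump was harmless. The jumps to `skip_cookie` lie outside these hunks, and if any of them can run before `buf2 = estrndup(value, value_len);`, then `efree(buf2)` acts on an indeterminate pointer. Declaring `char *buf = NULL, *buf2 = NULL, *d, *d_url;` and writing the cleanup as `if (buf2) efree(buf2);` keeps the exit path well defined whatever the jump order. The same applies to suhosin_encrypt_single_cookie in the previous hunk.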
@@ -240,7 +205,7 @@ int suhosin_header_handler(sapi_header_s } #endif - if (!SUHOSIN_G(allow_multiheader) && sapi_header && sapi_header->header) { + if (sapi_header && sapi_header->header) { tmp = sapi_header->header; @@ -256,6 +221,9 @@ int suhosin_header_handler(sapi_header_s if (!SUHOSIN_G(simulation)) { sapi_header->header_len = i; } + } + if (SUHOSIN_G(allow_multiheader)) { + continue; } else if ((tmp[0] == '\r' && (tmp[1] != '\n' || i == 0)) || (tmp[0] == '\n' && (i == sapi_header->header_len-1 || i == 0 || (tmp[1] != ' ' && tmp[1] != '\t')))) { char *fname = get_active_function_name(TSRMLS_C); ++++++ php-5.3.5-CVE-2012-0830.patch ++++++ Index: php-5.3.8/main/php_variables.c =================================================================== --- php-5.3.8.orig/main/php_variables.c +++ php-5.3.8/main/php_variables.c @@ -182,7 +182,13 @@ PHPAPI void php_register_variable_ex(cha if (!index) { MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); - zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) { + zval_ptr_dtor(&gpc_element); + zval_dtor(val); + efree(var_orig); + return; + } + } else { if (PG(magic_quotes_gpc)) { escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); @@ -197,6 +203,13 @@ PHPAPI void php_register_variable_ex(cha MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { + if (index != escaped_index) { + efree(escaped_index); + } + zval_dtor(val); + efree(var_orig); + return; } if (index != escaped_index) { efree(escaped_index); 
@@ -221,7 +234,9 @@ plain_var: gpc_element->value = val->value; Z_TYPE_P(gpc_element) = Z_TYPE_P(val); if (!index) { - zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) { + zval_ptr_dtor(&gpc_element); + } } else { if (PG(magic_quotes_gpc)) { escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); ++++++ php-5.3.5-CVE-2012-0831.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=323016 Index: main/php_variables.c =================================================================== --- main/php_variables.c.orig +++ main/php_variables.c @@ -452,7 +452,10 @@ void _php_import_environment_variables(z /* turn off magic_quotes while importing environment variables */ int magic_quotes_gpc = PG(magic_quotes_gpc); - PG(magic_quotes_gpc) = 0; + + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } for (env = environ; env != NULL && *env != NULL; env++) { p = strchr(*env, '='); @@ -595,7 +598,9 @@ static inline void php_register_server_v zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); } PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; - PG(magic_quotes_gpc) = 0; + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } /* Server variables */ if (sapi_module.register_server_variables) { Index: sapi/cgi/cgi_main.c =================================================================== --- sapi/cgi/cgi_main.c.orig +++ sapi/cgi/cgi_main.c 
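Review bot: The result of `zend_alter_ini_entry_ex(...)` is discarded in the main/php_variables.c `@@ -452,7 +452,10 @@` hunk, so if the change is refused the environment import runs with magic quotes still enabled and nothing reports it. The same four-line block is repeated in php_register_server_variables below and in cgi_php_import_environment_variables in sapi/cgi/cgi_main.c and sapi/fpm/fpm/fpm_main.c. A small shared helper that checks the return value would keep the four sites in step. The first hunk's context line saves `magic_quotes_gpc`, but the restore is outside the hunk; confirm it leaves the ini entry and `PG(magic_quotes_gpc)` in agreement.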
@@ -624,7 +624,9 @@ void cgi_php_import_environment_variable int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; /* turn off magic_quotes while importing environment variables */ - PG(magic_quotes_gpc) = 0; + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } for (zend_hash_internal_pointer_reset_ex(request->env, &pos); zend_hash_get_current_key_ex(request->env, &var, &var_len, &idx, 0, &pos) == HASH_KEY_IS_STRING && zend_hash_get_current_data_ex(request->env, (void **) &val, &pos) == SUCCESS; Index: sapi/fpm/fpm/fpm_main.c =================================================================== --- sapi/fpm/fpm/fpm_main.c.orig +++ sapi/fpm/fpm/fpm_main.c @@ -641,7 +641,9 @@ void cgi_php_import_environment_variable int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; /* turn off magic_quotes while importing environment variables */ - PG(magic_quotes_gpc) = 0; + if (PG(magic_quotes_gpc)) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } for (zend_hash_internal_pointer_reset_ex(request->env, &pos); zend_hash_get_current_key_ex(request->env, &var, &var_len, &idx, 0, &pos) == HASH_KEY_IS_STRING && zend_hash_get_current_data_ex(request->env, (void **) &val, &pos) == SUCCESS; ++++++ php-5.3.5-memory-corruption-parse_ini_string.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=316285 http://svn.php.net/viewvc?view=revision&revision=317304 Index: ext/standard/basic_functions.c =================================================================== --- ext/standard/basic_functions.c.orig +++ ext/standard/basic_functions.c 
@@ -6032,6 +6032,10 @@ PHP_FUNCTION(parse_ini_string)
 RETURN_FALSE;
 }
+ if (INT_MAX - str_len < ZEND_MMAP_AHEAD) {
+ RETVAL_FALSE;
+ }
+
 /* Set callback function */
 if (process_sections) {
 BG(active_ini_file_section) = NULL;
continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
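Review bot: The added overflow guard does not stop the function: `RETVAL_FALSE;` only sets the return value and execution continues into the parsing code below, whereas the check just above it in the context uses `RETURN_FALSE;`. With a `str_len` close to `INT_MAX` the length arithmetic this check is meant to prevent still runs. Change the body to `RETURN_FALSE;`. PHP_FUNCTION(parse_ini_string) starts and ends outside the hunk.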
