Package: release.debian.org Followup-For: Bug #706848 User: [email protected] Usertags: pu
Hello Adam, version number changed to -14+deb7u1 (and merged changelogs for -15 and -16 releases). $ diffstat php5_5.4.4-14+deb7u1.debdiff debian/patches/CVE-2013-1643.patch | 135 ------------------ debian/patches/CVE-2013-1824.patch | 142 +++++++++++++++++++ debian/patches/fix-crash-in-garbage-collection.patch | 35 ++++ debian/patches/fix-dropping-connections-in-FPM.patch | 46 ++++++ debian/patches/libmagic-vision-fix.patch | 11 + debian/patches/pdo_dblib.patch | 29 +++ php5-5.4.4/debian/changelog | 13 + php5-5.4.4/debian/patches/series | 6 8 files changed, 281 insertions(+), 136 deletions(-) And debdiff attached, sorry for to forgotting to attach it, I had it already prepared, but somehow I didn't attach it. O. -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog --- php5-5.4.4/debian/changelog +++ php5-5.4.4/debian/changelog @@ -1,3 +1,16 @@ +php5 (5.4.4-14+deb7u1) unstable; urgency=low + + * Pull upstream fix for FPM drops connection while receiving some binary + values in FastCGI requests (Closes: #703056) + * Fix crash in garbage collection (patch courtesy of Michal Cihar) + (Closes: #706082) + * Update libmagic detection of MS Office documents (Closes: #703504) + * Fix mssql connector to work with Azure SQL (Closes: #702079) + * [CVE-2013-1824]: CVE-2013-1643 was incomplete fix; this pulls full + upstream patch (5.4.4-14 already had all the relevant security parts) + + -- Ondřej Surý <[email protected]> Mon, 06 May 2013 18:15:49 +0200 + php5 (5.4.4-14) unstable; urgency=high * [CVE-2013-1635] Fixed external entity loading diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series --- php5-5.4.4/debian/patches/series +++ php5-5.4.4/debian/patches/series @@ -81 +81,5 @@ -CVE-2013-1643.patch +CVE-2013-1824.patch +fix-dropping-connections-in-FPM.patch +fix-crash-in-garbage-collection.patch +libmagic-vision-fix.patch +pdo_dblib.patch reverted: --- php5-5.4.4/debian/patches/CVE-2013-1643.patch +++ php5-5.4.4.orig/debian/patches/CVE-2013-1643.patch @@ -1,135 +0,0 @@ ---- a/ext/libxml/libxml.c -+++ b/ext/libxml/libxml.c -@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml) - libxml_globals->error_buffer.c = NULL; - libxml_globals->error_list = NULL; - libxml_globals->entity_loader.fci.size = 0; -+ libxml_globals->entity_loader_disabled = 0; - } - - static void _php_libxml_destroy_fci(zend_fcall_info *fci) -@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v - } - - static xmlParserInputBufferPtr --php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc) --{ -- return NULL; --} -- --static xmlParserInputBufferPtr - php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc) - { - xmlParserInputBufferPtr ret; - void *context = NULL; -+ TSRMLS_FETCH(); -+ -+ if (LIBXML(entity_loader_disabled)) { -+ return NULL; -+ } - - if (URI == NULL) - return(NULL); -@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors) - } - /* }}} */ - -+PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC) -+{ -+ zend_bool old = LIBXML(entity_loader_disabled); -+ -+ LIBXML(entity_loader_disabled) = disable; -+ return old; -+} -+ - /* {{{ proto bool libxml_disable_entity_loader([boolean disable]) - Disable/Enable ability to load external entities */ - static PHP_FUNCTION(libxml_disable_entity_loader) - { - zend_bool disable = 1; -- xmlParserInputBufferCreateFilenameFunc old; - - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) { - return; - } - -- if (disable == 0) { -- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename); -- } else { -- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload); -- } -- -- if (old == php_libxml_input_buffer_noload) { -- RETURN_TRUE; -- } -- -- RETURN_FALSE; -+ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC)); - } - /* }}} */ - ---- a/ext/libxml/php_libxml.h -+++ b/ext/libxml/php_libxml.h -@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml) - zend_fcall_info fci; - zend_fcall_info_cache fcc; - } entity_loader; -+ zend_bool entity_loader_disabled; - ZEND_END_MODULE_GLOBALS(libxml) - - typedef struct _libxml_doc_props { -@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error - PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s); - PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC); - PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC); -+PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC); - - /* Init/shutdown functions*/ - PHP_LIBXML_API void php_libxml_initialize(void); ---- a/ext/soap/php_xml.c -+++ b/ext/soap/php_xml.c -@@ -20,6 +20,7 @@ - /* $Id$ */ - - #include "php_soap.h" -+#include "ext/libxml/php_libxml.h" - #include "libxml/parser.h" - #include "libxml/parserInternals.h" - -@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char * - ctxt = xmlCreateFileParserCtxt(filename); - PG(allow_url_fopen) = old_allow_url_fopen; - if (ctxt) { -+ zend_bool old; -+ - ctxt->keepBlanks = 0; - ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; - ctxt->sax->comment = soap_Comment; - ctxt->sax->warning = NULL; - ctxt->sax->error = NULL; - /*ctxt->sax->fatalError = NULL;*/ -+ old = php_libxml_disable_entity_loader(1); - xmlParseDocument(ctxt); -+ php_libxml_disable_entity_loader(old); - if (ctxt->wellFormed) { - ret = ctxt->myDoc; - if (ret->URL == NULL && ctxt->directory != NULL) { -@@ -133,6 +138,8 @@ xmlDocPtr soap_xmlParseMemory(const void - */ - ctxt = xmlCreateMemoryParserCtxt(buf, buf_size); - if (ctxt) { -+ zend_bool old; -+ - ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; - ctxt->sax->comment = soap_Comment; - ctxt->sax->warning = NULL; -@@ -141,7 +148,9 @@ xmlDocPtr soap_xmlParseMemory(const void - #if LIBXML_VERSION >= 20703 - ctxt->options |= XML_PARSE_HUGE; - #endif -+ old = php_libxml_disable_entity_loader(1); - xmlParseDocument(ctxt); -+ php_libxml_disable_entity_loader(old); - if (ctxt->wellFormed) { - ret = ctxt->myDoc; - if (ret->URL == NULL && ctxt->directory != NULL) { only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/fix-dropping-connections-in-FPM.patch +++ php5-5.4.4/debian/patches/fix-dropping-connections-in-FPM.patch @@ -0,0 +1,46 @@ +X-Git-Url: http://git.php.net/?p=php-src.git;a=blobdiff_plain;f=sapi%2Ffpm%2Ffpm%2Ffastcgi.c;h=9df26f11cdb497108850d4b5ad42089d8129312b;hp=212b6ff1db5221e7540f23f4c58ed02deae9822a;hb=60cca8b9c9b879295dbf1f76e305882e347dcb53;hpb=e052da3a6bc353636fa4bf9cb488573c50adf9a0 + +--- a/sapi/fpm/fpm/fastcgi.c ++++ b/sapi/fpm/fpm/fastcgi.c +@@ -399,7 +399,7 @@ static inline int fcgi_param_get_eff_len + { + int ret = 1; + int zero_found = 0; +- *eff_len = 0; ++ *eff_len = 0; + for (; p != end; ++p) { + if (*p == '\0') { + zero_found = 1; +@@ -427,7 +427,7 @@ static int fcgi_get_params(fcgi_request + char *tmp = buf; + size_t buf_size = sizeof(buf); + int name_len, val_len; +- uint eff_name_len, eff_val_len; ++ uint eff_name_len; + char *s; + int ret = 1; + size_t bytes_consumed; +@@ -453,8 +453,12 @@ static int fcgi_get_params(fcgi_request + ret = 0; + break; + } +- if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len) || +- !fcgi_param_get_eff_len(p+name_len, p+name_len+val_len, &eff_val_len)) { ++ ++ /* ++ * get the effective length of the name in case it's not a valid string ++ * don't do this on the value because it can be binary data ++ */ ++ if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len)){ + /* Malicious request */ + ret = 0; + break; +@@ -473,7 +477,7 @@ static int fcgi_get_params(fcgi_request + } + memcpy(tmp, p, eff_name_len); + tmp[eff_name_len] = 0; +- s = estrndup((char*)p + name_len, eff_val_len); ++ s = estrndup((char*)p + name_len, val_len); + if (s == NULL) { + ret = 0; + break; only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/libmagic-vision-fix.patch +++ php5-5.4.4/debian/patches/libmagic-vision-fix.patch @@ -0,0 +1,11 @@ +--- a/ext/fileinfo/libmagic/readcdf.c ++++ b/ext/fileinfo/libmagic/readcdf.c +@@ -295,7 +295,7 @@ file_trycdf(struct magic_set *ms, int fd + d = &dir.dir_tab[j]; + for (k = 0; k < sizeof(name); k++) + name[k] = (char)cdf_tole2(d->d_name[k]); +- if (strstr(name, "WordDocument") == 0) { ++ if (strstr(name, "WordDocument") != 0) { + str = "msword"; + break; + } only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/CVE-2013-1824.patch +++ php5-5.4.4/debian/patches/CVE-2013-1824.patch @@ -0,0 +1,142 @@ +--- a/ext/soap/php_xml.c ++++ b/ext/soap/php_xml.c +@@ -20,6 +20,7 @@ + /* $Id$ */ + + #include "php_soap.h" ++#include "ext/libxml/php_libxml.h" + #include "libxml/parser.h" + #include "libxml/parserInternals.h" + +@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char * + ctxt = xmlCreateFileParserCtxt(filename); + PG(allow_url_fopen) = old_allow_url_fopen; + if (ctxt) { ++ zend_bool old; ++ + ctxt->keepBlanks = 0; + ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; + ctxt->sax->comment = soap_Comment; + ctxt->sax->warning = NULL; + ctxt->sax->error = NULL; + /*ctxt->sax->fatalError = NULL;*/ ++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC); + xmlParseDocument(ctxt); ++ php_libxml_disable_entity_loader(old TSRMLS_CC); + if (ctxt->wellFormed) { + ret = ctxt->myDoc; + if (ret->URL == NULL && ctxt->directory != NULL) { +@@ -128,11 +133,15 @@ xmlDocPtr soap_xmlParseMemory(const void + xmlParserCtxtPtr ctxt = NULL; + xmlDocPtr ret; + ++ TSRMLS_FETCH(); ++ + /* + xmlInitParser(); + */ + ctxt = xmlCreateMemoryParserCtxt(buf, buf_size); + if (ctxt) { ++ zend_bool old; ++ + ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace; + ctxt->sax->comment = soap_Comment; + ctxt->sax->warning = NULL; +@@ -141,7 +150,9 @@ xmlDocPtr soap_xmlParseMemory(const void + #if LIBXML_VERSION >= 20703 + ctxt->options |= XML_PARSE_HUGE; + #endif ++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC); + xmlParseDocument(ctxt); ++ php_libxml_disable_entity_loader(old TSRMLS_CC); + if (ctxt->wellFormed) { + ret = ctxt->myDoc; + if (ret->URL == NULL && ctxt->directory != NULL) { +--- a/ext/libxml/libxml.c ++++ b/ext/libxml/libxml.c +@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml) + libxml_globals->error_buffer.c = NULL; + libxml_globals->error_list = NULL; + libxml_globals->entity_loader.fci.size = 0; ++ libxml_globals->entity_loader_disabled = 0; + } + + static void _php_libxml_destroy_fci(zend_fcall_info *fci) +@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v + } + + static xmlParserInputBufferPtr +-php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc) +-{ +- return NULL; +-} +- +-static xmlParserInputBufferPtr + php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc) + { + xmlParserInputBufferPtr ret; + void *context = NULL; ++ TSRMLS_FETCH(); ++ ++ if (LIBXML(entity_loader_disabled)) { ++ return NULL; ++ } + + if (URI == NULL) + return(NULL); +@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors) + } + /* }}} */ + ++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC) ++{ ++ zend_bool old = LIBXML(entity_loader_disabled); ++ ++ LIBXML(entity_loader_disabled) = disable; ++ return old; ++} ++ + /* {{{ proto bool libxml_disable_entity_loader([boolean disable]) + Disable/Enable ability to load external entities */ + static PHP_FUNCTION(libxml_disable_entity_loader) + { + zend_bool disable = 1; +- xmlParserInputBufferCreateFilenameFunc old; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) { + return; + } + +- if (disable == 0) { +- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename); +- } else { +- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload); +- } +- +- if (old == php_libxml_input_buffer_noload) { +- RETURN_TRUE; +- } +- +- RETURN_FALSE; ++ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC)); + } + /* }}} */ + +--- a/ext/libxml/php_libxml.h ++++ b/ext/libxml/php_libxml.h +@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml) + zend_fcall_info fci; + zend_fcall_info_cache fcc; + } entity_loader; ++ zend_bool entity_loader_disabled; + ZEND_END_MODULE_GLOBALS(libxml) + + typedef struct _libxml_doc_props { +@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error + PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s); + PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC); + PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC); ++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC); + + /* Init/shutdown functions*/ + PHP_LIBXML_API void php_libxml_initialize(void); only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/fix-crash-in-garbage-collection.patch +++ php5-5.4.4/debian/patches/fix-crash-in-garbage-collection.patch @@ -0,0 +1,35 @@ +--- a/Zend/zend_gc.c ++++ b/Zend/zend_gc.c +@@ -644,7 +644,8 @@ tail_call: + struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj; + + if (obj->buffered == (gc_root_buffer*)GC_WHITE) { +- GC_SET_BLACK(obj->buffered); ++ /* PURPLE instead of BLACK to prevent buffering in nested gc calls */ ++ GC_SET_PURPLE(obj->buffered); + + if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid && + (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) { +@@ -715,7 +716,8 @@ static void zobj_collect_white(zval *pz + struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj; + + if (obj->buffered == (gc_root_buffer*)GC_WHITE) { +- GC_SET_BLACK(obj->buffered); ++ /* PURPLE instead of BLACK to prevent buffering in nested gc calls */ ++ GC_SET_PURPLE(obj->buffered); + + if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid && + (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) { +--- a/ext/pcre/php_pcre.c ++++ b/ext/pcre/php_pcre.c +@@ -547,8 +547,9 @@ PHPAPI void php_pcre_match_impl(pcre_cac + + /* Overwrite the passed-in value for subpatterns with an empty array. */ + if (subpats != NULL) { +- zval_dtor(subpats); ++ zval garbage = *subpats; + array_init(subpats); ++ zval_dtor(&garbage); + } + + subpats_order = global ? PREG_PATTERN_ORDER : 0; only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/pdo_dblib.patch +++ php5-5.4.4/debian/patches/pdo_dblib.patch @@ -0,0 +1,29 @@ +Use the DBSETLDBNAME macro to set the dbname in the db-lib LOGINREC. +That sets the dbname in the login packet, obviating the need for "USE +dbname" and allowing pdo_dblib to work with Azure's SQL. + +--- a/ext/pdo_dblib/dblib_driver.c ++++ b/ext/pdo_dblib/dblib_driver.c +@@ -288,6 +288,9 @@ static int pdo_dblib_handle_factory(pdo_ + if (dbh->password) { + DBSETLPWD(H->login, dbh->password); + } ++ if (vars[3].optval) { ++ DBSETLDBNAME(H->login, vars[3].optval); ++ } + + #if !PHP_DBLIB_IS_MSSQL + if (vars[0].optval) { +@@ -317,11 +320,8 @@ static int pdo_dblib_handle_factory(pdo_ + DBSETOPT(H->link, DBTEXTSIZE, "2147483647"); + + /* allow double quoted indentifiers */ +- DBSETOPT(H->link, DBQUOTEDIDENT, 1); ++ DBSETOPT(H->link, DBQUOTEDIDENT, "1"); + +- if (vars[3].optval && FAIL == dbuse(H->link, vars[3].optval)) { +- goto cleanup; +- } + + ret = 1; + dbh->max_escaped_char_length = 2;
