Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=ccb5da697c4b54839bc0d36a8610658a2547c33e

commit ccb5da697c4b54839bc0d36a8610658a2547c33e
Author: kikadf <[email protected]>
Date:   Thu Jul 17 10:49:24 2014 +0200

php-5.3.26-2arcturus4-x86_64

* Fix CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480,
* CVE-2014-3487, CVE-2014-4721

diff --git a/source/devel/php/CVE-2014-0207.patch 
b/source/devel/php/CVE-2014-0207.patch
new file mode 100644
index 0000000..3ea128a
--- /dev/null
+++ b/source/devel/php/CVE-2014-0207.patch
@@ -0,0 +1,15 @@
+--- php5.orig/ext/fileinfo/libmagic/cdf.c
++++ php5/ext/fileinfo/libmagic/cdf.c
+@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t
+       size_t ss = CDF_SHORT_SEC_SIZE(h);
+       size_t pos = CDF_SHORT_SEC_POS(h, id);
+       assert(ss == len);
+-      if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++      if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+               DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+                   SIZE_T_FORMAT "u\n",
+-                  pos, CDF_SEC_SIZE(h) * sst->sst_len));
++                  pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+               return -1;
+       }
+       (void)memcpy(((char *)buf) + offs,
diff --git a/source/devel/php/CVE-2014-3478.patch 
b/source/devel/php/CVE-2014-3478.patch
new file mode 100644
index 0000000..bae6343
--- /dev/null
+++ b/source/devel/php/CVE-2014-3478.patch
@@ -0,0 +1,24 @@
+--- php5.orig/ext/fileinfo/libmagic/softmagic.c
++++ php5/ext/fileinfo/libmagic/softmagic.c
+@@ -780,10 +780,18 @@ mconvert(struct magic_set *ms, struct ma
+               return 1;
+       }
+       case FILE_PSTRING: {
+-              char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++              size_t sz = file_pstring_length_size(m);
++              char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+               size_t len = file_pstring_get_length(m, ptr1);
+-              if (len >= sizeof(p->s))
+-                      len = sizeof(p->s) - 1;
++              if (len >= sizeof(p->s)) {
++                      /*
++                       * The size of the pascal string length (sz)
++                       * is 1, 2, or 4. We need at least 1 byte for NUL
++                       * termination, but we've already truncated the
++                       * string by p->s, so we need to deduct sz.
++                       */
++                      len = sizeof(p->s) - sz;
++              }
+               while (len--)
+                       *ptr1++ = *ptr2++;
+               *ptr1 = '\0';
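Review bot: The clamp still triggers only for `len >= sizeof(p->s)`, so a stored length between `sizeof(p->s) - sz + 1` and `sizeof(p->s) - 1` skips it. The copy loop reads from `ptr2 = ptr1 + sz`, so in that range it runs up to `sz - 1` bytes past the end of `p->s`. Testing against the space actually left after the length prefix closes the gap: `if (len > sizeof(p->s) - sz) len = sizeof(p->s) - sz;`. The FILE_PSTRING case continues outside the hunk, and the range of values `file_pstring_get_length()` can return is not visible here.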
diff --git a/source/devel/php/CVE-2014-3479.patch 
b/source/devel/php/CVE-2014-3479.patch
new file mode 100644
index 0000000..06e7320
--- /dev/null
+++ b/source/devel/php/CVE-2014-3479.patch
@@ -0,0 +1,20 @@
+--- php5.orig/ext/fileinfo/libmagic/cdf.c
++++ php5/ext/fileinfo/libmagic/cdf.c
+@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream
+ {
+       const char *b = (const char *)sst->sst_tab;
+       const char *e = ((const char *)p) + tail;
++      size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++          CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+       (void)&line;
+-      if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
++      if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+               return 0;
+       DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
+           " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+           SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+-          CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++          ss * sst->sst_len, ss, sst->sst_len));
+       errno = EFTYPE;
+       return -1;
+ }
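Review bot: The check compares `e`, which has already been formed as `((const char *)p) + tail`, and callers appear to pass a `tail` derived from file contents. An oversized `tail` makes the pointer arithmetic itself undefined before `e >= b` is evaluated, and a compiler may assume it cannot wrap. Comparing offsets keeps the test well-defined, for example `size_t lim = ss * sst->sst_len, off = (size_t)((const char *)p - b);` followed by `if ((const char *)p >= b && off <= lim && tail <= lim - off) return 0;`. The DPRINTF text still prints `>=` although the accepted range is now `<=`, so `>` would match the new condition. The function signature is outside the hunk.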
diff --git a/source/devel/php/CVE-2014-3480.patch 
b/source/devel/php/CVE-2014-3480.patch
new file mode 100644
index 0000000..4cda087
--- /dev/null
+++ b/source/devel/php/CVE-2014-3480.patch
@@ -0,0 +1,23 @@
+--- php5.orig/ext/fileinfo/libmagic/cdf.c
++++ php5/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+       size_t i, j;
+-      cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++      cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++          / sizeof(maxsector));
+
+       DPRINTF(("Chain:"));
+       for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cd
+                       errno = EFTYPE;
+                       return (size_t)-1;
+               }
+-              if (sid > maxsector) {
+-                      DPRINTF(("Sector %d > %d\n", sid, maxsector));
++              if (sid >= maxsector) {
++                      DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+                       errno = EFTYPE;
+                       return (size_t)-1;
+               }
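Review bot: `sizeof(maxsector)` in the new initialiser stands in for the size of one SAT entry, which holds only while the local variable and the table element share a type; `sizeof(cdf_secid_t)` says what is meant. A one-line comment such as `/* number of sector ids that fit in the SAT */` would explain why the byte count is divided. The product `sat->sat_len * size` is still narrowed to `cdf_secid_t` by the cast, so a very large table gives a truncated or negative limit. With `sid >= maxsector` that rejects the chain rather than accepting it, which looks safe but is worth stating in the comment. The loop body continues outside both hunks.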
diff --git a/source/devel/php/CVE-2014-3487.patch 
b/source/devel/php/CVE-2014-3487.patch
new file mode 100644
index 0000000..d396377
--- /dev/null
+++ b/source/devel/php/CVE-2014-3487.patch
@@ -0,0 +1,15 @@
+--- php5.orig/ext/fileinfo/libmagic/cdf.c
++++ php5/ext/fileinfo/libmagic/cdf.c
+@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_
+       if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+               goto out;
+       for (i = 0; i < sh.sh_properties; i++) {
+-              size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++              size_t ofs, tail = (i << 1) + 1;
++              if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++                  __LINE__) == -1)
++                      goto out;
++              ofs = CDF_GETUINT32(p, tail);
+               q = (const uint8_t *)(const void *)
+                   ((const char *)(const void *)p + ofs
+                   - 2 * sizeof(uint32_t));
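Review bot: The added guard validates `p + tail * sizeof(uint32_t)`, which is the address where the 32-bit read begins, not where it ends. The CVE-2014-3479 patch in this same commit makes cdf_check_stream_offset accept an end pointer equal to the stream limit. `CDF_GETUINT32(p, tail)` can therefore still read four bytes starting exactly at the limit; passing `(tail + 1) * sizeof(uint32_t)` covers the whole word. `ofs` is then used to compute `q`, and whether `q` is bounds-checked before use is outside the hunk.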
diff --git a/source/devel/php/CVE-2014-3515.patch 
b/source/devel/php/CVE-2014-3515.patch
new file mode 100644
index 0000000..3d68024
--- /dev/null
+++ b/source/devel/php/CVE-2014-3515.patch
@@ -0,0 +1,47 @@
+--- php5.orig/ext/spl/spl_array.c
++++ php5/ext/spl/spl_array.c
+@@ -1804,7 +1804,7 @@ SPL_METHOD(Array, unserialize)
+       ++p;
+
+       ALLOC_INIT_ZVAL(pmembers);
+-      if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash 
TSRMLS_CC)) {
++      if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash 
TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+               zval_ptr_dtor(&pmembers);
+               goto outexcept;
+       }
+--- php5.orig/ext/spl/spl_observer.c
++++ php5/ext/spl/spl_observer.c
+@@ -905,7 +905,7 @@ SPL_METHOD(SplObjectStorage, unserialize
+       ++p;
+
+       ALLOC_INIT_ZVAL(pmembers);
+-      if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash 
TSRMLS_CC)) {
++      if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash 
TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
+               zval_ptr_dtor(&pmembers);
+               goto outexcept;
+       }
+--- php5.orig/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
++++ php5/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+@@ -7,6 +7,7 @@ $badblobs = array(
+ 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
+ 
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+ 
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
++'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
+ );
+ foreach($badblobs as $blob) {
+ try {
+@@ -17,6 +18,7 @@ try {
+       echo $e->getMessage()."\n";
+ }
+ }
++echo "DONE\n";
+ --EXPECTF--
+ Error at offset 6 of 34 bytes
+ Error at offset 46 of 89 bytes
+@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
+     }
+   }
+ }
+-
++Error at offset 79 of 78 bytes
++DONE
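Review bot: Only the SplObjectStorage path gets a regression case; the identical `Z_TYPE_P(pmembers) != IS_ARRAY` check added to `SPL_METHOD(Array, unserialize)` in spl_array.c has no test in this patch. A companion .phpt that passes ArrayObject::unserialize a members section of non-array type and expects the failure path (`goto outexcept`) would pin that branch as well. Both method bodies continue outside the hunks, so what `outexcept` reports is not visible here.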
diff --git a/source/devel/php/CVE-2014-4721.patch 
b/source/devel/php/CVE-2014-4721.patch
new file mode 100644
index 0000000..af40307
--- /dev/null
+++ b/source/devel/php/CVE-2014-4721.patch
@@ -0,0 +1,53 @@
+From 3804c0d00fa6e629173fb1c8c61f8f88d5fe39b9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Mon, 23 Jun 2014 00:19:37 -0700
+Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
+ Vulnerability
+
+---
+ ext/standard/info.c                                |  8 ++++----
+ ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/general_functions/bug67498.phpt
+
+--- php5.orig/ext/standard/info.c
++++ php5/ext/standard/info.c
+@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRM
+
+               php_info_print_table_start();
+               php_info_print_table_header(2, "Variable", "Value");
+-              if (zend_hash_find(&EG(symbol_table), "PHP_SELF", 
sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_SELF", 
sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_SELF", 
Z_STRVAL_PP(data));
+               }
+-              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", 
sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", 
sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_AUTH_TYPE", 
Z_STRVAL_PP(data));
+               }
+-              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", 
sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", 
sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_AUTH_USER", 
Z_STRVAL_PP(data));
+               }
+-              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", 
sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++              if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", 
sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == 
IS_STRING) {
+                       php_info_print_table_row(2, "PHP_AUTH_PW", 
Z_STRVAL_PP(data));
+               }
+               php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
+--- /dev/null
++++ php5/ext/standard/tests/general_functions/bug67498.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
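Review bot: The new bug67498.phpt sets only `$PHP_SELF = 1` and its expectation is `%A`, which matches any output. It therefore shows that phpinfo(INFO_VARIABLES) completes, but does not assert that the non-string value is left out of the table, and the `PHP_AUTH_TYPE`, `PHP_AUTH_USER` and `PHP_AUTH_PW` branches are not exercised. Tightening the expectation around the PHP Variables table and adding the other three names would make the test fail if a type check is dropped later. The four `zend_hash_find(...) != FAILURE && Z_TYPE_PP(data) == IS_STRING` conditions differ only in the key, so a small static helper would keep them in step. php_print_info continues outside the hunk.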
diff --git a/source/devel/php/FrugalBuild b/source/devel/php/FrugalBuild
index 6b9ca01..2e81490 100644
--- a/source/devel/php/FrugalBuild
+++ b/source/devel/php/FrugalBuild
@@ -4,7 +4,7 @@

pkgname=php
pkgver=5.3.26
-pkgrel=2arcturus3
+pkgrel=2arcturus4
pkgdesc="A widely-used general-purpose scripting language"
url="http://www.php.net";
backup=(etc/{php.ini,httpd/conf/modules.d/$pkgname.conf})
@@ -38,7 +38,9 @@ subarchs=('i686 x86_64')
source=(${source[@]} CVE-2013-4113.patch CVE-2013-4248.patch CVE-2013-6420.patch
CVE-2013-6712.patch CVE-2014-1943.patch CVE-2014-0185.patch
CVE-2014-0237.patch CVE-2014-0238.patch CVE-2014-2270.patch
-                     CVE-2014-4049.patch)
+                     CVE-2014-4049.patch CVE-2014-0207.patch 
CVE-2014-3478.patch
+                     CVE-2014-3479.patch CVE-2014-3480.patch 
CVE-2014-3487.patch
+                     CVE-2014-4721.patch)
sha1sums=(${sha1sums[@]} '7b9f92b247bf141012b4a83d5bad1b823e4eb2d1' \
'b75fe24356d0e6c5d375c4d2d2315f17d5e34e31' \
'805231398c06b27e4e1f8c18ce9d6aed7b06382d' \
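Review bot: `CVE-2014-3515.patch` is added to the tree by this commit but is not appended to `source=(...)` here, and the sha1sums hunk that follows adds six checksums for the six listed patches. As far as this diff shows, the SPL unserialize fix is therefore committed without being part of the build inputs. If that is intentional, the commit message (which also omits CVE-2014-3515) should say why; otherwise add `CVE-2014-3515.patch` to the list and append its checksum, computed from the committed file, to `sha1sums`. How entries in `source` get applied during the build is not visible in this hunk.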
@@ -48,7 +50,13 @@ sha1sums=(${sha1sums[@]} 
'7b9f92b247bf141012b4a83d5bad1b823e4eb2d1' \
'9fd5280138a6a9d8bfa4c5239f9451869985de35' \
'2c0db438c6773d5bc9d1af3b637c4d8cd93bf4e7' \
'e2c4c40700c1004c4924abc329fc4f75030350e0' \
-                         'a3fa0995e26e03681f0ce20289587645e6a4e401')
+                         'a3fa0995e26e03681f0ce20289587645e6a4e401' \
+                         '547c48428d7d772a6d12000ca09808a5beb149bc' \
+                         'f2937c031002888fdd5b56070b58d2c0e860b4c4' \
+                         '205f1a29dc6f097a25171ded7ae69b291c2d98b3' \
+                         '267fc9f6e12f03d41640e890173867b3aa05144c' \
+                         'd34955143d655b5a1496b2f939630e978529b4b6' \
+                         '72da3715195108595959c27ddace6822534bb765')
# ***********
