Hello community, here is the log from the commit of package php5 for openSUSE:11.4 checked in at Wed Jun 1 12:22:47 CEST 2011.
-------- --- old-versions/11.4/all/php5/php5.changes 2011-02-25 10:51:25.000000000 +0100 +++ 11.4/php5/php5.changes 2011-05-26 16:45:15.000000000 +0200 @@ -1,0 +2,14 @@ +Fri Apr 1 12:47:22 CEST 2011 - pgaj...@suse.cz + +- security updates: + * CVE-2011-1470, CVE-2011-1471 [bnc#681214] + * CVE-2011-1092 [bnc#677782] + * CVE-2011-1464 [bnc#681194] + * CVE-2011-1468 [bnc#681197] + * CVE-2011-1467 [bnc#681195] + * CVE-2011-0421 [bnc#681291] + * CVE-2011-1469 [bnc#681210] + * CVE-2011-1148 [bnc#679278] + * CVE-2011-1938 [bnc#695689] + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/php5 Destination is old-versions/11.4/UPDATES/all/php5 calling whatdependson for 11.4-i586 New: ---- php-5.3.5-CVE-2011-0421.patch php-5.3.5-CVE-2011-1092.patch php-5.3.5-CVE-2011-1148.patch php-5.3.5-CVE-2011-1464.patch php-5.3.5-CVE-2011-1467.patch php-5.3.5-CVE-2011-1468.patch php-5.3.5-CVE-2011-1469.patch php-5.3.5-CVE-2011-1470.patch php-5.3.5-CVE-2011-1471.patch php-5.3.5-CVE-2011-1938.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.PkJT9b/_old 2011-06-01 12:22:11.000000000 +0200 +++ /var/tmp/diff_new_pack.PkJT9b/_new 2011-06-01 12:22:11.000000000 +0200 @@ -77,7 +77,7 @@ ### ### Version: 5.3.5 -Release: 5.<RELEASE4> +Release: 5.<RELEASE14> License: The PHP License, version 3.01 Group: Development/Languages/Other Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter @@ -120,6 +120,16 @@ Patch28: php-5.3.5-fopen_https_proxy_auth_fix.patch Patch29: php-5.3.5-CVE-2011-0420.patch Patch30: php-5.3.5-CVE-2011-0708.patch +Patch31: php-5.3.5-CVE-2011-1470.patch +Patch32: php-5.3.5-CVE-2011-1471.patch +Patch33: php-5.3.5-CVE-2011-1092.patch +Patch34: php-5.3.5-CVE-2011-1464.patch +Patch35: php-5.3.5-CVE-2011-1467.patch +Patch36: php-5.3.5-CVE-2011-1468.patch +Patch37: php-5.3.5-CVE-2011-0421.patch +Patch38: php-5.3.5-CVE-2011-1469.patch +Patch39: php-5.3.5-CVE-2011-1148.patch +Patch40: php-5.3.5-CVE-2011-1938.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -1233,6 +1243,16 @@ %patch28 -p1 %patch29 %patch30 +%patch31 +%patch32 +%patch33 +%patch34 +%patch35 +%patch36 +%patch37 +%patch38 +%patch39 +%patch40 # we build three SAPI %{__mkdir_p} build-apache2 build-fpm ++++++ php-5.3.5-CVE-2011-0421.patch ++++++ --- ext/zip/lib/zip_name_locate.c 2011/01/30 22:16:39 307866 +++ ext/zip/lib/zip_name_locate.c 2011/01/30 22:28:57 307867 @@ -60,6 +60,10 @@ return -1; } + if((flags & ZIP_FL_UNCHANGED) && !za->cdir) { + return -1; + } + cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp; n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; ++++++ php-5.3.5-CVE-2011-1092.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=309018 --- ext/shmop/shmop.c 2011/03/08 12:58:22 309017 +++ ext/shmop/shmop.c 2011/03/08 13:11:14 309018 @@ -256,7 +256,7 @@ RETURN_FALSE; } - if (start + count > shmop->size || count < 0) { + if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range"); RETURN_FALSE; } ++++++ php-5.3.5-CVE-2011-1148.patch ++++++ --- ext/standard/string.c 2011/04/13 03:32:19 310193 +++ ext/standard/string.c 2011/04/13 06:32:41 310194 @@ -2352,20 +2352,35 @@ zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str); while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) { - convert_to_string_ex(tmp_str); + zval *orig_str; + zval dummy; + if(Z_TYPE_PP(tmp_str) != IS_STRING) { + dummy = **tmp_str; + orig_str = &dummy; + zval_copy_ctor(orig_str); + convert_to_string(orig_str); + } else { + orig_str = *tmp_str; + } if (Z_TYPE_PP(from) == IS_ARRAY) { if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) { - convert_to_long_ex(tmp_from); + if(Z_TYPE_PP(tmp_from) != IS_LONG) { + zval dummy = **tmp_from; + zval_copy_ctor(&dummy); + convert_to_long(&dummy); + f = Z_LVAL(dummy); + } else { + f = Z_LVAL_PP(tmp_from); + } - f = Z_LVAL_PP(tmp_from); if (f < 0) { - f = Z_STRLEN_PP(tmp_str) + f; + f = Z_STRLEN_P(orig_str) + f; if (f < 0) { f = 0; } - } else if (f > Z_STRLEN_PP(tmp_str)) { - f = Z_STRLEN_PP(tmp_str); + } else if (f > Z_STRLEN_P(orig_str)) { + f = Z_STRLEN_P(orig_str); } zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from); } else { @@ -2374,72 +2389,94 @@ } else { f = Z_LVAL_PP(from); if (f < 0) { - f = Z_STRLEN_PP(tmp_str) + f; + f = Z_STRLEN_P(orig_str) + f; if (f < 0) { f = 0; } - } else if (f > Z_STRLEN_PP(tmp_str)) { - f = Z_STRLEN_PP(tmp_str); + } else if (f > Z_STRLEN_P(orig_str)) { + f = Z_STRLEN_P(orig_str); } } if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) { if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) { - convert_to_long_ex(tmp_len); + if(Z_TYPE_PP(tmp_len) != IS_LONG) { + zval dummy = **tmp_len; + zval_copy_ctor(&dummy); + convert_to_long(&dummy); + l = Z_LVAL(dummy); + } else { + l = Z_LVAL_PP(tmp_len); + } l = Z_LVAL_PP(tmp_len); zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len); } else { - l = Z_STRLEN_PP(tmp_str); + l = Z_STRLEN_P(orig_str); } } else if (argc > 3) { l = Z_LVAL_PP(len); } else { - l = Z_STRLEN_PP(tmp_str); + l = Z_STRLEN_P(orig_str); } if (l < 0) { - l = (Z_STRLEN_PP(tmp_str) - f) + l; + l = (Z_STRLEN_P(orig_str) - f) + l; if (l < 0) { l = 0; } } - if ((f + l) > Z_STRLEN_PP(tmp_str)) { - l = Z_STRLEN_PP(tmp_str) - f; + if ((f + l) > Z_STRLEN_P(orig_str)) { + l = Z_STRLEN_P(orig_str) - f; } - result_len = Z_STRLEN_PP(tmp_str) - l; + result_len = Z_STRLEN_P(orig_str) - l; if (Z_TYPE_PP(repl) == IS_ARRAY) { if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) { - convert_to_string_ex(tmp_repl); - result_len += Z_STRLEN_PP(tmp_repl); + zval *repl_str; + zval zrepl; + if(Z_TYPE_PP(tmp_repl) != IS_STRING) { + zrepl = **tmp_repl; + repl_str = &zrepl; + zval_copy_ctor(repl_str); + convert_to_string(repl_str); + } else { + repl_str = *tmp_repl; + } + + result_len += Z_STRLEN_P(repl_str); zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl); result = emalloc(result_len + 1); - memcpy(result, Z_STRVAL_PP(tmp_str), f); - memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl)); - memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); + memcpy(result, Z_STRVAL_P(orig_str), f); + memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str)); + memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); + if(Z_TYPE_PP(tmp_repl) != IS_STRING) { + zval_dtor(repl_str); + } } else { result = emalloc(result_len + 1); - memcpy(result, Z_STRVAL_PP(tmp_str), f); - memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); + memcpy(result, Z_STRVAL_P(orig_str), f); + memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); } } else { result_len += Z_STRLEN_PP(repl); result = emalloc(result_len + 1); - memcpy(result, Z_STRVAL_PP(tmp_str), f); + memcpy(result, Z_STRVAL_P(orig_str), f); memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl)); - memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); + memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); } result[result_len] = '\0'; add_next_index_stringl(return_value, result, result_len, 0); - + if(Z_TYPE_PP(tmp_str) != IS_STRING) { + zval_dtor(orig_str); + } zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str); } /*while*/ } /* if */ ++++++ php-5.3.5-CVE-2011-1464.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=308525 --- main/snprintf.c 2011/02/21 06:22:00 308524 +++ main/snprintf.c 2011/02/21 06:53:24 308525 @@ -677,10 +677,6 @@ /* * Check if a precision was specified - * - * XXX: an unreasonable amount of precision may be specified - * resulting in overflow of num_buf. Currently we - * ignore this possibility. */ if (*fmt == '.') { adjust_precision = YES; @@ -694,6 +690,10 @@ precision = 0; } else precision = 0; + + if (precision > FORMAT_CONV_MAX_PRECISION) { + precision = FORMAT_CONV_MAX_PRECISION; + } } else adjust_precision = NO; } else --- main/spprintf.c 2011/02/21 06:22:00 308524 +++ main/spprintf.c 2011/02/21 06:53:24 308525 @@ -285,10 +285,6 @@ /* * Check if a precision was specified - * - * XXX: an unreasonable amount of precision may be specified - * resulting in overflow of num_buf. Currently we - * ignore this possibility. */ if (*fmt == '.') { adjust_precision = YES; @@ -302,6 +298,10 @@ precision = 0; } else precision = 0; + + if (precision > FORMAT_CONV_MAX_PRECISION) { + precision = FORMAT_CONV_MAX_PRECISION; + } } else adjust_precision = NO; } else --- main/snprintf.h 2011/02/21 06:22:00 308524 +++ main/snprintf.h 2011/02/21 06:53:24 308525 @@ -157,6 +157,17 @@ extern char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format, char *buf_end, register int *len); + +/* The maximum precision that's allowed for float conversion. Does not include + * decimal separator, exponent, sign, terminator. Currently does not affect + * the modes e/f, only g/k/H, as those have a different limit enforced at + * another level (see NDIG in php_conv_fp()). + * Applies to the formatting functions of both spprintf.c and snprintf.c, which + * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the + * call to php_gcvt(). + * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9 + * should be enough, but let's give some more space) */ +#define FORMAT_CONV_MAX_PRECISION 500 #endif /* SNPRINTF_H */ ++++++ php-5.3.5-CVE-2011-1467.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=306154 --- ext/intl/formatter/formatter_attr.c 2010/12/10 00:37:31 306153 +++ ext/intl/formatter/formatter_attr.c 2010/12/10 00:47:51 306154 @@ -311,6 +311,11 @@ RETURN_FALSE; } + + if (symbol >= UNUM_FORMAT_SYMBOL_COUNT || symbol < 0) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "numfmt_set_symbol: invalid symbol value", 0 TSRMLS_CC ); + RETURN_FALSE; + } /* Fetch the object. */ FORMATTER_METHOD_FETCH_OBJECT; ++++++ php-5.3.5-CVE-2011-1468.patch ++++++ url:http://svn.php.net/viewvc/?view=revision&revision=308531 url:http://svn.php.net/viewvc?view=revision&revision=308534 Index: ext/openssl/openssl.c =================================================================== --- ext/openssl/openssl.c.orig +++ ext/openssl/openssl.c @@ -4731,6 +4731,7 @@ PHP_FUNCTION(openssl_encrypt) if (free_iv) { efree(iv); } + EVP_CIPHER_CTX_cleanup(&cipher_ctx); } /* }}} */ @@ -4804,6 +4805,7 @@ PHP_FUNCTION(openssl_decrypt) if (base64_str) { efree(base64_str); } + EVP_CIPHER_CTX_cleanup(&cipher_ctx); } /* }}} */ ++++++ php-5.3.5-CVE-2011-1469.patch ++++++ Index: ext/standard/ftp_fopen_wrapper.c =================================================================== --- ext/standard/ftp_fopen_wrapper.c.orig +++ ext/standard/ftp_fopen_wrapper.c @@ -72,6 +72,12 @@ #define FTPS_ENCRYPT_DATA 1 #define GET_FTP_RESULT(stream) get_ftp_result((stream), tmp_line, sizeof(tmp_line) TSRMLS_CC) +typedef struct _php_ftp_dirstream_data { + php_stream *datastream; + php_stream *controlstream; + php_stream *dirstream; +} php_ftp_dirstream_data; + /* {{{ get_ftp_result */ static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC) @@ -97,14 +103,28 @@ static int php_stream_ftp_stream_stat(ph */ static int php_stream_ftp_stream_close(php_stream_wrapper *wrapper, php_stream *stream TSRMLS_DC) { - php_stream *controlstream = (php_stream *)stream->wrapperdata; + php_stream *controlstream = stream->wrapperthis; + int ret = 0; if (controlstream) { + if (strpbrk(stream->mode, "wa+")) { + char tmp_line[512]; + int result; + + /* For write modes close data stream first to signal EOF to server */ + result = GET_FTP_RESULT(controlstream); + if (result != 226 && result != 250) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "FTP server error %d:%s", result, tmp_line); + ret = EOF; + } + } + php_stream_write_string(controlstream, "QUIT\r\n"); php_stream_close(controlstream); - stream->wrapperdata = NULL; + stream->wrapperthis = NULL; } - return 0; + + return ret; } /* }}} */ @@ -564,7 +584,7 @@ php_stream * php_stream_url_wrap_ftp(php } /* remember control stream */ - datastream->wrapperdata = (zval *)stream; + datastream->wrapperthis = stream; php_url_free(resource); return datastream; @@ -588,11 +608,13 @@ errexit: static size_t php_ftp_dirstream_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) { php_stream_dirent *ent = (php_stream_dirent *)buf; - php_stream *innerstream = (php_stream *)stream->abstract; + php_stream *innerstream; size_t tmp_len; char *basename; size_t basename_len; + innerstream = ((php_ftp_dirstream_data *)stream->abstract)->datastream; + if (count != sizeof(php_stream_dirent)) { return 0; } @@ -636,13 +658,18 @@ static size_t php_ftp_dirstream_read(php */ static int php_ftp_dirstream_close(php_stream *stream, int close_handle TSRMLS_DC) { - php_stream *innerstream = (php_stream *)stream->abstract; + php_ftp_dirstream_data *data = stream->abstract; - if (innerstream->wrapperdata) { - php_stream_close((php_stream *)innerstream->wrapperdata); - innerstream->wrapperdata = NULL; - } - php_stream_close((php_stream *)stream->abstract); + /* close control connection */ + if (data->controlstream) { + php_stream_close(data->controlstream); + data->controlstream = NULL; + } + /* close data connection */ + php_stream_close(data->datastream); + data->datastream = NULL; + + efree(data); stream->abstract = NULL; return 0; @@ -668,6 +695,7 @@ static php_stream_ops php_ftp_dirstream_ php_stream * php_stream_ftp_opendir(php_stream_wrapper *wrapper, char *path, char *mode, int options, char **opened_path, php_stream_context *context STREAMS_DC TSRMLS_DC) { php_stream *stream, *reuseid, *datastream = NULL; + php_ftp_dirstream_data *dirsdata; php_url *resource = NULL; int result = 0, use_ssl, use_ssl_on_data = 0; char *hoststart = NULL, tmp_line[512]; @@ -727,11 +755,14 @@ php_stream * php_stream_ftp_opendir(php_ goto opendir_errexit; } - /* remember control stream */ - datastream->wrapperdata = (zval *)stream; - php_url_free(resource); - return php_stream_alloc(&php_ftp_dirstream_ops, datastream, 0, mode); + + dirsdata = emalloc(sizeof *dirsdata); + dirsdata->datastream = datastream; + dirsdata->controlstream = stream; + dirsdata->dirstream = php_stream_alloc(&php_ftp_dirstream_ops, dirsdata, 0, mode); + + return dirsdata->dirstream; opendir_errexit: if (resource) { ++++++ php-5.3.5-CVE-2011-1470.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=306493 --- ext/zip/zip_stream.c 2010/12/20 10:50:59 306492 +++ ext/zip/zip_stream.c 2010/12/20 11:00:27 306493 @@ -216,6 +216,7 @@ self->stream = NULL; self->cursor = 0; stream = php_stream_alloc(&php_stream_zipio_ops, self, NULL, mode); + stream->orig_path = estrdup(path); } else { zip_close(stream_za); } ++++++ php-5.3.5-CVE-2011-1471.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=307917 --- ext/zip/zip_stream.c 2011/02/01 14:01:00 307915 +++ ext/zip/zip_stream.c 2011/02/01 14:43:52 307916 @@ -30,11 +30,11 @@ /* {{{ php_zip_ops_read */ static size_t php_zip_ops_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) { - size_t n = 0; + ssize_t n = 0; STREAM_DATA_FROM_STREAM(); if (self->za && self->zf) { - n = (size_t)zip_fread(self->zf, buf, (int)count); + n = zip_fread(self->zf, buf, count); if (n < 0) { int ze, se; zip_file_error_get(self->zf, &ze, &se); @@ -42,13 +42,15 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zip stream error: %s", zip_file_strerror(self->zf)); return 0; } - if (n == 0 || n < count) { + /* cast count to signed value to avoid possibly negative n + * being cast to unsigned value */ + if (n == 0 || n < (ssize_t)count) { stream->eof = 1; } else { self->cursor += n; } } - return (n < 1 ? 0 : n); + return (n < 1 ? 0 : (size_t)n); } /* }}} */ ++++++ php-5.3.5-CVE-2011-1938.patch ++++++ --- ext/sockets/sockets.c 2011/05/23 23:51:28 311368 +++ ext/sockets/sockets.c 2011/05/24 00:05:50 311369 @@ -1336,6 +1336,11 @@ break; case AF_UNIX: + if (addr_len >= sizeof(s_un.sun_path)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type); + RETURN_FALSE; + } + memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org