Author: glen Date: Mon Oct 10 19:36:45 2011 GMT Module: packages Tag: PHP_5_2 ---- Log message: - add bunch of bug and cve backports from 5.3 by centalt (php-5.2.17-7.el5.src.rpm)
---- Files affected: packages/php: php.spec (1.805.2.90 -> 1.805.2.91) , php-5.2.17-CVE-2011-0708.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-1092.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-1148.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-1938.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-CVE-2011-2202.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-39847.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-48484.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-49072.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-52063.patch (NONE -> 1.1.2.1) (NEW), php-5.2.17-bug-55082.patch (NONE -> 1.1.2.1) (NEW), php-5.2.19.tar.bz2 (NONE -> 1.1.2.1) (NEW), php-5.2.20.tar.bz2 (NONE -> 1.1.2.1) (NEW), php-5.3.6-39199.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-47435.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-48607.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-51336.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-52209.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-52290.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53150.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53377.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53515.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53568.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53574.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53577.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53579.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53603.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53630.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53854.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53903.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-53924.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-54055.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-54089.patch (NONE -> 1.1.2.1) (NEW), php-5.3.6-bug-54092.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-48465.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-50363.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-51958.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-51997.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-52104.patch 
(NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-52496.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-52935.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-53037.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-53782.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-53848.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54121.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54137.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54180.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54221.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54242.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54269.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54312.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54318.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54329.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54440.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54494.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54529.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54601.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-54946.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-55014.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-55323.patch (NONE -> 1.1.2.1) (NEW), php-5.3.7-bug-55399.patch (NONE -> 1.1.2.1) (NEW) ---- Diffs: ================================================================ Index: packages/php/php.spec diff -u packages/php/php.spec:1.805.2.90 packages/php/php.spec:1.805.2.91 --- packages/php/php.spec:1.805.2.90 Mon Oct 10 20:54:38 2011 +++ packages/php/php.spec Mon Oct 10 21:36:37 2011 @@ -113,7 +113,7 @@ Summary(uk.UTF-8): PHP Версії 5 - мова препроцесування HTML-файлів, виконувана на сервері Name: php Version: 5.2.17 -Release: 6 +Release: 7 Epoch: 4 License: PHP Group: Libraries 
@@ -193,6 +193,69 @@
 Patch57: php-php_dl.patch
 # http://spot.fedorapeople.org/php-5.3.6-libzip.patch
 Patch65: system-libzip.patch
+# CENTALT patches
+# CVE
+Patch201: php-5.2.17-CVE-2011-2202.patch
+Patch202: php-5.2.17-CVE-2011-1938.patch
+Patch203: php-5.2.17-CVE-2011-1148.patch
+Patch204: php-5.2.17-CVE-2011-0708.patch
+Patch205: php-5.2.17-CVE-2011-1092.patch
+# Backport from 5.3.6
+Patch301: php-5.3.6-bug-54055.patch
+Patch302: php-5.3.6-bug-53577.patch
+Patch303: php-5.2.17-bug-48484.patch
+Patch304: php-5.3.6-bug-48607.patch
+Patch305: php-5.3.6-bug-53574.patch
+Patch306: php-5.3.6-bug-52290.patch
+Patch307: php-5.2.17-bug-52063.patch
+Patch308: php-5.3.6-bug-53924.patch
+Patch309: php-5.3.6-bug-53150.patch
+Patch310: php-5.3.6-bug-52209.patch
+Patch311: php-5.3.6-bug-47435.patch
+Patch312: php-5.3.6-bug-53377.patch
+Patch313: php-5.2.17-bug-39847.patch
+Patch314: php-5.3.6-39199.patch
+Patch315: php-5.3.6-bug-53630.patch
+Patch316: php-5.3.6-bug-51336.patch
+Patch317: php-5.3.6-bug-53515.patch
+Patch318: php-5.3.6-bug-54092.patch
+Patch319: php-5.3.6-bug-53903.patch
+Patch320: php-5.3.6-bug-54089.patch
+Patch321: php-5.3.6-bug-53603.patch
+Patch322: php-5.3.6-bug-53854.patch
+Patch323: php-5.3.6-bug-53579.patch
+Patch324: php-5.3.6-bug-53568.patch
+Patch325: php-5.2.17-bug-49072.patch
+# 5.3.7
+Patch330: php-5.3.7-bug-55399.patch
+Patch331: php-5.2.17-bug-55082.patch
+Patch332: php-5.3.7-bug-55014.patch
+#Patch333: php-5.3.7-bug-54924.patch
+Patch334: php-5.3.7-bug-54180.patch
+Patch335: php-5.3.7-bug-54137.patch
+Patch336: php-5.3.7-bug-53848.patch
+Patch337: php-5.3.7-bug-52935.patch
+Patch338: php-5.3.7-bug-51997.patch
+Patch339: php-5.3.7-bug-50363.patch
+Patch340: php-5.3.7-bug-48465.patch
+Patch341: php-5.3.7-bug-54529.patch
+Patch342: php-5.3.7-bug-52496.patch
+Patch343: php-5.3.7-bug-54242.patch
+Patch344: php-5.3.7-bug-54121.patch
+Patch345: php-5.3.7-bug-53037.patch
+Patch346: php-5.3.7-bug-54269.patch
+Patch347: php-5.3.7-bug-54601.patch
+Patch348: php-5.3.7-bug-54440.patch
+Patch349: php-5.3.7-bug-54494.patch
+Patch350: php-5.3.7-bug-54221.patch
+Patch351: php-5.3.7-bug-52104.patch
+Patch352: php-5.3.7-bug-54329.patch
+Patch353: php-5.3.7-bug-53782.patch
+Patch354: php-5.3.7-bug-54318.patch
+Patch355: php-5.3.7-bug-55323.patch
+Patch356: php-5.3.7-bug-54312.patch
+Patch357: php-5.3.7-bug-51958.patch
+Patch358: php-5.3.7-bug-54946.patch
 URL: http://www.php.net/
 %{?with_interbase:%{!?with_interbase_inst:BuildRequires: Firebird-devel >= 1.0.2.908-2}}
 %{?with_pspell:BuildRequires: aspell-devel >= 2:0.50.0}
@@ -1873,6 +1936,69 @@ %patch57 -p1 %patch65 -p1 +%patch201 -p1 -b .CVE-2011-2202 +%patch202 -p1 -b .CVE-2011-1938 +%patch203 -p1 -b .CVE-2011-1148 +%patch204 -p1 -b .CVE-2011-0708 +%patch205 -p1 -b .CVE-2011-1092 + +# Bugfix backport from 5.3.6 +%patch301 -p1 -b .bug-54055 +%patch302 -p1 -b .bug-53577 +%patch303 -p1 -b .bug-48484 +%patch304 -p1 -b .bug-48607 +%patch305 -p1 -b .bug-53574 +%patch306 -p1 -b .bug-52290 +%patch307 -p1 -b .bug-52063 +%patch308 -p1 -b .bug-53924 +%patch309 -p1 -b .bug-53150 +%patch310 -p1 -b .bug-52209 +%patch311 -p1 -b .bug-47435 +%patch312 -p1 -b .bug-53377 +%patch313 -p1 -b .bug-39847 +%patch314 -p1 -b .bug-39199 +%patch315 -p1 -b .bug-53630 +%patch316 -p1 -b .bug-51336 +%patch317 -p1 -b .bug-53515 +%patch318 -p1 -b .bug-54092 +%patch319 -p1 -b .bug-53903 +%patch320 -p1 -b .bug-54089 +%patch321 -p1 -b .bug-53603 +%patch322 -p1 -b .bug-53854 +%patch323 -p1 -b .bug-53579 +%patch324 -p1 -b .bug-53568 +%patch325 -p1 -b .bug-49072 +# Bugfix backport from 5.3.7 +%patch330 -p1 -b .bug-55399 +%patch331 -p1 -b .bug-55082 +%patch332 -p1 -b .bug-55014 +#accert %patch333 -p1 -b .bug-54924 +%patch334 -p1 -b .bug-54180 +%patch335 -p1 -b .bug-54137 +%patch336 -p1 -b .bug-53848 +%patch337 -p1 -b .bug-52935 +%patch338 -p1 -b .bug-51997 +%patch339 -p1 -b .bug-50363 +%patch340 -p1 -b .bug-48465 +%patch341 -p1 -b .bug-54529 +%patch342 -p1 -b .bug-52496 +%patch343 -p1 -b .bug-54242 +%patch344 -p1 -b .bug-54121 +%patch345 -p1 -b .bug-53037 +%patch346 -p1 -b .bug-54269 +%patch347 -p1 -b .bug-54601 +%patch348 -p1 -b .bug-54440 +%patch349 -p1 -b .bug-54494 +%patch350 -p1 -b .bug-54221 +%patch351 -p1 -b .bug-52104 +%patch352 -p1 -b .bug-54329 +%patch353 -p1 -b .bug-53782 +%patch354 -p1 -b .bug-54318 +#soap %patch355 -p1 -b .bug-55323 +%patch356 -p1 -b .bug-54312 +%patch357 -p1 -b .bug-51958 +%patch358 -p1 -b .bug-54946 + # conflict seems to be resolved by recode patches rm -f ext/recode/config9.m4 
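Review bot: The two disabled entries in `%prep`, `#accert %patch333 -p1 -b .bug-54924` and `#soap %patch355 -p1 -b .bug-55323`, carry only a one-word tag and give no reason why the fix is skipped. `Patch355: php-5.3.7-bug-55323.patch` is still declared in the Patch list hunk above and the file is added by this commit, so the package ships a fix it never applies, while Patch333 is commented out in both places. I would replace each tag with a comment that states the reason, for example `# bug-55323 (soap) not applied: <reason>`, and write the macro as `%%patch355` inside the comment, since rpm expands macros on comment lines too.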
@@ -3178,6 +3304,9 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.805.2.91 2011/10/10 19:36:37 glen +- add bunch of bug and cve backports from 5.3 by centalt (php-5.2.17-7.el5.src.rpm) + Revision 1.805.2.90 2011/10/10 18:54:38 glen - use system libzip 0.10, resolves CVE-2011-0421 ================================================================ Index: packages/php/php-5.2.17-CVE-2011-0708.patch diff -u /dev/null packages/php/php-5.2.17-CVE-2011-0708.patch:1.1.2.1 --- /dev/null Mon Oct 10 21:36:45 2011 +++ packages/php/php-5.2.17-CVE-2011-0708.patch Mon Oct 10 21:36:37 2011 
@@ -0,0 +1,52 @@
+--- PHP_5_3/ext/exif/exif.c 2011/02/14 08:46:53 308315
++++ PHP_5_3/ext/exif/exif.c 2011/02/14 09:08:44 308316
+@@ -40,6 +40,10 @@
+ #include "php.h"
+ #include "ext/standard/file.h"
+
++#ifdef PHP_WIN32
++include "win32/php_stdint.h"
++#endif
++
+ #if HAVE_EXIF
+
+ /* When EXIF_DEBUG is defined the module generates a lot of debug messages
+@@ -2821,6 +2825,7 @@
+ int tag, format, components;
+ char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ size_t byte_count, offset_val, fpos, fgot;
++ int64_t byte_count_signed;
+ xp_field_type *tmp_xp;
+ #ifdef EXIF_DEBUG
+ char *dump_data;
+@@ -2845,13 +2850,20 @@
+ /*return TRUE;*/
+ }
+
+- byte_count = components * php_tiff_bytes_per_format[format];
++ if (components < 0) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
++ return FALSE;
++ }
++
++ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
+
+- if ((ssize_t)byte_count < 0) {
++ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ return FALSE;
+ }
+
++ byte_count = (size_t)byte_count_signed;
++
+ if (byte_count > 4) {
+ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+ /* If its bigger than 4 bytes, the dir entry contains an offset. */
+@@ -2916,6 +2928,7 @@
+ efree(dump_data);
+ }
+ #endif
++
+ if (section_index==SECTION_THUMBNAIL) {
+ if (!ImageInfo->Thumbnail.data) {
+ switch(tag) {
================================================================
Index: packages/php/php-5.2.17-CVE-2011-1092.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1092.patch:1.1.2.1
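Review bot: Both `exif_error_docref` calls guarding the new size computation pass `byte_count` to `%ld`, but after this patch `byte_count` is only assigned by `byte_count = (size_t)byte_count_signed;` below the checks, so as far as the hunk shows the warning prints an indeterminate value (and `%ld` does not match `size_t`). The `components < 0` branch should log `components`, and the second check should log `byte_count_signed` with a matching 64-bit format. The bound `byte_count_signed > 2147483648` also accepts exactly 2^31, one more than a signed 32-bit length can hold; `byte_count_signed > INT32_MAX` looks like the intended limit. Under `PHP_WIN32` the added `include "win32/php_stdint.h"` is missing its leading `#`, which breaks that build even though it is never compiled here.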
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1092.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,11 @@
+--- PHP_5_3/ext/shmop/shmop.c 2011/01/01 02:19:59 306939
++++ PHP_5_3/ext/shmop/shmop.c 2011/03/08 13:11:14 309018
+@@ -256,7 +256,7 @@
+ RETURN_FALSE;
+ }
+
+- if (start + count > shmop->size || count < 0) {
++ if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
+ RETURN_FALSE;
+ }
================================================================
Index: packages/php/php-5.2.17-CVE-2011-1148.patch
diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1148.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-CVE-2011-1148.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,159 @@ +--- PHP_5_3/ext/standard/string.c 2011/04/13 03:32:19 310193 ++++ PHP_5_3/ext/standard/string.c 2011/04/13 06:32:41 310194 +@@ -2352,20 +2352,35 @@ + + zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str); + while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) { +- convert_to_string_ex(tmp_str); ++ zval *orig_str; ++ zval dummy; ++ if(Z_TYPE_PP(tmp_str) != IS_STRING) { ++ dummy = **tmp_str; ++ orig_str = &dummy; ++ zval_copy_ctor(orig_str); ++ convert_to_string(orig_str); ++ } else { ++ orig_str = *tmp_str; ++ } + + if (Z_TYPE_PP(from) == IS_ARRAY) { + if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) { +- convert_to_long_ex(tmp_from); ++ if(Z_TYPE_PP(tmp_from) != IS_LONG) { ++ zval dummy = **tmp_from; ++ zval_copy_ctor(&dummy); ++ convert_to_long(&dummy); ++ f = Z_LVAL(dummy); ++ } else { ++ f = Z_LVAL_PP(tmp_from); ++ } + +- f = Z_LVAL_PP(tmp_from); + if (f < 0) { +- f = Z_STRLEN_PP(tmp_str) + f; ++ f = Z_STRLEN_P(orig_str) + f; + if (f < 0) { + f = 0; + } +- } else if (f > Z_STRLEN_PP(tmp_str)) { +- f = Z_STRLEN_PP(tmp_str); ++ } else if (f > Z_STRLEN_P(orig_str)) { ++ f = Z_STRLEN_P(orig_str); + } + zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from); + } else { +@@ -2374,72 +2389,94 @@ + } else { + f = Z_LVAL_PP(from); + if (f < 0) { +- f = Z_STRLEN_PP(tmp_str) + f; ++ f = Z_STRLEN_P(orig_str) + f; + if (f < 0) { + f = 0; + } +- } else if (f > Z_STRLEN_PP(tmp_str)) { +- f = Z_STRLEN_PP(tmp_str); ++ } else if (f > Z_STRLEN_P(orig_str)) { ++ f = Z_STRLEN_P(orig_str); + } + } + + if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) { + if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) { +- convert_to_long_ex(tmp_len); ++ if(Z_TYPE_PP(tmp_len) != IS_LONG) { ++ zval dummy = **tmp_len; ++ zval_copy_ctor(&dummy); ++ convert_to_long(&dummy); ++ l = Z_LVAL(dummy); ++ } else { ++ l = Z_LVAL_PP(tmp_len); ++ } + + 
l = Z_LVAL_PP(tmp_len); + zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len); + } else { +- l = Z_STRLEN_PP(tmp_str); ++ l = Z_STRLEN_P(orig_str); + } + } else if (argc > 3) { + l = Z_LVAL_PP(len); + } else { +- l = Z_STRLEN_PP(tmp_str); ++ l = Z_STRLEN_P(orig_str); + } + + if (l < 0) { +- l = (Z_STRLEN_PP(tmp_str) - f) + l; ++ l = (Z_STRLEN_P(orig_str) - f) + l; + if (l < 0) { + l = 0; + } + } + +- if ((f + l) > Z_STRLEN_PP(tmp_str)) { +- l = Z_STRLEN_PP(tmp_str) - f; ++ if ((f + l) > Z_STRLEN_P(orig_str)) { ++ l = Z_STRLEN_P(orig_str) - f; + } + +- result_len = Z_STRLEN_PP(tmp_str) - l; ++ result_len = Z_STRLEN_P(orig_str) - l; + + if (Z_TYPE_PP(repl) == IS_ARRAY) { + if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) { +- convert_to_string_ex(tmp_repl); +- result_len += Z_STRLEN_PP(tmp_repl); ++ zval *repl_str; ++ zval zrepl; ++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) { ++ zrepl = **tmp_repl; ++ repl_str = &zrepl; ++ zval_copy_ctor(repl_str); ++ convert_to_string(repl_str); ++ } else { ++ repl_str = *tmp_repl; ++ } ++ ++ result_len += Z_STRLEN_P(repl_str); + zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl); + result = emalloc(result_len + 1); + +- memcpy(result, Z_STRVAL_PP(tmp_str), f); +- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl)); +- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); ++ memcpy(result, Z_STRVAL_P(orig_str), f); ++ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str)); ++ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); ++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) { ++ zval_dtor(repl_str); ++ } + } else { + result = emalloc(result_len + 1); + +- memcpy(result, Z_STRVAL_PP(tmp_str), f); +- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); ++ memcpy(result, Z_STRVAL_P(orig_str), f); ++ memcpy((result + f), 
Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); + } + } else { + result_len += Z_STRLEN_PP(repl); + + result = emalloc(result_len + 1); + +- memcpy(result, Z_STRVAL_PP(tmp_str), f); ++ memcpy(result, Z_STRVAL_P(orig_str), f); + memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl)); +- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); ++ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); + } + + result[result_len] = '\0'; + add_next_index_stringl(return_value, result, result_len, 0); +- ++ if(Z_TYPE_PP(tmp_str) != IS_STRING) { ++ zval_dtor(orig_str); ++ } + zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str); + } /*while*/ + } /* if */ ================================================================ Index: packages/php/php-5.2.17-CVE-2011-1938.patch diff -u /dev/null packages/php/php-5.2.17-CVE-2011-1938.patch:1.1.2.1 --- /dev/null Mon Oct 10 21:36:45 2011 +++ packages/php/php-5.2.17-CVE-2011-1938.patch Mon Oct 10 21:36:37 2011 @@ -0,0 +1,14 @@ +diff -up php-5.2.17/ext/sockets/sockets.c.CVE-2011-1938 php-5.2.17/ext/sockets/sockets.c +--- php-5.2.17/ext/sockets/sockets.c.CVE-2011-1938 2011-08-19 08:40:08.000000000 +0700 ++++ php-5.2.17/ext/sockets/sockets.c 2011-08-19 08:41:11.000000000 +0700 +@@ -1176,6 +1176,10 @@ PHP_FUNCTION(socket_connect) + break; + + case AF_UNIX: ++ if (addr_len >= sizeof(s_un.sun_path)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type); ++ RETURN_FALSE; ++ } + memset(&s_un, 0, sizeof(struct sockaddr_un)); + + s_un.sun_family = AF_UNIX; ================================================================ Index: packages/php/php-5.2.17-CVE-2011-2202.patch diff -u /dev/null packages/php/php-5.2.17-CVE-2011-2202.patch:1.1.2.1 --- /dev/null Mon Oct 10 21:36:45 2011 +++ packages/php/php-5.2.17-CVE-2011-2202.patch Mon Oct 10 21:36:37 2011 
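Review bot: In the `tmp_len` branch of php-5.2.17-CVE-2011-1148.patch the unchanged statement `l = Z_LVAL_PP(tmp_len);` still follows the new `if`/`else`, so the value taken from the converted copy (`l = Z_LVAL(dummy);`) is immediately overwritten by a raw `lval` read of the original element. For an element that is not `IS_LONG` that read is not a meaningful length, and `l` then goes into the clamping and the `memcpy` sizes further down. The `tmp_from` branch of the same patch removes its counterpart (`- f = Z_LVAL_PP(tmp_from);`), so this line should be removed as well. A one-line comment on the `dummy` copies saying that no `zval_dtor` is needed after `convert_to_long` would also explain why they are treated differently from `orig_str` and `repl_str`.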
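Review bot: The warning added to the `AF_UNIX` case in php-5.2.17-CVE-2011-1938.patch passes `php_sock->type` although the format string `"Path too long"` has no conversion, so the argument is silently ignored. Either drop it, `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");`, or report the offending length so the log entry is useful when triaging. The `addr_len` declaration and the copy into `s_un.sun_path` lie outside the hunk, so it is worth confirming that the copy uses the same `addr_len` that this check bounds.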
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/main/rfc1867.c.orig php-5.2.17/main/rfc1867.c
+--- php-5.2.17/main/rfc1867.c.orig 2011-08-19 08:33:09.000000000 +0700
++++ php-5.2.17/main/rfc1867.c 2011-08-19 08:34:29.000000000 +0700
+@@ -1215,7 +1215,7 @@ filedone:
+ #endif
+
+ if (!is_anonymous) {
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
+ } else {
+ safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
+@@ -1228,7 +1228,7 @@ filedone:
+ } else {
+ snprintf(lbuf, llen, "%s[name]", param);
+ }
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
+ } else {
+ register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
================================================================
Index: packages/php/php-5.2.17-bug-39847.patch
diff -u /dev/null packages/php/php-5.2.17-bug-39847.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-39847.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/ext/mysqli/mysqli_api.c.bug-39847 php-5.2.17/ext/mysqli/mysqli_api.c
+--- php-5.2.17/ext/mysqli/mysqli_api.c.bug-39847 2010-04-21 19:52:24.000000000 +0700
++++ php-5.2.17/ext/mysqli/mysqli_api.c 2011-08-28 11:33:15.000000000 +0700
+@@ -795,6 +795,8 @@ PHP_FUNCTION(mysqli_fetch_field)
+ add_property_string(return_value, "orgname",(field->org_name ? field->org_name : ""), 1);
+ add_property_string(return_value, "table",(field->table ? field->table : ""), 1);
+ add_property_string(return_value, "orgtable",(field->org_table ? field->org_table : ""), 1);
++ add_property_string(return_value, "db",(field->db ? field->db : ""), 1);
++ add_property_string(return_value, "catalog",(field->catalog ? field->catalog : ""), 1);
+ add_property_string(return_value, "def",(field->def ? field->def : ""), 1);
+ add_property_long(return_value, "max_length", field->max_length);
+ add_property_long(return_value, "length", field->length);
+@@ -878,6 +880,8 @@ PHP_FUNCTION(mysqli_fetch_field_direct)
+ add_property_string(return_value, "orgname",(field->org_name ? field->org_name : ""), 1);
+ add_property_string(return_value, "table",(field->table ? field->table : ""), 1);
+ add_property_string(return_value, "orgtable",(field->org_table ? field->org_table : ""), 1);
++ add_property_string(return_value, "db",(field->db ? field->db : ""), 1);
++ add_property_string(return_value, "catalog",(field->catalog ? field->catalog : ""), 1);
+ add_property_string(return_value, "def",(field->def ? field->def : ""), 1);
+ add_property_long(return_value, "max_length", field->max_length);
+ add_property_long(return_value, "length", field->length);
================================================================
Index: packages/php/php-5.2.17-bug-48484.patch
diff -u /dev/null packages/php/php-5.2.17-bug-48484.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-48484.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,18 @@
+diff -up php-5.2.17/ext/standard/array.c.bug-48484 php-5.2.17/ext/standard/array.c
+--- php-5.2.17/ext/standard/array.c.bug-48484 2010-11-20 04:06:44.000000000 +0600
++++ php-5.2.17/ext/standard/array.c 2011-08-28 00:21:52.000000000 +0700
+@@ -4368,11 +4368,11 @@ PHP_FUNCTION(array_product)
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array");
+ return;
+ }
+-
++
++ ZVAL_LONG(return_value, 1);
+ if (!zend_hash_num_elements(Z_ARRVAL_PP(input))) {
+- RETURN_LONG(0);
++ return;
+ }
+- ZVAL_LONG(return_value, 1);
+
+ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+ zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&entry, &pos) == SUCCESS;
================================================================
Index: packages/php/php-5.2.17-bug-49072.patch
diff -u /dev/null packages/php/php-5.2.17-bug-49072.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-49072.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,28 @@
+diff -up php-5.2.17/ext/zip/zip_stream.c.bug-49072 php-5.2.17/ext/zip/zip_stream.c
+--- php-5.2.17/ext/zip/zip_stream.c.bug-49072 2011-08-28 14:06:52.000000000 +0700
++++ php-5.2.17/ext/zip/zip_stream.c 2011-08-28 14:09:41.000000000 +0700
+@@ -34,7 +34,7 @@ static size_t php_zip_ops_read(php_strea
+ STREAM_DATA_FROM_STREAM();
+
+ if (self->za && self->zf) {
+- n = (size_t)zip_fread(self->zf, buf, (int)count);
++ n = zip_fread(self->zf, buf, count);
+ if (n < 0) {
+ int ze, se;
+ zip_file_error_get(self->zf, &ze, &se);
+@@ -42,13 +42,13 @@ static size_t php_zip_ops_read(php_strea
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zip stream error: %s", zip_file_strerror(self->zf));
+ return 0;
+ }
+- if (n == 0 || n < count) {
++ if (n == 0 || n < (ssize_t)count) {
+ stream->eof = 1;
+ } else {
+ self->cursor += n;
+ }
+ }
+- return n<1 ? 0 : n;
++ return (n < 1 ? 0 : (size_t)n);
+ }
+ /* }}} */
+
================================================================
Index: packages/php/php-5.2.17-bug-52063.patch
diff -u /dev/null packages/php/php-5.2.17-bug-52063.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-52063.patch Mon Oct 10 21:36:37 2011
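Review bot: The casts introduced in `php_zip_ops_read` (`n < (ssize_t)count`, `(size_t)n`) and the existing `if (n < 0)` error path assume `n` is a signed type wide enough for what `zip_fread` returns, but the declaration of `n` sits just above the first inner hunk and this backport does not touch it. If it is still a narrower or unsigned type in the 5.2.17 tree, a large read would be truncated on assignment or the error branch could never fire. Please confirm the declaration and, if needed, extend the patch so it reads `ssize_t n = 0;`. The function body starts outside the hunk.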
@@ -0,0 +1,21 @@
+diff -up php-5.2.17/ext/date/php_date.c.bug-52063 php-5.2.17/ext/date/php_date.c
+--- php-5.2.17/ext/date/php_date.c.bug-52063 2011-08-28 09:44:11.000000000 +0700
++++ php-5.2.17/ext/date/php_date.c 2011-08-28 09:45:09.000000000 +0700
+@@ -1778,7 +1778,7 @@ PHP_FUNCTION(date_create)
+ char *time_str = NULL;
+ int time_str_len = 0;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+@@ -1799,7 +1799,7 @@ PHP_METHOD(DateTime, __construct)
+ int time_str_len = 0;
+
+ php_set_error_handling(EH_THROW, NULL TSRMLS_CC);
+- if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO", &time_str, &time_str_len, &timezone_object, date_ce_timezone)) {
++ if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone)) {
+ date_initialize(zend_object_store_get_object(getThis() TSRMLS_CC), time_str, time_str_len, timezone_object, 1 TSRMLS_CC);
+ }
+ php_set_error_handling(EH_NORMAL, NULL TSRMLS_CC);
================================================================
Index: packages/php/php-5.2.17-bug-55082.patch
diff -u /dev/null packages/php/php-5.2.17-bug-55082.patch:1.1.2.1
--- /dev/null Mon Oct 10 21:36:45 2011
+++ packages/php/php-5.2.17-bug-55082.patch Mon Oct 10 21:36:37 2011
@@ -0,0 +1,35 @@ +diff -up php-5.2.17/ext/standard/var.c.bug-55082 php-5.2.17/ext/standard/var.c +--- php-5.2.17/ext/standard/var.c.bug-55082 2010-09-14 03:14:18.000000000 +0700 ++++ php-5.2.17/ext/standard/var.c 2011-08-28 15:18:52.000000000 +0700 +@@ -401,7 +401,7 @@ static int php_object_element_export(zva + { + int level; + smart_str *buf; +- char *prop_name, *class_name; ++ + TSRMLS_FETCH(); + + level = va_arg(args, int); +@@ -409,11 +409,20 @@ static int php_object_element_export(zva + + buffer_append_spaces(buf, level + 2); + if (hash_key->nKeyLength != 0) { +- zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1, &class_name, &prop_name); ++ char *class_name, /* ignored, but must be passed to unmangle */ ++ *pname, ++ *pname_esc; ++ int pname_esc_len; ++ ++ zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1, ++ &class_name, &pname); ++ pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0, ++ "'\\", 2 TSRMLS_CC); + + smart_str_appendc(buf, '\''); <<Diff was trimmed, longer than 597 lines>> ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/php/php.spec?r1=1.805.2.90&r2=1.805.2.91&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
