fix for CVE-2015-0232

diff --git a/CVE-2015-0232.patch b/CVE-2015-0232.patch
new file mode 100644 (file)
index 0000000..e814eea
--- /dev/null
+++ b/CVE-2015-0232.patch
@@ -0,0 +1,95 @@
+Adjusted for PHP 5.2.17
+Author: Elan Ruusamäe <glen@pld-linux.org>
+
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Jan 2015 08:51:05 +0000 (-0800)
+Subject: Fix bug #68799: Free called on unitialized pointer
+X-Git-Tag: php-5.4.37~5^2
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=2fc178cf448d8e1b95d1314e47eeef610729e0df;hp=f9ad3086693fce680fbe246e4a45aa92edd2ac35
+
+Fix bug #68799: Free called on unitialized pointer
+---
+
+--- php-5.2.17/ext/exif/exif.c~        2015-02-23 12:38:58.000000000 +0200
++++ php-5.2.17/ext/exif/exif.c 2015-02-23 12:41:41.138901305 +0200
+@@ -2721,6 +2721,7 @@
+ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
+ {
+       xp_field->tag = tag;    
++      xp_field->value = NULL;
+ 
+       /* Copy the comment */
+ #if EXIF_USE_MBSTRING
+diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
+new file mode 100644
+index 0000000..acc326d
+Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
+diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
+new file mode 100644
+index 0000000..b09f21c
+--- /dev/null
++++ b/ext/exif/tests/bug68799.phpt
+@@ -0,0 +1,63 @@
++--TEST--
++Bug #68799 (Free called on unitialized pointer)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++/*
++* Pollute the heap. Helps trigger bug. Sometimes not needed.
++*/
++class A {
++    function __construct() {
++        $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
++        $this->a = $a . $a . $a . $a . $a . $a;
++    }
++};
++
++function doStuff ($limit) {
++
++    $a = new A;
++
++    $b = array();
++    for ($i = 0; $i < $limit; $i++) {
++        $b[$i] = clone $a;
++    }
++
++    unset($a);
++
++    gc_collect_cycles();
++}
++
++$iterations = 3;
++
++doStuff($iterations);
++doStuff($iterations);
++
++gc_collect_cycles();
++
++print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
++
++?>
++--EXPECTF--
++Array
++(
++    [FileName] => bug68799.jpg
++    [FileDateTime] => %d
++    [FileSize] => 735
++    [FileType] => 2
++    [MimeType] => image/jpeg
++    [SectionsFound] => ANY_TAG, IFD0, WINXP
++    [COMPUTED] => Array
++        (
++            [html] => width="1" height="1"
++            [Height] => 1
++            [Width] => 1
++            [IsColor] => 1
++            [ByteOrderMotorola] => 1
++        )
++
++    [XResolution] => 96/1
++    [YResolution] => 96/1
++    [ResolutionUnit] => 2
++    [Author] => 
++)

diff --git a/php.spec b/php.spec
index 5064004da012af8b265001c3a0296302dac8f852..7929418eecf9e94b595c5b8a2eeb0b5799094999 100644 (file)
--- a/php.spec
+++ b/php.spec
@@ -112,7 +112,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
 %define                magic_mime      /usr/share/misc/magic.mime
 %endif
 
-%define                rel             9
+%define                rel             10
 %define                orgname php
 %define                ver_suffix 52
 %define                php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -217,6 +217,7 @@ Patch72:    exif-crash-bug-36.patch
 Patch73:       CVE-2013-6420.patch
 Patch74:       CVE-2013-4073.patch
 Patch75:       php-secbug-67498.patch
+Patch76:       CVE-2015-0232.patch
 # CENTALT patches
 # Backport from 5.3.6
 Patch311:      php-5.3.6-bug-47435.patch
@@ -1937,6 +1938,7 @@ done
 %patch73 -p1
 %patch74 -p1
 %patch75 -p1
+%patch76 -p1
 
 # Bugfix backport from 5.3.6
 %patch311 -p1 -b .bug-47435