From 2f139b72597b02df51f1f0005b9300f0955bf9cd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Tue, 24 Mar 2015 12:26:10 +0100
Subject: [PATCH] - rel 14; update libmagic from php5.6 (as our old 5.3 bundled libmagic segfaults easily)
---
php-5.3.3-CVE-2014-2270.patch | 477 ----------------------------------
php-5.3.3-CVE-2014-3587.patch | 27 --
php-5.3.3-CVE-2014-3710.patch | 35 ---
php.spec | 22 +-
4 files changed, 15 insertions(+), 546 deletions(-)
delete mode 100644 php-5.3.3-CVE-2014-2270.patch
delete mode 100644 php-5.3.3-CVE-2014-3587.patch
delete mode 100644 php-5.3.3-CVE-2014-3710.patch
diff --git a/php-5.3.3-CVE-2014-2270.patch b/php-5.3.3-CVE-2014-2270.patch
deleted file mode 100644
index 0990853..0000000
--- a/php-5.3.3-CVE-2014-2270.patch
+++ /dev/null
@@ -1,477 +0,0 @@ -diff --git a/src/softmagic.c b/src/softmagic.c -index 1f02fec..58a1cf7 100644 ---- a/ext/fileinfo/libmagic/softmagic.c -+++ b/ext/fileinfo/libmagic/softmagic.c -@@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *); - private void cvt_32(union VALUETYPE *, const struct magic *); - private void cvt_64(union VALUETYPE *, const struct magic *); - -+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) - /* - * softmagic - lookup one file in parsed, in-memory copy of database - * Passed the name and FILE * of one file to be typed. -@@ -1065,6 +1066,7 @@ mget(struct magic_set *ms, const unsigned char *s, - { - uint32_t offset = ms->offset; - uint32_t count = m->str_range; -+ uint32_t lhs; - union VALUETYPE *p = &ms->ms_value; - - if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1) -@@ -1116,7 +1118,7 @@ mget(struct magic_set *ms, const unsigned char *s, - } - switch (m->in_type) { - case FILE_BYTE: -- if (nbytes < (offset + 1)) -+ if (OFFSET_OOB(nbytes, offset, 1)) - return 0; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { -@@ -1151,111 +1153,79 @@ mget(struct magic_set *ms, const unsigned char *s, - offset = ~offset; - break; - case FILE_BESHORT: -- if (nbytes < (offset + 2)) -+ if (OFFSET_OOB(nbytes, offset, 2)) - return 0; -+ lhs = (p->hs[0] << 8) | p->hs[1]; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { - case FILE_OPAND: -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])) & -- off; -+ offset = lhs & off; - break; - case FILE_OPOR: -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])) | -- off; -+ offset = lhs | off; - break; - case FILE_OPXOR: -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])) ^ -- off; -+ offset = lhs ^ off; - break; - case FILE_OPADD: -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])) + -- off; -+ offset = lhs + off; - break; - case FILE_OPMINUS: -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])) - -- off; -+ offset = lhs - off; - break; - case FILE_OPMULTIPLY: -- offset = 
(short)((p->hs[0]<<8)| -- (p->hs[1])) * -- off; -+ offset = lhs * off; - break; - case FILE_OPDIVIDE: -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])) / -- off; -+ offset = lhs / off; - break; - case FILE_OPMODULO: -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])) % -- off; -+ offset = lhs % off; - break; - } - } else -- offset = (short)((p->hs[0]<<8)| -- (p->hs[1])); -+ offset = lhs; - if (m->in_op & FILE_OPINVERSE) - offset = ~offset; - break; - case FILE_LESHORT: -- if (nbytes < (offset + 2)) -+ if (OFFSET_OOB(nbytes, offset, 2)) - return 0; -+ lhs = (p->hs[1] << 8) | p->hs[0]; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { - case FILE_OPAND: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) & -- off; -+ offset = lhs & off; - break; - case FILE_OPOR: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) | -- off; -+ offset = lhs | off; - break; - case FILE_OPXOR: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) ^ -- off; -+ offset = lhs ^ off; - break; - case FILE_OPADD: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) + -- off; -+ offset = lhs + off; - break; - case FILE_OPMINUS: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) - -- off; -+ offset = lhs - off; - break; - case FILE_OPMULTIPLY: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) * -- off; -+ offset = lhs * off; - break; - case FILE_OPDIVIDE: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) / -- off; -+ offset = lhs / off; - break; - case FILE_OPMODULO: -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])) % -- off; -+ offset = lhs % off; - break; - } - } else -- offset = (short)((p->hs[1]<<8)| -- (p->hs[0])); -+ offset = lhs; - if (m->in_op & FILE_OPINVERSE) - offset = ~offset; - break; - case FILE_SHORT: -- if (nbytes < (offset + 2)) -+ if (OFFSET_OOB(nbytes, offset, 2)) - return 0; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { -@@ -1292,218 +1262,119 @@ mget(struct magic_set *ms, const unsigned char *s, - break; - case FILE_BELONG: - case FILE_BEID3: -- if (nbytes < (offset + 4)) -+ if 
(OFFSET_OOB(nbytes, offset, 4)) - return 0; -+ lhs = (p->hl[0] << 24) | (p->hl[1] << 16) | -+ (p->hl[2] << 8) | p->hl[3]; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { - case FILE_OPAND: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) & -- off; -+ offset = lhs & off; - break; - case FILE_OPOR: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) | -- off; -+ offset = lhs | off; - break; - case FILE_OPXOR: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) ^ -- off; -+ offset = lhs ^ off; - break; - case FILE_OPADD: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) + -- off; -+ offset = lhs + off; - break; - case FILE_OPMINUS: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) - -- off; -+ offset = lhs - off; - break; - case FILE_OPMULTIPLY: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) * -- off; -+ offset = lhs * off; - break; - case FILE_OPDIVIDE: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) / -- off; -+ offset = lhs / off; - break; - case FILE_OPMODULO: -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])) % -- off; -+ offset = lhs % off; - break; - } - } else -- offset = (int32_t)((p->hl[0]<<24)| -- (p->hl[1]<<16)| -- (p->hl[2]<<8)| -- (p->hl[3])); -+ offset = lhs; - if (m->in_op & FILE_OPINVERSE) - offset = ~offset; - break; - case FILE_LELONG: - case FILE_LEID3: -- if (nbytes < (offset + 4)) -+ if (OFFSET_OOB(nbytes, offset, 4)) - return 0; -+ lhs = (p->hl[3] << 24) | (p->hl[2] << 16) | -+ (p->hl[1] << 8) | p->hl[0]; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { - case FILE_OPAND: -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) & -- off; -+ offset = lhs & off; - break; - case FILE_OPOR: -- 
offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) | -- off; -+ offset = lhs | off; - break; - case FILE_OPXOR: -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) ^ -- off; -+ offset = lhs ^ off; - break; - case FILE_OPADD: -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) + -- off; -+ offset = lhs + off; - break; - case FILE_OPMINUS: -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) - -- off; -+ offset = lhs - off; - break; - case FILE_OPMULTIPLY: -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) * -- off; -+ offset = lhs * off; - break; - case FILE_OPDIVIDE: -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) / -- off; -+ offset = lhs / off; - break; - case FILE_OPMODULO: -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])) % -- off; -+ offset = lhs % off; - break; - } - } else -- offset = (int32_t)((p->hl[3]<<24)| -- (p->hl[2]<<16)| -- (p->hl[1]<<8)| -- (p->hl[0])); -+ offset = lhs; - if (m->in_op & FILE_OPINVERSE) - offset = ~offset; - break; - case FILE_MELONG: -- if (nbytes < (offset + 4)) -+ if (OFFSET_OOB(nbytes, offset, 4)) - return 0; -+ lhs = (p->hl[1] << 24) | (p->hl[0] << 16) | -+ (p->hl[3] << 8) | p->hl[2]; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { - case FILE_OPAND: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])) & -- off; -+ offset = lhs & off; - break; - case FILE_OPOR: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])) | -- off; -+ offset = lhs | off; - break; - case FILE_OPXOR: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])) ^ -- off; -+ offset = lhs ^ off; - break; - case FILE_OPADD: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- 
(p->hl[3]<<8)| -- (p->hl[2])) + -- off; -+ offset = lhs + off; - break; - case FILE_OPMINUS: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])) - -- off; -+ offset = lhs - off; - break; - case FILE_OPMULTIPLY: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])) * -- off; -+ offset = lhs * off; - break; - case FILE_OPDIVIDE: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])) / -- off; -+ offset = lhs / off; - break; - case FILE_OPMODULO: -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])) % -- off; -+ offset = lhs % off; - break; - } - } else -- offset = (int32_t)((p->hl[1]<<24)| -- (p->hl[0]<<16)| -- (p->hl[3]<<8)| -- (p->hl[2])); -+ offset = lhs; - if (m->in_op & FILE_OPINVERSE) - offset = ~offset; - break; - case FILE_LONG: -- if (nbytes < (offset + 4)) -+ if (OFFSET_OOB(nbytes, offset, 4)) - return 0; - if (off) { - switch (m->in_op & FILE_OPS_MASK) { -@@ -1570,14 +1441,14 @@ mget(struct magic_set *ms, const unsigned char *s, - /* Verify we have enough data to match magic type */ - switch (m->type) { - case FILE_BYTE: -- if (nbytes < (offset + 1)) /* should alway be true */ -+ if (OFFSET_OOB(nbytes, offset, 1)) - return 0; - break; - - case FILE_SHORT: - case FILE_BESHORT: - case FILE_LESHORT: -- if (nbytes < (offset + 2)) -+ if (OFFSET_OOB(nbytes, offset, 2)) - return 0; - break; - -@@ -1596,26 +1467,26 @@ mget(struct magic_set *ms, const unsigned char *s, - case FILE_FLOAT: - case FILE_BEFLOAT: - case FILE_LEFLOAT: -- if (nbytes < (offset + 4)) -+ if (OFFSET_OOB(nbytes, offset, 4)) - return 0; - break; - - case FILE_DOUBLE: - case FILE_BEDOUBLE: - case FILE_LEDOUBLE: -- if (nbytes < (offset + 8)) -+ if (OFFSET_OOB(nbytes, offset, 8)) - return 0; - break; - - case FILE_STRING: - case FILE_PSTRING: - case FILE_SEARCH: -- if (nbytes < (offset + m->vallen)) -+ if (OFFSET_OOB(nbytes, offset, m->vallen)) - return 
0; - break; - - case FILE_REGEX: -- if (nbytes < offset) -+ if (nbytes < offset) - return 0; - break; - -@@ -1623,7 +1494,7 @@ mget(struct magic_set *ms, const unsigned char *s, - if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 && - file_printf(ms, m->desc) == -1) - return -1; -- if (nbytes < offset) -+ if (nbytes < offset) - return 0; - return file_softmagic(ms, s + offset, nbytes - offset, - BINTEST); diff --git a/php-5.3.3-CVE-2014-3587.patch b/php-5.3.3-CVE-2014-3587.patch deleted file mode 100644 index 209b57f..0000000 --- a/php-5.3.3-CVE-2014-3587.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 0641e56be1af003aa02c7c6b0184466540637233 Mon Sep 17 00:00:00 2001 -From: Christos Zoulas -Date: Thu, 7 Aug 2014 09:38:35 +0000 -Subject: [PATCH] Prevent wrap around (Remi Collet at redhat) - ---- - src/cdf.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/cdf.c b/src/cdf.c -index 5dbf3b1..3e691f4 100644 ---- a/ext/fileinfo/libmagic/cdf.c 2014-08-14 14:40:06.875720471 +0200 -+++ b/ext/fileinfo/libmagic/cdf.c 2014-08-14 14:41:19.907273015 +0200 -@@ -768,6 +768,10 @@ - q = (const uint32_t *)(const void *) - ((const char *)(const void *)p + ofs - - 2 * sizeof(uint32_t)); -+ if (q < p) { -+ DPRINTF(("Wrapped around %p < %p\n", q, p)); -+ goto out; -+ } - if (q > e) { - DPRINTF(("Ran of the end %p > %p\n", q, e)); - goto out; --- -2.0.3 - diff --git a/php-5.3.3-CVE-2014-3710.patch b/php-5.3.3-CVE-2014-3710.patch deleted file mode 100644 index d1a9971..0000000 --- a/php-5.3.3-CVE-2014-3710.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Wed, 22 Oct 2014 15:37:04 +0200 -Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note - headers - -Upstream commit -https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0 - -CVE -2014-3710 ---- - ext/fileinfo/libmagic/readelf.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c -index 1c3845f..bb6f70f 100644 ---- a/ext/fileinfo/libmagic/readelf.c -+++ b/ext/fileinfo/libmagic/readelf.c -@@ -372,6 +372,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size, - #endif - uint32_t namesz, descsz; - -+ if (xnh_sizeof + offset > size) { -+ /* -+ * We're out of note headers. -+ */ -+ return xnh_sizeof + offset; -+ } -+ - (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof); - offset += xnh_sizeof; - --- -2.1.0 - diff --git a/php.spec b/php.spec index 08f7f58..a35862d 100644 --- a/php.spec +++ b/php.spec @@ -119,7 +119,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules. %endif %endif -%define rel 13 +%define rel 14 %define orgname php %define ver_suffix 53 %define php_suffix %{!?with_default_php:%{ver_suffix}} 
@@ -210,20 +210,27 @@ Patch67: php-litespeed.patch Patch68: x32.patch Patch69: fpm-conf-split.patch Patch70: mysql-lib-ver-mismatch.patch +# git clone git://github.com/php/php-src.git && git checkout PHP_5_6 +# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/libmagic > ~/rpm/packages/php/php-fileinfo.patch +# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/config.m4 >> ~/rpm/packages/php/php-fileinfo.patch +# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/Makefile.frag >> ~/rpm/packages/php/php-fileinfo.patch +# git diff php-5.3.29..PHP-5.6 ./ext/fileinfo/data_file.c >> ~/rpm/packages/php/php-fileinfo.patch +Patch71: php-fileinfo.patch +# Patch71-md5: 771e4934132c5f5c968248c954d1ef6e # Fixes for security bugs # https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html # also from RHEL6/CentOS7 Patch220: php-5.3.3-CVE-2011-4153.patch -Patch238: php-5.3.3-CVE-2014-2270.patch + Patch247: php-5.3.3-CVE-2014-2497.patch -Patch248: php-5.3.3-CVE-2014-3587.patch + Patch249: php-5.3.29-CVE-2014-3597.patch Patch250: php-5.3.3-CVE-2014-4698.patch Patch251: php-5.3.3-CVE-2014-4670.patch Patch252: php-5.3.3-CVE-2014-3668.patch Patch253: php-5.3.3-CVE-2014-3669.patch Patch254: php-5.3.3-CVE-2014-3670.patch -Patch255: php-5.3.3-CVE-2014-3710.patch + Patch256: php-5.3.29-CVE-2014-8142.patch Patch257: php-5.3.29-CVE-2015-0231.patch Patch258: php-5.3.29-CVE-2015-0232.patch @@ -2074,18 +2081,19 @@ cp -p php.ini-production php.ini gzip -dc %{SOURCE15} | tar xf - -C sapi/ %patch67 -p1 %patch70 -p1 +%patch71 -p1 %patch220 -p1 -%patch238 -p1 + %patch247 -p1 -%patch248 -p1 + %patch249 -p1 %patch250 -p1 %patch251 -p1 %patch252 -p1 %patch253 -p1 %patch254 -p1 -%patch255 -p1 + %patch256 -p1 %patch257 -p1 %patch258 -p1 -- 2.43.0
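Review bot: The regeneration recipe added above `Patch71` diffs against the moving branch `PHP-5.6` and clones over unauthenticated `git://`, so `php-fileinfo.patch` cannot be rebuilt or audited against a known upstream state. Record the exact upstream revision, e.g. `# generated from php-src commit <UPSTREAM_COMMIT_SHA>`, and clone over `https://`. The first recipe line also checks out `PHP_5_6` while the `git diff` lines name `PHP-5.6`, which looks like a typo. Because this hunk drops Patch238, Patch248 and Patch255 (and the `%prep` hunk drops their `%patch` lines), a comment such as `# Patch71 supersedes the CVE-2014-2270, CVE-2014-3587 and CVE-2014-3710 libmagic patches` would keep the CVE trail in the spec. That the 5.6 libmagic actually carries all three fixes is assumed here and should be confirmed against the generated patch.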