From: Elan Ruusamäe Date: Wed, 11 Feb 2015 12:53:34 +0000 (+0200) Subject: add two fixes from centos/el. addresses CVE-2011-4153 CVE-2014-2270 X-Git-Tag: auto/th/php53-5.3.29-11~1 X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=6e15a154c9f65f4dde0ade9eded7b3b4a1ff1524;p=packages%2Fphp.git add two fixes from centos/el. addresses CVE-2011-4153 CVE-2014-2270 two additional patches from php-5.3.3-38.el6.src.rpm --- diff --git a/php-5.3.3-CVE-2011-4153.patch b/php-5.3.3-CVE-2011-4153.patch new file mode 100644 index 0000000..73777ae --- /dev/null +++ b/php-5.3.3-CVE-2011-4153.patch @@ -0,0 +1,29 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4153 + +http://svn.php.net/viewvc?view=revision&revision=319442 + +--- php-5.3.3/ext/standard/syslog.c.cve4153 ++++ php-5.3.3/ext/standard/syslog.c +@@ -234,6 +234,9 @@ PHP_FUNCTION(openlog) + free(BG(syslog_device)); + } + BG(syslog_device) = zend_strndup(ident, ident_len); ++ if(BG(syslog_device) == NULL) { ++ RETURN_FALSE; ++ } + openlog(BG(syslog_device), option, facility); + RETURN_TRUE; + } +--- php-5.3.3/Zend/zend_builtin_functions.c.cve4153 ++++ php-5.3.3/Zend/zend_builtin_functions.c +@@ -683,6 +683,9 @@ repeat: + } + c.flags = case_sensitive; /* non persistent */ + c.name = zend_strndup(name, name_len); ++ if (c.name == NULL) { ++ RETURN_FALSE; ++ } + c.name_len = name_len+1; + c.module_number = PHP_USER_CONSTANT; + if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) { diff --git a/php-5.3.3-CVE-2014-2270.patch b/php-5.3.3-CVE-2014-2270.patch new file mode 100644 index 0000000..0990853 --- /dev/null +++ b/php-5.3.3-CVE-2014-2270.patch @@ -0,0 +1,477 @@ +diff --git a/src/softmagic.c b/src/softmagic.c +index 1f02fec..58a1cf7 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *); + private void cvt_32(union VALUETYPE *, const struct magic *); + private void cvt_64(union VALUETYPE *, const struct magic *); + ++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) + /* + * softmagic - lookup one file in parsed, in-memory copy of database + * Passed the name and FILE * of one file to be typed. +@@ -1065,6 +1066,7 @@ mget(struct magic_set *ms, const unsigned char *s, + { + uint32_t offset = ms->offset; + uint32_t count = m->str_range; ++ uint32_t lhs; + union VALUETYPE *p = &ms->ms_value; + + if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1) +@@ -1116,7 +1118,7 @@ mget(struct magic_set *ms, const unsigned char *s, + } + switch (m->in_type) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1151,111 +1153,79 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_BESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; ++ lhs = (p->hs[0] << 8) | p->hs[1]; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { + case FILE_OPAND: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) & +- off; ++ offset = lhs & off; + break; + case FILE_OPOR: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) | +- off; ++ offset = lhs | off; + break; + case FILE_OPXOR: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) ^ +- off; ++ offset = lhs ^ off; + break; + case FILE_OPADD: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) + +- off; ++ offset = lhs + off; + break; + case FILE_OPMINUS: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) - +- off; ++ offset = lhs - off; + break; + case FILE_OPMULTIPLY: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) * +- off; ++ offset = lhs * off; + break; + case FILE_OPDIVIDE: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) / +- off; ++ offset = lhs / off; + break; + case FILE_OPMODULO: +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])) % +- off; ++ offset = lhs % off; + break; + } + } else +- offset = (short)((p->hs[0]<<8)| +- (p->hs[1])); ++ offset = lhs; + if (m->in_op & FILE_OPINVERSE) + offset = ~offset; + break; + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; ++ lhs = (p->hs[1] << 8) | p->hs[0]; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { + case FILE_OPAND: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) & +- off; ++ offset = lhs & off; + break; + case FILE_OPOR: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) | +- off; ++ offset = lhs | off; + break; + case FILE_OPXOR: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) ^ +- off; ++ offset = lhs ^ off; + break; + case FILE_OPADD: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) + +- off; ++ offset = lhs + off; + break; + case FILE_OPMINUS: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) - +- off; ++ offset = lhs - off; + break; + case FILE_OPMULTIPLY: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) * +- off; ++ offset = lhs * off; + break; + case FILE_OPDIVIDE: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) / +- off; ++ offset = lhs / off; + break; + case FILE_OPMODULO: +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])) % +- off; ++ offset = lhs % off; + break; + } + } else +- offset = (short)((p->hs[1]<<8)| +- (p->hs[0])); ++ offset = lhs; + if (m->in_op & FILE_OPINVERSE) + offset = ~offset; + break; + case FILE_SHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1292,218 +1262,119 @@ mget(struct magic_set *ms, const unsigned char *s, + break; + case FILE_BELONG: + case FILE_BEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; ++ lhs = (p->hl[0] << 24) | (p->hl[1] << 16) | ++ (p->hl[2] << 8) | p->hl[3]; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { + case FILE_OPAND: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) & +- off; ++ offset = lhs & off; + break; + case FILE_OPOR: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) | +- off; ++ offset = lhs | off; + break; + case FILE_OPXOR: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) ^ +- off; ++ offset = lhs ^ off; + break; + case FILE_OPADD: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) + +- off; ++ offset = lhs + off; + break; + case FILE_OPMINUS: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) - +- off; ++ offset = lhs - off; + break; + case FILE_OPMULTIPLY: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) * +- off; ++ offset = lhs * off; + break; + case FILE_OPDIVIDE: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) / +- off; ++ offset = lhs / off; + break; + case FILE_OPMODULO: +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])) % +- off; ++ offset = lhs % off; + break; + } + } else +- offset = (int32_t)((p->hl[0]<<24)| +- (p->hl[1]<<16)| +- (p->hl[2]<<8)| +- (p->hl[3])); ++ offset = lhs; + if (m->in_op & FILE_OPINVERSE) + offset = ~offset; + break; + case FILE_LELONG: + case FILE_LEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; ++ lhs = (p->hl[3] << 24) | (p->hl[2] << 16) | ++ (p->hl[1] << 8) | p->hl[0]; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { + case FILE_OPAND: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) & +- off; ++ offset = lhs & off; + break; + case FILE_OPOR: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) | +- off; ++ offset = lhs | off; + break; + case FILE_OPXOR: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) ^ +- off; ++ offset = lhs ^ off; + break; + case FILE_OPADD: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) + +- off; ++ offset = lhs + off; + break; + case FILE_OPMINUS: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) - +- off; ++ offset = lhs - off; + break; + case FILE_OPMULTIPLY: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) * +- off; ++ offset = lhs * off; + break; + case FILE_OPDIVIDE: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) / +- off; ++ offset = lhs / off; + break; + case FILE_OPMODULO: +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])) % +- off; ++ offset = lhs % off; + break; + } + } else +- offset = (int32_t)((p->hl[3]<<24)| +- (p->hl[2]<<16)| +- (p->hl[1]<<8)| +- (p->hl[0])); ++ offset = lhs; + if (m->in_op & FILE_OPINVERSE) + offset = ~offset; + break; + case FILE_MELONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; ++ lhs = (p->hl[1] << 24) | (p->hl[0] << 16) | ++ (p->hl[3] << 8) | p->hl[2]; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { + case FILE_OPAND: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) & +- off; ++ offset = lhs & off; + break; + case FILE_OPOR: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) | +- off; ++ offset = lhs | off; + break; + case FILE_OPXOR: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) ^ +- off; ++ offset = lhs ^ off; + break; + case FILE_OPADD: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) + +- off; ++ offset = lhs + off; + break; + case FILE_OPMINUS: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) - +- off; ++ offset = lhs - off; + break; + case FILE_OPMULTIPLY: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) * +- off; ++ offset = lhs * off; + break; + case FILE_OPDIVIDE: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) / +- off; ++ offset = lhs / off; + break; + case FILE_OPMODULO: +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])) % +- off; ++ offset = lhs % off; + break; + } + } else +- offset = (int32_t)((p->hl[1]<<24)| +- (p->hl[0]<<16)| +- (p->hl[3]<<8)| +- (p->hl[2])); ++ offset = lhs; + if (m->in_op & FILE_OPINVERSE) + offset = ~offset; + break; + case FILE_LONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1570,14 +1441,14 @@ mget(struct magic_set *ms, const unsigned char *s, + /* Verify we have enough data to match magic type */ + switch (m->type) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) /* should alway be true */ ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + break; + + case FILE_SHORT: + case FILE_BESHORT: + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + break; + +@@ -1596,26 +1467,26 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_FLOAT: + case FILE_BEFLOAT: + case FILE_LEFLOAT: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + break; + + case FILE_DOUBLE: + case FILE_BEDOUBLE: + case FILE_LEDOUBLE: +- if (nbytes < (offset + 8)) ++ if (OFFSET_OOB(nbytes, offset, 8)) + return 0; + break; + + case FILE_STRING: + case FILE_PSTRING: + case FILE_SEARCH: +- if (nbytes < (offset + m->vallen)) ++ if (OFFSET_OOB(nbytes, offset, m->vallen)) + return 0; + break; + + case FILE_REGEX: +- if (nbytes < offset) ++ if (nbytes < offset) + return 0; + break; + +@@ -1623,7 +1494,7 @@ mget(struct magic_set *ms, const unsigned char *s, + if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 && + file_printf(ms, m->desc) == -1) + return -1; +- if (nbytes < offset) ++ if (nbytes < offset) + return 0; + return file_softmagic(ms, s + offset, nbytes - offset, + BINTEST); diff --git a/php.spec b/php.spec index 3d1ace8..36ccc11 100644 --- a/php.spec +++ b/php.spec @@ -211,6 +211,9 @@ Patch68: mysql-lib-ver-mismatch.patch Patch69: fpm-conf-split.patch # Fixes for security bugs # https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html +# also from RHEL6/CentOS7 +Patch220: php-5.3.3-CVE-2011-4153.patch +Patch238: php-5.3.3-CVE-2014-2270.patch Patch247: php-5.3.3-CVE-2014-2497.patch Patch248: php-5.3.3-CVE-2014-3587.patch Patch249: php-5.3.29-CVE-2014-3597.patch @@ -2070,6 +2073,8 @@ gzip -dc %{SOURCE15} | tar xf - -C sapi/ %patch67 -p1 %patch68 -p1 +%patch220 -p1 +%patch238 -p1 %patch247 -p1 %patch248 -p1 %patch249 -p1