From: Elan Ruusamäe
Date: Mon, 23 Feb 2015 10:54:45 +0000 (+0200)
Subject: fix for CVE-2015-0232
X-Git-Tag: auto/th/php52-5.2.17-20130717.10~1
X-Git-Url: https://git.pld-linux.org/?p=packages%2Fphp.git;a=commitdiff_plain;h=b7b0e363252dcb1fc2b8fcfc7436459c28009259
fix for CVE-2015-0232
---
diff --git a/CVE-2015-0232.patch b/CVE-2015-0232.patch
new file mode 100644
index 0000000..e814eea
--- /dev/null
+++ b/CVE-2015-0232.patch
@@ -0,0 +1,95 @@
+Adjusted for PHP 5.2.17
+Author: Elan Ruusamäe
+
+From: Stanislav Malyshev
+Date: Sun, 11 Jan 2015 08:51:05 +0000 (-0800)
+Subject: Fix bug #68799: Free called on unitialized pointer
+X-Git-Tag: php-5.4.37~5^2
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=2fc178cf448d8e1b95d1314e47eeef610729e0df;hp=f9ad3086693fce680fbe246e4a45aa92edd2ac35
+
+Fix bug #68799: Free called on unitialized pointer
+---
+
+--- php-5.2.17/ext/exif/exif.c~ 2015-02-23 12:38:58.000000000 +0200
++++ php-5.2.17/ext/exif/exif.c 2015-02-23 12:41:41.138901305 +0200
+@@ -2721,6 +2721,7 @@
+ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
+ {
+ xp_field->tag = tag;
++ xp_field->value = NULL;
+ 
+ /* Copy the comment */
+ #if EXIF_USE_MBSTRING
+diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
+new file mode 100644
+index 0000000..acc326d
+Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ
+diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
+new file mode 100644
+index 0000000..b09f21c
+--- /dev/null
++++ b/ext/exif/tests/bug68799.phpt
+@@ -0,0 +1,63 @@
++--TEST--
++Bug #68799 (Free called on unitialized pointer)
++--SKIPIF--
++
++--FILE--
++a = $a . $a . $a . $a . $a .
$a;
++ }
++};
++
++function doStuff ($limit) {
++
++ $a = new A;
++
++ $b = array();
++ for ($i = 0; $i < $limit; $i++) {
++ $b[$i] = clone $a;
++ }
++
++ unset($a);
++
++ gc_collect_cycles();
++}
++
++$iterations = 3;
++
++doStuff($iterations);
++doStuff($iterations);
++
++gc_collect_cycles();
++
++print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
++
++?>
++--EXPECTF--
++Array
++(
++ [FileName] => bug68799.jpg
++ [FileDateTime] => %d
++ [FileSize] => 735
++ [FileType] => 2
++ [MimeType] => image/jpeg
++ [SectionsFound] => ANY_TAG, IFD0, WINXP
++ [COMPUTED] => Array
++ (
++ [html] => width="1" height="1"
++ [Height] => 1
++ [Width] => 1
++ [IsColor] => 1
++ [ByteOrderMotorola] => 1
++ )
++
++ [XResolution] => 96/1
++ [YResolution] => 96/1
++ [ResolutionUnit] => 2
++ [Author] =>
++)
diff --git a/php.spec b/php.spec
index 5064004..7929418 100644
--- a/php.spec
+++ b/php.spec
@@ -112,7 +112,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
 %define magic_mime /usr/share/misc/magic.mime
 %endif
-%define rel 9
+%define rel 10
 %define orgname php
 %define ver_suffix 52
 %define php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -217,6 +217,7 @@ Patch72: exif-crash-bug-36.patch
 Patch73: CVE-2013-6420.patch
 Patch74: CVE-2013-4073.patch
 Patch75: php-secbug-67498.patch
+Patch76: CVE-2015-0232.patch
 # CENTALT patches
 # Backport from 5.3.6
 Patch311: php-5.3.6-bug-47435.patch
@@ -1937,6 +1938,7 @@ done
 %patch73 -p1
 %patch74 -p1
 %patch75 -p1
+%patch76 -p1
 # Bugfix backport from 5.3.6
 %patch311 -p1 -b .bug-47435
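Review bot: The regression test carried in this patch as `ext/exif/tests/bug68799.phpt` does not match the "Adjusted for PHP 5.2.17" header: it calls `gc_collect_cycles()` and builds the fixture path from `__DIR__`, and both exist only from PHP 5.3 on, so on this tree the test cannot exercise the `xp_field->value = NULL;` initialisation added to `exif_process_unicode`. For the 5.2 backport the read should be `print_r(exif_read_data(dirname(__FILE__).'/bug68799.jpg'));`, with the `gc_collect_cycles()` calls dropped or guarded by `function_exists('gc_collect_cycles')`. The fixture itself arrives only as the line `Binary files /dev/null and b/ext/exif/tests/bug68799.jpg differ`, which carries no image data for `%patch76 -p1` to create, so the JPEG would need to be shipped as a separate source if the test is meant to run. The body of `exif_process_unicode` continues past the nested hunk, so this page does not show which paths return before `value` is assigned.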