-rw-r--r-- | .SRCINFO | 234 | ||||
-rw-r--r-- | CVE-2014-3587.patch | 18 | ||||
-rw-r--r-- | CVE-2014-3597.patch | 266 | ||||
-rw-r--r-- | CVE-2014-3668.patch | 117 | ||||
-rw-r--r-- | CVE-2014-3669.patch | 56 | ||||
-rw-r--r-- | CVE-2014-3670.patch | 40 | ||||
-rw-r--r-- | CVE-2014-8142.patch | 70 | ||||
-rw-r--r-- | CVE-2014-9705.patch | 46 | ||||
-rw-r--r-- | CVE-2015-0231.patch | 70 | ||||
-rw-r--r-- | CVE-2015-0273.patch | 182 | ||||
-rw-r--r-- | CVE-2015-2301.patch | 24 | ||||
-rw-r--r-- | CVE-2015-2305.patch | 35 | ||||
-rw-r--r-- | CVE-2015-2783.patch | 180 | ||||
-rw-r--r-- | CVE-2015-2787.patch | 29 | ||||
-rw-r--r-- | CVE-2015-3329.patch | 35 | ||||
-rw-r--r-- | CVE-2015-3330.patch | 22 | ||||
-rw-r--r-- | PKGBUILD | 465 | ||||
-rw-r--r-- | apache.conf | 13 | ||||
-rw-r--r-- | curl_embedded_null.patch | 43 | ||||
-rw-r--r-- | freetype-path.patch | 13 | ||||
-rw-r--r-- | logrotate.d.php-fpm | 6 | ||||
-rw-r--r-- | php-fpm.conf.in.patch | 52 | ||||
-rw-r--r-- | php.ini.patch | 125 | ||||
-rw-r--r-- | suhosin.patch | 13 |
24 files changed, 2154 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..191661967766
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,234 @@ +pkgbase = php53 + pkgdesc = An HTML-embedded scripting language - Legacy 5.3 version + pkgver = 5.3.29 + pkgrel = 4 + url = http://www.php.net + arch = i686 + arch = x86_64 + license = PHP + makedepends = apache + makedepends = c-client + makedepends = postgresql-libs + makedepends = libldap + makedepends = postfix + makedepends = sqlite + makedepends = unixodbc + makedepends = net-snmp + makedepends = libzip + makedepends = enchant + makedepends = file + makedepends = freetds + makedepends = libmcrypt + makedepends = tidyhtml + makedepends = aspell + makedepends = libltdl + makedepends = libpng + makedepends = libjpeg + makedepends = icu + makedepends = curl + makedepends = libxslt + makedepends = openssl + makedepends = bzip2 + makedepends = db + makedepends = gmp + makedepends = freetype2 + makedepends = sed + source = http://www.php.net/distributions/php-5.3.29.tar.bz2 + source = http://download.suhosin.org/suhosin-patch-5.3.9-0.9.10.patch.gz + source = php.ini.patch + source = apache.conf + source = php-fpm.conf.in.patch + source = logrotate.d.php-fpm + source = suhosin.patch + source = freetype-path.patch + source = CVE-2014-3587.patch + source = CVE-2014-3597.patch + source = CVE-2014-3668.patch + source = CVE-2014-3669.patch + source = CVE-2014-3670.patch + source = curl_embedded_null.patch + source = CVE-2014-8142.patch + source = CVE-2015-0231.patch + source = CVE-2014-9705.patch + source = CVE-2015-0273.patch + source = CVE-2015-2301.patch + source = CVE-2015-2305.patch + source = CVE-2015-2783.patch + source = CVE-2015-2787.patch + source = CVE-2015-3330.patch + source = CVE-2015-3329.patch + sha1sums = 6e9e492c6d5853d063ddb9a4dbef60b8e5d87444 + sha1sums = 7b9ef5c3e0831154df0d6290aba0989ca90138ed + sha1sums = 462927954b4074487b46722b0442185100def240 + sha1sums = 82776db01f70b9186ba455de22eb06fe193f1d30 + sha1sums = ea9a9101b9678a8461d9dddfc0df2a4412a4cb5d + sha1sums = b6a661523535a8e7e60d4a0c054d8f6066edf63e + sha1sums = 
4d9fea0b7ab856c59ddbf722fe6c95b8e479af9b + sha1sums = 8f19ee0e351aa2cdc9b110db4e33b4c8f6131b12 + sha1sums = b5caa85fd1b76a3ece056ab5441852330989640b + sha1sums = 9f2aa7c2514cb66204f9f5c3dc5f8ebdda238c78 + sha1sums = 4672c18ece397b2f99ad0c992f61220e210b2dc1 + sha1sums = 454e96af5cab1f649fceca61c0afb46ae73179f5 + sha1sums = 2f368143bcdaae4659a65103ffdeb71cac12c5cf + sha1sums = ede78d11b7d4d6c304253bfd358607e160a3918a + sha1sums = e97ea93d37ffbf6c3025281202d2e807facb4e7e + sha1sums = 0ab48f282d62058318d08c44607aac89912f78d6 + sha1sums = b535103d79ba9791c22a841d5d72497dec3dd93d + sha1sums = 7cb38769807eb7d35ff7f3eaf1cce408d8ad2676 + sha1sums = 066fe3a84e1aabaf45afe26470cd769b9e3ab79a + sha1sums = 4968abe76ab18c15f85111b3e78dba0059f948ce + sha1sums = 18e3f12ad04adf4cc59aa5862628ab0d032c76ef + sha1sums = 4d9551ec6c2462cde45d0e556edf6d9e792c15b4 + sha1sums = 248dc92602721c193f3906f3eb7d98cd5499ba40 + sha1sums = 40fc97494110e9b312ea0f5bade8aa0b7043f40e + +pkgname = php53 + pkgdesc = An HTML-embedded scripting language - Legacy 5.3 version + depends = pcre + depends = libxml2 + depends = bzip2 + depends = curl + provides = php + provides = php-fileinfo + provides = php-gmp + provides = php-curl + conflicts = php + conflicts = php-fileinfo + conflicts = php-gmp + conflicts = php-curl + backup = etc/php/php.ini + +pkgname = php53-cgi + pkgdesc = CGI and FCGI SAPI for PHP + depends = php53 + provides = php-cgi + conflicts = php-cgi + +pkgname = php53-apache + pkgdesc = Apache SAPI for PHP + depends = php53 + depends = apache + provides = php-apache + conflicts = php-apache + backup = etc/httpd/conf/extra/php5_module.conf + +pkgname = php53-fpm + pkgdesc = FastCGI Process Manager for PHP + depends = php53 + provides = php-fpm + conflicts = php-fpm + backup = etc/php/php-fpm.conf + +pkgname = php53-embed + pkgdesc = Embed SAPI for PHP + depends = php53 + provides = php-embed + conflicts = php-embed + +pkgname = php53-pear + pkgdesc = PHP Extension and Application Repository + 
depends = php53 + provides = php-pear + conflicts = php-pear + backup = etc/php/pear.conf + +pkgname = php53-enchant + pkgdesc = enchant module for PHP + depends = php53 + depends = enchant + provides = php-enchant + conflicts = php-enchant + +pkgname = php53-gd + pkgdesc = gd module for PHP + depends = php53 + depends = libpng + depends = libjpeg + depends = freetype2 + provides = php-gd + conflicts = php-gd + +pkgname = php53-imap + depends = php53 + depends = c-client + provides = php-imap + conflicts = php-imap + +pkgname = php53-intl + pkgdesc = intl module for PHP + depends = php53 + depends = icu + provides = php-intl + conflicts = php-intl + +pkgname = php53-ldap + pkgdesc = ldap module for PHP + depends = php53 + depends = libldap + provides = php-ldap + conflicts = php-ldap + +pkgname = php53-mcrypt + pkgdesc = mcrypt module for PHP + depends = php53 + depends = libmcrypt + depends = libltdl + provides = php-mcrypt + conflicts = php-mcrypt + +pkgname = php53-mssql + pkgdesc = mssql module for PHP + depends = php53 + depends = freetds + provides = php-mssql + conflicts = php-mssql + +pkgname = php53-odbc + pkgdesc = ODBC modules for PHP + depends = php53 + depends = unixodbc + provides = php-odbc + conflicts = php-odbc + +pkgname = php53-pgsql + pkgdesc = PostgreSQL modules for PHP + depends = php53 + depends = postgresql-libs + provides = php-pgsql + conflicts = php-pgsql + +pkgname = php53-pspell + pkgdesc = pspell module for PHP + depends = php53 + depends = aspell + provides = php-aspell + conflicts = php-aspell + +pkgname = php53-snmp + pkgdesc = snmp module for PHP + depends = php53 + depends = net-snmp + provides = php-snmp + conflicts = php-snmp + +pkgname = php53-sqlite + pkgdesc = sqlite module for PHP + depends = php53 + depends = sqlite + provides = php-sqlite + conflicts = php-sqlite + +pkgname = php53-tidy + pkgdesc = tidy module for PHP + depends = php53 + depends = tidyhtml + provides = php-tidy + conflicts = php-tidy + +pkgname = php53-xsl 
+ pkgdesc = xsl module for PHP + depends = php53 + depends = libxslt + provides = php-xsl + conflicts = php-xsl + diff --git a/CVE-2014-3587.patch b/CVE-2014-3587.patch new file mode 100644 index 000000000000..ae21e3904887 --- /dev/null +++ b/CVE-2014-3587.patch @@ -0,0 +1,18 @@ +From 7ba1409a1aee5925180de546057ddd84ff267947 Mon Sep 17 00:00:00 2001 +From: Remi Collet <rcollet@redhat.com> +Date: Thu, 14 Aug 2014 17:19:03 -0700 +Subject: [PATCH] Fix bug #67716 - Segfault in cdf.c + +Index: b/ext/fileinfo/libmagic/cdf.c +=================================================================== +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -759,7 +759,7 @@ + for (i = 0; i < sh.sh_properties; i++) { + q = (const uint32_t *)((const char *)p + + CDF_TOLE4(p[(i << 1) + 1])) - 2; +- if (q > e) { ++ if (q < p || q > e) { + DPRINTF(("Ran of the end %p > %p\n", q, e)); + goto out; + } diff --git a/CVE-2014-3597.patch b/CVE-2014-3597.patch new file mode 100644 index 000000000000..08ab95c2c56e --- /dev/null +++ b/CVE-2014-3597.patch 
@@ -0,0 +1,266 @@ +Origin: https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05 +From: Remi Collet +Subject: Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597 + +--- + ext/standard/dns.c | 84 +++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 60 insertions(+), 24 deletions(-) + +Index: b/ext/standard/dns.c +=================================================================== +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -412,8 +412,14 @@ + + #if HAVE_FULL_DNS_FUNCS + ++#define CHECKCP(n) do { \ ++ if (cp + n > end) { \ ++ return NULL; \ ++ } \ ++} while (0) ++ + /* {{{ php_parserr */ +-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray) ++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray) + { + u_short type, class, dlen; + u_long ttl; +@@ -425,16 +431,18 @@ + + *subarray = NULL; + +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); + if (n < 0) { + return NULL; + } + cp += n; + ++ CHECKCP(10); + GETSHORT(type, cp); + GETSHORT(class, cp); + GETLONG(ttl, cp); + GETSHORT(dlen, cp); ++ CHECKCP(dlen); + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -451,12 +459,14 @@ + add_assoc_string(*subarray, "host", name, 1); + switch (type) { + case DNS_T_A: ++ CHECKCP(4); + add_assoc_string(*subarray, "type", "A", 1); + snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); + add_assoc_string(*subarray, "ip", name, 1); + cp += dlen; + break; + case DNS_T_MX: ++ CHECKCP(2); + add_assoc_string(*subarray, "type", "MX", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -475,7 +485,7 @@ + if (type == DNS_T_PTR) { + add_assoc_string(*subarray, "type", "PTR", 1); + } +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 
2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -485,18 +495,22 @@ + case DNS_T_HINFO: + /* See RFC 1010 for values */ + add_assoc_string(*subarray, "type", "HINFO", 1); ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1); + cp += n; ++ CHECKCP(1); + n = *cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(*subarray, "os", (char*)cp, n, 1); + cp += n; + break; + case DNS_T_TXT: + { +- int ll = 0; ++ int l1 = 0, l2 = 0; + zval *entries = NULL; + + add_assoc_string(*subarray, "type", "TXT", 1); +@@ -505,37 +519,41 @@ + MAKE_STD_ZVAL(entries); + array_init(entries); + +- while (ll < dlen) { +- n = cp[ll]; +- if ((ll + n) >= dlen) { ++ while (l1 < dlen) { ++ n = cp[l1]; ++ if ((l1 + n) >= dlen) { + // Invalid chunk length, truncate +- n = dlen - (ll + 1); ++ n = dlen - (l1 + 1); ++ } ++ if (n) { ++ memcpy(tp + l2 , cp + l1 + 1, n); ++ add_next_index_stringl(entries, cp + l1 + 1, n, 1); + } +- memcpy(tp + ll , cp + ll + 1, n); +- add_next_index_stringl(entries, cp + ll + 1, n, 1); +- ll = ll + n + 1; ++ l1 = l1 + n + 1; ++ l2 = l2 + n; + } +- tp[dlen] = '\0'; ++ tp[l2] = '\0'; + cp += dlen; + +- add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0); ++ add_assoc_stringl(*subarray, "txt", tp, l2, 0); + add_assoc_zval(*subarray, "entries", entries); + } + break; + case DNS_T_SOA: + add_assoc_string(*subarray, "type", "SOA", 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "mname", name, 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(*subarray, "rname", name, 1); ++ CHECKCP(5*4); + GETLONG(n, cp); + add_assoc_long(*subarray, 
"serial", n); + GETLONG(n, cp); +@@ -549,6 +567,7 @@ + break; + case DNS_T_AAAA: + tp = (u_char*)name; ++ CHECKCP(8*2); + for(i=0; i < 8; i++) { + GETSHORT(s, cp); + if (s != 0) { +@@ -583,6 +602,7 @@ + case DNS_T_A6: + p = cp; + add_assoc_string(*subarray, "type", "A6", 1); ++ CHECKCP(1); + n = ((int)cp[0]) & 0xFF; + cp++; + add_assoc_long(*subarray, "masklen", n); +@@ -618,6 +638,7 @@ + cp++; + } + for (i = (n + 8) / 16; i < 8; i++) { ++ CHECKCP(2); + GETSHORT(s, cp); + if (s != 0) { + if (tp > (u_char *)name) { +@@ -647,7 +668,7 @@ + tp[0] = '\0'; + add_assoc_string(*subarray, "ipv6", name, 1); + if (cp < p + dlen) { +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -656,6 +677,7 @@ + } + break; + case DNS_T_SRV: ++ CHECKCP(3*2); + add_assoc_string(*subarray, "type", "SRV", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pri", n); +@@ -663,7 +685,7 @@ + add_assoc_long(*subarray, "weight", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "port", n); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -671,21 +693,35 @@ + add_assoc_string(*subarray, "target", name, 1); + break; + case DNS_T_NAPTR: ++ CHECKCP(2*2); + add_assoc_string(*subarray, "type", "NAPTR", 1); + GETSHORT(n, cp); + add_assoc_long(*subarray, "order", n); + GETSHORT(n, cp); + add_assoc_long(*subarray, "pref", n); ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 0xFF); +- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1); + cp += n; ++ ++ CHECKCP(1); + n = (cp[0] & 
0xFF); +- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1); ++ cp++; ++ CHECKCP(n); ++ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1); + cp += n; +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -852,7 +888,7 @@ + while (an-- && cp && cp < end) { + zval *retval; + +- cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval); ++ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval); + if (retval != NULL && store_results) { + add_next_index_zval(return_value, retval); + } +@@ -865,7 +901,7 @@ + while (ns-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval); + if (retval != NULL) { + add_next_index_zval(authns, retval); + } +@@ -877,7 +913,7 @@ + while (ar-- > 0 && cp && cp < end) { + zval *retval = NULL; + +- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval); ++ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval); + if (retval != NULL) { + add_next_index_zval(addtl, retval); + } diff --git a/CVE-2014-3668.patch b/CVE-2014-3668.patch new file mode 100644 index 000000000000..c2f622fcd8ee --- /dev/null +++ b/CVE-2014-3668.patch 
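Review bot: The `CHECKCP` macro added at the top of the ext/standard/dns.c patch tests `cp + n > end`, which forms the possibly out-of-range pointer before comparing it and leaves the argument `n` unparenthesised. With `CHECKCP(dlen)` taking a 16-bit length from the response, a buffer close to the top of the address space could in principle wrap and pass the check; CVE-2014-3669.patch in this same commit rewrites the equivalent unserialize comparison as a subtraction. I would write the test as `if ((n) > end - cp) { return NULL; }`, which presumably holds because the callers in the last three hunks only enter with `cp < end`. The body of php_parserr starts and ends outside these hunks, so whether `cp <= end` holds at every call site inside it needs confirming against the full file.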
@@ -0,0 +1,117 @@ +From 44035de79f5b9646064d9bdd0329a946b0c5372a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 28 Sep 2014 17:33:44 -0700 +Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib + +--- + ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++----- + ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 52 insertions(+), 5 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug68027.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c +index ce70c2a..b766a54 100644 +--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c ++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c +@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_mon = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+4]) + tm.tm_mon += (text[i+4]-'0')*n; + n /= 10; + } + tm.tm_mon --; ++ if(tm.tm_mon < 0 || tm.tm_mon > 11) { ++ return -1; ++ } + + n = 10; + tm.tm_mday = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+6]) + tm.tm_mday += (text[i+6]-'0')*n; + n /= 10; + } +@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_hour = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+9]) + tm.tm_hour += (text[i+9]-'0')*n; + n /= 10; + } +@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_min = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+12]) + tm.tm_min += (text[i+12]-'0')*n; + n /= 10; + } +@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_sec = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+15]) + tm.tm_sec += (text[i+15]-'0')*n; + n /= 10; + } +diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt +new 
file mode 100644 +index 0000000..a5c96f1 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug68027.phpt +@@ -0,0 +1,44 @@ ++--TEST-- ++Bug #68027 (buffer overflow in mkgmtime() function) ++--SKIPIF-- ++<?php ++if (!extension_loaded("xmlrpc")) print "skip"; ++?> ++--FILE-- ++<?php ++ ++$d = '6-01-01 20:00:00'; ++xmlrpc_set_type($d, 'datetime'); ++var_dump($d); ++$datetime = "2001-0-08T21:46:40-0400"; ++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); ++print_r($obj); ++ ++$datetime = "34770-0-08T21:46:40-0400"; ++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); ++print_r($obj); ++ ++echo "Done\n"; ++?> ++--EXPECTF-- ++object(stdClass)#1 (3) { ++ ["scalar"]=> ++ string(16) "6-01-01 20:00:00" ++ ["xmlrpc_type"]=> ++ string(8) "datetime" ++ ["timestamp"]=> ++ int(%d) ++} ++stdClass Object ++( ++ [scalar] => 2001-0-08T21:46:40-0400 ++ [xmlrpc_type] => datetime ++ [timestamp] => %s ++) ++stdClass Object ++( ++ [scalar] => 34770-0-08T21:46:40-0400 ++ [xmlrpc_type] => datetime ++ [timestamp] => %d ++) ++Done +-- +2.1.0 + diff --git a/CVE-2014-3669.patch b/CVE-2014-3669.patch new file mode 100644 index 000000000000..5266f37dbcd8 --- /dev/null +++ b/CVE-2014-3669.patch 
@@ -0,0 +1,56 @@ +From 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 28 Sep 2014 14:19:31 -0700 +Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits + only) + +--- + ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++ + ext/standard/var_unserializer.c | 4 ++-- + ext/standard/var_unserializer.re | 2 +- + 3 files changed, 15 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug68044.phpt + +Index: php5-5.3.10/ext/standard/tests/serialize/bug68044.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/standard/tests/serialize/bug68044.phpt 2014-10-28 10:47:49.392858855 -0400 +@@ -0,0 +1,12 @@ ++--TEST-- ++Bug #68044 Integer overflow in unserialize() (32-bits only) ++--FILE-- ++<?php ++ echo unserialize('C:3:"XYZ":18446744075857035259:{}'); ++?> ++===DONE== ++--EXPECTF-- ++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 ++ ++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 ++===DONE== +Index: php5-5.3.10/ext/standard/var_unserializer.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2014-10-28 10:47:49.392858855 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.c 2014-10-28 10:47:49.392858855 -0400 +@@ -333,7 +333,7 @@ + + (*p) += 2; + +- if (datalen < 0 || (*p) + datalen >= max) { ++ if (datalen < 0 || (max - (*p)) <= datalen) { + zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); + return 0; + } +Index: php5-5.3.10/ext/standard/var_unserializer.re +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2014-10-28 10:47:49.392858855 -0400 ++++ 
php5-5.3.10/ext/standard/var_unserializer.re 2014-10-28 10:47:49.392858855 -0400 +@@ -339,7 +339,7 @@ + + (*p) += 2; + +- if (datalen < 0 || (*p) + datalen >= max) { ++ if (datalen < 0 || (max - (*p)) <= datalen) { + zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); + return 0; + } diff --git a/CVE-2014-3670.patch b/CVE-2014-3670.patch new file mode 100644 index 000000000000..bdba3b0ddd12 --- /dev/null +++ b/CVE-2014-3670.patch @@ -0,0 +1,40 @@ +From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 28 Sep 2014 16:57:42 -0700 +Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail()) + +--- + create mode 100755 ext/exif/tests/bug68113.jpg + create mode 100644 ext/exif/tests/bug68113.phpt + +From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 28 Sep 2014 16:57:42 -0700 +Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail()) + +--- + ext/exif/exif.c | 4 ++-- + ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes + ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++ + 3 files changed, 19 insertions(+), 2 deletions(-) + create mode 100755 ext/exif/tests/bug68113.jpg + create mode 100644 ext/exif/tests/bug68113.phpt + +Index: php5-5.3.10/ext/exif/exif.c +=================================================================== +--- php5-5.3.10.orig/ext/exif/exif.c 2014-10-28 10:48:06.317008432 -0400 ++++ php5-5.3.10/ext/exif/exif.c 2014-10-28 10:48:06.317008432 -0400 +@@ -2446,11 +2446,11 @@ + data_ptr += 8; + break; + case TAG_FMT_SINGLE: +- memmove(data_ptr, &info_data->value.f, byte_count); ++ memmove(data_ptr, &info_value->f, 4); + data_ptr += 4; + break; + case TAG_FMT_DOUBLE: +- memmove(data_ptr, &info_data->value.d, byte_count); ++ memmove(data_ptr, &info_value->d, 8); + data_ptr += 8; + break; + } 
diff --git a/CVE-2014-8142.patch b/CVE-2014-8142.patch
new file mode 100644
index 000000000000..c4ebeb55b69c
--- /dev/null
+++ b/CVE-2014-8142.patch
@@ -0,0 +1,70 @@ +From 630f9c33c23639de85c3fd306b209b538b73b4c9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Thu, 11 Dec 2014 19:28:32 -0800 +Subject: [PATCH] Fix bug #68594 - Use after free vulnerability in + unserialize() + +--- + NEWS | 2 + + ext/standard/tests/serialize/bug68594.phpt | 23 ++++++++++ + ext/standard/var_unserializer.c | 68 ++++++++++++++++-------------- + ext/standard/var_unserializer.re | 3 ++ + 4 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug68594.phpt + +Index: php5-5.3.10/ext/standard/tests/serialize/bug68594.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/standard/tests/serialize/bug68594.phpt 2015-02-13 11:27:34.753347966 -0500 +@@ -0,0 +1,23 @@ ++--TEST-- ++Bug #68545 Use after free vulnerability in unserialize() ++--FILE-- ++<?php ++for ($i=4; $i<100; $i++) { ++ $m = new StdClass(); ++ ++ $u = array(1); ++ ++ $m->aaa = array(1,2,&$u,4,5); ++ $m->bbb = 1; ++ $m->ccc = &$u; ++ $m->ddd = str_repeat("A", $i); ++ ++ $z = serialize($m); ++ $z = str_replace("bbb", "aaa", $z); ++ $y = unserialize($z); ++ $z = serialize($y); ++} ++?> ++===DONE=== ++--EXPECTF-- ++===DONE=== +Index: php5-5.3.10/ext/standard/var_unserializer.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2015-02-13 11:27:34.793348294 -0500 ++++ php5-5.3.10/ext/standard/var_unserializer.c 2015-02-13 11:27:34.753347966 -0500 +@@ -298,6 +298,9 @@ + } else { + /* object properties should include no integers */ + convert_to_string(key); ++ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ var_push_dtor(var_hash, old_data); ++ } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } +Index: php5-5.3.10/ext/standard/var_unserializer.re 
+=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2015-02-13 11:27:34.793348294 -0500 ++++ php5-5.3.10/ext/standard/var_unserializer.re 2015-02-13 11:27:34.753347966 -0500 +@@ -304,6 +304,9 @@ + } else { + /* object properties should include no integers */ + convert_to_string(key); ++ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ var_push_dtor(var_hash, old_data); ++ } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } diff --git a/CVE-2014-9705.patch b/CVE-2014-9705.patch new file mode 100644 index 000000000000..12f834b8c2da --- /dev/null +++ b/CVE-2014-9705.patch 
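Review bot: The `zend_symtable_find()` lookup added before `zend_hash_update()` in both var_unserializer.c and var_unserializer.re of CVE-2014-8142.patch does not close the use-after-free by itself. CVE-2015-0231.patch in this commit replaces exactly this line with `zend_hash_find()`, and its test is titled as bypassing the CVE-2014-8142 fix. The two patches therefore form a stack, and the second will not apply unless this one has been applied first. The order of the patch calls lives in the PKGBUILD, which is outside this part of the diff, so I would record the dependency in this file's header, e.g. `Follow-up: CVE-2015-0231.patch (must be applied after this patch)`. The enclosing function is not visible in the hunk.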
@@ -0,0 +1,46 @@ +From bdfe457a2c1b47209e32783b3a6447e81baf179a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 16 Feb 2015 06:50:10 +0100 +Subject: [PATCH] Port for for bug #68552 + +--- + NEWS | 6 ++++++ + ext/enchant/enchant.c | 7 +++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +Index: php5-5.3.10/ext/enchant/enchant.c +=================================================================== +--- php5-5.3.10.orig/ext/enchant/enchant.c 2015-03-16 13:42:36.063819735 -0400 ++++ php5-5.3.10/ext/enchant/enchant.c 2015-03-16 13:42:36.059819705 -0400 +@@ -545,13 +545,12 @@ + + d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag); + if (d) { ++ pos = pbroker->dictcnt++; + if (pbroker->dictcnt) { + pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); +- pos = pbroker->dictcnt++; + } else { + pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); + pos = 0; +- pbroker->dictcnt++; + } + + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); +@@ -606,14 +605,14 @@ + + d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl); + if (d) { ++ pos = pbroker->dictcnt++; + if (pbroker->dictcnt) { +- pos = pbroker->dictcnt++; + pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); + } else { + pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); + pos = 0; +- pbroker->dictcnt++; + } ++ + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); + dict->id = pos; + dict->pbroker = pbroker; diff --git a/CVE-2015-0231.patch b/CVE-2015-0231.patch new file mode 100644 index 000000000000..99b15d19e3ec --- /dev/null +++ b/CVE-2015-0231.patch 
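Review bot: In both hunks of the ext/enchant/enchant.c patch, `pos = pbroker->dictcnt++;` now runs before `if (pbroker->dictcnt)`, so the condition is true on every call short of counter wrap-around and the `else` branch with `emalloc()` and `pos = 0` is dead code. The first dictionary is then allocated through `erealloc(pbroker->dict, ...)`, which presumably relies on `pbroker->dict` being NULL in a fresh broker; that initialisation is outside the hunk and worth confirming. Testing the saved index instead, `if (pos) {`, would keep both branches meaningful, or the `else` could simply be dropped. Both enclosing functions start and end outside the hunks.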
@@ -0,0 +1,70 @@ +From b585a3aed7880a5fa5c18e2b838fc96f40e075bd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Thu, 1 Jan 2015 16:19:05 -0800 +Subject: [PATCH] Fix for bug #68710 (Use After Free Vulnerability in PHP's + unserialize()) + +--- + NEWS | 4 ++++ + ext/standard/tests/strings/bug68710.phpt | 25 +++++++++++++++++++++++++ + ext/standard/var_unserializer.c | 4 ++-- + ext/standard/var_unserializer.re | 2 +- + 4 files changed, 32 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/strings/bug68710.phpt + +Index: php5-5.3.10/ext/standard/tests/strings/bug68710.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/standard/tests/strings/bug68710.phpt 2015-02-13 11:36:32.969760122 -0500 +@@ -0,0 +1,25 @@ ++--TEST-- ++Bug #68710 Use after free vulnerability in unserialize() (bypassing the ++CVE-2014-8142 fix) ++--FILE-- ++<?php ++for ($i=4; $i<100; $i++) { ++ $m = new StdClass(); ++ ++ $u = array(1); ++ ++ $m->aaa = array(1,2,&$u,4,5); ++ $m->bbb = 1; ++ $m->ccc = &$u; ++ $m->ddd = str_repeat("A", $i); ++ ++ $z = serialize($m); ++ $z = str_replace("aaa", "123", $z); ++ $z = str_replace("bbb", "123", $z); ++ $y = unserialize($z); ++ $z = serialize($y); ++} ++?> ++===DONE=== ++--EXPECTF-- ++===DONE=== +Index: php5-5.3.10/ext/standard/var_unserializer.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2015-02-13 11:36:33.009760449 -0500 ++++ php5-5.3.10/ext/standard/var_unserializer.c 2015-02-13 11:36:32.969760122 -0500 +@@ -298,7 +298,7 @@ + } else { + /* object properties should include no integers */ + convert_to_string(key); +- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } 
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, +Index: php5-5.3.10/ext/standard/var_unserializer.re +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2015-02-13 11:36:33.009760449 -0500 ++++ php5-5.3.10/ext/standard/var_unserializer.re 2015-02-13 11:36:32.969760122 -0500 +@@ -304,7 +304,7 @@ + } else { + /* object properties should include no integers */ + convert_to_string(key); +- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { ++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, diff --git a/CVE-2015-0273.patch b/CVE-2015-0273.patch new file mode 100644 index 000000000000..cd4768be2c53 --- /dev/null +++ b/CVE-2015-0273.patch 
@@ -0,0 +1,182 @@ +Backport of: + +From 7b1898183032eeabc64a086ff040af991cebcd93 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 31 Jan 2015 22:40:08 -0800 +Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize() + with DateTimeZone) + +and: + +From 8d199c7c4f93ebe5b9293096143d7007a6ad13a4 Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Tue, 19 Mar 2013 21:19:55 +0100 +Subject: [PATCH] Backported fix for bug #62852 + +Index: php5-5.3.10/ext/date/php_date.c +=================================================================== +--- php5-5.3.10.orig/ext/date/php_date.c 2015-03-16 16:51:20.694390712 -0400 ++++ php5-5.3.10/ext/date/php_date.c 2015-03-16 16:53:43.635562605 -0400 +@@ -2539,26 +2539,23 @@ + timelib_tzinfo *tzi; + php_timezone_obj *tzobj; + +- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { +- convert_to_string(*z_date); +- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { +- convert_to_long(*z_timezone_type); +- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { +- convert_to_string(*z_timezone); ++ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { ++ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { ++ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { + + switch (Z_LVAL_PP(z_timezone_type)) { + case TIMELIB_ZONETYPE_OFFSET: + case TIMELIB_ZONETYPE_ABBR: { + char *tmp = emalloc(Z_STRLEN_PP(z_date) + Z_STRLEN_PP(z_timezone) + 2); ++ int ret; + snprintf(tmp, Z_STRLEN_PP(z_date) + Z_STRLEN_PP(z_timezone) + 2, "%s %s", Z_STRVAL_PP(z_date), Z_STRVAL_PP(z_timezone)); +- php_date_initialize(*dateobj, tmp, Z_STRLEN_PP(z_date) + Z_STRLEN_PP(z_timezone) + 1, NULL, NULL, 0 TSRMLS_CC); ++ ret = php_date_initialize(*dateobj, tmp, 
Z_STRLEN_PP(z_date) + Z_STRLEN_PP(z_timezone) + 1, NULL, NULL, 0 TSRMLS_CC); + efree(tmp); +- return 1; ++ return 1 == ret; + } + +- case TIMELIB_ZONETYPE_ID: +- convert_to_string(*z_timezone); +- ++ case TIMELIB_ZONETYPE_ID: { ++ int ret; + tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); + + ALLOC_INIT_ZVAL(tmp_obj); +@@ -2567,9 +2564,10 @@ + tzobj->tzi.tz = tzi; + tzobj->initialized = 1; + +- php_date_initialize(*dateobj, Z_STRVAL_PP(z_date), Z_STRLEN_PP(z_date), NULL, tmp_obj, 0 TSRMLS_CC); ++ ret = php_date_initialize(*dateobj, Z_STRVAL_PP(z_date), Z_STRLEN_PP(z_date), NULL, tmp_obj, 0 TSRMLS_CC); + zval_ptr_dtor(&tmp_obj); +- return 1; ++ return 1 == ret; ++ } + } + } + } +@@ -2593,7 +2591,9 @@ + + php_date_instantiate(date_ce_date, return_value TSRMLS_CC); + dateobj = (php_date_obj *) zend_object_store_get_object(return_value TSRMLS_CC); +- php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC); ++ if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { ++ php_error(E_ERROR, "Invalid serialization data for DateTime object"); ++ } + } + /* }}} */ + +@@ -2609,7 +2609,9 @@ + + myht = Z_OBJPROP_P(object); + +- php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC); ++ if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { ++ php_error(E_ERROR, "Invalid serialization data for DateTime object"); ++ } + } + /* }}} */ + +Index: php5-5.3.10/ext/date/tests/bug68942_2.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/date/tests/bug68942_2.phpt 2015-03-16 16:51:20.690390678 -0400 +@@ -0,0 +1,9 @@ ++--TEST-- ++Bug #68942 (Use after free vulnerability in unserialize() with DateTime). 
++--FILE-- ++<?php ++$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}'); ++var_dump($data); ++?> ++--EXPECTF-- ++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d +Index: php5-5.3.10/ext/date/tests/bug62852.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/date/tests/bug62852.phpt 2015-03-16 16:55:12.372289384 -0400 +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #62852 (Unserialize invalid DateTime causes crash), variation 1 ++--INI-- ++date.timezone=GMT ++--FILE-- ++<?php ++$s1 = 'O:8:"DateTime":3:{s:4:"date";s:20:"10007-06-07 03:51:49";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}'; ++ ++try { ++ unserialize( $s1 ); ++} catch ( Exception $e ) {} ++ ++--EXPECTF-- ++Fatal error: Invalid serialization data for DateTime object in %sbug62852.php on line %d +Index: php5-5.3.10/ext/date/tests/bug62852_var2.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/date/tests/bug62852_var2.phpt 2015-03-16 16:52:15.814842786 -0400 +@@ -0,0 +1,25 @@ ++--TEST-- ++Bug #62852 (Unserialize invalid DateTime causes crash), variation 2 ++--INI-- ++date.timezone=GMT ++--FILE-- ++<?php ++$s2 = 'O:3:"Foo":3:{s:4:"date";s:20:"10007-06-07 03:51:49";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}'; ++ ++global $foo; ++ ++class Foo extends DateTime { ++ function __wakeup() { ++ global $foo; ++ $foo = $this; ++ parent::__wakeup(); ++ } ++} ++ ++try { ++ unserialize( $s2 ); ++} catch ( Exception $e ) {} ++var_dump( $foo ); ++ ++--EXPECTF-- ++Fatal error: Invalid serialization data for DateTime object in %sbug62852_var2.php on line %d +Index: php5-5.3.10/ext/date/tests/bug62852_var3.phpt 
+=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/date/tests/bug62852_var3.phpt 2015-03-16 16:52:15.814842786 -0400 +@@ -0,0 +1,25 @@ ++--TEST-- ++Bug #62852 (Unserialize invalid DateTime causes crash), variation 3 ++--INI-- ++date.timezone=GMT ++--FILE-- ++<?php ++$s2 = 'O:3:"Foo":3:{s:4:"date";s:19:"0000-00-00 00:00:00";s:13:"timezone_type";i:0;s:8:"timezone";s:3:"UTC";}'; ++ ++global $foo; ++ ++class Foo extends DateTime { ++ function __wakeup() { ++ global $foo; ++ $foo = $this; ++ parent::__wakeup(); ++ } ++} ++ ++try { ++ unserialize( $s2 ); ++} catch ( Exception $e ) {} ++var_dump( $foo ); ++ ++--EXPECTF-- ++Fatal error: Invalid serialization data for DateTime object in %sbug62852_var3.php on line %d diff --git a/CVE-2015-2301.patch b/CVE-2015-2301.patch new file mode 100644 index 000000000000..bdeceaa67b24 --- /dev/null +++ b/CVE-2015-2301.patch @@ -0,0 +1,24 @@ +From b2cf3f064b8f5efef89bb084521b61318c71781b Mon Sep 17 00:00:00 2001 +From: Xinchen Hui <laruence@php.net> +Date: Thu, 29 Jan 2015 00:00:09 +0800 +Subject: [PATCH] Fixed bug #68901 (use after free) + +--- + NEWS | 3 +++ + ext/phar/phar_object.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +Index: php5-5.3.10/ext/phar/phar_object.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar_object.c 2015-03-16 13:56:47.878348393 -0400 ++++ php5-5.3.10/ext/phar/phar_object.c 2015-03-16 13:56:47.826347993 -0400 +@@ -2320,8 +2320,8 @@ + } + its_ok: + if (SUCCESS == php_stream_stat_path(newpath, &ssb)) { +- efree(oldpath); + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath); ++ efree(oldpath); + return NULL; + } + if (!phar->is_data) { diff --git a/CVE-2015-2305.patch b/CVE-2015-2305.patch new file mode 100644 index 000000000000..e3309f408271 --- /dev/null 
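Review bot: In the `TIMELIB_ZONETYPE_ID` case of `php_date_initialize_from_hash` (CVE-2015-0273.patch), the result of `php_date_parse_tzfile()` is stored in `tzobj->tzi.tz` and `tzobj->initialized` is set to 1 with no NULL test visible in the hunk. A serialized `timezone` string that names no known zone may therefore leave the temporary timezone object marked initialized with a null tzinfo. Two lines between the inner hunks are not shown, so this needs confirming against the full file; if nothing there checks it, add `if (tzi == NULL) { return 0; }` right after the call so the caller's new "Invalid serialization data" error covers it. The added `Z_TYPE_PP` checks do not catch this case, because the value is a correctly typed string.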
+++ b/CVE-2015-2305.patch
@@ -0,0 +1,35 @@
+From fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 17:04:57 -0700
+Subject: [PATCH] Fix bug #69248 - heap overflow vulnerability in regcomp.c
+
+Merged from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
+---
+ NEWS | 3 +++
+ ext/ereg/regex/regcomp.c | 10 +++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/ext/ereg/regex/regcomp.c b/ext/ereg/regex/regcomp.c
+index 156eee9..f4bfc1c 100644
+--- a/ext/ereg/regex/regcomp.c
++++ b/ext/ereg/regex/regcomp.c
+@@ -117,7 +117,15 @@ int cflags;
+ (NC-1)*sizeof(cat_t));
+ if (g == NULL)
+ return(REG_ESPACE);
+- p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
++ {
++ /* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */
++ size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
++ if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) {
++ free((char *) g);
++ return REG_INVARG;
++ }
++ p->ssize = new_ssize;
++ }
+ p->strip = (sop *)malloc(p->ssize * sizeof(sop));
+ p->slen = 0;
+ if (p->strip == NULL) {
+--
+2.1.4
+
diff --git a/CVE-2015-2783.patch b/CVE-2015-2783.patch
new file mode 100644
index 000000000000..29ad5f707876
--- /dev/null
+++ b/CVE-2015-2783.patch
@@ -0,0 +1,180 @@ +Description: fix buffer overflow in unserialize when parsing Phar +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=9faaee66fa493372c7340b1ab05f8fd115131a42 +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=12d3bdee3dfa6605024a72080d8a17c165c5ed24 +Bug: https://bugs.php.net/bug.php?id=69324 + +Index: php5-5.3.10/ext/phar/phar.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar.c 2015-04-17 06:24:19.250127940 -0400 ++++ php5-5.3.10/ext/phar/phar.c 2015-04-17 06:24:19.246127904 -0400 +@@ -600,52 +600,41 @@ + * + * Meta-data is in this format: + * [len32][data...] +- * ++ * + * data is the serialized zval + */ +-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ + { +- const unsigned char *p; +- php_uint32 buf_len; + php_unserialize_data_t var_hash; + +- if (!zip_metadata_len) { +- PHAR_GET_32(*buffer, buf_len); +- } else { +- buf_len = zip_metadata_len; +- } +- +- if (buf_len) { ++ if (zip_metadata_len) { ++ const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len); ++ p = p_buff; + ALLOC_ZVAL(*metadata); + INIT_ZVAL(**metadata); +- p = (const unsigned char*) *buffer; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + +- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { ++ efree(p_buff); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_ptr_dtor(metadata); + *metadata = NULL; + return FAILURE; + } +- ++ efree(p_buff); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + + if (PHAR_G(persist)) { + /* lazy init metadata */ + zval_ptr_dtor(metadata); +- *metadata = (zval *) pemalloc(buf_len, 1); +- memcpy(*metadata, *buffer, buf_len); +- *buffer += buf_len; ++ *metadata = (zval *) pemalloc(zip_metadata_len, 1); ++ 
memcpy(*metadata, *buffer, zip_metadata_len); + return SUCCESS; + } + } else { + *metadata = NULL; + } + +- if (!zip_metadata_len) { +- *buffer += buf_len; +- } +- + return SUCCESS; + } + /* }}}*/ +@@ -655,7 +644,7 @@ + * + * Parse a new one and add it to the cache, returning either SUCCESS or + * FAILURE, and setting pphar to the pointer to the manifest entry +- * ++ * + * This is used by phar_open_from_filename to process the manifest, but can be called + * directly. + */ +@@ -666,6 +655,7 @@ + phar_entry_info entry; + php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; + php_uint16 manifest_ver; ++ php_uint32 len; + long offset; + int sig_len, register_alias = 0, temp_alias = 0; + char *signature = NULL; +@@ -1031,16 +1021,21 @@ + mydata->is_persistent = PHAR_G(persist); + + /* check whether we have meta data, zero check works regardless of byte order */ ++ PHAR_GET_32(buffer, len); + if (mydata->is_persistent) { +- PHAR_GET_32(buffer, mydata->metadata_len); +- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); +- } +- } else { +- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ mydata->metadata_len = len; ++ if(!len) { ++ /* FIXME: not sure why this is needed but removing it breaks tests */ ++ PHAR_GET_32(buffer, len); + } + } ++ if(len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); ++ } ++ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { ++ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ } ++ buffer += len; + + /* set up our manifest */ + zend_hash_init(&mydata->manifest, manifest_count, +@@ -1075,7 +1070,7 @@ + entry.manifest_pos = manifest_index; + } + +- if (buffer + 
entry.filename_len + 20 > endbuffer) { ++ if (entry.filename_len + 20 > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + +@@ -1111,19 +1106,20 @@ + entry.flags |= PHAR_ENT_PERM_DEF_DIR; + } + ++ PHAR_GET_32(buffer, len); + if (entry.is_persistent) { +- PHAR_GET_32(buffer, entry.metadata_len); +- if (!entry.metadata_len) buffer -= 4; +- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = len; + } else { +- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = 0; + } ++ if (len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); ++ } ++ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { ++ pefree(entry.filename, entry.is_persistent); ++ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); ++ } ++ buffer += len; + + entry.offset = entry.offset_abs = offset; + offset += entry.compressed_filesize; +@@ -2243,7 +2239,7 @@ + + /** + * Process a phar stream name, ensuring we can handle any of: +- * ++ * + * - whatever.phar + * - whatever.phar.gz + * - whatever.phar.bz2 +Index: php5-5.3.10/ext/phar/phar_internal.h +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar_internal.h 2015-04-17 06:24:19.250127940 -0400 ++++ php5-5.3.10/ext/phar/phar_internal.h 2015-04-17 06:24:19.250127940 -0400 +@@ -654,7 +654,7 @@ + char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); + char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); + phar_entry_info * 
phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC); +-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC); ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); + void destroy_phar_manifest_entry(void *pDest); + int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); + php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); diff --git a/CVE-2015-2787.patch b/CVE-2015-2787.patch new file mode 100644 index 000000000000..141c56a879b1 --- /dev/null +++ b/CVE-2015-2787.patch @@ -0,0 +1,29 @@ +Description: fix arbitrary code exection via process_nested_data use-after-free +Origin: backport, https://github.com/php/php-src/commit/780222f97f47644a6a118ada86a269a96a1e8134 +Origin: backport, https://github.com/php/php-src/commit/d76b293ac71aa5bd4e9a433192afef6e0dd5a4ee +Bug: https://bugs.php.net/bug.php?id=68976 + +Index: php5-5.3.10/ext/standard/var_unserializer.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2015-04-17 06:24:38.154295164 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.c 2015-04-17 06:24:38.154295164 -0400 +@@ -304,6 +304,7 @@ + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } ++ var_push_dtor(var_hash, &data); + + zval_dtor(key); + FREE_ZVAL(key); +Index: php5-5.3.10/ext/standard/var_unserializer.re +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2015-04-17 06:24:38.154295164 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.re 2015-04-17 06:24:38.154295164 -0400 +@@ -310,6 +310,7 @@ + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } ++ var_push_dtor(var_hash, &data); + + zval_dtor(key); + FREE_ZVAL(key); 
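Review bot: The new bounds check in the manifest-entry loop of phar.c (CVE-2015-2783.patch), `if (len > endbuffer - buffer)` followed by `MAPPHAR_FAIL(... (truncated manifest entry))`, bails out without releasing `entry.filename`. The `phar_parse_metadata` failure branch directly below it calls `pefree(entry.filename, entry.is_persistent);` first. Unless `MAPPHAR_FAIL`, which is defined outside the hunk, frees it, a malformed archive leaks the filename on this path, and for persistent entries the allocation may outlive the request. Add `pefree(entry.filename, entry.is_persistent);` before the `MAPPHAR_FAIL` in that block. Both new length checks also compare a `php_uint32` with a pointer difference; writing `(size_t)(endbuffer - buffer)` would make the intended unsigned comparison explicit. The enclosing function extends beyond the hunk.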
diff --git a/CVE-2015-3329.patch b/CVE-2015-3329.patch
new file mode 100644
index 000000000000..b1660fc2b11f
--- /dev/null
+++ b/CVE-2015-3329.patch
@@ -0,0 +1,35 @@
+From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 14 Apr 2015 00:03:50 -0700
+Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
+ phar_set_inode)
+
+---
+ ext/phar/phar_internal.h | 9 ++++++---
+ ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
+ ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug69441.phar
+ create mode 100644 ext/phar/tests/bug69441.phpt
+
+Index: php5-5.3.10/ext/phar/phar_internal.h
+===================================================================
+--- php5-5.3.10.orig/ext/phar/phar_internal.h 2015-04-17 06:25:17.074639244 -0400
++++ php5-5.3.10/ext/phar/phar_internal.h 2015-04-17 06:25:17.070639210 -0400
+@@ -618,10 +618,13 @@
+ {
+ char tmp[MAXPATHLEN];
+ int tmp_len;
++ size_t len;
+
+- tmp_len = entry->filename_len + entry->phar->fname_len;
+- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
+- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
++ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
++ len = MIN(entry->phar->fname_len, tmp_len);
++ memcpy(tmp, entry->phar->fname, len);
++ len = MIN(tmp_len - len, entry->filename_len);
++ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
+ entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
+ }
+ /* }}} */
diff --git a/CVE-2015-3330.patch b/CVE-2015-3330.patch
new file mode 100644
index 000000000000..8ca82f13c410
--- /dev/null
+++ b/CVE-2015-3330.patch
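Review bot: In `phar_set_inode` (CVE-2015-3329.patch), the second `memcpy` still writes to `tmp + entry->phar->fname_len`, the unclamped length, even though the first copy was clamped to `len`. As written it appears not to overflow only because the second copy length becomes zero whenever `fname_len` reaches `tmp_len`, and that is easy to break in a later edit. Keeping the clamped prefix in its own variable makes the bound visible: `size_t prefix = MIN(entry->phar->fname_len, tmp_len);` then `memcpy(tmp + prefix, entry->filename, MIN(tmp_len - prefix, entry->filename_len));`. The patch header lists `bug69441.phar` and `bug69441.phpt`, but neither is part of this backport, so the regression test for the overflow is not carried along.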
@@ -0,0 +1,22 @@
+From 809610f5ea38a83b284e1125d1fff129bdd615e7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 4 Apr 2015 15:03:46 -0700
+Subject: [PATCH] Fix bug #68486 and bug #69218 (segfault in apache2handler
+ with apache 2.4)
+
+---
+ sapi/apache2handler/sapi_apache2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: php5-5.3.10/sapi/apache2handler/sapi_apache2.c
+===================================================================
+--- php5-5.3.10.orig/sapi/apache2handler/sapi_apache2.c 2015-04-17 06:25:08.218560975 -0400
++++ php5-5.3.10/sapi/apache2handler/sapi_apache2.c 2015-04-17 06:25:08.214560939 -0400
+@@ -708,6 +708,7 @@
+ } zend_end_try();
+ }
+ apr_brigade_cleanup(brigade);
++ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
+ } else {
+ ctx->r = parent_req;
+ }
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..731dc4feaaf7
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,465 @@ +# $Id$ +# Maintainer: Felix Yan <felixonmars@archlinux.org> +# Contributor: Pierre Schmitz <pierre@archlinux.de> + +pkgbase=php53 +pkgname=('php53' + 'php53-cgi' + 'php53-apache' + 'php53-fpm' + 'php53-embed' + 'php53-pear' + 'php53-enchant' + 'php53-gd' + 'php53-imap' + 'php53-intl' + 'php53-ldap' + 'php53-mcrypt' + 'php53-mssql' + 'php53-odbc' + 'php53-pgsql' + 'php53-pspell' + 'php53-snmp' + 'php53-sqlite' + 'php53-tidy' + 'php53-xsl') +pkgver=5.3.29 +_suhosinver=5.3.9-0.9.10 +pkgrel=4 +arch=('i686' 'x86_64') +license=('PHP') +url='http://www.php.net' +makedepends=('apache' 'c-client' 'postgresql-libs' 'libldap' 'postfix' + 'sqlite' 'unixodbc' 'net-snmp' 'libzip' 'enchant' 'file' 'freetds' + 'libmcrypt' 'tidyhtml' 'aspell' 'libltdl' 'libpng' 'libjpeg' 'icu' + 'curl' 'libxslt' 'openssl' 'bzip2' 'db' 'gmp' 'freetype2' 'sed') +source=("http://www.php.net/distributions/${pkgbase%53}-${pkgver}.tar.bz2" + "http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz" + php.ini.patch apache.conf php-fpm.conf.in.patch + logrotate.d.php-fpm suhosin.patch freetype-path.patch + CVE-2014-3587.patch CVE-2014-3597.patch CVE-2014-3668.patch + CVE-2014-3669.patch CVE-2014-3670.patch curl_embedded_null.patch + CVE-2014-8142.patch CVE-2015-0231.patch CVE-2014-9705.patch + CVE-2015-0273.patch CVE-2015-2301.patch CVE-2015-2305.patch + CVE-2015-2783.patch CVE-2015-2787.patch CVE-2015-3330.patch + CVE-2015-3329.patch) + +build() { + phpconfig="--srcdir=../${pkgbase%53}-${pkgver} \ + --prefix=/usr \ + --sysconfdir=/etc/php \ + --localstatedir=/var \ + --with-layout=GNU \ + --with-config-file-path=/etc/php \ + --with-config-file-scan-dir=/etc/php/conf.d \ + --enable-inline-optimization \ + --disable-debug \ + --disable-rpath \ + --disable-static \ + --enable-shared \ + --mandir=/usr/share/man \ + --without-pear \ + " + + phpextensions="--enable-bcmath=shared \ + --enable-calendar=shared \ + --enable-dba=shared \ + --enable-exif=shared \ + --enable-ftp=shared \ + 
--enable-gd-native-ttf \ + --enable-intl=shared \ + --enable-json=shared \ + --enable-mbregex \ + --enable-mbstring \ + --enable-pdo \ + --enable-phar=shared \ + --enable-posix=shared \ + --enable-session \ + --enable-shmop=shared \ + --enable-soap=shared \ + --enable-sockets=shared \ + --enable-sqlite-utf8 \ + --enable-sysvmsg=shared \ + --enable-sysvsem=shared \ + --enable-sysvshm=shared \ + --enable-xml \ + --enable-zip=shared \ + --with-bz2=shared \ + --with-curl=shared \ + --with-enchant=shared,/usr \ + --with-freetype-dir=shared,/usr \ + --with-gd=shared \ + --with-gdbm=shared \ + --with-gettext=shared \ + --with-gmp=shared \ + --with-iconv=shared \ + --with-icu-dir=/usr \ + --with-imap-ssl=shared,/usr \ + --with-imap=shared,/usr \ + --with-jpeg-dir=shared,/usr \ + --with-kerberos=/usr \ + --with-ldap=shared \ + --with-ldap-sasl \ + --with-mcrypt=shared \ + --with-mhash \ + --with-mssql=shared \ + --with-mysql-sock=/var/run/mysqld/mysqld.sock \ + --with-mysql=shared,mysqlnd \ + --with-mysqli=shared,mysqlnd \ + --with-openssl=shared \ + --with-pcre-regex=/usr \ + --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-odbc=shared,unixODBC,/usr \ + --with-pdo-pgsql=shared \ + --with-pdo-sqlite=shared,/usr \ + --with-pgsql=shared \ + --with-png-dir=shared,/usr \ + --with-pspell=shared \ + --with-regex=php \ + --with-snmp=shared \ + --with-sqlite3=shared,/usr \ + --with-sqlite=shared \ + --with-tidy=shared \ + --with-unixODBC=shared,/usr \ + --with-xmlrpc=shared \ + --with-xsl=shared \ + --with-zlib \ + --without-db2 \ + --without-db3 \ + " + + EXTENSION_DIR=/usr/lib/php/modules + export EXTENSION_DIR + PEAR_INSTALLDIR=/usr/share/pear + export PEAR_INSTALLDIR + + # -D_FORTIFY_SOURCE=2 will generate a warning, which will fail the configure script + unset CPPFLAGS + + msg "Fix the suhosin patch" + patch -l -i ${srcdir}/suhosin.patch + sed -i 's/1997-2004/1997-2014/g' ${srcdir}/suhosin-patch-${_suhosinver}.patch + sed -i 's/1997-2012/1997-2014/g' 
${srcdir}/suhosin-patch-${_suhosinver}.patch + + cd ${srcdir}/${pkgbase%53}-${pkgver} + + # TODO: some doesn't apply + msg "Applying security patches (from Ubuntu)" + # patch -p1 -i ../CVE-2014-3587.patch + # patch -p1 -i ../CVE-2014-3597.patch + patch -p1 -i ../CVE-2014-3668.patch + patch -p1 -i ../CVE-2014-3669.patch + patch -p1 -i ../CVE-2014-3670.patch + patch -p1 -i ../curl_embedded_null.patch + patch -p1 -i ../CVE-2014-8142.patch + patch -p1 -i ../CVE-2015-0231.patch + patch -p1 -i ../CVE-2014-9705.patch + # patch -p1 -i ../CVE-2015-0273.patch + patch -p1 -i ../CVE-2015-2301.patch + patch -p1 -i ../CVE-2015-2305.patch + patch -p1 -i ../CVE-2015-2783.patch + patch -p1 -i ../CVE-2015-2787.patch + patch -p1 -i ../CVE-2015-3330.patch + patch -p1 -i ../CVE-2015-3329.patch + + msg "Applying suhosin patch" + patch -F3 -p1 -i ${srcdir}/suhosin-patch-${_suhosinver}.patch + + msg "Adjust paths" + patch -p0 -i ${srcdir}/php.ini.patch + patch -p0 -i ${srcdir}/php-fpm.conf.in.patch + patch -p1 -i ${srcdir}/freetype-path.patch + + # To workaround c-client linking problem + export IMAP_SHARED_LIBADD="-lssl" + + # php + mkdir ${srcdir}/build-php + cd ${srcdir}/build-php + ln -s ../${pkgbase%53}-${pkgver}/configure + ./configure ${phpconfig} \ + --disable-cgi \ + --with-readline \ + --enable-pcntl \ + ${phpextensions} + make + + # cgi and fcgi + # reuse the previous run; this will save us a lot of time + cp -a ${srcdir}/build-php ${srcdir}/build-cgi + cd ${srcdir}/build-cgi + ./configure ${phpconfig} \ + --disable-cli \ + --enable-cgi \ + ${phpextensions} + make + + # apache + cp -a ${srcdir}/build-php ${srcdir}/build-apache + cd ${srcdir}/build-apache + ./configure ${phpconfig} \ + --disable-cli \ + --with-apxs2 \ + ${phpextensions} + make + + # fpm + cp -a ${srcdir}/build-php ${srcdir}/build-fpm + cd ${srcdir}/build-fpm + ./configure ${phpconfig} \ + --disable-cli \ + --enable-fpm \ + --with-fpm-user=http \ + --with-fpm-group=http \ + ${phpextensions} + make + + # embed + 
cp -a ${srcdir}/build-php ${srcdir}/build-embed + cd ${srcdir}/build-embed + ./configure ${phpconfig} \ + --disable-cli \ + --enable-embed=shared \ + ${phpextensions} + make + + # pear + cp -a ${srcdir}/build-php ${srcdir}/build-pear + cd ${srcdir}/build-pear + ./configure ${phpconfig} \ + --disable-cgi \ + --with-readline \ + --enable-pcntl \ + --with-pear \ + ${phpextensions} + make +} + +# check() { +# cd ${srcdir}/build-php +# make test +# } + +package_php53() { + pkgdesc='An HTML-embedded scripting language - Legacy 5.3 version' + depends=('pcre' 'libxml2' 'bzip2' 'curl') + provides=('php' 'php-fileinfo' 'php-gmp' 'php-curl') + conflicts=('php' 'php-fileinfo' 'php-gmp' 'php-curl') + backup=('etc/php/php.ini') + + cd ${srcdir}/build-php + make -j1 INSTALL_ROOT=${pkgdir} install + install -d -m755 ${pkgdir}/usr/share/pear + # install php.ini + install -D -m644 ${srcdir}/${pkgbase%53}-${pkgver}/php.ini-production ${pkgdir}/etc/php/php.ini + install -d -m755 ${pkgdir}/etc/php/conf.d/ + + # remove static modules + rm -f ${pkgdir}/usr/lib/php/modules/*.a + # remove modules provided by sub packages + rm -f ${pkgdir}/usr/lib/php/modules/{enchant,gd,imap,intl,ldap,mcrypt,mssql,odbc,pdo_odbc,pgsql,pdo_pgsql,pspell,snmp,sqlite3,pdo_sqlite,tidy,xsl}.so + # remove empty directory + rmdir ${pkgdir}/usr/include/php/include +} + +package_php53-cgi() { + pkgdesc='CGI and FCGI SAPI for PHP' + depends=('php53') + conflicts=('php-cgi') + provides=('php-cgi') + + install -D -m755 ${srcdir}/build-cgi/sapi/cgi/php-cgi ${pkgdir}/usr/bin/php-cgi +} + +package_php53-apache() { + pkgdesc='Apache SAPI for PHP' + depends=('php53' 'apache') + conflicts=('php-apache') + provides=('php-apache') + backup=('etc/httpd/conf/extra/php5_module.conf') + + install -D -m755 ${srcdir}/build-apache/libs/libphp5.so ${pkgdir}/usr/lib/httpd/modules/libphp5.so + install -D -m644 ${srcdir}/apache.conf ${pkgdir}/etc/httpd/conf/extra/php5_module.conf +} + +package_php53-fpm() { + pkgdesc='FastCGI Process 
Manager for PHP' + depends=('php53') + conflicts=('php-fpm') + provides=('php-fpm') + backup=('etc/php/php-fpm.conf') + + install -D -m755 ${srcdir}/build-fpm/sapi/fpm/php-fpm ${pkgdir}/usr/bin/php-fpm + install -D -m644 ${srcdir}/build-fpm/sapi/fpm/php-fpm.8 ${pkgdir}/usr/share/man/man8/php-fpm.8 + install -D -m644 ${srcdir}/build-fpm/sapi/fpm/php-fpm.conf ${pkgdir}/etc/php/php-fpm.conf + install -D -m644 ${srcdir}/logrotate.d.php-fpm ${pkgdir}/etc/logrotate.d/php-fpm + install -d -m755 ${pkgdir}/etc/php/fpm.d +} + +package_php53-embed() { + pkgdesc='Embed SAPI for PHP' + depends=('php53') + conflicts=('php-embed') + provides=('php-embed') + + install -D -m755 ${srcdir}/build-embed/libs/libphp5.so ${pkgdir}/usr/lib/libphp5.so + install -D -m644 ${srcdir}/${pkgbase%53}-${pkgver}/sapi/embed/php_embed.h ${pkgdir}/usr/include/php/sapi/embed/php_embed.h +} + +package_php53-pear() { + pkgdesc='PHP Extension and Application Repository' + depends=('php53') + conflicts=('php-pear') + provides=('php-pear') + backup=('etc/php/pear.conf') + + cd ${srcdir}/build-pear + make -j1 install-pear INSTALL_ROOT=${pkgdir} + local i + while read i; do + [ ! 
-e "$i" ] || rm -rf "$i" + done < <(find ${pkgdir} -name '.*') +} + +package_php53-enchant() { + depends=('php53' 'enchant') + conflicts=('php-enchant') + provides=('php-enchant') + pkgdesc='enchant module for PHP' + install -D -m755 ${srcdir}/build-php/modules/enchant.so ${pkgdir}/usr/lib/php/modules/enchant.so +} + +package_php53-gd() { + depends=('php53' 'libpng' 'libjpeg' 'freetype2') + conflicts=('php-gd') + provides=('php-gd') + pkgdesc='gd module for PHP' + install -D -m755 ${srcdir}/build-php/modules/gd.so ${pkgdir}/usr/lib/php/modules/gd.so +} + +package_php53-imap() { + depends=('php53' 'c-client') + conflicts=('php-imap') + provides=('php-imap') + + install -D -m755 ${srcdir}/build-php/modules/imap.so ${pkgdir}/usr/lib/php/modules/imap.so +} + +package_php53-intl() { + depends=('php53' 'icu') + conflicts=('php-intl') + provides=('php-intl') + pkgdesc='intl module for PHP' + install -D -m755 ${srcdir}/build-php/modules/intl.so ${pkgdir}/usr/lib/php/modules/intl.so +} + +package_php53-ldap() { + depends=('php53' 'libldap') + conflicts=('php-ldap') + provides=('php-ldap') + pkgdesc='ldap module for PHP' + install -D -m755 ${srcdir}/build-php/modules/ldap.so ${pkgdir}/usr/lib/php/modules/ldap.so +} + +package_php53-mcrypt() { + depends=('php53' 'libmcrypt' 'libltdl') + conflicts=('php-mcrypt') + provides=('php-mcrypt') + pkgdesc='mcrypt module for PHP' + install -D -m755 ${srcdir}/build-php/modules/mcrypt.so ${pkgdir}/usr/lib/php/modules/mcrypt.so +} + +package_php53-mssql() { + depends=('php53' 'freetds') + conflicts=('php-mssql') + provides=('php-mssql') + pkgdesc='mssql module for PHP' + install -D -m755 ${srcdir}/build-php/modules/mssql.so ${pkgdir}/usr/lib/php/modules/mssql.so +} + +package_php53-odbc() { + depends=('php53' 'unixodbc') + conflicts=('php-odbc') + provides=('php-odbc') + pkgdesc='ODBC modules for PHP' + install -D -m755 ${srcdir}/build-php/modules/odbc.so ${pkgdir}/usr/lib/php/modules/odbc.so + install -D -m755 
${srcdir}/build-php/modules/pdo_odbc.so ${pkgdir}/usr/lib/php/modules/pdo_odbc.so +} + +package_php53-pgsql() { + depends=('php53' 'postgresql-libs') + conflicts=('php-pgsql') + provides=('php-pgsql') + pkgdesc='PostgreSQL modules for PHP' + install -D -m755 ${srcdir}/build-php/modules/pgsql.so ${pkgdir}/usr/lib/php/modules/pgsql.so + install -D -m755 ${srcdir}/build-php/modules/pdo_pgsql.so ${pkgdir}/usr/lib/php/modules/pdo_pgsql.so +} + +package_php53-pspell() { + depends=('php53' 'aspell') + conflicts=('php-aspell') + provides=('php-aspell') + pkgdesc='pspell module for PHP' + install -D -m755 ${srcdir}/build-php/modules/pspell.so ${pkgdir}/usr/lib/php/modules/pspell.so +} + +package_php53-snmp() { + depends=('php53' 'net-snmp') + conflicts=('php-snmp') + provides=('php-snmp') + pkgdesc='snmp module for PHP' + install -D -m755 ${srcdir}/build-php/modules/snmp.so ${pkgdir}/usr/lib/php/modules/snmp.so +} + +package_php53-sqlite() { + depends=('php53' 'sqlite') + conflicts=('php-sqlite') + provides=('php-sqlite') + pkgdesc='sqlite module for PHP' + install -D -m755 ${srcdir}/build-php/modules/sqlite3.so ${pkgdir}/usr/lib/php/modules/sqlite3.so + install -D -m755 ${srcdir}/build-php/modules/pdo_sqlite.so ${pkgdir}/usr/lib/php/modules/pdo_sqlite.so +} + +package_php53-tidy() { + depends=('php53' 'tidyhtml') + conflicts=('php-tidy') + provides=('php-tidy') + pkgdesc='tidy module for PHP' + install -D -m755 ${srcdir}/build-php/modules/tidy.so ${pkgdir}/usr/lib/php/modules/tidy.so +} + +package_php53-xsl() { + depends=('php53' 'libxslt') + conflicts=('php-xsl') + provides=('php-xsl') + pkgdesc='xsl module for PHP' + install -D -m755 ${srcdir}/build-php/modules/xsl.so ${pkgdir}/usr/lib/php/modules/xsl.so +} + +sha1sums=('6e9e492c6d5853d063ddb9a4dbef60b8e5d87444' + '7b9ef5c3e0831154df0d6290aba0989ca90138ed' + '462927954b4074487b46722b0442185100def240' + '82776db01f70b9186ba455de22eb06fe193f1d30' + 'ea9a9101b9678a8461d9dddfc0df2a4412a4cb5d' + 
'b6a661523535a8e7e60d4a0c054d8f6066edf63e' + '4d9fea0b7ab856c59ddbf722fe6c95b8e479af9b' + '8f19ee0e351aa2cdc9b110db4e33b4c8f6131b12' + 'b5caa85fd1b76a3ece056ab5441852330989640b' + '9f2aa7c2514cb66204f9f5c3dc5f8ebdda238c78' + '4672c18ece397b2f99ad0c992f61220e210b2dc1' + '454e96af5cab1f649fceca61c0afb46ae73179f5' + '2f368143bcdaae4659a65103ffdeb71cac12c5cf' + 'ede78d11b7d4d6c304253bfd358607e160a3918a' + 'e97ea93d37ffbf6c3025281202d2e807facb4e7e' + '0ab48f282d62058318d08c44607aac89912f78d6' + 'b535103d79ba9791c22a841d5d72497dec3dd93d' + '7cb38769807eb7d35ff7f3eaf1cce408d8ad2676' + '066fe3a84e1aabaf45afe26470cd769b9e3ab79a' + '4968abe76ab18c15f85111b3e78dba0059f948ce' + '18e3f12ad04adf4cc59aa5862628ab0d032c76ef' + '4d9551ec6c2462cde45d0e556edf6d9e792c15b4' + '248dc92602721c193f3906f3eb7d98cd5499ba40' + '40fc97494110e9b312ea0f5bade8aa0b7043f40e') + +# Fix for AUR +pkgdesc='An HTML-embedded scripting language - Legacy 5.3 version' diff --git a/apache.conf b/apache.conf new file mode 100644 index 000000000000..c3ca0aad509e --- /dev/null +++ b/apache.conf @@ -0,0 +1,13 @@ +# Required modules: dir_module, php5_module + +<IfModule dir_module> + <IfModule php5_module> + DirectoryIndex index.php index.html + <FilesMatch "\.php$"> + SetHandler application/x-httpd-php + </FilesMatch> + <FilesMatch "\.phps$"> + SetHandler application/x-httpd-php-source + </FilesMatch> + </IfModule> +</IfModule> diff --git a/curl_embedded_null.patch b/curl_embedded_null.patch new file mode 100644 index 000000000000..eca9b1d1c39e --- /dev/null +++ b/curl_embedded_null.patch 
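Review bot: In `build()` of the PKGBUILD, the `patch` lines for CVE-2014-3587, CVE-2014-3597 and CVE-2015-0273 are commented out under `# TODO: some doesn't apply`, yet all three files stay in `source`. The package is therefore built without those fixes while its file list suggests otherwise. State this where a packager will see it, for example `# NOT APPLIED (do not apply cleanly): CVE-2014-3587, CVE-2014-3597, CVE-2015-0273`, and in the package description if the gap is to remain. `check()` is commented out as well, so the `.phpt` regression tests that the applied patches add never run. The two upstream downloads use plain `http://` and are pinned only by `sha1sums`; a `sha256sums` array would be the stronger pin.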
@@ -0,0 +1,43 @@
+Description: fix local file disclosure via curl NULL byte injection
+Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=ab0939e5e5449cba04b02fff3a5595f725bce0a0
+Bug: https://bugs.php.net/bug.php?id=68089
+
+Index: php5-5.3.10/ext/curl/interface.c
+===================================================================
+--- php5-5.3.10.orig/ext/curl/interface.c 2014-10-28 14:54:02.671549358 -0400
++++ php5-5.3.10/ext/curl/interface.c 2014-10-28 14:54:49.427898135 -0400
+@@ -172,6 +172,11 @@
+ #endif
+ TSRMLS_FETCH();
+
++ if (strlen(url) != len) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)");
++ return 0;
++ }
++
+ /* Disable file:// if open_basedir or safe_mode are used */
+ if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+ #if LIBCURL_VERSION_NUM >= 0x071304
+Index: php5-5.3.10/ext/curl/tests/bug68089.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php5-5.3.10/ext/curl/tests/bug68089.phpt 2014-10-28 14:54:02.667549328 -0400
+@@ -0,0 +1,18 @@
++--TEST--
++Bug #68089 (NULL byte injection - cURL lib)
++--SKIPIF--
++<?php
++include 'skipif.inc';
++
++?>
++--FILE--
++<?php
++$url = "file:///etc/passwd\0http://google.com";
++$ch = curl_init();
++var_dump(curl_setopt($ch, CURLOPT_URL, $url));
++?>
++Done
++--EXPECTF--
++Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4
++bool(false)
++Done
diff --git a/freetype-path.patch b/freetype-path.patch
new file mode 100644
index 000000000000..e3515df4055a
--- /dev/null
+++ b/freetype-path.patch
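Review bot: The backport in curl_embedded_null.patch is addressed to a `php5-5.3.10` tree (`Index:` and `---`/`+++` paths) and its first hunk header `@@ -172,6 +172,11 @@` carries no function name, so where the `strlen(url) != len` guard lands in this package's source is decided by context matching alone. Confirm in the prepared tree that it applied without fuzz and sits at the top of the URL-setting helper, ahead of the `file://` restriction that follows it; a misplaced guard would still build while leaving the embedded-NUL truncation reachable. The type of `len` is not visible here, so check that the comparison with `strlen()` is not a signed/unsigned mix that could pass for a negative length. The added `bug68089.phpt` exercises only `CURLOPT_URL`; whether other string-valued options need the same check cannot be told from this patch and is worth comparing against the commit named in `Origin:`.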
@@ -0,0 +1,13 @@
+diff --git a/configure b/configure
+index d506892..51617e8 100755
+--- a/configure
++++ b/configure
+@@ -38277,7 +38277,7 @@ fi
+ if test "$PHP_FREETYPE_DIR" != "no"; then
+
+ for i in $PHP_FREETYPE_DIR /usr/local /usr; do
+- if test -f "$i/include/freetype2/freetype/freetype.h"; then
++ if test -f "$i/include/freetype2/freetype.h"; then
+ FREETYPE2_DIR=$i
+ FREETYPE2_INC_DIR=$i/include/freetype2
+ break
diff --git a/logrotate.d.php-fpm b/logrotate.d.php-fpm
new file mode 100644
index 000000000000..7a1ba2597d6e
--- /dev/null
+++ b/logrotate.d.php-fpm
@@ -0,0 +1,6 @@
+/var/log/php-fpm.log {
+ missingok
+ postrotate
+ /etc/rc.d/php-fpm logrotate >/dev/null || true
+ endscript
+}
diff --git a/php-fpm.conf.in.patch b/php-fpm.conf.in.patch
new file mode 100644
index 000000000000..ca8f92083616
--- /dev/null
+++ b/php-fpm.conf.in.patch
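Review bot: The `postrotate` line in logrotate.d.php-fpm hides every failure (`>/dev/null || true`), so if `/etc/rc.d/php-fpm` is absent or its `logrotate` action fails, php-fpm keeps writing to the renamed file and the fresh `/var/log/php-fpm.log` stays empty with no error reported anywhere. Whether this package installs that rc.d script is not visible in this chunk; if it does not, signal the master from the pid file set in php-fpm.conf instead, since php-fpm reopens its log on SIGUSR1. The stanza also leaves the new file's owner and mode implicit; I would add an explicit `create` directive (for example `create 0640 root root`, adjusted to the account that actually opens the log) so error output that may contain paths and request data is not left to inherited permissions.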
@@ -0,0 +1,52 @@
+--- sapi/fpm/php-fpm.conf.in 2011-10-08 23:04:10.000000000 +0200
++++ sapi/fpm/php-fpm.conf.in 2012-03-01 19:50:48.549947258 +0100
+@@ -12,7 +12,7 @@
+ ; Relative path can also be used. They will be prefixed by:
+ ; - the global prefix if it's been set (-p arguement)
+ ; - @prefix@ otherwise
+-;include=etc/fpm.d/*.conf
++;include=/etc/php/fpm.d/*.conf
+
+ ;;;;;;;;;;;;;;;;;;
+ ; Global Options ;
+@@ -22,7 +22,7 @@
+ ; Pid file
+ ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
+ ; Default Value: none
+-;pid = run/php-fpm.pid
++pid = run/php-fpm/php-fpm.pid
+
+ ; Error log file
+ ; If it's set to "syslog", log is sent to syslogd instead of being written
+@@ -140,7 +140,8 @@
+ ; specific port;
+ ; '/path/to/unix/socket' - to listen on a unix socket.
+ ; Note: This value is mandatory.
+-listen = 127.0.0.1:9000
++;listen = 127.0.0.1:9000
++listen = /var/run/php-fpm/php-fpm.sock
+
+ ; Set listen(2) backlog.
+ ; Default Value: 128 (-1 on FreeBSD and OpenBSD)
+@@ -151,9 +152,9 @@
+ ; BSD-derived systems allow connections regardless of permissions.
+ ; Default Values: user and group are set as the running user
+ ; mode is set to 0660
+-;listen.owner = @php_fpm_user@
+-;listen.group = @php_fpm_group@
+-;listen.mode = 0660
++listen.owner = @php_fpm_user@
++listen.group = @php_fpm_group@
++listen.mode = 0660
+
+ ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
+ ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+@@ -442,7 +443,7 @@
+ ; Chdir to this directory at the start.
+ ; Note: relative path can be used.
+ ; Default Value: current directory or / when chroot
+-;chdir = /var/www
++;chdir = /srv/http
+
+ ; Redirect worker stdout and stderr into main error log. If not set, stdout and
+ ; stderr will be redirected to /dev/null according to FastCGI specs.
diff --git a/php.ini.patch b/php.ini.patch
new file mode 100644
index 000000000000..87b1aef919ec
--- /dev/null
+++ b/php.ini.patch
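Review bot: Nothing in php-fpm.conf.in.patch creates or restricts the `php-fpm` run directory that now holds both the pid file (`pid = run/php-fpm/php-fpm.pid`) and the FastCGI socket (`listen = /var/run/php-fpm/php-fpm.sock`), so the `listen.mode = 0660` setting is only as strong as a directory this patch never mentions. If that directory is missing at start the daemon cannot bind, and if it is writable by the pool account the socket path can be replaced by whoever runs PHP code in the pool. I would add a comment above the new `listen` line, such as `; directory must exist before start, owned by root and not writable by the pool user`, and check that the package creates it with that ownership (not visible in this chunk). A second comment noting that `listen.owner` and `listen.group` must match the account the web server connects as would save admins a permissions hunt.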
@@ -0,0 +1,125 @@ +--- php.ini-production 2012-03-29 06:17:59.000000000 +0200 ++++ php.ini-production 2012-03-30 10:46:21.181340861 +0200 +@@ -305,7 +305,7 @@ + ; or per-virtualhost web server configuration file. This directive is + ; *NOT* affected by whether Safe Mode is turned On or Off. + ; http://php.net/open-basedir +-;open_basedir = ++open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/ + + ; This directive allows you to disable certain functions for security reasons. + ; It receives a comma-delimited list of function names. This directive is +@@ -702,7 +702,7 @@ + ;;;;;;;;;;;;;;;;;;;;;;;;; + + ; UNIX: "/path1:/path2" +-;include_path = ".:/php/includes" ++include_path = ".:/usr/share/pear" + ; + ; Windows: "\path1;\path2" + ;include_path = ".;c:\php\includes" +@@ -725,7 +725,7 @@ + + ; Directory in which the loadable extensions (modules) reside. + ; http://php.net/extension-dir +-; extension_dir = "./" ++extension_dir = "/usr/lib/php/modules/" + ; On windows: + ; extension_dir = "ext" + +@@ -859,53 +859,48 @@ + ; If you only provide the name of the extension, PHP will look for it in its + ; default extension directory. + ; +-; Windows Extensions +-; Note that ODBC support is built in, so no dll is needed for it. +-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5) +-; extension folders as well as the separate PECL DLL download (PHP 5). +-; Be sure to appropriately set the extension_dir directive. 
+-; +-;extension=php_bz2.dll +-;extension=php_curl.dll +-;extension=php_fileinfo.dll +-;extension=php_gd2.dll +-;extension=php_gettext.dll +-;extension=php_gmp.dll +-;extension=php_intl.dll +-;extension=php_imap.dll +-;extension=php_interbase.dll +-;extension=php_ldap.dll +-;extension=php_mbstring.dll +-;extension=php_exif.dll ; Must be after mbstring as it depends on it +-;extension=php_mysql.dll +-;extension=php_mysqli.dll +-;extension=php_oci8.dll ; Use with Oracle 10gR2 Instant Client +-;extension=php_oci8_11g.dll ; Use with Oracle 11gR2 Instant Client +-;extension=php_openssl.dll +-;extension=php_pdo_firebird.dll +-;extension=php_pdo_mssql.dll +-;extension=php_pdo_mysql.dll +-;extension=php_pdo_oci.dll +-;extension=php_pdo_odbc.dll +-;extension=php_pdo_pgsql.dll +-;extension=php_pdo_sqlite.dll +-;extension=php_pgsql.dll +-;extension=php_pspell.dll +-;extension=php_shmop.dll +- +-; The MIBS data available in the PHP distribution must be installed. +-; See http://www.php.net/manual/en/snmp.installation.php +-;extension=php_snmp.dll +- +-;extension=php_soap.dll +-;extension=php_sockets.dll +-;extension=php_sqlite.dll +-;extension=php_sqlite3.dll +-;extension=php_sybase_ct.dll +-;extension=php_tidy.dll +-;extension=php_xmlrpc.dll +-;extension=php_xsl.dll +-;extension=php_zip.dll ++;extension=bcmath.so ++;extension=bz2.so ++;extension=calendar.so ++extension=curl.so ++;extension=dba.so ++;extension=enchant.so ++;extension=exif.so ++;extension=ftp.so ++;extension=gd.so ++;extension=gettext.so ++;extension=gmp.so ++extension=json.so ++;extension=iconv.so ++;extension=imap.so ++;extension=intl.so ++;extension=ldap.so ++;extension=mcrypt.so ++;extension=mssql.so ++;extension=mysqli.so ++;extension=mysql.so ++;extension=odbc.so ++;extension=openssl.so ++;extension=pdo_mysql.so ++;extension=pdo_odbc.so ++;extension=pdo_pgsql.so ++;extension=pdo_sqlite.so ++;extension=pgsql.so ++;extension=phar.so ++;extension=posix.so ++;extension=pspell.so ++;extension=shmop.so 
++;extension=snmp.so ++;extension=soap.so ++;extension=sockets.so ++;extension=sqlite3.so ++;extension=sysvmsg.so ++;extension=sysvsem.so ++;extension=sysvshm.so ++;extension=tidy.so ++;extension=xmlrpc.so ++;extension=xsl.so ++;extension=zip.so + + ;;;;;;;;;;;;;;;;;;; + ; Module Settings ; diff --git a/suhosin.patch b/suhosin.patch new file mode 100644 index 000000000000..0f7a1114d568 --- /dev/null +++ b/suhosin.patch @@ -0,0 +1,13 @@ +--- suhosin-patch-5.3.9-0.9.10.patch 2012-04-01 11:55:46.699676255 +0200 ++++ suhosin-patch-5.3.9-0.9.10.patch 2012-04-01 11:56:19.322146479 +0200 +@@ -4515,8 +4515,8 @@ + +#define SUHOSIN_PATCH 1 + +EOF + +- echo $ac_n "checking for declared timezone""... $ac_c" 1>&6 +- echo "configure:19377: checking for declared timezone" >&5 ++ echo "$as_me:$LINENO: checking for declared timezone" >&5 ++ echo $ECHO_N "checking for declared timezone... $ECHO_C" >&6 + @@ -115830,7 +115833,7 @@ + php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \ + strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \ |
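Review bot: `open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/` in php.ini.patch is one global allow-list that gives every site all of `/home/` and a shared `/tmp/`, so a single compromised application can read or plant files belonging to other sites and users wherever filesystem permissions allow it. I would keep the packaged default to the document root and PEAR, and add a comment directing admins to widen it per virtual host or per FPM pool with `php_admin_value[open_basedir]`, noting that open_basedir is a damage limiter and not a substitute for separate accounts. The same hunk turns on `extension=curl.so` and `extension=json.so` for every install while leaving the rest commented; a one-line comment giving the reason would help the next maintainer judge whether the network-capable curl extension should really be on by default. This hunk runs across several source lines and ends just before the suhosin.patch section.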