Author: jorton
Update of /cvs/dist/rpms/php/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv17182
Modified Files:
php.spec
Added Files:
php-4.3.9-CVE-2007-0906-strreplace.patch
php-4.3.9-CVE-2007-0907.patch php-4.3.9-CVE-2007-0908.patch
php-4.3.9-CVE-2007-0909-odbc.patch
php-4.3.9-CVE-2007-0909-printf.patch
php-4.3.9-CVE-2007-0988.patch
php-5.1.6-CVE-2007-0906-imap.patch
php-5.1.6-CVE-2007-0910.patch
Log Message:
* Fri Feb 16 2007 Joe Orton <jorton@xxxxxxxxxx> 5.1.6-3.4.fc6
- add security fixes for: CVE-2007-0906, CVE-2007-0907,
CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988 (#228011)
- package /usr/share/php and append to default include_path (#225434)
- add php(api), php(zend-abi) provides (#221302)
- package /usr/share/php
- fix magic file used by mime-magic (Kir Kolyshkin, #177926)
php-4.3.9-CVE-2007-0906-strreplace.patch:
string.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE php-4.3.9-CVE-2007-0906-strreplace.patch ---
--- php-4.3.9/ext/standard/string.c.cve0906-strreplace
+++ php-4.3.9/ext/standard/string.c
@@ -2506,7 +2506,7 @@
}
Z_STRLEN_P(result) = len + (char_count * (to_len - 1));
- Z_STRVAL_P(result) = target = emalloc(Z_STRLEN_P(result) + 1);
+ Z_STRVAL_P(result) = target = safe_emalloc(char_count, to_len, len + 1);
Z_TYPE_P(result) = IS_STRING;
for (source = str; source < source_end; source++) {
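Review bot: The length stored by `Z_STRLEN_P(result) = len + (char_count * (to_len - 1));` on the context line is still computed without an overflow check, so it can wrap even though the allocation below it is now guarded by `safe_emalloc(char_count, to_len, len + 1)`. If the operands are plain `int` (their declarations are outside the hunk), a wrapped length leaves the zval describing a different size than the buffer the copy loop fills. I would reject the call before this line when `char_count * (to_len - 1)` cannot be added to `len` within the range of the length field, and add a comment such as `/* safe_emalloc() only guards the allocation size; the stored length is checked above */`. The function body starts and ends outside the hunk.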
php-4.3.9-CVE-2007-0907.patch:
SAPI.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE php-4.3.9-CVE-2007-0907.patch ---
--- php-4.3.9/main/SAPI.c.cve0907
+++ php-4.3.9/main/SAPI.c
@@ -529,7 +529,7 @@
header_line = estrndup(header_line, header_line_len);
/* cut of trailing spaces, linefeeds and carriage-returns */
- while(isspace(header_line[header_line_len-1]))
+ while(header_line_len && isspace(header_line[header_line_len-1]))
header_line[--header_line_len]='\0';
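Review bot: `isspace()` is still called with a plain `char` on the changed line, which is undefined for negative values when `char` is signed and the header carries bytes above 0x7f; cast the argument, `while(header_line_len && isspace((unsigned char)header_line[header_line_len-1]))`. The new length guard also means `header_line_len` can now reach 0 for a header made only of whitespace, and the code that consumes the resulting empty `header_line` is outside this hunk, so it should be confirmed that it handles a zero-length line. The comment typo could be fixed in the same change: `/* cut off trailing spaces, linefeeds and carriage-returns */`.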
php-4.3.9-CVE-2007-0908.patch:
wddx.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE php-4.3.9-CVE-2007-0908.patch ---
--- php-4.3.9/ext/wddx/wddx.c.cve0908
+++ php-4.3.9/ext/wddx/wddx.c
@@ -285,7 +285,7 @@
switch (hash_type) {
case HASH_KEY_IS_LONG:
- sprintf(tmp, "%ld", idx);
+ key_length = sprintf(tmp, "%ld", idx) +
1;
key = tmp;
/* fallthru */
case HASH_KEY_IS_STRING:
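Review bot: The `sprintf(tmp, "%ld", idx)` call that now feeds `key_length` is still unbounded, and the declaration of `tmp` is outside the hunk, so nothing visible here shows the buffer can hold the longest `long` plus sign and terminator. If `tmp` is a local array, the bounded form `key_length = snprintf(tmp, sizeof(tmp), "%ld", idx) + 1;` keeps the write inside it. A short comment would also help, for example `/* key_length includes the terminating NUL, as the string-key case expects */`, assuming string keys are counted the same way, since the `+ 1` is what makes the fall-through into `HASH_KEY_IS_STRING` consistent.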
php-4.3.9-CVE-2007-0909-odbc.patch:
php_odbc.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE php-4.3.9-CVE-2007-0909-odbc.patch ---
--- php-4.3.9/ext/odbc/php_odbc.c.cve0909-odbc
+++ php-4.3.9/ext/odbc/php_odbc.c
@@ -1980,12 +1980,12 @@
RETURN_FALSE;
}
if (rc == SQL_SUCCESS_WITH_INFO)
-
php_printf(buf,result->longreadlen);
+ PHPWRITE(buf,
result->longreadlen);
else if (result->values[i].vallen ==
SQL_NULL_DATA) {
php_printf("<td>NULL</td>");
break;
} else {
- php_printf(buf,
result->values[i].vallen);
+ PHPWRITE(buf,
result->values[i].vallen);
}
php_printf("</td>");
break;
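Review bot: With `PHPWRITE(buf, result->longreadlen)` and `PHPWRITE(buf, result->values[i].vallen)` the length argument now decides how many bytes are emitted, whereas the removed `php_printf` calls stopped at the first NUL and ignored it. Nothing in the hunk bounds either length against the size `buf` was allocated with, and `vallen` is a value reported by the driver; only `SQL_NULL_DATA` is handled before the write. I would clamp the length to the buffer size (its allocation is outside the hunk) and treat any other negative `vallen` like the NULL case. The bytes are also written between `<td>` and `</td>` without HTML escaping, which deserves a comment if that is intended.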
php-4.3.9-CVE-2007-0909-printf.patch:
formatted_print.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)
--- NEW FILE php-4.3.9-CVE-2007-0909-printf.patch ---
--- php-4.3.9/ext/standard/formatted_print.c.cve0909-printf
+++ php-4.3.9/ext/standard/formatted_print.c
@@ -477,9 +477,10 @@
{
zval ***args, **z_format, **array;
int argc, size = 240, inpos = 0, outpos = 0, temppos;
- int alignment, width, precision, currarg, adjusting, argnum;
+ int alignment, currarg, adjusting;
char *format, *result, padding;
int always_sign;
+ long argnum, width, precision;
argc = ZEND_NUM_ARGS();
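Review bot: Widening `argnum`, `width` and `precision` to `long` only helps on platforms where `long` is wider than `int`; on ILP32 targets the two types have the same range, so whatever overflow the `int` declarations allowed is still possible there. The hunk shows the declarations only, so the code that parses these values from the format string and passes them on is outside it; it needs an explicit range check, including rejection of negative results, before the values are used as sizes or argument indexes. A comment on the new line would document the intent, e.g. `/* long: parsed from the format string, range-checked before use */`.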
php-4.3.9-CVE-2007-0988.patch:
zend_hash.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
--- NEW FILE php-4.3.9-CVE-2007-0988.patch ---
--- php-4.3.9/Zend/zend_hash.c.zhash64
+++ php-4.3.9/Zend/zend_hash.c
@@ -178,11 +178,16 @@
SET_INCONSISTENT(HT_OK);
- while ((1U << i) < nSize) {
- i++;
+ if (nSize >= 0x80000000) {
+ /* prevent overflow */
+ ht->nTableSize = 0x80000000;
+ } else {
+ while ((1U << i) < nSize) {
+ i++;
+ }
+ ht->nTableSize = 1 << i;
}
- ht->nTableSize = 1 << i;
ht->nTableMask = ht->nTableSize - 1;
ht->pDestructor = pDestructor;
ht->pListHead = NULL;
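Review bot: `ht->nTableSize = 1 << i;` in the new `else` branch shifts a signed `int`, and for `nSize` above 0x40000000 but below 0x80000000 the loop leaves `i` at 31 (assuming it starts lower; its initialisation is outside the hunk), so the shift overflows `int`. Writing it as `ht->nTableSize = 1U << i;` matches the unsigned shift already used in the loop condition. The allocation that multiplies `nTableSize` by the bucket pointer size is outside the hunk; with a table size of 0x80000000 that product needs its own overflow check on 32-bit builds.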
php-5.1.6-CVE-2007-0906-imap.patch:
php_imap.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletion(-)
--- NEW FILE php-5.1.6-CVE-2007-0906-imap.patch ---
--- php-5.1.6/ext/imap/php_imap.c.cve0906-imap
+++ php-5.1.6/ext/imap/php_imap.c
@@ -62,6 +62,9 @@
#define CRLF_LEN sizeof("\015\012") - 1
#define PHP_EXPUNGE 32768
#define PHP_IMAP_ADDRESS_SIZE_BUF 10
+#ifndef SENDBUFLEN
+#define SENDBUFLEN 16385
+#endif
static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC);
static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC);
@@ -2915,7 +2918,7 @@
BODY *bod=NULL, *topbod=NULL;
PART *mypart=NULL, *part;
PARAMETER *param, *disp_param = NULL, *custom_headers_param = NULL,
*tmp_param = NULL;
- char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL;
+ char tmp[SENDBUFLEN + 1], *mystring=NULL, *t=NULL, *tempstring=NULL;
int toppart = 0;
if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &envelope, &body)
== FAILURE) {
@@ -3266,6 +3269,10 @@
/* yucky default */
if (!cookie) {
cookie = "-";
+ } else if (strlen(cookie) > (sizeof(tmp) - 2 - 2)) {
/* validate cookie length -- + CRLF */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING,
"The boundary should be no longer then 4kb");
+ RETVAL_FALSE;
+ return;
}
/* for each part */
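Review bot: The warning text added here does not match the check: the limit is `sizeof(tmp) - 2 - 2`, and `tmp` (presumably the array from the previous hunk) is declared as `char tmp[SENDBUFLEN + 1]`, about 16 KB with the fallback value, while the message says 4kb and has "then" for "than". A message such as `"The boundary should be no longer than %d bytes"` with the computed limit as its argument would keep the two in step. The early `return` also leaves the function without passing through whatever cleanup follows the loop; that code is outside the hunk, so it should be confirmed that nothing allocated earlier in the function is leaked on this path.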
php-5.1.6-CVE-2007-0910.patch:
session.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 48 insertions(+), 14 deletions(-)
--- NEW FILE php-5.1.6-CVE-2007-0910.patch ---
--- php-5.1.6/ext/session/session.c.cve0910
+++ php-5.1.6/ext/session/session.c
@@ -247,7 +247,7 @@
static void php_rinit_session_globals(TSRMLS_D);
static void php_rshutdown_session_globals(TSRMLS_D);
-static zend_bool php_session_destroy(TSRMLS_D);
+static int php_session_destroy(TSRMLS_D);
zend_module_entry session_module_entry = {
STANDARD_MODULE_HEADER,
@@ -291,9 +291,12 @@
if (PG(register_globals)) {
zval **sym_global = NULL;
- zend_hash_find(&EG(symbol_table), name, namelen + 1,
- (void *) &sym_global);
-
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void
*) &sym_global) == SUCCESS) {
+ if ((Z_TYPE_PP(sym_global) == IS_ARRAY &&
Z_ARRVAL_PP(sym_global) == &EG(symbol_table)) || *sym_global ==
PS(http_session_vars)) {
+ return;
+ }
+ }
+
if (sym_global == NULL && sym_track == NULL) {
zval *empty_var;
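Review bot: The compound test `(Z_TYPE_PP(x) == IS_ARRAY && Z_ARRVAL_PP(x) == &EG(symbol_table)) || *x == PS(http_session_vars)` is written out four times in this patch (here, in the next hunk, and in both decoder hunks), which makes it easy for one copy to drift from the others. A single helper, for instance `#define PS_IS_PROTECTED_GLOBAL(zpp) ((Z_TYPE_PP(zpp) == IS_ARRAY && Z_ARRVAL_PP(zpp) == &EG(symbol_table)) || *(zpp) == PS(http_session_vars))`, with a comment saying which globals it protects and why, would document the intent once. The enclosing function starts and ends outside the hunk.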
@@ -323,7 +326,10 @@
if (PG(register_globals)) {
zval **old_symbol;
if (zend_hash_find(&EG(symbol_table),name,namelen+1,(void
*)&old_symbol) == SUCCESS) {
-
+ if ((Z_TYPE_PP(old_symbol) == IS_ARRAY &&
Z_ARRVAL_PP(old_symbol) == &EG(symbol_table)) || *old_symbol ==
PS(http_session_vars)) {
+ return;
+ }
+
/*
* A global symbol with the same name exists already.
That
* symbol might have been created by other means (e.g.
$_GET).
@@ -432,13 +438,26 @@
PHP_VAR_UNSERIALIZE_INIT(var_hash);
for (p = val; p < endptr; ) {
+ zval **tmp;
namelen = *p & (~PS_BIN_UNDEF);
+
+ if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
+ return FAILURE;
+ }
+
has_value = *p & PS_BIN_UNDEF ? 0 : 1;
name = estrndup(p + 1, namelen);
-
+
p += namelen + 1;
-
+
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void
**) &tmp) == SUCCESS) {
+ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) ==
&EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+ efree(name);
+ continue;
+ }
+ }
+
if (has_value) {
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(¤t, (const unsigned char
**) &p, endptr, &var_hash TSRMLS_CC)) {
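Review bot: The new bounds check `namelen > PS_BIN_MAX || (p + namelen) >= endptr` does not reject a negative `namelen`, which `*p & (~PS_BIN_UNDEF)` can produce if `p` points to plain `char`, `char` is signed and the byte has its top bit set (the declarations and the value of `PS_BIN_UNDEF` are outside the hunk). A negative value passes both comparisons and is then used as the length in `estrndup(p + 1, namelen)`. Reading the byte as unsigned, `namelen = ((unsigned char)*p) & (~PS_BIN_UNDEF);`, or adding `namelen < 0 ||` to the condition closes that case. The `return FAILURE;` also leaves after `PHP_VAR_UNSERIALIZE_INIT(var_hash)` with no matching destroy call visible on that path.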
@@ -504,6 +523,7 @@
p = val;
while (p < endptr) {
+ zval **tmp;
q = p;
while (*q != PS_DELIMITER)
if (++q >= endptr) goto break_outer_loop;
@@ -519,6 +539,12 @@
name = estrndup(p, namelen);
q++;
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void
**) &tmp) == SUCCESS) {
+ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) ==
&EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+ goto skip;
+ }
+ }
+
if (has_value) {
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(¤t, (const unsigned char
**) &q, endptr, &var_hash TSRMLS_CC)) {
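Review bot: The `goto skip` taken for a protected name jumps to `skip:` in the next hunk, where `p = q` runs with `q` still pointing just past the delimiter, so the serialized value of the skipped entry is never consumed and the next iteration looks for a name inside the value bytes. The `continue` added to the binary decoder in the earlier hunk has the same effect, since `p` has only been advanced by `namelen + 1`. The contents of one stored value can then be interpreted as further session entries that the writer never stored. I would parse and discard the value before skipping (unserialize into a temporary and destroy it), or fail the decode when a protected name is seen. The loop body continues outside this hunk.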
@@ -527,8 +553,8 @@
zval_ptr_dtor(¤t);
}
PS_ADD_VARL(name, namelen);
+skip:
efree(name);
-
p = q;
}
break_outer_loop:
@@ -546,16 +572,20 @@
zend_delete_global_variable("HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS")-1 TSRMLS_CC);
zend_delete_global_variable("_SESSION", sizeof("_SESSION")-1 TSRMLS_CC);
+ if (PS(http_session_vars)) {
+ zval_ptr_dtor(&PS(http_session_vars));
+ }
+
MAKE_STD_ZVAL(session_vars);
array_init(session_vars);
PS(http_session_vars) = session_vars;
if (PG(register_long_arrays)) {
- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 2, 1);
+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 3, 1);
+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 3, 1);
}
else {
- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 1, 0);
+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 2, 1);
}
}
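Review bot: The new `zval_ptr_dtor(&PS(http_session_vars));` leaves the pointer set until `PS(http_session_vars) = session_vars;` a few lines later, unlike the request-shutdown hunk at the end of this patch, which clears it right after the destructor call. If `MAKE_STD_ZVAL` or `array_init` does not return normally, the stale pointer could be released a second time at shutdown; adding `PS(http_session_vars) = NULL;` inside the `if` makes the two sites consistent. The reference counts passed to `ZEND_SET_GLOBAL_VAR_WITH_LENGTH` change from 2 to 3 and from 1 to 2 without explanation, so a comment naming the holders being counted would help the next reader.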
@@ -1250,9 +1280,9 @@
}
}
-static zend_bool php_session_destroy(TSRMLS_D)
+static int php_session_destroy(TSRMLS_D)
{
- zend_bool retval = SUCCESS;
+ int retval = SUCCESS;
if (PS(session_status) != php_session_active) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Trying to destroy
uninitialized session");
@@ -1472,7 +1502,7 @@
zend_bool del_ses = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &del_ses) ==
FAILURE) {
- WRONG_PARAM_COUNT;
+ return;
}
if (PS(session_status) == php_session_active) {
@@ -1763,6 +1793,10 @@
static void php_rshutdown_session_globals(TSRMLS_D)
{
+ if (PS(http_session_vars)) {
+ zval_ptr_dtor(&PS(http_session_vars));
+ PS(http_session_vars) = NULL;
+ }
if (PS(mod_data)) {
zend_try {
PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);
Index: php.spec
===================================================================
RCS file: /cvs/dist/rpms/php/FC-6/php.spec,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -r1.122 -r1.123
--- php.spec 15 Dec 2006 15:35:57 -0000 1.122
+++ php.spec 16 Feb 2007 16:10:59 -0000 1.123
@@ -6,7 +6,7 @@
Summary: The PHP HTML-embedded scripting language. (PHP: Hypertext
Preprocessor)
Name: php
Version: 5.1.6
-Release: 3.3%{?dist}
+Release: 3.4%{?dist}
License: The PHP License v3.01
Group: Development/Languages
URL: http://www.php.net/
@@ -14,6 +14,7 @@
Source0: http://www.php.net/distributions/php-%{version}.tar.gz
Source50: php.conf
Source51: php.ini
+Source52: macros.php
Patch1: php-5.1.4-gnusrc.patch
Patch2: php-5.1.4-warnings.patch
@@ -22,6 +23,7 @@
Patch7: php-4.3.2-libtool15.patch
Patch13: php-5.0.2-phpize64.patch
Patch14: php-5.1.6-ecalloc.patch
+Patch15: php-5.2.0-includedir.patch
# Fixes for extension modules
Patch21: php-4.3.1-odbc.patch
@@ -37,6 +39,14 @@
# Security fixes
Patch70: php-4.3.9-CVE-2006-5465.patch
+Patch71: php-5.1.6-CVE-2007-0906-imap.patch
+Patch72: php-4.3.9-CVE-2007-0906-strreplace.patch
+Patch73: php-4.3.9-CVE-2007-0907.patch
+Patch74: php-4.3.9-CVE-2007-0908.patch
+Patch75: php-4.3.9-CVE-2007-0909-odbc.patch
+Patch76: php-4.3.9-CVE-2007-0909-printf.patch
+Patch77: php-5.1.6-CVE-2007-0910.patch
+Patch78: php-4.3.9-CVE-2007-0988.patch
BuildRoot: %{_tmppath}/%{name}-root
@@ -49,7 +59,6 @@
Obsoletes: php-dbg, php3, phpfi, stronghold-php
# Enforce Apache module ABI compatibility
Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo
missing-httpd-devel)
-Requires: file >= 4.0
Provides: mod_php = %{version}-%{release}
Requires: php-common = %{version}-%{release}
# For backwards-compatibility, require php-cli for the time being:
@@ -81,6 +90,7 @@
Group: Development/Languages
Summary: Common files for PHP
Provides: php-api = %{apiver}, php-zend-abi = %{zendver}
+Provides: php(api) = %{apiver}, php(zend-abi) = %{zendver}
# Provides for all builtin modules:
Provides: php-bz2, php-calendar, php-ctype, php-curl, php-date, php-exif
Provides: php-ftp, php-gettext, php-gmp, php-hash, php-iconv, php-libxml
@@ -89,6 +99,8 @@
Provides: php-spl, php-sysvsem, php-sysvshm, php-sysvmsg, php-tokenizer
Provides: php-wddx, php-zlib
Obsoletes: php-openssl
+# For mime-magic
+Requires: file
%description common
The php-common package contains files used by both the php
@@ -299,6 +311,7 @@
%patch7 -p1 -b .libtool15
%patch13 -p1 -b .phpize64
%patch14 -p1 -b .ecalloc
+%patch15 -p1 -b .includedir
%patch21 -p1 -b .odbc
%patch22 -p1 -b .shutdown
@@ -310,6 +323,14 @@
%patch51 -p1 -b .tests-wddx
%patch70 -p1 -b .cve5465
+%patch71 -p1 -b .cve0906-imap
+%patch72 -p1 -b .cve0906-strreplace
+%patch73 -p1 -b .cve0907
+%patch74 -p1 -b .cve0908
+%patch75 -p1 -b .cve0909-odbc
+%patch76 -p1 -b .cve0909-printf
+%patch77 -p1 -b .cve0910
+%patch78 -p1 -b .cve0988
# Prevent %%doc confusion over LICENSE files
cp Zend/LICENSE Zend/ZEND_LICENSE
@@ -421,7 +442,7 @@
--enable-calendar \
--enable-dbx \
--enable-dio \
- --with-mime-magic=%{_sysconfdir}/httpd/conf/magic \
+ --with-mime-magic=%{_datadir}/file/magic \
--without-sqlite \
--with-libxml-dir=%{_prefix} \
--with-xml \
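Review bot: `--with-mime-magic=%{_datadir}/file/magic` points the build at a file owned by another package, while the dependency added in the php-common hunk is an unversioned `Requires: file` and the old `Requires: file >= 4.0` is dropped. If that path is not shipped by every `file` release that satisfies the dependency, the extension would be configured with a magic database that is missing at run time. A comment next to the option, e.g. `# magic database is provided by the file package, see Requires in php-common`, would tie the two lines together, and a versioned dependency would be safer if the path is known to have moved between releases.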
@@ -514,8 +535,9 @@
install -m 755 -d $RPM_BUILD_ROOT%{contentdir}/icons
install -m 644 *.gif $RPM_BUILD_ROOT%{contentdir}/icons/
-# For PEAR packaging:
-install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/php/pear
+# For third-party packaging:
+install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/php/pear \
+ $RPM_BUILD_ROOT%{_datadir}/php
# Use correct libdir
sed -i -e 's|%{_prefix}/lib|%{_libdir}|' $RPM_BUILD_ROOT%{_sysconfdir}/php.ini
@@ -561,6 +583,13 @@
# isn't useful at this time since rpm itself requires sqlite.
cat files.pdo_sqlite >> files.pdo
+# Install the macros file:
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/rpm
+sed -e
"s/@PHP_APIVER@/%{apiver}/;s/@PHP_ZENDVER@/%{zendver}/;s/@PHP_PDOVER@/%{pdover}/"
\
+ < $RPM_SOURCE_DIR/macros.php > macros.php
+install -m 644 -c macros.php \
+ $RPM_BUILD_ROOT%{_sysconfdir}/rpm/macros.php
+
# Remove unpackaged files
rm -rf $RPM_BUILD_ROOT%{_libdir}/php/modules/*.a \
$RPM_BUILD_ROOT%{_bindir}/{phptar} \
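Review bot: The new `sed` step reads `$RPM_SOURCE_DIR/macros.php` although the file is declared as `Source52`, so the build depends on the source directory layout rather than on the declared source; `< %{SOURCE52} > macros.php` is the usual form and keeps the reference in step if the source is renamed. The generated `macros.php` is also written into the build directory under the same name as the source file, which is easy to misread; a distinct output name or a one-line comment would make the two files clear.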
@@ -577,14 +606,14 @@
%defattr(-,root,root)
%{_libdir}/httpd/modules/libphp5.so
%attr(0770,root,apache) %dir %{_localstatedir}/lib/php/session
-%config %{_sysconfdir}/httpd/conf.d/php.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/php.conf
%{contentdir}/icons/php.gif
%files common
%defattr(-,root,root)
%doc CODING_STANDARDS CREDITS EXTENSIONS INSTALL LICENSE NEWS README*
%doc Zend/ZEND_* gd_README TSRM_LICENSE regex_COPYRIGHT
-%config %{_sysconfdir}/php.ini
+%config(noreplace) %{_sysconfdir}/php.ini
%dir %{_sysconfdir}/php.d
%dir %{_libdir}/php
%dir %{_libdir}/php/modules
@@ -605,6 +634,7 @@
%{_libdir}/php/build
%{_mandir}/man1/php-config.1*
%{_mandir}/man1/phpize.1*
+%config %{_sysconfdir}/rpm/macros.php
%files pgsql -f files.pgsql
%files mysql -f files.mysql
@@ -623,6 +653,13 @@
%files pdo -f files.pdo
%changelog
+* Fri Feb 16 2007 Joe Orton <jorton@xxxxxxxxxx> 5.1.6-3.4.fc6
+- add security fixes for: CVE-2007-0906, CVE-2007-0907,
+ CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988 (#228011)
+- package /usr/share/php and append to default include_path (#225434)
+- add php(api), php(zend-abi) provides (#221302)
+- fix magic file used by mime-magic (Kir Kolyshkin, #177926)
+
* Fri Dec 15 2006 Joe Orton <jorton@xxxxxxxxxx> 5.1.6-3.3.fc6
- fix version for php-zend-abi (Remi Collet, #212804)
- provide php-readline from php-cli