From 7444253457e8e5581b3e48f173531f8119363fa4 Mon Sep 17 00:00:00 2001 From: "fan.xin" Date: Mon, 14 Dec 2015 13:37:53 +0900 Subject: php: Upgrade 5.6.12 -> 5.6.16 Fix CVE-2015-7803, CVE-2015-7804 and other bugs http://php.net/ChangeLog-5.php Signed-off-by: Fan Xin Signed-off-by: Martin Jansa (cherry picked from commit ecaad588c79437be3209d987c49928ecbd907d8e) dropped several security patch included in this update. Signed-off-by: Armin Kuster --- .../php/php-5.6.12/CVE-2015-7803.patch | 85 ---------------------- .../php/php-5.6.12/CVE-2015-7804.patch | 64 ---------------- .../php/php-5.6.12/CVE-2016-1903.patch | 55 -------------- .../change-AC_TRY_RUN-to-AC_TRY_LINK.patch | 56 -------------- .../change-AC_TRY_RUN-to-AC_TRY_LINK.patch | 56 ++++++++++++++ meta-oe/recipes-devtools/php/php_5.6.12.bb | 9 --- meta-oe/recipes-devtools/php/php_5.6.16.bb | 5 ++ 7 files changed, 61 insertions(+), 269 deletions(-) delete mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch delete mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7804.patch delete mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch delete mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/change-AC_TRY_RUN-to-AC_TRY_LINK.patch create mode 100644 meta-oe/recipes-devtools/php/php-5.6.16/change-AC_TRY_RUN-to-AC_TRY_LINK.patch delete mode 100644 meta-oe/recipes-devtools/php/php_5.6.12.bb create mode 100644 meta-oe/recipes-devtools/php/php_5.6.16.bb diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch deleted file mode 100644 index 223b9958b6..0000000000 --- a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7803.patch +++ /dev/null @@ -1,85 +0,0 @@ -From d698f0ae51f67c9cce870b09c59df3d6ba959244 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 28 Sep 2015 15:51:59 -0700 -Subject: [PATCH] Fix bug #69720: Null pointer dereference in - phar_get_fp_offset() - -Upstream-Status: Backport - -https://git.php.net/?p=php-src.git;a=patch;h=d698f0ae51f67c9cce870b09c59df3d6ba959244 - -excluded the binary part of the test - -CVE: CVE-2015-7803 -Signed-off-by: Armin Kuster - ---- - ext/phar/tests/bug69720.phar | Bin 0 -> 8192 bytes - ext/phar/tests/bug69720.phpt | 40 ++++++++++++++++++++++++++++++++++++++++ - ext/phar/util.c | 6 +++++- - 3 files changed, 45 insertions(+), 1 deletion(-) - create mode 100644 ext/phar/tests/bug69720.phar - create mode 100644 ext/phar/tests/bug69720.phpt - -Index: php-5.6.12/ext/phar/tests/bug69720.phpt -=================================================================== ---- /dev/null -+++ php-5.6.12/ext/phar/tests/bug69720.phpt -@@ -0,0 +1,40 @@ -+--TEST-- -+Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset() -+--SKIPIF-- -+ -+--FILE-- -+getMetadata(); -+ foreach (new RecursiveIteratorIterator($p) as $file) { -+ // $file is a PharFileInfo class, and inherits from SplFileInfo -+ $temp=""; -+ $temp= $file->getFileName() . "\n"; -+ $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents -+ var_dump($file->getMetadata()); -+ } -+} -+ catch (Exception $e) { -+ echo 'Could not open Phar: ', $e; -+} -+?> -+--EXPECTF-- -+ -+MY_METADATA_NULL -+ -+Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d -+array(1) { -+ ["whatever"]=> -+ int(123) -+} -+object(DateTime)#2 (3) { -+ ["date"]=> -+ string(26) "2000-01-01 00:00:00.000000" -+ ["timezone_type"]=> -+ int(3) -+ ["timezone"]=> -+ string(3) "UTC" -+} -Index: php-5.6.12/ext/phar/util.c -=================================================================== ---- php-5.6.12.orig/ext/phar/util.c -+++ php-5.6.12/ext/phar/util.c -@@ -494,7 +494,11 @@ really_get_entry: - (*ret)->is_tar = entry->is_tar; - (*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC); - if (entry->link) { -- (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC); -+ phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC); -+ if(!link) { -+ return FAILURE; -+ } -+ (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC); - } else { - (*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC); - } diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7804.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7804.patch deleted file mode 100644 index a159ac24d6..0000000000 --- a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2015-7804.patch +++ /dev/null @@ -1,64 +0,0 @@ -From e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 28 Sep 2015 17:12:35 -0700 -Subject: [PATCH] FIx bug #70433 - Uninitialized pointer in phar_make_dirstream - when zip entry filename is "/" - -Upstream-Status: Backport - -https://git.php.net/?p=php-src.git;a=patch;h=e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 - -excluded the zip part of the original patch. Hand applied dirstream change - -CVE: CVE-2015-7804 -Signed-off-by: Armin Kuster - ---- - ext/phar/dirstream.c | 2 +- - ext/phar/tests/bug70433.phpt | 23 +++++++++++++++++++++++ - ext/phar/tests/bug70433.zip | Bin 0 -> 264 bytes - 3 files changed, 24 insertions(+), 1 deletion(-) - create mode 100644 ext/phar/tests/bug70433.phpt - create mode 100755 ext/phar/tests/bug70433.zip - -Index: php-5.6.12/ext/phar/dirstream.c -=================================================================== ---- php-5.6.12.orig/ext/phar/dirstream.c -+++ php-5.6.12/ext/phar/dirstream.c -@@ -198,7 +198,7 @@ static php_stream *phar_make_dirstream(c - zend_hash_internal_pointer_reset(manifest); - - while (FAILURE != zend_hash_has_more_elements(manifest)) { -- if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { -+ if (HASH_KEY_IS_STRING != zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { - break; - } - -Index: php-5.6.12/ext/phar/tests/bug70433.phpt -=================================================================== ---- /dev/null -+++ php-5.6.12/ext/phar/tests/bug70433.phpt -@@ -0,0 +1,23 @@ -+--TEST-- -+Phar - bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/" -+--SKIPIF-- -+ -+--FILE-- -+getMetadata(); -+var_dump($meta); -+?> -+DONE -+--EXPECTF-- -+object(PharData)#1 (3) { -+ ["pathName":"SplFileInfo":private]=> -+ string(0) "" -+ ["glob":"DirectoryIterator":private]=> -+ bool(false) -+ ["subPathName":"RecursiveDirectoryIterator":private]=> -+ string(0) "" -+} -+NULL -+DONE diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch deleted file mode 100644 index a7c35fe439..0000000000 --- a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 4b8394dd78571826ac66a69dc240c623f31d78f8 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 7 Dec 2015 23:30:49 -0800 -Subject: [PATCH] Fix bug #70976: fix boundary check on - gdImageRotateInterpolated - -Upstream-Status: Backport - -https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8 - -CVE: CVE-2016-1903 -Signed-off-by: Armin Kuster - ---- - ext/gd/libgd/gd_interpolation.c | 2 +- - ext/gd/tests/bug70976.phpt | 13 +++++++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) - create mode 100644 ext/gd/tests/bug70976.phpt - -diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c -index f70169d..0f874ac 100644 ---- a/ext/gd/libgd/gd_interpolation.c -+++ b/ext/gd/libgd/gd_interpolation.c -@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in - { - const int angle_rounded = (int)floor(angle * 100); - -- if (bgcolor < 0) { -+ if (bgcolor < 0 || bgcolor >= gdMaxColors) { - return NULL; - } - -diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt -new file mode 100644 -index 0000000..23af4ee ---- /dev/null -+++ b/ext/gd/tests/bug70976.phpt -@@ -0,0 +1,13 @@ -+--TEST-- -+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds) -+--SKIPIF-- -+ -+--FILE-- -+ -+--EXPECTF-- -+bool(false) -\ No newline at end of file --- -2.3.5 - diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/change-AC_TRY_RUN-to-AC_TRY_LINK.patch b/meta-oe/recipes-devtools/php/php-5.6.12/change-AC_TRY_RUN-to-AC_TRY_LINK.patch deleted file mode 100644 index 39c334f39d..0000000000 --- a/meta-oe/recipes-devtools/php/php-5.6.12/change-AC_TRY_RUN-to-AC_TRY_LINK.patch +++ /dev/null @@ -1,56 +0,0 @@ -[PATCH] config.m4: change AC_TRY_RUN to AC_TRY_LINK - -Upstream-Status: Pending - -AC_TRY_RUN is not suitable for cross-compile - -Signed-off-by: Roy Li ---- - ext/fileinfo/config.m4 | 31 ++++++------------------------- - 1 file changed, 6 insertions(+), 25 deletions(-) - -diff --git a/ext/fileinfo/config.m4 b/ext/fileinfo/config.m4 -index 7e98d62..8a8ea0e 100644 ---- a/ext/fileinfo/config.m4 -+++ b/ext/fileinfo/config.m4 -@@ -14,31 +14,12 @@ if test "$PHP_FILEINFO" != "no"; then - libmagic/readcdf.c libmagic/softmagic.c" - - AC_MSG_CHECKING([for strcasestr]) -- AC_TRY_RUN([ --#include --#include --#include -- --int main(void) --{ -- char *s0, *s1, *ret; -- -- s0 = (char *) malloc(42); -- s1 = (char *) malloc(8); -- -- memset(s0, 'X', 42); -- s0[24] = 'Y'; -- s0[26] = 'Z'; -- s0[41] = '\0'; -- memset(s1, 'x', 8); -- s1[0] = 'y'; -- s1[2] = 'Z'; -- s1[7] = '\0'; -- -- ret = strcasestr(s0, s1); -- -- return !(NULL != ret); --} -+ AC_TRY_COMPILE([ -+ #include -+ #include -+ #include -+ ],[ -+ strcasestr(NULL, NULL); - ],[ - dnl using the platform implementation - AC_MSG_RESULT(yes) --- -1.9.1 - diff --git a/meta-oe/recipes-devtools/php/php-5.6.16/change-AC_TRY_RUN-to-AC_TRY_LINK.patch b/meta-oe/recipes-devtools/php/php-5.6.16/change-AC_TRY_RUN-to-AC_TRY_LINK.patch new file mode 100644 index 0000000000..39c334f39d --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-5.6.16/change-AC_TRY_RUN-to-AC_TRY_LINK.patch @@ -0,0 +1,56 @@ +[PATCH] config.m4: change AC_TRY_RUN to AC_TRY_LINK + +Upstream-Status: Pending + +AC_TRY_RUN is not suitable for cross-compile + +Signed-off-by: Roy Li +--- + ext/fileinfo/config.m4 | 31 ++++++------------------------- + 1 file changed, 6 insertions(+), 25 deletions(-) + +diff --git a/ext/fileinfo/config.m4 b/ext/fileinfo/config.m4 +index 7e98d62..8a8ea0e 100644 +--- a/ext/fileinfo/config.m4 ++++ b/ext/fileinfo/config.m4 +@@ -14,31 +14,12 @@ if test "$PHP_FILEINFO" != "no"; then + libmagic/readcdf.c libmagic/softmagic.c" + + AC_MSG_CHECKING([for strcasestr]) +- AC_TRY_RUN([ +-#include +-#include +-#include +- +-int main(void) +-{ +- char *s0, *s1, *ret; +- +- s0 = (char *) malloc(42); +- s1 = (char *) malloc(8); +- +- memset(s0, 'X', 42); +- s0[24] = 'Y'; +- s0[26] = 'Z'; +- s0[41] = '\0'; +- memset(s1, 'x', 8); +- s1[0] = 'y'; +- s1[2] = 'Z'; +- s1[7] = '\0'; +- +- ret = strcasestr(s0, s1); +- +- return !(NULL != ret); +-} ++ AC_TRY_COMPILE([ ++ #include ++ #include ++ #include ++ ],[ ++ strcasestr(NULL, NULL); + ],[ + dnl using the platform implementation + AC_MSG_RESULT(yes) +-- +1.9.1 + diff --git a/meta-oe/recipes-devtools/php/php_5.6.12.bb b/meta-oe/recipes-devtools/php/php_5.6.12.bb deleted file mode 100644 index bd9a5b601c..0000000000 --- a/meta-oe/recipes-devtools/php/php_5.6.12.bb +++ /dev/null @@ -1,9 +0,0 @@ -require php.inc - -SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \ - file://CVE-2015-7803.patch \ - file://CVE-2015-7804.patch \ - file://CVE-2016-1903.patch \ -" -SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b" -SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a" diff --git a/meta-oe/recipes-devtools/php/php_5.6.16.bb b/meta-oe/recipes-devtools/php/php_5.6.16.bb new file mode 100644 index 0000000000..822c0907c8 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php_5.6.16.bb @@ -0,0 +1,5 @@ +require php.inc + +SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch" +SRC_URI[md5sum] = "765b164b89af1f03ae2fdf39a4e4e1df" +SRC_URI[sha256sum] = "4fe6f40964c1bfaba05fc144ba20a2cdad33e11685f4f101ea5a48b98bbcd2ae" -- cgit 1.2.3-korg