Hello community,
here is the log from the commit of package php5
checked in at Tue Apr 18 16:11:07 CEST 2006.
--------
--- php5/php5.changes 2006-03-27 17:39:47.000000000 +0200
+++ STABLE/php5/php5.changes 2006-04-12 16:54:30.000000000 +0200
@@ -1,0 +2,10 @@
+Wed Apr 12 15:24:24 CEST 2006 - postadal@suse.cz
+
+- fixed security problem in copy() and tempname()
+ [#164845] (CVE-2006-1494-1608.patch)
+- fixed phpinfo() XSS [#164804] (CVE-2006-0996.patch)
+- fixed memory leak in html_entity_decode [#161718] (CVE-2006-1490.patch)
+- fixed multiple imap safemode and open_basedir restriction bypass
+ [#154317] (CVE-2006-1017.patch)
+
+-------------------------------------------------------------------
New:
----
php-5.1.2-CVE-2006-0996.patch
php-5.1.2-CVE-2006-1017.patch
php-5.1.2-CVE-2006-1490.patch
php-5.1.2-CVE-2006-1494-1608.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ php5.spec ++++++
--- /var/tmp/diff_new_pack.5YS5Xm/_old 2006-04-18 16:09:37.000000000 +0200
+++ /var/tmp/diff_new_pack.5YS5Xm/_new 2006-04-18 16:09:37.000000000 +0200
@@ -30,7 +30,7 @@
###
###
Version: 5.1.2
-Release: 18
+Release: 21
License: Other uncritical OpenSource License, Other License(s), see package
Group: Productivity/Networking/Web/Servers
Provides: php zend php-xml php-spl php-simplexml php-session php-pcre
@@ -82,6 +82,10 @@
Patch43: php-%{version}-phpbug-36420.patch
Patch44: php-%{version}-mysqli-64bit.patch
Patch45: php-%{version}-ftp_fopen_wrapper.patch
+Patch46: php-%{version}-CVE-2006-1494-1608.patch
+Patch47: php-%{version}-CVE-2006-0996.patch
+Patch48: php-%{version}-CVE-2006-1490.patch
+Patch49: php-%{version}-CVE-2006-1017.patch
URL: http://www.php.net
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Icon: php5.xpm
@@ -1457,6 +1461,10 @@
%patch43
%patch44
%patch45
+%patch46
+%patch47
+%patch48
+%patch49
# we build three SAPI
mkdir -p build-apache2
mkdir -p build-fastcgi/sapi/cgi/libfcgi
@@ -1995,6 +2003,13 @@
%config(noreplace) %{php_sysconf}/conf.d/zlib.ini
%changelog -n php5
+* Wed Apr 12 2006 - postadal@suse.cz
+- fixed security problem in copy() and tempname()
+ [#164845] (CVE-2006-1494-1608.patch)
+- fixed phpinfo() XSS [#164804] (CVE-2006-0996.patch)
+- fixed memory leak in html_entity_decode [#161718] (CVE-2006-1490.patch)
+- fixed multiple imap safemode and open_basedir restriction bypass
+ [#154317] (CVE-2006-1017.patch)
* Mon Mar 27 2006 - postadal@suse.cz
- fixed buffer overrun in ftp_fopen_wrapper (ftp_fopen_wrapper.patch)
* Tue Mar 14 2006 - postadal@suse.cz
++++++ php-5.1.2-CVE-2006-0996.patch ++++++
--- ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7
+++ ext/standard/info.c 2006/03/31 11:11:12 1.249.2.10
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: info.c,v 1.249.2.7 2006/01/01 12:50:15 sniper Exp $ */
+/* $Id: info.c,v 1.249.2.10 2006/03/31 11:11:12 tony2001 Exp $ */
#include "php.h"
#include "php_ini.h"
@@ -58,6 +58,23 @@
PHPAPI extern char *php_ini_opened_path;
PHPAPI extern char *php_ini_scanned_files;
+
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+ int new_len, written;
+ char *elem_esc;
+
+ TSRMLS_FETCH();
+
+ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+ efree(elem_esc);
+
+ return written;
+}
+
/* {{{ _display_module_info
*/
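Review bot: php_info_write_wrapper returns the byte count reported by php_body_write for the escaped string, not the number of input bytes consumed, so any caller that compares the result with `str_length` would misjudge the write whenever the input contains characters that expand to entities. Whether zend_print_zval_ex looks at the return value is not visible in this hunk, so this may be harmless in practice. The function should say so in a header comment, for example `/* zend_write_func_t adapter for phpinfo(): HTML-escapes str with ENT_QUOTES before writing it; returns escaped bytes written */`. The `(char *)str` cast drops const and is only safe as long as php_escape_html_entities never modifies its input.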
@@ -135,30 +152,13 @@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
- zval *tmp3;
-
- MAKE_STD_ZVAL(tmp3);
-
if (!sapi_module.phpinfo_as_text) {
PUTS("<pre>");
- }
- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-
- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
-
- php_ob_get_buffer(tmp3 TSRMLS_CC);
- php_end_ob_buffer(0, 0 TSRMLS_CC);
-
- if (!sapi_module.phpinfo_as_text) {
- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
- PUTS(elem_esc);
- efree(elem_esc);
+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
PUTS("</pre>");
} else {
- PUTS(Z_STRVAL_P(tmp3));
+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
}
- zval_ptr_dtor(&tmp3);
-
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
tmp2 = **tmp;
zval_copy_ctor(&tmp2);
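Review bot: The HTML branch now prints the array with `zend_print_zval_ex` while the text branch keeps `zend_print_zval_r`, so the two output modes may no longer show the same thing for an array value. If zend_print_zval_ex stringifies its argument instead of recursing (its body is not visible here), HTML-mode phpinfo() would show a placeholder instead of the array contents. A recursive printer that takes a write callback would keep both the escaping and the old output, e.g. `zend_print_zval_r_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0 TSRMLS_CC);` if this tree provides it. The `(zend_write_func_t)` cast would also hide any signature mismatch, so the wrapper's prototype should match the typedef exactly and the cast be dropped. The enclosing function starts and ends outside the hunk.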
++++++ php-5.1.2-CVE-2006-1017.patch ++++++
--- ext/imap/php_imap.c 2006/01/05 00:47:16 1.208.2.4
+++ ext/imap/php_imap.c 2006/01/28 08:07:20 1.208.2.7
@@ -26,7 +26,7 @@
| PHP 4.0 updates: Zeev Suraski |
+----------------------------------------------------------------------+
*/
-/* $Id: php_imap.c,v 1.208.2.4 2006/01/05 00:47:16 iliaa Exp $ */
+/* $Id: php_imap.c,v 1.208.2.7 2006/01/28 08:07:20 mike Exp $ */
#define IMAP41
@@ -36,6 +36,7 @@
#include "php.h"
#include "php_ini.h"
+#include "php_streams.h"
#include "ext/standard/php_string.h"
#include "ext/standard/info.h"
#include "ext/standard/file.h"
@@ -67,6 +68,9 @@
static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC);
static int _php_imap_address_size(ADDRESS *addresslist);
+/* the gets we use */
+static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md);
+
/* These function declarations are missing from the IMAP header files... */
void rfc822_date(char *date);
char *cpystr(const char *str);
@@ -93,6 +97,7 @@
PHP_FE(imap_body, NULL)
PHP_FE(imap_bodystruct, NULL)
PHP_FE(imap_fetchbody, NULL)
+ PHP_FE(imap_savebody, NULL)
PHP_FE(imap_fetchheader, NULL)
PHP_FE(imap_fetchstructure, NULL)
PHP_FE(imap_expunge, NULL)
@@ -418,6 +423,7 @@
imap_globals->quota_return = NIL;
imap_globals->imap_acl_list = NIL;
#endif
+ imap_globals->gets_stream = NIL;
}
/* }}} */
@@ -460,6 +466,9 @@
/* lets allow NIL */
REGISTER_LONG_CONSTANT("NIL", NIL, CONST_PERSISTENT | CONST_CS);
+ /* plug in our gets */
+ mail_parameters(NIL, SET_GETS, (void *) php_mail_gets);
+
/* set default timeout values */
mail_parameters(NIL, SET_OPENTIMEOUT, (void *) FG(default_socket_timeout));
mail_parameters(NIL, SET_READTIMEOUT, (void *) FG(default_socket_timeout));
@@ -650,6 +659,7 @@
{
IMAPG(imap_errorstack) = NIL;
IMAPG(imap_alertstack) = NIL;
+ IMAPG(gets_stream) = NIL;
return SUCCESS;
}
/* }}} */
@@ -1845,6 +1855,57 @@
/* }}} */
+/* {{{ proto bool imap_savebody(resource stream_id, string|resource file, int msg_no[, string section = ""[, int options = 0]])
+ Save a specific body section to a file */
+PHP_FUNCTION(imap_savebody)
+{
+ zval *stream, *out;
+ pils *imap_ptr = NULL;
+ php_stream *writer = NULL;
+ char *section = "";
+ int section_len = 0, close_stream = 1;
+ long msgno, flags = 0;
+
+ if (SUCCESS != zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rzl|sl", &stream, &out, &msgno, §ion, §ion_len, &flags)) {
+ RETURN_FALSE;
+ }
+
+ ZEND_FETCH_RESOURCE(imap_ptr, pils *, &stream, -1, "imap", le_imap);
+
+ if (!imap_ptr) {
+ RETURN_FALSE;
+ }
+
+ switch (Z_TYPE_P(out))
+ {
+ case IS_LONG:
+ case IS_RESOURCE:
+ close_stream = 0;
+ php_stream_from_zval(writer, &out);
+ break;
+
+ default:
+ convert_to_string_ex(&out);
+ writer = php_stream_open_wrapper(Z_STRVAL_P(out), "wb", REPORT_ERRORS|ENFORCE_SAFE_MODE, NULL);
+ break;
+ }
+
+ if (!writer) {
+ RETURN_FALSE;
+ }
+
+ IMAPG(gets_stream) = writer;
+ mail_fetchbody_full(imap_ptr->imap_stream, msgno, section, NULL, flags);
+ IMAPG(gets_stream) = NULL;
+
+ if (close_stream) {
+ php_stream_close(writer);
+ }
+
+ RETURN_TRUE;
+}
+/* }}} */
+
/* {{{ proto string imap_base64(string text)
Decode BASE64 encoded text */
PHP_FUNCTION(imap_base64)
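Review bot: `RETURN_TRUE` at the end of imap_savebody is reached unconditionally, so the function reports success even when the fetch failed or the gets hook stopped early after a failed read or write, which leaves a truncated file behind. The result of `mail_fetchbody_full` is discarded and nothing in this hunk carries an error back from the hook. One way to close this is a per-request failure flag next to `gets_stream` (a new field, name to be chosen) that the hook sets on error and that is tested here with `if (failed) { RETURN_FALSE; }` before `RETURN_TRUE`. The `IS_LONG` label is also handed to `php_stream_from_zval`, which presumably rejects a non-resource value, so that case looks redundant and is worth confirming.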
@@ -4143,6 +4204,52 @@
RETURN_TRUE;
} else {
RETURN_FALSE;
+ }
+}
+/* }}} */
+
+#define GETS_FETCH_SIZE 8196LU
+/* {{{ php_mail_gets */
+static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md)
+{
+ TSRMLS_FETCH();
+
+ /* write to the gets stream if it is set,
+ otherwise forward to c-clients gets */
+ if (IMAPG(gets_stream)) {
+ char buf[GETS_FETCH_SIZE];
+
+ while (size) {
+ unsigned long read;
+
+ if (size > GETS_FETCH_SIZE) {
+ read = GETS_FETCH_SIZE;
+ size -=GETS_FETCH_SIZE;
+ } else {
+ read = size;
+ size = 0;
+ }
+
+ if (!f(stream, read, buf)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to read from socket");
+ break;
+ } else if (read != php_stream_write(IMAPG(gets_stream), buf, read)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to write to stream");
+ break;
+ }
+ }
+ return NULL;
+ } else {
+ char *buf = malloc(size + 1);
+
+ if (f(stream, size, buf)) {
+ buf[size] = '\0';
+ } else {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to read from socket");
+ free(buf);
+ buf = NULL;
+ }
+ return buf;
}
}
/* }}} */
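Review bot: In the fallback branch of php_mail_gets the result of `malloc(size + 1)` is used without a NULL check, and `size` is whatever length the c-client layer passes in, which for a mail fetch is presumably derived from server-supplied data. A failed allocation makes `f(stream, size, buf)` write through a NULL pointer, and `size + 1` wraps to 0 when size is ULONG_MAX. Add `if (!buf) { return NULL; }` directly after the allocation and reject `size == ULONG_MAX` before it. In the streaming branch a read or write failure breaks out with the remaining bytes unconsumed; whether c-client recovers from that is not visible here and deserves a comment.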
--- ext/imap/php_imap.h 2006/01/01 12:50:08 1.32.2.1
+++ ext/imap/php_imap.h 2006/01/27 19:46:11 1.32.2.2
@@ -27,7 +27,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php_imap.h,v 1.32.2.1 2006/01/01 12:50:08 sniper Exp $ */
+/* $Id: php_imap.h,v 1.32.2.2 2006/01/27 19:46:11 mike Exp $ */
#ifndef PHP_IMAP_H
#define PHP_IMAP_H
@@ -114,6 +114,7 @@
PHP_FUNCTION(imap_body);
PHP_FUNCTION(imap_fetchstructure);
PHP_FUNCTION(imap_fetchbody);
+PHP_FUNCTION(imap_savebody);
PHP_FUNCTION(imap_expunge);
PHP_FUNCTION(imap_delete);
PHP_FUNCTION(imap_undelete);
@@ -205,6 +206,8 @@
zval **quota_return;
zval *imap_acl_list;
#endif
+ /* php_stream for php_mail_gets() */
+ php_stream *gets_stream;
ZEND_END_MODULE_GLOBALS(imap)
#ifdef ZTS
++++++ php-5.1.2-CVE-2006-1490.patch ++++++
--- ext/standard/html.c 2006/01/01 12:50:14 1.111.2.1
+++ ext/standard/html.c 2006/02/25 21:32:11 1.111.2.2
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: html.c,v 1.111.2.1 2006/01/01 12:50:14 sniper Exp $ */
+/* $Id: html.c,v 1.111.2.2 2006/02/25 21:32:11 rasmus Exp $ */
/*
* HTML entity resources:
@@ -884,7 +884,7 @@
unsigned char replacement[15];
int replacement_len;
- ret = estrdup(old);
+ ret = estrndup(old, oldlen);
retlen = oldlen;
if (!retlen) {
goto empty_source;
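Review bot: The switch to `estrndup(old, oldlen)` has no comment explaining why the length-bounded copy matters, and the reason is easy to lose in a later cleanup. With the old `estrdup` a NUL byte inside the input made the copy shorter than `oldlen`, while `retlen = oldlen` on the next line still described the longer length, so later code could read past the allocation. I would add `/* binary-safe copy: old may contain NUL bytes and retlen below assumes oldlen bytes were copied */` above the call. The function continues outside the hunk, so it is not visible whether the remaining loop still uses NUL-terminated string functions on `ret`; that should be checked as part of this fix.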
++++++ php-5.1.2-CVE-2006-1494-1608.patch ++++++
--- ext/standard/file.c 2006/01/01 12:50:14 1.409.2.3
+++ ext/standard/file.c 2006/04/06 02:39:55 1.409.2.6
@@ -21,7 +21,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: file.c,v 1.409.2.3 2006/01/01 12:50:14 sniper Exp $ */
+/* $Id: file.c,v 1.409.2.6 2006/04/06 02:39:55 iliaa Exp $ */
/* Synced with php 3.0 revision 1.218 1999-06-16 [ssb] */
@@ -773,8 +773,9 @@
zval **arg1, **arg2;
char *d;
char *opened_path;
- char p[64];
+ char *p;
int fd;
+ size_t p_len;
if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
WRONG_PARAM_COUNT;
@@ -787,7 +788,11 @@
}
d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
- strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
+
+ php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
+ if (p_len > 64) {
+ p[63] = '\0';
+ }
if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
close(fd);
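Review bot: The truncation test `if (p_len > 64)` is off by one against the cut it performs: a prefix of exactly 64 characters passes untouched, while 65 characters is cut to 63. The removed `strlcpy(p, ..., sizeof(p))` with `char p[64]` capped every prefix at 63 characters, so the bound should be `if (p_len > 63) { p[63] = '\0'; }`. This is not a memory-safety problem, since `p` is allocated by php_basename rather than a fixed buffer, but the limit is now inconsistent. A short comment that php_basename is there to strip directory components from the caller-supplied prefix would also help. The function body starts and ends outside the hunk.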
@@ -795,6 +800,7 @@
} else {
RETVAL_FALSE;
}
+ efree(p);
efree(d);
}
/* }}} */
@@ -1355,10 +1361,10 @@
/* {{{ proto int mkdir(char *dir int mode)
*/
-PHPAPI int php_mkdir(char *dir, long mode TSRMLS_DC)
+PHPAPI int php_mkdir_ex(char *dir, long mode, int options TSRMLS_DC)
{
int ret;
-
+
if (PG(safe_mode) && (!php_checkuid(dir, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
return -1;
}
@@ -1367,11 +1373,16 @@
return -1;
}
- if ((ret = VCWD_MKDIR(dir, (mode_t)mode)) < 0) {
+ if ((ret = VCWD_MKDIR(dir, (mode_t)mode)) < 0 && (options & REPORT_ERRORS)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", strerror(errno));
}
- return ret;
+ return ret;
+}
+
+PHPAPI int php_mkdir(char *dir, long mode TSRMLS_DC)
+{
+ return php_mkdir_ex(dir, mode, REPORT_ERRORS TSRMLS_CC);
}
/* }}} */
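Review bot: The new `options` parameter of php_mkdir_ex is undocumented, and the existing `proto int mkdir(char *dir int mode)` comment from the previous hunk now sits above php_mkdir_ex instead of the function it describes. Only the `REPORT_ERRORS` bit is consulted, and only for the `VCWD_MKDIR` failure; the safe_mode and open_basedir checks above it still run, and presumably still warn, regardless of `options`. I would add a comment such as `/* options: REPORT_ERRORS emits a warning when mkdir itself fails; access checks are always enforced */` so that callers passing 0 do not assume they get a fully silent or unchecked call. The wrapper php_mkdir keeps the old behaviour by passing `REPORT_ERRORS`.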
@@ -1756,7 +1767,7 @@
}
safe_to_copy:
- srcstream = php_stream_open_wrapper(src, "rb", STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS, NULL);
+ srcstream = php_stream_open_wrapper(src, "rb", ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
if (!srcstream) {
return ret;
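Review bot: The flag change on the source open in copy() is the whole security fix and carries no comment, so a later edit could reintroduce `STREAM_DISABLE_OPEN_BASEDIR` without noticing. As written the fix relies on the stream layer applying open_basedir by default once the disable flag is gone, with `ENFORCE_SAFE_MODE` adding the safe_mode check; that default is not visible in this hunk and should be confirmed. I would add `/* source must pass open_basedir and safe_mode: do not use STREAM_DISABLE_OPEN_BASEDIR here */` above the call. The code before the `safe_to_copy:` label and the destination open are outside the hunk, so check that the destination stream is opened with the same enforcement.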
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++