Hello community, here is the log from the commit of package php5 for openSUSE:Factory checked in at 2011-11-08 09:31:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/php5 (Old) and /work/SRC/openSUSE:Factory/.php5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "php5", Maintainer is "PGajdos@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/php5/php5.changes 2011-09-23 12:39:49.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.php5.new/php5.changes 2011-11-08 09:32:00.000000000 +0100
@@ -1,0 +2,6 @@
+Mon Nov 7 13:36:25 UTC 2011 - pgajdos@suse.com
+
+- security update:
+ CVE-2011-3379 [bnc#728350]
+
+-------------------------------------------------------------------
New:
----
php-5.3.8-CVE-2011-3379.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ php5.spec ++++++
--- /var/tmp/diff_new_pack.RtnuPS/_old 2011-11-08 09:32:02.000000000 +0100
+++ /var/tmp/diff_new_pack.RtnuPS/_new 2011-11-08 09:32:02.000000000 +0100
@@ -136,6 +136,7 @@
 %endif
 %endif
 Patch34: php5-2g-crash.patch
+Patch35: php-5.3.8-CVE-2011-3379.patch
 Url: http://www.php.net
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Summary: PHP5 Core Files
@@ -1244,6 +1245,7 @@
 %endif
 %endif
 %patch34
+%patch35
 # Safety check for API version change.
 vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h`
 if test "x${vapi}" != "x%{apiver}"; then
++++++ php-5.3.8-CVE-2011-3379.patch ++++++
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/Zend/zend_builtin_functions.c?r1=314527&r2=317183
--- Zend/zend_builtin_functions.c 2011/08/08 14:54:50 314527
+++ Zend/zend_builtin_functions.c 2011/09/23 09:52:09 317183
@@ -816,13 +816,19 @@
 int class_name_len;
 zend_class_entry *instance_ce;
 zend_class_entry **ce;
+ zend_bool allow_string = only_subclass;
 zend_bool retval;
 
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "zs", &obj, &class_name, &class_name_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "zs|b", &obj, &class_name, &class_name_len, &allow_string) == FAILURE) {
 return;
 }
-
- if (Z_TYPE_P(obj) == IS_STRING) {
+ /*
+ allow_string - is_a default is no, is_subclass_of is yes.
+ if it's allowed, then the autoloader will be called if the class does not exist.
+ default behaviour is different, as 'is_a' usage is normally to test mixed return values
+ */
+
+ if (allow_string && Z_TYPE_P(obj) == IS_STRING) {
 zend_class_entry **the_ce;
 if (zend_lookup_class(Z_STRVAL_P(obj), Z_STRLEN_P(obj), &the_ce TSRMLS_CC) == FAILURE) {
 RETURN_FALSE;
@@ -848,7 +854,7 @@
 }
 
 
-/* {{{ proto bool is_subclass_of(object object, string class_name)
+/* {{{ proto bool is_subclass_of(mixed object_or_string, string class_name [, bool allow_string=true])
 Returns true if the object has this class as one of its parents */
 ZEND_FUNCTION(is_subclass_of)
 {
@@ -857,8 +863,8 @@
 /* }}} */
 
 
-/* {{{ proto bool is_a(object object, string class_name)
- Returns true if the object is of this class or has this class as one of its parents */
+/* {{{ proto bool is_a(mixed object_or_string, string class_name [, bool allow_string=false])
+ Returns true if the first argument is an object and is this class or has this class as one of its parents, */
 ZEND_FUNCTION(is_a)
 {
 is_a_impl(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0);
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
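Review bot: The new `allow_string` guard in the `@@ -816,13 +816,19 @@` hunk is initialised from `only_subclass`, so it still defaults to true for `is_subclass_of()`; a string first argument there keeps reaching `zend_lookup_class()` and, as the added comment itself says, the autoloader. Only `is_a()` stops doing so by default, which means callers that hand request-derived strings to `is_subclass_of()`, or that opt in with `is_a($x, $class, true)`, still depend on their autoload handler rejecting unexpected class names. The added comment gives "mixed return values" as the reason and never names that side effect; I would reword it along the lines of `/* a string first argument is looked up as a class name and may invoke the autoloader; is_a() therefore ignores strings unless allow_string is passed */`. The branch taken when `allow_string` is false and the argument is a string lies outside the hunk, so it is worth confirming that it returns false without any class lookup.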
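Review bot: The rewritten `is_a` prototype comment in the `@@ -857,8 +863,8 @@` hunk ends on a dangling comma (`... one of its parents, */`) and never says what `allow_string` does. The `is_subclass_of` comment in the `@@ -848,7 +854,7 @@` hunk has the same gap: its description still speaks only of "the object" although the prototype now reads `mixed object_or_string`. Because the third parameter decides whether a string argument is resolved as a class name, both descriptions should state it, for `is_a` e.g. `Returns true if the first argument is an object of this class or has it as a parent; a string first argument is only looked up as a class name when allow_string is true`.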