Hello community,
here is the log from the commit of package php5 for openSUSE:11.4
checked in at Thu Jan 5 16:25:50 CET 2012.
--------
--- old-versions/11.4/UPDATES/all/php5/php5.changes 2011-09-05 17:22:49.000000000 +0200
+++ 11.4/php5/php5.changes 2012-01-02 15:44:44.000000000 +0100
@@ -1,0 +2,21 @@
+Mon Jan 2 14:33:06 UTC 2012 - pgajdos@suse.com
+
+- security update:
+ * CVE-2011-4885 [bnc#738221] -- added max_input_vars directive
+ to prevent attacks based on hash collisions
+
+-------------------------------------------------------------------
+Tue Dec 20 14:53:08 UTC 2011 - pgajdos@suse.com
+
+- apache module conflicts with apache2-worker [bnc#728671]
+
+-------------------------------------------------------------------
+Fri Dec 9 11:37:06 UTC 2011 - pgajdos@suse.com
+
+- security update:
+ * CVE-2011-4566 [bnc#733590]
+ * CVE-2011-3182 [bnc#713652]
+ * CVE-2011-1466 [bnc#736169]
+ * CVE-2011-1072 [bnc#735613]
+
+-------------------------------------------------------------------
calling whatdependson for 11.4-i586
New:
----
php-5.3.5-CVE-2011-1466.patch
php-5.3.5-CVE-2011-3182.patch
php-5.3.5-CVE-2011-4566.patch
php-5.3.5-CVE-2011-4885.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ php5.spec ++++++
--- /var/tmp/diff_new_pack.07uwzj/_old 2012-01-05 16:16:34.000000000 +0100
+++ /var/tmp/diff_new_pack.07uwzj/_new 2012-01-05 16:16:34.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package php5
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -77,7 +77,7 @@
###
###
Version: 5.3.5
-Release: 5.<RELEASE16>
+Release: 5.<RELEASE18>
License: The PHP License, version 3.01
Group: Development/Languages/Other
Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter
@@ -136,6 +136,10 @@
Patch44: php-5.3.5-CVE-2011-3267.patch
Patch45: php-5.3.5-CVE-2011-3268.patch
Patch46: php-5.3.5-64-bit-post-large-files.patch
+Patch47: php-5.3.5-CVE-2011-4566.patch
+Patch48: php-5.3.5-CVE-2011-3182.patch
+Patch49: php-5.3.5-CVE-2011-1466.patch
+Patch50: php-5.3.5-CVE-2011-4885.patch
Url: http://www.php.net
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Summary: PHP5 Core Files
@@ -220,6 +224,7 @@
Requires: apache2-prefork %{apache2_mmn} %{name} = %{version}
PreReq: apache2
Conflicts: apache2-mod_php4
+Conflicts: apache2-worker
Provides: mod_php_any php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter
%description -n apache2-mod_php5
@@ -1265,6 +1270,10 @@
%patch44
%patch45
%patch46 -p1
+%patch47
+%patch48
+%patch49
+%patch50
# we build three SAPI
%{__mkdir_p} build-apache2 build-fpm
++++++ install-pear-nozlib.phar ++++++
++++ 8646 lines (skipped)
++++ between install-pear-nozlib.phar
++++ and 11.4/php5/install-pear-nozlib.phar
++++++ php-5.3.5-CVE-2011-1466.patch ++++++
http://svn.php.net/viewvc/?view=revision&revision=306475
http://svn.php.net/viewvc/?view=revision&revision=317360
http://svn.php.net/viewvc/?view=revision&revision=317387
Index: ext/calendar/gregor.c
===================================================================
--- ext/calendar/gregor.c.orig
+++ ext/calendar/gregor.c
@@ -127,6 +127,7 @@
**************************************************************************/
#include "sdncal.h"
+#include
#define GREGOR_SDN_OFFSET 32045
#define DAYS_PER_5_MONTHS 153
@@ -146,21 +147,12 @@ void SdnToGregorian(
long int temp;
int dayOfYear;
- if (sdn <= 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
+ if (sdn <= 0 ||
+ sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) {
+ goto fail;
}
temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1;
- if (temp < 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
- }
-
/* Calculate the century (year/100). */
century = temp / DAYS_PER_400_YEARS;
@@ -190,6 +182,10 @@ void SdnToGregorian(
*pYear = year;
*pMonth = month;
*pDay = day;
+fail:
+ *pYear = 0;
+ *pMonth = 0;
+ *pDay = 0;
}
long int GregorianToSdn(
Index: ext/calendar/julian.c
===================================================================
--- ext/calendar/julian.c.orig
+++ ext/calendar/julian.c
@@ -146,6 +146,7 @@
**************************************************************************/
#include "sdncal.h"
+#include
#define JULIAN_SDN_OFFSET 32083
#define DAYS_PER_5_MONTHS 153
@@ -164,15 +165,22 @@ void SdnToJulian(
int dayOfYear;
if (sdn <= 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
+ goto fail;
}
- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
+ /* Check for overflow */
+ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) {
+ goto fail;
+ }
+ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1);
/* Calculate the year and day of year (1 <= dayOfYear <= 366). */
- year = temp / DAYS_PER_4_YEARS;
+ {
+ long yearl = temp / DAYS_PER_4_YEARS;
+ if (yearl > INT_MAX || yearl < INT_MIN) {
+ goto fail;
+ }
+ year = (int) yearl;
+ }
dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
/* Calculate the month and day of month. */
@@ -196,6 +204,12 @@ void SdnToJulian(
*pYear = year;
*pMonth = month;
*pDay = day;
+ return;
+
+fail:
+ *pYear = 0;
+ *pMonth = 0;
+ *pDay = 0;
}
long int JulianToSdn(
++++++ php-5.3.5-CVE-2011-3182.patch ++++++
http://svn.php.net/viewvc?view=revision&revision=313826
http://svn.php.net/viewvc?view=revision&revision=313827
http://svn.php.net/viewvc?view=revision&revision=313828
http://svn.php.net/viewvc?view=revision&revision=313830
http://svn.php.net/viewvc?view=revision&revision=313831
http://svn.php.net/viewvc?view=revision&revision=313832
http://svn.php.net/viewvc?view=revision&revision=313833
http://svn.php.net/viewvc?view=revision&revision=313835
http://svn.php.net/viewvc?view=revision&revision=313903
https://bugzilla.redhat.com/show_bug.cgi?id=732516
Index: ext/curl/interface.c
===================================================================
--- ext/curl/interface.c.orig
+++ ext/curl/interface.c
@@ -803,6 +803,9 @@ PHP_MINIT_FUNCTION(curl)
int i, c = CRYPTO_num_locks();
php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T));
+ if (!php_curl_openssl_tsl) {
+ return FAILURE;
+ }
for (i = 0; i < c; ++i) {
php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
Index: ext/com_dotnet/com_dotnet.c
===================================================================
--- ext/com_dotnet/com_dotnet.c.orig
+++ ext/com_dotnet/com_dotnet.c
@@ -129,6 +129,9 @@ static HRESULT dotnet_init(char **p_wher
char *where = "";
stuff = malloc(sizeof(*stuff));
+ if (!stuff) {
+ return S_FALSE;
+ }
memset(stuff, 0, sizeof(*stuff));
where = "CoCreateInstance";
Index: ext/pdo_odbc/pdo_odbc.c
===================================================================
--- ext/pdo_odbc/pdo_odbc.c.orig
+++ ext/pdo_odbc/pdo_odbc.c
@@ -98,6 +98,9 @@ PHP_MINIT_FUNCTION(pdo_odbc)
char *instance = INI_STR("pdo_odbc.db2_instance_name");
if (instance) {
char *env = malloc(sizeof("DB2INSTANCE=") + strlen(instance));
+ if (!env) {
+ return FAILURE;
+ }
strcpy(env, "DB2INSTANCE=");
strcat(env, instance);
putenv(env);
Index: ext/interbase/interbase.c
===================================================================
--- ext/interbase/interbase.c.orig
+++ ext/interbase/interbase.c
@@ -998,9 +998,12 @@ static void _php_ibase_connect(INTERNAL_
ZEND_REGISTER_RESOURCE(return_value, ib_link, le_link);
} else {
zend_rsrc_list_entry new_le;
-
+
ib_link = (ibase_db_link *) malloc(sizeof(ibase_db_link));
-
+ if (!ib_link) {
+ RETURN_FALSE;
+ }
+
/* hash it up */
Z_TYPE(new_le) = le_plink;
new_le.ptr = ib_link;
Index: ext/readline/readline.c
===================================================================
--- ext/readline/readline.c.orig
+++ ext/readline/readline.c
@@ -465,6 +465,9 @@ static char **_readline_completion_cb(co
matches = rl_completion_matches(text,_readline_command_generator);
} else {
matches = malloc(sizeof(char *) * 2);
+ if (!matches) {
+ return NULL;
+ }
matches[0] = strdup("");
matches[1] = '\0';
}
@@ -505,6 +508,10 @@ PHP_FUNCTION(readline_completion_functio
zval_copy_ctor(_readline_completion);
rl_attempted_completion_function = _readline_completion_cb;
+ if (rl_attempted_completion_function == NULL) {
+ efree(name);
+ RETURN_FALSE;
+ }
RETURN_TRUE;
}
Index: ext/standard/url_scanner_ex.re
===================================================================
--- ext/standard/url_scanner_ex.re.orig
+++ ext/standard/url_scanner_ex.re
@@ -55,9 +55,13 @@ static PHP_INI_MH(OnUpdateTags)
if (ctx->tags)
zend_hash_destroy(ctx->tags);
- else
+ else {
ctx->tags = malloc(sizeof(HashTable));
-
+ if (!ctx->tags) {
+ return FAILURE;
+ }
+ }
+
zend_hash_init(ctx->tags, 0, NULL, NULL, 1);
for (key = php_strtok_r(tmp, ",", &lasts);
Index: ext/sybase_ct/php_sybase_ct.c
===================================================================
--- ext/sybase_ct/php_sybase_ct.c.orig
+++ ext/sybase_ct/php_sybase_ct.c
@@ -777,6 +777,10 @@ static void php_sybase_do_connect(INTERN
}
sybase_ptr = (sybase_link *) malloc(sizeof(sybase_link));
+ if (!sybase_ptr) {
+ efree(hashed_details);
+ RETURN_FALSE;
+ }
if (!php_sybase_do_connect_internal(sybase_ptr, host, user, passwd, charset, appname TSRMLS_CC)) {
free(sybase_ptr);
efree(hashed_details);
Index: ext/mssql/php_mssql.c
===================================================================
--- ext/mssql/php_mssql.c.orig
+++ ext/mssql/php_mssql.c
@@ -685,6 +685,13 @@ static void php_mssql_do_connect(INTERNA
/* hash it up */
mssql_ptr = (mssql_link *) malloc(sizeof(mssql_link));
+ if (!mssql_ptr) {
+ efree(hashed_details);
+ dbfreelogin(mssql.login);
+ dbclose(mssql.link);
+ RETURN_FALSE;
+ }
+
memcpy(mssql_ptr, &mssql, sizeof(mssql_link));
Z_TYPE(new_le) = le_plink;
new_le.ptr = mssql_ptr;
++++++ php-5.3.5-CVE-2011-4566.patch ++++++
http://svn.php.net/viewvc/?view=revision&revision=319535
Index: ext/exif/exif.c
===================================================================
--- ext/exif/exif.c.orig
+++ ext/exif/exif.c
@@ -2868,11 +2868,11 @@ static int exif_process_IFD_TAG(image_in
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
/* If its bigger than 4 bytes, the dir entry contains an offset. */
value_ptr = offset_base+offset_val;
- if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
+ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
/* It is important to check for IMAGE_FILETYPE_TIFF
* JPEG does not use absolute pointers instead its pointers are
* relative to the start of the TIFF header in APP1 section. */
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
+ if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (value_ptr < dir_entry) {
/* we can read this if offset_val > 0 */
/* some files have their values in other parts of the file */
++++++ php-5.3.5-CVE-2011-4885.patch ++++++
http://svn.php.net/viewvc?view=revision&revision=321038
http://svn.php.net/viewvc?view=revision&revision=321040
Index: php.ini-development
===================================================================
--- php.ini-development.orig
+++ php.ini-development
@@ -453,6 +453,9 @@ max_input_time = 60
; http://php.net/max-input-nesting-level
;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 128M
Index: php.ini-production
===================================================================
--- php.ini-production.orig
+++ php.ini-production
@@ -453,6 +453,9 @@ max_input_time = 60
; http://php.net/max-input-nesting-level
;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 128M
Index: main/main.c
===================================================================
--- main/main.c.orig
+++ main/main.c
@@ -512,6 +512,7 @@ PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
Index: main/php_globals.h
===================================================================
--- main/php_globals.h.orig
+++ main/php_globals.h
@@ -170,6 +170,8 @@ struct _php_core_globals {
char *mail_log;
zend_bool in_error_log;
+
+ long max_input_vars;
};
Index: main/php_variables.c
===================================================================
--- main/php_variables.c.orig
+++ main/php_variables.c
@@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(cha
}
if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
@@ -236,6 +239,9 @@ plain_var:
zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
+ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
if (escaped_index != index) {
++++++ php-suse-addons.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/php-suse-addons/README.SUSE new/php-suse-addons/README.SUSE
--- old/php-suse-addons/README.SUSE 2005-02-09 15:40:33.000000000 +0100
+++ new/php-suse-addons/README.SUSE 2011-12-20 15:55:28.000000000 +0100
@@ -41,6 +41,7 @@
Enabling/disabling the PHP5 module for Apache
=============================================
+ - do not use PHP module with Apache Worker
- in /etc/sysconfig/apache2, add "php5" to APACHE_MODULES,
or remove it to disable
- possibly include /etc/apache2/conf.d/mod_php5.conf in individual virtual
continue with "q"...
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org