Hello community, here is the log from the commit of package php5 checked in at Mon Nov 12 22:05:43 CET 2007.
--------
--- php5/php5.changes 2007-08-30 03:54:12.000000000 +0200
+++ /mounts/work_src_done/STABLE/php5/php5.changes 2007-11-12 22:04:16.630097000 +0100
@@ -1,0 +2,70 @@
+Mon Nov 12 06:40:39 CET 2007 - crrodriguez@suse.de
+
+- update to PHP 5.2.5
+ * Fixed dl() to only accept filenames. reported by Laurent Gaffie.
+ * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887).
+ * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences.
+ * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
+ * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason.
+ * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
+ * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).
+ * Upgraded PCRE to version 7.3 (Nuno)
+ * Added optional parameter $provide_object to debug_backtrace(). (Sebastian)
+ * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre)
+ * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry)
+ * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry)
+ * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov)
+ * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf)
+ * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia)
+ * Fixed PDO crash when driver returns empty LOB stream. (Stas)
+ * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas)
+ * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey)
+ * Fixed leaks with multiple connects on one mysqli object. (Andrey)
+ * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre)
+ * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani)
+ * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia)
+ * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani)
+ * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia)
+ * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia)
+ * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott)
+ * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia)
+ * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia)
+ * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey)
+ * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry)
+ * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia)
+ * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia)
+ * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia)
+ * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry)
+ * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry)
+ * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia)
+ * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia)
+ * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus)
+ * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry)
+ * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus)
+ * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia)
+ * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran)
+ * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org)
+ * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia)
+ * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia)
+ * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry)
+ * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani)
+ * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott)
+ * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry)
+ * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick)
+ * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia)
+ * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob)
+ * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry)
+ * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes)
+ * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia)
+ * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry)
+ * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey)
+ * Fixed bug #42359 (xsd:list type not parsed). (Dmitry)
+ * Fixed bug #42326 (SoapServer crash). (Dmitry)
+ * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry)
+ * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia)
+ * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob)
+ * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry)
+ * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani)
+ * Fixed bug #39651 (proc_open() append mode doesn't work on windows).
(Nuno) + +------------------------------------------------------------------- Old: ---- php-5.2.4.tar.bz2 suhosin-patch-5.2.4-0.9.6.2.patch New: ---- php-5.2.5.tar.bz2 suhosin-patch-5.2.5-0.9.6.2.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.ps2190/_old 2007-11-12 22:04:42.000000000 +0100 +++ /var/tmp/diff_new_pack.ps2190/_new 2007-11-12 22:04:42.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package php5 (Version 5.2.4) +# spec file for package php5 (Version 5.2.5) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -68,13 +68,13 @@ %define apache2_serverroot %(%{apxs2} -q PREFIX) ### ### -Version: 5.2.4 +Version: 5.2.5 Release: 1 License: The PHP License, version 3.01 Group: Development/Languages/Other Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter Provides: php-dbx php-dio php-fam php-filepro php-yp -Autoreqprov: on +AutoReqProv: on PreReq: update-alternatives #extensions that are no longer here Obsoletes: php-dbx php-dio php-fam php-filepro php-yp @@ -98,7 +98,7 @@ # compiler warnings Patch9: php5-warnings.patch #please use patch30 and up for security fixes -URL: http://www.php.net +Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -1402,7 +1402,7 @@ # fix deadlock %{__cp} %{S:5} %{buildroot}/%{peardir}/PEAR # reminder: Will be removed when upstream fixes deadlock in pear -test %version = 5.2.4 +test %version = 5.2.5 # for pear XML files %{__install} -d -m 0755 %{buildroot}/var/lib/pear # provide compat symlink 
@@ -1792,8 +1792,74 @@
 %defattr(644,root,root,755)
 %{extension_dir}/zlib.so
 %config(noreplace) %{php_sysconf}/conf.d/zlib.ini
-
 %changelog
+* Mon Nov 12 2007 - crrodriguez@suse.de
+- update to PHP 5.2.5
+ * Fixed dl() to only accept filenames. reported by Laurent Gaffie.
+ * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887).
+ * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences.
+ * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
+ * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason.
+ * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
+ * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).
+ * Upgraded PCRE to version 7.3 (Nuno)
+ * Added optional parameter $provide_object to debug_backtrace(). (Sebastian)
+ * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre)
+ * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry)
+ * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry)
+ * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov)
+ * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf)
+ * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia)
+ * Fixed PDO crash when driver returns empty LOB stream. (Stas)
+ * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas)
+ * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey)
+ * Fixed leaks with multiple connects on one mysqli object. (Andrey)
+ * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre)
+ * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani)
+ * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia)
+ * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani)
+ * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia)
+ * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia)
+ * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott)
+ * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia)
+ * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia)
+ * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey)
+ * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry)
+ * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia)
+ * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia)
+ * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia)
+ * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry)
+ * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry)
+ * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia)
+ * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia)
+ * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus)
+ * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry)
+ * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus)
+ * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia)
+ * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran)
+ * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org)
+ * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia)
+ * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia)
+ * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry)
+ * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani)
+ * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott)
+ * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry)
+ * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick)
+ * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia)
+ * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob)
+ * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry)
+ * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes)
+ * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia)
+ * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry)
+ * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey)
+ * Fixed bug #42359 (xsd:list type not parsed). (Dmitry)
+ * Fixed bug #42326 (SoapServer crash). (Dmitry)
+ * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry)
+ * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia)
+ * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob)
+ * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl).
(Dmitry) + * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) + * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) * Thu Aug 30 2007 - crrodriguez@suse.de - update to PHP 5.2.4, no relevant changes since RC3. * Fri Aug 24 2007 - crrodriguez@suse.de ++++++ php-5.2.4.tar.bz2 -> php-5.2.5.tar.bz2 ++++++ php5/php-5.2.4.tar.bz2 /mounts/work_src_done/STABLE/php5/php-5.2.5.tar.bz2 differ: byte 11, line 1 ++++++ php5-warnings.patch ++++++ --- /var/tmp/diff_new_pack.ps2190/_old 2007-11-12 22:04:42.000000000 +0100 +++ /var/tmp/diff_new_pack.ps2190/_new 2007-11-12 22:04:42.000000000 +0100 @@ -32,31 +32,3 @@ int use_cache; int use_relative_path = 0; TSRMLS_FETCH(); ---- ext/mysqli/mysqli_prop.c.orig -+++ ext/mysqli/mysqli_prop.c -@@ -86,8 +86,8 @@ static int __func(mysqli_object *obj, zv - ZVAL_LONG(*retval, l);\ - } else { \ - char *ret; \ -- int l = spprintf(&ret, 0, MYSQLI_LLU_SPEC, (my_ulonglong)l); \ -- ZVAL_STRINGL(*retval, ret, l, 0); \ -+ int len = spprintf(&ret, 0, MYSQLI_LLU_SPEC, (my_ulonglong)l); \ -+ ZVAL_STRINGL(*retval, ret, len, 0); \ - } \ - }\ - return SUCCESS;\ ---- main/output.c.orig -+++ main/output.c -@@ -430,9 +430,12 @@ static int php_ob_init_named(uint initia - tmp_buf.chunk_size = chunk_size; - tmp_buf.status = 0; - tmp_buf.internal_output_handler = NULL; -+ tmp_buf.internal_output_handler_buffer = NULL; -+ tmp_buf.internal_output_handler_buffer_size = 0; - tmp_buf.handler_name = estrdup(handler_name&&handler_name[0]?handler_name:OB_DEFAULT_HANDLER_NAME); - tmp_buf.erase = erase; - -+ - if (OG(ob_nesting_level)>0) { - #if HAVE_ZLIB && !defined(COMPILE_DL_ZLIB) - if (!strncmp(handler_name, "ob_gzhandler", sizeof("ob_gzhandler")) && php_ob_gzhandler_check(TSRMLS_C)) { ++++++ Registry.php ++++++ --- php5/Registry.php 2007-07-25 09:31:03.000000000 +0200 +++ /mounts/work_src_done/STABLE/php5/Registry.php 2007-11-12 06:39:27.000000000 +0100 
@@ -17,7 +17,7 @@ * @author Greg Beaver <cellog@php.net> * @copyright 1997-2006 The PHP Group * @license http://www.php.net/license/3_0.txt PHP License 3.0 - * @version CVS: $Id: Registry.php,v 1.166 2007/06/16 18:41:59 cellog Exp $ + * @version CVS: $Id: Registry.php,v 1.167.2.1 2007/09/08 15:02:49 cellog Exp $ * @link http://pear.php.net/package/PEAR * @since File available since Release 0.1 */ @@ -795,6 +795,7 @@ } if (!is_resource($this->lock_fp)) { + $this->lock_fp = null; return $this->raiseError("could not create lock file" . (isset($php_errormsg) ? ": " . $php_errormsg : "")); } @@ -807,6 +808,7 @@ } //is resource at this point, close it on error. fclose($this->lock_fp); + $this->lock_fp = null; return $this->raiseError("could not acquire $str lock ($this->lockfile)", PEAR_REGISTRY_ERROR_LOCK); } @@ -1769,13 +1771,10 @@ return $e; } $ret = &$this->_getChannel($channel, $noaliases); - $this->_unlock(); - if (!$ret) { return PEAR::raiseError('Unknown channel: ' . $channel); } - return $ret; } ++++++ suhosin-patch-5.2.4-0.9.6.2.patch -> suhosin-patch-5.2.5-0.9.6.2.patch ++++++ ++++ 1176 lines (skipped) ++++ between php5/suhosin-patch-5.2.4-0.9.6.2.patch ++++ and /mounts/work_src_done/STABLE/php5/suhosin-patch-5.2.5-0.9.6.2.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
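Review bot: The two added `$this->lock_fp = null;` lines in Registry.php (after the failed `is_resource()` check in the hunk at -795, and after `fclose()` in the hunk at -807) have no comment saying why the property must be cleared on these error paths. I would put a short comment above each, for example `// drop the failed/closed handle so later lock or unlock calls do not reuse it`. Presumably other methods test `$this->lock_fp` to decide whether a lock is held, but that code is outside these hunks, so confirm it before wording the comment as fact. The enclosing method starts and ends outside both hunks, so any other early return that leaves a stale handle behind cannot be checked from here.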