Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-01-30 20:40:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "php5", Maintainer is "PGajdos@suse.com" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-01-20 19:08:10.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-01-30 20:40:47.000000000 +0100 @@ -1,0 +2,9 @@ +Tue Jan 24 09:18:43 UTC 2012 - pgajdos@suse.com + +- security update: + * CVE-2012-0781 [bnc#742273] + * CVE-2012-0788 [bnc#742806] + * memory corruption in parse_ini_string() [bnc#742806] + * CVE-2012-0789 [bnc#742806] + +------------------------------------------------------------------- New: ---- php-5.3.8-CVE-2012-0781.patch php-5.3.8-CVE-2012-0788.patch php-5.3.8-CVE-2012-0789.patch php-5.3.8-memory-corruption-parse_ini_string.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.QBW3MA/_old 2012-01-30 20:40:48.000000000 +0100 +++ /var/tmp/diff_new_pack.QBW3MA/_new 2012-01-30 20:40:48.000000000 +0100 @@ -162,6 +162,10 @@ Patch36: php-5.3.8-CVE-2011-4566.patch Patch37: php-5.3.8-CVE-2011-1466.patch Patch38: php-5.3.8-CVE-2011-4885.patch +Patch39: php-5.3.8-CVE-2012-0781.patch +Patch40: php-5.3.8-CVE-2012-0788.patch +Patch41: php-5.3.8-memory-corruption-parse_ini_string.patch +Patch42: php-5.3.8-CVE-2012-0789.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -1276,6 +1280,10 @@ %patch36 %patch37 %patch38 +%patch39 +%patch40 +%patch41 +%patch42 # Safety check for API version change. vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` if test "x${vapi}" != "x%{apiver}"; then ++++++ php-5.3.8-CVE-2011-1466.patch ++++++ --- /var/tmp/diff_new_pack.QBW3MA/_old 2012-01-30 20:40:48.000000000 +0100 +++ /var/tmp/diff_new_pack.QBW3MA/_new 2012-01-30 20:40:48.000000000 +0100 @@ -39,10 +39,11 @@ /* Calculate the century (year/100). */ century = temp / DAYS_PER_400_YEARS; -@@ -190,6 +182,10 @@ void SdnToGregorian( +@@ -190,6 +182,11 @@ void SdnToGregorian( *pYear = year; *pMonth = month; *pDay = day; ++ return; +fail: + *pYear = 0; + *pMonth = 0; ++++++ php-5.3.8-CVE-2012-0781.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=319254 --- ext/tidy/tidy.c 2011/11/15 14:20:13 319253 +++ ext/tidy/tidy.c 2011/11/15 15:16:20 319254 @@ -1288,7 +1288,7 @@ { TIDY_FETCH_OBJECT; - if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) { + if (tidyStatus(obj->ptdoc->doc) != 0 && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) { tidy_doc_update_properties(obj TSRMLS_CC); RETURN_TRUE; } ++++++ php-5.3.8-CVE-2012-0788.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=317272 --- ext/pdo/pdo_stmt.c 2011/09/25 12:14:09 317271 +++ ext/pdo/pdo_stmt.c 2011/09/25 12:39:05 317272 @@ -2351,6 +2351,7 @@ } zend_object_handlers pdo_dbstmt_object_handlers; +static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC); void pdo_stmt_init(TSRMLS_D) { @@ -2374,6 +2375,7 @@ pdo_row_ce = zend_register_internal_class(&ce TSRMLS_CC); pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */ pdo_row_ce->create_object = pdo_row_new; + pdo_row_ce->serialize = pdo_row_serialize; } static void free_statement(pdo_stmt_t *stmt TSRMLS_DC) @@ -2796,6 +2798,12 @@ retval.handlers = &pdo_row_object_handlers; return retval; +} + +static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC) +{ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "PDORow instances may not be serialized"); + return FAILURE; } /* }}} */ ++++++ php-5.3.8-CVE-2012-0789.patch ++++++ http://svn.php.net/viewvc/?view=revision&revision=320481 Modified: ext/date/lib/parse_date.re =================================================================== Index: ext/date/lib/parse_date.re =================================================================== --- ext/date/lib/parse_date.re.orig +++ ext/date/lib/parse_date.re @@ -775,7 +775,7 @@ static long timelib_lookup_zone(char **p return value; } -static long timelib_get_zone(char **ptr, int *dst, timelib_time *t, int *tz_not_found, const timelib_tzdb *tzdb) +static long timelib_get_zone(char **ptr, int *dst, timelib_time *t, int *tz_not_found, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_wrapper) { timelib_tzinfo *res; long retval = 0; @@ -824,7 +824,7 @@ static long timelib_get_zone(char **ptr, #endif /* If we have a TimeZone identifier to start with, use it */ if (strstr(tz_abbr, "/") || strcmp(tz_abbr, "UTC") == 0) { - if ((res = timelib_parse_tzfile(tz_abbr, tzdb)) != NULL) { + if ((res = tz_wrapper(tz_abbr, tzdb)) != NULL) { t->tz_info = res; t->zone_type = TIMELIB_ZONETYPE_ID; found++; @@ -853,7 +853,7 @@ static long timelib_get_zone(char **ptr, } \ } -static int scan(Scanner *s) +static int scan(Scanner *s, timelib_tz_get_wrapper tz_get_wrapper) { uchar *cursor = s->cur; char *str, *ptr = NULL; @@ -1186,7 +1186,7 @@ weekdayof = (reltextnumber|reltex } if (*ptr != '\0') { - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1227,7 +1227,7 @@ weekdayof = (reltextnumber|reltex s->time->h = timelib_get_nr((char **) &ptr, 2); s->time->i = timelib_get_nr((char **) &ptr, 2); s->time->s = 0; - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, s->tzdb, tz_get_wrapper); break; case 1: s->time->y = timelib_get_nr((char **) &ptr, 4); @@ -1252,7 +1252,7 @@ weekdayof = (reltextnumber|reltex s->time->s = timelib_get_nr((char **) &ptr, 2); if (*ptr != '\0') { - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1445,7 +1445,7 @@ weekdayof = (reltextnumber|reltex if (*ptr == '.') { s->time->f = timelib_get_frac_nr((char **) &ptr, 9); if (*ptr) { /* timezone is optional */ - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1545,7 +1545,7 @@ weekdayof = (reltextnumber|reltex s->time->h = timelib_get_nr((char **) &ptr, 2); s->time->i = timelib_get_nr((char **) &ptr, 2); s->time->s = timelib_get_nr((char **) &ptr, 2); - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1658,7 +1658,7 @@ weekdayof = (reltextnumber|reltex DEBUG_OUTPUT("tzcorrection | tz"); TIMELIB_INIT; TIMELIB_HAVE_TZ(); - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1711,7 +1711,7 @@ weekdayof = (reltextnumber|reltex } if (*ptr != '\0') { - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_error(s, "The timezone could not be found in the database"); } @@ -1757,7 +1757,7 @@ weekdayof = (reltextnumber|reltex /*!max:re2c */ -timelib_time* timelib_strtotime(char *s, int len, struct timelib_error_container **errors, const timelib_tzdb *tzdb) +timelib_time* timelib_strtotime(char *s, int len, struct timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper) { Scanner in; int t; @@ -1812,7 +1812,7 @@ timelib_time* timelib_strtotime(char *s, in.time->zone_type = 0; do { - t = scan(&in); + t = scan(&in, tz_get_wrapper); #ifdef DEBUG_PARSER printf("%d\n", t); #endif @@ -1867,7 +1867,7 @@ static void timelib_time_reset_unset_fie if (time->f == TIMELIB_UNSET ) time->f = 0.0; } -timelib_time *timelib_parse_from_format(char *format, char *string, int len, timelib_error_container **errors, const timelib_tzdb *tzdb) +timelib_time *timelib_parse_from_format(char *format, char *string, int len, timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper) { char *fptr = format; char *ptr = string; @@ -2033,7 +2033,7 @@ timelib_time *timelib_parse_from_format( case 'O': /* timezone */ { int tz_not_found; - s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb); + s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper); if (tz_not_found) { add_pbf_error(s, "The timezone could not be found in the database", string, begin); } Index: ext/date/lib/timelib.h =================================================================== --- ext/date/lib/timelib.h.orig +++ ext/date/lib/timelib.h @@ -52,6 +52,9 @@ #define strncasecmp strnicmp #endif +/* Function pointers */ +typedef timelib_tzinfo* (*timelib_tz_get_wrapper)(char *tzname, const timelib_tzdb *tzdb); + /* From dow.c */ timelib_sll timelib_day_of_week(timelib_sll y, timelib_sll m, timelib_sll d); timelib_sll timelib_iso_day_of_week(timelib_sll y, timelib_sll m, timelib_sll d); @@ -63,8 +66,8 @@ int timelib_valid_time(timelib_sll h, ti int timelib_valid_date(timelib_sll y, timelib_sll m, timelib_sll d); /* From parse_date.re */ -timelib_time *timelib_strtotime(char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb); -timelib_time *timelib_parse_from_format(char *format, char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb); +timelib_time *timelib_strtotime(char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper); +timelib_time *timelib_parse_from_format(char *format, char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper); void timelib_fill_holes(timelib_time *parsed, timelib_time *now, int options); char *timelib_timezone_id_from_abbr(const char *abbr, long gmtoffset, int isdst); const timelib_tz_lookup_table *timelib_timezone_abbreviations_list(void); Index: ext/date/php_date.c =================================================================== --- ext/date/php_date.c.orig +++ ext/date/php_date.c @@ -832,6 +832,12 @@ static timelib_tzinfo *php_date_parse_tz } return tzi; } + +timelib_tzinfo *php_date_parse_tzfile_wrapper(char *formal_tzname, const timelib_tzdb *tzdb) +{ + TSRMLS_FETCH(); + return php_date_parse_tzfile(formal_tzname, tzdb TSRMLS_CC); +} /* }}} */ /* {{{ Helper functions */ @@ -1367,7 +1373,7 @@ PHPAPI signed long php_parse_date(char * int error2; signed long retval; - parsed_time = timelib_strtotime(string, strlen(string), &error, DATE_TIMEZONEDB); + parsed_time = timelib_strtotime(string, strlen(string), &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); if (error->error_count) { timelib_error_container_dtor(error); return -1; @@ -1404,7 +1410,7 @@ PHP_FUNCTION(strtotime) initial_ts = emalloc(25); snprintf(initial_ts, 24, "@%ld UTC", preset_ts); - t = timelib_strtotime(initial_ts, strlen(initial_ts), NULL, DATE_TIMEZONEDB); /* we ignore the error here, as this should never fail */ + t = timelib_strtotime(initial_ts, strlen(initial_ts), NULL, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); /* we ignore the error here, as this should never fail */ timelib_update_ts(t, tzi); now->tz_info = tzi; now->zone_type = TIMELIB_ZONETYPE_ID; @@ -1426,7 +1432,7 @@ PHP_FUNCTION(strtotime) RETURN_FALSE; } - t = timelib_strtotime(times, time_len, &error, DATE_TIMEZONEDB); + t = timelib_strtotime(times, time_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); error1 = error->error_count; timelib_error_container_dtor(error); timelib_fill_holes(t, now, TIMELIB_NO_CLONE); @@ -2388,9 +2394,9 @@ PHPAPI int php_date_initialize(php_date_ timelib_time_dtor(dateobj->time); } if (format) { - dateobj->time = timelib_parse_from_format(format, time_str_len ? time_str : "", time_str_len ? time_str_len : 0, &err, DATE_TIMEZONEDB); + dateobj->time = timelib_parse_from_format(format, time_str_len ? time_str : "", time_str_len ? time_str_len : 0, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); } else { - dateobj->time = timelib_strtotime(time_str_len ? time_str : "now", time_str_len ? time_str_len : sizeof("now") -1, &err, DATE_TIMEZONEDB); + dateobj->time = timelib_strtotime(time_str_len ? time_str : "now", time_str_len ? time_str_len : sizeof("now") -1, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); } /* update last errors and warnings */ @@ -2724,7 +2730,7 @@ PHP_FUNCTION(date_parse) RETURN_FALSE; } - parsed_time = timelib_strtotime(date, date_len, &error, DATE_TIMEZONEDB); + parsed_time = timelib_strtotime(date, date_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); php_date_do_return_parsed_time(INTERNAL_FUNCTION_PARAM_PASSTHRU, parsed_time, error); } /* }}} */ @@ -2743,7 +2749,7 @@ PHP_FUNCTION(date_parse_from_format) RETURN_FALSE; } - parsed_time = timelib_parse_from_format(format, date, date_len, &error, DATE_TIMEZONEDB); + parsed_time = timelib_parse_from_format(format, date, date_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); php_date_do_return_parsed_time(INTERNAL_FUNCTION_PARAM_PASSTHRU, parsed_time, error); } /* }}} */ @@ -2785,7 +2791,7 @@ PHP_FUNCTION(date_modify) dateobj = (php_date_obj *) zend_object_store_get_object(object TSRMLS_CC); DATE_CHECK_INITIALIZED(dateobj->time, DateTime); - tmp_time = timelib_strtotime(modify, modify_len, &err, DATE_TIMEZONEDB); + tmp_time = timelib_strtotime(modify, modify_len, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); /* update last errors and warnings */ update_errors_warnings(err TSRMLS_CC); @@ -3623,7 +3629,7 @@ PHP_FUNCTION(date_interval_create_from_d php_date_instantiate(date_ce_interval, return_value TSRMLS_CC); - time = timelib_strtotime(time_str, time_str_len, &err, DATE_TIMEZONEDB); + time = timelib_strtotime(time_str, time_str_len, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); diobj = (php_interval_obj *) zend_object_store_get_object(return_value TSRMLS_CC); diobj->diff = timelib_rel_time_clone(&time->relative); diobj->initialized = 1; ++++++ php-5.3.8-memory-corruption-parse_ini_string.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=316285 http://svn.php.net/viewvc?view=revision&revision=317304 Index: ext/standard/basic_functions.c =================================================================== --- ext/standard/basic_functions.c.orig +++ ext/standard/basic_functions.c @@ -6032,6 +6032,10 @@ PHP_FUNCTION(parse_ini_string) RETURN_FALSE; } + if (INT_MAX - str_len < ZEND_MMAP_AHEAD) { + RETVAL_FALSE; + } + /* Set callback function */ if (process_sections) { BG(active_ini_file_section) = NULL; -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org