Hello community, here is the log from the commit of package php5 for openSUSE:11.4 checked in at Tue Feb 22 21:21:52 CET 2011.
--------
--- old-versions/11.4/all/php5/php5.changes 2011-02-10 18:07:06.000000000 +0100
+++ 11.4/php5/php5.changes 2011-02-22 16:01:00.000000000 +0100
@@ -1,0 +2,7 @@
+Tue Feb 22 11:22:52 CET 2011 - pgajdos@suse.cz
+
+- security fixes
+ * CVE-2011-0420 [bnc#672933]
+ * CVE-2011-0708 [bnc#671710]
+
+-------------------------------------------------------------------
calling whatdependson for 11.4-i586
New:
----
php-5.3.5-CVE-2011-0420.patch
php-5.3.5-CVE-2011-0708.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ php5.spec ++++++
--- /var/tmp/diff_new_pack.OEUoMv/_old 2011-02-22 21:21:29.000000000 +0100
+++ /var/tmp/diff_new_pack.OEUoMv/_new 2011-02-22 21:21:29.000000000 +0100
@@ -77,7 +77,7 @@
 ###
 ###
 Version: 5.3.5
-Release: 5.<RELEASE2>
+Release: 5.<RELEASE3>
 License: The PHP License, version 3.01
 Group: Development/Languages/Other
 Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter
@@ -120,6 +120,8 @@
 Patch26: php-5.3.4-pts.patch
 Patch27: php-5.3.4-format-string-issues.patch
 Patch28: php-5.3.5-fopen_https_proxy_auth_fix.patch
+Patch29: php-5.3.5-CVE-2011-0420.patch
+Patch30: php-5.3.5-CVE-2011-0708.patch
 Url: http://www.php.net
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Summary: PHP5 Core Files
@@ -1229,6 +1231,8 @@
 %patch26
 %patch27
 %patch28 -p1
+%patch29
+%patch30
 # we build three SAPI
 %{__mkdir_p} build-apache2 build-fpm
++++++ php-5.3.5-CVE-2011-0420.patch ++++++
--- ext/intl/grapheme/grapheme_string.c 2010/12/19 04:10:49 306448
+++ ext/intl/grapheme/grapheme_string.c 2010/12/19 05:07:31 306449
@@ -799,7 +799,7 @@
 if ( NULL != next ) {
 if ( !PZVAL_IS_REF(next) ) {
- intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
 "grapheme_extract: 'next' was not passed by reference", 0 TSRMLS_CC );
 RETURN_FALSE;
@@ -819,10 +819,16 @@
 }
 if ( lstart > INT32_MAX || lstart < 0 || lstart >= str_len ) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: start not contained in string", 0 TSRMLS_CC );
+ RETURN_FALSE;
+ }
- intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: start not contained in string", 1 TSRMLS_CC );
-
+ if ( size > INT32_MAX || size < 0) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: size is invalid", 0 TSRMLS_CC );
 RETURN_FALSE;
+ }
+ if (size == 0) {
+ RETURN_EMPTY_STRING();
 }
 /* we checked that it will fit: */
++++++ php-5.3.5-CVE-2011-0708.patch ++++++
Index: ext/exif/exif.c
===================================================================
--- ext/exif/exif.c.orig
+++ ext/exif/exif.c
@@ -40,6 +40,10 @@
 #include "php.h"
 #include "ext/standard/file.h"
+#ifdef PHP_WIN32
+#include "win32/php_stdint.h"
+#endif
+
 #if HAVE_EXIF
 /* When EXIF_DEBUG is defined the module generates a lot of debug messages
@@ -2821,6 +2825,7 @@ static int exif_process_IFD_TAG(image_in
 int tag, format, components;
 char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
 size_t byte_count, offset_val, fpos, fgot;
+ int64_t byte_count_signed;
 xp_field_type *tmp_xp;
 #ifdef EXIF_DEBUG
 char *dump_data;
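Review bot: The new `if (size == 0)` branch in the @@ -819 hunk returns an empty string with no comment saying why zero is handled separately from the range check just above it. A one-line comment such as `/* nothing to extract: return early rather than hand a zero size to the extraction code below (CVE-2011-0420) */` would keep a later cleanup from folding the branch away; that wording assumes the code after the hunk cannot take a zero size, which is not visible here. The function body starts and ends outside the hunk, so whether `next` has already been written before these early returns should be confirmed, since it is passed by reference and callers can read it after a FALSE or empty result.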
@@ -2845,13 +2850,20 @@ static int exif_process_IFD_TAG(image_in
 /*return TRUE;*/
 }
- byte_count = components * php_tiff_bytes_per_format[format];
+ if (components < 0) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
+ return FALSE;
+ }
- if ((ssize_t)byte_count < 0) {
- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
+ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
+
+ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
 return FALSE;
 }
+ byte_count = (size_t)byte_count_signed;
+
 if (byte_count > 4) {
 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
 /* If its bigger than 4 bytes, the dir entry contains an offset. */
@@ -2916,6 +2928,7 @@ static int exif_process_IFD_TAG(image_in
 efree(dump_data);
 }
 #endif
+
 if (section_index==SECTION_THUMBNAIL) {
 if (!ImageInfo->Thumbnail.data) {
 switch(tag) {
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
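Review bot: The added upper bound `byte_count_signed > 2147483648` in the @@ -2845 hunk still accepts a byte count of exactly 2^31, one more than a signed 32-bit value can hold; if the intent is to keep the count inside that range, the test should read `byte_count_signed > INT32_MAX` (or `>= 2147483648`). In the same hunk the new warning formats `components` with `%ld`, while the @@ -2821 hunk shows it declared as `int tag, format, components;`, so, assuming exif_error_docref follows printf conventions, the conversion should be `%d` or the argument should be cast to `long`. The body of exif_process_IFD_TAG starts and ends outside these hunks, so how `byte_count` is consumed after the cast to `size_t` cannot be checked from here.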