Hello community, here is the log from the commit of package php5 for openSUSE:11.4 checked in at Wed Sep 7 16:00:36 CEST 2011. -------- --- old-versions/11.4/UPDATES/all/php5/php5.changes 2011-05-26 16:45:15.000000000 +0200 +++ 11.4/php5/php5.changes 2011-09-05 17:22:49.000000000 +0200 @@ -1,0 +2,17 @@ +Mon Sep 5 11:02:16 UTC 2011 - pgajdos@suse.com + +- security update: + * CVE-2011-3267 [bnc#715640] + * CVE-2011-3268 [bnc#715646] +- allow uploading files bigger than 2GB for 64bit systems + [bnc#709549] + * 64-bit-post-large-files.patch + +------------------------------------------------------------------- +Thu Jun 30 14:15:05 UTC 2011 - pgajdos@novell.com + +- security update: + * CVE-2011-2483 [bnc#701491] + * CVE-2011-2202 [bnc#699711] + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- php-5.3.5-64-bit-post-large-files.patch php-5.3.5-CVE-2011-2202.patch php-5.3.5-CVE-2011-2483-standard.patch php-5.3.5-CVE-2011-2483-suhosin.patch php-5.3.5-CVE-2011-3267.patch php-5.3.5-CVE-2011-3268.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ --- /var/tmp/diff_new_pack.LnczOA/_old 2011-09-07 15:55:24.000000000 +0200 +++ /var/tmp/diff_new_pack.LnczOA/_new 2011-09-07 15:55:24.000000000 +0200 @@ -77,7 +77,7 @@ ### ### Version: 5.3.5 -Release: 5.<RELEASE14> +Release: 5.<RELEASE16> License: The PHP License, version 3.01 Group: Development/Languages/Other Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter @@ -130,6 +130,12 @@ Patch38: php-5.3.5-CVE-2011-1469.patch Patch39: php-5.3.5-CVE-2011-1148.patch Patch40: php-5.3.5-CVE-2011-1938.patch +Patch41: php-5.3.5-CVE-2011-2483-standard.patch +Patch42: php-5.3.5-CVE-2011-2483-suhosin.patch +Patch43: php-5.3.5-CVE-2011-2202.patch +Patch44: php-5.3.5-CVE-2011-3267.patch +Patch45: php-5.3.5-CVE-2011-3268.patch +Patch46: php-5.3.5-64-bit-post-large-files.patch Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -1253,6 +1259,12 @@ %patch38 %patch39 %patch40 +%patch41 +%patch42 +%patch43 +%patch44 +%patch45 +%patch46 -p1 # we build three SAPI %{__mkdir_p} build-apache2 build-fpm @@ -1308,8 +1320,8 @@ CFLAGS="$RPM_OPT_FLAGS -Wmissing-format-attribute -D_GNU_SOURCE -fno-strict-aliasing -pipe" CXXFLAGS="$RPM_OPT_FLAGS -Wmissing-format-attribute -D_GNU_SOURCE -fno-strict-aliasing -pipe" %if 0%{?suse_version} > 1000 -CFLAGS="$CFLAGS -fstack-protector" -CXXFLAGS="$CXXFLAGS -fstack-protector" +CFLAGS="$CFLAGS -fstack-protector -pthread" +CXXFLAGS="$CXXFLAGS -fstack-protector -pthread" %endif export CFLAGS export CXXFLAGS ++++++ php-5.3.5-64-bit-post-large-files.patch ++++++ Index: php-5.3.5/main/rfc1867.c =================================================================== --- php-5.3.5.orig/main/rfc1867.c +++ php-5.3.5/main/rfc1867.c @@ -764,7 +764,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ { char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL; - int boundary_len = 0, total_bytes = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; + long total_bytes = 0; int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; int max_file_size = 0, skip_upload = 0, anonindex = 0, is_anonymous; zval *http_post_files = NULL; HashTable *uploaded_files = NULL; Index: php-5.3.5/main/SAPI.h =================================================================== --- php-5.3.5.orig/main/SAPI.h +++ php-5.3.5/main/SAPI.h @@ -82,7 +82,7 @@ typedef struct { char *post_data, *raw_post_data; char *cookie_data; long content_length; - uint post_data_length, raw_post_data_length; + uint IGNORE_post_data_length, IGNORE_raw_post_data_length; char *path_translated; char *request_uri; @@ -113,6 +113,7 @@ typedef struct { int argc; char **argv; int proto_num; + long post_data_length, raw_post_data_length; } sapi_request_info; @@ -120,7 +121,7 @@ typedef struct _sapi_globals_struct { void *server_context; sapi_request_info request_info; sapi_headers_struct sapi_headers; - int read_post_bytes; + long read_post_bytes; unsigned char headers_sent; struct stat global_stat; char *default_mimetype; Index: php-5.3.5/sapi/apache/mod_php5.c =================================================================== --- php-5.3.5.orig/sapi/apache/mod_php5.c +++ php-5.3.5/sapi/apache/mod_php5.c @@ -533,7 +533,7 @@ static void init_request_info(TSRMLS_D) SG(request_info).request_uri = r->uri; SG(request_info).request_method = (char *)r->method; SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE"); - SG(request_info).content_length = (content_length ? atoi(content_length) : 0); + SG(request_info).content_length = (content_length ? atol(content_length) : 0); SG(sapi_headers).http_response_code = r->status; SG(request_info).proto_num = r->proto_num; Index: php-5.3.5/sapi/apache2filter/sapi_apache2.c =================================================================== --- php-5.3.5.orig/sapi/apache2filter/sapi_apache2.c +++ php-5.3.5/sapi/apache2filter/sapi_apache2.c @@ -420,7 +420,7 @@ static void php_apache_request_ctor(ap_f efree(content_type); content_length = (char *) apr_table_get(f->r->headers_in, "Content-Length"); - SG(request_info).content_length = (content_length ? atoi(content_length) : 0); + SG(request_info).content_length = (content_length ? atol(content_length) : 0); apr_table_unset(f->r->headers_out, "Content-Length"); apr_table_unset(f->r->headers_out, "Last-Modified"); Index: php-5.3.5/sapi/apache2handler/sapi_apache2.c =================================================================== --- php-5.3.5.orig/sapi/apache2handler/sapi_apache2.c +++ php-5.3.5/sapi/apache2handler/sapi_apache2.c @@ -484,7 +484,7 @@ static int php_apache_request_ctor(reque r->no_local_copy = 1; content_length = (char *) apr_table_get(r->headers_in, "Content-Length"); - SG(request_info).content_length = (content_length ? atoi(content_length) : 0); + SG(request_info).content_length = (content_length ? atol(content_length) : 0); apr_table_unset(r->headers_out, "Content-Length"); apr_table_unset(r->headers_out, "Last-Modified"); Index: php-5.3.5/sapi/apache_hooks/mod_php5.c =================================================================== --- php-5.3.5.orig/sapi/apache_hooks/mod_php5.c +++ php-5.3.5/sapi/apache_hooks/mod_php5.c @@ -587,7 +587,7 @@ static void init_request_info(TSRMLS_D) SG(request_info).request_method = (char *)r->method; SG(request_info).proto_num = r->proto_num; SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE"); - SG(request_info).content_length = (content_length ? atoi(content_length) : 0); + SG(request_info).content_length = (content_length ? atol(content_length) : 0); SG(sapi_headers).http_response_code = r->status; if (r->headers_in) { Index: php-5.3.5/sapi/cgi/cgi_main.c =================================================================== --- php-5.3.5.orig/sapi/cgi/cgi_main.c +++ php-5.3.5/sapi/cgi/cgi_main.c @@ -491,7 +491,7 @@ static int sapi_cgi_read_post(char *buff uint read_bytes = 0; int tmp_read_bytes; - count_bytes = MIN(count_bytes, (uint) SG(request_info).content_length - SG(read_post_bytes)); + count_bytes = MIN(count_bytes, SG(request_info).content_length - SG(read_post_bytes)); while (read_bytes < count_bytes) { if (fcgi_is_fastcgi()) { fcgi_request *request = (fcgi_request*) SG(server_context); @@ -1350,7 +1350,7 @@ static void init_request_info(TSRMLS_D) /* FIXME - Work out proto_num here */ SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING", sizeof("QUERY_STRING")-1 TSRMLS_CC); SG(request_info).content_type = (content_type ? content_type : "" ); - SG(request_info).content_length = (content_length ? atoi(content_length) : 0); + SG(request_info).content_length = (content_length ? atol(content_length) : 0); /* The CGI RFC allows servers to pass on unvalidated Authorization data */ auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC); Index: php-5.3.5/ext/suhosin/rfc1867.c =================================================================== --- php-5.3.5.orig/ext/suhosin/rfc1867.c +++ php-5.3.5/ext/suhosin/rfc1867.c @@ -771,7 +771,7 @@ SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_p { char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL; char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL; - int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0; + long total_bytes=0; int boundary_len=0, cancel_upload=0, is_arr_upload=0, array_len=0; int max_file_size=0, skip_upload=0, anonindex=0, is_anonymous; zval *http_post_files=NULL; HashTable *uploaded_files=NULL; #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING) ++++++ php-5.3.5-CVE-2011-2202.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=312103 --- main/rfc1867.c 2011/06/12 15:03:18 312102 +++ main/rfc1867.c 2011/06/12 15:14:18 312103 @@ -1223,7 +1223,7 @@ #endif if (!is_anonymous) { - if (s && s > filename) { + if (s && s >= filename) { safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC); } else { safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC); @@ -1236,7 +1236,7 @@ } else { snprintf(lbuf, llen, "%s[name]", param); } - if (s && s > filename) { + if (s && s >= filename) { register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC); } else { register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC); ++++++ php-5.3.5-CVE-2011-2483-standard.patch ++++++ ++++ 750 lines (skipped) ++++++ php-5.3.5-CVE-2011-2483-suhosin.patch ++++++ ++++ 612 lines (skipped) ++++++ php-5.3.5-CVE-2011-3267.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=312417 --- ext/standard/basic_functions.c 2011/06/23 21:45:31 312416 +++ ext/standard/basic_functions.c 2011/06/23 21:48:15 312417 @@ -4678,7 +4678,7 @@ opt_err = erropt; } - if (opt_err == 3) { + if (opt_err == 3 && opt) { if (strlen(opt) != opt_len) { RETURN_FALSE; } ++++++ php-5.3.5-CVE-2011-3268.patch ++++++ http://svn.php.net/viewvc?view=revision&revision=312919 --- ext/standard/crypt.c 2011/01/01 02:19:59 306939 +++ ext/standard/crypt.c 2011/07/04 23:38:09 312919 @@ -179,6 +179,8 @@ salt[2] = '\0'; #endif salt_in_len = strlen(salt); + } else { + salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len); } /* Windows (win32/crypt) has a stripped down version of libxcrypt and ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org