Hello community,
here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-01-05 17:06:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old)
and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "php5", Maintainer is "PGajdos@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-01-05 17:06:40.000000000 +0100
+++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-01-05 17:06:41.000000000 +0100
@@ -1,0 +2,19 @@
+Mon Jan 2 14:36:39 UTC 2012 - pgajdos@suse.com
+
+- security update:
+ * CVE-2011-4885 [bnc#738221] -- added max_input_vars directive
+ to prevent attacks based on hash collisions
+
+-------------------------------------------------------------------
+Tue Dec 20 12:58:50 UTC 2011 - pgajdos@suse.com
+
+- apache module conflicts with apache2-worker [bnc#728671]
+
+-------------------------------------------------------------------
+Fri Dec 9 11:35:56 UTC 2011 - pgajdos@suse.com
+
+- security update:
+ * CVE-2011-4566 [bnc#733590]
+ * CVE-2011-1466 [bnc#736169]
+
+-------------------------------------------------------------------
New:
----
php-5.3.8-CVE-2011-1466.patch
php-5.3.8-CVE-2011-4566.patch
php-5.3.8-CVE-2011-4885.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ php5.spec ++++++
--- /var/tmp/diff_new_pack.00es7w/_old 2012-01-05 17:06:41.000000000 +0100
+++ /var/tmp/diff_new_pack.00es7w/_new 2012-01-05 17:06:41.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package php5
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -137,6 +137,9 @@
%endif
Patch34: php5-2g-crash.patch
Patch35: php-5.3.8-CVE-2011-3379.patch
+Patch36: php-5.3.8-CVE-2011-4566.patch
+Patch37: php-5.3.8-CVE-2011-1466.patch
+Patch38: php-5.3.8-CVE-2011-4885.patch
Url: http://www.php.net
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Summary: PHP5 Core Files
@@ -219,6 +222,7 @@
Requires: apache2-prefork %{apache2_mmn} %{name} = %{version}
PreReq: apache2
Conflicts: apache2-mod_php4
+Conflicts: apache2-worker
Provides: mod_php_any php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter
%description -n apache2-mod_php5
@@ -1246,6 +1250,9 @@
%endif
%patch34
%patch35
+%patch36
+%patch37
+%patch38
# Safety check for API version change.
vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h`
if test "x${vapi}" != "x%{apiver}"; then
++++++ php-5.3.8-CVE-2011-1466.patch ++++++
http://svn.php.net/viewvc/?view=revision&revision=306475
http://svn.php.net/viewvc/?view=revision&revision=317360
http://svn.php.net/viewvc/?view=revision&revision=317387
Index: ext/calendar/gregor.c
===================================================================
--- ext/calendar/gregor.c.orig
+++ ext/calendar/gregor.c
@@ -127,6 +127,7 @@
**************************************************************************/
#include "sdncal.h"
+#include
#define GREGOR_SDN_OFFSET 32045
#define DAYS_PER_5_MONTHS 153
@@ -146,21 +147,12 @@ void SdnToGregorian(
long int temp;
int dayOfYear;
- if (sdn <= 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
+ if (sdn <= 0 ||
+ sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) {
+ goto fail;
}
temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1;
- if (temp < 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
- }
-
/* Calculate the century (year/100). */
century = temp / DAYS_PER_400_YEARS;
@@ -190,6 +182,10 @@ void SdnToGregorian(
*pYear = year;
*pMonth = month;
*pDay = day;
+fail:
+ *pYear = 0;
+ *pMonth = 0;
+ *pDay = 0;
}
long int GregorianToSdn(
++++++ php-5.3.8-CVE-2011-4566.patch ++++++
http://svn.php.net/viewvc/?view=revision&revision=319535
--- ext/exif/exif.c 2011/11/19 04:41:03 319534
+++ ext/exif/exif.c 2011/11/19 04:49:36 319535
@@ -2874,11 +2874,11 @@
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
/* If its bigger than 4 bytes, the dir entry contains an offset. */
value_ptr = offset_base+offset_val;
- if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
+ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
/* It is important to check for IMAGE_FILETYPE_TIFF
* JPEG does not use absolute pointers instead its pointers are
* relative to the start of the TIFF header in APP1 section. */
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
+ if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (value_ptr < dir_entry) {
/* we can read this if offset_val > 0 */
/* some files have their values in other parts of the file */
++++++ php-5.3.8-CVE-2011-4885.patch ++++++
http://svn.php.net/viewvc?view=revision&revision=321038
http://svn.php.net/viewvc?view=revision&revision=321040
Index: php.ini-development
===================================================================
--- php.ini-development.orig
+++ php.ini-development
@@ -453,6 +453,9 @@ max_input_time = 60
; http://php.net/max-input-nesting-level
;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 128M
Index: php.ini-production
===================================================================
--- php.ini-production.orig
+++ php.ini-production
@@ -453,6 +453,9 @@ max_input_time = 60
; http://php.net/max-input-nesting-level
;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 128M
Index: main/main.c
===================================================================
--- main/main.c.orig
+++ main/main.c
@@ -512,6 +512,7 @@ PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
Index: main/php_globals.h
===================================================================
--- main/php_globals.h.orig
+++ main/php_globals.h
@@ -170,6 +170,8 @@ struct _php_core_globals {
char *mail_log;
zend_bool in_error_log;
+
+ long max_input_vars;
};
Index: main/php_variables.c
===================================================================
--- main/php_variables.c.orig
+++ main/php_variables.c
@@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(cha
}
if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
@@ -236,6 +239,9 @@ plain_var:
zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
+ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
if (escaped_index != index) {
++++++ php-suse-addons.tar.bz2 ++++++
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org