--- php5-5.2.4.orig/debian/php5-dev.files +++ php5-5.2.4/debian/php5-dev.files @@ -0,0 +1,6 @@ +usr/bin/php-config +usr/bin/phpize +usr/share/man/man1/php-config.1 +usr/share/man/man1/phpize.1 +usr/include +usr/lib/php5/build --- php5-5.2.4.orig/debian/NEWS +++ php5-5.2.4/debian/NEWS @@ -0,0 +1,18 @@ +php5 (5.2.3-2) unstable; urgency=low + + The suhosin patch is now enabled by default! + + For more information, see + . + + Special thanks to Blars Blarson for providing a sparc machine for testing + that the patch seems to work okay on that architecture. If you experience + otherwise let us know! + + Suggestions are welcome for default configuration options, examples, + documentation, etc. + + In any event please report successes and/or failures to us at + pkg-php-maint@lists.alioth.debian.org. + + -- sean finney Thu, 12 Jul 2007 23:38:43 +0200 --- php5-5.2.4.orig/debian/php5-cli.dirs +++ php5-5.2.4/debian/php5-cli.dirs @@ -0,0 +1,3 @@ +/etc/php5/cli +/usr/bin +/usr/share/man/man1 --- php5-5.2.4.orig/debian/php5-common.php5.cron.d +++ php5-5.2.4/debian/php5-common.php5.cron.d @@ -0,0 +1,8 @@ +# /etc/cron.d/php5: crontab fragment for php5 +# This purges session files older than X, where X is defined in seconds +# as the largest value of session.gc_maxlifetime from all your php.ini +# files, or 24 minutes if not defined. See /usr/lib/php5/maxlifetime + +# Look for and purge old sessions every 30 minutes +09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete + --- php5-5.2.4.orig/debian/php5-cgi.postinst +++ php5-5.2.4/debian/php5-cgi.postinst @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" != "configure" ]; then + exit 0 +fi + +phpini="/etc/php5/cgi/php.ini" +# LEGACY SUPPORT +# previous versions of php did not ship $phpini as a conffile nor did +# they use anything like ucf. as a result, we need to help transition +# those files into ucf a little more easily by updating unmodified +# ini files before registering them +# +# if we're upgrading from a pre-ucf version of php: +if dpkg --compare-versions "$2" le-nl "5.1.6-4"; then + # if the SAPI config file already exists and is unmodified + if [ -f "$phpini" ]; then + oldmd5=`md5sum $phpini | cut -d' ' -f1` + if [ "$oldmd5" = "c85605baab79fbcd3c289e442eb3caa2" ]; then + # then silently update it before registering via ucf + cp /usr/share/php5/php.ini-dist $phpini + fi + fi +fi +# END LEGACY SUPPORT + +ucf /usr/share/php5/php.ini-dist $phpini + +update-alternatives \ + --install /usr/bin/php-cgi php-cgi /usr/bin/php5-cgi 50 \ + --slave /usr/share/man/man1/php-cgi.1.gz php-cgi.1.gz /usr/share/man/man1/php5-cgi.1.gz + +update-alternatives \ + --install /usr/lib/cgi-bin/php php-cgi-bin /usr/lib/cgi-bin/php5 50 + +exit 0 --- php5-5.2.4.orig/debian/libapache2-mod-php5.dirs +++ php5-5.2.4/debian/libapache2-mod-php5.dirs @@ -0,0 +1,3 @@ +/etc/apache2/mods-available +/etc/php5/apache2 +/usr/lib/apache2/modules --- php5-5.2.4.orig/debian/php5-cgi.dirs +++ php5-5.2.4/debian/php5-cgi.dirs @@ -0,0 +1,4 @@ +/etc/php5/cgi +/usr/lib/cgi-bin +/usr/bin +/usr/share/man/man1 --- php5-5.2.4.orig/debian/libapache2-mod-php5.postinst +++ php5-5.2.4/debian/libapache2-mod-php5.postinst @@ -0,0 +1,58 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" != "configure" ]; then + exit 0 +fi + +phpini="/etc/php5/apache2/php.ini" + +# LEGACY SUPPORT +# previous versions of php did not ship $phpini as a conffile nor did +# they use anything like ucf. as a result, we need to help transition +# those files into ucf a little more easily by updating unmodified +# ini files before registering them +# +# if we're upgrading from a pre-ucf version of php: +if dpkg --compare-versions "$2" le-nl "5.1.6-4"; then + # if the SAPI config file already exists and is unmodified + if [ -f "$phpini" ]; then + oldmd5=`md5sum $phpini | cut -d' ' -f1` + if [ "$oldmd5" = "c85605baab79fbcd3c289e442eb3caa2" ]; then + # then silently update it before registering via ucf + cp /usr/share/php5/php.ini-dist $phpini + fi + fi +fi +# END LEGACY SUPPORT + +ucf /usr/share/php5/php.ini-dist $phpini + +reload_apache() +{ + if apache2ctl configtest 2>/dev/null; then + invoke-rc.d apache2 force-reload || true + else + echo "Your apache2 configuration is broken, so we're not restarting it for you." + fi +} + +if [ -n "$2" ]; then +# we're upgrading. test if we're enabled, and if so, restart to reload the module. + if [ -e /etc/apache2/mods-enabled/php5.load ]; then + reload_apache + fi + exit 0 +fi + +if [ -e /etc/apache2/apache2.conf ]; then +# Enable the module, but hide a2enmod's misleading message about apachectl +# and force-reload the thing ourselves. + a2enmod php5 >/dev/null || true + reload_apache +fi + +exit 0 --- php5-5.2.4.orig/debian/php5-sybase.postrm +++ php5-5.2.4/debian/php5-sybase.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +NEW_CONFFILE=/etc/php5/conf.d/mssql.ini +if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt 5.2.3-2 +then + rm $NEW_CONFFILE +fi + +#DEBHELPER# --- php5-5.2.4.orig/debian/control +++ php5-5.2.4/debian/control @@ -0,0 +1,333 @@ +Source: php5 +Section: web +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian PHP Maintainers +Uploaders: Adam Conrad , Steve Langasek , Jeroen van Wolffelaar , Ondřej Surý , sean finney +Build-Depends: apache2-prefork-dev (>= 2.0.53-3), autoconf, automake1.4, bison, chrpath, debhelper (>= 3), flex (>= 2.5.4), freetds-dev, libapr1-dev (>= 1.2.7-8), libbz2-dev (>= 1.0.0), libcurl4-openssl-dev | libcurl-dev, libdb-dev, libedit-dev (>= 2.9.cvs.20050518-1), libexpat1-dev (>= 1.95.2-2.1), libfreetype6-dev, libgcrypt11-dev, libgd2-xpm-dev (>= 2.0.28-3), libgmp3-dev, libjpeg62-dev, libkrb5-dev, libldap2-dev, libmhash-dev (>= 0.8.8), libmysqlclient15-dev, libncurses5-dev, libpam0g-dev, libpcre3-dev (>= 6.6), libpng12-dev, libpq-dev | postgresql-dev, libpspell-dev, librecode-dev, libsasl2-dev, libsnmp-dev, libsqlite0-dev, libssl-dev (>= 0.9.6), libt1-dev, libtidy-dev, libtool (>= 1.4.2-4), libwrap0-dev, libxmltok1-dev, libxml2-dev (>= 2.4.14), libxslt1-dev (>= 1.0.18), quilt, re2c, unixodbc-dev, zlib1g-dev (>= 1.0.9) +Build-Conflicts: bind-dev +Standards-Version: 3.7.2 + +Package: php5 +Architecture: all +Depends: libapache2-mod-php5 (>= ${source:Version}) | php5-cgi (>= ${source:Version}), php5-common (>= ${source:Version}) +Description: server-side, HTML-embedded scripting language (meta-package) + This package is a meta-package that, when installed, guarantees that you + have at least one of the four server-side versions of the PHP5 interpreter + installed. Removing this package won't remove PHP5 from your system, however + it may remove other packages that depend on this one. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write dynamically + generated pages quickly. + . + Homepage: http://www.php.net/ + +Package: php5-common +Architecture: any +Depends: sed (>= 4.1.1-1) +Provides: php5-json +Conflicts: php5-json +Description: Common files for packages built from the php5 source + This package contains the documentation and example files relevant to all + the other packages built from the php5 source. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write dynamically + generated pages quickly. + . + Homepage: http://www.php.net/ + +Package: libapache2-mod-php5 +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support (>= 2.03-1), ${apache2:Depends}, php5-common (= ${binary:Version}), libmagic1, ucf +Conflicts: libapache2-mod-php4 +Provides: ${php:Provides} +Suggests: php-pear +Description: server-side, HTML-embedded scripting language (apache 2 module) + This package provides the PHP5 module for the Apache 2 webserver (as + found in the apache2-mpm-prefork package). Please note that this package + ONLY works with Apache's prefork MPM, as it is not compiled thread-safe. + . + ${php:Extensions} + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write dynamically + generated pages quickly. + . + Homepage: http://www.php.net/ + +Package: php5-cgi +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support (>= 2.03-1), php5-common (= ${binary:Version}), libmagic1, ucf +Provides: ${php:Provides} +Conflicts: php3 (<= 3.0.18-1) +Suggests: php-pear +Description: server-side, HTML-embedded scripting language (CGI binary) + This package provides the /usr/lib/cgi-bin/php5 CGI interpreter built + for use in apache 2 with mod_actions, or any other CGI httpd that + supports a similar mechanism. Note that MOST apache users probably + want the libapache2-mod-php5 package. + . + ${php:Extensions} + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write dynamically + generated pages quickly. + . + Homepage: http://www.php.net/ + +Package: php5-cli +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support (>= 2.03-1), php5-common (= ${binary:Version}), libmagic1, ucf +Provides: ${php:Provides} +Conflicts: php3 (<= 3.0.18-1) +Suggests: php-pear +Description: command-line interpreter for the php5 scripting language + This package provides the /usr/bin/php5 command interpreter, useful for + testing PHP scripts from a shell, or perhaps even performing general + shell scripting tasks, if you're frightened of perl and python. + . + ${php:Extensions} + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write dynamically + generated pages quickly. + . + Homepage: http://www.php.net/ + +Package: php5-dev +Depends: autoconf, automake1.4, libssl-dev, libtool, shtool, php5-common (>= ${binary:Version}) +Section: devel +Architecture: any +Description: Files for PHP5 module development + This package provides the files from the PHP5 source needed for compiling + additional modules. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php-pear +Architecture: all +Depends: php5-cli | php4-cli, php5-common (>= ${source:Version}) +Recommends: gnupg +Suggests: php5-dev | php4-dev +Replaces: php4-pear (<< 4:4.4.0-0) +Description: PEAR - PHP Extension and Application Repository + This package contains the base PEAR classes for PHP, as well as the PEAR + installer. Many PEAR classes are already packaged for Debian, and can be + easily identified by names beginning with "php-", such as php-db and + php-auth. Note: to build and install precompiled PECL extensions, you + will need one of the php development packages installed. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-curl +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: CURL module for php5 + CURL is a library for getting files from FTP, GOPHER, HTTP server. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-gd +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: GD module for php5 + This package provides a module for handling graphics directly from PHP + scripts. It supports the PNG, JPEG, XPM formats as well as Freetype/ttf fonts. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-gmp +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: GMP module for php5 + This package provides a module for arbitrary precision arithmetic via the + GNU Multiple Precision (GMP) Arithmetic Library. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-ldap +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: LDAP module for php5 + This package provides a module for LDAP functions in PHP scripts. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-mhash +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: MHASH module for php5 + This package provides a module for mhash functions in PHP scripts. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-mysql +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Conflicts: php5-mysqli +Replaces: php5-mysqli +Description: MySQL module for php5 + This package provides modules for MySQL database connections directly from + PHP scripts. It includes the generic "mysql" module which can be used + to connect to all versions of MySQL, an improved "mysqli" module for + MySQL version 4.1 or later, and the pdo_mysql module for use with + the PHP Data Object extension. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-odbc +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: ODBC module for php5 + This package provides a module for database access through ODBC drivers. + It uses the unixODBC library as an ODBC provider. It also contains the + pdo_odbc module, for use with the PHP Data Object extension. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-pgsql +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: PostgreSQL module for php5 + This package provides a module for PostgreSQL database connections + directly from PHP scripts. It also includes the pdo_pgsql module for + use with the PHP Data Object extension. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-pspell +Architecture: any +Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version}) +Description: pspell module for php5 + This package provides a module for pspell functions in PHP scripts. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-recode +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: recode module for php5 + This package provides a module for recode - character set recoding. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-snmp +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: SNMP module for php5 + This package provides a module for SNMP functions in PHP scripts. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-sqlite +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: SQLite module for php5 + This package provides a module allowing you to use the SQLite self-contained + database engine from within your PHP scripts, eliminating the need for a full + SQL server installation like MySQL or PostgreSQL. It also includes the + pdo_sqlite module, for use with the PHP Data Object extension. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-sybase +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Provides: php5-mssql +Description: Sybase / MS SQL Server module for php5 + This package provides a module for Sybase and Microsoft SQL Server + database connections directly from PHP scripts. It also includes the + pdo_dblib module for use with the PHP Data Object extension. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-tidy +Architecture: any +Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version}) +Description: tidy module for php5 + This package provides a module for tidy functions in PHP scripts. + . + Tidy is an extension based on Libtidy (http://tidy.sf.net/) and allows + a PHP developer to clean, repair, and traverse HTML, XHTML, and XML + documents -- including ones with embedded scripting languages such as PHP + or ASP within them using OO constructs. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-xmlrpc +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: XML-RPC module for php5 + This package provides a module for XML-RPC functions in PHP scripts. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + +Package: php5-xsl +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version}) +Description: XSL module for php5 + This package provides a module for XSL using the libxslt XSL parser. + . + PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed + from C, Java and Perl with a couple of unique PHP-specific features thrown + in. The goal of the language is to allow web developers to write + dynamically generated pages quickly. + --- php5-5.2.4.orig/debian/php5-sybase.prerm +++ php5-5.2.4/debian/php5-sybase.prerm @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +OLD_CONFFILE=/etc/php5/conf.d/sybase_ct.ini +NEW_CONFFILE=/etc/php5/conf.d/mssql.ini +if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt 5.2.3-2 +then + sed -e's/\(extension=[[:space:]]*\)mssql\.so/\1sybase_ct.so/' \ + $NEW_CONFFILE > $OLD_CONFFILE +fi + +#DEBHELPER# --- php5-5.2.4.orig/debian/rules +++ php5-5.2.4/debian/rules @@ -0,0 +1,515 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# GNU copyright 1997 by Joey Hess. +# +# This version is for a hypothetical package that builds an +# architecture-dependant package, as well as an architecture-independent +# package. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# This has to be exported to make some magic below work. +export DH_OPTIONS + +# Set this flag to 'yes' if you want to disable all modifications breaking abi +# compatibility to upstream +PHP5_COMPAT=no + +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +DEB_BUILD_ARCH ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH) + +PHP5_HOST_GNU_TYPE = $(subst gnulp,gnu,$(DEB_HOST_GNU_TYPE)) +PHP5_BUILD_GNU_TYPE = $(subst gnulp,gnu,$(DEB_BUILD_GNU_TYPE)) + +PHP5_HOST_GNU_TYPE := $(shell echo $(PHP5_HOST_GNU_TYPE) | sed 's/-gnu$$//') +PHP5_BUILD_GNU_TYPE := $(shell echo $(PHP5_BUILD_GNU_TYPE) | sed 's/-gnu$$//') + +PHP5_SOURCE_VERSION = $(shell dpkg-parsechangelog | grep ^Version | sed "s/Version: //") +PHP5_UPSTREAM_VERSION = $(shell echo $(PHP5_SOURCE_VERSION) | sed -e "s/-.*//" -e "s/.*://") +PHP5_DEBIAN_REVISION = $(shell echo $(PHP5_SOURCE_VERSION) | sed "s/.*-//") + + +PROG_SENDMAIL = /usr/sbin/sendmail +CFLAGS = -O2 -Wall -fsigned-char -fno-strict-aliasing +# LFS support +ifneq (yes,$(PHP5_COMPAT)) + CFLAGS += $(shell getconf LFS_CFLAGS) +endif + +# Enable IEEE-conformant floating point math on alphas (not the default) +ifeq (alpha-linux,$(PHP5_HOST_GNU_TYPE)) + CFLAGS += -mieee +endif + +ifeq ($(PHP5_HOST_GNU_TYPE), $(findstring $(PHP5_HOST_GNU_TYPE), ia64-linux powerpc64-linux)) + CFLAGS += -g +else + CFLAGS += -gstabs +endif + +ifneq (nostrip, $(findstring nostrip, $(DEB_BUILD_OPTIONS))) + install_strip = -s +endif + +# Old magic.mime location: +ifeq ($(wildcard /usr/share/misc/file/magic.mime), /usr/share/misc/file/magic.mime) +MAGIC_MIME = /usr/share/misc/file/magic.mime +endif +# New magic.mime location: +ifeq ($(wildcard /usr/share/file/magic.mime), /usr/share/file/magic.mime) +MAGIC_MIME = /usr/share/file/magic.mime +endif + +COMMON_CONFIG=--build=$(PHP5_BUILD_GNU_TYPE)-gnu \ + --host=$(PHP5_HOST_GNU_TYPE)-gnu \ + --mandir=/usr/share/man \ + --enable-memory-limit \ + --disable-debug \ + --with-regex=php \ + --disable-rpath \ + --disable-static \ + --with-pic \ + --with-layout=GNU \ + --with-pear=/usr/share/php \ + --enable-calendar \ + --enable-sysvsem \ + --enable-sysvshm \ + --enable-sysvmsg \ + --enable-track-vars \ + --enable-trans-sid \ + --enable-bcmath \ + --with-bz2 \ + --enable-ctype \ + --with-db4 \ + --without-gdbm \ + --with-iconv \ + --enable-exif \ + --enable-filepro \ + --enable-ftp \ + --with-gettext \ + --enable-mbstring \ + --with-pcre-regex=/usr \ + --enable-shmop \ + --enable-sockets \ + --enable-wddx \ + --with-libxml-dir=/usr \ + --with-zlib \ + --with-kerberos=/usr \ + --with-openssl=/usr \ + --enable-dbx \ + --enable-soap \ + --enable-zip \ + --with-mime-magic=$(MAGIC_MIME) \ + --with-exec-dir=/usr/lib/php5/libexec \ + --with-system-tzdata + +BUILTIN_EXTENSION_CHECK=$$e=get_loaded_extensions(); natcasesort($$e); \ + $$s="The following extensions are built in:"; \ + foreach($$e as $$i) { $$s .= " $$i"; } \ + echo("php:Extensions=" . wordwrap($$s . ".\n", 75, "\$${Newline} ")); + +# include the patch/unpatch rules from quilt +include /usr/share/quilt/quilt.make + +prepared: prepared-stamp +prepared-stamp: $(QUILT_STAMPFN) + dh_testdir + sed -i -e 's/EXTRA_VERSION=""/EXTRA_VERSION="-$(PHP5_DEBIAN_REVISION)"/' configure.in + rm -f aclocal.m4 config.sub config.guess ltmain.sh + ./buildconf --force + touch prepared-stamp + +unprepared: + dh_testdir + sed -i -e 's/EXTRA_VERSION="-$(PHP5_DEBIAN_REVISION)"/EXTRA_VERSION=""/' configure.in + rm -f configure aclocal.m4 config.sub config.guess ltmain.sh + rm -f build/libtool.m4 main/php_config.h.in + rm -f prepared-stamp + +test-results.txt: + mkdir -p temp_session_store + env NO_INTERACTION=1 TEST_PHP_CGI_EXECUTABLE=./cgi-build/sapi/cgi/cgi-bin.php5 TEST_PHP_EXECUTABLE=./apache2-build/sapi/cli/php ./apache2-build/sapi/cli/php run-tests.php > test-results.txt + rm -rf temp_session_store + cat test-results.txt + +build: build-apache2-stamp build-cgi-stamp build-cli-stamp build-pear-stamp test-results.txt + +build-apache2-stamp: configure-apache2-stamp + dh_testdir + cd apache2-build && $(MAKE) + + touch build-apache2-stamp + +build-cli-stamp: configure-cli-stamp + dh_testdir + cd cli-build && $(MAKE) + + touch build-cli-stamp + + +build-cgi-stamp: configure-cgi-stamp + dh_testdir + cd cgi-build && $(MAKE) && mv sapi/cgi/php-cgi sapi/cgi/cgi-bin.php5 + + # Dirty hack to not rebuild everything twice + cd cgi-build/main && \ + sed -i -e 's/FORCE_CGI_REDIRECT 1/FORCE_CGI_REDIRECT 0/' \ + -e 's/DISCARD_PATH 0/DISCARD_PATH 1/' php_config.h && \ + sed -i -e 's/--enable-force-cgi-redirect/--enable-discard-path/' build-defs.h && \ + touch ../../ext/standard/info.c && \ + touch ../../sapi/cgi/cgi_main.c + + cd cgi-build && $(MAKE) && mv sapi/cgi/php-cgi sapi/cgi/usr.bin.php5-cgi + + touch build-cgi-stamp + +build-pear-stamp: build-cgi-stamp + dh_testdir + -mkdir pear-build + cd cgi-build && make install-pear PHP_PEAR_PHP_BIN=/usr/bin/php PHP_PEAR_INSTALL_DIR=/usr/share/php PHP_PEAR_SYSCONF_DIR=/etc/pear PHP_PEAR_SIG_BIN=/usr/bin/gpg INSTALL_ROOT=$(CURDIR)/pear-build + sed -i -e 's/-d output_buffering=1 -d open_basedir="" -d safe_mode=0/-d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1"/' \ + $(CURDIR)/pear-build/usr/bin/pear && \ + sed -i -e 's/-d output_buffering=1 -d safe_mode=0/-d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1"/' \ + $(CURDIR)/pear-build/usr/bin/pecl && \ + sed -i -e 's/-d memory_limit="-1"//' \ + -e 's/-d output_buffering=1 -d open_basedir="" -d safe_mode=0/-d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1"/' \ + $(CURDIR)/pear-build/usr/bin/peardev + patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p0 -i $(CURDIR)/debian/patches/php5-pear-CVE-2011-1072.patch + patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p0 -i $(CURDIR)/debian/patches/php5-pear-CVE-2011-1144.patch + patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p0 -i $(CURDIR)/debian/patches/php5-pear-CVE-2011-1144-regression.patch + touch build-pear-stamp + +configure: configure-apache2-stamp configure-cli-stamp configure-cgi-stamp + +configure-apache2-stamp: prepared-stamp + dh_testdir + if [ -d apache2-build ]; then rm -rf apache2-build; fi + -mkdir apache2-build + cd apache2-build && \ + CFLAGS="$(CFLAGS)" PROG_SENDMAIL="$(PROG_SENDMAIL)" ../configure \ + --prefix=/usr --with-apxs2=/usr/bin/apxs2 \ + --with-config-file-path=/etc/php5/apache2 \ + --with-config-file-scan-dir=/etc/php5/apache2/conf.d \ + $(COMMON_CONFIG) \ + --without-mm \ + --with-curl=shared,/usr \ + --with-zlib-dir=/usr \ + --with-gd=shared,/usr --enable-gd-native-ttf \ + --with-gmp=shared,/usr \ + --with-jpeg-dir=shared,/usr \ + --with-xpm-dir=shared,/usr/X11R6 \ + --with-png-dir=shared,/usr \ + --with-freetype-dir=shared,/usr \ + --with-ttf=shared,/usr \ + --with-t1lib=shared,/usr \ + --with-ldap=shared,/usr \ + --with-ldap-sasl=/usr \ + --with-mhash=shared,/usr \ + --with-mysql=shared,/usr \ + --with-mysqli=shared,/usr/bin/mysql_config \ + --with-pspell=shared,/usr \ + --with-unixODBC=shared,/usr \ + --with-recode=shared,/usr \ + --with-xsl=shared,/usr \ + --with-snmp=shared,/usr \ + --with-sqlite=shared,/usr \ + --with-mssql=shared,/usr \ + --with-tidy=shared,/usr \ + --with-xmlrpc=shared \ + --with-pgsql=shared,/usr PGSQL_INCLUDE=`pg_config --includedir` \ + --enable-pdo=shared \ + --without-pdo-dblib \ + --with-pdo-mysql=shared,/usr \ + --with-pdo-odbc=shared,unixODBC,/usr \ + --with-pdo-pgsql=shared,/usr/bin/pg_config \ + --with-pdo-sqlite=shared,/usr \ + --with-pdo-dblib=shared,/usr + cd apache2-build && \ + cp ../Zend/zend_ini_scanner.c ../Zend/zend_language_scanner.c \ + ../Zend/zend_ini_parser.h ../Zend/zend_language_parser.h \ + ../Zend/zend_ini_parser.c ../Zend/zend_language_parser.c \ + Zend/ + touch configure-apache2-stamp + +configure-cgi-stamp: prepared-stamp + dh_testdir + if [ -d cgi-build ]; then rm -rf cgi-build; fi + -mkdir cgi-build + cd cgi-build && \ + CFLAGS="$(CFLAGS)" PROG_SENDMAIL="$(PROG_SENDMAIL)" ../configure \ + --prefix=/usr --enable-force-cgi-redirect --enable-fastcgi \ + --with-config-file-path=/etc/php5/cgi \ + --with-config-file-scan-dir=/etc/php5/cgi/conf.d \ + $(COMMON_CONFIG) \ + --without-mm \ + --disable-pdo \ + --without-mysql --without-sybase-ct --without-mssql \ + --without-sqlite + cd cgi-build && \ + cp ../Zend/zend_ini_scanner.c ../Zend/zend_language_scanner.c \ + ../Zend/zend_ini_parser.h ../Zend/zend_language_parser.h \ + ../Zend/zend_ini_parser.c ../Zend/zend_language_parser.c \ + Zend/ + touch configure-cgi-stamp + +configure-cli-stamp: prepared-stamp + dh_testdir + if [ -d cli-build ]; then rm -rf cli-build; fi + -mkdir cli-build + cd cli-build && \ + CFLAGS="$(CFLAGS)" PROG_SENDMAIL="$(PROG_SENDMAIL)" ../configure \ + --prefix=/usr --disable-cgi \ + --with-config-file-path=/etc/php5/cli \ + --with-config-file-scan-dir=/etc/php5/cli/conf.d \ + $(COMMON_CONFIG) \ + --with-libedit \ + --without-mm \ + --disable-pdo \ + --without-mysql --without-sybase-ct --without-sqlite \ + --without-mssql --enable-pcntl \ + --with-ncurses=/usr + cd cli-build && \ + cp ../Zend/zend_ini_scanner.c ../Zend/zend_language_scanner.c \ + ../Zend/zend_ini_parser.h ../Zend/zend_language_parser.h \ + ../Zend/zend_ini_parser.c ../Zend/zend_language_parser.c \ + Zend/ + touch configure-cli-stamp + +clean: unprepared unpatch + dh_testdir + dh_testroot + + + rm -f configure-apache2-stamp build-apache2-stamp + rm -f configure-cgi-stamp build-cgi-stamp + rm -f configure-cli-stamp build-cli-stamp + rm -f build-pear-stamp + rm -f install-stamp + rm -rf apache2-build + rm -rf cgi-build + rm -rf cli-build + rm -rf pear-build + rm -f debian/copyright + rm -f test-results.txt + dh_clean + # clean up autogenerated cruft + cat debian/modulelist | while read package extname dsoname; do \ + rm -f debian/php5-$$package.postinst; \ + done + for sapi in libapache2-mod-php5 php5-cgi php5-cli; do \ + for cruft in postrm links; do \ + rm -f debian/$${sapi}.$${cruft}; \ + done; \ + done + +install: DH_OPTIONS= +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + chmod 01733 debian/php5-common/var/lib/php5 + + # Add here commands to install the package into debian/php5. + # install apache2 DSO module + cp apache2-build/.libs/libphp5.so \ + debian/libapache2-mod-php5/`apxs2 -q LIBEXECDIR`/ + cp debian/libapache2-mod-php5.load \ + debian/libapache2-mod-php5/etc/apache2/mods-available/php5.load + cp debian/libapache2-mod-php5.conf \ + debian/libapache2-mod-php5/etc/apache2/mods-available/php5.conf + + # sanitize php.ini file + # memory_limit: 16M for cgi/apache; 32M for cli + cat php.ini-dist | tr "\t" " " | sed -e'/memory_limit =/ s/\b128M/16M/g' > debian/php5-common/usr/share/php5/php.ini-dist + cat php.ini-dist | tr "\t" " " | sed -e'/memory_limit =/ s/\b128M/32M/g' > debian/php5-common/usr/share/php5/php.ini-dist.cli + cat php.ini-dist | tr "\t" " " > debian/php5-common/usr/share/doc/php5-common/examples/php.ini-dist + cat php.ini-recommended | tr "\t" " " > debian/php5-common/usr/share/doc/php5-common/examples/php.ini-recommended + cat php.ini-paranoid | tr "\t" " " > debian/php5-common/usr/share/doc/php5-common/examples/php.ini-paranoid + cp test-results.txt debian/php5-common/usr/share/doc/php5-common/ + + # install the apache modules' files + cd apache2-build && make install-headers install-build install-modules install-programs INSTALL_ROOT=$(CURDIR)/debian/libapache2-mod-php5 + # remove netware and win32 headers that we don't want + cd debian/libapache2-mod-php5/usr/include/php5/ && \ + rm -f TSRM/readdir.h \ + TSRM/tsrm_config.{nw,w32}.h \ + TSRM/tsrm_{nw,win32}.h \ + Zend/zend_config.{nw,w32}.h \ + main/config.{nw,w32}.h \ + main/win95nt.h + + # install PEAR + cp -r pear-build/* debian/php-pear/ + + # install extensions + ext=`./debian/libapache2-mod-php5/usr/bin/php-config --extension-dir`;\ + for i in libapache2-mod-php5 php5-cgi php5-cli; do \ + mkdir -p debian/$$i/$${ext}; \ + done; \ + cat debian/modulelist debian/extramodulelist | while read package extname dsoname; do \ + if [ -z "$$dsoname" ]; then dsoname=$$package; fi; \ + mkdir -p debian/php5-$$package$${ext}; \ + chrpath debian/libapache2-mod-php5/$${ext}/$$dsoname.so; \ + chrpath -d debian/libapache2-mod-php5/$${ext}/$$dsoname.so; \ + install ${install_strip} -m 644 -o root -g root \ + debian/libapache2-mod-php5/$${ext}/$$dsoname.so \ + debian/php5-$$package$${ext}/$$dsoname.so; \ + rm debian/libapache2-mod-php5/$${ext}/$$dsoname.so; \ + done + + # install CGI + cp cgi-build/sapi/cgi/cgi-bin.php5 debian/php5-cgi/usr/lib/cgi-bin/php5 + cp cgi-build/sapi/cgi/usr.bin.php5-cgi debian/php5-cgi/usr/bin/php5-cgi + cp cli-build/sapi/cli/php.1 debian/php5-cgi/usr/share/man/man1/php5-cgi.1 + + # install CLI + cp cli-build/sapi/cli/php debian/php5-cli/usr/bin/php5 + cp cli-build/sapi/cli/php.1 debian/php5-cli/usr/share/man/man1/php5.1 + + # move and install -dev files + dh_movefiles --sourcedir=debian/libapache2-mod-php5 + rm -rf debian/libapache2-mod-php5/usr/lib/php5/build/ \ + debian/libapache2-mod-php5/usr/include/ \ + debian/libapache2-mod-php5/usr/bin/ + for i in Makefile.global acinclude.m4 mkdep.awk phpize.m4 scan_makefile_in.awk; do \ + chmod 644 debian/php5-dev/usr/lib/php5/build/$$i; \ + done + # shipping duplicate files from other packages is hell for security audits + rm debian/php5-dev/usr/lib/php5/build/config.guess && \ + ln -s ../../../share/misc/config.guess debian/php5-dev/usr/lib/php5/build/config.guess + rm debian/php5-dev/usr/lib/php5/build/config.sub && \ + ln -s ../../../share/misc/config.sub debian/php5-dev/usr/lib/php5/build/config.sub + rm debian/php5-dev/usr/lib/php5/build/libtool.m4 && \ + ln -s ../../../share/libtool/libtool.m4 debian/php5-dev/usr/lib/php5/build/libtool.m4 + rm debian/php5-dev/usr/lib/php5/build/ltmain.sh && \ + ln -s ../../../share/libtool/ltmain.sh debian/php5-dev/usr/lib/php5/build/ltmain.sh + rm debian/php5-dev/usr/lib/php5/build/shtool && \ + ln -s ../../../bin/shtool debian/php5-dev/usr/lib/php5/build/shtool + # make php-dev stuff versioned + for i in php-config phpize; do \ + mv debian/php5-dev/usr/bin/$$i debian/php5-dev/usr/bin/"$$i"5; \ + mv debian/php5-dev/usr/share/man/man1/"$$i".1 debian/php5-dev/usr/share/man/man1/"$$i"5.1; \ + done + + # install common files + install -m755 debian/maxlifetime debian/php5-common/usr/lib/php5 + + # install lintian overrides + cp debian/php5.lintian-overrides $(CURDIR)/debian/php5-common/usr/share/lintian/overrides/php5-common + + touch install-stamp + +# Build architecture-independent files here. +# Pass -i to all debhelper commands in this target to reduce clutter. +binary-indep: DH_OPTIONS=-i +binary-indep: build install + # Need this version of debhelper for DH_OPTIONS to work. + dh_testdir + dh_testroot + cat debian/copyright.header LICENSE Zend/LICENSE > debian/copyright + + dh_installdocs + + for package in php5 php-pear; do \ + rm -rf debian/$$package/usr/share/doc/$$package; \ + ln -s php5-common debian/$$package/usr/share/doc/$$package; \ + done + + dh_link + dh_compress -Xphp.ini + dh_fixperms + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +# Build architecture-dependent files here. +binary-arch: build install + # Need this version of debhelper for DH_OPTIONS to work. + dh_testdir + dh_testroot + # Do this first so we don't overwrite any debhelper-generated files + # + # generate the maintscripts for various php + # modules from the templates. + cat debian/modulelist | while read package extname dsoname; do \ + if [ -z "$$dsoname" ]; then dsoname=$$package; fi; \ + sed -e"s/@extname@/$$extname/g; s/@dsoname@/$$dsoname/g; \ + /#EXTRA#/ r debian/php5-$${package}.postinst.extra" \ + < debian/php5-module.postinst \ + | sed -e'/#EXTRA#/ d' \ + > debian/php5-$${package}.postinst; \ + done + + # generate the config snippets for various php + # modules from the templates. + cat debian/modulelist debian/extramodulelist | while read package extname dsoname; do \ + if [ -z "$$dsoname" ]; then dsoname=$$package; fi; \ + mkdir -p debian/php5-$$package/etc/php5/conf.d; \ + sed -e"s/@extname@/$$extname/g; s/@dsoname@/$$dsoname/g" \ + < debian/php5-module.ini \ + > debian/php5-$${package}/etc/php5/conf.d/$${dsoname}.ini; \ + done + + # likewise, for the different sapi implementations + for tmpl in postrm links; do \ + for sapi in apache2 cgi cli; do \ + sed -e "s/@sapi@/$$sapi/g" \ + < debian/php5-sapi.$$tmpl \ + > debian/php5-$${sapi}.$$tmpl; \ + done; \ + mv debian/php5-apache2.$$tmpl debian/libapache2-mod-php5.$$tmpl; \ + done + + cat debian/copyright.header LICENSE Zend/LICENSE > debian/copyright + dh_installdocs -s + + cat debian/modulelist | while read package extname dsoname; do \ + rm -rf debian/php5-$$package/usr/share/doc/php5-$$package; \ + ln -s php5-common debian/php5-$$package/usr/share/doc/php5-$$package; \ + done + + for package in php5-dev php5-cgi php5-cli libapache2-mod-php5; do \ + rm -rf debian/$$package/usr/share/doc/$$package; \ + ln -s php5-common debian/$$package/usr/share/doc/$$package; \ + done + dh_installcron -pphp5-common --name=php5 + dh_installchangelogs -pphp5-common NEWS + dh_strip -s + dh_link -s + dh_compress -s -Xphp.ini + dh_fixperms -s -X /var/lib/php5 + mkdir -p debian/php5-common/usr/share/linda/overrides + echo "Tag: non-standard-dir-perm" >> debian/php5-common/usr/share/linda/overrides/php5-common + echo "Data: /var/lib/php5.*" >> debian/php5-common/usr/share/linda/overrides/php5-common + dh_installdeb -s + dh_shlibdeps -s + + phpapi=`./debian/php5-dev/usr/bin/php-config5 --phpapi`; \ + for i in libapache2-mod-php5 php5-cgi php5-cli; do \ + echo "php:Provides=phpapi-$${phpapi}" >> debian/$$i.substvars; \ + done; \ + cat debian/modulelist | while read package extname dsoname; do \ + echo "php:Depends=phpapi-$${phpapi}" >> debian/php5-$$package.substvars; \ + done + + for i in cgi cli; do \ + "$$i"-build/sapi/cli/php -n -r '$(BUILTIN_EXTENSION_CHECK)' \ + >> debian/php5-"$$i".substvars; \ + done + for i in apache2; do \ + "$$i"-build/sapi/cli/php -n -r '$(BUILTIN_EXTENSION_CHECK)' \ + >> debian/lib"$$i"-mod-php5.substvars; \ + done + + echo "apache2:Depends=apache2-mpm-prefork (>> 2.0.52) | apache2-mpm-itk, apache2.2-common" >>debian/libapache2-mod-php5.substvars + dh_gencontrol -s + dh_md5sums -s + dh_builddeb -s + +binary: binary-arch binary-indep +.PHONY: build clean binary-indep binary-arch binary install configure --- php5-5.2.4.orig/debian/php5-cgi.prerm +++ php5-5.2.4/debian/php5-cgi.prerm @@ -0,0 +1,14 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" != "remove" -a "$1" != "purge" ]; then + exit 0 +fi + +update-alternatives --remove php-cgi /usr/bin/php5-cgi +update-alternatives --remove php-cgi-bin /usr/lib/cgi-bin/php5 + +exit 0 --- php5-5.2.4.orig/debian/php5-sapi.postrm +++ php5-5.2.4/debian/php5-sapi.postrm @@ -0,0 +1,18 @@ +#! /bin/sh + +set -e + +phpini=/etc/php5/@sapi@/php.ini + +case "$1" in +purge) + if which ucf >/dev/null 2>&1; then + ucf --purge $phpini + fi + rm -f $phpini + ;; +esac + +#DEBHELPER# + +exit 0 --- php5-5.2.4.orig/debian/README.Debian.security +++ php5-5.2.4/debian/README.Debian.security @@ -0,0 +1,22 @@ +the Debian stable security team does not provide security support +for certain configurations known to be inherently insecure. Most +specifically, the security team will not provide support for flaws in: + +- problems which are not flaws in the design of php but can be problematic + when used by sloppy developers (for example, not checking the contents + of a tar file before extracting it). + +- vulnerabilities involving register_globals being activated, unless + specifically the vulnerability activates this setting when it was + configured as deactivated. + +- vulnerabilities involving any kind of safe_mode or open_basedir + violation, as these are security models flawed by design and no longer + have upstream support either. + +- any "works as expected" vulnerabilities, such as "user can cause php + to crash by writing a malcious php script", unless such vulnerabilities + involve some kind of higher-level DoS or privilege escalation that would + not otherwise be available. + + -- sean finney Tue, 10 Oct 2006 12:42:06 +0200 --- php5-5.2.4.orig/debian/php5-common.README.Debian +++ php5-5.2.4/debian/php5-common.README.Debian @@ -0,0 +1,143 @@ +Table of Contents: +--------------------------------------------------------------------- +* Using php5 with threaded webservers (eg. apache2-mpm-worker, caudium) +* Problems starting apache2 with php5 +* Session storage +* Other caveats +* php5-cgi and apache2 +* Restarting your web server after installing modules +* Configuration layout +* Further documentation, errata, etc + + +Using php5 with threaded webservers (eg. apache2-mpm-worker, caudium) +--------------------------------------------------------------------- + + After much back-and-forth with upstream (and even building our + packages thread-safe for a while), we're currently admitting defeat + on that front, and are NOT building any thread-safe versions of + PHP for any webservers. Our recommendation is that, if you need + to use a threaded webserver, you should use php5-cgi in either + 'normal' CGI mode, or in FastCGI mode. + +Adam Conrad Sun, 06 Feb 2005 08:24:56 -0700 + + +Problems starting apache2 with php5 +---------------------------------- + + At the time of writing, there are no *known* incompatibilities + between any of the php5 modules we ship. However, there have been + many bug reports in the past due to dynamically-loaded extensions, + and it's possible there are still bugs in the released packages. If + Apache fails to start after you install php5, check your list of + enabled extensions at the bottom of /etc/php5/apache2/php.ini (and in + the per-sapi configuration directory), and try commenting out or + reordering the extensions until you find a combination that works. + + For example, in the past the mhash extension was incompatible with + some other common extensions. To work around this, you could list + the mhash extension first in php.ini. + + If you find an extension-related bug in the Debian packages, and you + are willing to help debug the problem, please send us a bug report + that lists all enabled PHP5 extensions (extension=), in the order + in which they appear in php.ini, as well as all enabled Apache modules + (LoadModule), with version numbers where possible. + +Steve Langasek Fri, 26 Apr 2002 13:39:00 -0500 + + +Session storage +--------------- + + Session files are stored in /var/lib/php5. For security purposes, this + directory is unreadable by non-root users. This means that php5 running + from apache2, for example, will not be able to clean up stale session + files. Instead, we have a cron job run every 30 mins that cleans up + stale session files; /etc/cron.d/php5. You may need to modify how + often this runs, if you've modified session.gc_maxlifetime in your + php.ini; otherwise, it may be too lax or overly aggressive in cleaning + out stale session files. + +Andres Salomon Fri, 03 Sep 2004 03:12:54 -0400 + + +Other caveats +------------- + + * extension_dir and include_path should be commented out, if you don't need + special settings for them so php will look in compiled-in paths. If you set + them, you should also add appropriate php install directories there. + +php5-cgi and apache2 +--------------------------- + +In 99% of cases, what you probably want isn't php5-cgi at all, but rather +the libapache2-mod-php5 package, which will configure themselves on +installation and Just Work(tm). If, however, you have a need to use +the CGI version of php5 with apache2, the following should help +get you going, though there are dozens of different ways to do this. + +Please note that this process will never be made automatic, as php5-cgi +is meant to be a webserver-agnostic package that can be used with any +httpd, and we don't want it to conflict with the httpd-specific packages +such as libapache2-mod-php5. If both were installed side-by-side and both +were automatically enabled, the results would be a bit confusing, obviously. + +To use php5-cgi with apache2 + 1) activate CGI (it's on by default in default debian setups) + a) If using the prefork MPM, use 'a2enmod cgi' + b) If using a threaded MPM, use 'a2enmod cgid' + 2) activate mod_actions (a2enmod actions) + 3) Add the following to a config snippet in /etc/apache2/conf.d + + Action application/x-httpd-php /cgi-bin/php5 + + +Adam Conrad Sat, 04 Sep 2004 23:04:26 -0600 + +Restarting your web server after installing modules +--------------------------------------------------------------------- + +Many of the php modules (php5-mysql, for example) require that you +restart your webserver after installation. This currently isn't +done automatically, so changes won't take affect until you run +/etc/init.d/apache2 reload or your webserver's equivalent (some cases +may need to use "restart" instead of "reload" too) + +sean finney Sat, 09 Dec 2006 12:42:21 +0100 + +Configuration Layout +--------------------------------------------------------------------- + +Each of the 3 SAPI's (apache2/cgi/cli) have a different +central configuration file /etc/php5/$SAPI/php.ini. + +Additionally, each SAPI is configured with the compile-time option + + --with-config-file-scan-dir=/etc/php5/$SAPI/conf.d + +which for all SAPI's is actually a symlink pointing to a central +directory /etc/php5/conf.d. Any file found in this directory ending +in .ini will be treated as a configuration file by the php SAPI. + +The rationale with this method is that each SAPI can thus be +identically configured with a minimal amount of conffile handling, +but at the same time if you want to have SAPI-specific configuration, +you can just remove the symlink. + +sean finney Thu, 19 Oct 2006 23:33:05 +0200 + +Further documentation, errata, etc +--------------------------------------------------------------------- + +Errata and other general information about PHP in Debian can be found +in the debian wiki at: + + http://wiki.debian.org/PHP + +If after reading the documentation in this file you still have unanswered +questions, that's a good next place to go. + +sean finney Thu, 19 Oct 2006 22:57:52 +0200 --- php5-5.2.4.orig/debian/php5-dev.postinst +++ php5-5.2.4/debian/php5-dev.postinst @@ -0,0 +1,17 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" != "configure" ]; then + exit 0 +fi + +for i in php-config phpize; do + update-alternatives \ + --install /usr/bin/"$i" $i /usr/bin/"$i"5 50 \ + --slave /usr/share/man/man1/"$i".1.gz "$i".1.gz /usr/share/man/man1/"$i"5.1.gz +done + +exit 0 --- php5-5.2.4.orig/debian/watch +++ php5-5.2.4/debian/watch @@ -0,0 +1,2 @@ +version=2 +http://www.php.net/downloads.php /get/php-(5\.[0-9\.]*)\.tar\.gz/from/a/mirror --- php5-5.2.4.orig/debian/php5.lintian-overrides +++ php5-5.2.4/debian/php5.lintian-overrides @@ -0,0 +1 @@ +php5-common: non-standard-dir-perm var/lib/php5/ 1733 != 0755 --- php5-5.2.4.orig/debian/php5-module.ini +++ php5-5.2.4/debian/php5-module.ini @@ -0,0 +1,2 @@ +# configuration for php @extname@ module +extension=@dsoname@.so --- php5-5.2.4.orig/debian/modulelist +++ php5-5.2.4/debian/modulelist @@ -0,0 +1,19 @@ +curl CURL +gd GD +gmp GMP +imap IMAP +interbase Interbase +ldap LDAP +mcrypt MCrypt +mhash MHASH +mysql MySQL +odbc ODBC +pgsql PostgreSQL +pspell pspell +recode recode +snmp SNMP +sqlite SQLite +sybase Sybase mssql +tidy tidy +xmlrpc XML-RPC +xsl XSL --- php5-5.2.4.orig/debian/php5-common.docs +++ php5-5.2.4/debian/php5-common.docs @@ -0,0 +1,10 @@ +CREDITS +EXTENSIONS +TODO +CODING_STANDARDS +README.CVS-RULES +README.EXT_SKEL +README.SELF-CONTAINED-EXTENSIONS +README.Zeus +README.PHP4-TO-PHP5-THIN-CHANGES +debian/README.Debian.security --- php5-5.2.4.orig/debian/libapache2-mod-php5.conf +++ php5-5.2.4/debian/libapache2-mod-php5.conf @@ -0,0 +1,4 @@ + + AddType application/x-httpd-php .php .phtml .php3 + AddType application/x-httpd-php-source .phps + --- php5-5.2.4.orig/debian/php5-common.postrm +++ php5-5.2.4/debian/php5-common.postrm @@ -0,0 +1,12 @@ +#! /bin/bash + +set -e + +if [ "$1" = "purge" ] +then + rm -rf /var/lib/php5 +fi + +#DEBHELPER# + +exit 0 --- php5-5.2.4.orig/debian/php5-sybase.postinst.extra +++ php5-5.2.4/debian/php5-sybase.postinst.extra @@ -0,0 +1,6 @@ +OLD_CONFFILE=/etc/php5/conf.d/sybase_ct.ini +if [ -e "$OLD_CONFFILE" ] && dpkg --compare-versions "$2" lt-nl 5.2.3-2 +then + rm $OLD_CONFFILE +fi + --- php5-5.2.4.orig/debian/extramodulelist +++ php5-5.2.4/debian/extramodulelist @@ -0,0 +1,8 @@ +mysql MySQL mysqli +mysql MySQL pdo_mysql +interbase InterBase/Firebird pdo_firebird +common PDO pdo +odbc ODBC pdo_odbc +pgsql PostgreSQL pdo_pgsql +sqlite SQLite pdo_sqlite +sybase Sybase pdo_dblib --- php5-5.2.4.orig/debian/libapache2-mod-php5.load +++ php5-5.2.4/debian/libapache2-mod-php5.load @@ -0,0 +1 @@ +LoadModule php5_module /usr/lib/apache2/modules/libphp5.so --- php5-5.2.4.orig/debian/php5-module.postinst +++ php5-5.2.4/debian/php5-module.postinst @@ -0,0 +1,27 @@ +#!/bin/sh + +set -e + +# here we test for upgrades from versions prior to the config-file-scan-dir +# migration. +# +# to avoid lots of scary warnings about duplicate-loaded modules, each +# module will remove its "extension=" line from each SAPI's php.ini file +# when upgrading from a "prior version". this will be the last time we +# ever muck with such files in maintainer scripts. really. promise :) + +if [ "$2" ] && dpkg --compare-versions "$2" lt "5.1.6-5"; then + extension_re='^[[:space:]]*extension[[:space:]]*=[[:space:]]*@dsoname@\.so$' + for SAPI in apache apache2 cgi cli; do + ini_file="/etc/php5/$SAPI/php.ini" + if [ -f "$ini_file" ]; then + if grep -q "$extension_re" $ini_file; then + sed -i -e "/$extension_re/d" $ini_file + fi + fi + done +fi + +#EXTRA# +#DEBHELPER# + --- php5-5.2.4.orig/debian/changelog +++ php5-5.2.4/debian/changelog @@ -0,0 +1,3311 @@ +php5 (5.2.4-2ubuntu5.26) hardy-security; urgency=low + + * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences + - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in + main/SAPI.c. + - CVE-2011-1398 + - CVE-2012-4388 + * SECURITY UPDATE: denial of service and possible code execution via + _php_stream_scandir function (LP: #1028064) + - debian/patches/CVE-2012-2688.patch: prevent overflow in + main/streams/streams.c. + - CVE-2012-2688 + * SECURITY UPDATE: denial of service via PDO extension crafted parameter + - debian/patches/CVE-2012-3450.patch: improve logic in + ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add + test to ext/pdo_mysql/tests/bug_61755.phpt. + - CVE-2012-3450 + + -- Marc Deslauriers Wed, 12 Sep 2012 11:51:06 -0400 + +php5 (5.2.4-2ubuntu5.25) hardy-security; urgency=low + + * SECURITY UPDATE: denial of service via invalid tidy objects + - debian/patches/CVE-2012-0781.patch: track initialization in + ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt, + ext/tidy/tests/bug54682.phpt. + - CVE-2012-0781 + * SECURITY UPDATE: denial of service or possible directory traversal via + invalid filename. + - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in + main/rfc1867.c, add test to tests/basic/bug55500.phpt. + - CVE-2012-1172 + * SECURITY UPDATE: improve php5-cgi query string parameter parsing + - debian/patches/CVE-2012-233x.patch: improve parsing in + sapi/cgi/cgi_main.c. + - CVE-2012-2335 + - CVE-2012-2336 + + -- Marc Deslauriers Tue, 12 Jun 2012 16:02:25 -0400 + +php5 (5.2.4-2ubuntu5.24) hardy-security; urgency=low + + * SECURITY UPDATE: php5-cgi query string parameters parsing + vulnerability + - debian/patches/php5-CVE-2012-1823.patch: filter query strings that + are prefixed with '-' + - CVE-2012-1823 + - CVE-2012-2311 + + -- Steve Beattie Thu, 03 May 2012 15:33:40 -0700 + +php5 (5.2.4-2ubuntu5.23) hardy-security; urgency=low + + * debian/patches/php5-CVE-2012-0831-regression.patch: fix + magic_quotes_gpc ini setting regression introduced by patch for + CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115) + + -- Steve Beattie Fri, 10 Feb 2012 15:34:36 -0800 + +php5 (5.2.4-2ubuntu5.22) hardy-security; urgency=low + + * SECURITY UPDATE: memory allocation failure denial of service + - debian/patches/php5-CVE-2011-4153.patch: check result of + zend_strdup() and calloc() for failed allocations + - CVE-2011-4153 + * SECURITY UPDATE: predictable hash collision denial of service + - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars + directive with default limit of 1000 + - ATTENTION: this update changes previous php5 behavior by + limiting the number of external input variables to 1000. + This may be increased by adding a "max_input_vars" + directive to the php.ini configuration file. See + http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars + for more information. + - CVE-2011-4885 + * SECURITY UPDATE: remote code execution vulnerability introduced by + the fix for CVE-2011-4885 + - debian/patches/php5-CVE-2012-0830.patch: return rather than + continuing if max_input_vars limit is reached + - CVE-2012-0830 + * SECURITY UPDATE: XSLT arbitrary file overwrite attack + - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs + ini option to define forbidden operations within XSLT stylesheets + - CVE-2012-0057 + * SECURITY UPDATE: PDORow session denial of service + - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when + attempting to serialize PDORow instances + - CVE-2012-0788 + * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability + - debian/patches/php5-CVE-2012-0831.patch: always restore + magic_quote_gpc on request shutdown + - CVE-2012-0831 + + -- Steve Beattie Wed, 08 Feb 2012 17:31:25 -0800 + +php5 (5.2.4-2ubuntu5.19) hardy-security; urgency=low + + * SECURITY UPDATE: Denial of service and possible information disclosure + via exif integer overflow + - debian/patches/php5-CVE-2011-4566.patch: fix count checks in + ext/exif/exif.c. + - CVE-2011-4566 + + -- Marc Deslauriers Tue, 13 Dec 2011 11:51:52 -0500 + +php5 (5.2.4-2ubuntu5.18) hardy-security; urgency=low + + [ Angel Abad ] + * SECURITY UPDATE: File path injection vulnerability in RFC1867 File + upload filename (LP: #813115) + - debian/patches/php5-CVE-2011-2202.patch: + - CVE-2011-2202 + + [ Steve Beattie ] + * SECURITY UPDATE: DoS due to failure to check for memory allocation errors + - debian/patches/php5-CVE-2011-3182.patch: check the return values + of the malloc, calloc, and realloc functions + - CVE-2011-3182 + * SECURITY UPDATE: Information leak via strchr interrupt (LP: #852865) + - debian/patches/php5-CVE-2010-2484.patch: grab references before + converting to string + - CVE-2010-2484 + + -- Steve Beattie Fri, 14 Oct 2011 20:10:17 -0700 + +php5 (5.2.4-2ubuntu5.17) hardy-security; urgency=low + + * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix + mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452) + * debian/patches/php5-CVE-2010-4697-regression.patch: fix regression + in reference counting added by fix for CVE-2010-4697 (LP: #776642) + + -- Steve Beattie Wed, 04 May 2011 01:45:03 -0700 + +php5 (5.2.4-2ubuntu5.15) hardy-security; urgency=low + + * SECURITY UPDATE: arbitrary files removal via cronjob + - debian/php5-common.php5.cron.d: take greater care when removing + session files. + - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09 + - CVE-2011-0441 + * SECURITY UPDATE: symlink tmp races in pear install + - debian/patches/php5-pear-CVE-2011-1072.patch: improved + tempfile handling. + - debian/rules: apply patch manually after unpacking PEAR phar + archive. + - CVE-2011-1072 + * SECURITY UPDATE: more symlink races in pear install + - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save + file handler. + - debian/rules: apply patch manually after unpacking PEAR phar + archive. + - CVE-2011-1144 + * SECURITY UPDATE: use-after-free vulnerability + - debian/patches/php5-CVE-2010-4697.patch: retain reference to + object until getter/setter are done. + - CVE-2010-4697 + * SECURITY UPDATE: denial of service through application crash with + invalid images + - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing + steps are either 4 or 16. + - CVE-2010-4698 + * SECURITY UPDATE: denial of service through application crash + - debian/patches/php5-CVE-2011-0421.patch: fail operation gracefully + when handling zero sized zipfile with the FL_UNCHANGED argument + - CVE-2011-0421 + * SECURITY UPDATE: denial of service through application crash when + handling images with invalid exif tags + - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking + - CVE-2011-0708 + * SECURITY UPDATE: denial of service and possible data disclosure + through integer overflow + - debian/patches/php5-CVE-2011-1092.patch: better boundary + condition checks in shmop_read() + - CVE-2011-1092 + * SECURITY UPDATE: use-after-free vulnerability + - debian/patches/php5-CVE-2011-1148.patch: improve reference + counting + - CVE-2011-1148 + * SECURITY UPDATE: denial of service through buffer overflow crash + (code execution mitigated by compilation with Fortify Source) + - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision + to ensure fitting within MAX_BUF_SIZE + - CVE-2011-1464 + * SECURITY UPDATE: denial of service through application crash via + integer overflow. + - debian/patches/php5-CVE-2011-1466.patch: improve boundary + condition checking in SdnToJulian() + - CVE-2011-1466 + * SECURITY UPDATE: denial of service through application crash + when using HTTP proxy with the FTP wrapper + - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling + - CVE-2011-1469 + * SECURITY UPDATE: denial of service through application crash when + handling ziparchive streams + - debian/patches/php5-CVE-2011-1470.patch: set necessary elements of + the meta data structure + - CVE-2011-1470 + * SECURITY UPDATE: denial of service through application crash when + handling malformed zip files + - debian/patches/php5-CVE-2011-1471.patch: correct integer + signedness error when handling zip_fread() return value. + - CVE-2011-1471 + + -- Steve Beattie Thu, 28 Apr 2011 05:23:21 -0700 + +php5 (5.2.4-2ubuntu5.14) hardy-security; urgency=low + + * debian/patches/php5-CVE-2010-3436-regression.patch: update + main/fopen_wrappers.c to include fix for open_basedir restriction + regression (LP: #701896) + + -- Steve Beattie Wed, 12 Jan 2011 07:07:32 -0800 + +php5 (5.2.4-2ubuntu5.13) hardy-security; urgency=low + + * SECURITY UPDATE: overflow leading to xml decode bypass + - debian/patches/php5-CVE-2009-5016.patch: convert short to int to + prevent overflow in bit operations + - CVE-2009-5016 + * SECURITY UPDATE: xml decode bypass + - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding + - CVE-2010-3870 + * SECURITY UPDATE: open_basedir bypass + - debian/patches/php5-CVE-2010-3436.patch: more strict checking in + php_check_specific_open_basedir() + - CVE-2010-3436 + * SECURITY UPDATE: NULL pointer dereference crash + - debian/patches/php5-CVE-2010-3709.patch: check for NULL when + getting zip comment + - CVE-2010-3709 + * SECURITY UPDATE: memory consumption denial of service + - debian/patches/php5-CVE-2010-3710.patch: check for email address + longer than RFC 2821 allows + - CVE-2010-3710 + * SECURITY UPDATE: infinite loop/denial of service when dealing with + certain textual forms of MAX_FLOAT (LP: #697181) + - debian/patches/php5-CVE-2010-4645.patch: treat local doubles + as volatile to avoid x87 registers in zend_strtod() + - CVE-2010-4645 + + -- Steve Beattie Sat, 08 Jan 2011 06:52:44 -0800 + +php5 (5.2.4-2ubuntu5.12) hardy-security; urgency=low + + * SECURITY UPDATE: denial of service via xmlrpc crafted argument + - debian/patches/CVE-2010-0397.patch: make sure method_name isn't empty + in ext/xmlrpc/xmlrpc-epi-php.c, add test to + ext/xmlrpc/tests/bug51288.phpt. + - CVE-2010-0397 + * SECURITY UPDATE: weak entropy in Linear Congruential Generator (LCG) + - debian/patches/CVE-2010-1128.patch: add more entropy in + ext/standard/lcg.c. + - CVE-2010-1128 + * SECURITY UPDATE: safe_mode bypass via trailing slash in dir pathnames + - debian/patches/CVE-2010-1129.patch: properly validate pathname in + ext/standard/file.c. + - CVE-2010-1129 + * SECURITY UPDATE: safe_mode bypass via semicolon in session_save_path + - debian/patches/CVE-2010-1130.patch: check for semicolon in + ext/session/session.c. + - CVE-2010-1130 + * SECURITY UPDATE: arbitrary code execution via empty SQL query + - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in + ext/sqlite/sqlite.c. + - CVE-2010-1868 + * SECURITY UPDATE: denial of service via fnmatch stack consumption + - debian/patches/CVE-2010-1917.patch: limit size of pattern in + ext/standard/file.c. + - CVE-2010-1917 + * SECURITY UPDATE: sensitive information disclosure or arbitrary code + execution via use-after-free in SplObjectStorage unserializer + - debian/patches/CVE-2010-2225.patch: fix logic in + ext/spl/spl_observer.c. + - CVE-2010-2225 + * SECURITY UPDATE: sensitive information disclosure via error messages + - debian/patches/CVE-2010-2531.patch: don't display data when flushing + output buffer in ext/standard/{var.c,php_var.h}. + - CVE-2010-2531 + * SECURITY UPDATE: arbitrary session variable modification via crafted + session variable name + - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in + ext/session/session.c. + - CVE-2010-3065 + + -- Marc Deslauriers Mon, 20 Sep 2010 08:13:12 -0400 + +php5 (5.2.4-2ubuntu5.10) hardy-security; urgency=low + + * SECURITY UPDATE: information disclosure and denial of service via + zend_restore_ini_entry_cb function. + - debian/patches/CVE-2009-2626.patch: make sure new_value exists in + main/main.c, gracefully handle failure in Zend/zend_ini.c. + - CVE-2009-2626 + * SECURITY UPDATE: Cross-site scripting via incomplete htmlspecialchars + filtering + - debian/patches/CVE-2009-4142.patch: rewrite handling logic in + ext/standard/html.c, add ext/standard/tests/strings/bug49785.phpt + test script. + - CVE-2009-4142 + * SECURITY UPDATE: restrictions bypass via incorrect session data + handling + - debian/patches/CVE-2009-4143.patch: protect from interrupt + corruption in ext/session/session.c. + - CVE-2009-4143 + + -- Marc Deslauriers Wed, 06 Jan 2010 09:39:23 -0500 + +php5 (5.2.4-2ubuntu5.9) hardy-security; urgency=low + + * SECURITY UPDATE: file truncation via key with null byte + - debian/patches/CVE-2008-7068.patch: make sure key and value are sane + in ext/dba/libinifile/inifile.c. + - CVE-2008-7068 + * SECURITY UPDATE: certificate spoofing via null-byte certs (LP: #446313) + - debian/patches/CVE-2009-3291.patch: validate certificate's CN length + in ext/openssl/openssl.c. + - CVE-2009-3291 + * SECURITY UPDATE: denial of service via malformed exif images + (LP: #446313) + - debian/patches/CVE-2009-3292.patch: check length, return codes, and + nesting level in ext/exif/exif.c. + - CVE-2009-3292 + * SECURITY UPDATE: safe_mode bypass via tempam function + - debian/patches/CVE-2009-3557.patch: check for safe_mode in + ext/standard/file.c. + - CVE-2009-3557 + * SECURITY UPDATE: open_basedir restrictions bypass via posix_mkfifo + - debian/patches/CVE-2009-3558.patch: check for open_basedir in + ext/posix/posix.c. + - CVE-2009-3558 + * SECURITY UPDATE: denial of service via large number of files in + form-data POST request. + - debian/patches/CVE-2009-4017.patch: introduce new "max_file_uploads" + directive and enforce in main/main.c, main/rfc1867.c. + - ATTENTION: this update changes previous php5 behaviour by limiting + the number of files in a POST request to 50. This may be increased + by adding a "max_file_uploads" directive to the php.ini configuration + file. + - CVE-2009-4017 + * SECURITY UPDATE: safe_mode_protected_env_vars bypass via proc_open() + - debian/patches/CVE-2009-4018.patch: add safe_mode check in + ext/standard/proc_open.c + - CVE-2009-4018 + + -- Marc Deslauriers Thu, 26 Nov 2009 08:07:41 -0500 + +php5 (5.2.4-2ubuntu5.7) hardy-security; urgency=low + + * SECURITY UPDATE: denial of service via malformed JPEG image with + invalid offset fields + - debian/patches/131_SECURITY_CVE-2009-2687.patch: validate + offset_of_ifd in ext/exif/exif.c. + - CVE-2009-2687 + + -- Marc Deslauriers Fri, 21 Aug 2009 10:44:33 -0400 + +php5 (5.2.4-2ubuntu5.6) hardy-security; urgency=low + + * SECURITY UPDATE: cross-site scripting vulnerability when display_errors + is enabled. + - debian/patches/128_SECURITY_CVE-2008-5814.patch: don't print back + cookie names or values in ext/standard/head.c. + - CVE-2008-5814 + * SECURITY UPDATE: mbstring.func_overload setting in .htaccess affects + other virtual hosts. + - debian/patches/129_SECURITY_CVE-2009-0754.patch: don't terminate on + the first function that is not overloaded in ext/mbstring/mbstring.c. + - CVE-2009-0754 + * SECURITY UPDATE: denial of service via malformed string to the + json_decode API function. + - debian/patches/130_SECURITY_CVE-2009-1271.patch: add extra mode + checks in ext/json/JSON_parser.c. Add test to ext/json/tests/001.phpt. + - CVE-2009-1271 + + -- Marc Deslauriers Fri, 17 Apr 2009 08:13:48 -0400 + +php5 (5.2.4-2ubuntu5.5) hardy-security; urgency=low + + * SECURITY UPDATE: php_admin_value and php_admin_flag restrictions bypass via + ini_set. (LP: #228095) + - debian/patches/120_SECURITY_CVE-2007-5900.patch: add new + zend_alter_ini_entry_ex() function that extends zend_alter_ini_entry() by + making sure the entry can be modified in Zend/zend_ini.{c,h}, + Zend/zend_vm_def.h, and Zend/zend_vm_execute.h. + - CVE-2007-5900 + * SECURITY UPDATE: denial of service and possible arbitrary code execution + via crafted font file. (LP: #286851) + - debian/patches/121_SECURITY_CVE-2008-3658.patch: make sure font->nchars, + font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add + test script ext/gd/tests/imageloadfont_invalid.phpt. + - CVE-2008-3658 + * SECURITY UPDATE: denial of service and possible arbitrary code execution + via the delimiter argument to the explode function. (LP: #286851) + - debian/patches/122_SECURITY_CVE-2008-3659.patch: make sure needle_length + is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test + script ext/standard/tests/strings/explode_bug.phpt. + - CVE-2008-3659 + * SECURITY UPDATE: denial of service via a request with multiple dots + preceding the extension. (ex: foo..php) (LP: #286851) + - debian/patches/123_SECURITY_CVE-2008-3660.patch: improve .. cleaning with + a new is_valid_path() function in sapi/cgi/cgi_main.c. + - CVE-2008-3660 + * SECURITY UPDATE: mbstring extension arbitrary code execution via crafted + string containing HTML entity. (LP: #317672) + - debian/patches/124_SECURITY_CVE-2008-5557.patch: improve + mbfl_filt_conv_html_dec_flush() error handling in + ext/mbstring/libmbfl/filters/mbfilter_htmlent.c. + - CVE-2008-5557 + * SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable + settings. + - debian/patches/125_SECURITY_CVE-2008-5624.patch: make sure the page_uid + and page_gid get initialized properly in ext/standard/basic_functions.c. + Also, init server_context before processing config variables in + sapi/apache/mod_php5.c. + - CVE-2008-5624 + * SECURITY UPDATE: arbitrary file write by placing a "php_value error_log" + entry in a .htaccess file. + - debian/patches/126_SECURITY_CVE-2008-5625.patch: enforce restrictions + when merging in dir entry in sapi/apache/mod_php5.c and + sapi/apache2handler/apache_config.c. + - CVE-2008-5625 + * SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip + file with dot-dot filenames. + - debian/patches/127_SECURITY_CVE-2008-5658.patch: clean up filename paths + in ext/zip/php_zip.c with new php_zip_realpath_r(), + php_zip_virtual_file_ex() and php_zip_make_relative_path() functions. + - CVE-2008-5658 + + -- Marc Deslauriers Tue, 27 Jan 2009 14:22:51 -0500 + +php5 (5.2.4-2ubuntu5.4) hardy-proposed; urgency=low + + * debian/rules: + - Use system tzdata. + * debian/patches/use_embedded_timezonedb.patch + - Patch taken from intrepid, allows us to default to using the system + provided timezone database insteam of the one bundled with PHP. + (LP: #279980) + * debian/patches/fix-xmlrpc-datetime.diff + - Patch taken from php CVS, prevents stack smashing when using xmlrpc and datetime. + (LP: #239513) + + -- Chuck Short Wed, 22 Oct 2008 13:08:33 +0000 + +php5 (5.2.4-2ubuntu5.3) hardy-security; urgency=low + + [ Tormod Volden ] + * Backport security fixes from 5.2.6: (LP: #227464) + - debian/patches/SECURITY_CVE-2008-2050.patch + + Fixed possible stack buffer overflow in FastCGI SAPI + + Fixed sending of uninitialized paddings which may contain some + information + - debian/patches/SECURITY_CVE-2008-0599.patch + + Fixed security issue detailed in CVE-2008-0599 + - debian/patches/SECURITY_CVE-2007-4850.patch + + Fixed a safe_mode bypass in cURL identified by Maksymilian + Arciemowicz + - debian/patches/security526-pcre_compile.patch: + + avoid stack overflow (fix from pcre 7.6) + + [ Jamie Strandboge ] + * debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete + multibyte chars inside escapeshellcmd() (thanks Tormod Volden) + * Add debian/patches/SECURITY_CVE-2007-5898.patch: don't accept partial utf8 + sequences. Backported upstream fixes. + * Add debian/patches/SECURITY_CVE-2007-5899.patch: don't send session id to + remote forms. Backported upstream fixes. + * Add debian/patches/SECURITY_CVE-2008-2829.patch: unsafe usage of + deprecated imap functions (patch from Debian) + * Add debian/patches/SECURITY_CVE-2008-1384.patch: integer overflow in + printf() (patch from Debian) + * Add debian/patches/SECURITY_CVE-2008-2107+2108.patch: weak random number + seed. Backported upstream patches. + * Add debian/patches/SECURITY_CVE-2007-4782.patch: DoS via long string in + the fnmatch functions + * Add debian/patches/SECURITY_CVE-2008-2371.patch: buffer overflow. + Backported upstream patches. + * References + CVE-2008-2050 + CVE-2008-2051 + CVE-2008-0599 + CVE-2007-4850 + CVE-2007-5898 + CVE-2007-5899 + CVE-2008-2829 + CVE-2008-1384 + CVE-2008-2107 + CVE-2008-2108 + CVE-2007-4782 + CVE-2008-2371 + + -- Jamie Strandboge Fri, 18 Jul 2008 11:50:38 -0400 + +php5 (5.2.4-2ubuntu5.2) hardy-proposed; urgency=low + + * debian/patches/119-sybase-alias.patch. + - Fixes missing sybase support. (LP: #240519) + + -- Chuck Short Thu, 19 Jun 2008 13:51:19 -0400 + +php5 (5.2.4-2ubuntu5.1) hardy-proposed; urgency=low + + * debian/patches/043-recode_size_t.patch. + - Fix php-recode segfaulting on amd64. (LP: #219528). + + -- Chuck Short Wed, 30 Apr 2008 13:37:19 -0400 + +php5 (5.2.4-2ubuntu5) hardy; urgency=low + + * fixes strtotime support for 64 bit timestamps (LP: #194318) + - Upstream: http://bugs.php.net/bug.php?id=44209 + * Update tests to account for newly working timestamps + - Upstream: http://bugs.php.net/?id=44219 + + -- Dustin Kirkland Wed, 27 Feb 2008 13:00:18 -0500 + +php5 (5.2.4-2ubuntu4) hardy; urgency=low + + * No-change rebuild against libldap-2.4-2. + + -- Steve Langasek Fri, 25 Jan 2008 14:19:57 +0000 + +php5 (5.2.4-2ubuntu3) hardy; urgency=low + + * Rebuild again, some build dependency still pulled in db4.5 last time. + + -- Martin Pitt Fri, 04 Jan 2008 08:45:05 +0100 + +php5 (5.2.4-2ubuntu2) hardy; urgency=low + + * debian/patches/use-specific-libdb-version.patch: Support db4.6, too. + * debian/control: Build against db4.6. + + -- Martin Pitt Thu, 03 Jan 2008 11:13:25 +0100 + +php5 (5.2.4-2ubuntu1) hardy; urgency=low + + * Merge from Debian unstable (LP: #176011). Remaining Ubuntu changes: + - debian/control, debian/rules: Disable a few build dependencies and + accompanying binary packages which we do not want to support in main: + + firebird2-dev/php5-interbase (we have a separate php-interbase source) + + libc-client-dev/php5-imap (we have a separate php-imap source) + + libmcrypt-dev/php5-mcrypt (separate php-mcrypt source) + - debian/rules: Correctly mangle PHP5_* macros for lpia + - debian/control: DebianMaintainerField + * Builds php5-gmp (LP: #176013) + * Fixes sybase_ct for MS SQL (LP: #21995) + * New Ubuntu changes: + - debian/rules: use 32M memory_limit for CLI and 16M for cgi/libapache + (LP: #148871) + - debian/control, debian/rules: Configure CLI with --with-libedit for + readline support again, now that the libedit issue is fixed. + Extended debian/patches/027-readline_is_editline.patch (LP: #124846) + - Force build against db4.4 (by ignoring db4.5 if it is installed), + debian/patches/use-specific-libdb-version.patch (LP: #165247) + + -- dAniel hAhler Wed, 19 Dec 2007 10:48:04 +0100 + +php5 (5.2.4-2) unstable; urgency=low + + [ sean finney ] + * for posterity revised previous changelog to reference the CVE id's + of security issues resolved by the latest upstream release. + * lintian: use debian/compat instead of DH_COMPAT in debian/rules. + * lintian: use source:Version and binary:Version where appropriate, + instead of Source-Version + * lintian: remove a couple pieces of cruft in the changelog that were causing + false-postive wrong-bug-number-in-closes, but were generally useless + anyway. + + [ Raphael Geissert ] + * Using test-results.txt as a target + * cronjob now checks for existance of /usr/lib/php5/maxlifetime (Closes: #439286) + * Fixed memory limit of 1232M in php.ini for cli (Closes: #440624) + * Build the interbase extension using firebird2.0-dev (Closes: #433736) + * Unapply patches with debian/rules clean + + [ Steve Langasek ] + * Don't patch configure or php_config.h.in in suhosin.patch, as these are + auto-generated and including them in the patch results in a race + condition for the necessary build-time regeneration. Thanks to Daniel + Schepler for reporting, and to Damyan Ivanov for helping to sort out the + fix. Closes: #443637. + * Also remove the modified auto-generated files in the clean target, + which triggers a warning about disappearing files when building the + source package but avoids carrying irrelevant diffs to these files + in the Debian diff. + * Now that the testsuite is being run at build time, test failures cause + a bunch of junk files to be left around in the Debian diff. So clean up + several false-positive failures: + - 052-phpinfo_no_configure.patch: we're patching the output of phpinfo(), + so patch the test as well + - fix_broken_upstream_tests.patch: use a local directory for tests that + use sessions, skip the phpinfo test after all because it doesn't appear + to be compatible with current testsuite behavior, and disable the + moneyformat test if en_US locale is not available. + There are still several other failing tests, but these are not false + positives and remain enabled pending investigation. + + -- sean finney Wed, 24 Oct 2007 21:51:14 +0200 + +php5 (5.2.4-1) unstable; urgency=low + + * New upstream release. + * Security issues resolved in the latest release: + - CVE-2007-2519 - Directory traversal vulnerability in PEAR + + + [ sean finney ] + * patch from Jan Wagner to be able to conditionally disable any + patches that break binary-compatibility with official php + binary-only extensions. see debian/rules for more information. + * now incorporate the php unit tests into the build process. for + those interested the output is stored in the file + /usr/share/doc/php5-common/test-results.txt . + * by default we now ship with enable_dl = Off, as there are some + fairly significant ramifications security-wise to having it on. + * we shipping with the suhosin patch enabled by default. + special thanks to Blars Blarson for providing a sparc machine for + testing purposes with 5.2.3 (closes: #397179). + * new binary package php5-gmp, with the newly enabled gmp extension, + since whatever reason for not doing so either never existed or no + no longer exists (closes: #344137). Build-Depends added for libgmp3-dev. + + [ Steve Langasek ] + * php5-module.postinst: don't assume that the postinst is only relevant + when called with 'configure' as an argument, some future debhelper code + could apply in the case of other methods of invocation. + * Clean up build dependencies for recent library transitions: + - libsnmp-dev is now the real package name, and is supported as a virtual + package for backports. + - re-add firebird2-dev as an alternative to firebird1.5-dev, to support + backports. + - the curl -dev package name has changed from libcurl3-openssl-dev to + libcurl4-openssl-dev; update to the proper name, with libcurl-dev as + an alternative. + * Switch php5-sybase to use the mssql extension instead of the sybase_ct + extension. Closes: #418734, #329065. + + -- sean finney Sun, 16 Sep 2007 14:46:06 +0200 + +php5 (5.2.3-1ubuntu7) hardy; urgency=low + + * Rebuild for libsnmp10 -> libsnmp15 transition. + + -- Steve Kowalik Mon, 10 Dec 2007 20:33:11 +1100 + +php5 (5.2.3-1ubuntu6) gutsy; urgency=low + + * Trigger rebuild for hppa + + -- LaMont Jones Thu, 04 Oct 2007 12:18:16 -0600 + +php5 (5.2.3-1ubuntu5) gutsy; urgency=low + + * debian/rules: + - Fix broken memory_limit mangling for php5-cli. (LP: #109079) + - Don't clean out debian/copyright. (iz soyuz bug..) + * debian/php5-cli.postinst, debian/rules: + - Use same php.ini-dist for all flavours. The only difference used to be + cli having a higher memory_limit value, but upstream has changed this to + 128MB, which is higher than both of the previous values. + + -- Soren Hansen Mon, 03 Sep 2007 08:51:34 +0200 + +php5 (5.2.3-1ubuntu4) gutsy; urgency=low + + * debian/rules: Correctly mangle PHP5_* macros for lpia. + + -- Matthias Klose Fri, 10 Aug 2007 08:20:08 +0000 + +php5 (5.2.3-1ubuntu2) gutsy; urgency=low + + * Rebuild for the libcurl transition mess. + + -- Steve Kowalik Thu, 5 Jul 2007 00:12:51 +1000 + +php5 (5.2.3-1ubuntu1) gutsy; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/changelog: Add some missing CVEs. + - debian/control: DebianMaintainerField + - debian/control, debian/rules: Disable a few build dependencies and + accompanying binary packages which we do not want to support in main: + + firebird2-dev/php5-interbase (we have a separate php-interbase source) + + libc-client-dev/php5-imap (we have a separate php-imap source) + + libmcrypt-dev/php5-mcrypt (separate php-mcrypt source) + + -- Soren Hansen Mon, 11 Jun 2007 20:32:54 +0200 + +php5 (5.2.3-1) unstable; urgency=low + + * new upstream release. + * upstream has incorporated the last of the recent CVE fixes, so + the patches have been removed. + * change build dependencies for firebird2-dev -> firebird1.5-dev, + as the firebird maintainer has changed names in order to provide + more clarity since there's also a firebird2.0 now (closes: #427181). + * now include, but do not apply by default, the suhosin patch. see + NEWS.Debian for more information. + + -- sean finney Mon, 04 Jun 2007 22:02:10 +0200 + +php5 (5.2.2-2) unstable; urgency=low + + [sean finney] + - build with --with-ldap-sasl and modify build-depends to include + libsasl2-dev in order to get the ldap_sasl_bind function (closes: #422490). + - the json extension is now on by default in php builds, so there's + no need for the php5-json package. added a Provides/Conflicts to + help set an upgrade path. + - apache 1.x support is soon disappearing. as a consequence we are + no longer building the libapache-mod-php5 module. the php5 metapackage + should as a result bring in libapache2-mod-php5 by default for those who + already have it installed. + + -- sean finney Sun, 20 May 2007 21:59:56 +0200 + +php5 (5.2.2-1ubuntu1) gutsy; urgency=low + + * Merge to Debian unstable; remaining Ubuntu changes: + - debian/changelog: Add some missing CVEs. + - debian/control, debian/rules: Disable a few build dependencies and + accompanying binary packages which we do not want to support in main: + + apache-dev/libapache-mod-php5 (die, Apache 1, die!) + + firebird2-dev/php5-interbase (we have a separate php-interbase source) + + libc-client-dev/php5-imap (we have a separate php-imap source) + + libmcrypt-dev/php5-mcrypt (separate php-mcrypt source) + - Add missing libsqlite3-dev build dependency. + + -- Martin Pitt Tue, 15 May 2007 16:15:43 +0200 + +php5 (5.2.2-1) unstable; urgency=low + + [ sean finney ] + * new upstream release (closes: #422405). + * /most/ of the previous CVE patches have been committed upstream, though: + - the patch for MOPB-41 was fixed in a different way and we'll be keeping + our fix for the time being. + - it doesn't seem like MOPB-45 has been fixed yet. + * remove build-dependency option on libmysqlclient12-dev, since the mysqli + option requires it, and 15 is in stable now anyway. thanks to + Henk van de kamer for finding this (closes: #422224). + * now includes requested fix for mysql row counts (closes: #418471). + * needle/haystack issues are reported fixed (closes: #399924). + * oh yeah, because we're using quilt now: (closes: #338315). + * update build-deps to libdb4.5-dev | libdb4.4-dev (closes: #421929). + note that the resulting php packages won't actually build against + libdb4.5 until all of our build-dependant packages do too. + + -- sean finney Sat, 05 May 2007 19:56:30 +0200 + +php5 (5.2.0-12) unstable; urgency=high + + [ sean finney ] + * modify the build-depends to play more nicely when the net-snmp + maintainers decide to change their package names (closes: #421061). + + -- sean finney Tue, 01 May 2007 14:24:01 +0200 + +php5 (5.2.0-11) unstable; urgency=high + + [ sean finney ] + * The following security issues are addressed with this update: + - CVE-2007-0910/MOPB-32 session_decode() Double Free Vulnerability + * note that this is an update to the previous version of the upstream + fix for CVE-2007-0910, which introduced a seperate exploit path. + - CVE-2007-1286/MOPB-04 unserialize() ZVAL Reference Counter Overflow + - CVE-2007-1380/MOPB-10 php_binary Session Deserialization Information Leak + - CVE-2007-1375/MOPB-14 substr_compare() Information Leak Vulnerability + - CVE-2007-1376/MOPB-15 shmop Functions Resource Verification Vulnerability + - CVE-2007-1453/MOPB-18 ext/filter HTML Tag Stripping Bypass Vulnerability + - CVE-2007-1453/MOPB-19 ext/filter Space Trimming Buffer Underflow Vuln. + - CVE-2007-1521/MOPB-22 session_regenerate_id() Double Free Vulnerability + - CVE-2007-1583/MOPB-26 mb_parse_str() register_globals Activation Vuln. + - CVE-2007-1700/MOPB-30 _SESSION unset() Vulnerability + - CVE-2007-1718/MOPB-34 mail() Header Injection + - CVE-2007-1777/MOPB-35 zip_entry_read() Integer Overflow Vulnerability + - CVE-2007-1887-1888/MOPB-41 sqlite_udf_decode_binary() Buffer Overflow + - CVE-2007-1824/MOPB-42 php_stream_filter_create() Off By One Vulnerablity + - CVE-2007-1889/MOPB-44 Memory Manager Signed Comparision Vulnerability + - CVE-2007-1900/MOPB-45 ext/filter Email Validation Vulnerability + * The other security issues resulting from the "Month of PHP bugs" either + did not affect the version of php5 shipped in unstable, or did not merit + a security update according to the established security policy for php + in debian. You are encouraged to verify that your configuration is not + affected by any of the other vulnerabilities by visiting: + http://www.php-security.org/ + * other, less interesting changes: + - now use quilt for managing local patches. + - massage all of the patches, eliminating fuzz and offsets. + + -- sean finney Mon, 23 Apr 2007 19:02:51 +0200 + +php5 (5.2.0-10) unstable; urgency=high + + [ sean finney ] + * The php security update contained a regression in the streams + module. this version contains an updated version of the patch + for CVE-2007-0906 (116-CVE-2007-0906_streams.patch), which should + fix the regression. Thanks to Martin Pitt for noticing this. + * Fix the patch names in the previous changelog entry, and fix a factual + inaccuracy that was accidentally pasted from the php4 changelog. + * The previous update was missing two fixes from CVE-2007-0906: + * interbase: (116-CVE-2007-0906_interbase.patch) + * zip: (116-CVE-2007-0906_zip.patch) + + -- sean finney Wed, 07 Mar 2007 23:11:29 +0100 + +php5 (5.2.0-9) unstable; urgency=high + + [ sean finney ] + * The following security issues are addressed with this update: + - CVE-2007-0906: Multiple buffer overflows in various code: + * session (116-CVE-2007-0906_session.patch) + * imap (116-CVE-2007-0906_imap.patch) + * str_replace: (116-CVE-2007-0906_string.patch) + * the sqlite and mail related vulnerabilities in this CVE do not + affect the php5 source packages. + - CVE-2007-0907: sapi_header_op buffer underflow (116-CVE-2007-0907.patch) + - CVE-2007-0908: wddx information disclosure (116-CVE-2007-0908.patch) + - CVE-2007-0909: More buffer overflows: + * the odbc_result_all function (116-CVE-2007-0909_odbc.patch) + * various formatted print functions (116-CVE-2007-0909_print.patch) + - CVE-2007-0910: Clobbering of super-globals (116-CVE-2007-0910.patch) + - CVE-2007-0988: 64bit unserialize DoS (116-CVE-2007-0988.patch) + Closes: #410995. + * The package maintainers would like to thank Joe Orton from redhat and + Martin Pitt from ubuntu for their help in preparation of this update. + * backport upstream fix for AUTH PLAIN support in imap extension + Closes: #401712. + + -- sean finney Sat, 03 Mar 2007 11:13:33 +0100 + +php5 (5.2.0-8) unstable; urgency=high + + [ sean finney ] + * Update package information to say simply "Apache 2" instead + of "Apache 2.0" (ref: #400306). + * Update package description for php-pear to mention needing + phpN-dev for building PECL extensions (closes: #401825). + * Add mention of Freetype fonts to php5-gd package description, + thanks to Ole Laursen for the suggestion (closes: #387881). + * Include a backported version of upstream's fix for + alignment calculatations which cause FTBFS problems for + some arches. Thanks to Roman Zippel for finding this (closes: #401129). + patch: 114-zend_alloc.c_m68k_alignment.patch + * Remove --enable-yp, as it's no longer used and seperately + packaged. Thanks to Martijn Grendelman for mentioning this + (closes: #402161). + * Add mention to README.Debian of needing to restart apache when + installing modules (closes: #392249). + * Don't strip the DSO modules if building with DEB_BUILD_OPTIONS + containing nostrip + * Backported a patch from upstream CVS to fix a rather nasty + memory leak in zend_alloc (closes: #402506). + patch: 115-zend_alloc.c_memleak.patch + * The memleak and FTBFS are targeted at etch, and there aren't + any other significant changes, so priority=high. + + -- sean finney Sun, 17 Dec 2006 16:49:35 +0100 + +php5 (5.2.0-7ubuntu2) feisty; urgency=low + + * debian/control: Add missing build dependency libsqlite3-dev to fix FTBFS. + + -- Martin Pitt Wed, 6 Dec 2006 16:27:03 +0100 + +php5 (5.2.0-7ubuntu1) feisty; urgency=low + + * Merge to Debian unstable; remaining Ubuntu changes: + - debian/control, debian/rules: Disable apache-dev build dependency and + remove libapache-mod-php5 package, since we do not support apache 1.3. + - debian/control: Build with db4.3, as long as our apache needs it. + - debian/changelog: Add some missing CVEs. + * debian/control: + - Remove firebird2-dev build dependency and php5-interbase package, since + we don't support Firebird and keep the separate php-interbase source. + - Remove libc-client-dev build dependency and php5-imap package, since + uw-imapd is in universe and we keep the separate php-imap source. + - Remove libmcrypt-dev build dependency and php5-mcrypt package, since + it is in universe and we keep the separate php-mcrypt source. + - libapr1-dev -> libapr0-dev, as long as we still have Apache 2.0. + * debian/rules: Disable above modules, and fix up dependency generation for + Apache 2.0 instead of 2.2. + + -- Martin Pitt Wed, 6 Dec 2006 12:55:44 +0100 + +php5 (5.2.0-7) unstable; urgency=high + + [ Steve Langasek ] + * Also disable firebird in the PDO config for archs other than + i386/amd64. + + -- sean finney Fri, 24 Nov 2006 15:20:53 +0100 + +php5 (5.2.0-6) unstable; urgency=high + + [ sean finney ] + * firebird2-dev (and thus php5-interbase) is only available on + i386/amd64, so update the control/rules information accordingly. + thanks to Bastian Blank for reporting this (closes: #399558). + + -- sean finney Wed, 22 Nov 2006 19:04:04 +0100 + +php5 (5.2.0-5) unstable; urgency=high + + [ sean finney ] + * bring some of the mainline php4 modules back into the php source + package instead of distributing them in independant source packages: + - php5-imap + - php5-interbase + - php5-mcrypt + - php5-pspell + - php5-tidy + these modules are still provided in the same binary packages as + before, but will now be built in tandem with the core php packages. + * fix for pdo.so duplicate loading warnings, thanks to Jan Wagner + (closes: #398367, #399248). + + -- sean finney Mon, 20 Nov 2006 12:41:37 +0100 + +php5 (5.2.0-4) unstable; urgency=high + + * Re-re-enable LFS support, forward-porting vorlon's fixes in + the php4 tree. + * Add a bit of support in upgrade scripts to avoid unnecessary + ucf prompting during upgrades (closes: #398363). + * Update build-dependencies to reflect that libpcre3-dev >= 6.6 + is required. Thanks to Jan Wagner for pointing this out. + * loosen dependencys for libapache2-mod-php5 to allow usage with + apache2-mpm-itk as an alternative to prefork. + Closes: #398580, #398481. + + -- sean finney Wed, 15 Nov 2006 08:33:28 +0100 + +php5 (5.2.0-3) unstable; urgency=high + + * Unify PHP options for pear binaries to: + -d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1" + (Closes: #397625) + * [debian/rules]: Enable PDO building only in apache2 build. + + -- Ondřej Surý Fri, 10 Nov 2006 14:09:00 +0100 + +php5 (5.2.0-2) unstable; urgency=high + + [ Ondřej Surý ] + * Revert Large File Support for this moment. We will try to found + root of the problem for etch, but we do not promise anything. + (Closes: #397465) + + -- Ondřej Surý Wed, 8 Nov 2006 01:13:48 +0100 + +php5 (5.2.0-1) unstable; urgency=high + + [ sean finney ] + * new upstream release. since this means the 5.1 series is deadware + in the eyes of its developers, we better get on this train before + it's too late. Note: this also fixes the htmlentities() exploit. + Reference: CVE-2006-5465. + Closes: #396766. + * s/postinst/postrm/ on one critical line in debian/rules. whoops. + Thanks to Bart Martens for finding this (closes: #396873). + * as a pennance i've enabled LFS support (closes: #359686). + * new version now includes all mbstring headers (closes: #391368). + * enable new built-in zip support. + * enable pdo support for currently supported db types, and place the + extensions in the respective extension packages. future db + types will be added, but probably post-etch as they will probably + introduce new packages/dependencies (closes: #348882). + * move the mysqli module into the mysql module's package, and remove + the no longer necessary mysqli package. + * massaging/removal of various patches to upstream changes: + D patches/106-strptime_xopen.patch + D patches/110-CVE-2006-4812_zend_alloc.patch + M patches/006-debian_quirks.patch + D patches/111-mbstring-headers.patch + M patches/053-extension_api.patch + + [ Ondřej Surý ] + * Package checked, upload to unstable. + + -- Ondřej Surý Tue, 7 Nov 2006 09:26:51 +0100 + +php5 (5.1.6-6) unstable; urgency=high + + [ sean finney ] + * add notes to php.ini(-dist) about "unsupported" security features. + patch: 113-php.ini_securitynotes.patch + + [ Ondřej Surý ] + * SECURITY: include patch for html buffer overflows in ext/standard/html.c + Reference: CVE-2006-5465 + Patch: 114-CVE-2006-5465_htmlentities.patch + Closes: #396766 + + -- Ondřej Surý Fri, 3 Nov 2006 12:32:50 +0100 + +php5 (5.1.6-5) unstable; urgency=high + + [sean finney] + * add a README.Debian.security to clarify how we handle/respond + to security problems in stable releases. + * SECURITY: include patch for integer overflow in zend_alloc.c. + Reference: CVE-2006-04812 (closes: #391586). + patch: 110-CVE-2006-4812_zend_alloc.patch + * bump the debhelper compatibility level to 4. + * remove cyclic depends for mysql/mysqli. + * the long overdue rework of configuration file handling. this also + removes the need for debconf and template translations + (closes: #361211, #393788, #388697). + * start using ucf to manage the the various SAPI php.ini files. + * cleanup and consolidation of a few things in the ./debian dir + * bump the memory limit to 32M for the cli API (closes: #375070, #340586). + * include a fix for missing mbstring headers reported by Jan Wagner + (closes: #391368). + patch: 111-mbstring-headers.patch. + * include support for PTY's in proc_open, as reported by Eike Dehling. + according to php's BTS (http://bugs.php.net/bug.php?id=39224) the + feature was disabled only because the configure script couldn't + accurately determine whether the feature was available, and we know + it is :) (closes: #381438). + patch: 112-proc_open.patch. + * update standards-version to 3.7.2 + + -- sean finney Sat, 28 Oct 2006 14:29:44 +0200 + +php5 (5.1.6-4) unstable; urgency=high + + [sean finney] + * no longer build against GPL'd gdbm library (closes: #390452). + * updated apache2 module dependencies to build against and coexist + with apache2.2 (closes: #390455). + + -- sean finney Sat, 07 Oct 2006 12:06:09 +0200 + +php5 (5.1.6-3) unstable; urgency=low + + [ sean finney ] + * php5 was building against db4.3 even though db4.4 headers were + installed. fix applied to ./ext/dba/config.m4 while we wait + for a real fix from upstream (closes: #388601). + + -- sean finney Mon, 02 Oct 2006 17:42:50 +0200 + +php5 (5.1.6-2) unstable; urgency=low + + [ sean finney ] + * enable the mysqli extension (closes: #320835). + + -- sean finney Tue, 19 Sep 2006 19:31:27 +0200 + +php5 (5.1.6-1ubuntu3) feisty; urgency=low + + * Rebuild for ldbl128 change on powerpc and sparc. + + -- Matthias Klose Thu, 2 Nov 2006 10:00:32 +0000 + +php5 (5.1.6-1ubuntu2) edgy; urgency=low + + * SECURITY UPDATE: Safe mode bypass, remote arbitrary code execution. + * Fix/add CVE numbers in/to 5.1.4-0.1 and 5.1.6-1 changelogs. + * Add debian/patches/CVE-2006-4625.patch: + - Fix open_basedir/safe_mode bypass with ini_restore(). + - Ported from upstream CVS: + http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?r1=1.39.2.2&r2=1.39.2.3 + * Add debian/patches/CVE-2006-4812.patch: + - Fix integer overflow in Zend's ecalloc(). + - Ported from upstream CVS: + http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_alloc.c?r1=1.161&r2=1.162 + + -- Martin Pitt Tue, 10 Oct 2006 18:25:01 +0200 + +php5 (5.1.6-1ubuntu1) edgy; urgency=low + + * Merge from Debian unstable, bringing in a myriad of security fixes. + * Revert libdb4.3->libdb4.4 migration until we're ready to do this. + + -- Adam Conrad Wed, 13 Sep 2006 23:11:09 +1000 + +php5 (5.1.6-1) unstable; urgency=high + + [ Adam Conrad ] + * Drop 041-shut_up_snmp.patch, which was no longer needed as of 5.1.0. + + [ Ondřej Surý ] + * Acknowledge NMU. + * New upstream release (Closes: #383596) + - Added missing safe_mode/open_basedir checks inside the error_log(), + file_exists(), imap_open() and imap_reopen() functions. + - Fixed overflows inside str_repeat() and wordwrap() functions on 64bit + systems. + - Fixed possible open_basedir/safe_mode bypass in cURL extension and + with realpath cache. (CVE-2006-2563) (Closes: #370165) + - Fixed overflow in GD extension on invalid GIF images. + - Fixed a buffer overflow inside sscanf() function. (CVE-2006-4020) + (Closes: #382256) + - Fixed an out of bounds read inside stripos() function. + - Fixed memory_limit restriction on 64 bit system (really with 5.1.6). + * Bump libdb build-dep from libdb4.3 to libdb4.4, to match with apache. + + -- Ondřej Surý Sat, 19 Aug 2006 14:41:43 +0200 + +php5 (5.1.4-0.1ubuntu1) edgy; urgency=low + + * Merge from debian unstable. + + -- Fabio M. Di Nitto Wed, 12 Jul 2006 17:06:38 +0200 + +php5 (5.1.4-0.1) unstable; urgency=high + + * Non-maintainer upload. + * New upstream release. (Closes: #366109) + * Fixes information leak in html_entity_decode() (CVE-2006-1490). + (Closes: #359907) + * Fixes phpinfo() XSS (CVE-2006-0996). (Closes: #361914) + * Fixes copy() safe mode bypass (CVE-2006-1608). (Closes: #361915) + * Fixes tempnam() open_basedir bypass (CVE-2006-1494). (Closes: #361916) + * Fixes wordwrap() buffer overflow (CVE-2006-1990). (Closes: #365312) + * Fixes substr_compare() DoS condition (CVE-2006-1991). + * Fixes crash during too deep recursion (CVE-2006-1549). (Closes: #361917) + * Fixes injection in mb_send_mail() (CVE-2006-1014, CVE-2006-1015); not + mentioned in upstream changelog. (Closes: #368595) + * 044-strtod_arm_fix.patch: Adapted for new upstream; pulled in from + Piotr Roszatycki's packages. + * 108-64bit_datetime.patch: Patch to fix possible segfault on systems where + sizeof(void*) > sizeof(int); patch from David Mosberger-Tang. + + -- Steinar H. Gunderson Tue, 13 Jun 2006 22:38:33 +0200 + +php5 (5.1.2-1ubuntu3) dapper; urgency=low + + * Enable the mysqli extension, which is required for full functionality + of the ubuntu-server LAMP stack for dapper (launchpad.net/27904) + * Make php5-{mysql,mysqli} depend on each other to ease the pain of the + planned transition for Etch/Edgy where both will be packaged together. + * Comment out the EXTRA_VERSION hack, since it served its purpose when + we were providing CVS snapshots, but is now just a cause of complaints. + + -- Adam Conrad Thu, 18 May 2006 12:12:27 +1000 + +php5 (5.1.2-1ubuntu2) dapper; urgency=low + + * Rebuild against the new libmysqlclient15off with correct symbols. + + -- Adam Conrad Thu, 6 Apr 2006 12:48:51 +1000 + +php5 (5.1.2-1ubuntu1) dapper; urgency=low + + * Resynchronise with Debian, bringing in security fixes and PEAR fix. + + -- Adam Conrad Wed, 18 Jan 2006 18:09:55 +1100 + +php5 (5.1.2-1) unstable; urgency=low + + * New upstream bugfix and security update release (closes: #347894) + - Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208 + - Resolves multiple HTTP response splitting vulnerabilities, allowing + arbitrary header injection via Set-Cookie headers; see CVE-2006-0207 + - While we don't currently build it, this release also fixes a format + string vulnerability in the mysqli extension; see CVE-2006-0200 + - Includes a new version of the PEAR installer that seems to have a + slightly better clue about the difference between INSTALL_ROOT and + PHP_PEAR_INSTALL_DIR, fixing pear.conf (closes: #346479, #346501) + * While the above is partially true, the PEAR installer is still a bit + broken (it won't install correctly under fakeroot anymore, YAY), so + shuffle debian/rules to have a build-pear-stamp target, as a stopgap. + * Add 106-strptime_xopen.patch, moving the _XOPEN_SOURCE definition down + in ext/standard/datetime.c, below the php.h include (closes: #346550) + * Add 107-reflection_is_ext.patch, munging ext/reflection/config.m4 to + properly call the PHP_ARG_ENABLE macro for an extension, not built-in. + * Stop php-pear from Replacing and Conflicting with php-html-template-it, + as we only now ship the bare essential to make the pear installer go. + + -- Adam Conrad Mon, 16 Jan 2006 16:12:31 +1100 + +php5 (5.1.1-1ubuntu1) dapper; urgency=low + + * Resynchronise with Debian, bringing in a myriad of security fixes. + + -- Adam Conrad Sun, 8 Jan 2006 02:07:20 +1100 + +php5 (5.1.1-1) unstable; urgency=low + + * New upstream bugfix release, skipping the problematic 5.1.0 release: + - Fixes a zend.ze1_compatibility_mode segfault (closes: #333374) + - Remove libtool patch from acinclude.m4, now integrated upstream. + - Remove 038-round_test_fix.patch, now integrated upstream. + - Remove 049-exported-headers.patch, as upstream's build system has + gotten more clever about what they should and shouldn't export. + - Remove 054-open_basedir_slash.patch, now integrated upstream. + - Remove 055-gd_safe_mode_checks.patch, fixed differently upstream. + - Mangle 101-sqlite_is_shared.patch, to deal with upstream changes. + - Remove 104-64_bit_serialize.patch, now integrated upstream. + - Remove 105-64_bit_imagettftext.patch, now integrated upstream. + * Many security vulnerabilities fixed (closes: #341368, #336005, #336654): + - Resolves a local denial of service in the apache2 SAPI, which can + be triggered by using session.save_path in .htaccess; CVE-2005-3319 + - Resolves an infinite loop in the exif_read_data function which can + be triggered with a specially-crafted JPEG image; CVE-2005-3353 + - Resolves a vulnerability in the parse_str function whereby a remote + attacker can fool PHP into turning on register_globals, thus making + applications vulnerable to global variable injections; CVE-2005-3389 + - Resolves a vulnerability in the RFC1867 file upload feature where, if + register_globals is enabled, a remote attacker can modify the GLOBALS + array with a multipart/form-data POST request; see CVE-2005-3390 + - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391 + - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode + and open_basedir bypasses between virtual hosts; CVE-2005-3392 + - Resolves a CRLF injection vulnerability in the mb_send_mail function, + allowing injection of arbitrary mail headers; see CVE-2005-3883 + - Includes PEAR 1.4.5, resolving a vulnerability in the pear installer + which could lead to arbitrary code execution; see CVE-2005-4154 + * Bump libdb build-dep from libdb4.2 to libdb4.3, to match with apache. + * Bump our MySQL build-dep to 5.0's libmysqlclient15-dev (closes: #343793) + * Automate the process of getting the list of built-in modules into the + package descriptions, so it stays fresh in the future (closes: #341867) + * Intentionally disable PDO support until I've sorted out the best way to + deal with shipping this shiny new feature that won't break the world. + * The new PEAR happens to fix the Command.php greedy match bug filed in + Debian as part of the fix for the wider security issue (closes: #334969) + * Create 056-mime_magic_strings.patch, making the mime_magic extension + more liberal about what mime-types is accepts, as well as making it skip + over ones it dislikes, rather than disabling itself (closes: #335674) + * Add 057-no_apache_installed.patch, to stop spewing a mess of errors in + configure because we don't have the apache binaries in the build chroot. + * Fix small typo in the php5-xsl package description (closes: #344816) + + -- Adam Conrad Thu, 15 Dec 2005 14:46:56 +1100 + +php5 (5.0.5-3) unstable; urgency=low + + * Build-Depend on libcurl3-openssl-dev, since libcurl3-dev is going away + soon. Keep libcurl3-dev as an alternate for backporting (see: #334367) + * Switch from libmysqlclient12 to libmysqlclient14; this puts us on the + *other* side of the line regarding which combinations of DSOs cause + segfaults, so hopefully the others catch up with us soon (closes: #332453) + * Look for magic.mime in /usr/share/file now instead of /usr/share/misc/file, + as the path has been changed to comply with the FHS (see: #334510) + * Make the above backportable as well, by searching for both files, and + picking the one that's currently installed on the user's system. + * Include swedish debconf translation from Daniel Nylander (closes: #330763) + * Make pear use '/usr/bin/php' instead of just 'php' to make sure we don't + get some random binary on $PATH that won't work right (closes: #329415) + * Set PHP_PEAR_SIG_BIN to /usr/bin/gpg, and have php-pear Recommends: gnupg + + -- Adam Conrad Fri, 21 Oct 2005 02:30:19 +1000 + +php5 (5.0.5-2ubuntu1) breezy; urgency=low + + * Resync with Debian, bringing in two security fixes, a file conflict fix, + and two 64-bit memory corruption and segfault fixes (no other changes). + + -- Adam Conrad Sun, 9 Oct 2005 03:14:32 +1000 + +php5 (5.0.5-2) unstable; urgency=medium + + * Remove Andres Salomon from the Uploaders field, at his request. Thanks + for all your work on the PHP packages, Andres, now fix our kernel bugs. + * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir + is set to "/foo/", users can access files in "/foobar/", which is not the + documented behaviour; this addresses CAN-2005-3054 (see: #323585) + * Add 104-64_bit_serialize.patch from Joe Orton, resolving a segfault when + serializing objects on all 64-bit architectures (closes: #329768) + * Add 105-64_bit_imagettftext.patch, fixing a type mismatch in the GD + extension, causing memory corruption on 64-bit arches (closes: #331001) + * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode + checks to the _php_image_output and _php_image_output_ctx GD functions. + * Make php-pear Provide, Replace, and Conflict php-html-template-it, which + we appear to have absorbed into the main PEAR packaging (closes: #332393) + + -- Adam Conrad Tue, 27 Sep 2005 16:09:29 +1000 + +php5 (5.0.5-1ubuntu1) breezy; urgency=low + + * Resync with Debian, lowering libsnmp-dev build-dep to libsnmp5-dev. + * This new upstream includes a fixed XML_RPC class in php-pear, which + addresses CAN-2005-2498 and closes Ubuntu bug #13701. + + -- Adam Conrad Tue, 13 Sep 2005 14:52:10 +1000 + +php5 (5.0.5-1) unstable; urgency=low + + * New upstream release, adjust patch offsets and fuzz, and drop patches: + - Drop 009-snmp-int-sizes.patch, finally fixed upstream. + - Drop 051-gcc-4.0.patch, fixed differently upstream. + - Drop 102-php_streams.patch, fixed upstream. + - Drop 103-catch_segv.patch, also fixed upstream. + - Includes PEAR XML_RPC fix for CAN-2005-2498. + - Includes phpinfo() XSS fix for CVE-2005-3388. + * Distribute the shiny new manpages for php-config and phpize. + + -- Adam Conrad Mon, 12 Sep 2005 02:29:24 +1000 + +php5 (5.0.4-4) unstable; urgency=low + + * Ondřej Surý : + - Add patch from CVS to fix regression in PHP 5.0.4, where file related + functions all stop reading at 2,000,000 bytes (closes: #321930) + * Adam Conrad : + - Enable support for gdbm files in the dba handler; half the base system + already appears to depend on libgdm, so we can't make things worse. + - Add another patch from CVS to fix a segfault in the catch/throw + handler under interesting nesting cases (closes: #322507) + - Rebuild against libsnmp9-dev for new libsnmp SOVER (closes: #327107) + + -- Adam Conrad Thu, 8 Sep 2005 00:36:36 +1000 + +php5 (5.0.4-3ubuntu1) breezy; urgency=low + + * Resync with Debian, bringing in important changes to php5-dev and the + dependency relationships between php5 SAPIs and php5 extensions, as + well as making sure that php5 is backportable to hoary without changes. + + -- Adam Conrad Mon, 1 Aug 2005 09:54:24 +1000 + +php5 (5.0.4-3) unstable; urgency=low + + * And fix the module/extension API situation one last time, this time + we read ZEND_EXTENSION_API_NO, ZEND_MODULE_API_NO, and PHP_API_VERSION, + pick the most recent of the three, assume things broke in ways we're + not willing to cope with, and both change the extension directory to + use that value, as well as setting it to the provides/depends for the + various SAPI and extension packages. + * Add a new option to php-config, 'php-config --phpapi', which extension + packagers should now be using to get the current phpapi they're building + against and set their dependencies accordingly. + * Strip the -gnu off the end of the DEB_*_* variables and drop the + versioned dpkg-dev build-dep to ease backporting to sarge and hoary; + doing so in such a way as to still allow for easy cross-compiling. + * Add postgresql-dev build-dep alternate for easy hoary/sarge backports. + * Make libapache2-mod-php5 the default alternate dependency for the php5 + metapackage, since we really do want to encourage the apache upgrade. + * Make php5-dev stop shipping copies of files from autotools-dev, shtool, + and libtool, and instead symlink to them and depend on those packages, + thus avoiding the shtool issues from CAN-2005-1751 and CAN-2005-1759. + + -- Adam Conrad Sun, 31 Jul 2005 03:05:08 +1000 + +php5 (5.0.4-2) unstable; urgency=low + + * We now have a mailing list. Set the maintainer to the list, and move + myself to Uploaders where, apparently, I belong. + * Use ZEND_MODULE_API_NO rather than PHP_API_VERSION for extension deps, + as recent upstream ABI breakage in 4.4.0 leads me to believe this is + the only constant they actually bother to update on ABI changes. + * Bring back some concflicts that went missing (libapache-mod-php5 needs + to conflict with libapache-mod-php4 and older versions of php4, while + the two libapache2-mod-php[45] modules also need to conflict). + * Adjust debian/watch to not match on upstream's alpha/beta/rc releases. + + -- Adam Conrad Wed, 27 Jul 2005 22:30:42 +1000 + +php5 (5.0.4-1ubuntu2) breezy; urgency=low + + * libapache2-mod-php5 needs to conflict with libapache2-mod-php4 to + prevent people from shooting their own feet and breaking apache2. + + -- Adam Conrad Wed, 27 Jul 2005 22:29:14 +1000 + +php5 (5.0.4-1ubuntu1) breezy; urgency=low + + * Upload to breezy, disabling the libapache-mod-php5 build. + + -- Adam Conrad Wed, 27 Jul 2005 02:22:23 +1000 + +php5 (5.0.4-1) unstable; urgency=low + + * Initial PHP5 release; packaging forked from php4 4:4.3.11-1. + - Closes: #262977, #293832 + * Ondrej Sury : + - Removed some obsolete cruft, since there wasn't any previous php5 + packages there is no need, to check /usr/share/doc/*, etc. + - Removed apache2 IfModule hack, it's been fixed in php5. + - Updated patches to php5, removing those which are obsolete. + - Changes xslt extension to xsl (using libxslt). + - Updated debian/* including changelog. + - Raised update-alternatives priority to 50. + * Adam Conrad : + - Merged with php4 4:4.4.0-1 packaging. + - Re-roll upstream tarball to include PEAR::XML_RPC 1.3.3, which + includes a security fix for CVE CAN-2005-1921. + - Bump to Standards-Version 3.6.2, with no source changes. + - Stop distributing the phpextdist binary, as upstream has stopped. + - Drop the ext_skel binary and skeleton dir from php5-dev, as it has + been deemed obsolete upstream and the version in the tarball is not + considered useful anymore. PEAR::PECL_Gen upstream will replace it. + - Fix longstanding broken shebang lines in debconf config scripts. + - Remove lintian overrides for modules; lintian no longer complains + about missing shlibs for libraries outside the linker path. + - Add a linda override for the non-standard directory permissions on + /var/lib/php5 in php5-common. + - Rename php5-pear to php-pear, have it replace php4-pear, and depend + on php5-cli OR php4-cli; make sure it works with both. + - Compile in SOAP extension (closes: #307580) + - Enable SQLite extension as shared, make the xmlrpc extension shared. + - Enabled the pgsql extension, and disabled the imap extension (which + will be moving to another source package and become the example + package for out-of-tree builds). + + -- Adam Conrad Sat, 16 Jul 2005 23:42:36 +1000 + +php4 (4:4.3.11-1) unstable; urgency=low + + * New upstream release (closes: #304052) + - Drop CVS patches, we're back in step with upstream versions. + - Remove 048-x509_multiple_orgUnits.patch, incorporated in 4.3.11. + - Remove 050-4.3.11_file_copy_fix.patch, incorporated in 4.3.11. + - Remove 040-curl_open_basedir.patch, as upstream has solved this + in a different fashion. + - Adjust patches for offset and fuzz. + - Remove bits from debian/rules dealing with the DB PEAR extension, + since it's no longer shipped in the php4-pear package. + * Rebuild against newer version of freetds library (closes: #317369) + * Add 052-phpinfo_no_configure.patch, which disables the display of our + "Configure Command" in phpinfo(), which was the source of many bogus + bug reports over the years, due to people misinterpreting its meaning. + * New translations to Vietnamese and Russian (closes: #316821, #310199) + - vi.po contributed by Clytie Siddall + - ru.po contributed by Yuriy Talakan' + * Mention FastCGI in the description of php4-cgi (closes: #310810) + + -- Adam Conrad Mon, 4 Jul 2005 17:47:32 +1000 + +php4 (4:4.3.10-15) unstable; urgency=low + + * Bring back the shipping of /usr/share/doc symlinks in our packages, + as this, in concert with moving the migration detection from preinst + to postinst (which was done in the last upload), seems to give us the + sanest upgrade path. Thanks to Steve Langasek for smacking me around + with unpack/upgrade scenarios for a while to convince me of this. + + -- Adam Conrad Mon, 9 May 2005 02:13:19 -0600 + +php4 (4:4.3.10-14) unstable; urgency=high + + * Revert the directory->symlink magic to work how it used to, since the + new behaviour broke hideously on upgrades from Woody, causing certain + files (like the changelog) to mysteriously go missing (closes: #307591) + * Move our template php.ini to /usr/share/php4, so we stop violating + policy by using files from /usr/share/doc (as seen in #307591) + * Remove 'readline' from the php4-cli package description, since we don't + actually build with readline support enabled anymore (closes: #306571) + + -- Adam Conrad Wed, 4 May 2005 01:48:19 -0600 + +php4 (4:4.3.10-13) unstable; urgency=low + + * Update email address for Andres Salomon + * Add Portuguese translation from Miguel Figueiredo (closes: #305038) + * Include 051-gcc-4.0.patch, which resolves a build failure in + libxmlrpc (from the xmlrpc extension) with gcc-4.0 (closes: #287956) + + -- Adam Conrad Mon, 18 Apr 2005 00:29:54 -0600 + +php4 (4:4.3.10-12) unstable; urgency=low + + * Add 050-4.3.11_file_copy_fix.patch, which reverts a broken 'fix' + made to the copy() function, causing it to fail in particularly + spectacular ways when used on remote files (closes: #304601) + * Use -g instead of -gstabs on powerpc64-linux (closes: #301571) + + -- Adam Conrad Thu, 14 Apr 2005 03:53:27 -0600 + +php4 (4:4.3.10-11) unstable; urgency=medium + + * Address an FTBFS waiting to happen in the php4-dev package: + - Remove Win32 and Netware specific headers. + - Stop shipping php4-pgsql headers. + - Stop shipping the expat headers, since we don't even + use the bundled expat library. + - Make php4-dev depend on libssl-dev, since it wants to include + ssl.h when you use it to build network-using extensions. + * Stop building extensions twice; we don't need two copies. + + -- Adam Conrad Tue, 12 Apr 2005 03:14:03 -0600 + +php4 (4:4.3.10-10) unstable; urgency=low + + * Update to 200503131325 CVS (AKA: 4.3.11RC1), fixing several bugs + including a segfault in mysql_fetch_field() (closes: #299608) + * Remove 042-remove_windows_paths.patch, incorporated upstream. + * Add 048-x509_multiple_orgUnits.patch to bring the openssl extension + in line with the upcoming 4.3.11 behaviour of listing multiple + Organisational Units in an x509 cert as an array, rather than only + listing the last in the list. + * After much talk with upstream, revert the ZTS changes. We are no + longer building a thread-safe PHP. (closes: #299820, #297223, #297679) + * ZTS was breaking file search paths, leading to errors loading files + from the cwd (closes: #298282, #298518, #299089, #299356) + * Stop building caudium-php4 (closes: #294718, #297702, #295100) + - We can't link against the GPL pike7.2, which we've been doing. Oops. + - Even if the above weren't true, upstream has insisted that ZTS is a + horribly broken solution, slated for eventual removal, and should + never, ever be used. In light of that, caudium users should instead + use php4-cgi, either as a plain CGI, or as a FastCGI backend. + - Not even attempting to provide an upgrade path, as it would be + needlessly complex, and caudium-php4 in previous stable releases + was nothing more than a useless toy, given that it had nearly no + useful extensions built-in or supported. + * Rewrite 041-shut_up_snmp.patch to take a different approach, this time + regrettably reverting a fix for a memory leak, in the name of making + things work properly, including squashing the putenv() intecaction + bug between PHP and other apache modules (closes: #298511, #300628) + * On sidegrades from distributions where different modules may be built + from their own source, and thus have their own doc directories, bad + things happen when we try to replace those with symlinks, so now we + check for this in preinst, and fix stuff up magically to Just Work. + * Add Jeroen van Wolffelaar to Uploaders. + * Fix up modules regexes to use "\.so" instead of ".so" (cf: #300998) + + -- Adam Conrad Wed, 16 Mar 2005 22:46:05 -0700 + +php4 (4:4.3.10-9) unstable; urgency=low + + * Update 040-curl_open_basedir.patch once more to make sure it doesn't + segfault when fed a null or uninitialised URL (closes: #295447) + * Add 047-zts_with_dl.patch, courtesy of Steve Langasek to re-enable the + dl() function in our builds, despite upstream's claim that it "might + not be threadsafe on all platforms"; it is on ours (closes: #297839) + * Make the php4-dev binaries versioned with alternatives (closes: #295903) + * Update build-deps to libmysqlclient12-dev (closes: #290989, #227549) + + -- Adam Conrad Sun, 6 Mar 2005 07:30:35 -0700 + +php4 (4:4.3.10-8) unstable; urgency=high + + * Add 046-zend_plist_buggery.patch which unrolls the changes made to + zend.c in CVS post-4.3.10. The memory leaks fixed by these changes + seem to not have been hurting us terribly so far, while the "fix" + (breaking persistent lists) was, uhm, bad (closes: #295998, #296694) + * Revise 041-shut_up_snmp.patch to call init_snmp with 'snmpapp' as the + appname, rather than 'php', to maintain backward compatibility, and to + wrap our setenv/unsetenv magic only around snmp_shutdown, which seems to + solve a segfault when php4-snmp is loaded with mod_perl (closes: #296282) + * Fix 042-remove_windows_paths.patch to catch both cases where windows + path stripping should occur (closes: #296406) + + -- Adam Conrad Tue, 22 Feb 2005 07:49:32 -0700 + +php4 (4:4.3.10-7) unstable; urgency=high + + * Rewrite 040-curl_open_basedir.patch, so it now does what it's supposed + to (addressing CAN-2004-1392) and no longer segfaults (closes: #295447) + + -- Adam Conrad Thu, 17 Feb 2005 00:06:36 -0700 + +php4 (4:4.3.10-6) unstable; urgency=high + + * Add 044-strtod_arm_fix.patch to fix the FPU confusion FTBFS on arm. + * Add 045-exif_nesting_level.patch to bump the exif header parsing max + nesting level to something that actually works with most JPEG images. + + -- Adam Conrad Mon, 14 Feb 2005 16:04:28 -0700 + +php4 (4:4.3.10-5) unstable; urgency=low + + * Add 043-recode_size_t.patch to fix 32/64-bit issues causing the recode + extension to segfault on alpha/amd64/ia64 (closes: #294986) + * Move the ./buildconf stuff in the unpatch target inside the test + for patch-stamp, as it's uselss unless we're unpatching. + + -- Adam Conrad Sun, 13 Feb 2005 19:09:39 -0700 + +php4 (4:4.3.10-4) unstable; urgency=medium + + * Make php4-dev arch:any, as it contains some arch-specific defines. + * Add 042-remove_windows_paths.patch, a patch to rfc1867.c to strip Windows + paths from uploaded filenames, like it used to. (closes: #294305) + * Fix up caudium description to reflect the fact that caudium it is no + longer restricted from sharing extensions with other SAPIs. + * Build-dep on apache2-threaded-dev (>= 2.0.53-3) to make sure we + get a version with non-broken headers. + + -- Adam Conrad Wed, 9 Feb 2005 11:52:10 -0700 + +php4 (4:4.3.10-3) unstable; urgency=medium + + * Update to CVS, as of 200502060530 (closes: #288672) + - Fixes two vulnerabilities in exif.c, CAN-2005-1042 and CAN-2005-1043 + - Fixes two vulnerabilities in image.c, CAN-2005-0524 and CAN-2005-0525 + - File uploads with "'" in them aren't cut off anymore (closes: #288679) + - unserialize() is no longer ridiculously slow (closes: #291392) + - Add 000-200502060530_CVS.patch + - Adapt debian/rules to the realities of upstream's new buildconf + - Add 033-we_WANT_libtool.patch, to force relibtoolizing with Debian's + libtool, rather than using upstream's broken bundled libtool + - Drop 031_zend_strtod_1.1.2.10.patch and 032_zend_strtod_debian.patch + - Adjust patches for offsets and fuzz + - Force --with-pic, as policy demands it, and the build system doesn't + * Added several patches, yanked from the Fedora PHP sources: + - 034-apache2_umask_fix.patch, fixes umask not being properly reset + after each request (closes: #286225) + - 036-fd_setsize_fix.patch, fixes misuse of FD_SET() + - 038-round_test_fix.patch, makes the rounding test work on gcc-3.3 + * Removed --with-libedit, as being able to background php is more useful, + in my opinion, than using readline functions (see #286356) + * Include zip support in all SAPIs (closes: #288534, #288909) + * Enable Zend Thread Safety for all SAPIs, meaning that our modules + are now compiled for ZTS APIs as well. (closes: #278212, #264015) + - Make sure caudium-php4 now provides phpapi-$(ver), and modules can + be configured with the caudium SAPI. + - Add 039-reentrant_libs.patch to link to the reentrant versions of + libldap and libmysqlclient + * Stop suggesting phpdoc, as it's undistributable anyway. + * Add 040-curl_open_basedir.patch, to make php4-curl respect the value + of open_basedir, thanks to Martin Pitt (closes: #291410) + * Add 041-shut_up_snmp.patch, to prevent libsnmp5 from attempting (and + failing) to write persistent data every time it shuts down. Ugh. + + -- Adam Conrad Sun, 6 Feb 2005 05:32:11 -0700 + +php4 (4:4.3.10-2) unstable; urgency=high + + * Patch Zend/zend_strtod.c twice: + - Patch from upstream CVS to fix FTBFS on Sparc/Linux systems + - Patch from me to fix FTBFS on __mc68000__, __ia64__, and __s390__ + + -- Adam Conrad Sat, 18 Dec 2004 19:35:30 -0700 + +php4 (4:4.3.10-1) unstable; urgency=high + + * New upstream release, including the following security fixes: + - CAN-2004-1018 - shmop_write() out of bounds memory write access. + - CAN-2004-1018 - integer overflow/underflow in pack() and unpack() + functions. + - CAN-2004-1019 - possible information disclosure, double free and + negative reference index array underflow in deserialization code. + - CAN-2004-1020 - addslashes() not escaping \0 correctly. + - CAN-2004-1063 - safe_mode execution directory bypass. + - CAN-2004-1064 - arbitrary file access through path truncation. + - CAN-2004-1065 - exif_read_data() overflow on long sectionname. + - magic_quotes_gpc could lead to one level directory traversal with + file uploads. + * Adjust patch offsets for new upstream, fix 013-force_getaddrinfo.patch + to match with new configure.in and drop 026-4.3.10_session_fixes.patch + which is included in 4.3.10. + + -- Adam Conrad Wed, 15 Dec 2004 17:17:40 -0700 + +php4 (4:4.3.9-2) unstable; urgency=low + + * Adam Conrad : + - Add -fno-strict-aliasing to CFLAGS, as the (several thousand) + warnings I'm getting from GCC are frightening me a tad. + - Remove the php-cgi alternative in php4-cgi's prerm, to avoid + leaving dangling symlinks (closes: #275962, #282315) + - Include 030-imap_getacl.patch, adding the imap_getacl() function + required by the GOsa project (closes: #282484) + - Include php.ini-paranoid in doc/examples, provided and maintained + by Javier Fernández-Sanguino Peña (closes: #274374) + - Make /cgi-bin/php4 an alternative for /cgi-bin/php (closes: #282464) + - Remove obsolete info from README.Debian relating to session_mm, + since we stopped building with libmm a while back. + - Reintroduce /usr/lib/php4/libexec that went missing in a previous + upload, since the build uses it as the default safe_mode exec dir. + * Andres Salomon : + - Add patch to include gd headers in php4-dev, as some PECL modules + (notably, pdflib) expect it; 028-export_gd_headers.patch. + - Lintian fix: Add missing #DEBHELPER# token to php4-common.postrm. + + -- Adam Conrad Wed, 01 Dec 2004 18:48:13 -0700 + +php4 (4:4.3.9-1) unstable; urgency=high + + * New upstream release, removed the following patches fixed upstream: + 014-apache2handler_CVS_fixes.patch, 015-gdNewDynamicCtx_Add_Ex.patch, + 018-unix_socket_fd_leak.patch, 020-4.3.9_overflow_fixes.patch, + 021-4.3.9_sybase_ct_fixes.patch, 022-4.3.9_sprintf_fixes.patch, + 023-4.3.9_array_fixes.patch, 024-4.3.9_glob_fix.patch, + and 025-4.3.9_domxml_segfaults.patch + * Resolves undiscolsed vulnerabilities in GPC processing and rfc1867 + handling of file uploads via the $_FILES array; these have since + been assigned CVE CAN-2004-0958 and CAN-2004-0959 (closes: #274206) + * After some fairly heavy testing from several users and developers, + finally update php4-snmp to use libsnmp5 (closes: #195929) + * Add 026-4.3.10_session_fixes.patch from CVS, which prevents PHP + from segfaulting when a nonexistant or unsupported save_handler or + serialize_handler is specified in php.ini. + * Add /etc/apache/conf.d/php4.conf, setting up our mime-types, on the + off chance that the user's /etc/mime.types is broken (closes: #271171) + * Reintroduce a CGI binary at /usr/bin/php4-cgi, so people who can't + make use of the --force-cgi-redirect CGI binary in /usr/lib/cgi-bin + can instead use #!/usr/bin/php4-cgi scripts (closes: #273143) + * Enable FastCGI for both CGI binaries, now that it no longer conflicts + with, but rather complements, the CGI SAPI (closes: #233849) + * Bump libgd2 build-dep a notch to make sure we build against a version + that actually has XPM support built in (closes: #270435) + * Finally drop the bogus libapache-mod-ssl dependency from the apache1.3 + php4 module, as glibc (>= 2.3.2.ds1-17) has fixed the dlopen refcount + bug that we were hacking around (closes: #205553, #230956, #271000) + * Remove the mm session handler from the apache1.3 build. Since the + files handler now works on all arches, and is configured to be secure + by default, mm seems to have outlived its usefulness. + (closes: #119902, #149430, #166811, #272463, #232840) + * Rename sapi/apache2handler/sapi_apache2.c to mod_php4.c so that + directives aren't ambiguous between php4 and php5. + * Add Czech translation, thanks to Miroslav Kure (closes: #274038) + * Configure CLI with --with-libedit for readline support, and add + 027-readline_is_editline.patch, since Debian's libedit headers are + not installed in /usr/include/readline (closes: #274031) + * libcurl grew a new SONAME somewhere along the way, and upgrading + doesn't seem to cause regressions in php4-curl, so upgrade we shall, + changing build-deps accordingly (closes: #260389) + + -- Adam Conrad Mon, 4 Oct 2004 22:57:37 -0600 + +php4 (4:4.3.8-12) unstable; urgency=high + + * On new php4-cli installations, if php4-cgi is installed, we copy its + php.ini as a starting reference, so that command line scripts that + used to work don't start mysteriously failing (closes: #270153) + * php4-common has grown a postrm script to make sure we completely + clean out and remove /var/lib/php4 during the purge phase. + * Optimize garbage collection cronjob to use 'xargs -r -0 rm', so we + aren't forking for every session file we delete (closes: #268918) + + -- Adam Conrad Sun, 5 Sep 2004 19:17:42 -0600 + +php4 (4:4.3.8-11) unstable; urgency=high + + * Andres Salomon : + - Fix bashism in maxlifetime script (closes: #270015) + * Adam Conrad : + - Clarify setup instructions in README.Debian for using php4-cgi + with the apache and apache2 packages (closes: #228342, #228343) + + -- Adam Conrad Sat, 04 Sep 2004 23:21:21 -0600 + +php4 (4:4.3.8-10) unstable; urgency=high + + * Andres Salomon : + - Change frequency of session file cleansing, based on the maximum value + of session.gc_maxlifetime from all php.ini files (closes: #269688). + - Update README.Debian to mention session cleaning cron job. + * Adam Conrad : + - Drop php4-cgi from the list of alternate dependencies for the php4 + metpackage to smooth upgrades for woody users who have both php4 and + php4-cgi installed (closes: #269628, #269348, #269377) + - Fix cut-n-paste issue in php4-cli postinst (closes: #269466) + - Add 023-4.3.9_array_fixes.patch, which fixes problems with the + extract() function misbehaving with multiple element references. + - Add 024-4.3.9_glob_fix.patch to fix broken return values from glob() + when it succeeds with no matches (closes: #269287) + - Add 025-4.3.9_domxml_segfaults.patch, fixing segfaults in the domxml + extension when it shares memory space with other libxml2-using libs. + - Update the comments in php.ini to point out that, due to dilinger's + changes above, session.gc_maxlifetime is honoured by the gc cronjob. + + -- Adam Conrad Fri, 03 Sep 2004 20:42:56 -0600 + +php4 (4:4.3.8-9) unstable; urgency=high + + * Re-introduce the changelog.Debian that went missing in the last + upload due to the php4-common move from arch:all to arch:any + * Clean up lintian warnings regarding scripts that weren't executable + and executables that weren't scripts. + * Add a lintian override for the non-standard-dir-perm of /var/lib/php4 + * Update to Standards-Version 3.6.1 (no changes, other than the above) + + -- Adam Conrad Thu, 26 Aug 2004 21:53:27 -0600 + +php4 (4:4.3.8-8) unstable; urgency=low + + * Default session.save_path is now compiled in to php4, allowing + us to, again, comment out the value in php.ini. + * Comment out session.gc_probability in the default php.ini, as we've + now compiled in a default of 0, allowing the cronjob to do the + garbage collection for us instead. (closes: #267720) + * Make the 5 SAPI postinsts smarter, allowing them to poke around in + people's configs and make sure that sessions won't be broken + after we upgraded them from a perfectly functional system. + * Add 022-4.3.9_sprintf_fixes.patch, fixing incorrect formatting of + floats with padding by sprintf(). + * Make php4-common arch:any, and loosen up some of the other any->all + package dependencies to make sure binNMUs won't break. + + -- Adam Conrad Tue, 24 Aug 2004 03:09:43 -0600 + +php4 (4:4.3.8-7) unstable; urgency=high + + * Back out LFS support AGAIN, as we're disabling LFS in apache2 for + the Sarge release. (closes: #266869) + * Add 021-4.3.9_sybase_ct_fixes.patch, backporting several fixes + for the sybase_ct extension from 4.3.9rc1. + * Tidy up descriptions a fair bit: + - Disambiguate short descriptions of SAPIs. (closes: #244571) + - Refresh the (now much longer) lists of built-in modules for each SAPI. + - Explain why caudium-php4 can't use any loadable extensions. + - Remove silly advertising blurb for Zend, since very few people are + still using php3, and those who are can't be convinced to upgrade + just by telling them "Hey, it's faster!". + - Add Homepage URI to each SAPI description. + - Fix typo in php4-domxml description. (closes: #146124) + * Make caudium-php4 provide php4-mysql and php4-pgsql, so it can be used + with packages that depend on something like "php4, php4-mysql". + * Enable --with-mime-magic and make sure all SAPIs depend on libmagic1 + to pull in /usr/share/misc/file/magic.mime (closes: #175136) + + -- Adam Conrad Thu, 19 Aug 2004 18:27:17 -0600 + +php4 (4:4.3.8-6) unstable; urgency=high + + * Add libgcrypt11-dev to the build-depends, as something seems to be + pulling it in and causing an FTBFS (closes: #265952) + * Add 020-4.3.9_overflow_fixes, backporting fix for integer overflows + in array_slice(), array_splice(), substr(), substr_replace(), + strspn() and strcspn(). + * Bump the apache2 build-dep to (>= 2.0.50-9) to ensure we're building + against the new ABI-incompatble libapr0, which brings in proper + large file support. Bump the apache2 binary dependency as well. + (closes: #266210, #266192) + * Enable large file support on all SAPIs except for caudium, as I'm not + sure how caudium will react to the change, and I don't want to + destabilise anything just before release. This change has been + heavily tested with apache2/apache/cgi/cli, and all is well there. + * Re-enable 019-z_off_t_as_long.patch, which is needed to make sure + that LFS-enabled SAPIs can still use zlib file functions correctly. + * Rework the apache2 restarting logic to only restart apache2 if + apache2ctl configtest succeeds, otherwise kick out a warning to + the user. Even then, we run force-reload with ||true, in case + apache2 fails to start for other reasons (closes: #264958) + * Make php4-gd Provide php4-gd2, so packages which still depend on + php4-gd2 are installable (and so packaging frontends can take the + provides/conflicts/replaces hint and DTRT with it) + * Split php4-cgi to php4-cgi and php4-cli (closes: #227915) + - Add php4-cli to debian/control, replaces older php4-cgi versions + - php4-cgi depends on php4-cli for smooth transitions + - php4-pear now depends on php4-cli (closes: #243214, #221434) + - Add php4-cli to list of SAPIs configurable for modules + - Munge php.1 manpage to include -cli info + - Enable pcntl and ncurses in -cli (closes: #135861, #190947, #241806) + * Move all of php4's files to libapache-mod-php4, and make php4 a + metapackage that depends on libapache-mod-php4 | libapache2-mod-php4 | + php4-cgi | caudium-php4 (closes: #244573, #246654, #244571, #266517) + * Include skeleton directory in php4-dev (closes: #95832, #211338) + * Include php.ini-recommended in php4-common's examples (closes: #181396) + * Move /var/lib/php4 to php4-common and install a cronjob that cleans + out old sessions every 30 minutes (closes: #256831, #257111) + * Move the libapache-mod-ssl dependency from php4-imap to + libapache-mod-php4 to stop irritating users of other SAPIs + (closes: #240003, #246887, #263381) + * Compile pgsql and mysql support into the caudium SAPI, so it's + slightly less useless (closes: #181175) + + -- Adam Conrad Sun, 15 Aug 2004 19:56:14 -0600 + +php4 (4:4.3.8-5) unstable; urgency=low + + * Build-depend on chrpath and use it to nuke rpath from modules + during the install target of debian/rules. + * Add 018-unix_socket_fd_leak.patch to get rid of UNIX socket file + descriptor leak on failed fsockopen() calls. (closes: #257269) + * It would seem that if we want LFS support, all SAPIs and all extensions + that do file access need to be built with LFS support, and since + apache2 currently doesn't have LFS, this presents a problem. As + such, I'm disabling LFS accross the board until apache2 supports it. + (closes: #263962) + * Add 019-z_off_t_as_long.patch, including local headers for zlib, + forcing off_t = long for gzip file functions, however disable it + for now, as we'll only need it if we reenable LFS (closes: #208608) + * Add the Debian package revision as EXTRAVERSION to PHP, so one can + more easily tell what version is currently running (for instance, + if a user fails to restart Apache after an upgrade of php4, this + would become obvious to them in the version banner and in phpinfo() + * Fixed up debian/patches, adjusting offsets and adding newlines, + so patch stops complaining and applies them cleanly. + * libapache2-mod-php4 postinst now forces a reload of apache2, which + should get the module properly working in all cases where people + previously thought 'apachectl graceful' would cut it. + (closes: #241352, #263424, #228343) + * debian/rules explicitly sets PROG_SENDMAIL during configure so + that builds on buildds with no sendmail installed don't get the + mail() function disabled. (closes: #180734) + * Enable XMLRPC-EPI support for all SAPIs (closes: #228825, #249368) + * Enable sysvmsg support for all SAPIs (closes: #236190) + * Enable dbx support for all SAPIs (closes: #229508, #249797) + * Nuke aclocal.m4 before we run ./buildconf to ensure we get it + regenerated correctly, and we get an up-to-date libtoolization. + + -- Adam Conrad Mon, 9 Aug 2004 07:47:46 -0600 + +php4 (4:4.3.8-4) unstable; urgency=low + + * Drop 016-pread_pwrite_XOPEN_SOURCE_500.patch, as it didn't seem to + solve anything, really, and add 017-pread_pwrite_disable.patch, + wich completely disables pread/pwrite usage, fixing session support + on sparc, and pread/pwrite usage on amd64. (closes: #261311) + + -- Adam Conrad Mon, 26 Jul 2004 06:15:59 -0600 + +php4 (4:4.3.8-3) unstable; urgency=low + + * Steve Langasek : + - Give php4-pear a versioned dependency on php4-cgi, due to + backwards-compatibility issues (closes: #260924). + + * Adam Conrad : + - Added a debian/watch file for the curious, or people running + automated uscan scripts over the entire archive. + - Bump libgd2 build-dep to 2.0.28 to buy us guaranteed GIF + support in php4-gd (closes: #66293) + - Add 015-gdNewDynamicCtx_Add_Ex.patch, which fixes three double-free + errors in php4-gd. This, in concert with the librrd0 update + (see #261323) should clear up all known segfaults in php4-gd + (closes: #220196, #234571, #241270, #246833, #251220, #260790) + Thanks to Klaus Reimer for the tip. + - Add 016-pread_pwrite_XOPEN_SOURCE_500.patch, which fixes use of + pread/pwrite in conjunction with LFS64. This should fix the files + session handler on sparc, as well as the amd64 build failure. + (closes: #234766, #239420, #261311, #248765) + - Clean up debian/rules to remove a bunch of obsolete cruft, as well + as introducing an LFSFLAGS, allowing us to easily turn LFS support + on and off for each SAPI. + - Re-enable LFS for apache 1.3, as it was enable in Woody and we should + remain backward compatible. + + -- Adam Conrad Sun, 25 Jul 2004 18:49:31 -0600 + +php4 (4:4.3.8-2) unstable; urgency=high + + * Urgency "high" to make up for the last upload which contained + security fixes but was uploaded urgency "low". + + * Adam Conrad : + - Bump debhelper build-dep to >= 3, as we were using DH_COMPAT=3 + in debian/rules. Not sure how this was missed for so long. + - Add 014-apache2handler_CVS_fixes.patch, which fixes a memory + leak in the apache2handler SAPI, as well as a logical mishandling + of fatal errors during activation. + + * Steve Langasek : + - Revert large file support, which appears to cause + ABI-incompatibilities (and therefore segfaults) for apache2 + (closes: #259659). + + -- Adam Conrad Mon, 19 Jul 2004 20:44:00 -0600 + +php4 (4:4.3.8-1) unstable; urgency=low + + * Adam Conrad : + - New upstream release (4.3.8). Fixes several security issues: + + Fixed strip_tags() to correctly handle '\0' characters. + + Improved stability during startup when memory_limit is used. + + Replace alloca() with emalloc() for better stack protection. + + Added missing safe_mode checks inside ftok and itpc. + + Fixed address allocation routine in IMAP extension. + + Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL. + + Fixes DoS in readfile() function, see CAN-2005-0596. + - php4-pear now includes PEAR::Mail 1.1.3 (closes: #257688) + - debian/control: change libpng3-dev build-dep to libpng12-dev + - Add Turkish debconf translation, thanks to Osman Yuksel. + (closes: #252940) + + * Andres Salomon : + - New upstream release (4.3.7). The following patches are dropped: + 007-dba_fix.patch + 008-xbithack.patch + 011-curl_api_update.patch + 012-curl_deprecated_opts.patch. + - Add 013-force_getaddrinfo.patch, so that getaddrinfo support is + always enabled (instead of doing check during build). + + * Steve Langasek : + - Enumerate supported SAPIs in both the module postinst and the module + config script, to avoid "question not found" errors from debconf. + This doesn't give us automatic support for new SAPIs as they're + added, but it avoids trying to configure SAPIs that we don't support + (e.g., caudium), and it also sidesteps shell syntax errors caused by + strangely-named subdirectories. + - Remove apache2 from the TODO list, because it's done + (closes: #243793). + - Add /var/lib/php4 to the list of directories for the apache2 module, + so we don't end up with a missing session dir (closes: #240962). + - s/modules-config/apache-modconf/, now that the canonical name of the + apache-common tool has changed + - Drop references to php3 in README.Debian, and document the + simplified process for enabling php4 in apache 1.3 (closes: #244564). + - Enable large files support for all SAPIs (closes: #249500). + - Fix commented-out default include path in php.ini (closes: #250274). + + -- Adam Conrad Wed, 14 Jul 2004 18:06:42 -0600 + +php4 (4:4.3.4-4) unstable; urgency=low + + * Drop apache2 work-around patch and add build-dep on apache2 2.0.48-8, + now that #228840 is fixed. + * Fix FTBFS problem caused by curl api changes, adding patches 011 and + 012 (closes: #239159). + * Add phpapi Provides for libapache2-mod-php4 (closes: #240386). + * Add versioned build-dep for pcre, as apache2 has proven that pcre-3.9 + and older won't work (closes: #215069). + * Tighten build-dep versions to match upstream's autoconf version checks + (closes: #214060). + + -- Andres Salomon Fri, 26 Mar 2004 23:27:27 -0500 + +php4 (4:4.3.4-3) unstable; urgency=low + + * Andres Salomon : + - Fix incorrect php.ini path in CLI manpage (closes: #233757). + - Add libapache2-mod-php4 module (closes: #214611). + * Updated Japanese debconf translation; thanks to Kenshi Muto + (closes: #222424). + * Build php4-gd against libgd2-xpm, removing the need for a separate + php4-gd2 package (closes: #235390, #206045, #135664). + * Add new Catalan debconf translation; thanks to Aleix Badia i Bosch + (closes: #236630). + * Add new Spanish debconf translation; thanks to Carlos Valdivia + Yagüe (closes: #235052). + + -- Steve Langasek Sat, 28 Feb 2004 12:11:57 -0600 + +php4 (4:4.3.4-2) unstable; urgency=low + + * Add build-depends on autoconf, missed earlier (closes: #235012). + * Minor updates to README.Debian list of supported extensions. + * Fix integer size mismatch in snmp extension affecting 64-bit + platforms + + -- Steve Langasek Thu, 26 Feb 2004 22:25:27 -0600 + +php4 (4:4.3.4-1) unstable; urgency=low + + * New upstream version. Update local patch set accordingly, with help + from Andres Salomon . + - includes fix for snmpget() not closing its socket + (closes: #207363). + * Update build-depends to libdb4.2-dev, to match apache-dev + (closes: #231692). + * Drop translations of stale templates, and add new German debconf + translation; thanks to Alwin Meschede + (closes: #232270). + * Add new Danish debconf translation; thanks to Claus Hindsgaul + (closes: #233887). + * Move local patches into debian/patches/ for easier management, and + add debian/rules targets for build-time application of patches. + * Fix a problem with PHP "xbithack" causing ini scope leakage + (closes: #230047). + * Re-enable the openssl extension statically, since we now know for + sure that the php4-imap problems are a glibc bug (closes: #197450). + * Fix pear to set /usr/bin/php4 instead of /usr/bin/php for the value + of php_bin, so PEAR-managed scripts work correctly + (closes: #228381). In addition, use alternatives for /usr/bin/php + for the benefit of user scripts (closes: #185283). + * Set the default session save_path to /var/lib/php4 instead of to + /tmp, and create this directory such that all users (for php4-cgi) + can create files there and access their own files once created, but + not see the names of other files in the directory (closes: #139810). + * Drop our override of upstream's register_globals default + (closes: #230878). + + -- Steve Langasek Sat, 14 Feb 2004 10:23:24 -0600 + +php4 (4:4.3.3-5) unstable; urgency=low + + * Have php4-pear Suggest: php4-dev, for PECL extensions + (closes: #225969). + * Recompiled against the new version of libxslt, to get rid of the + dependency on libxsltbreakpoint (closes: #224806). + * Also recompiled against the new version of libc-client (closes: #227347). + * Fix pear to not expect to be able to twiddle locks when running as + non-root, which also seems to fix a memory utilization problem + (closes: #225026). + * Make php4-imap depend on libapache-mod-ssl, since this seems to be + the only reliable way of getting apache to stop segfaulting. + * Build-depend on libt1-dev, which replaces t1lib-dev. + + -- Steve Langasek Mon, 5 Jan 2004 22:53:18 -0600 + +php4 (4:4.3.3-4) unstable; urgency=low + + * Fix prerm script to remove mod_php4, *not* mod_perl, from the + config (Closes: #216889). + * Use /etc/$i/httpd.conf instead of /etc/$i to decide whether to + call modules-config. + * Don't invoke debconf unless we have to in the postinst, to reduce + the risk of interactions between modules-config and our questions. + * Add Dutch debconf translation; thanks to Tim Dijkstra + (closes: #221439). + * Sync dba lock handling against upstream CVS HEAD, to fix a bug with + truncating db4 files when opening with 'c' (create). + (Closes: #221559). + + -- Steve Langasek Tue, 21 Oct 2003 16:49:03 -0500 + +php4 (4:4.3.3-3) unstable; urgency=low + + * Disable -gstabs on ia64, since this debugging symbol type is + apparently unknown there; we should now have clean builds (with + appropriate debugging symbols) on all archs. + + -- Steve Langasek Mon, 20 Oct 2003 19:07:40 -0500 + +php4 (4:4.3.3-2) unstable; urgency=low + + * Don't call db_stop in the postinst, as this seems to cause problems + for modules-config (closes: #215663, #215584). + * Remove duplicate -prefer-pic flag on caudium build, in hope of + making libtool do something sensible on ia64,hppa (closes: #216020). + * Always build with debugging symbols, per current policy. + * Unconditionally call dh_strip, which knows about DEB_BUILD_OPTIONS; + and call install -s when installing shared extensions by hand. + * Fix upstream build rules to not call libtool --silent. + + -- Steve Langasek Wed, 15 Oct 2003 23:19:55 -0500 + +php4 (4:4.3.3-1) unstable; urgency=low + + * New upstream release. + * Add Japanese debconf translation; thanks to Kenshi Muto + (closes: #211961). + * Fix caudium handling to always grab the current pike version from + dpkg when constructing include paths (closes: #212585). + * Bump the c-client build dependencies to use the new -dev package + name. + * Convert php4 postinst/prerm scripts to use the new apache + modules-config interface. + + -- Steve Langasek Sun, 21 Sep 2003 17:26:31 -0500 + +php4 (4:4.3.2+rc3-6) unstable; urgency=low + + * Add Brazilian Portuguese debconf translation; thanks to André Luís + Lopes (closes: #207078). + * Catch debian/control up with debian/rules for the zendapi -> phpapi + transition. + + -- Steve Langasek Sun, 31 Aug 2003 20:35:57 -0500 + +php4 (4:4.3.2+rc3-5) unstable; urgency=low + + * Kill the lintian warning on the grammar in the copyright file. + * Redirect apacheconfig I/O to /dev/tty, to work around debconf + behavior (for real this time). Closes: #207468, #206404. + * Replace 'zendapi' with 'phpapi', since the former does not + accurately describe the ABI changes that affect modules and can + leave some packages installable but broken (closes: #208020). Also, + remove the versioned conflicts with php4-{mysql,pgsql}, since this + now supersedes. + * Add French debconf translation; thanks to Michel Grentzinger + (closes: #207662). + + -- Steve Langasek Sat, 23 Aug 2003 21:43:24 -0500 + +php4 (4:4.3.2+rc3-4) unstable; urgency=low + + * Have all php extensions automatically detect and configure for any + installed SAPIs (closes: #143436). + * Remove spurious dependencies from php4-dev, and replace autoconf2.13 + with autoconf (closes: #180497). + * Conflict with old php4-pgsql as we do with php4-mysql, as it + manifests the same bug. + * Add preliminary rules for building apache2 SAPI, but don't enable. + * Call db_stop before trying to run apacheconfig (closes: #206404). + * Check for the existence of /etc/php4 before trying to rmdir it, + since there are apparently those who remove such directories + prematurely (closes: #206120). + + -- Steve Langasek Sun, 17 Aug 2003 00:19:38 -0500 + +php4 (4:4.3.2+rc3-3) unstable; urgency=low + + * Fixes for spurious package dependencies + * Fix the paths emitted by php-config, so we can build php4-pgsql et al. + + -- Steve Langasek Fri, 15 Aug 2003 23:44:55 -0500 + +php4 (4:4.3.2+rc3-2) unstable; urgency=low + + * Make sure pear.conf is properly marked as a conffile, by bumping + DH_COMPAT to 3. + * Generate all per-extension postinsts/prerms at build time, instead + of managing them by hand. + * Get rid of bogus, non-FHS directories from the caudium build. + * Install the upstream php manpage in the php4-cgi package + (closes: #175836). + * Prevent null dereferencing in ldap_explode_dn() (closes: #205405). + * Hard-code /usr/share/pear at the end of the include path, for + backwards compatibility. + * Debconf support for PHP extension registration, including + po-debconf support (closes: #122353). + * Fix interpreter path in /usr/bin/pear. + * Make php4-pear depends: php4-cgi (closes: #182393). + + -- Steve Langasek Wed, 13 Aug 2003 22:39:08 -0500 + +php4 (4:4.3.2+rc3-1) unstable; urgency=low + + * New upstream version. + - includes fix for buffer overflow crashes in imap module + (closes: #191640) + - includes fix for dysfunctional open_basedir directive + (closes: #197803) + - include fix for various XSS vulnerabilities (closes: #200736) + * Recompile against newest libc-client libs, following another soname + change (closes: #199049) + * Replace db2 with db4. + * Trim down the cgi sapi rules, since it will now build both cli and + cgi for us by default. + * Kludge the caudium sapi, by hard-coding the include path we need for + pike headers. + * Copy the lex/yacc-generated .c and .h files into the build + directories, since generating them at build time gives wildly + different, and undisputably broken, results. + * Update the install rules so they're compatible with current upstream + handling of pear and the various SAPIs. + * Add '=shared' to the --enable-xslt option, to get the right results + for that extension. + * Move PEAR extensions from /usr/share/pear to /usr/share/php. + * Conflict with php4-mysql=4:4.2.3-14, due to bizarre Zend errors. + + -- Steve Langasek Wed, 6 Aug 2003 22:43:28 -0500 + +php4 (4:4.2.3-14) unstable; urgency=low + + * Disable openssl extensions AGAIN. It appears that this double-linking mess + is still causing nasty segfaults. + (closes: #188014, #188025, #188058, #189202, #189653) + + -- Adam Conrad Sun, 20 Apr 2003 17:31:59 -0600 + +php4 (4:4.2.3-13) unstable; urgency=low + + * Revert NET-SNMP patch and build php4-snmp against UCD-SNMP again + (closes: #185534) + * Build against libmm13, as libmm12 no longer exists (closes: #187401) + * Rebuild caudium-php4 against latest caudium-dev + * Re-enable openssl linking and functions, now that our glibc 2.3 + problems appear to be ironed out. + * Enable xslt and exslt support in php4-domxml (closes: #172881) + + -- Adam Conrad Thu, 3 Apr 2003 05:53:24 -0700 + +php4 (4:4.2.3-12) unstable; urgency=low + + * Rebuild php4-sybase against libct1 (closes: #184461) + + -- Steve Langasek Sat, 8 Mar 2003 20:03:33 -0600 + +php4 (4:4.2.3-11) unstable; urgency=low + + * Remove pike header location detection from debian/rules and do it + properly in sapi/caudium/config.m4, using pike7.2-config --version + + -- Adam Conrad Mon, 3 Mar 2003 23:33:26 -0700 + +php4 (4:4.2.3-10) unstable; urgency=low + + * Added patch to build with NET-SNMP 5.x + * Updated build-dep for libc-client to 2003debian + (closes: #181565, #182854, #169886) + * Updated build-dep for libcurl to libcurl2-dev (closes: #179722) + * Added -mieee to alpha build to solve FPE errors (closes: #180656) + * Removed arch-specific logic to build with gcc-3.2 on arm, since gcc-3.2 + is now the default compiler on all architectures. + * Add libwrap0-dev to the end of the build-depends to work around #183041. + Someone remember to remove this later when the bug is fixed. :) + * Build against newer libsablot0-dev (closes: #179886, #181550) + * Introduce ugly hack in debian/rules to get the pike includes + directory right for the caudium SAPI. + + -- Adam Conrad Sun, 2 Mar 2003 12:49:07 -0700 + +php4 (4:4.2.3-9) unstable; urgency=low + + * Fix caudium-php4 to not conflict with php4-pear (closes: #175415). + + -- Steve Langasek Sun, 5 Jan 2003 16:40:20 -0600 + +php4 (4:4.2.3-8) unstable; urgency=low + + * Fix typo in debian/rules + * Rebuild to bring in sync with latest caudium packages + + -- Adam Conrad Wed, 25 Dec 2002 20:00:59 -0700 + +php4 (4:4.2.3-7) unstable; urgency=low + + * Set a sane default for safe_mode_exec_dir (closes: #122920). + * Rebuild against libmm-dev on i386, instead of against the + no-longer-available libmm11-dev which Provides: the same + (closes: #173509). + + -- Steve Langasek Mon, 16 Dec 2002 22:48:40 -0600 + +php4 (4:4.2.3-6) unstable; urgency=low + + * Build with PEAR for all SAPIs, so that the built-in include_path is + set correctly (overkill?). Closes: #169786, #172321 + * Change section of php4-dev package to devel. + * Add libkrb5-dev to build-depends, since libc-client2002-dev doesn't + pull it in (closes: #173313). + * Depend on coreutils instead of fileutils, since the latter is now an + empty package (closes: #171265). + + -- Steve Langasek Sun, 15 Dec 2002 23:20:30 -0600 + +php4 (4:4.2.3-5) unstable; urgency=low + + * Fix (snip, snip) the upstream build scripts, so that libphp4.so + isn't worthlessly linked against the problematic openssl libs + (closes: #165699, #165718, #165719, #166414). + * Update config.{sub,guess} so that the package builds on mips + platforms (closes #173218) + * Replace libc-client-ssl2001-dev with libc-client2002-dev in build + dependencies, fixing various php4-imap segfaults (closes: #169610, + #169769). + + -- Steve Langasek Sun, 15 Dec 2002 19:42:43 -0600 + +php4 (4:4.2.3-4) unstable; urgency=low + + * Remove build dependency on non-extant libmagick5-dev, which is no + longer used anyway (closes: #169829, #172402). + * Add myself to the Uploaders: field of the control file. + + -- Steve Langasek Sat, 14 Dec 2002 12:52:06 -0600 + +php4 (4:4.2.3-3) unstable; urgency=low + + * Backport a patch from CVS to sanitize control characters in php_url_parse() + to prevent ASCII control injection in fopen() calls. + + -- Adam Conrad Thu, 12 Sep 2002 16:29:46 -0600 + +php4 (4:4.2.3-2) unstable; urgency=low + + * I'm a moron (thanks to James Troup for pointing this out). + * Change gcc-3.1 references in debian/rules to gcc-3.2. + * Change GD build-dep to libgd-xpm-dev until GD package mess is worked out. + + -- Adam Conrad Tue, 10 Sep 2002 12:18:21 -0600 + +php4 (4:4.2.3-1) unstable; urgency=low + + * New upstream version + * Added a patch from Ginger Alliance to eliminate warnings in xslt compile + * Messed with the php4-imap build: + - compiling with SSL support (closes: #122700) + - commented out the static-on-i386 hack, libc-client is now linked dynamically + * Sessions should finally be fixed, however I won't tag the bugs "woody" + until I know for sure. (if you were affected, please test and send + followups to me) + * Updated arm build-dep to use gcc-3.2 since gcc-3.1 is gone now. + + -- Adam Conrad Tue, 10 Sep 2002 09:02:51 -0600 + +php4 (4:4.2.2-3) unstable; urgency=low + + * Fix typo resulting in php4-odbc not having a postinst + (closes: #157116, #157927) + * Build against latest caudium-dev to made caudium-php4 installable + again. (closes: #158247) + * Update build-deps to swap libpng3 for libpng2. (closes: #158908) + + -- Adam Conrad Sat, 7 Sep 2002 01:22:57 -0600 + +php4 (4:4.2.2-2) unstable; urgency=low + + * Pulled --with-ndbm out of ./configure, as libc6 no longer ships with + headers or the library for db1 (closes: #156141, #155889) + * Update build deps to build against libmm12 (closes: #155042) + * php4-curl no longer depends on libcurl2-ssl (closes: #155015) + + -- Adam Conrad Sat, 10 Aug 2002 01:12:47 -0600 + +php4 (4:4.2.2-1) unstable; urgency=medium + + * New upstream + * Fixes input validation vulnerability in rfc1867.c (closes: #153850) + * Added missing prerm/postinst for php4-xslt (oops) + + -- Adam Conrad Mon, 22 Jul 2002 11:58:53 -0600 + +php4 (4:4.2.1-3) unstable; urgency=low + + * Yet more build fixes. This time, bump the arm build-dep from gcc-3.0 to + gcc-3.1 to avoid compiler errors. I love the arm toolchain. No, really. + + -- Adam Conrad Wed, 29 May 2002 17:40:30 -0600 + +php4 (4:4.2.1-2) unstable; urgency=low + + * Applied small patch to fix building on non-32-bit architectures + (closes: #148231) + * Added still /more/ documentation about the unserializer, sessions, + and the session.save_handler php.ini option. + + -- Adam Conrad Sun, 26 May 2002 14:43:55 -0600 + +php4 (4:4.2.1-1) unstable; urgency=low + + * The "When is Debian going to have new software like XF^H^HPHP 4.2?" release. + * Probably the last update (barring huge packaging bugs or plain broken + binaries) before starting on a complete reorg of the PHP packages. + * Deserializer now works on big-endian architectures (addresses bug #121391 + and probably others) + * This release probably fixes a whole bunch of bugs. Will be going through + the bug list and playing the reproducibility game after the upload. + * Default include_path in php.ini now set to include pear. + * Upstream default for register_globals HAS CHANGED. In the Debian php.ini + we are still using "register_globals = On" for compatibility reasons, + however our packages will change too. This is a warning for anyone + packaging PHP scripts and applications to make sure you'll be compatible + with the new default once it's set. + + -- Adam Conrad Sun, 26 May 2002 06:24:21 -0600 + +php4 (4:4.1.2-4) unstable; urgency=high + + * No binaries were harmed in the making up this upload. + * Updated README.Debian and changelog. All other files untouched, + as the binaries were merely unpacked and repacked. + - Added a note to README.Debian about how to properly set up + Apache for use with php4, if the installation didn't (and it usually + doesn't ) get it right. + - Added a note to README.Debian about the unserializer (and sessions) + being messed up on big endian architectures. It's too late to try + to get a proper fix in for this, so we're just going to have to cope. + + -- Adam Conrad Fri, 26 Apr 2002 12:27:40 -0600 + +php4 (4:4.1.2-3.1) unstable; urgency=low + + * The 'I broke it, I have to take credit for it' release. + * Rebuild the package to get proper binary dependencies on alpha. + + -- Steve Langasek Sun, 31 Mar 2002 17:13:09 -0600 + +php4 (4:4.1.2-3) unstable; urgency=low + + * Switched to --with-regex=php (from =system). This fixes all the + problems with eregi/parse_url/fopen/etc on Alpha. + * Cleaned up long descriptions (closes: #130977, #130954) + + -- Adam Conrad Wed, 27 Mar 2002 15:11:43 -0700 + +php4 (4:4.1.2-2) unstable; urgency=low + + * New maintainer (closes: #132980) + * Enabling unixodbc support (closes: #107201) + * Changed the install-modules target in build/rules_pear.mk so that + it will error out in the case of an empty modules directory or + failure to install modules (closes: #135304) + + -- Adam Conrad Tue, 12 Mar 2002 00:25:41 -0700 + +php4 (4:4.1.2-1) unstable; urgency=high + + * New upstream version with a security fix. This + supercedes 4.1.1-2.2 from Steve Langasek: + * Fix an error in the handling of MIME file upload headers, which left + open a potential security hole. (Closes: #136063) + * Fixed gcc-3.0 fix :-) + * Thanks for fixing apache-common fix + * This version should fix session bugs with upstream fix (closes: #133877) + * With a brutal change to main/SAPI.c try to fix(?) authorize bugs + + -- Petr Cech Thu, 28 Feb 2002 11:14:26 +0100 + +php4 (4:4.1.1-2.1) unstable; urgency=low + + * Non-maintainer upload. + * loosen apache-common dependency to make us forwards-compatible, as + recommended by the apache maintainer. + * use gcc-3.0 when building on arm, because the default toolchain on + that arch has Issues (closes: #135906, #135913). + + -- Steve Langasek Tue, 26 Feb 2002 09:59:49 -0600 + +php4 (4:4.1.1-2) unstable; urgency=medium + + * Rebuild with apache 1.3.23. + * This package is in maintainer change mode. Though I orphaned it I'm not + going to change maintainer to QA, because we already have fresh blood. + * ext/gd/gd.c: s/HAVE_GD_GIF/HAVE_GD_GIF_CREATE/ to build correctly with + libgd which has GIF support (fixed included upstream) + * debian/control: + - Build-Depends: s/libgd1g-dev/libgd-dev/ + also libc-client at least version 4:2001adebian-6 to fix some segfaults + * ext/standard/head.c: make the setcookie() thingie test more simple + + -- Petr Cech Mon, 11 Feb 2002 20:07:22 +0100 + +php4 (4:4.1.1-1) unstable; urgency=high + + * New upstream bugfix release. + * debian/control: php4-gd - Conflicts/Replaces: php4-gd2 if I ever get + to upload it + * debian/rules: Correctly supply modified CFLAGS to build process + + -- Petr Cech Fri, 28 Dec 2001 23:23:47 +0100 + +php4 (4:4.1.0-2) unstable; urgency=low + + * debian/php4-cgi.README.Debian: fix typo (closes: #123866) + * debian/rules: remove --enable-mbstr-enc-trans as it breaks parametr + parsing (closes: #121403) + * debian/README.Debian: document shmmax increase (closes: #119688) + + -- Petr Cech Fri, 14 Dec 2001 09:59:59 +0100 + +php4 (4:4.1.0-1) unstable; urgency=high + + * Finally final 4.1.0 + * Urgency to reflect previous version + * debian/control: php4-pear depends on php4-cgi + + -- Petr Cech Thu, 13 Dec 2001 23:09:54 +0100 + +php4 (3:4.1-2) unstable; urgency=high + + * FIxes from CSV 4.1.0RC5. Looks like it was not the release after all. + * ext/exif/exif.c: MFH + * ext/ldap/ldap.c: small crash fix from HEAD + * and misc tiny changes. Really :-) + * ext/imap/php_imap.c: HIGH. fix from CVS (imap_rfc822_parse_adrlist) changing + the argument + + -- Petr Cech Sun, 9 Dec 2001 00:01:37 +0100 + +php4 (3:4.1-1) unstable; urgency=medium + + * Final 4.1.0 (not released) + * NEWS: s/4.0/4.1/ + * Build with GD1. It should fix some GD bugs, as gd 2.0.1 is supposed to be + a beta version with known bugs. How should I know. + * sablot extension removed upstream. So use XSLT (C/R in place) + * Apply fix for file_exists() from tilo (closes: #114409) + * "Cannot redeclare" were fixed in previous RCs (closes: #112341) + * previous version is build in hppa and ia64, so I assume it + (closes: #115391) + * Add note to sybase_ct, that it conflicts with mod_gzip folowing a user + report. + * This should fix the "final HTML> stripped" bug that was introduced + in 4.0.6-3. (closes: #110415). + * add --enable-ucd-snmp-hack to try to fix segfaults with ucd-snmp + + -- Petr Cech Mon, 26 Nov 2001 14:56:50 +0100 + +php4 (3:4.0.100-1) unstable; urgency=low + + * Really a 4.1.0RC2 + * Remove hack for apache 1.3.14, as we build-depends on 1.3.22 anyway + * Build-depends: libexpat1 (>= 1.95.2-2.1) for the .1 + * Added Provides: zendapi-$version to php4 and php4-cgi + * Made modules depend on zendapi-$version instead of php4|php4-cgi. + Please use this in your php4-$module packages + * Apply c-client hack only to i386 most architectures don't support linking + both PIC and non-PIC code. I'm still affrai to do this on i386, as it + crashes a lot more :( + * Apply some CVS patches + + -- Petr Cech Wed, 14 Nov 2001 20:50:19 +0100 + +php4 (3:4.0.99-4) unstable; urgency=medium + + * Recompile because of new version of caudium. + (I really hope this gets into testing soon as php in testing + now doesn't do apache 1.3.22) + + -- Petr Cech Fri, 9 Nov 2001 11:11:46 +0100 + +php4 (3:4.0.99-3) unstable; urgency=medium + + * Recompile for new libexpat1 (closes: #116623 and others) + * upstream: ext/gd/gd.c, ext/iconv/iconv.c + * crypt(): defalt to using DES crypt() (closes: #117092) + * debian/rules: disable libmm in -cgi build. Will lesser the impact + of the infamous /tmp/session_mm.reg + * apply patch to Zend, which should fix the "cannot redeclare" error. + It's still a bug in your code though (use include_once). More changes + to this are comming (upstream). + * Add some documentation to sybase + + -- Petr Cech Mon, 22 Oct 2001 11:20:46 +0200 + +php4 (3:4.0.99-2) unstable; urgency=low + + * "Some days are just no good" release. + * Recompile with apache 1.3.22 from Incoming + * Deal with automake going to 1:1.4 and automake1.5 + + -- Petr Cech Fri, 19 Oct 2001 15:02:00 +0200 + +php4 (3:4.0.99-1) unstable; urgency=low + + * This is really 4.1.0RC1, but ... + * Applied setcookie(), which is not in upstream yet + + -- Petr Cech Fri, 19 Oct 2001 12:05:20 +0200 + +php4 (3:4.0.6.7rc3-3) unstable; urgency=medium + + * Fix dependency in caudium-php4. Sorry for this + + -- Petr Cech Fri, 19 Oct 2001 11:28:07 +0200 + +php4 (3:4.0.6.7rc3-2) unstable; urgency=medium + + * Recompile with recent caudium/pike. Please, no new version so it can get + into testing :) + * debian/control: move php4-pear to suggests + * Fix setcookie() again. I really hate this bug + * Build-Depends: re2c - it's usually not needed, but if you make some + strange changes to the parser ... + * FIx automake 1.5 build problems (I hope) + + -- Petr Cech Thu, 18 Oct 2001 12:03:39 +0200 + +php4 (3:4.0.6.7rc3-1) unstable; urgency=low + + * New upstream test release. + + -- Petr Cech Fri, 5 Oct 2001 09:23:35 +0000 + +php4 (3:4.0.6.7rc2-3) unstable; urgency=low + + * "Let's try to fix some bugs" release. + * Add some patches: ldap (does this fix things?), pgsql, + domxml + * Build-Conflicts: automake (>= 1.5) for now + + -- Petr Cech Tue, 2 Oct 2001 10:55:23 +0200 + +php4 (3:4.0.6.7rc2-2) unstable; urgency=low + + * Enable recode extension (the library is LGPL) - shared + * Enable iconv extension - in main php4. Experimental + * Build-Depends: s/libgd-dev/libgd2-dev/ + * Build-Depends: libxml2-dev (>= 2.4.2) (Closes: #112304) + and fix autoconf macros (Closes: #113980) + * Improve?? description of PEAR (Closes: #112432) + + -- Petr Cech Sat, 22 Sep 2001 10:37:42 +0200 + +php4 (3:4.0.6.7rc2-1) unstable; urgency=medium + + * 2nd release candidate + * ext/mbstring: fix compile (cp1252) + * ext/standard/url_scanner_ex: off by one + * WARNING: caudium builds with Zend Threading enabled, but other + modules don't. So you cannot safely use DSO with caudium + * Added some Build-Conflicts - with broken libmysqlclient + - with libtool 1.4b + + -- Petr Cech Mon, 10 Sep 2001 18:04:27 +0200 + +php4 (3:4.0.6-6) unstable; urgency=medium + + * The "Paul Hampson fixes release". + * Closed those atexit() bugs. Now to find out, how to make libtool link with + gcc instead of ld :(( + * ext/standard/head.c: Fix setcookie("bla) (closes: #109524, #109697) + Thanks to Paul Hampson for finding the cause, though I've used another + fix - fixed changes in CVS made in -3 I think. Silly me to think, that + all "small" changes are fixes. + * libc-client2001 was fixed in -5, so add a (closes: #109202) here + * Conflicts: only with libtool 1.4b-{1,2,3}. libtool 1.4.1 is OK + + -- Petr Cech Sat, 1 Sep 2001 20:59:40 +0200 + +php4 (3:4.0.6-5) unstable; urgency=low + + * Recompile for libc-client2001 (I hope it doesn't break anything else) + And many other libraries. + * ATTENTION. php4 still doesn't work with autoconf 2.52 and thus libtool 1.4b!! + You have to get libtool 1.4 to be able to use phpize. + + -- Petr Cech Wed, 22 Aug 2001 23:26:08 +0200 + +php4 (3:4.0.6-4) unstable; urgency=high + + * Add pear/CODING_STANDARDS into php4-pear (fixes 105574. closed too early. sorry) + * Fix the nasty segfaults with mail(). That'll teach me taking upstream + changes without looking. Thanks Cvetan Ivanov for the correct fix (also upstream now) + (closes: #105686, #105878). + + -- Petr Cech Fri, 20 Jul 2001 23:07:30 +0200 + +php4 (3:4.0.6-3) unstable; urgency=high + + * ext/standard/mail.c: security fix + * debian/control: Build-Depends: libtool (>= 1.4) + * ext/curl/curl.c: fix typo + * ext/gd/config.m4: fix typo + * ext/mcrypt/mcrypt.c: upstream buffer overflow fix + * ext/mhash/mhash.c: upstream buffer overflow fix + * ext/pgsql/pgsql.c: fix + * ext/posix/config.m4: check for getpgid + * ext/sablot/sablot.c: fix leaks + * ext/standard/url* : fixes + * ext/sysvshm/sysvshm.c: fixes + * Zend/*: small fixes + + -- Petr Cech Fri, 13 Jul 2001 16:21:04 +0200 + +php4 (3:4.0.6-2) unstable; urgency=low + + * pear/Makefile.in: add IT_Error.php to installed files (closes: #103087) + * debian/control: - allow also libcurl-ssl-dev as Build-Depends (closes: #103618) + - libfreetype6-dev to Build-Depends + - add auto* suite to php4-dev depends (closes: #104199) + * debian/rules: - build gd module with freetype2 support + - move common ./configure flags to COMMON_CONFIG + - build with mbstring support + + -- Petr Cech Fri, 13 Jul 2001 08:22:02 +0200 + +php4 (3:4.0.6-1) unstable; urgency=medium + + * New upstream release. + * NOTE: new extension will probably be in another upload, to get this + into testing ... + + -- Petr Cech Mon, 25 Jun 2001 20:43:24 +0200 + +php4 (3:4.0.5.6rc3-3) unstable; urgency=low + + * The "I hate sablot release". Recompile with 0.60 + * debian/php4-domxml.postrm: also fix the :: (closes: #101306) + * debian/rules: --enable-ctype - still EXPERIMENTAL!!! Bug upstream + + -- Petr Cech Mon, 18 Jun 2001 09:46:17 +0200 + +php4 (3:4.0.5.6rc3-2) unstable; urgency=low + + * ext/sablot/config.m4: link sablot.so with -lsablot, not main php4 + * build/ ... : upstream fix for building with automake 1.4-pX + * don't fail, when libssl-dev is not installed. sigh + + -- Petr Cech Thu, 14 Jun 2001 23:36:34 +0200 + +php4 (3:4.0.5.6rc3-1) unstable; urgency=low + + * New upstream test release. + * Recompile with apache 1.3.20 + * debian/control: + - php4-dev: Depends: bison, flex (closes: #100634) + - Build-Depends: libcurl-dev (>=7.8) + * debian/rules: + - add --enable-bcmath to all rules (closes: #100491) + * Zend/zend.c: apply upstream fix to allow building of caudium + + -- Petr Cech Tue, 12 Jun 2001 22:27:26 +0200 + +php4 (3:4.0.5.6rc2-1) unstable; urgency=low + + * New upstream test release. + * FIx regex/regex.h (int regoff_t) + * fix php4-cgi build with pcre - don't use supplied pcre + * Fix wddx support (closes: #99468) + * Add missing $(INSTALL_ROOT) to sapi/caudium/config.m4 + + -- Petr Cech Fri, 8 Jun 2001 11:37:07 +0200 + +php4 (3:4.0.5.6rc1-1) unstable; urgency=low + + * New upstream test release with new bugs :)) + * moved pear from /usr/lib/php4 to /usr/share/php4 + * Whups. Sorry about the epoch 3: . It somehow slipped in, so I'll + have to live with it + + -- Petr Cech Wed, 16 May 2001 14:14:04 +0200 + +php4 (3:4.0.5-2) unstable; urgency=low + + * Build-Depend on newer libmhash-dev, as it supposedly doesn't + compile on current woody (closes: #96555) + * Build-Depends: s/freetype2/libttf-dev/ + * Stop building php4-pgsql - move to non-US + * Build-Deps on new libsablot0 + + -- Petr Cech Thu, 10 May 2001 10:43:02 +0200 + +php4 (3:4.0.5-1) unstable; urgency=medium + + * New upstream release. + * recompile with new sablot - how I hate this (closes: #95401) + * Merge XML into main php4 + * Reword README.Debian (closes: #89667) + * Enable wddx + * debian/*.postinst: * only ask upon first install, not upgrade (closes: #93452) + * fix typos (closes: #94118) + * Added support for Sybase/MS SQL Server (using FreeTDS) + using patch from: + http://rpms.arvin.dk/php/source/patches/php-sybase_ct.patch + thanks to Bradley Bell for the patch + * ext/pcre : two upstream fixes + * ext/sablot/sablot.c: small upstream fix + * build/buildcheck.sh : fixes to allow compile with libtool 1.4 + * ext/standard/exec.c: upstream fixes + * sapi/apache/mod_php4.c: off by one fix + * sapi/cgi/cgi_main.c: fix POST bug + * main/snprintf.c: upstream fix + + -- Petr Cech Wed, 3 May 2001 22:17:10 +0200 + +php4 (4.0.4.5rc6-2) unstable; urgency=low + + * Build-depends: libcurl-dev will pull libcurl2 (closes: #92994) + * TSRM/TSRM.c: upstream fix + * ext/pgsql: upstream fix + + -- Petr Cech Thu, 5 Apr 2001 17:51:09 +0200 + +php4 (4.0.4.5rc6-1) unstable; urgency=low + + * New upstream test release. + * Don't mention CGI support, as it's not so for a long time. + + -- Petr Cech Wed, 4 Apr 2001 13:47:45 +0200 + +php4 (4.0.4.5rc5-1) unstable; urgency=low + + * New upstream test release. + * ask about /etc/php4/cgi/php.ini also + * It's really recompiled for 1.3.19 (closes: #91901, #91822) + * problems with modules documented (closes: #81141, #82611) + + -- Petr Cech Mon, 2 Apr 2001 09:38:16 +0200 + +php4 (4.0.4.5rc3-1) unstable; urgency=low + + * New upstream RC release + * debian/rules: s/with-yp/enable-yp/ to really enable YP support. Discovered + on broken potato upload. -0potato2 is fixed + * Looks like there was a bug in latest build, this should fix it (closes: #92018) + * remove libmcal0 workaround + + -- Petr Cech Wed, 28 Mar 2001 21:15:36 +0200 + +php4 (4.0.4.5rc2-1) unstable; urgency=low + + * New upstream release test release 4.0.5RC2. + * debian/rules: Add lintian overrides + * debian/control: * add libexpat1-dev to Build-Depends + * add libmcal0 to Build-Depends since libmcal0-dev is + missing this dependancy :(( Bug filled + * ext/socket/socket.c: minor upstream patch + + -- Petr Cech Mon, 26 Mar 2001 20:43:49 +0200 + +php4 (4.0.4pl1-6) unstable; urgency=low + + * NEVER RELEASED + * Build-depends on libcurl1-dev (>= 7.6.1-5), which fixes the libcurl1 or + libcurl1-ssl problem. + * remove dh_testversion and use versioned Build-depends instead + + -- Petr Cech Tue, 13 Mar 2001 23:20:58 +0100 + +php4 (4.0.4pl1-5) unstable; urgency=low + + * Add lintian overrides + * Rebuild with correct libgd-dev installed. Sorry + (closes: #88490, #88255, #88371, #88619, #88635) + * Closed by fixed libjpeg (closes: #85865, #88141) + + -- Petr Cech Tue, 6 Mar 2001 17:26:41 +0100 + +php4 (4.0.4pl1-4) unstable; urgency=low + + * The "Enable what you can" release. + * Enable sablot extension (many files) (closes: #84073) + * Enable mcal extension (finaly closes: #65688, #85925) + * Build-Conflicts: bind-dev - this supposedly causes unresolved symbols. + Why? + * ext/pgsql/pgsql.c: apply tiny patch, which should fix postgres + problems. There is a better patch in CVS, but it needs changes to Zend + * pear/pear.in: binary is php4 no php (closes: #87848) + * ext/domxml/config.m4: link with -lxml2 (closes: #87457) + * debian/README.Debian: add notes about ldap, imap and mhash extensions + * debian/{control,rules}: activate bz2 extension + * php4.ini-dist: comment out include_path so php will use compiled in + path (closes 2nd part of 87848) + + -- Petr Cech Wed, 28 Feb 2001 10:18:11 +0100 + +php4 (4.0.4pl1-3) unstable; urgency=medium + + * Fixed postrm issues. Sorry + + -- Petr Cech Sun, 4 Feb 2001 06:13:00 +0100 + +php4 (4.0.4pl1-2) unstable; urgency=medium + + * debian/control: Build-depends: xlibs-dev (seems it's missing and causes + failed builds for arm, m68k and powerpc) + s/libsnmp4.1/libsnmp4.2/ (closes: #84139) + * debian/php4.*: make LoadModule matching case insensitive (fixes 83641 + for unstable) + + -- Petr Cech Wed, 31 Jan 2001 10:14:29 +0100 + +php4 (4.0.4pl1-1) unstable; urgency=high + + * New upstream version. + * This release fixes some security problems. + * Some patches from previous versions are not here. + * debian/control: Build-depends on newer libcurl1-dev, remove librecode-dev + * debian/control: add libjpeg62-dev to build-depends from powerpc buildlog + (hmm. Where ir Roman?) + * debian/php4{,-cgi}.postinst: don't mark php.ini as conffile and install it + when it doesn't already exist. I should find a way to check, that the default + php.ini changed and user should update it. + * debian/php4{,-cgi}.postrm: cleanup the /etc/php4 dir after purge + * fix xml.so not working with php4-cgi + + -- Petr Cech Thu, 23 Jan 2001 11:12:59 +0100 + +php4 (4.0.4final-6) unstable; urgency=medium + + * OK. Now also fix the prerm issues (closes: #81418) and to ease + that thanks for submiting bugs (closes: #81818, #81819) + * some upstream updates: browsercap, php-config + + -- Petr Cech Wed, 10 Jan 2001 14:04:19 +0100 + +php4 (4.0.4final-5) unstable; urgency=medium + + * OK. Take a deep breath and fix those bloody postinst + bugs - fix it and rewrite from ed -> sed, because ed is not essential :( + closes: #80801. + * apply some upstream fixes. + * disable ctype extension - not yet ready + + -- Petr Cech Tue, 2 Jan 2001 13:40:35 +0100 + +php4 (4.0.4final-4) unstable; urgency=low + + * debian/libc-client.la: add -lpam -ldl -lcrypt + * fix php4-cgi.postinst bugs (closes: #80817, #80805, #80801) + + -- Petr Cech Fri, 29 Dec 2000 11:40:43 +0100 + +php4 (4.0.4final-3) unstable; urgency=low + + * Brown Xmas Sock Release + * Grr. correctly fix the php4 postinst error + (closes: #80303, #80324, #80326, #80359) + NMU by Wichert Akkerman (closes: #80381) + * also fix php4-cgi. NMU by Marcelo E. Magallon + (closes: #80406). + * fix fix for php4-cgi postinst s/apache/cgi/ + * apply some upstream fixes to ext/session/ + * domxml/config.m4: fix my -Lshared,/usr/lib error + * debian/rules: + * add --enable-ctype to both targets + * --diable-pear to CGI target + * generate Depends: php4 (=ver) | php4-cgi (=ver) + + -- Petr Cech Wed, 27 Dec 2000 15:29:56 +0100 + +php4 (4.0.4final-2) unstable; urgency=low + + * Run apacheconfig with --force-modules. + * Fix stupid bug in php4 and php4-cgi postinst. + * ext/sysvshm/sysvshm.c : upstream fix + + -- Petr Cech Thu, 21 Dec 2000 22:58:27 +0100 + +php4 (4.0.4final-1) unstable; urgency=low + + * New upstream version. + * Sorry for the version, but da-katie doesn't allow overwriting of files, notably + .orig.tar.gz. It's my fault I know, but it worked till now. + + -- Petr Cech Wed, 20 Dec 2000 01:32:34 +0100 + +php4 (4.0.4-0RC6.1) unstable; urgency=low + + * OK. Final final RC for 4.0.4. + * Build-depends on libxml2-dev (>= 2.2.7) because php needs this. + * Activate ndbm dba driver. + + -- Petr Cech Sun, 17 Dec 2000 19:43:51 +0100 + +php4 (4.0.4-0RC5.1) unstable; urgency=low + + * UNRELEASED. + * Final RC for 4.0.4. + * Some mods to README.Debian and TODO + + -- Petr Cech Wed, 13 Dec 2000 00:01:08 +0100 + +php4 (4.0.4-0RC4.1) unstable; urgency=low + + * New upstream beta release. Let's stabilize things now and add new + modules after final release of 4.0.4. + + -- Petr Cech Thu, 7 Dec 2000 10:12:11 +0100 + +php4 (4.0.4-0RC3.2) unstable; urgency=low + + * recompile with new libc-client200-dev. + * fix source recompile + * depend on fixed apache 1.3.14-2 + + -- Petr Cech Thu, 7 Dec 2000 00:49:14 +0100 + +php4 (4.0.4-0RC3.1) unstable; urgency=low + + * New upstream beta release. + * Add libxml2-dev to build-depends (closes: #78479). + * implement DEB_BUILD_OPTIONS + * fix apache build wrt. apxs + * fix typo in description of curl modules (closes: #78828) + + -- Petr Cech Tue, 5 Dec 2000 14:22:30 +0100 + +php4 (4.0.3pl1-7) unstable; urgency=low + + * Rebuild with apache 1.3.14-1 + + -- Petr Cech Fri, 1 Dec 2000 01:41:41 +0100 + +php4 (4.0.3pl1-6) unstable; urgency=low + + * add --enable-memory-limit + * add --enable-exif per request from William Ono. + * Add Suggests: phpdoc (yes. it's here). + * ext/standard/crypt.c - fix from CVS. + * ext/ftp/ftp.{c,h} - fix mkdir() and RETR, STOR + * ext/gd/gd.c - add format string + - add XBM to phpinfo() + * ext/imap/php_imap.{c,h} - CVS fixes + * main/main.c - fix CGI crash + - add HTTP_SERVER_VARS in CGI mode + * and many more. Taken from php4.srpm (thanks :)) + * recompile with apache 1.3.12-2.2 + * and hack large files support into DSO module. php4 doesn't use it now :(( + + -- Petr Cech Thu, 30 Nov 2000 00:01:39 +0100 + +php4 (4.0.3pl1-5) unstable; urgency=low + + * Back out changes about --enable-versioning + * ext/domxml/php_domxml.c : fix compilation with recent libxml2 (>=2.2.7) + + -- Petr Cech Tue, 21 Nov 2000 18:03:56 +0100 + +php4 (4.0.3pl1-4) unstable; urgency=low + + * Clarify README.Debian about the DB change a bit (dbm_ -> dba_*) + * Remove aliasing hack - deprecated upstream. (closes: #76558) + * Compile with libgd-dev again (Write 100x always reinstall libgd-dev). + * --enable-versioning and tweak debian/control a bit, let's see, what breaks + + -- Petr Cech Tue, 14 Nov 2000 10:00:54 +0100 + +php4 (4.0.3pl1-3) unstable; urgency=low + + * Activate curl module. + * Really enable shmop module. + * Fix include paths in phpize. Now everyone should be able to easilly build + php4 extension modules (php4-dbase anyone?). + + -- Petr Cech Mon, 6 Nov 2000 23:17:41 +0100 + +php4 (4.0.3pl1-2) unstable; urgency=low + + * Build with libgd-dev installed (NOT libgd-gif). + + -- Petr Cech Tue, 17 Oct 2000 02:08:36 +0200 + +php4 (4.0.3pl1-1) unstable; urgency=medium + + * New upstream bugfix release. + * Depend on libopenldap1 as with the newer ldap module crashes php&apache. + + -- Petr Cech Mon, 16 Oct 2000 15:30:55 +0200 + +php4 (4.0.3-2) unstable; urgency=high + + * Urgency=high because last upload didn't have it ad it fixes some + security holes. + * ext/domxml/config.m4: don't try to build then --without-domxml + + -- Petr Cech Thu, 12 Oct 2000 12:50:17 +0200 + +php4 (4.0.3-1) unstable; urgency=low + + * New upstream release. + - fixes also some string format bugs + * Build with fixed libmysqlclient10-dev. + + -- Petr Cech Thu, 12 Oct 2000 00:00:07 +0200 + +php4 (4.0.2-7) unstable; urgency=low + + * Really, really install libldap2-dev. + * Workaround broken libmysqlclient9-dev. It has broken (again) .so symlink. + + -- Petr Cech Tue, 10 Oct 2000 22:28:48 +0200 + +php4 (4.0.2-6) unstable; urgency=low + + * Again fix description a little bit. + * Correct build-depends. + * Sic. Recompile, because I've busted (libopenldap-dev instead of + libldap2-dev was installed). + * While at it install also new apache glibc NMU and recompile with it. + * Move PEAR from php4-dev to php4 and install ALL of PEAR. + * add --prefix=/usr + * debhelper v2 + * prepare for CURL module + * Updated README.Debian + * updated XML module from php4 CVS to close: #72360 + + -- Petr Cech Mon, 2 Oct 2000 14:36:35 +0200 + +php4 (4.0.2-5) unstable; urgency=low + + * Correct build-depends (libgd1-dev -> libgd-dev). Where is Roman? :) + * Add libdb2-dev (>= 2:2.7.7-2.1) to build-depends for glibc 2.1.94. + * and recompile with glibc 2.1.94 to fix it. + + -- Petr Cech Wed, 27 Sep 2000 09:00:27 +0200 + +php4 (4.0.2-4) unstable; urgency=low + + * Tweak description a little bit more. + + -- Petr Cech Sun, 24 Sep 2000 23:58:15 +0200 + +php4 (4.0.2-3) unstable; urgency=low + + * Add info about what modules and why are enabled/disabled + into README.Debian. + * Install not so many docs (only in -dev now). + * Enable calendar and sockets modules. + * Rearange package descriptions so module-specific comments + go first. + * Create domxml module aka xmlv2. + * Fix spelling wan't -> want (closes: #70544). + * Add libraries for gd module only when linking this one + and not globaly (closes: #71623). + * Say that we wait for ENTER (closes: #71769). + * Fix logic in prerm script (closes: #71770). + + -- Petr Cech Sun, 24 Sep 2000 17:54:52 +0000 + +php4 (4.0.2-2) unstable; urgency=low + + * Add info about what modules and why are enabled/disabled + into README.Debian. + * Install not so many docs (only in -dev now). + * Enable calendar and sockets modules. + * Rearange package descriptions so module-specific comments + go first. + * Create domxml module aka xmlv2. + * Fix building (small typo). + * Compile with libmysqlclient9-dev installed. + + -- Petr Cech Mon, 18 Sep 2000 23:46:40 +0200 + +php4 (4.0.2-1) unstable; urgency=low + + * The "Back from vacation" release. + * New upstream fixed (and bugs). + * Correct postm script (only cosmetic) closes: #67350, #68541 + * build with libpcre3, libldap2 + * Use modified patch from -3 (remove #define XML_... php_XML_...) + + -- Petr Cech Thu, 7 Sep 2000 23:17:59 +0200 + +php4 (4.0.1pl2-3) unstable; urgency=low + + * UNRELEASED + * Fixed the XML packages. + + -- Norman Jordan Thu, 10 Aug 2000 21:45:15 +0000 + +php4 (4.0.1pl2-2) unstable; urgency=low + + * Fix source archive. + + -- Petr Cech Tue, 11 Jul 2000 11:04:48 +0000 + +php4 (4.0.1pl2-1) unstable; urgency=low + + * New upstream bug fix release (variation of the patches in -2) + * Build with new libgd1 library (maybe still in Incoming) + * Move PEAR stuff to php4 package (closes: #66897). + + -- Petr Cech Sun, 9 Jul 2000 09:01:06 +0000 + +php4 (4.0.1-2) unstable; urgency=low + + * Apply some CVS diffs in an attempt to fix opendir() problems. + + -- Petr Cech Fri, 30 Jun 2000 09:04:24 +0000 + +php4 (4.0.1-1) unstable; urgency=low + + * New upstream release (taken from CVS tag php_4_0_1). + * --with-regex=system else it plays havoc. Dunno why ... + * remove autoconf,automake,aclocal from configure rules. + * Fix description of XML --help message (no, it's not MySQL). + + -- Petr Cech Wed, 28 Jun 2000 22:55:16 +0200 + +php4 (4.0.0-4) unstable; urgency=low + + * Add -dev package (closes: #65907). + * Add -cgi and -cgi-* packages (closes: #51097, #52855). + * --enable-filepro + * Tweak copyright file a bit. + * Generate mhash module (closes part of 63186). + * Ask to remove libphp4 from httpd.conf upon remove/purge. + * Fixed build-depends, thanks to Roman Hodek (closes: #65938). + (I told you the first time it won't work :)) + * Mark /etc/php4/cgi/php.ini as conffile. + * Every module now ask if it should be enabled on install + (if it's not already) and disabled on remove/purge. + + -- Petr Cech Tue, 20 Jun 2000 14:29:01 +0200 + +php4 (4.0.0-3) unstable; urgency=low + + * Ship correct php.ini (extension_dir=/usr/lib/php4/apache). + * Don't use included libmysqlclient and use system one (fixes + wrong location of mysqld.sock) + * link XML module dynamicly with system xmlparse and xmltok. + + -- Petr Cech Wed, 14 Jun 2000 22:30:07 +0000 + +php4 (4.0.0-2) unstable; urgency=low + + * fix the IS_SLASH bug (closes: #65625 and probably others as well). + * Really change the maintainer field. + + -- Petr Cech Wed, 14 Jun 2000 07:44:05 +0000 + +php4 (4.0.0-1) unstable; urgency=low + + * New maintainer. + * New upstream release. + * Fix dynamic module loading. + * Added Build-Depends (I wonder, if I got them right) + * Standards-Version: 3.1.1 + + -- Petr Cech Tue, 13 Jun 2000 13:40:56 +0000 + +php4 (4.0rc1-2) unstable; urgency=low + + * Compile with latest apache and libraries from woody + (Closes: #62631, #62640) + + -- Gergely Madarasz Wed, 19 Apr 2000 14:39:25 +0200 + +php4 (4.0rc1-1) unstable; urgency=low + + * New upstream version + * Fix db2 support (Closes: #61709) + * Fix gd support (Closes: #61708) + * Remove ucd-snmp-hack from config options + + -- Gergely Madarasz Sun, 16 Apr 2000 17:04:05 +0200 + +php4 (4.0b4pl1-2) unstable; urgency=low + + * Build with --disable-debug so it should work with the zend + optimizer (Closes: #60265) + * Build with --enable-trans-sid (Closes: #60430) + * Write some more about php4/php3 differences in the description + (Closes: #60155) + + -- Gergely Madarasz Fri, 17 Mar 2000 17:35:29 +0100 + +php4 (4.0b4pl1-1) unstable; urgency=low + + * New upstream version + * Upstream reorganized the build system quite a bit, lots of patches + removed + + -- Gergely Madarasz Wed, 23 Feb 2000 17:16:00 +0100 + +php4 (4.0b3-4) unstable; urgency=low + + * Add /etc/php4/apache/php.ini to conffiles (Closes: #54194) + * Add info file for apacheconfig + * Offer to run apacheconfig and/or apache-sslconfig in postinst + * Comment out sendmail_path from php.ini so the default sendmail path + should work (Closes: #51355) + + -- Gergely Madarasz Thu, 6 Jan 2000 14:38:20 +0100 + +php4 (4.0b3-3) unstable; urgency=low + + * Compile with libgd instead of libgd-gif + + -- Gergely Madarasz Tue, 4 Jan 2000 18:07:56 +0100 + +php4 (4.0b3-2) unstable; urgency=low + + * Build imap and ldap modules + * Fix rm -f in rules file (Closes: #51623) + + -- Gergely Madarasz Mon, 3 Jan 2000 16:54:19 +0100 + +php4 (4.0b3-1) unstable; urgency=low + + * Initial Release. + + -- Gergely Madarasz Tue, 16 Nov 1999 19:33:42 +0100 + --- php5-5.2.4.orig/debian/php5-dev.prerm +++ php5-5.2.4/debian/php5-dev.prerm @@ -0,0 +1,15 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" != "remove" -a "$1" != "purge" ]; then + exit 0 +fi + +for i in php-config phpize; do + update-alternatives --remove $i /usr/bin/"$i"5 +done + +exit 0 --- php5-5.2.4.orig/debian/libapache2-mod-php5.prerm +++ php5-5.2.4/debian/libapache2-mod-php5.prerm @@ -0,0 +1,15 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" != "remove" -a "$1" != "purge" ]; then + exit 0 +fi + +if [ -e /etc/apache2/apache2.conf ]; then + a2dismod php5 || true +fi + +exit 0 --- php5-5.2.4.orig/debian/patches/CVE-2012-1172.patch +++ php5-5.2.4/debian/patches/CVE-2012-1172.patch @@ -0,0 +1,95 @@ +Description: fix denial of service or directory traversal via invalid filename. +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=95dcd799fb6fdccbc60d3bba3cd759f6b421ee69 +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=baeaafd3951451c7dadf949c7677e90141c1e17a +Bug: https://bugs.php.net/bug.php?id=55500 +Bug: https://bugs.php.net/bug.php?id=54374 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663760 + +Index: php5-5.2.4/main/rfc1867.c +=================================================================== +--- php5-5.2.4.orig/main/rfc1867.c 2012-06-12 15:53:32.276997712 -0400 ++++ php5-5.2.4/main/rfc1867.c 2012-06-12 15:53:58.096997464 -0400 +@@ -1020,6 +1020,10 @@ + } + tmp++; + } ++ /* Brackets should always be closed */ ++ if(c != 0) { ++ skip_upload = 1; ++ } + } + + total_bytes = cancel_upload = 0; +Index: php5-5.2.4/tests/basic/bug55500.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/tests/basic/bug55500.phpt 2012-06-12 15:53:58.096997464 -0400 +@@ -0,0 +1,68 @@ ++--TEST-- ++Bug #55500 (Corrupted $_FILES indices lead to security concern) ++--INI-- ++file_uploads=1 ++error_reporting=E_ALL&~E_NOTICE ++upload_max_filesize=1024 ++max_file_uploads=10 ++--POST_RAW-- ++Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 ++-----------------------------20896060251896012921717172737 ++Content-Disposition: form-data; name="file[]"; filename="file1.txt" ++Content-Type: text/plain-file1 ++ ++1 ++-----------------------------20896060251896012921717172737 ++Content-Disposition: form-data; name="file[[type]"; filename="file2.txt" ++Content-Type: text/plain-file2 ++ ++2 ++-----------------------------20896060251896012921717172737 ++Content-Disposition: form-data; name="file[[name]"; filename="file3.txt" ++Content-Type: text/plain-file3 ++ ++3 ++-----------------------------20896060251896012921717172737 ++Content-Disposition: form-data; name="file[name]["; filename="file4.txt" ++Content-Type: text/plain-file3 ++ ++4 ++-----------------------------20896060251896012921717172737-- ++--FILE-- ++ ++--EXPECTF-- ++array(1) { ++ [%u|b%"file"]=> ++ array(5) { ++ [%u|b%"name"]=> ++ array(1) { ++ [0]=> ++ %unicode|string%(9) "file1.txt" ++ } ++ [%u|b%"type"]=> ++ array(1) { ++ [0]=> ++ %unicode|string%(16) "text/plain-file1" ++ } ++ [%u|b%"tmp_name"]=> ++ array(1) { ++ [0]=> ++ %unicode|string%(%d) "%s" ++ } ++ [%u|b%"error"]=> ++ array(1) { ++ [0]=> ++ int(0) ++ } ++ [%u|b%"size"]=> ++ array(1) { ++ [0]=> ++ int(1) ++ } ++ } ++} ++array(0) { ++} --- php5-5.2.4.orig/debian/patches/fix_64bit_time.patch +++ php5-5.2.4/debian/patches/fix_64bit_time.patch @@ -0,0 +1,106 @@ +Index: php5-5.2.4/ext/date/lib/parse_date.c +=================================================================== +--- php5-5.2.4.orig/ext/date/lib/parse_date.c 2008-02-27 12:58:25.768431881 -0500 ++++ php5-5.2.4/ext/date/lib/parse_date.c 2008-02-27 12:58:58.973467615 -0500 +@@ -668,7 +668,7 @@ + long value = 0; + const timelib_tz_lookup_table *tp; + +- while (**ptr != '\0' && **ptr != ')') { ++ while (**ptr != '\0' && **ptr != ')' && **ptr != ' ') { + ++*ptr; + } + end = *ptr; +Index: php5-5.2.4/ext/date/lib/parse_date.re +=================================================================== +--- php5-5.2.4.orig/ext/date/lib/parse_date.re 2008-02-27 12:58:25.800458866 -0500 ++++ php5-5.2.4/ext/date/lib/parse_date.re 2008-02-27 12:58:58.981470555 -0500 +@@ -667,7 +667,7 @@ + long value = 0; + const timelib_tz_lookup_table *tp; + +- while (**ptr != '\0' && **ptr != ')') { ++ while (**ptr != '\0' && **ptr != ')' && **ptr != ' ') { + ++*ptr; + } + end = *ptr; +Index: php5-5.2.4/ext/date/lib/timelib.h +=================================================================== +--- php5-5.2.4.orig/ext/date/lib/timelib.h 2008-02-27 12:58:25.868430735 -0500 ++++ php5-5.2.4/ext/date/lib/timelib.h 2008-02-27 12:58:58.905465712 -0500 +@@ -22,6 +22,9 @@ + #define __TIMELIB_H__ + + #include "timelib_structs.h" ++#if HAVE_LIMITS_H ++#include ++#endif + + #define TIMELIB_NONE 0x00 + #define TIMELIB_OVERRIDE_TIME 0x01 +Index: php5-5.2.4/ext/date/tests/bug41523.phpt +=================================================================== +--- php5-5.2.4.orig/ext/date/tests/bug41523.phpt 2008-02-27 12:58:25.936460995 -0500 ++++ php5-5.2.4/ext/date/tests/bug41523.phpt 2008-02-27 12:58:58.925463597 -0500 +@@ -1,5 +1,7 @@ + --TEST-- +-Bug #41523 (strtotime('0000-00-00 00:00:00') is parsed as 1999-11-30) ++Bug #41523 (strtotime('0000-00-00 00:00:00') is parsed as 1999-11-30) (32 bit) ++--SKIPIF-- ++ + --FILE-- + + --INI-- + error_reporting=2047 + --FILE-- +Index: php5-5.2.4/ext/date/tests/strtotime-mysql.phpt +=================================================================== +--- php5-5.2.4.orig/ext/date/tests/strtotime-mysql.phpt 2008-02-27 12:58:26.060432838 -0500 ++++ php5-5.2.4/ext/date/tests/strtotime-mysql.phpt 2008-02-27 12:58:58.949459635 -0500 +@@ -1,5 +1,7 @@ + --TEST-- +-strtotime() and mysql timestamps ++strtotime() and mysql timestamps (32 bit) ++--SKIPIF-- ++ + --FILE-- + + --FILE-- + ++ + --INI-- + precision=14 + --FILE-- --- php5-5.2.4.orig/debian/patches/php5-pear-CVE-2011-1144-regression.patch +++ php5-5.2.4/debian/patches/php5-pear-CVE-2011-1144-regression.patch @@ -0,0 +1,45 @@ +Subject: Bug #18340raiseErro typo +Origin: http://svn.php.net/viewvc?view=revision&revision=308983 + +Also includes http://svn.php.net/viewvc?view=revision&revision=309593 + + Fixed Bug #18388: Parenteses error in REST.php line 232 [dufuz] + +--- PEAR/REST.php.old 2011-03-18 16:33:00.000000000 -0300 ++++ PEAR/REST.php 2011-03-22 18:46:25.000000000 -0300 +@@ -102,7 +102,7 @@ + // reset the age of the cache if the server says it was unmodified + $result = $this->saveCache($url, $ret, null, true, $cacheId); + if (PEAR::isError($result)) { +- return PEAR::raiseErro($result->getMessage()); ++ return PEAR::raiseError($result->getMessage()); + } + } + +@@ -122,7 +122,7 @@ + if ($forcestring) { + $result = $this->saveCache($url, $content, $lastmodified, false, $cacheId); + if (PEAR::isError($result)) { +- return PEAR::raiseErro($result->getMessage()); ++ return PEAR::raiseError($result->getMessage()); + } + + return $content; +@@ -162,7 +162,7 @@ + + $result = $this->saveCache($url, $content, $lastmodified, false, $cacheId); + if (PEAR::isError($result)) { +- return PEAR::raiseErro($result->getMessage()); ++ return PEAR::raiseError($result->getMessage()); + } + + return $content; +@@ -229,7 +229,7 @@ + $cachefile = $d . 'rest.cachefile'; + + if (!is_dir($cache_dir)) { +- if (System::mkdir(array('-p', $cache_dir) === false)) { ++ if (System::mkdir(array('-p', $cache_dir)) === false) { + return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory and attempts to create the directory failed."); + } + } --- php5-5.2.4.orig/debian/patches/php5-CVE-2012-0831-regression.patch +++ php5-5.2.4/debian/patches/php5-CVE-2012-0831-regression.patch @@ -0,0 +1,81 @@ +Author: Ondřej Surý +Subject: Patch magic_quotes_gpc-regression for Variables related Bug #61043 +Bug: https://bugs.php.net/bug.php?id=61043 +Bug-Launchpad: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115 + +magic_quotes_gpc fix for regression introduced by CVE-2012-0831 fix. + +--- + main/php_variables.c | 13 +++++++++---- + sapi/cgi/cgi_main.c | 6 ++++-- + 2 files changed, 13 insertions(+), 6 deletions(-) + +Index: b/main/php_variables.c +=================================================================== +--- a/main/php_variables.c ++++ b/main/php_variables.c +@@ -446,7 +446,7 @@ void _php_import_environment_variables(z + /* turn off magic_quotes while importing environment variables */ + int magic_quotes_gpc = PG(magic_quotes_gpc); + +- if (PG(magic_quotes_gpc)) { ++ if (magic_quotes_gpc) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } + +@@ -467,7 +467,10 @@ void _php_import_environment_variables(z + if (t != buf && t != NULL) { + efree(t); + } +- PG(magic_quotes_gpc) = magic_quotes_gpc; ++ ++ if (magic_quotes_gpc) { ++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); ++ } + } + + zend_bool php_std_auto_global_callback(char *name, uint name_len TSRMLS_DC) +@@ -591,7 +594,7 @@ static inline void php_register_server_v + zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); + } + PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; +- if (PG(magic_quotes_gpc)) { ++ if (magic_quotes_gpc) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } + +@@ -618,7 +621,9 @@ static inline void php_register_server_v + php_register_variable_ex("REQUEST_TIME", &new_entry, array_ptr TSRMLS_CC); + } + +- PG(magic_quotes_gpc) = magic_quotes_gpc; ++ if (magic_quotes_gpc) { ++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); ++ } + } + /* }}} */ + +Index: b/sapi/cgi/cgi_main.c +=================================================================== +--- a/sapi/cgi/cgi_main.c ++++ b/sapi/cgi/cgi_main.c +@@ -505,7 +505,7 @@ void cgi_php_import_environment_variable + int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; + + /* turn off magic_quotes while importing environment variables */ +- if (PG(magic_quotes_gpc)) { ++ if (magic_quotes_gpc) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } + for (zend_hash_internal_pointer_reset_ex(&request->env, &pos); +@@ -517,7 +517,9 @@ void cgi_php_import_environment_variable + php_register_variable_safe(var, *val, new_val_len, array_ptr TSRMLS_CC); + } + } +- PG(magic_quotes_gpc) = magic_quotes_gpc; ++ if (magic_quotes_gpc) { ++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); ++ } + } + } + #endif --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-1464.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-1464.patch @@ -0,0 +1,690 @@ +Subject: Fixed bug #54055 (buffer overrun with high values for precision ini setting). +Origin: http://svn.php.net/viewvc?view=revision&revision=308525 + +#This fix (for g/G/k/H modes) is done at a different level than that for the +#modes e/E/f/F, at a bit higher level and therefore with less coverage. I +#chose this because it addresses the problem where it is -- the calling function +#that passes a buffer too small to php_gcvt. + +CVE-2011-1464 + +Patch differs from upstream commit in that the NEWS file addition was +dropped to reduce patch conflicts. + +Index: ext/standard/tests/strings/bug54055.phpt +=================================================================== +--- ext/standard/tests/strings/bug54055.phpt (revision 0) ++++ ext/standard/tests/strings/bug54055.phpt (revision 308525) +@@ -0,0 +1,589 @@ ++--TEST-- ++Bug #54055: PHP crashes when executing strval when precision setting is very high ++--FILE-- ++ FORMAT_CONV_MAX_PRECISION) { ++ precision = FORMAT_CONV_MAX_PRECISION; ++ } + } else + adjust_precision = NO; + } else +Index: main/spprintf.c +=================================================================== +--- main/spprintf.c (revision 308524) ++++ main/spprintf.c (revision 308525) +@@ -285,10 +285,6 @@ + + /* + * Check if a precision was specified +- * +- * XXX: an unreasonable amount of precision may be specified +- * resulting in overflow of num_buf. Currently we +- * ignore this possibility. + */ + if (*fmt == '.') { + adjust_precision = YES; +@@ -302,6 +298,10 @@ + precision = 0; + } else + precision = 0; ++ ++ if (precision > FORMAT_CONV_MAX_PRECISION) { ++ precision = FORMAT_CONV_MAX_PRECISION; ++ } + } else + adjust_precision = NO; + } else +Index: main/snprintf.h +=================================================================== +--- main/snprintf.h (revision 308524) ++++ main/snprintf.h (revision 308525) +@@ -12,7 +12,7 @@ + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ +- | Author: Stig Sther Bakken | ++ | Author: Stig Sæther Bakken | + | Marcus Boerger | + +----------------------------------------------------------------------+ + */ +@@ -158,6 +158,17 @@ + extern char * ap_php_conv_p2(register u_wide_int num, register int nbits, + char format, char *buf_end, register int *len); + ++/* The maximum precision that's allowed for float conversion. Does not include ++ * decimal separator, exponent, sign, terminator. Currently does not affect ++ * the modes e/f, only g/k/H, as those have a different limit enforced at ++ * another level (see NDIG in php_conv_fp()). ++ * Applies to the formatting functions of both spprintf.c and snprintf.c, which ++ * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the ++ * call to php_gcvt(). ++ * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9 ++ * should be enough, but let's give some more space) */ ++#define FORMAT_CONV_MAX_PRECISION 500 ++ + #endif /* SNPRINTF_H */ + + /* --- php5-5.2.4.orig/debian/patches/suhosin.patch +++ php5-5.2.4/debian/patches/suhosin.patch @@ -0,0 +1,2622 @@ +Index: php5-5.2.4/configure.in +=================================================================== +--- php5-5.2.4.orig/configure.in 2007-09-16 14:45:15.000000000 +0200 ++++ php5-5.2.4/configure.in 2007-09-16 14:45:15.000000000 +0200 +@@ -227,6 +227,7 @@ + sinclude(TSRM/threads.m4) + sinclude(TSRM/tsrm.m4) + ++sinclude(main/suhosin_patch.m4) + + divert(2) + +@@ -1304,7 +1305,7 @@ + php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \ + strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \ + network.c php_open_temporary_file.c php_logos.c \ +- output.c ) ++ output.c suhosin_patch.c ) + + PHP_ADD_SOURCES(main/streams, streams.c cast.c memory.c filter.c \ + plain_wrapper.c userspace.c transports.c xp_socket.c mmap.c) +@@ -1330,7 +1331,7 @@ + zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \ + zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \ + zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c zend_stream.c \ +- zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c) ++ zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c zend_canary.c ) + + if test -r "$abs_srcdir/Zend/zend_objects.c"; then + PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c \ +Index: php5-5.2.4/ext/standard/basic_functions.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/basic_functions.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/ext/standard/basic_functions.c 2007-09-16 14:45:15.000000000 +0200 +@@ -3570,7 +3570,9 @@ + PHP_FALIAS(socket_get_status, stream_get_meta_data, arginfo_stream_get_meta_data) + + #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS) +- PHP_FE(realpath, arginfo_realpath) ++#undef realpath ++ PHP_NAMED_FE(realpath, PHP_FN(real_path), arginfo_realpath) ++#define realpath real_path + #endif + + #ifdef HAVE_FNMATCH +Index: php5-5.2.4/ext/standard/dl.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/dl.c 2007-09-16 14:45:15.000000000 +0200 ++++ php5-5.2.4/ext/standard/dl.c 2007-09-16 14:45:15.000000000 +0200 +@@ -228,6 +228,19 @@ + RETURN_FALSE; + } + } ++#if SUHOSIN_PATCH ++ if (strncmp("suhosin", module_entry->name, sizeof("suhosin")-1) == 0) { ++ void *log_func; ++ /* sucessfully loaded suhosin extension, now check for logging function replacement */ ++ log_func = (void *) DL_FETCH_SYMBOL(handle, "suhosin_log"); ++ if (log_func == NULL) { ++ log_func = (void *) DL_FETCH_SYMBOL(handle, "_suhosin_log"); ++ } ++ if (log_func != NULL) { ++ zend_suhosin_log = log_func; ++ } ++ } ++#endif + RETURN_TRUE; + } + /* }}} */ +Index: php5-5.2.4/ext/standard/file.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/file.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/ext/standard/file.c 2007-09-16 14:45:15.000000000 +0200 +@@ -2361,7 +2361,7 @@ + #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS) + /* {{{ proto string realpath(string path) + Return the resolved path */ +-PHP_FUNCTION(realpath) ++PHP_FUNCTION(real_path) + { + zval **path; + char resolved_path_buff[MAXPATHLEN]; +Index: php5-5.2.4/ext/standard/file.h +=================================================================== +--- php5-5.2.4.orig/ext/standard/file.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/ext/standard/file.h 2007-09-16 14:45:15.000000000 +0200 +@@ -61,7 +61,7 @@ + PHP_FUNCTION(fd_set); + PHP_FUNCTION(fd_isset); + #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS) +-PHP_FUNCTION(realpath); ++PHP_FUNCTION(real_path); + #endif + #ifdef HAVE_FNMATCH + PHP_FUNCTION(fnmatch); +Index: php5-5.2.4/ext/standard/info.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/info.c 2007-09-16 14:45:15.000000000 +0200 ++++ php5-5.2.4/ext/standard/info.c 2007-09-16 14:45:15.000000000 +0200 +@@ -627,6 +627,31 @@ + + php_info_print_table_end(); + ++ /* Suhosin Patch */ ++ php_info_print_box_start(0); ++ if (expose_php && !sapi_module.phpinfo_as_text) { ++ PUTS("\"Suhosin\n"); ++ } ++ PUTS("This server is protected with the Suhosin Patch "); ++ if (sapi_module.phpinfo_as_text) { ++ PUTS(SUHOSIN_PATCH_VERSION); ++ } else { ++ zend_html_puts(SUHOSIN_PATCH_VERSION, strlen(SUHOSIN_PATCH_VERSION) TSRMLS_CC); ++ } ++ PUTS(!sapi_module.phpinfo_as_text?"
":"\n"); ++ if (sapi_module.phpinfo_as_text) { ++ PUTS("Copyright (c) 2006 Hardened-PHP Project\n"); ++ } else { ++ PUTS("Copyright (c) 2006 Hardened-PHP Project\n"); ++ } ++ php_info_print_box_end(); ++ + /* Zend Engine */ + php_info_print_box_start(0); + if (expose_php && !sapi_module.phpinfo_as_text) { +Index: php5-5.2.4/ext/standard/syslog.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/syslog.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/ext/standard/syslog.c 2007-09-16 14:45:15.000000000 +0200 +@@ -42,6 +42,7 @@ + */ + PHP_MINIT_FUNCTION(syslog) + { ++#if !SUHOSIN_PATCH + /* error levels */ + REGISTER_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */ + REGISTER_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */ +@@ -97,6 +98,7 @@ + /* AIX doesn't have LOG_PERROR */ + REGISTER_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/ + #endif ++#endif + BG(syslog_device)=NULL; + + return SUCCESS; +Index: php5-5.2.4/main/fopen_wrappers.c +=================================================================== +--- php5-5.2.4.orig/main/fopen_wrappers.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/main/fopen_wrappers.c 2007-09-16 14:45:15.000000000 +0200 +@@ -111,7 +111,7 @@ + + /* normalize and expand path */ + if (expand_filepath(path, resolved_name TSRMLS_CC) == NULL) { +- return -1; ++ return -2; + } + + path_len = strlen(resolved_name); +@@ -180,6 +180,12 @@ + } + } + ++ if (resolved_name_len == resolved_basedir_len - 1) { ++ if (resolved_basedir[resolved_basedir_len - 1] == PHP_DIR_SEPARATOR) { ++ resolved_basedir_len--; ++ } ++ } ++ + /* Check the path */ + #if defined(PHP_WIN32) || defined(NETWARE) + if (strncasecmp(resolved_basedir, resolved_name, resolved_basedir_len) == 0) { +@@ -203,7 +209,7 @@ + } + } else { + /* Unable to resolve the real path, return -1 */ +- return -1; ++ return -3; + } + } + /* }}} */ +@@ -222,22 +228,44 @@ + char *pathbuf; + char *ptr; + char *end; ++ char path_copy[MAXPATHLEN]; ++ int path_len; ++ ++ /* Special case path ends with a trailing slash */ ++ path_len = strlen(path); ++ if (path_len >= MAXPATHLEN) { ++ errno = EPERM; /* we deny permission to open it */ ++ return -1; ++ } ++ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) { ++ memcpy(path_copy, path, path_len+1); ++ while (path_len > 1 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--; ++ path_copy[path_len] = '\0'; ++ path = (const char *)&path_copy; ++ } + + pathbuf = estrdup(PG(open_basedir)); + + ptr = pathbuf; + + while (ptr && *ptr) { ++ int res; + end = strchr(ptr, DEFAULT_DIR_SEPARATOR); + if (end != NULL) { + *end = '\0'; + end++; + } + +- if (php_check_specific_open_basedir(ptr, path TSRMLS_CC) == 0) { ++ res = php_check_specific_open_basedir(ptr, path TSRMLS_CC); ++ if (res == 0) { + efree(pathbuf); + return 0; + } ++ if (res == -2) { ++ efree(pathbuf); ++ errno = EPERM; ++ return -1; ++ } + + ptr = end; + } +Index: php5-5.2.4/main/main.c +=================================================================== +--- php5-5.2.4.orig/main/main.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/main/main.c 2007-09-16 14:45:15.000000000 +0200 +@@ -88,6 +88,9 @@ + + #include "SAPI.h" + #include "rfc1867.h" ++#if SUHOSIN_PATCH ++#include "suhosin_globals.h" ++#endif + /* }}} */ + + #ifndef ZTS +@@ -1347,7 +1350,7 @@ + + /* used to close fd's in the 3..255 range here, but it's problematic + */ +- shutdown_memory_manager(1, 1 TSRMLS_CC); ++ shutdown_memory_manager(1, 1 TSRMLS_CC); + } + /* }}} */ + +@@ -1388,6 +1391,9 @@ + + zend_try { + shutdown_memory_manager(CG(unclean_shutdown), 0 TSRMLS_CC); ++#if SUHOSIN_PATCH ++ suhosin_clear_mm_canaries(TSRMLS_C); ++#endif + } zend_end_try(); + + zend_try { +@@ -1480,6 +1486,9 @@ + /* 11. Free Willy (here be crashes) */ + zend_try { + shutdown_memory_manager(CG(unclean_shutdown) || !report_memleaks, 0 TSRMLS_CC); ++#if SUHOSIN_PATCH ++ suhosin_clear_mm_canaries(TSRMLS_C); ++#endif + } zend_end_try(); + + /* 12. Reset max_execution_time */ +@@ -1639,6 +1648,9 @@ + #ifdef ZTS + tsrm_ls = ts_resource(0); + #endif ++#if SUHOSIN_PATCH ++ suhosin_startup(); ++#endif + + module_shutdown = 0; + module_startup = 1; +@@ -1768,6 +1780,10 @@ + REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, strlen(PHP_CONFIG_FILE_PATH), CONST_PERSISTENT | CONST_CS); + REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS); + REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS); ++#if SUHOSIN_PATCH ++ REGISTER_MAIN_LONG_CONSTANT("SUHOSIN_PATCH", 1, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_STRINGL_CONSTANT("SUHOSIN_PATCH_VERSION", SUHOSIN_PATCH_VERSION, sizeof(SUHOSIN_PATCH_VERSION)-1, CONST_PERSISTENT | CONST_CS); ++#endif + REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS); + REGISTER_MAIN_LONG_CONSTANT("PHP_INT_MAX", LONG_MAX, CONST_PERSISTENT | CONST_CS); + REGISTER_MAIN_LONG_CONSTANT("PHP_INT_SIZE", sizeof(long), CONST_PERSISTENT | CONST_CS); +@@ -1817,7 +1833,9 @@ + module_startup = 0; + + shutdown_memory_manager(1, 0 TSRMLS_CC); +- ++#if SUHOSIN_PATCH ++ suhosin_clear_mm_canaries(TSRMLS_C); ++#endif + /* we're done */ + return SUCCESS; + } +@@ -1876,6 +1894,9 @@ + #ifndef ZTS + zend_ini_shutdown(TSRMLS_C); + shutdown_memory_manager(CG(unclean_shutdown), 1 TSRMLS_CC); ++#if SUHOSIN_PATCH ++ suhosin_clear_mm_canaries(TSRMLS_C); ++#endif + core_globals_dtor(&core_globals TSRMLS_CC); + #else + zend_ini_global_shutdown(TSRMLS_C); +Index: php5-5.2.4/main/php.h +=================================================================== +--- php5-5.2.4.orig/main/php.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/main/php.h 2007-09-16 14:45:15.000000000 +0200 +@@ -40,6 +40,13 @@ + #undef sprintf + #define sprintf php_sprintf + ++#if SUHOSIN_PATCH ++#if HAVE_REALPATH ++#undef realpath ++#define realpath php_realpath ++#endif ++#endif ++ + /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */ + #undef PHP_DEBUG + #define PHP_DEBUG ZEND_DEBUG +@@ -452,6 +459,10 @@ + #endif + #endif /* !XtOffsetOf */ + ++#if SUHOSIN_PATCH ++#include "suhosin_patch.h" ++#endif ++ + #endif + + /* +Index: php5-5.2.4/main/php_logos.c +=================================================================== +--- php5-5.2.4.orig/main/php_logos.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/main/php_logos.c 2007-09-16 14:45:15.000000000 +0200 +@@ -50,6 +50,10 @@ + return zend_hash_del(&phpinfo_logo_hash, logo_string, strlen(logo_string)); + } + ++#if SUHOSIN_PATCH ++#include "suhosin_logo.h" ++#endif ++ + int php_init_info_logos(void) + { + if(zend_hash_init(&phpinfo_logo_hash, 0, NULL, NULL, 1)==FAILURE) +@@ -58,6 +62,9 @@ + php_register_info_logo(PHP_LOGO_GUID , "image/gif", php_logo , sizeof(php_logo)); + php_register_info_logo(PHP_EGG_LOGO_GUID, "image/gif", php_egg_logo, sizeof(php_egg_logo)); + php_register_info_logo(ZEND_LOGO_GUID , "image/gif", zend_logo , sizeof(zend_logo)); ++#if SUHOSIN_PATCH ++ php_register_info_logo(SUHOSIN_LOGO_GUID, "image/jpeg", suhosin_logo, sizeof(suhosin_logo)); ++#endif + + return SUCCESS; + } +Index: php5-5.2.4/main/snprintf.c +=================================================================== +--- php5-5.2.4.orig/main/snprintf.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/main/snprintf.c 2007-09-16 14:45:15.000000000 +0200 +@@ -1079,7 +1079,11 @@ + + + case 'n': ++#if SUHOSIN_PATCH ++ zend_suhosin_log(S_MISC, "'n' specifier within format string"); ++#else + *(va_arg(ap, int *)) = cc; ++#endif + goto skip_output; + + /* +Index: php5-5.2.4/main/spprintf.c +=================================================================== +--- php5-5.2.4.orig/main/spprintf.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/main/spprintf.c 2007-09-16 14:45:15.000000000 +0200 +@@ -672,7 +672,11 @@ + + + case 'n': ++#if SUHOSIN_PATCH ++ zend_suhosin_log(S_MISC, "'n' specifier within format string"); ++#else + *(va_arg(ap, int *)) = xbuf->len; ++#endif + goto skip_output; + + /* +Index: php5-5.2.4/main/suhosin_globals.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/main/suhosin_globals.h 2007-09-16 14:45:15.000000000 +0200 +@@ -0,0 +1,61 @@ ++/* ++ +----------------------------------------------------------------------+ ++ | Suhosin-Patch for PHP | ++ +----------------------------------------------------------------------+ ++ | Copyright (c) 2004-2006 Stefan Esser | ++ +----------------------------------------------------------------------+ ++ | This source file is subject to version 2.02 of the PHP license, | ++ | that is bundled with this package in the file LICENSE, and is | ++ | available at through the world-wide-web at | ++ | http://www.php.net/license/2_02.txt. | ++ | If you did not receive a copy of the PHP license and are unable to | ++ | obtain it through the world-wide-web, please send a note to | ++ | license@php.net so we can mail you a copy immediately. | ++ +----------------------------------------------------------------------+ ++ | Author: Stefan Esser | ++ +----------------------------------------------------------------------+ ++ */ ++ ++#ifndef SUHOSIN_GLOBALS_H ++#define SUHOSIN_GLOBALS_H ++ ++typedef struct _suhosin_patch_globals suhosin_patch_globals_struct; ++ ++#ifdef ZTS ++# define SPG(v) TSRMG(suhosin_patch_globals_id, suhosin_patch_globals_struct *, v) ++extern int suhosin_patch_globals_id; ++#else ++# define SPG(v) (suhosin_patch_globals.v) ++extern struct _suhosin_patch_globals suhosin_patch_globals; ++#endif ++ ++ ++struct _suhosin_patch_globals { ++ /* logging */ ++ int log_syslog; ++ int log_syslog_facility; ++ int log_syslog_priority; ++ int log_sapi; ++ int log_script; ++ int log_phpscript; ++ char *log_scriptname; ++ char *log_phpscriptname; ++ zend_bool log_phpscript_is_safe; ++ zend_bool log_use_x_forwarded_for; ++ ++ /* memory manager canary protection */ ++ unsigned int canary_1; ++ unsigned int canary_2; ++ unsigned int canary_3; ++ unsigned int dummy; ++}; ++ ++ ++#endif /* SUHOSIN_GLOBALS_H */ ++ ++/* ++ * Local variables: ++ * tab-width: 4 ++ * c-basic-offset: 4 ++ * End: ++ */ +Index: php5-5.2.4/main/suhosin_logo.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/main/suhosin_logo.h 2007-09-16 14:45:15.000000000 +0200 +@@ -0,0 +1,178 @@ ++static unsigned char suhosin_logo[] = ++ "\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x01\x01\x00\x48" ++ "\x00\x48\x00\x00\xff\xe1\x00\x16\x45\x78\x69\x66\x00\x00\x4d\x4d" ++ "\x00\x2a\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\xff\xdb\x00\x43" ++ "\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" ++ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" ++ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" ++ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" ++ "\x01\xff\xc0\x00\x0b\x08\x00\x27\x00\x71\x01\x01\x22\x00\xff\xc4" ++ "\x00\x1e\x00\x00\x02\x02\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00" ++ "\x00\x00\x00\x00\x09\x06\x08\x05\x07\x02\x03\x0a\x01\x04\xff\xc4" ++ "\x00\x32\x10\x00\x01\x04\x03\x00\x02\x00\x05\x01\x05\x09\x01\x00" ++ "\x00\x00\x00\x05\x02\x03\x04\x06\x01\x07\x08\x00\x09\x11\x12\x13" ++ "\x14\x21\x15\x0a\x16\x31\x56\x96\x17\x18\x19\x23\x32\x41\x58\x98" ++ "\xd4\xd6\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\xf4\xc1\xe1\xe5" ++ "\x69\xe9\x3e\xb9\xd1\x7c\x8a\x2e\x9d\x66\xe8\x3b\x29\x4d\x7f\x46" ++ "\xba\x58\x55\x54\x8d\xb1\x5f\xaa\xd9\x8d\x51\x2b\xb6\x27\x5a\x69" ++ "\xd1\x43\xaf\x16\x1a\xf0\xb2\xb1\xe9\x6d\x9f\xc2\xa4\x36\x18\xb5" ++ "\x85\x10\x41\xbe\xfc\x09\xac\x49\x29\x11\xd4\x32\x97\xec\x08\x13" ++ "\xc1\x2d\x20\xc3\x59\xeb\x26\x05\xd8\x6b\x76\x31\x43\x8f\x57\xcf" ++ "\x84\x9f\x14\xa8\x53\x81\x0b\xc3\x64\x80\xa3\x02\x0a\x41\x75\xf8" ++ "\x44\x85\x93\x81\x22\x3c\xd8\x13\xe1\xbe\xf4\x59\x91\x1f\x6a\x44" ++ "\x77\x5c\x69\xc4\x2f\x39\x5f\x0f\x2a\x8d\xeb\xba\xf8\xc3\x56\x6c" ++ "\x3b\x36\xa7\xda\xbd\x4d\xa1\xb5\x4e\xc6\xa7\xa4\x3a\xec\x15\x2d" ++ "\xa5\xb3\xea\x5a\xdc\xac\x46\xac\x01\x60\xd8\x43\xc8\x8e\x8b\xb1" ++ "\x40\x4c\x95\x8b\x34\x41\x28\x52\x91\x28\x43\xd3\xa3\xb6\xa7\x55" ++ "\x15\xe7\x5a\x96\xcb\xf1\xda\xe5\x55\xee\xfe\x1e\xbd\xd9\x41\xd3" ++ "\x28\xfd\x97\xca\x57\x2b\x85\x9c\xa4\x30\x95\xaa\xa5\x57\xa2\x35" ++ "\x15\x86\xcb\x61\x34\x41\xe4\xc7\x80\x20\x18\x21\x17\x09\x85\x0b" ++ "\x14\x9d\x21\x68\x62\x1c\x08\x11\x64\x4b\x92\xf2\xd2\xd3\x2d\x2d" ++ "\x6a\xc2\x73\x6b\x3c\x3c\x8b\x9e\xbc\x52\xaa\xa4\xab\x81\x6c\xf6" ++ "\xfa\xbd\x70\xc5\xc6\x7b\xc2\xaa\x22\x4f\x58\x04\x87\x25\x6a\x27" ++ "\x1d\xa4\x3d\x20\x75\x72\x01\x09\x71\xe5\x1c\x9e\xc3\x2e\x36\xf3" ++ "\xd0\xc6\x35\x2a\x43\x4d\x2d\x0e\x2d\xb4\xa1\x49\xce\x65\x1e\x52" ++ "\x9e\xa1\xf6\x09\xcc\xdc\x63\x66\xa8\x01\xe9\x3b\x0d\xd7\x5a\x85" ++ "\xbb\xc5\x65\xc0\x7b\x2e\x46\xa9\xd9\x56\x1d\x4c\x92\x72\x26\x4e" ++ "\x86\xd5\x68\xae\xc4\xaa\x55\xce\xd7\x83\x59\xb3\x81\xee\xce\x74" ++ "\x39\x39\x31\x9f\x8a\x25\xe8\xa5\xa5\xe5\x81\xf2\x11\x23\xcb\xa1" ++ "\x1e\x43\x12\xe3\xb1\x2a\x2b\xcd\xc8\x8d\x25\x96\xa4\x47\x7d\x95" ++ "\xa5\xc6\x9f\x61\xe4\x25\xc6\x5e\x69\xc4\xe7\x29\x5b\x6e\xb6\xa4" ++ "\xad\x0b\x4e\x72\x95\x25\x58\x56\x33\x9c\x67\xce\xef\x0f\x17\xbf" ++ "\x4c\x7b\x2d\xe6\xfe\x76\x35\x27\x5a\x07\x97\x67\xe8\xae\x8d\x71" ++ "\x0f\xb2\x13\x99\xb9\xbc\x14\xad\xb3\xb7\xe6\x11\x6f\xe0\xda\x58" ++ "\xb1\x08\xac\xa6\x6c\x2d\x7f\x05\xb7\x56\xd2\xe6\xcf\xbb\x4d\x0c" ++ "\xe3\x50\xb2\xec\x91\xf0\x4a\xb8\xd6\x22\xb8\xa7\xf6\x67\xaf\xcf" ++ "\x63\x7e\xd7\xe7\x42\xd8\xbd\xc3\x71\xa1\xf2\x7e\x9b\xa8\x97\x83" ++ "\x6e\xd1\xdc\x4b\x06\x11\x2d\xae\x26\x61\x98\x72\x10\xf4\x42\x5d" ++ "\x20\x4a\xa3\x73\xd7\xf2\xcd\x3c\x48\x32\xe4\x03\x9f\x80\x37\x08" ++ "\x36\x11\xd0\xcb\x97\x6c\x08\xed\x6d\x33\x24\xa2\x1b\xb4\x77\xdf" ++ "\x61\x5d\x5f\xc1\x43\xc2\x82\xeb\x0f\x5d\x84\x08\x68\xaa\xa4\x01" ++ "\xe1\x19\xdf\xbc\x31\x65\xfe\xd1\xf5\x7d\x7a\xb2\x2a\x33\x50\x21" ++ "\x2a\x56\x9d\xb1\x81\xab\xdb\x35\x78\x30\x83\xd9\x89\x1d\x31\xac" ++ "\x96\x14\x07\x61\xbc\x20\x68\x42\x85\x33\x19\xac\xbe\xdb\x34\x56" ++ "\xf1\xd5\xfd\x29\xa9\x28\xdb\xcb\x4c\x5a\x23\xdc\xf5\x96\xc5\x10" ++ "\xa3\x35\x5b\x14\x68\xd3\x61\x62\x64\x76\x26\xcb\x17\x3e\x34\x98" ++ "\x04\xa3\xc4\x20\x38\x90\x92\xe3\xc8\x07\x2c\x36\x74\x66\x26\x0e" ++ "\x29\x02\x64\x29\x2d\x21\xe6\x16\x9c\x6b\xce\xa3\x89\xd9\x4f\xd3" ++ "\xc4\xbd\xc5\x87\x79\x9c\x65\xf6\x39\x45\x60\xe8\xce\x9e\xab\x6d" ++ "\x13\x15\x22\xe1\x5e\x4b\x38\x42\xc4\x1e\xd5\x76\xe0\xc5\xeb\x85" ++ "\x07\x2d\x0f\xb8\xb6\xa6\xd6\x6d\x71\x0d\xa2\x43\x4c\x25\xea\xfa" ++ "\xa1\xae\x4c\xe4\x7d\xbd\x76\xa9\xfb\x06\xc2\x83\x42\xeb\xad\xe7" ++ "\xe9\x5f\x68\x6f\xba\xfb\x2f\x07\xce\xb8\x13\xc1\x9b\xeb\xb0\x76" ++ "\x45\x57\x28\x7b\xea\xbe\x0f\xf4\x30\x7b\xa0\xed\xe4\x22\x93\x21" ++ "\xfc\xbc\xe0\xb9\x75\xc1\x4f\xfc\xef\xb6\xfa\xa1\xfc\x64\xa1\x4a" ++ "\x82\xc7\x33\xad\x75\xed\x82\xbd\x3d\xdb\xf7\xa8\xbe\x5e\xbb\x36" ++ "\x62\x04\x9a\x2e\xc5\xd9\x9e\x9c\x3a\x0b\x98\x0b\x57\xac\xf1\x24" ++ "\x62\x58\x83\x15\x5b\xa6\xf2\xda\x34\x70\x03\xce\x0f\x93\x1b\x12" ++ "\xc7\xce\x54\x87\x33\x15\xd6\x53\x25\x1f\x2a\x90\x87\x12\xe3\x78" ++ "\xef\x55\x77\x4d\x4a\xd8\x7e\xef\xd2\xfd\xd1\xaf\x3a\xaf\x55\xdb" ++ "\x6a\x2d\x3d\x42\xac\x51\x79\xee\x91\xab\xe1\x05\x2d\x3c\x80\xa2" ++ "\x43\xad\x22\x2e\xd5\x33\x13\xa4\x9e\x00\xe0\x04\x10\x84\xc8\xf2" ++ "\x19\x30\x92\x1f\xaa\xc3\x28\xc9\x76\x30\x3f\xe9\x10\x61\x5e\x79" ++ "\xd5\xf7\xdf\xd0\x54\xdb\xae\xb6\xae\xfa\xe8\xa3\x57\xe0\x6c\x2d" ++ "\xf7\xbd\x49\xd6\x6e\x76\x79\xcc\x54\x0c\x5f\xff\x00\xbb\x06\x98" ++ "\xa6\x9e\x89\x61\xb4\x6f\xc3\xe3\x6a\xc2\x4f\x59\x03\xc9\x80\x2c" ++ "\x59\x24\x44\x70\x38\xd5\x96\x6a\x9e\x8b\x81\x64\xe5\xbc\xa0\x3c" ++ "\x33\xaf\x17\x9d\xff\x00\x71\x1a\xd1\x3a\x80\x66\xb3\xd9\x31\x77" ++ "\x0d\x12\xbd\xae\x29\xb5\x6a\xd6\xcf\x8d\x68\x87\x75\xcd\xe8\x65" ++ "\x5a\xbe\x3c\x04\x7b\x34\xdb\x54\x19\xa4\x63\x9c\x2a\x5d\x23\xbe" ++ "\xf4\xb1\x1c\x4d\x90\xec\x92\x2f\x49\x71\xf7\x14\xf2\x97\x9f\x15" ++ "\x57\xed\x13\x21\x2a\xf5\x33\xd1\x2a\x52\x52\xac\xb7\x62\xd1\xcb" ++ "\x46\x73\x8c\x67\x28\x56\x77\x86\xbf\x6f\x2a\x4e\x73\xfe\x95\x65" ++ "\x0b\x5a\x3e\x38\xfc\xfc\xaa\x56\x3f\x86\x73\xe3\xb9\x4a\x52\x84" ++ "\xa5\x08\x4e\x12\x94\x27\x09\x4a\x53\x8c\x61\x29\x4a\x71\xf0\x4a" ++ "\x53\x8c\x7e\x31\x8c\x63\x18\xc6\x31\x8f\xc6\x31\xf8\xc7\x9f\x7c" ++ "\xd5\xbb\xae\x5e\xe2\x1f\xab\x6e\x24\x34\x00\x8a\x25\x83\x70\x40" ++ "\x1c\xcc\xda\x45\x7f\x66\x4e\x30\x2e\x94\x7e\x74\x49\xf0\xe4\x4e" ++ "\x06\x5c\xa8\x2f\x89\x21\x2e\x98\x0e\xd9\x21\xc2\x0b\x21\x0f\xc4" ++ "\x16\x6e\x48\xd9\xe4\xe3\x4a\x19\x1e\x64\x67\x54\xff\x00\x3a\x6d" ++ "\x4f\x62\xb5\x00\x4a\xaa\x51\xfd\x2d\xe8\x0e\x6c\xaf\xc6\x7d\x6d" ++ "\xc8\x88\xc7\x67\xea\x8a\x58\x02\x73\xe3\x65\x4d\xc9\x24\xc0\x3d" ++ "\x57\xa3\x2e\x53\x16\x99\x4f\xe5\xe7\x19\x97\x3e\x3b\xcf\xc9\x4b" ++ "\x99\x7f\x33\x25\xa5\xdf\xba\x77\x2b\xd3\x3e\xc2\x7b\x8b\x94\x07" ++ "\xe9\x52\x5b\x43\x87\x34\x14\x86\x37\xcf\x41\x6b\x8e\x6a\xa5\x22" ++ "\xab\xdb\x96\xa2\xcf\x46\xd8\x9b\x45\x93\xef\xd6\xdf\x3e\x99\x9c" ++ "\x7e\x29\x10\x6b\x6c\xa2\xb8\x43\x05\x09\x44\x70\x8c\xb8\xaa\x54" ++ "\x7c\x30\x36\x5e\x1c\x5e\x5b\x9f\x6c\x0d\x81\xee\xa0\x93\x8d\x67" ++ "\x55\xf3\x87\xaf\xaa\x6b\x58\xf9\xbe\xb2\x36\x07\x42\x6e\xbd\x96" ++ "\xe3\x9f\x1f\x8f\xc9\xf4\x9d\xae\x6a\x7d\x4c\x96\xbe\x5f\xc7\xcd" ++ "\xf3\xb2\xf7\xcd\xf0\xcf\xc3\xe4\xf8\xfe\x37\x4f\x1c\x4d\xf6\x40" ++ "\xf1\x6b\x7c\x4e\xe0\xa6\x71\xad\x56\xa7\x1c\x5c\x15\x6b\xfc\xf3" ++ "\x01\x5d\xac\xf1\x75\x9a\x72\x6b\xaa\x28\xc5\x88\x6d\xfb\x33\x85" ++ "\xe0\x4e\x61\xab\xeb\x31\x2c\x71\x08\x73\x11\x3b\xfc\xb5\xc0\x96" ++ "\xcc\x87\x24\x44\xb5\x9b\x9e\xb3\x71\xba\xe9\xed\xb1\x4e\xd7\x76" ++ "\x6c\xd2\xb6\x05\xb7\x5a\xde\xeb\x34\x5b\x96\x16\xfb\x59\xa9\x5c" ++ "\x4f\x55\xca\x8a\xac\x59\xb0\xe4\x54\x39\x25\xbc\x81\x37\x2a\x09" ++ "\x5f\x9e\x3b\x6b\x7d\x1f\x69\xf3\x34\x85\x39\x84\xa7\x28\x0b\xd3" ++ "\xfd\xfb\x4b\x7a\xea\xe7\xd2\x3c\xd3\xda\x15\x68\xbc\x73\xd3\x22" ++ "\x6f\xd7\x72\x5b\x2b\x66\xee\xa8\x0d\x54\xe8\x5b\xf9\x92\x96\x92" ++ "\x93\xea\x97\x4a\xc7\x43\x10\x46\x35\xc5\xc0\x60\x8a\xe4\xc1\xb5" ++ "\x36\xc6\xae\xed\xf7\x70\xa5\x86\x99\x3d\x91\xf8\xfd\x4e\x53\xeb" ++ "\xbb\xbd\x6d\xec\x8f\xd7\x89\x3d\x31\x7f\xd7\x78\xba\x50\xbb\x74" ++ "\x9d\xf6\xac\x4e\xb9\x03\x9c\x79\xd5\xe1\xbd\x17\x68\xd9\x13\x0b" ++ "\x45\x75\x88\x00\x1d\x1f\xae\x73\x6a\x1d\x5c\x6e\x44\x9f\xa6\xfa" ++ "\x4e\xd8\x25\x8b\xc0\xbc\xb2\x99\xe3\x17\x24\xb3\x23\xe2\x48\x8b" ++ "\xfa\x22\xe7\x7e\x8f\xe6\x3f\x5f\x55\x0d\x75\xd3\x51\x0b\xd7\xed" ++ "\xd3\x6f\x97\x3b\x85\x42\x80\x7e\x5f\xdc\x1b\xd6\xba\xee\xc4\x80" ++ "\xce\x06\xa9\x15\x8c\x97\x5f\x40\x69\xb2\x4d\xc5\xb2\x5c\x1e\x01" ++ "\x87\x7e\xe0\x36\x6d\x78\x80\x4e\x3c\x02\xec\x90\x1d\x11\x81\x74" ++ "\xa5\x8b\xa4\xa0\x56\x06\xd5\x79\x72\x85\x57\x3b\xb2\x2e\xae\x90" ++ "\x18\x8d\x91\xb2\x0e\x44\x19\xaa\xb4\xcc\x08\xed\x46\xfa\xd7\x2b" ++ "\x78\x58\x72\x5d\xbb\x5e\x49\xe7\xee\xf3\x8a\x9d\x22\xa4\x19\xc8" ++ "\xe7\x08\xc3\x90\x9b\x35\x9a\xa4\x25\x8c\x4b\x9b\xa7\xf8\xbf\x81" ++ "\xf5\xdf\x22\x66\xf1\x7e\x9f\x66\x3d\xbb\xfa\x73\x73\x4d\xfd\x67" ++ "\x7b\xf4\xce\xc3\x62\x2e\x6f\xbb\x0c\xa2\xdc\x69\xfc\x8a\x17\x0e" ++ "\x3a\x9e\x83\x46\xd7\xe3\x5e\x65\x86\xc0\x51\x00\xbb\x91\xe3\xe1" ++ "\xc1\x16\xc4\xe9\x65\x5c\x14\x3e\x44\x6a\x6b\xd1\x1e\xb0\x36\xdd" ++ "\x0b\x7d\x8a\xeb\xaf\x58\x5b\x64\x3f\x38\xed\x52\x76\xe8\x46\xf7" ++ "\x86\x84\xb3\x93\xb1\x0b\xe5\xfd\xfd\x0d\xe9\x6d\xe4\xf1\x1b\x1d" ++ "\x56\xb4\x34\xe4\x6a\xf5\xa4\x9c\x2c\xc9\x64\x94\xc1\xf5\x79\x6d" ++ "\x12\x96\xf3\x47\xc5\x48\xa8\xdb\xd8\x95\x64\x29\xcf\xf6\x88\xf1" ++ "\x95\x7a\x98\xe8\xbc\x27\x19\xce\x73\x61\xd1\xb8\xc6\x31\x8c\xe7" ++ "\x39\xce\x77\x9e\xbc\xc6\x31\x8c\x63\xf3\x9c\xe7\x39\xc6\x31\x8f" ++ "\xf7\xce\x7e\x1e\x3b\x7f\x0f\x0f\x0f\x13\x57\xb9\x0a\xe1\x0b\x64" ++ "\x5f\x58\x40\xc6\xc7\x7a\x4b\xf2\x3d\xbc\x71\xf4\xa7\xd2\xca\x14" ++ "\xe2\x98\x1a\x30\x1e\xe0\x26\x5a\x6a\xf0\x9c\x67\x38\x66\x00\xb8" ++ "\x72\xe6\xbe\xac\xfe\x12\xd3\x0b\x56\x73\x8c\x63\xc7\x2b\xe1\xe2" ++ "\xe8\xdd\x7b\xff\x00\xd8\xe5\x23\x6c\xce\xa8\x69\xcf\x5e\x3a\xef" ++ "\x77\xea\xe5\xab\x0e\x82\xdb\xd9\xed\x7a\x9e\xb8\x6d\x51\x32\xdb" ++ "\x79\xc3\x36\x9a\x2d\xa3\x50\x39\x65\x0a\x63\x0e\xe5\xd4\x39\x12" ++ "\xbf\x8b\x98\xa4\xa1\x2d\xad\xb3\xcf\x65\x6a\x43\x78\xb3\x3b\x07" ++ "\xd8\xd5\xea\xae\x76\xad\x6f\xf5\xff\x00\xca\x93\xab\x96\xb0\x64" ++ "\xeb\xd6\x4a\xd5\x87\xba\xec\x24\x60\x97\x06\x76\x03\xe3\x4c\x07" ++ "\x29\x11\x8e\x34\x25\x02\x64\x29\xf0\x25\x48\x85\x3a\x33\x8b\x7a" ++ "\x3c\x86\x1e\x75\xa5\x61\xc6\x97\x9f\x8d\x25\xf5\xc9\xcd\xde\xc9" ++ "\x7d\x77\xf2\xc8\x7e\x70\xaf\x73\x5f\x2d\xec\xa2\x51\x2d\x96\xfb" ++ "\x89\xad\x80\x57\xb2\x36\x1d\x7d\x83\x45\xac\xf3\xdb\xcc\x6c\x31" ++ "\x4f\xcf\x30\x58\xd0\x12\x28\x90\x50\x42\x86\xfb\x48\x16\x3c\xc5" ++ "\x9c\xf8\xe7\xcc\x29\x88\xb3\x4a\x4b\x4e\x6c\xbc\xdb\xc7\xbb\xe9" ++ "\xb6\xa0\x8b\x11\xa1\x7d\x73\xd7\xe9\xbf\x7e\xc2\x6c\x10\x8d\xee" ++ "\x9d\xef\x63\x3a\xe0\xf5\xbe\x8c\x3e\xa1\xc7\xc5\xd1\x00\x44\x1e" ++ "\xf3\x51\xf2\xe2\xb0\xe3\xb5\x13\x7f\x32\xf1\x8c\xa6\x22\xfe\x1f" ++ "\x49\x4d\xbb\xcf\x3a\x5d\xed\x4c\xd2\xfc\x85\xed\x23\xd6\xc7\x50" ++ "\xb6\x5b\x3a\x16\x83\xb8\x6f\xfd\x32\x3f\xaa\x36\x34\xbb\xf5\x96" ++ "\xa9\xab\xcf\x9f\x8f\xac\xc3\xca\xd5\x8b\xd8\x48\x9e\x79\xaa\x30" ++ "\x87\xca\x58\x4d\x59\x96\xb9\x4f\xc5\x1b\x1c\xd2\xda\x5b\xe6\x57" ++ "\x29\xa1\x28\x7a\x2b\x5b\xff\x00\x12\x2f\x5e\x3f\xf3\xbb\x8e\x7f" ++ "\xec\xc6\x98\xff\x00\xed\x3c\xa6\xdd\xa9\xdc\x7e\xa0\xf7\xd6\x99" ++ "\x31\xa2\xf7\xaf\x6b\xe9\x82\x74\x4b\x3d\x8f\x5e\x58\x0b\x33\xab" ++ "\xef\xc3\xaf\x84\x64\xb9\xae\xb6\x25\x5f\x62\x8f\x1c\xe3\xf4\x51" ++ "\xb7\x96\xe3\x0e\x30\x42\xa9\x18\x39\xbf\x9e\x2a\x1f\x74\x19\x02" ++ "\x2d\x43\x93\x06\x63\xb1\xa7\x47\x6a\xfa\x9b\x6c\xeb\xbd\xe9\xae" ++ "\x6a\x7b\x6f\x53\x5a\x60\x5d\xb5\xcd\xe8\x67\xeb\x35\x3b\x48\xc6" ++ "\xa6\xb3\x04\xc8\xdf\xb8\x7e\x26\x64\xb0\xc9\x18\xb0\xa7\x33\xf2" ++ "\x4a\x8b\x22\x3b\x8d\x4b\x89\x1d\xf6\x9d\x65\xc4\x38\xd2\x54\x9c" ++ "\xe3\xcd\x89\xe1\xe1\xe6\x3e\x70\x81\x45\x1d\x18\xf9\x31\x83\xc8" ++ "\xbe\x14\x82\x4b\x87\x7a\x74\x28\xd2\xdd\x12\x55\x30\xe6\x0e\x49" ++ "\x31\x8e\x48\x69\xc5\xc0\x20\x91\xe4\x48\x41\x4c\xd8\xb9\x6a\x4e" ++ "\x21\xce\x99\x1b\x0e\xfd\x09\x4f\xa1\x79\x0f\x0f\x0f\x0f\x0f\x0f" ++ "\x0f\x3f\x3c\xb8\x71\x27\xc7\x72\x24\xe8\xb1\xa6\xc5\x7b\x18\xc3" ++ "\xb1\xa5\xb0\xd4\x98\xee\xe3\x19\xc6\x71\x87\x19\x79\x2b\x6d\x78" ++ "\xc6\x71\x8c\xe3\x0a\x4e\x71\x8c\xe3\x19\xfe\x38\xf2\x3b\xfb\x8b" ++ "\x48\xfe\x4e\xaa\xff\x00\x4f\x08\xff\x00\xc7\xe1\xfb\x8b\x48\xfe" ++ "\x4e\xaa\xff\x00\x4f\x08\xff\x00\xc7\xe4\x95\x86\x18\x8a\xcb\x31" ++ "\xa3\x32\xd4\x78\xf1\xdb\x43\x2c\x47\x61\xb4\x32\xcb\x2c\xb4\x9c" ++ "\x21\xb6\x99\x69\xbc\x25\xb6\xdb\x6d\x18\xc2\x10\xda\x12\x94\xa1" ++ "\x38\xc2\x53\x8c\x63\x18\xc7\x9d\xbe\x7f\xff\xd9" ++ ; +Index: php5-5.2.4/main/suhosin_patch.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/main/suhosin_patch.c 2007-09-16 14:45:15.000000000 +0200 +@@ -0,0 +1,380 @@ ++/* ++ +----------------------------------------------------------------------+ ++ | Suhosin Patch for PHP | ++ +----------------------------------------------------------------------+ ++ | Copyright (c) 2004-2006 Stefan Esser | ++ +----------------------------------------------------------------------+ ++ | This source file is subject to version 2.02 of the PHP license, | ++ | that is bundled with this package in the file LICENSE, and is | ++ | available at through the world-wide-web at | ++ | http://www.php.net/license/2_02.txt. | ++ | If you did not receive a copy of the PHP license and are unable to | ++ | obtain it through the world-wide-web, please send a note to | ++ | license@php.net so we can mail you a copy immediately. | ++ +----------------------------------------------------------------------+ ++ | Author: Stefan Esser | ++ +----------------------------------------------------------------------+ ++ */ ++/* $Id: suhosin_patch.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */ ++ ++#include "php.h" ++ ++#include ++#include ++ ++#if HAVE_UNISTD_H ++#include ++#endif ++#include "SAPI.h" ++#include "php_globals.h" ++ ++#if SUHOSIN_PATCH ++ ++#ifdef HAVE_SYS_SOCKET_H ++#include ++#endif ++ ++#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE) ++#undef AF_UNIX ++#endif ++ ++#if defined(AF_UNIX) ++#include ++#endif ++ ++#define SYSLOG_PATH "/dev/log" ++ ++#ifdef PHP_WIN32 ++static HANDLE log_source = 0; ++#endif ++ ++#include "snprintf.h" ++ ++#include "suhosin_patch.h" ++ ++#ifdef ZTS ++#include "suhosin_globals.h" ++int suhosin_patch_globals_id; ++#else ++struct _suhosin_patch_globals suhosin_patch_globals; ++#endif ++ ++static void php_security_log(int loglevel, char *fmt, ...); ++ ++static void suhosin_patch_globals_ctor(suhosin_patch_globals_struct *suhosin_patch_globals TSRMLS_DC) ++{ ++ memset(suhosin_patch_globals, 0, sizeof(*suhosin_patch_globals)); ++} ++ ++PHPAPI void suhosin_startup() ++{ ++#ifdef ZTS ++ ts_allocate_id(&suhosin_patch_globals_id, sizeof(suhosin_patch_globals_struct), (ts_allocate_ctor) suhosin_patch_globals_ctor, NULL); ++#else ++ suhosin_patch_globals_ctor(&suhosin_patch_globals TSRMLS_CC); ++#endif ++ zend_suhosin_log = php_security_log; ++} ++ ++/*PHPAPI void suhosin_clear_mm_canaries(TSRMLS_D) ++{ ++ zend_alloc_clear_mm_canaries(AG(heap)); ++ SPG(canary_1) = zend_canary(); ++ SPG(canary_2) = zend_canary(); ++ SPG(canary_3) = zend_canary(); ++}*/ ++ ++static char *loglevel2string(int loglevel) ++{ ++ switch (loglevel) { ++ case S_FILES: ++ return "FILES"; ++ case S_INCLUDE: ++ return "INCLUDE"; ++ case S_MEMORY: ++ return "MEMORY"; ++ case S_MISC: ++ return "MISC"; ++ case S_SESSION: ++ return "SESSION"; ++ case S_SQL: ++ return "SQL"; ++ case S_EXECUTOR: ++ return "EXECUTOR"; ++ case S_VARS: ++ return "VARS"; ++ default: ++ return "UNKNOWN"; ++ } ++} ++ ++static void php_security_log(int loglevel, char *fmt, ...) ++{ ++ int s, r, i=0; ++#if defined(AF_UNIX) ++ struct sockaddr_un saun; ++#endif ++#ifdef PHP_WIN32 ++ LPTSTR strs[2]; ++ unsigned short etype; ++ DWORD evid; ++#endif ++ char buf[4096+64]; ++ char error[4096+100]; ++ char *ip_address; ++ char *fname; ++ char *alertstring; ++ int lineno; ++ va_list ap; ++ TSRMLS_FETCH(); ++ ++ /*SDEBUG("(suhosin_log) loglevel: %d log_syslog: %u - log_sapi: %u - log_script: %u", loglevel, SPG(log_syslog), SPG(log_sapi), SPG(log_script));*/ ++ ++ if (SPG(log_use_x_forwarded_for)) { ++ ip_address = sapi_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC); ++ if (ip_address == NULL) { ++ ip_address = "X-FORWARDED-FOR not set"; ++ } ++ } else { ++ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC); ++ if (ip_address == NULL) { ++ ip_address = "REMOTE_ADDR not set"; ++ } ++ } ++ ++ ++ va_start(ap, fmt); ++ ap_php_vsnprintf(error, sizeof(error), fmt, ap); ++ va_end(ap); ++ while (error[i]) { ++ if (error[i] < 32) error[i] = '.'; ++ i++; ++ } ++ ++/* if (SPG(simulation)) { ++ alertstring = "ALERT-SIMULATION"; ++ } else { */ ++ alertstring = "ALERT"; ++/* }*/ ++ ++ if (zend_is_executing(TSRMLS_C)) { ++ if (EG(current_execute_data)) { ++ lineno = EG(current_execute_data)->opline->lineno; ++ fname = EG(current_execute_data)->op_array->filename; ++ } else { ++ lineno = zend_get_executed_lineno(TSRMLS_C); ++ fname = zend_get_executed_filename(TSRMLS_C); ++ } ++ ap_php_snprintf(buf, sizeof(buf), "%s - %s (attacker '%s', file '%s', line %u)", alertstring, error, ip_address, fname, lineno); ++ } else { ++ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC); ++ if (fname==NULL) { ++ fname = "unknown"; ++ } ++ ap_php_snprintf(buf, sizeof(buf), "%s - %s (attacker '%s', file '%s')", alertstring, error, ip_address, fname); ++ } ++ ++ /* Syslog-Logging disabled? */ ++ if (((SPG(log_syslog)|S_INTERNAL) & loglevel)==0) { ++ goto log_sapi; ++ } ++ ++#if defined(AF_UNIX) ++ ap_php_snprintf(error, sizeof(error), "<%u>suhosin[%u]: %s\n", (unsigned int)(SPG(log_syslog_facility)|SPG(log_syslog_priority)),getpid(),buf); ++ ++ s = socket(AF_UNIX, SOCK_DGRAM, 0); ++ if (s == -1) { ++ goto log_sapi; ++ } ++ ++ memset(&saun, 0, sizeof(saun)); ++ saun.sun_family = AF_UNIX; ++ strcpy(saun.sun_path, SYSLOG_PATH); ++ /*saun.sun_len = sizeof(saun);*/ ++ ++ r = connect(s, (struct sockaddr *)&saun, sizeof(saun)); ++ if (r) { ++ close(s); ++ s = socket(AF_UNIX, SOCK_STREAM, 0); ++ if (s == -1) { ++ goto log_sapi; ++ } ++ ++ memset(&saun, 0, sizeof(saun)); ++ saun.sun_family = AF_UNIX; ++ strcpy(saun.sun_path, SYSLOG_PATH); ++ /*saun.sun_len = sizeof(saun);*/ ++ ++ r = connect(s, (struct sockaddr *)&saun, sizeof(saun)); ++ if (r) { ++ close(s); ++ goto log_sapi; ++ } ++ } ++ send(s, error, strlen(error), 0); ++ ++ close(s); ++#endif ++#ifdef PHP_WIN32 ++ ap_php_snprintf(error, sizeof(error), "suhosin[%u]: %s", getpid(),buf); ++ ++ switch (SPG(log_syslog_priority)) { /* translate UNIX type into NT type */ ++ case 1: /*LOG_ALERT:*/ ++ etype = EVENTLOG_ERROR_TYPE; ++ break; ++ case 6: /*LOG_INFO:*/ ++ etype = EVENTLOG_INFORMATION_TYPE; ++ break; ++ default: ++ etype = EVENTLOG_WARNING_TYPE; ++ } ++ evid = loglevel; ++ strs[0] = error; ++ /* report the event */ ++ if (log_source == NULL) { ++ log_source = RegisterEventSource(NULL, "Suhosin-Patch-" SUHOSIN_PATCH_VERSION); ++ } ++ ReportEvent(log_source, etype, (unsigned short) SPG(log_syslog_priority), evid, NULL, 1, 0, strs, NULL); ++ ++#endif ++log_sapi: ++ /* SAPI Logging activated? */ ++ /*SDEBUG("(suhosin_log) log_syslog: %u - log_sapi: %u - log_script: %u - log_phpscript: %u", SPG(log_syslog), SPG(log_sapi), SPG(log_script), SPG(log_phpscript));*/ ++ if (((SPG(log_sapi)|S_INTERNAL) & loglevel)!=0) { ++ sapi_module.log_message(buf); ++ } ++ ++/*log_script:*/ ++ /* script logging activaed? */ ++ if (((SPG(log_script) & loglevel)!=0) && SPG(log_scriptname)!=NULL) { ++ char cmd[8192], *cmdpos, *bufpos; ++ FILE *in; ++ int space; ++ ++ ap_php_snprintf(cmd, sizeof(cmd), "%s %s \'", SPG(log_scriptname), loglevel2string(loglevel)); ++ space = sizeof(cmd) - strlen(cmd); ++ cmdpos = cmd + strlen(cmd); ++ bufpos = buf; ++ if (space <= 1) return; ++ while (space > 2 && *bufpos) { ++ if (*bufpos == '\'') { ++ if (space<=5) break; ++ *cmdpos++ = '\''; ++ *cmdpos++ = '\\'; ++ *cmdpos++ = '\''; ++ *cmdpos++ = '\''; ++ bufpos++; ++ space-=4; ++ } else { ++ *cmdpos++ = *bufpos++; ++ space--; ++ } ++ } ++ *cmdpos++ = '\''; ++ *cmdpos = 0; ++ ++ if ((in=VCWD_POPEN(cmd, "r"))==NULL) { ++ php_security_log(S_INTERNAL, "Unable to execute logging shell script: %s", SPG(log_scriptname)); ++ return; ++ } ++ /* read and forget the result */ ++ while (1) { ++ int readbytes = fread(cmd, 1, sizeof(cmd), in); ++ if (readbytes<=0) { ++ break; ++ } ++ } ++ pclose(in); ++ } ++/*log_phpscript:*/ ++ if ((SPG(log_phpscript) & loglevel)!=0 && EG(in_execution) && SPG(log_phpscriptname) && SPG(log_phpscriptname)[0]) { ++ zend_file_handle file_handle; ++ zend_op_array *new_op_array; ++ zval *result = NULL; ++ ++ /*long orig_execution_depth = SPG(execution_depth);*/ ++ zend_bool orig_safe_mode = PG(safe_mode); ++ char *orig_basedir = PG(open_basedir); ++ ++ char *phpscript = SPG(log_phpscriptname); ++/*SDEBUG("scriptname %s", SPG(log_phpscriptname));`*/ ++#ifdef ZEND_ENGINE_2 ++ if (zend_stream_open(phpscript, &file_handle TSRMLS_CC) == SUCCESS) { ++#else ++ if (zend_open(phpscript, &file_handle) == SUCCESS && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) { ++ file_handle.filename = phpscript; ++ file_handle.free_filename = 0; ++#endif ++ if (!file_handle.opened_path) { ++ file_handle.opened_path = estrndup(phpscript, strlen(phpscript)); ++ } ++ new_op_array = zend_compile_file(&file_handle, ZEND_REQUIRE TSRMLS_CC); ++ zend_destroy_file_handle(&file_handle TSRMLS_CC); ++ if (new_op_array) { ++ HashTable *active_symbol_table = EG(active_symbol_table); ++ zval *zerror, *zerror_class; ++ ++ if (active_symbol_table == NULL) { ++ active_symbol_table = &EG(symbol_table); ++ } ++ EG(return_value_ptr_ptr) = &result; ++ EG(active_op_array) = new_op_array; ++ ++ MAKE_STD_ZVAL(zerror); ++ MAKE_STD_ZVAL(zerror_class); ++ ZVAL_STRING(zerror, buf, 1); ++ ZVAL_LONG(zerror_class, loglevel); ++ ++ zend_hash_update(active_symbol_table, "SUHOSIN_ERROR", sizeof("SUHOSIN_ERROR"), (void **)&zerror, sizeof(zval *), NULL); ++ zend_hash_update(active_symbol_table, "SUHOSIN_ERRORCLASS", sizeof("SUHOSIN_ERRORCLASS"), (void **)&zerror_class, sizeof(zval *), NULL); ++ ++ /*SPG(execution_depth) = 0;*/ ++ if (SPG(log_phpscript_is_safe)) { ++ PG(safe_mode) = 0; ++ PG(open_basedir) = NULL; ++ } ++ ++ zend_execute(new_op_array TSRMLS_CC); ++ ++ /*SPG(execution_depth) = orig_execution_depth;*/ ++ PG(safe_mode) = orig_safe_mode; ++ PG(open_basedir) = orig_basedir; ++ ++#ifdef ZEND_ENGINE_2 ++ destroy_op_array(new_op_array TSRMLS_CC); ++#else ++ destroy_op_array(new_op_array); ++#endif ++ efree(new_op_array); ++#ifdef ZEND_ENGINE_2 ++ if (!EG(exception)) ++#endif ++ { ++ if (EG(return_value_ptr_ptr)) { ++ zval_ptr_dtor(EG(return_value_ptr_ptr)); ++ EG(return_value_ptr_ptr) = NULL; ++ } ++ } ++ } else { ++ php_security_log(S_INTERNAL, "Unable to execute logging PHP script: %s", SPG(log_phpscriptname)); ++ return; ++ } ++ } else { ++ php_security_log(S_INTERNAL, "Unable to execute logging PHP script: %s", SPG(log_phpscriptname)); ++ return; ++ } ++ } ++ ++} ++ ++ ++#endif ++ ++/* ++ * Local variables: ++ * tab-width: 4 ++ * c-basic-offset: 4 ++ * End: ++ * vim600: sw=4 ts=4 fdm=marker ++ * vim<600: sw=4 ts=4 ++ */ +Index: php5-5.2.4/main/suhosin_patch.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/main/suhosin_patch.h 2007-09-16 14:45:15.000000000 +0200 +@@ -0,0 +1,40 @@ ++/* ++ +----------------------------------------------------------------------+ ++ | Suhosin Patch for PHP | ++ +----------------------------------------------------------------------+ ++ | Copyright (c) 2004-2006 Stefan Esser | ++ +----------------------------------------------------------------------+ ++ | This source file is subject to version 2.02 of the PHP license, | ++ | that is bundled with this package in the file LICENSE, and is | ++ | available at through the world-wide-web at | ++ | http://www.php.net/license/2_02.txt. | ++ | If you did not receive a copy of the PHP license and are unable to | ++ | obtain it through the world-wide-web, please send a note to | ++ | license@php.net so we can mail you a copy immediately. | ++ +----------------------------------------------------------------------+ ++ | Author: Stefan Esser | ++ +----------------------------------------------------------------------+ ++ */ ++ ++#ifndef SUHOSIN_PATCH_H ++#define SUHOSIN_PATCH_H ++ ++#if SUHOSIN_PATCH ++ ++#include "zend.h" ++ ++PHPAPI void suhosin_startup(); ++#define SUHOSIN_PATCH_VERSION "0.9.6.2" ++ ++#define SUHOSIN_LOGO_GUID "SUHO8567F54-D428-14d2-A769-00DA302A5F18" ++ ++#endif ++ ++#endif /* SUHOSIN_PATCH_H */ ++ ++/* ++ * Local variables: ++ * tab-width: 4 ++ * c-basic-offset: 4 ++ * End: ++ */ +Index: php5-5.2.4/main/suhosin_patch.m4 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/main/suhosin_patch.m4 2007-09-16 14:45:15.000000000 +0200 +@@ -0,0 +1,8 @@ ++dnl ++dnl $Id: suhosin_patch.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $ ++dnl ++dnl This file contains Suhosin Patch for PHP specific autoconf functions. ++dnl ++ ++AC_DEFINE(SUHOSIN_PATCH, 1, [Suhosin Patch]) ++ +Index: php5-5.2.4/sapi/apache/mod_php5.c +=================================================================== +--- php5-5.2.4.orig/sapi/apache/mod_php5.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/sapi/apache/mod_php5.c 2007-09-16 14:45:15.000000000 +0200 +@@ -951,7 +951,11 @@ + { + TSRMLS_FETCH(); + if (PG(expose_php)) { ++#if SUHOSIN_PATCH ++ ap_add_version_component("PHP/" PHP_VERSION " with Suhosin-Patch"); ++#else + ap_add_version_component("PHP/" PHP_VERSION); ++#endif + } + } + #endif +Index: php5-5.2.4/sapi/apache2filter/sapi_apache2.c +=================================================================== +--- php5-5.2.4.orig/sapi/apache2filter/sapi_apache2.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/sapi/apache2filter/sapi_apache2.c 2007-09-16 14:45:15.000000000 +0200 +@@ -562,7 +562,11 @@ + { + TSRMLS_FETCH(); + if (PG(expose_php)) { ++#if SUHOSIN_PATCH ++ ap_add_version_component(p, "PHP/" PHP_VERSION " with Suhosin-Patch"); ++#else + ap_add_version_component(p, "PHP/" PHP_VERSION); ++#endif + } + } + +Index: php5-5.2.4/sapi/apache2handler/sapi_apache2.c +=================================================================== +--- php5-5.2.4.orig/sapi/apache2handler/sapi_apache2.c 2007-09-16 14:45:14.000000000 +0200 ++++ php5-5.2.4/sapi/apache2handler/sapi_apache2.c 2007-09-16 14:45:15.000000000 +0200 +@@ -372,7 +372,11 @@ + { + TSRMLS_FETCH(); + if (PG(expose_php)) { ++#if SUHOSIN_PATCH ++ ap_add_version_component(p, "PHP/" PHP_VERSION " with Suhosin-Patch"); ++#else + ap_add_version_component(p, "PHP/" PHP_VERSION); ++#endif + } + } + +Index: php5-5.2.4/sapi/cgi/cgi_main.c +=================================================================== +--- php5-5.2.4.orig/sapi/cgi/cgi_main.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/sapi/cgi/cgi_main.c 2007-09-16 14:45:15.000000000 +0200 +@@ -1595,11 +1595,19 @@ + SG(headers_sent) = 1; + SG(request_info).no_headers = 1; + } ++#if SUHOSIN_PATCH ++#if ZEND_DEBUG ++ php_printf("PHP %s with Suhosin-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2007 The PHP Group\n%s", PHP_VERSION, SUHOSIN_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); ++#else ++ php_printf("PHP %s with Suhosin-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2007 The PHP Group\n%s", PHP_VERSION, SUHOSIN_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); ++#endif ++#else + #if ZEND_DEBUG + php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2007 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + #else + php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2007 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + #endif ++#endif + php_end_ob_buffers(1 TSRMLS_CC); + exit(0); + break; +Index: php5-5.2.4/sapi/cli/php_cli.c +=================================================================== +--- php5-5.2.4.orig/sapi/cli/php_cli.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/sapi/cli/php_cli.c 2007-09-16 14:45:15.000000000 +0200 +@@ -779,8 +779,14 @@ + } + + request_started = 1; +- php_printf("PHP %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2007 The PHP Group\n%s", +- PHP_VERSION, sapi_module.name, __DATE__, __TIME__, ++#if SUHOSIN_PATCH ++ php_printf("PHP %s with Suhosin-Patch %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2007 The PHP Group\n%s", ++ PHP_VERSION, SUHOSIN_PATCH_VERSION, ++#else ++ php_printf("PHP %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2007 The PHP Group\n%s", ++ PHP_VERSION, ++#endif ++ sapi_module.name, __DATE__, __TIME__, + #if ZEND_DEBUG && defined(HAVE_GCOV) + "(DEBUG GCOV)", + #elif ZEND_DEBUG +Index: php5-5.2.4/TSRM/TSRM.h +=================================================================== +--- php5-5.2.4.orig/TSRM/TSRM.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/TSRM/TSRM.h 2007-09-16 14:45:15.000000000 +0200 +@@ -38,6 +38,13 @@ + typedef unsigned long tsrm_uintptr_t; + #endif + ++#if SUHOSIN_PATCH ++# if HAVE_REALPATH ++# undef realpath ++# define realpath php_realpath ++# endif ++#endif ++ + /* Only compile multi-threading functions if we're in ZTS mode */ + #ifdef ZTS + +@@ -93,6 +100,7 @@ + + #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts + ++ + #ifdef __cplusplus + extern "C" { + #endif +Index: php5-5.2.4/TSRM/tsrm_virtual_cwd.c +=================================================================== +--- php5-5.2.4.orig/TSRM/tsrm_virtual_cwd.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/TSRM/tsrm_virtual_cwd.c 2007-09-16 14:45:15.000000000 +0200 +@@ -273,6 +273,177 @@ + } + /* }}} */ + ++#if SUHOSIN_PATCH ++CWD_API char *php_realpath(const char *path, char *resolved) ++{ ++ struct stat sb; ++ char *p, *q, *s; ++ size_t left_len, resolved_len; ++ unsigned symlinks; ++ int serrno, slen; ++ int is_dir = 1; ++ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX]; ++ ++ serrno = errno; ++ symlinks = 0; ++ if (path[0] == '/') { ++ resolved[0] = '/'; ++ resolved[1] = '\0'; ++ if (path[1] == '\0') ++ return (resolved); ++ resolved_len = 1; ++ left_len = strlcpy(left, path + 1, sizeof(left)); ++ } else { ++ if (getcwd(resolved, PATH_MAX) == NULL) { ++ strlcpy(resolved, ".", PATH_MAX); ++ return (NULL); ++ } ++ resolved_len = strlen(resolved); ++ left_len = strlcpy(left, path, sizeof(left)); ++ } ++ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) { ++ errno = ENAMETOOLONG; ++ return (NULL); ++ } ++ ++ /* ++ * Iterate over path components in `left'. ++ */ ++ while (left_len != 0) { ++ /* ++ * Extract the next path component and adjust `left' ++ * and its length. ++ */ ++ p = strchr(left, '/'); ++ s = p ? p : left + left_len; ++ if (s - left >= sizeof(next_token)) { ++ errno = ENAMETOOLONG; ++ return (NULL); ++ } ++ memcpy(next_token, left, s - left); ++ next_token[s - left] = '\0'; ++ left_len -= s - left; ++ if (p != NULL) ++ memmove(left, s + 1, left_len + 1); ++ if (resolved[resolved_len - 1] != '/') { ++ if (resolved_len + 1 >= PATH_MAX) { ++ errno = ENAMETOOLONG; ++ return (NULL); ++ } ++ resolved[resolved_len++] = '/'; ++ resolved[resolved_len] = '\0'; ++ } ++ if (next_token[0] == '\0') ++ continue; ++ else if (strcmp(next_token, ".") == 0) ++ continue; ++ else if (strcmp(next_token, "..") == 0) { ++ /* ++ * Strip the last path component except when we have ++ * single "/" ++ */ ++ if (!is_dir) { ++ errno = ENOENT; ++ return (NULL); ++ } ++ if (resolved_len > 1) { ++ resolved[resolved_len - 1] = '\0'; ++ q = strrchr(resolved, '/'); ++ *q = '\0'; ++ resolved_len = q - resolved; ++ } ++ continue; ++ } ++ ++ /* ++ * Append the next path component and lstat() it. If ++ * lstat() fails we still can return successfully if ++ * there are no more path components left. ++ */ ++ resolved_len = strlcat(resolved, next_token, PATH_MAX); ++ if (resolved_len >= PATH_MAX) { ++ errno = ENAMETOOLONG; ++ return (NULL); ++ } ++ if (lstat(resolved, &sb) != 0) { ++ if (errno == ENOENT) { ++ if (p == NULL) { ++ errno = serrno; ++ return (resolved); ++ } else if (strstr(left, "/.") == NULL && strstr(left, "./") == NULL) { ++ resolved_len = strlcat(resolved, "/", PATH_MAX); ++ resolved_len = strlcat(resolved, left, PATH_MAX); ++ if (resolved_len >= PATH_MAX) { ++ errno = ENAMETOOLONG; ++ return (NULL); ++ } ++ errno = serrno; ++ return (resolved); ++ } ++ } ++ return (NULL); ++ } ++ if (S_ISLNK(sb.st_mode)) { ++ if (symlinks++ > MAXSYMLINKS) { ++ errno = ELOOP; ++ return (NULL); ++ } ++ slen = readlink(resolved, symlink, sizeof(symlink) - 1); ++ if (slen < 0) ++ return (NULL); ++ symlink[slen] = '\0'; ++ if (symlink[0] == '/') { ++ resolved[1] = 0; ++ resolved_len = 1; ++ } else if (resolved_len > 1) { ++ /* Strip the last path component. */ ++ resolved[resolved_len - 1] = '\0'; ++ q = strrchr(resolved, '/'); ++ *q = '\0'; ++ resolved_len = q - resolved; ++ } ++ ++ /* ++ * If there are any path components left, then ++ * append them to symlink. The result is placed ++ * in `left'. ++ */ ++ if (p != NULL) { ++ if (symlink[slen - 1] != '/') { ++ if (slen + 1 >= sizeof(symlink)) { ++ errno = ENAMETOOLONG; ++ return (NULL); ++ } ++ symlink[slen] = '/'; ++ symlink[slen + 1] = 0; ++ } ++ left_len = strlcat(symlink, left, sizeof(left)); ++ if (left_len >= sizeof(left)) { ++ errno = ENAMETOOLONG; ++ return (NULL); ++ } ++ } ++ left_len = strlcpy(left, symlink, sizeof(left)); ++ } else { ++ if (S_ISDIR(sb.st_mode)) { ++ is_dir = 1; ++ } else { ++ is_dir = 0; ++ } ++ } ++ } ++ ++ /* ++ * Remove trailing slash except when the resolved pathname ++ * is a single "/". ++ */ ++ if (resolved_len > 1 && resolved[resolved_len - 1] == '/') ++ resolved[resolved_len - 1] = '\0'; ++ return (resolved); ++} ++#endif ++ ++ + CWD_API void virtual_cwd_startup(void) /* {{{ */ + { + char cwd[MAXPATHLEN]; +Index: php5-5.2.4/TSRM/tsrm_virtual_cwd.h +=================================================================== +--- php5-5.2.4.orig/TSRM/tsrm_virtual_cwd.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/TSRM/tsrm_virtual_cwd.h 2007-09-16 14:45:15.000000000 +0200 +@@ -139,6 +139,22 @@ + + typedef int (*verify_path_func)(const cwd_state *); + ++#ifndef HAVE_STRLCPY ++CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz); ++#undef strlcpy ++#define strlcpy php_strlcpy ++#endif ++ ++#ifndef HAVE_STRLCAT ++CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz); ++#undef strlcat ++#define strlcat php_strlcat ++#endif ++ ++ ++#if SUHOSIN_PATCH ++CWD_API char *php_realpath(const char *path, char *resolved); ++#endif + CWD_API void virtual_cwd_startup(void); + CWD_API void virtual_cwd_shutdown(void); + CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC); +Index: php5-5.2.4/win32/build/config.w32 +=================================================================== +--- php5-5.2.4.orig/win32/build/config.w32 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/win32/build/config.w32 2007-09-16 14:45:15.000000000 +0200 +@@ -299,7 +299,7 @@ + zend_sprintf.c zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c \ + zend_stream.c zend_iterators.c zend_interfaces.c zend_objects.c \ + zend_object_handlers.c zend_objects_API.c \ +- zend_default_classes.c zend_execute.c zend_strtod.c"); ++ zend_default_classes.c zend_execute.c zend_strtod.c zend_canary.c"); + + ADD_SOURCES("main", "main.c snprintf.c spprintf.c safe_mode.c fopen_wrappers.c \ + php_scandir.c php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \ +@@ -344,6 +344,8 @@ + AC_DEFINE('HAVE_USLEEP', 1); + AC_DEFINE('HAVE_STRCOLL', 1); + ++AC_DEFINE('SUHOSIN_PATCH', 1); ++ + /* For snapshot builders, where can we find the additional + * files that make up the snapshot template? */ + ARG_WITH("snapshot-template", "Path to snapshot builder template dir", "no"); +Index: php5-5.2.4/Zend/Makefile.am +=================================================================== +--- php5-5.2.4.orig/Zend/Makefile.am 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/Makefile.am 2007-09-16 14:45:15.000000000 +0200 +@@ -17,7 +17,7 @@ + zend_objects_API.c zend_ts_hash.c zend_stream.c \ + zend_default_classes.c \ + zend_iterators.c zend_interfaces.c zend_exceptions.c \ +- zend_strtod.c zend_multibyte.c ++ zend_strtod.c zend_multibyte.c zend_canary.c + + libZend_la_LDFLAGS = + libZend_la_LIBADD = @ZEND_EXTRA_LIBS@ +Index: php5-5.2.4/Zend/zend_alloc.c +=================================================================== +--- php5-5.2.4.orig/Zend/zend_alloc.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_alloc.c 2007-09-16 14:45:15.000000000 +0200 +@@ -311,13 +311,26 @@ + #define MEM_BLOCK_GUARD 0x2A8FCC84 + #define MEM_BLOCK_LEAK 0x6C5E8F2D + ++#if SUHOSIN_PATCH ++# define CANARY_SIZE sizeof(size_t) ++#else ++# define CANARY_SIZE 0 ++#endif ++ + /* mm block type */ + typedef struct _zend_mm_block_info { + #if ZEND_MM_COOKIES + size_t _cookie; + #endif +- size_t _size; +- size_t _prev; ++#if SUHOSIN_PATCH ++ size_t canary_1; ++#endif ++ size_t _size; ++ size_t _prev; ++#if SUHOSIN_PATCH ++ size_t size; ++ size_t canary_2; ++#endif + } zend_mm_block_info; + + #if ZEND_DEBUG +@@ -422,6 +435,9 @@ + int miss; + } cache_stat[ZEND_MM_NUM_BUCKETS+1]; + #endif ++#if SUHOSIN_PATCH ++ size_t canary_1,canary_2,canary_3; ++#endif + }; + + #define ZEND_MM_SMALL_FREE_BUCKET(heap, index) \ +@@ -511,15 +527,15 @@ + #define ZEND_MM_ALIGNED_SIZE(size) ((size + ZEND_MM_ALIGNMENT - 1) & ZEND_MM_ALIGNMENT_MASK) + #define ZEND_MM_ALIGNED_HEADER_SIZE ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_block)) + #define ZEND_MM_ALIGNED_FREE_HEADER_SIZE ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_small_free_block)) +-#define ZEND_MM_MIN_ALLOC_BLOCK_SIZE ZEND_MM_ALIGNED_SIZE(ZEND_MM_ALIGNED_HEADER_SIZE + END_MAGIC_SIZE) ++#define ZEND_MM_MIN_ALLOC_BLOCK_SIZE ZEND_MM_ALIGNED_SIZE(ZEND_MM_ALIGNED_HEADER_SIZE + END_MAGIC_SIZE + CANARY_SIZE) + #define ZEND_MM_ALIGNED_MIN_HEADER_SIZE (ZEND_MM_MIN_ALLOC_BLOCK_SIZE>ZEND_MM_ALIGNED_FREE_HEADER_SIZE?ZEND_MM_MIN_ALLOC_BLOCK_SIZE:ZEND_MM_ALIGNED_FREE_HEADER_SIZE) + #define ZEND_MM_ALIGNED_SEGMENT_SIZE ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_segment)) + +-#define ZEND_MM_MIN_SIZE ((ZEND_MM_ALIGNED_MIN_HEADER_SIZE>(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE))?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)):0) ++#define ZEND_MM_MIN_SIZE ((ZEND_MM_ALIGNED_MIN_HEADER_SIZE>(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE+CANARY_SIZE))?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE+CANARY_SIZE)):0) + + #define ZEND_MM_MAX_SMALL_SIZE ((ZEND_MM_NUM_BUCKETS<>ZEND_MM_ALIGNMENT_LOG2)-(ZEND_MM_ALIGNED_MIN_HEADER_SIZE>>ZEND_MM_ALIGNMENT_LOG2)) + +@@ -581,6 +597,48 @@ + + #endif + ++#if SUHOSIN_PATCH ++ ++# define SUHOSIN_MM_CHECK_CANARIES(block, MFUNCTION) do { \ ++ size_t *p = SUHOSIN_MM_END_CANARY_PTR(block), check; \ ++ if (((block)->info.canary_1 != heap->canary_1) || ((block)->info.canary_2 != heap->canary_2)) { \ ++ canary_mismatch: \ ++ zend_suhosin_log(S_MEMORY, "canary mismatch on " MFUNCTION " - heap overflow detected"); \ ++ exit(1); \ ++ } \ ++ memcpy(&check, p, CANARY_SIZE); \ ++ if (check != heap->canary_3) { \ ++ zend_suhosin_log(S_MEMORY, "canary mismatch on " MFUNCTION " - heap overflow detected"); \ ++ exit(1); \ ++ goto canary_mismatch; \ ++ } \ ++ } while (0) ++ ++# define SUHOSIN_MM_SET_CANARIES(block) do { \ ++ (block)->info.canary_1 = heap->canary_1; \ ++ (block)->info.canary_2 = heap->canary_2; \ ++ } while (0) ++ ++# define SUHOSIN_MM_END_CANARY_PTR(block) \ ++ (size_t*)(((char*)(ZEND_MM_DATA_OF(block))) + ((zend_mm_block*)(block))->info.size + END_MAGIC_SIZE) ++ ++# define SUHOSIN_MM_SET_END_CANARY(block) do { \ ++ size_t *p = SUHOSIN_MM_END_CANARY_PTR(block); \ ++ memcpy(p, &heap->canary_3, CANARY_SIZE); \ ++ } while (0) ++ ++#else ++ ++# define SUHOSIN_MM_CHECK_CANARIES(block) ++ ++# define SUHOSIN_MM_SET_CANARIES(block) ++ ++# define SUHOSIN_MM_END_CANARY_PTR(block) ++ ++# define SUHOSIN_MM_SET_END_CANARY(block) ++ ++#endif ++ + + #if ZEND_MM_HEAP_PROTECTION + +@@ -779,6 +837,12 @@ + if (EXPECTED(prev == mm_block)) { + zend_mm_free_block **rp, **cp; + ++#if SUHOSIN_PATCH ++ if (next != mm_block) { ++ zend_suhosin_log(S_MEMORY, "heap corrupt on efree() - heap corruption detected"); ++ exit(1); ++ } ++#endif + #if ZEND_MM_SAFE_UNLINKING + if (UNEXPECTED(next != mm_block)) { + zend_mm_panic("zend_mm_heap corrupted"); +@@ -817,6 +881,12 @@ + } + } else { + ++#if SUHOSIN_PATCH ++ if (prev->next_free_block != mm_block || next->prev_free_block != mm_block) { ++ zend_suhosin_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); ++ exit(1); ++ } ++#endif + #if ZEND_MM_SAFE_UNLINKING + if (UNEXPECTED(prev->next_free_block != mm_block) || UNEXPECTED(next->prev_free_block != mm_block)) { + zend_mm_panic("zend_mm_heap corrupted"); +@@ -864,6 +934,11 @@ + heap->large_free_buckets[i] = NULL; + } + heap->rest_buckets[0] = heap->rest_buckets[1] = ZEND_MM_REST_BUCKET(heap); ++#if SUHOSIN_PATCH ++ heap->canary_1 = zend_canary(); ++ heap->canary_2 = zend_canary(); ++ heap->canary_3 = zend_canary(); ++#endif + } + + static void zend_mm_del_segment(zend_mm_heap *heap, zend_mm_segment *segment) +@@ -1741,6 +1816,11 @@ + best_fit = heap->cache[index]; + heap->cache[index] = best_fit->prev_free_block; + heap->cached -= true_size; ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_SET_CANARIES(best_fit); ++ ((zend_mm_block*)best_fit)->info.size = size; ++ SUHOSIN_MM_SET_END_CANARY(best_fit); ++#endif + ZEND_MM_CHECK_MAGIC(best_fit, MEM_BLOCK_CACHED); + ZEND_MM_SET_DEBUG_INFO(best_fit, size, 1, 0); + return ZEND_MM_DATA_OF(best_fit); +@@ -1875,6 +1955,12 @@ + + ZEND_MM_SET_DEBUG_INFO(best_fit, size, 1, 1); + ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_SET_CANARIES(best_fit); ++ ((zend_mm_block*)best_fit)->info.size = size; ++ SUHOSIN_MM_SET_END_CANARY(best_fit); ++#endif ++ + heap->size += true_size; + if (heap->peak < heap->size) { + heap->peak = heap->size; +@@ -1898,6 +1984,9 @@ + + mm_block = ZEND_MM_HEADER_OF(p); + size = ZEND_MM_BLOCK_SIZE(mm_block); ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_CHECK_CANARIES(mm_block, "efree()"); ++#endif + ZEND_MM_CHECK_PROTECTION(mm_block); + + #if ZEND_DEBUG || ZEND_MM_HEAP_PROTECTION +@@ -1960,6 +2049,9 @@ + mm_block = ZEND_MM_HEADER_OF(p); + true_size = ZEND_MM_TRUE_SIZE(size); + orig_size = ZEND_MM_BLOCK_SIZE(mm_block); ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_CHECK_CANARIES(mm_block, "erealloc()"); ++#endif + ZEND_MM_CHECK_PROTECTION(mm_block); + + if (UNEXPECTED(true_size < size)) { +@@ -1991,6 +2083,11 @@ + HANDLE_UNBLOCK_INTERRUPTIONS(); + } + ZEND_MM_SET_DEBUG_INFO(mm_block, size, 0, 0); ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_SET_CANARIES(mm_block); ++ ((zend_mm_block*)mm_block)->info.size = size; ++ SUHOSIN_MM_SET_END_CANARY(mm_block); ++#endif + return p; + } + +@@ -2010,13 +2107,18 @@ + heap->cache[index] = best_fit->prev_free_block; + ZEND_MM_CHECK_MAGIC(best_fit, MEM_BLOCK_CACHED); + ZEND_MM_SET_DEBUG_INFO(best_fit, size, 1, 0); ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_SET_CANARIES(best_fit); ++ ((zend_mm_block*)best_fit)->info.size = size; ++ SUHOSIN_MM_SET_END_CANARY(best_fit); ++#endif + + ptr = ZEND_MM_DATA_OF(best_fit); + + #if ZEND_DEBUG || ZEND_MM_HEAP_PROTECTION + memcpy(ptr, p, mm_block->debug.size); + #else +- memcpy(ptr, p, orig_size - ZEND_MM_ALIGNED_HEADER_SIZE); ++ memcpy(ptr, p, orig_size - ZEND_MM_ALIGNED_HEADER_SIZE - CANARY_SIZE); + #endif + + heap->cached -= true_size - orig_size; +@@ -2074,6 +2176,11 @@ + if (heap->peak < heap->size) { + heap->peak = heap->size; + } ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_SET_CANARIES(mm_block); ++ ((zend_mm_block*)mm_block)->info.size = size; ++ SUHOSIN_MM_SET_END_CANARY(mm_block); ++#endif + HANDLE_UNBLOCK_INTERRUPTIONS(); + return p; + } else if (ZEND_MM_IS_FIRST_BLOCK(mm_block) && +@@ -2177,6 +2284,11 @@ + } + + HANDLE_UNBLOCK_INTERRUPTIONS(); ++#if SUHOSIN_PATCH ++ SUHOSIN_MM_SET_CANARIES(mm_block); ++ ((zend_mm_block*)mm_block)->info.size = size; ++ SUHOSIN_MM_SET_END_CANARY(mm_block); ++#endif + return ZEND_MM_DATA_OF(mm_block); + } + +@@ -2184,7 +2296,7 @@ + #if ZEND_DEBUG || ZEND_MM_HEAP_PROTECTION + memcpy(ptr, p, mm_block->debug.size); + #else +- memcpy(ptr, p, orig_size - ZEND_MM_ALIGNED_HEADER_SIZE); ++ memcpy(ptr, p, orig_size - ZEND_MM_ALIGNED_HEADER_SIZE - CANARY_SIZE); + #endif + _zend_mm_free_int(heap, p ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC); + return ptr; +@@ -2427,6 +2539,17 @@ + zend_mm_shutdown(AG(mm_heap), full_shutdown, silent); + } + ++#if SUHOSIN_PATCH ++ZEND_API void suhosin_clear_mm_canaries(TSRMLS_D) ++{ ++/* NOT HERE ++ ++ AG(mm_heap)->canary_1 = zend_canary(); ++ AG(mm_heap)->canary_2 = zend_canary(); ++ AG(mm_heap)->canary_3 = zend_canary(); */ ++} ++#endif ++ + static void alloc_globals_ctor(zend_alloc_globals *alloc_globals TSRMLS_DC) + { + char *tmp; +Index: php5-5.2.4/Zend/zend_alloc.h +=================================================================== +--- php5-5.2.4.orig/Zend/zend_alloc.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_alloc.h 2007-09-16 14:45:15.000000000 +0200 +@@ -128,6 +128,9 @@ + + ZEND_API void start_memory_manager(TSRMLS_D); + ZEND_API void shutdown_memory_manager(int silent, int full_shutdown TSRMLS_DC); ++#if SUHOSIN_PATCH ++ZEND_API void suhosin_clear_mm_canaries(TSRMLS_D); ++#endif + ZEND_API int is_zend_mm(TSRMLS_D); + + #if ZEND_DEBUG +Index: php5-5.2.4/Zend/zend.c +=================================================================== +--- php5-5.2.4.orig/Zend/zend.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend.c 2007-09-16 14:45:15.000000000 +0200 +@@ -57,7 +57,9 @@ + ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args); + int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap); + ZEND_API char *(*zend_getenv)(char *name, size_t name_len TSRMLS_DC); +- ++#if SUHOSIN_PATCH ++ZEND_API void (*zend_suhosin_log)(int loglevel, char *fmt, ...); ++#endif + void (*zend_on_timeout)(int seconds TSRMLS_DC); + + static void (*zend_message_dispatcher_p)(long message, void *data); +@@ -74,9 +76,88 @@ + return SUCCESS; + } + ++#if SUHOSIN_PATCH ++static ZEND_INI_MH(OnUpdateSuhosin_log_syslog) ++{ ++ if (!new_value) { ++ SPG(log_syslog) = S_ALL & ~S_SQL | S_MEMORY; ++ } else { ++ SPG(log_syslog) = atoi(new_value) | S_MEMORY; ++ } ++ return SUCCESS; ++} ++static ZEND_INI_MH(OnUpdateSuhosin_log_syslog_facility) ++{ ++ if (!new_value) { ++ SPG(log_syslog_facility) = LOG_USER; ++ } else { ++ SPG(log_syslog_facility) = atoi(new_value); ++ } ++ return SUCCESS; ++} ++static ZEND_INI_MH(OnUpdateSuhosin_log_syslog_priority) ++{ ++ if (!new_value) { ++ SPG(log_syslog_priority) = LOG_ALERT; ++ } else { ++ SPG(log_syslog_priority) = atoi(new_value); ++ } ++ return SUCCESS; ++} ++static ZEND_INI_MH(OnUpdateSuhosin_log_sapi) ++{ ++ if (!new_value) { ++ SPG(log_sapi) = S_ALL & ~S_SQL; ++ } else { ++ SPG(log_sapi) = atoi(new_value); ++ } ++ return SUCCESS; ++} ++static ZEND_INI_MH(OnUpdateSuhosin_log_script) ++{ ++ if (!new_value) { ++ SPG(log_script) = S_ALL & ~S_MEMORY; ++ } else { ++ SPG(log_script) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL); ++ } ++ return SUCCESS; ++} ++static ZEND_INI_MH(OnUpdateSuhosin_log_scriptname) ++{ ++ if (SPG(log_scriptname)) { ++ pefree(SPG(log_scriptname),1); ++ } ++ SPG(log_scriptname) = NULL; ++ if (new_value) { ++ SPG(log_scriptname) = pestrdup(new_value,1); ++ } ++ return SUCCESS; ++} ++static ZEND_INI_MH(OnUpdateSuhosin_log_phpscript) ++{ ++ if (!new_value) { ++ SPG(log_phpscript) = S_ALL & ~S_MEMORY; ++ } else { ++ SPG(log_phpscript) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL); ++ } ++ return SUCCESS; ++} ++#endif + + ZEND_INI_BEGIN() + ZEND_INI_ENTRY("error_reporting", NULL, ZEND_INI_ALL, OnUpdateErrorReporting) ++#if SUHOSIN_PATCH ++ ZEND_INI_ENTRY("suhosin.log.syslog", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateSuhosin_log_syslog) ++ ZEND_INI_ENTRY("suhosin.log.syslog.facility", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateSuhosin_log_syslog_facility) ++ ZEND_INI_ENTRY("suhosin.log.syslog.priority", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateSuhosin_log_syslog_priority) ++ ZEND_INI_ENTRY("suhosin.log.sapi", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateSuhosin_log_sapi) ++ ZEND_INI_ENTRY("suhosin.log.script", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateSuhosin_log_script) ++ ZEND_INI_ENTRY("suhosin.log.script.name", NULL, ZEND_INI_SYSTEM, OnUpdateSuhosin_log_scriptname) ++ STD_ZEND_INI_BOOLEAN("suhosin.log.use-x-forwarded-for", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, log_use_x_forwarded_for, suhosin_patch_globals_struct, suhosin_patch_globals) ++ ZEND_INI_ENTRY("suhosin.log.phpscript", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateSuhosin_log_phpscript) ++ STD_ZEND_INI_ENTRY("suhosin.log.phpscript.name", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateString, log_phpscriptname, suhosin_patch_globals_struct, suhosin_patch_globals) ++ STD_ZEND_INI_BOOLEAN("suhosin.log.phpscript.is_safe", "0", ZEND_INI_SYSTEM, OnUpdateBool, log_phpscript_is_safe, suhosin_patch_globals_struct, suhosin_patch_globals) ++#endif + STD_ZEND_INI_BOOLEAN("zend.ze1_compatibility_mode", "0", ZEND_INI_ALL, OnUpdateBool, ze1_compatibility_mode, zend_executor_globals, executor_globals) + #ifdef ZEND_MULTIBYTE + STD_ZEND_INI_BOOLEAN("detect_unicode", "1", ZEND_INI_ALL, OnUpdateBool, detect_unicode, zend_compiler_globals, compiler_globals) +Index: php5-5.2.4/Zend/zend_canary.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/Zend/zend_canary.c 2007-09-16 14:45:15.000000000 +0200 +@@ -0,0 +1,64 @@ ++/* ++ +----------------------------------------------------------------------+ ++ | Suhosin-Patch for PHP | ++ +----------------------------------------------------------------------+ ++ | Copyright (c) 2004-2006 Stefan Esser | ++ +----------------------------------------------------------------------+ ++ | This source file is subject to version 2.02 of the PHP license, | ++ | that is bundled with this package in the file LICENSE, and is | ++ | available at through the world-wide-web at | ++ | http://www.php.net/license/2_02.txt. | ++ | If you did not receive a copy of the PHP license and are unable to | ++ | obtain it through the world-wide-web, please send a note to | ++ | license@php.net so we can mail you a copy immediately. | ++ +----------------------------------------------------------------------+ ++ | Author: Stefan Esser | ++ +----------------------------------------------------------------------+ ++ */ ++/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */ ++ ++#include "zend.h" ++ ++#include ++#include ++ ++ ++#if SUHOSIN_PATCH ++ ++static size_t last_canary = 0x73625123; ++ ++/* will be replaced later with more compatible method */ ++ZEND_API size_t zend_canary() ++{ ++ time_t t; ++ size_t canary; ++ int fd; ++ ++#ifndef PHP_WIN32 ++ fd = open("/dev/urandom", 0); ++ if (fd != -1) { ++ int r = read(fd, &canary, sizeof(canary)); ++ close(fd); ++ if (r == sizeof(canary)) { ++ return (canary); ++ } ++ } ++#endif ++ /* not good but we never want to do this */ ++ time(&t); ++ canary = *(unsigned int *)&t + getpid() << 16 + last_canary; ++ last_canary ^= (canary << 5) | (canary >> (32-5)); ++ return (canary); ++} ++ ++#endif ++ ++ ++/* ++ * Local variables: ++ * tab-width: 4 ++ * c-basic-offset: 4 ++ * End: ++ * vim600: sw=4 ts=4 fdm=marker ++ * vim<600: sw=4 ts=4 ++ */ +Index: php5-5.2.4/Zend/zend_compile.c +=================================================================== +--- php5-5.2.4.orig/Zend/zend_compile.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_compile.c 2007-09-16 14:45:15.000000000 +0200 +@@ -54,7 +54,6 @@ + property_info->name = zend_strndup(property_info->name, property_info->name_length); + } + +- + static void zend_destroy_property_info(zend_property_info *property_info) + { + efree(property_info->name); +@@ -68,6 +67,10 @@ + { + free(property_info->name); + } ++#if SUHOSIN_PATCH ++void *suhosin_zend_destroy_property_info_internal = zend_destroy_property_info_internal; ++void *suhosin_zend_destroy_property_info = zend_destroy_property_info; ++#endif + + static void build_runtime_defined_function_key(zval *result, char *name, int name_length TSRMLS_DC) + { +Index: php5-5.2.4/Zend/zend_compile.h +=================================================================== +--- php5-5.2.4.orig/Zend/zend_compile.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_compile.h 2007-09-16 14:45:15.000000000 +0200 +@@ -564,6 +564,11 @@ + + int zendlex(znode *zendlval TSRMLS_DC); + ++#if SUHOSIN_PATCH ++extern void *suhosin_zend_destroy_property_info_internal; ++extern void *suhosin_zend_destroy_property_info; ++#endif ++ + /* BEGIN: OPCODES */ + + #include "zend_vm_opcodes.h" +@@ -686,6 +691,7 @@ + + #define ZEND_RETURNS_FUNCTION 1<<0 + ++ + END_EXTERN_C() + + #define ZEND_CLONE_FUNC_NAME "__clone" +Index: php5-5.2.4/Zend/zend_constants.c +=================================================================== +--- php5-5.2.4.orig/Zend/zend_constants.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_constants.c 2007-09-16 14:45:15.000000000 +0200 +@@ -110,6 +110,75 @@ + REGISTER_MAIN_LONG_CONSTANT("E_USER_NOTICE", E_USER_NOTICE, CONST_PERSISTENT | CONST_CS); + + REGISTER_MAIN_LONG_CONSTANT("E_ALL", E_ALL, CONST_PERSISTENT | CONST_CS); ++#if SUHOSIN_PATCH ++ REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_MAIL", S_MAIL, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_SESSION", S_SESSION, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS); ++ REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS); ++ ++ /* error levels */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_CRIT", LOG_CRIT, CONST_CS | CONST_PERSISTENT); /* critical conditions */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_ERR", LOG_ERR, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_WARNING", LOG_WARNING, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_NOTICE", LOG_NOTICE, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_INFO", LOG_INFO, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_DEBUG", LOG_DEBUG, CONST_CS | CONST_PERSISTENT); ++ /* facility: type of program logging the message */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_KERN", LOG_KERN, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_USER", LOG_USER, CONST_CS | CONST_PERSISTENT); /* generic user level */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_MAIL", LOG_MAIL, CONST_CS | CONST_PERSISTENT); /* log to email */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_DAEMON", LOG_DAEMON, CONST_CS | CONST_PERSISTENT); /* other system daemons */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTH", LOG_AUTH, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_SYSLOG", LOG_SYSLOG, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LPR", LOG_LPR, CONST_CS | CONST_PERSISTENT); ++#ifdef LOG_NEWS ++ /* No LOG_NEWS on HP-UX */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_NEWS", LOG_NEWS, CONST_CS | CONST_PERSISTENT); /* usenet new */ ++#endif ++#ifdef LOG_UUCP ++ /* No LOG_UUCP on HP-UX */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_UUCP", LOG_UUCP, CONST_CS | CONST_PERSISTENT); ++#endif ++#ifdef LOG_CRON ++ /* apparently some systems don't have this one */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_CRON", LOG_CRON, CONST_CS | CONST_PERSISTENT); ++#endif ++#ifdef LOG_AUTHPRIV ++ /* AIX doesn't have LOG_AUTHPRIV */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTHPRIV", LOG_AUTHPRIV, CONST_CS | CONST_PERSISTENT); ++#endif ++#if !defined(PHP_WIN32) && !defined(NETWARE) ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL0", LOG_LOCAL0, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL1", LOG_LOCAL1, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL2", LOG_LOCAL2, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL3", LOG_LOCAL3, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL4", LOG_LOCAL4, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL5", LOG_LOCAL5, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL6", LOG_LOCAL6, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL7", LOG_LOCAL7, CONST_CS | CONST_PERSISTENT); ++#endif ++ /* options */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_PID", LOG_PID, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_CONS", LOG_CONS, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_ODELAY", LOG_ODELAY, CONST_CS | CONST_PERSISTENT); ++ REGISTER_MAIN_LONG_CONSTANT("LOG_NDELAY", LOG_NDELAY, CONST_CS | CONST_PERSISTENT); ++#ifdef LOG_NOWAIT ++ REGISTER_MAIN_LONG_CONSTANT("LOG_NOWAIT", LOG_NOWAIT, CONST_CS | CONST_PERSISTENT); ++#endif ++#ifdef LOG_PERROR ++ /* AIX doesn't have LOG_PERROR */ ++ REGISTER_MAIN_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/ ++#endif ++#endif + + /* true/false constants */ + { +Index: php5-5.2.4/Zend/Zend.dsp +=================================================================== +--- php5-5.2.4.orig/Zend/Zend.dsp 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/Zend.dsp 2007-09-16 14:45:15.000000000 +0200 +@@ -239,6 +239,10 @@ + # End Source File + # Begin Source File + ++SOURCE=.\zend_canary.c ++# End Source File ++# Begin Source File ++ + SOURCE=.\zend_ts_hash.c + # End Source File + # Begin Source File +Index: php5-5.2.4/Zend/zend_errors.h +=================================================================== +--- php5-5.2.4.orig/Zend/zend_errors.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_errors.h 2007-09-16 14:45:15.000000000 +0200 +@@ -39,6 +39,20 @@ + #define E_ALL (E_ERROR | E_WARNING | E_PARSE | E_NOTICE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE | E_RECOVERABLE_ERROR) + #define E_CORE (E_CORE_ERROR | E_CORE_WARNING) + ++#if SUHOSIN_PATCH ++#define S_MEMORY (1<<0L) ++#define S_MISC (1<<1L) ++#define S_VARS (1<<2L) ++#define S_FILES (1<<3L) ++#define S_INCLUDE (1<<4L) ++#define S_SQL (1<<5L) ++#define S_EXECUTOR (1<<6L) ++#define S_MAIL (1<<7L) ++#define S_SESSION (1<<8L) ++#define S_INTERNAL (1<<29L) ++#define S_ALL (S_MEMORY | S_VARS | S_INCLUDE | S_FILES | S_MAIL | S_SESSION | S_MISC | S_SQL | S_EXECUTOR) ++#endif ++ + #endif /* ZEND_ERRORS_H */ + + /* +Index: php5-5.2.4/Zend/zend.h +=================================================================== +--- php5-5.2.4.orig/Zend/zend.h 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend.h 2007-09-16 14:45:15.000000000 +0200 +@@ -520,6 +520,9 @@ + extern ZEND_API int (*zend_stream_open_function)(const char *filename, zend_file_handle *handle TSRMLS_DC); + extern int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap); + extern ZEND_API char *(*zend_getenv)(char *name, size_t name_len TSRMLS_DC); ++#if SUHOSIN_PATCH ++extern ZEND_API void (*zend_suhosin_log)(int loglevel, char *fmt, ...); ++#endif + + + ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3); +@@ -651,6 +654,13 @@ + #include "zend_operators.h" + #include "zend_variables.h" + ++#if SUHOSIN_PATCH ++#include "suhosin_globals.h" ++#include "php_syslog.h" ++ ++ZEND_API size_t zend_canary(); ++#endif ++ + #endif /* ZEND_H */ + + /* +Index: php5-5.2.4/Zend/zend_hash.c +=================================================================== +--- php5-5.2.4.orig/Zend/zend_hash.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_hash.c 2007-09-16 14:45:15.000000000 +0200 +@@ -20,6 +20,7 @@ + /* $Id: zend_hash.c,v 1.121.2.4.2.8 2007/07/24 18:28:39 dmitry Exp $ */ + + #include "zend.h" ++#include "zend_compile.h" + + #define CONNECT_TO_BUCKET_DLLIST(element, list_head) \ + (element)->pNext = (list_head); \ +@@ -132,7 +133,189 @@ + (p)->pDataPtr=NULL; \ + } + ++#if SUHOSIN_PATCH ++#ifdef ZTS ++MUTEX_T zend_hash_dprot_mx_reader; ++MUTEX_T zend_hash_dprot_mx_writer; ++unsigned int zend_hash_dprot_reader; ++#endif ++unsigned int zend_hash_dprot_counter; ++unsigned int zend_hash_dprot_curmax; ++dtor_func_t *zend_hash_dprot_table = NULL; ++ ++static void zend_hash_dprot_begin_read() ++{ ++#ifdef ZTS ++ tsrm_mutex_lock(zend_hash_dprot_mx_reader); ++ if ((++(zend_hash_dprot_reader)) == 1) { ++ tsrm_mutex_lock(zend_hash_dprot_mx_writer); ++ } ++ tsrm_mutex_unlock(zend_hash_dprot_mx_reader); ++#endif ++} ++ ++static void zend_hash_dprot_end_read() ++{ ++#ifdef ZTS ++ tsrm_mutex_lock(zend_hash_dprot_mx_reader); ++ if ((--(zend_hash_dprot_reader)) == 0) { ++ tsrm_mutex_unlock(zend_hash_dprot_mx_writer); ++ } ++ tsrm_mutex_unlock(zend_hash_dprot_mx_reader); ++#endif ++} ++ ++static void zend_hash_dprot_begin_write() ++{ ++#ifdef ZTS ++ tsrm_mutex_lock(zend_hash_dprot_mx_writer); ++#endif ++} ++ ++static void zend_hash_dprot_end_write() ++{ ++#ifdef ZTS ++ tsrm_mutex_unlock(zend_hash_dprot_mx_writer); ++#endif ++} ++ ++/*ZEND_API void zend_hash_dprot_dtor() ++{ ++#ifdef ZTS ++ tsrm_mutex_free(zend_hash_dprot_mx_reader); ++ tsrm_mutex_free(zend_hash_dprot_mx_writer); ++#endif ++ free(zend_hash_dprot_table); ++}*/ ++ ++static void zend_hash_add_destructor(dtor_func_t pDestructor) ++{ ++ int left, right, mid; ++ zend_bool found = 0; ++ unsigned long value; ++ ++ if (pDestructor == NULL || pDestructor == ZVAL_PTR_DTOR || pDestructor == ZVAL_INTERNAL_PTR_DTOR ++ || pDestructor == ZEND_FUNCTION_DTOR || pDestructor == ZEND_CLASS_DTOR) { ++ return; ++ } ++ ++ if (zend_hash_dprot_table == NULL) { ++#ifdef ZTS ++ zend_hash_dprot_mx_reader = tsrm_mutex_alloc(); ++ zend_hash_dprot_mx_writer = tsrm_mutex_alloc(); ++ zend_hash_dprot_reader = 0; ++#endif ++ zend_hash_dprot_counter = 0; ++ zend_hash_dprot_curmax = 256; ++ zend_hash_dprot_table = (dtor_func_t *) malloc(256 * sizeof(dtor_func_t)); ++ } ++ ++ zend_hash_dprot_begin_write(); ++ ++ if (zend_hash_dprot_counter == 0) { ++ zend_hash_dprot_counter++; ++ zend_hash_dprot_table[0] = pDestructor; ++ } else { ++ value = (unsigned long) pDestructor; ++ left = 0; ++ right = zend_hash_dprot_counter-1; ++ mid = 0; ++ ++ while (left < right) { ++ mid = (right - left) >> 1; ++ mid += left; ++ if ((unsigned long)zend_hash_dprot_table[mid] == value) { ++ found = 1; ++ break; ++ } ++ if (value < (unsigned long)zend_hash_dprot_table[mid]) { ++ right = mid-1; ++ } else { ++ left = mid+1; ++ } ++ } ++ if ((unsigned long)zend_hash_dprot_table[left] == value) { ++ found = 1; ++ } ++ ++ if (!found) { ++ ++ if (zend_hash_dprot_counter >= zend_hash_dprot_curmax) { ++ zend_hash_dprot_curmax += 256; ++ zend_hash_dprot_table = (dtor_func_t *) realloc(zend_hash_dprot_table, zend_hash_dprot_curmax * sizeof(dtor_func_t)); ++ } ++ ++ if ((unsigned long)zend_hash_dprot_table[left] < value) { ++ memmove(zend_hash_dprot_table+left+2, zend_hash_dprot_table+left+1, (zend_hash_dprot_counter-left-1)*sizeof(dtor_func_t)); ++ zend_hash_dprot_table[left+1] = pDestructor; ++ } else { ++ memmove(zend_hash_dprot_table+left+1, zend_hash_dprot_table+left, (zend_hash_dprot_counter-left)*sizeof(dtor_func_t)); ++ zend_hash_dprot_table[left] = pDestructor; ++ } ++ ++ zend_hash_dprot_counter++; ++ } ++ } ++ ++ zend_hash_dprot_end_write(); ++} ++ ++static void zend_hash_check_destructor(dtor_func_t pDestructor) ++{ ++ unsigned long value; ++ ++ if (pDestructor == NULL || pDestructor == ZVAL_PTR_DTOR || pDestructor == ZVAL_INTERNAL_PTR_DTOR ++#ifdef ZEND_ENGINE_2 ++ || pDestructor == suhosin_zend_destroy_property_info_internal || pDestructor == suhosin_zend_destroy_property_info ++#endif ++ || pDestructor == ZEND_FUNCTION_DTOR || pDestructor == ZEND_CLASS_DTOR) { ++ return; ++ } ++ ++ zend_hash_dprot_begin_read(); ++ ++ if (zend_hash_dprot_counter > 0) { ++ int left, right, mid; ++ zend_bool found = 0; ++ ++ value = (unsigned long) pDestructor; ++ left = 0; ++ right = zend_hash_dprot_counter-1; ++ ++ while (left < right) { ++ mid = (right - left) >> 1; ++ mid += left; ++ if ((unsigned long)zend_hash_dprot_table[mid] == value) { ++ found = 1; ++ break; ++ } ++ if (value < (unsigned long)zend_hash_dprot_table[mid]) { ++ right = mid-1; ++ } else { ++ left = mid+1; ++ } ++ } ++ if ((unsigned long)zend_hash_dprot_table[left] == value) { ++ found = 1; ++ } ++ ++ if (!found) { ++ zend_hash_dprot_end_read(); ++ ++ zend_suhosin_log(S_MEMORY, "possible memory corruption detected - unknown Hashtable destructor"); ++ exit(1); ++ return; ++ } ++ ++ } ++ ++ zend_hash_dprot_end_read(); ++} + ++#else ++#define zend_hash_add_destructor(pDestructor) do {} while(0) ++#define zend_hash_check_destructor(pDestructor) do {} while(0) ++#endif + + ZEND_API int _zend_hash_init(HashTable *ht, uint nSize, hash_func_t pHashFunction, dtor_func_t pDestructor, zend_bool persistent ZEND_FILE_LINE_DC) + { +@@ -153,6 +336,7 @@ + + ht->nTableMask = ht->nTableSize - 1; + ht->pDestructor = pDestructor; ++ zend_hash_add_destructor(pDestructor); + ht->arBuckets = NULL; + ht->pListHead = NULL; + ht->pListTail = NULL; +@@ -230,6 +414,8 @@ + return FAILURE; + } + #endif ++ ++ zend_hash_check_destructor(ht->pDestructor); + if (ht->pDestructor) { + ht->pDestructor(p->pData); + } +@@ -295,6 +481,7 @@ + return FAILURE; + } + #endif ++ zend_hash_check_destructor(ht->pDestructor); + if (ht->pDestructor) { + ht->pDestructor(p->pData); + } +@@ -370,6 +557,7 @@ + return FAILURE; + } + #endif ++ zend_hash_check_destructor(ht->pDestructor); + if (ht->pDestructor) { + ht->pDestructor(p->pData); + } +@@ -493,6 +681,7 @@ + if (ht->pInternalPointer == p) { + ht->pInternalPointer = p->pListNext; + } ++ zend_hash_check_destructor(ht->pDestructor); + if (ht->pDestructor) { + ht->pDestructor(p->pData); + } +@@ -518,6 +707,8 @@ + + SET_INCONSISTENT(HT_IS_DESTROYING); + ++ zend_hash_check_destructor(ht->pDestructor); ++ + p = ht->pListHead; + while (p != NULL) { + q = p; +@@ -544,6 +735,8 @@ + + SET_INCONSISTENT(HT_CLEANING); + ++ zend_hash_check_destructor(ht->pDestructor); ++ + p = ht->pListHead; + while (p != NULL) { + q = p; +@@ -607,6 +800,7 @@ + ht->nNumOfElements--; + HANDLE_UNBLOCK_INTERRUPTIONS(); + ++ zend_hash_check_destructor(ht->pDestructor); + if (ht->pDestructor) { + ht->pDestructor(p->pData); + } +Index: php5-5.2.4/Zend/zend_llist.c +=================================================================== +--- php5-5.2.4.orig/Zend/zend_llist.c 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/zend_llist.c 2007-09-16 14:45:15.000000000 +0200 +@@ -23,6 +23,184 @@ + #include "zend_llist.h" + #include "zend_qsort.h" + ++#if SUHOSIN_PATCH ++#ifdef ZTS ++MUTEX_T zend_llist_dprot_mx_reader; ++MUTEX_T zend_llist_dprot_mx_writer; ++unsigned int zend_llist_dprot_reader; ++#endif ++unsigned int zend_llist_dprot_counter; ++unsigned int zend_llist_dprot_curmax; ++llist_dtor_func_t *zend_llist_dprot_table = NULL; ++ ++static void zend_llist_dprot_begin_read() ++{ ++#ifdef ZTS ++ tsrm_mutex_lock(zend_llist_dprot_mx_reader); ++ if ((++(zend_llist_dprot_reader)) == 1) { ++ tsrm_mutex_lock(zend_llist_dprot_mx_writer); ++ } ++ tsrm_mutex_unlock(zend_llist_dprot_mx_reader); ++#endif ++} ++ ++static void zend_llist_dprot_end_read() ++{ ++#ifdef ZTS ++ tsrm_mutex_lock(zend_llist_dprot_mx_reader); ++ if ((--(zend_llist_dprot_reader)) == 0) { ++ tsrm_mutex_unlock(zend_llist_dprot_mx_writer); ++ } ++ tsrm_mutex_unlock(zend_llist_dprot_mx_reader); ++#endif ++} ++ ++static void zend_llist_dprot_begin_write() ++{ ++#ifdef ZTS ++ tsrm_mutex_lock(zend_llist_dprot_mx_writer); ++#endif ++} ++ ++static void zend_llist_dprot_end_write() ++{ ++#ifdef ZTS ++ tsrm_mutex_unlock(zend_llist_dprot_mx_writer); ++#endif ++} ++ ++/*ZEND_API void zend_llist_dprot_dtor() ++{ ++#ifdef ZTS ++ tsrm_mutex_free(zend_llist_dprot_mx_reader); ++ tsrm_mutex_free(zend_llist_dprot_mx_writer); ++#endif ++ free(zend_llist_dprot_table); ++}*/ ++ ++static void zend_llist_add_destructor(llist_dtor_func_t pDestructor) ++{ ++ int left, right, mid; ++ zend_bool found = 0; ++ unsigned long value; ++ ++ if (pDestructor == NULL || pDestructor == ZVAL_PTR_DTOR) { ++ return; ++ } ++ ++ if (zend_llist_dprot_table == NULL) { ++#ifdef ZTS ++ zend_llist_dprot_mx_reader = tsrm_mutex_alloc(); ++ zend_llist_dprot_mx_writer = tsrm_mutex_alloc(); ++ zend_llist_dprot_reader = 0; ++#endif ++ zend_llist_dprot_counter = 0; ++ zend_llist_dprot_curmax = 256; ++ zend_llist_dprot_table = (llist_dtor_func_t *) malloc(256 * sizeof(llist_dtor_func_t)); ++ } ++ ++ zend_llist_dprot_begin_write(); ++ ++ if (zend_llist_dprot_counter == 0) { ++ zend_llist_dprot_counter++; ++ zend_llist_dprot_table[0] = pDestructor; ++ } else { ++ value = (unsigned long) pDestructor; ++ left = 0; ++ right = zend_llist_dprot_counter-1; ++ mid = 0; ++ ++ while (left < right) { ++ mid = (right - left) >> 1; ++ mid += left; ++ if ((unsigned long)zend_llist_dprot_table[mid] == value) { ++ found = 1; ++ break; ++ } ++ if (value < (unsigned long)zend_llist_dprot_table[mid]) { ++ right = mid-1; ++ } else { ++ left = mid+1; ++ } ++ } ++ if ((unsigned long)zend_llist_dprot_table[left] == value) { ++ found = 1; ++ } ++ ++ if (!found) { ++ ++ if (zend_llist_dprot_counter >= zend_llist_dprot_curmax) { ++ zend_llist_dprot_curmax += 256; ++ zend_llist_dprot_table = (llist_dtor_func_t *) realloc(zend_llist_dprot_table, zend_llist_dprot_curmax * sizeof(llist_dtor_func_t)); ++ } ++ ++ if ((unsigned long)zend_llist_dprot_table[left] < value) { ++ memmove(zend_llist_dprot_table+left+2, zend_llist_dprot_table+left+1, (zend_llist_dprot_counter-left-1)*sizeof(llist_dtor_func_t)); ++ zend_llist_dprot_table[left+1] = pDestructor; ++ } else { ++ memmove(zend_llist_dprot_table+left+1, zend_llist_dprot_table+left, (zend_llist_dprot_counter-left)*sizeof(llist_dtor_func_t)); ++ zend_llist_dprot_table[left] = pDestructor; ++ } ++ ++ zend_llist_dprot_counter++; ++ } ++ } ++ ++ zend_llist_dprot_end_write(); ++} ++ ++static void zend_llist_check_destructor(llist_dtor_func_t pDestructor) ++{ ++ unsigned long value; ++ ++ if (pDestructor == NULL || pDestructor == ZVAL_PTR_DTOR) { ++ return; ++ } ++ ++ zend_llist_dprot_begin_read(); ++ ++ if (zend_llist_dprot_counter > 0) { ++ int left, right, mid; ++ zend_bool found = 0; ++ ++ value = (unsigned long) pDestructor; ++ left = 0; ++ right = zend_llist_dprot_counter-1; ++ ++ while (left < right) { ++ mid = (right - left) >> 1; ++ mid += left; ++ if ((unsigned long)zend_llist_dprot_table[mid] == value) { ++ found = 1; ++ break; ++ } ++ if (value < (unsigned long)zend_llist_dprot_table[mid]) { ++ right = mid-1; ++ } else { ++ left = mid+1; ++ } ++ } ++ if ((unsigned long)zend_llist_dprot_table[left] == value) { ++ found = 1; ++ } ++ ++ if (!found) { ++ zend_llist_dprot_end_read(); ++ ++ zend_suhosin_log(S_MEMORY, "possible memory corruption detected - unknown llist destructor"); ++ exit(1); ++ return; ++ } ++ ++ } ++ ++ zend_llist_dprot_end_read(); ++} ++#else ++#define zend_llist_add_destructor(pDestructor) do {} while(0) ++#define zend_llist_check_destructor(pDestructor) do {} while(0) ++#endif ++ + ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent) + { + l->head = NULL; +@@ -30,6 +208,7 @@ + l->count = 0; + l->size = size; + l->dtor = dtor; ++ zend_llist_add_destructor(dtor); + l->persistent = persistent; + } + +@@ -81,6 +260,7 @@ + } else {\ + (l)->tail = (current)->prev;\ + }\ ++ zend_llist_check_destructor((l)->dtor); \ + if ((l)->dtor) {\ + (l)->dtor((current)->data);\ + }\ +@@ -108,6 +288,7 @@ + { + zend_llist_element *current=l->head, *next; + ++ zend_llist_check_destructor(l->dtor); + while (current) { + next = current->next; + if (l->dtor) { +@@ -133,6 +314,7 @@ + zend_llist_element *old_tail; + void *data; + ++ zend_llist_check_destructor(l->dtor); + if ((old_tail = l->tail)) { + if (old_tail->prev) { + old_tail->prev->next = NULL; +Index: php5-5.2.4/Zend/ZendTS.dsp +=================================================================== +--- php5-5.2.4.orig/Zend/ZendTS.dsp 2007-09-16 14:45:09.000000000 +0200 ++++ php5-5.2.4/Zend/ZendTS.dsp 2007-09-16 14:45:15.000000000 +0200 +@@ -273,6 +273,10 @@ + # End Source File + # Begin Source File + ++SOURCE=.\zend_canary.c ++# End Source File ++# Begin Source File ++ + SOURCE=.\zend_ts_hash.c + # End Source File + # Begin Source File --- php5-5.2.4.orig/debian/patches/033-we_WANT_libtool.patch +++ php5-5.2.4/debian/patches/033-we_WANT_libtool.patch @@ -0,0 +1,16 @@ +Index: php5-5.2.0/build/build2.mk +=================================================================== +--- php5-5.2.0.orig/build/build2.mk 2007-03-18 22:57:00.000000000 +0100 ++++ php5-5.2.0/build/build2.mk 2007-03-18 22:58:41.000000000 +0100 +@@ -52,6 +52,11 @@ + + aclocal.m4: configure.in acinclude.m4 + @echo rebuilding $@ ++ @libtoolize=`./build/shtool path glibtoolize libtoolize`; \ ++ $$libtoolize --copy --automake --force; \ ++ ltpath=`dirname $$libtoolize`; \ ++ ltfile=`cd $$ltpath/../share/aclocal; pwd`/libtool.m4; \ ++ cp $$ltfile ./build/libtool.m4 + cat acinclude.m4 ./build/libtool.m4 > $@ + + configure: aclocal.m4 configure.in $(config_m4_files) --- php5-5.2.4.orig/debian/patches/CVE-2012-233x.patch +++ php5-5.2.4/debian/patches/CVE-2012-233x.patch @@ -0,0 +1,25 @@ +Description: improve php5-cgi query string parameter parsing +Origin: backport, http://git.php.net/?p=php-src.git;a=commitdiff;h=000e84aa88ce16deabbf61e7086fc8db63ca88aa + +Index: php5-5.2.4/sapi/cgi/cgi_main.c +=================================================================== +--- php5-5.2.4.orig/sapi/cgi/cgi_main.c 2012-06-12 15:53:32.000000000 -0400 ++++ php5-5.2.4/sapi/cgi/cgi_main.c 2012-06-12 15:54:53.120996941 -0400 +@@ -1264,10 +1264,15 @@ + } + #endif + +- if(query_string = getenv("QUERY_STRING")) { ++ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) { ++ /* we've got query string that has no = - apache CGI will pass it to command line */ ++ unsigned char *p; + decoded_query_string = strdup(query_string); + php_url_decode(decoded_query_string, strlen(decoded_query_string)); +- if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) { ++ for (p = decoded_query_string; *p && *p <= ' '; p++) { ++ /* skip all leading spaces */ ++ } ++ if(*p == '-') { + skip_getopt = 1; + } + free(decoded_query_string); --- php5-5.2.4.orig/debian/patches/CVE-2009-3557.patch +++ php5-5.2.4/debian/patches/CVE-2009-3557.patch @@ -0,0 +1,17 @@ +Description: fix safe_mode bypass via tempam function +upstream, Origin: http://svn.php.net/viewvc?view=revision&revision=288945 + +diff -Nur php5-5.2.4/ext/standard/file.c php5-5.2.4.new/ext/standard/file.c +--- php5-5.2.4/ext/standard/file.c 2009-11-25 14:41:44.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/file.c 2009-11-25 14:41:48.000000000 -0500 +@@ -815,6 +815,10 @@ + convert_to_string_ex(arg1); + convert_to_string_ex(arg2); + ++ if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) { ++ RETURN_FALSE; ++ } ++ + if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) { + RETURN_FALSE; + } --- php5-5.2.4.orig/debian/patches/029-php.ini_paranoid.patch +++ php5-5.2.4/debian/patches/029-php.ini_paranoid.patch @@ -0,0 +1,1200 @@ +Index: php5-5.2.0/php.ini-paranoid +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.0/php.ini-paranoid 2007-03-18 22:58:41.000000000 +0100 +@@ -0,0 +1,1195 @@ ++[PHP] ++ ++;;;;;;;;;;;;;;;;;;; ++; About this file ; ++;;;;;;;;;;;;;;;;;;; ++; ++; This is the paranoid, PHP 4-style version of the php.ini-dist file. It ++; sets some non standard settings, that make PHP more efficient, more secure ++; in a very paranoid way. Note that these security settings will make some ++; applications not work properly. ++; ++; The price is that with these settings, PHP may be incompatible with some ++; applications, and sometimes, more difficult to develop with. Using this ++; file is recommended for production sites which want a high degree of ++; security. As all of the changes from the standard settings are thoroughly ++; documented, you can go over each one, ++; and decide whether you want to use it or not. ++; ++; For general information about the php.ini file, please consult the ++; php.ini-dist file, included in your PHP distribution. ++; ++; For further information see ++; http://www.php.net/features.safe-mode ++; http://www.phpsecure.info/ ++; ++; This file is different from the php.ini-dist file in the fact that it features ++; different values for several directives, in order to improve performance, while ++; possibly breaking compatibility with the standard out-of-the-box behavior of ++; PHP 3. Please make sure you read what's different, and modify your scripts ++; accordingly, if you decide to use this file instead. ++; ++; - safe_mode = On [Security, Performance loss] ++; Do UID checks when opening files. Enabling safe_mode also enables ++; other functions related to this mode. For more information read: ++; http://www.php.net/features.safe-mode ++; Worthwhile reading, however, is also ++; http://ilia.ws/archives/18_PHPs_safe_mode_or_how_not_to_implement_security.html ++; Bottomline: Do not trust that safe_mode will drive all your security vulnerabilities ++; away. ++; ++; - safe_mode_protected_env_vars = LD_LIBRARY_PATH PATH [Security] ++; Environment variables that users will not be able to modify through ++; putenv() ++; ++; - open_basedir = /var/www/:/usr/lib/php4/ [Security, Performance loss] ++; Limits the files that PHP can access to the directories specified. ++; This includes the webroot and the usual location of PHP libraries ++; (e.g. PEAR). Since all file locations are checked against this list ++; before any access is allowed, this impacts in the performance of all ++; file operations. ++; ++; - disable_functions = dl, phpinfo, system, .... [Security] ++; Some functions can be used by attackers and can be malversed by ++; applications, the list (not complete) of functions disabled includes ++; functions which might have a severe impact to the system if wrongly used ++; in scripts or subverted remotely by attackers. ++; ++; - expose_php = Off [?Security?] ++; Not exposing that PHP is used in the site (nor its version) can affect ++; how some dumb worms attempt to attack the site. Many might ++; not check this and attempt to compromise the server nevertheless, ++; however. This setting is just 'security by obscurity' so no real ++; security at all (save vs. the dumbest attackers) ++; ++; - error_log = syslog [Security, Performance log] ++; All errors are reported to syslog so that the errors can be easily ++; sent outsite the site to a syslog server. This prevents an intruder ++; from tampering with them in an attempt to hide his tracks since the ++; logs are stored in a different location. It also helps in forensic ++; investigation or when using automatic tools to produce reports or ++; generate alarms based on the syslog information. ++; ++; - register_globals = Off [Security, Performance] ++; Global variables are no longer registered for input data (POST, GET, cookies, ++; environment and other server variables). Instead of using $foo, you must use ++; you can use $_REQUEST["foo"] (includes any variable that arrives through the ++; request, namely, POST, GET and cookie variables), or use one of the specific ++; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending ++; on where the input originates. Also, you can look at the ++; import_request_variables() function. ++; Note that register_globals is going to be depracated (i.e., turned off by ++; default) in the next version of PHP, because it often leads to security bugs. ++; Read http://php.net/manual/en/security.registerglobals.php for further ++; information. ++; - display_errors = Off [Security] ++; With this directive set to off, errors that occur during the execution of ++; scripts will no longer be displayed as a part of the script output, and thus, ++; will no longer be exposed to remote users. With some errors, the error message ++; content may expose information about your script, web server, or database ++; server that may be exploitable for hacking. Production sites should have this ++; directive set to off. ++; - log_errors = On [Security] ++; This directive complements the above one. Any errors that occur during the ++; execution of your script will be logged (typically, to your server's error log, ++; but can be configured in several ways). Along with setting display_errors to off, ++; this setup gives you the ability to fully understand what may have gone wrong, ++; without exposing any sensitive information to remote users. ++; - output_buffering = 4096 [Performance] ++; Set a 4KB output buffer. Enabling output buffering typically results in less ++; writes, and sometimes less packets sent on the wire, which can often lead to ++; better performance. The gain this directive actually yields greatly depends ++; on which Web server you're working with, and what kind of scripts you're using. ++; - register_argc_argv = Off [Performance] ++; Disables registration of the somewhat redundant $argv and $argc global ++; variables. ++; - magic_quotes_gpc = On [Security] ++; Input data is escaped with slashes so that applications that do ++; not use addslashes() are not so easily subjected to SQL injection ++; when talking to SQL databases. ++; ++; - variables_order = "GPCS" [Performance] ++; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access ++; environment variables, you can use getenv() instead. ++; - error_reporting = E_ALL [Code Cleanliness, Security(?)] ++; By default, PHP surpresses errors of type E_NOTICE. These error messages ++; are emitted for non-critical errors, but that could be a symptom of a bigger ++; problem. Most notably, this will cause error messages about the use ++; of uninitialized variables to be displayed. ++; - allow_call_time_pass_reference = Off [Code cleanliness] ++; It's not possible to decide to force a variable to be passed by reference ++; when calling a function. The PHP 4 style to do this is by making the ++; function require the relevant argument by reference. ++; ++; - enable_dl = Off [Security] ++; The dl() function is not needed in most environments and does introduce ++; a number of security issues. ++; - file_uploads = Off [Security] ++; File uploads should not be allowed to the server. ++; - allow_url_fopen = Off [Security] ++; File calls should not transparently retrieve files from the network ++; since this could be subverted by attackers in poorly coded scripts ++; by forcing them to download (and execute) malicious remote content ++; from compromised hosts. This behaviour has been observed in automatic ++; worms/tools that use it to scan and propagate through badly written ++; applications (in conjuntion with other unsafe features) ++; http://myhost/myapplication.php?include=http://roguesever/rogueapp.php ++ ++ ++;;;;;;;;;;;;;;;;;;;; ++; Language Options ; ++;;;;;;;;;;;;;;;;;;;; ++ ++; Enable the PHP scripting language engine under Apache. ++engine = On ++ ++; Allow the tags are recognized. ++; NOTE: Using short tags should be avoided when developing applications or ++; libraries that are meant for redistribution, or deployment on PHP ++; servers which are not under your control, because short tags may not ++; be supported on the target server. For portable, redistributable code, ++; be sure not to use short tags. ++short_open_tag = On ++ ++; Allow ASP-style <% %> tags. ++asp_tags = Off ++ ++; The number of significant digits displayed in floating point numbers. ++precision = 14 ++ ++; Enforce year 2000 compliance (will cause problems with non-compliant browsers) ++y2k_compliance = On ++ ++; Output buffering allows you to send header lines (including cookies) even ++; after you send body content, at the price of slowing PHP's output layer a ++; bit. You can enable output buffering during runtime by calling the output ++; buffering functions. You can also enable output buffering for all files by ++; setting this directive to On. If you wish to limit the size of the buffer ++; to a certain size - you can use a maximum number of bytes instead of 'On', as ++; a value for this directive (e.g., output_buffering=4096). ++output_buffering = 4096 ++ ++; You can redirect all of the output of your scripts to a function. For ++; example, if you set output_handler to "mb_output_handler", character ++; encoding will be transparently converted to the specified encoding. ++; Setting any output handler automatically turns on output buffering. ++; Note: People who wrote portable scripts should not depend on this ini ++; directive. Instead, explicitly set the output handler using ob_start(). ++; Using this ini directive may cause problems unless you know what script ++; is doing. ++; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler" ++; and you cannot use both "ob_gzhandler" and "zlib.output_compression". ++;output_handler = ++ ++; Transparent output compression using the zlib library ++; Valid values for this option are 'off', 'on', or a specific buffer size ++; to be used for compression (default is 4KB) ++; Note: Resulting chunk size may vary due to nature of compression. PHP ++; outputs chunks that are few handreds bytes each as a result of compression. ++; If you want larger chunk size for better performence, enable output_buffering ++; also. ++; Note: output_handler must be empty if this is set 'On' !!!! ++; Instead you must use zlib.output_handler. ++zlib.output_compression = Off ++ ++; You cannot specify additional output handlers if zlib.output_compression ++; is activated here. This setting does the same as output_handler but in ++; a different order. ++;zlib.output_handler = ++ ++; Implicit flush tells PHP to tell the output layer to flush itself ++; automatically after every output block. This is equivalent to calling the ++; PHP function flush() after each and every call to print() or echo() and each ++; and every HTML block. Turning this option on has serious performance ++; implications and is generally recommended for debugging purposes only. ++implicit_flush = Off ++ ++; The unserialize callback function will be called (with the undefined class' ++; name as parameter), if the unserializer finds an undefined class ++; which should be instanciated. ++; A warning appears if the specified function is not defined, or if the ++; function doesn't include/implement the missing class. ++; So only set this entry, if you really want to implement such a ++; callback-function. ++unserialize_callback_func= ++ ++; When floats & doubles are serialized store serialize_precision significant ++; digits after the floating point. The default value ensures that when floats ++; are decoded with unserialize, the data will remain the same. ++serialize_precision = 100 ++ ++; Whether to enable the ability to force arguments to be passed by reference ++; at function call time. This method is deprecated and is likely to be ++; unsupported in future versions of PHP/Zend. The encouraged method of ++; specifying which arguments should be passed by reference is in the function ++; declaration. You're encouraged to try and turn this option Off and make ++; sure your scripts work properly with it in order to ensure they will work ++; with future versions of the language (you will receive a warning each time ++; you use this feature, and the argument will be passed by value instead of by ++; reference). ++allow_call_time_pass_reference = Off ++ ++; ++; Safe Mode ++; ++safe_mode = On ++ ++; By default, Safe Mode does a UID compare check when ++; opening files. If you want to relax this to a GID compare, ++; then turn on safe_mode_gid. ++safe_mode_gid = Off ++ ++; When safe_mode is on, UID/GID checks are bypassed when ++; including files from this directory and its subdirectories. ++; (directory must also be in include_path or full path must ++; be used when including) ++safe_mode_include_dir = ++ ++; When safe_mode is on, only executables located in the safe_mode_exec_dir ++; will be allowed to be executed via the exec family of functions. ++; ++; Note: This should be customised per site (if exec is permitted) ++safe_mode_exec_dir = ++ ++; Setting certain environment variables may be a potential security breach. ++; This directive contains a comma-delimited list of prefixes. In Safe Mode, ++; the user may only alter environment variables whose names begin with the ++; prefixes supplied here. By default, users will only be able to set ++; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR). ++; ++; Note: If this directive is empty, PHP will let the user modify ANY ++; environment variable! ++safe_mode_allowed_env_vars = PHP_ ++ ++; This directive contains a comma-delimited list of environment variables that ++; the end user won't be able to change using putenv(). These variables will be ++; protected even if safe_mode_allowed_env_vars is set to allow to change them. ++safe_mode_protected_env_vars = LD_LIBRARY_PATH,PATH ++ ++; open_basedir, if set, limits all file operations to the defined directory ++; and below. This directive makes most sense if used in a per-directory ++; or per-virtualhost web server configuration file. This directive is ++; *NOT* affected by whether Safe Mode is turned On or Off. ++; ++; In Debian, the WebRoot is /var/www/ so we limit file operations to it. ++open_basedir = /var/www/:/usr/lib/php4/ ++ ++; This directive allows you to disable certain functions for security reasons. ++; It receives a comma-delimited list of function names. This directive is ++; *NOT* affected by whether Safe Mode is turned On or Off. ++; ++; Note: The list of functions disabled here might break some applications ++; however, they are considered dangerous and often subverted by attackers ++; remotely ++disable_functions = dl, phpinfo, system, mail, include, shell_exec, exec, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose, chown, disk_free_space, disk_total_space, diskfreespace, fileinode, max_execution_time, set_time_limit,highlight_file, show_source ++ ++; This directive allows you to disable certain classes for security reasons. ++; It receives a comma-delimited list of class names. This directive is ++; *NOT* affected by whether Safe Mode is turned On or Off. ++disable_classes = ++ ++; Colors for Syntax Highlighting mode. Anything that's acceptable in ++; would work. ++;highlight.string = #DD0000 ++;highlight.comment = #FF9900 ++;highlight.keyword = #007700 ++;highlight.bg = #FFFFFF ++;highlight.default = #0000BB ++;highlight.html = #000000 ++ ++ ++; ++; Misc ++; ++; Decides whether PHP may expose the fact that it is installed on the server ++; (e.g. by adding its signature to the Web server header). It is no security ++; threat in any way, but it makes it possible to determine whether you use PHP ++; on your server or not. ++expose_php = Off ++ ++ ++;;;;;;;;;;;;;;;;;;; ++; Resource Limits ; ++;;;;;;;;;;;;;;;;;;; ++ ++max_execution_time = 30 ; Maximum execution time of each script, in seconds ++max_input_time = 60 ; Maximum amount of time each script may spend parsing request data ++memory_limit = 8M ; Maximum amount of memory a script may consume (8MB) ++ ++ ++;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ++; Error handling and logging ; ++;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ++ ++; error_reporting is a bit-field. Or each number up to get desired error ++; reporting level ++; E_ALL - All errors and warnings ++; E_ERROR - fatal run-time errors ++; E_WARNING - run-time warnings (non-fatal errors) ++; E_PARSE - compile-time parse errors ++; E_NOTICE - run-time notices (these are warnings which often result ++; from a bug in your code, but it's possible that it was ++; intentional (e.g., using an uninitialized variable and ++; relying on the fact it's automatically initialized to an ++; empty string) ++; E_CORE_ERROR - fatal errors that occur during PHP's initial startup ++; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's ++; initial startup ++; E_COMPILE_ERROR - fatal compile-time errors ++; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) ++; E_USER_ERROR - user-generated error message ++; E_USER_WARNING - user-generated warning message ++; E_USER_NOTICE - user-generated notice message ++; ++; Examples: ++; ++; - Show all errors, except for notices ++; ++;error_reporting = E_ALL & ~E_NOTICE ++; ++; - Show only errors ++; ++;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ++; ++; - Show all errors ++; ++error_reporting = E_ALL ++ ++; Print out errors (as a part of the output). For production web sites, ++; you're strongly encouraged to turn this feature off, and use error logging ++; instead (see below). Keeping display_errors enabled on a production web site ++; may reveal security information to end users, such as file paths on your Web ++; server, your database schema or other information. ++display_errors = Off ++ ++; Even when display_errors is on, errors that occur during PHP's startup ++; sequence are not displayed. It's strongly recommended to keep ++; display_startup_errors off, except for when debugging. ++display_startup_errors = Off ++ ++; Log errors into a log file (server-specific log, stderr, or error_log (below)) ++; As stated above, you're strongly advised to use error logging in place of ++; error displaying on production web sites. ++log_errors = On ++ ++; Set maximum length of log_errors. In error_log information about the source is ++; added. The default is 1024 and 0 allows to not apply any maximum length at all. ++log_errors_max_len = 1024 ++ ++; Do not log repeated messages. Repeated errors must occur in same file on same ++; line until ignore_repeated_source is set true. ++ignore_repeated_errors = Off ++ ++; Ignore source of message when ignoring repeated messages. When this setting ++; is On you will not log errors with repeated messages from different files or ++; sourcelines. ++ignore_repeated_source = Off ++ ++; If this parameter is set to Off, then memory leaks will not be shown (on ++; stdout or in the log). This has only effect in a debug compile, and if ++; error reporting includes E_WARNING in the allowed list ++report_memleaks = On ++ ++; Store the last error/warning message in $php_errormsg (boolean). ++track_errors = Off ++ ++; Disable the inclusion of HTML tags in error messages. ++html_errors = Off ++ ++; If html_errors is set On PHP produces clickable error messages that direct ++; to a page describing the error or function causing the error in detail. ++; You can download a copy of the PHP manual from http://www.php.net/docs.php ++; and change docref_root to the base URL of your local copy including the ++; leading '/'. You must also specify the file extension being used including ++; the dot. ++;docref_root = "/phpmanual/" ++;docref_ext = .html ++ ++; String to output before an error message. ++;error_prepend_string = "" ++ ++; String to output after an error message. ++;error_append_string = "" ++ ++; Log errors to specified file. ++;error_log = filename ++ ++; Log errors to syslog (Event Log on NT, not valid in Windows 95). ++error_log = syslog ++ ++ ++;;;;;;;;;;;;;;;;; ++; Data Handling ; ++;;;;;;;;;;;;;;;;; ++; ++; Note - track_vars is ALWAYS enabled as of PHP 4.0.3 ++ ++; The separator used in PHP generated URLs to separate arguments. ++; Default is "&". ++;arg_separator.output = "&" ++ ++; List of separator(s) used by PHP to parse input URLs into variables. ++; Default is "&". ++; NOTE: Every character in this directive is considered as separator! ++;arg_separator.input = ";&" ++ ++; This directive describes the order in which PHP registers GET, POST, Cookie, ++; Environment and Built-in variables (G, P, C, E & S respectively, often ++; referred to as EGPCS or GPC). Registration is done from left to right, newer ++; values override older values. ++variables_order = "GPCS" ++ ++; Whether or not to register the EGPCS variables as global variables. You may ++; want to turn this off if you don't want to clutter your scripts' global scope ++; with user data. This makes most sense when coupled with track_vars - in which ++; case you can access all of the GPC variables through the $HTTP_*_VARS[], ++; variables. ++; ++; You should do your best to write your scripts so that they do not require ++; register_globals to be on; Using form variables as globals can easily lead ++; to possible security problems, if the code is not very well thought of. ++register_globals = Off ++ ++; This directive tells PHP whether to declare the argv&argc variables (that ++; would contain the GET information). If you don't use these variables, you ++; should turn it off for increased performance. ++register_argc_argv = Off ++ ++; Maximum size of POST data that PHP will accept. ++post_max_size = 8M ++ ++; This directive is deprecated. Use variables_order instead. ++gpc_order = "GPC" ++ ++; Magic quotes ++; ++ ++; Magic quotes for incoming GET/POST/Cookie data. ++magic_quotes_gpc = On ++ ++; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. ++magic_quotes_runtime = Off ++ ++; Use Sybase-style magic quotes (escape ' with '' instead of \'). ++magic_quotes_sybase = Off ++ ++; Automatically add files before or after any PHP document. ++auto_prepend_file = ++auto_append_file = ++ ++; As of 4.0b4, PHP always outputs a character encoding by default in ++; the Content-type: header. To disable sending of the charset, simply ++; set it to be empty. ++; ++; PHP's built-in default is text/html ++default_mimetype = "text/html" ++;default_charset = "iso-8859-1" ++ ++; Always populate the $HTTP_RAW_POST_DATA variable. ++;always_populate_raw_post_data = On ++ ++ ++;;;;;;;;;;;;;;;;;;;;;;;;; ++; Paths and Directories ; ++;;;;;;;;;;;;;;;;;;;;;;;;; ++ ++; UNIX: "/path1:/path2" ++;include_path = ".:/php/includes" ++; ++; Windows: "\path1;\path2" ++;include_path = ".;c:\php\includes" ++ ++; The root of the PHP pages, used only if nonempty. ++; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root ++; if you are running php as a CGI under any web server (other than IIS) ++; see documentation for security issues. The alternate is to use the ++; cgi.force_redirect configuration below ++doc_root = ++ ++; The directory under which PHP opens the script using /~usernamem used only ++; if nonempty. ++user_dir = ++ ++; Directory in which the loadable extensions (modules) reside. ++extension_dir = "./" ++ ++; Whether or not to enable the dl() function. The dl() function does NOT work ++; properly in multithreaded servers, such as IIS or Zeus, and is automatically ++; disabled on them. ++; ++; The dl function also introduces security issues. ++enable_dl = Off ++ ++; cgi.force_redirect is necessary to provide security running PHP as a CGI under ++; most web servers. Left undefined, PHP turns this on by default. You can ++; turn it off here AT YOUR OWN RISK ++; **You CAN safely turn this off for IIS, in fact, you MUST.** ++; cgi.force_redirect = 1 ++ ++; if cgi.nph is enabled it will force cgi to always sent Status: 200 with ++; every request. ++; cgi.nph = 1 ++ ++; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape ++; (iPlanet) web servers, you MAY need to set an environment variable name that PHP ++; will look for to know it is OK to continue execution. Setting this variable MAY ++; cause security issues, KNOW WHAT YOU ARE DOING FIRST. ++; cgi.redirect_status_env = ; ++ ++; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's ++; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok ++; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting ++; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting ++; of zero causes PHP to behave as before. Default is zero. You should fix your scripts ++; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. ++; cgi.fix_pathinfo=1 ++ ++; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate ++; security tokens of the calling client. This allows IIS to define the ++; security context that the request runs under. mod_fastcgi under Apache ++; does not currently support this feature (03/17/2002) ++; Set to 1 if running under IIS. Default is zero. ++; fastcgi.impersonate = 1; ++ ++; cgi.rfc2616_headers configuration option tells PHP what type of headers to ++; use when sending HTTP response code. If it's set 0 PHP sends Status: header that ++; is supported by Apache. When this option is set to 1 PHP will send ++; RFC2616 compliant header. ++; Default is zero. ++;cgi.rfc2616_headers = 0 ++ ++ ++;;;;;;;;;;;;;;;; ++; File Uploads ; ++;;;;;;;;;;;;;;;; ++ ++; Whether to allow HTTP file uploads. ++file_uploads = Off ++ ++; Temporary directory for HTTP uploaded files (will use system default if not ++; specified). ++;upload_tmp_dir = ++ ++; Maximum allowed size for uploaded files. ++upload_max_filesize = 2M ++ ++ ++;;;;;;;;;;;;;;;;;; ++; Fopen wrappers ; ++;;;;;;;;;;;;;;;;;; ++ ++; Whether to allow the treatment of URLs (like http:// or ftp://) as files. ++; ++; This is turned off to avoid variable redefinition by remote attacker ++; that attempts to have the server download (and execute) a remote file ++; from a compromised host. This behaviour has been observed in automatic ++; scanning against badly written applications: ++; http://myhost/myapplication.php?include=http://roguesever/rogueapp.php ++allow_url_fopen = Off ++ ++; Define the anonymous ftp password (your email address) ++;from="john@doe.com" ++ ++; Define the user agent for php to send ++;user_agent="PHP" ++ ++; Default timeout for socket based streams (seconds) ++default_socket_timeout = 60 ++ ++; If your scripts have to deal with files from Macintosh systems, ++; or you are running on a Mac and need to deal with files from ++; unix or win32 systems, setting this flag will cause PHP to ++; automatically detect the EOL character in those files so that ++; fgets() and file() will work regardless of the source of the file. ++; auto_detect_line_endings = Off ++ ++ ++;;;;;;;;;;;;;;;;;;;;;; ++; Dynamic Extensions ; ++;;;;;;;;;;;;;;;;;;;;;; ++; ++; If you wish to have an extension loaded automatically, use the following ++; syntax: ++; ++; extension=modulename.extension ++; ++; For example, on Windows: ++; ++; extension=msql.dll ++; ++; ... or under UNIX: ++; ++; extension=msql.so ++; ++; Note that it should be the name of the module only; no directory information ++; needs to go here. Specify the location of the extension with the ++; extension_dir directive above. ++ ++ ++;Windows Extensions ++;Note that MySQL and ODBC support is now built in, so no dll is needed for it. ++; ++;extension=php_bz2.dll ++;extension=php_cpdf.dll ++;extension=php_crack.dll ++;extension=php_curl.dll ++;extension=php_db.dll ++;extension=php_dba.dll ++;extension=php_dbase.dll ++;extension=php_dbx.dll ++;extension=php_domxml.dll ++;extension=php_exif.dll ++;extension=php_fdf.dll ++;extension=php_filepro.dll ++;extension=php_gd2.dll ++;extension=php_gettext.dll ++;extension=php_hyperwave.dll ++;extension=php_iconv.dll ++;extension=php_ifx.dll ++;extension=php_iisfunc.dll ++;extension=php_imap.dll ++;extension=php_interbase.dll ++;extension=php_java.dll ++;extension=php_ldap.dll ++;extension=php_mbstring.dll ++;extension=php_mcrypt.dll ++;extension=php_mhash.dll ++;extension=php_mime_magic.dll ++;extension=php_ming.dll ++;extension=php_mssql.dll ++;extension=php_msql.dll ++;extension=php_oci8.dll ++;extension=php_openssl.dll ++;extension=php_oracle.dll ++;extension=php_pdf.dll ++;extension=php_pgsql.dll ++;extension=php_printer.dll ++;extension=php_shmop.dll ++;extension=php_snmp.dll ++;extension=php_sockets.dll ++;extension=php_sybase_ct.dll ++;extension=php_w32api.dll ++;extension=php_xmlrpc.dll ++;extension=php_xslt.dll ++;extension=php_yaz.dll ++;extension=php_zip.dll ++ ++ ++;;;;;;;;;;;;;;;;;;; ++; Module Settings ; ++;;;;;;;;;;;;;;;;;;; ++ ++[Syslog] ++; Whether or not to define the various syslog variables (e.g. $LOG_PID, ++; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In ++; runtime, you can define these variables by calling define_syslog_variables(). ++define_syslog_variables = Off ++ ++[mail function] ++; For Win32 only. ++SMTP = localhost ++smtp_port = 25 ++ ++; For Win32 only. ++;sendmail_from = me@example.com ++ ++; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). ++;sendmail_path = ++ ++[Java] ++;java.class.path = .\php_java.jar ++;java.home = c:\jdk ++;java.library = c:\jdk\jre\bin\hotspot\jvm.dll ++;java.library.path = .\ ++ ++[SQL] ++sql.safe_mode = On ++ ++[ODBC] ++;odbc.default_db = Not yet implemented ++;odbc.default_user = Not yet implemented ++;odbc.default_pw = Not yet implemented ++ ++; Allow or prevent persistent links. ++odbc.allow_persistent = On ++ ++; Check that a connection is still valid before reuse. ++odbc.check_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++odbc.max_persistent = -1 ++ ++; Maximum number of links (persistent + non-persistent). -1 means no limit. ++odbc.max_links = -1 ++ ++; Handling of LONG fields. Returns number of bytes to variables. 0 means ++; passthru. ++odbc.defaultlrl = 4096 ++ ++; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. ++; See the documentation on odbc_binmode and odbc_longreadlen for an explanation ++; of uodbc.defaultlrl and uodbc.defaultbinmode ++odbc.defaultbinmode = 1 ++ ++[MySQL] ++; Allow or prevent persistent links. ++mysql.allow_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++mysql.max_persistent = -1 ++ ++; Maximum number of links (persistent + non-persistent). -1 means no limit. ++mysql.max_links = -1 ++ ++; Default port number for mysql_connect(). If unset, mysql_connect() will use ++; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the ++; compile-time value defined MYSQL_PORT (in that order). Win32 will only look ++; at MYSQL_PORT. ++mysql.default_port = ++ ++; Default socket name for local MySQL connects. If empty, uses the built-in ++; MySQL defaults. ++mysql.default_socket = ++ ++; Default host for mysql_connect() (doesn't apply in safe mode). ++mysql.default_host = ++ ++; Default user for mysql_connect() (doesn't apply in safe mode). ++mysql.default_user = ++ ++; Default password for mysql_connect() (doesn't apply in safe mode). ++; Note that this is generally a *bad* idea to store passwords in this file. ++; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password") ++; and reveal this password! And of course, any users with read access to this ++; file will be able to reveal the password as well. ++mysql.default_password = ++ ++; Maximum time (in seconds) for connect timeout. -1 means no limit ++mysql.connect_timeout = 60 ++ ++; Trace mode. When trace_mode is active (=On), warnings for table/index scans and ++; SQL-Errors will be displayed. ++mysql.trace_mode = Off ++ ++[mSQL] ++; Allow or prevent persistent links. ++msql.allow_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++msql.max_persistent = -1 ++ ++; Maximum number of links (persistent+non persistent). -1 means no limit. ++msql.max_links = -1 ++ ++[PostgresSQL] ++; Allow or prevent persistent links. ++pgsql.allow_persistent = On ++ ++; Detect broken persistent links always with pg_pconnect(). ++; Auto reset feature requires a little overheads. ++pgsql.auto_reset_persistent = Off ++ ++; Maximum number of persistent links. -1 means no limit. ++pgsql.max_persistent = -1 ++ ++; Maximum number of links (persistent+non persistent). -1 means no limit. ++pgsql.max_links = -1 ++ ++; Ignore PostgreSQL backends Notice message or not. ++; Notice message logging require a little overheads. ++pgsql.ignore_notice = 0 ++ ++; Log PostgreSQL backends Noitce message or not. ++; Unless pgsql.ignore_notice=0, module cannot log notice message. ++pgsql.log_notice = 0 ++ ++[Sybase] ++; Allow or prevent persistent links. ++sybase.allow_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++sybase.max_persistent = -1 ++ ++; Maximum number of links (persistent + non-persistent). -1 means no limit. ++sybase.max_links = -1 ++ ++;sybase.interface_file = "/usr/sybase/interfaces" ++ ++; Minimum error severity to display. ++sybase.min_error_severity = 10 ++ ++; Minimum message severity to display. ++sybase.min_message_severity = 10 ++ ++; Compatability mode with old versions of PHP 3.0. ++; If on, this will cause PHP to automatically assign types to results according ++; to their Sybase type, instead of treating them all as strings. This ++; compatibility mode will probably not stay around forever, so try applying ++; whatever necessary changes to your code, and turn it off. ++sybase.compatability_mode = Off ++ ++[Sybase-CT] ++; Allow or prevent persistent links. ++sybct.allow_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++sybct.max_persistent = -1 ++ ++; Maximum number of links (persistent + non-persistent). -1 means no limit. ++sybct.max_links = -1 ++ ++; Minimum server message severity to display. ++sybct.min_server_severity = 10 ++ ++; Minimum client message severity to display. ++sybct.min_client_severity = 10 ++ ++[dbx] ++; returned column names can be converted for compatibility reasons ++; possible values for dbx.colnames_case are ++; "unchanged" (default, if not set) ++; "lowercase" ++; "uppercase" ++; the recommended default is either upper- or lowercase, but ++; unchanged is currently set for backwards compatibility ++dbx.colnames_case = "lowercase" ++ ++[bcmath] ++; Number of decimal digits for all bcmath functions. ++bcmath.scale = 0 ++ ++[browscap] ++;browscap = extra/browscap.ini ++ ++[Informix] ++; Default host for ifx_connect() (doesn't apply in safe mode). ++ifx.default_host = ++ ++; Default user for ifx_connect() (doesn't apply in safe mode). ++ifx.default_user = ++ ++; Default password for ifx_connect() (doesn't apply in safe mode). ++ifx.default_password = ++ ++; Allow or prevent persistent links. ++ifx.allow_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++ifx.max_persistent = -1 ++ ++; Maximum number of links (persistent + non-persistent). -1 means no limit. ++ifx.max_links = -1 ++ ++; If on, select statements return the contents of a text blob instead of its id. ++ifx.textasvarchar = 0 ++ ++; If on, select statements return the contents of a byte blob instead of its id. ++ifx.byteasvarchar = 0 ++ ++; Trailing blanks are stripped from fixed-length char columns. May help the ++; life of Informix SE users. ++ifx.charasvarchar = 0 ++ ++; If on, the contents of text and byte blobs are dumped to a file instead of ++; keeping them in memory. ++ifx.blobinfile = 0 ++ ++; NULL's are returned as empty strings, unless this is set to 1. In that case, ++; NULL's are returned as string 'NULL'. ++ifx.nullformat = 0 ++ ++[Session] ++; Handler used to store/retrieve data. ++session.save_handler = files ++ ++; Argument passed to save_handler. In the case of files, this is the path ++; where data files are stored. Note: Windows users have to change this ++; variable in order to use PHP's session functions. ++;session.save_path = /tmp ++ ++; Whether to use cookies. ++session.use_cookies = 1 ++ ++; This option enables administrators to make their users invulnerable to ++; attacks which involve passing session ids in URLs; defaults to 0. ++; session.use_only_cookies = 1 ++ ++; Name of the session (used as cookie name). ++session.name = PHPSESSID ++ ++; Initialize session on request startup. ++session.auto_start = 0 ++ ++; Lifetime in seconds of cookie or, if 0, until browser is restarted. ++session.cookie_lifetime = 0 ++ ++; The path for which the cookie is valid. ++session.cookie_path = / ++ ++; The domain for which the cookie is valid. ++session.cookie_domain = ++ ++; Handler used to serialize data. php is the standard serializer of PHP. ++session.serialize_handler = php ++ ++; Define the probability that the 'garbage collection' process is started ++; on every session initialization. ++; The probability is calculated by using gc_probability/gc_divisor, ++; e.g. 1/100 means there is a 1% chance that the GC process starts ++; on each request. ++ ++session.gc_probability = 1 ++session.gc_divisor = 1000 ++ ++; After this number of seconds, stored data will be seen as 'garbage' and ++; cleaned up by the garbage collection process. ++session.gc_maxlifetime = 1440 ++ ++; PHP 4.2 and less have an undocumented feature/bug that allows you to ++; to initialize a session variable in the global scope, albeit register_globals ++; is disabled. PHP 4.3 and later will warn you, if this feature is used. ++; You can disable the feature and the warning separately. At this time, ++; the warning is only displayed, if bug_compat_42 is enabled. ++ ++session.bug_compat_42 = 0 ++session.bug_compat_warn = 1 ++ ++; Check HTTP Referer to invalidate externally stored URLs containing ids. ++; HTTP_REFERER has to contain this substring for the session to be ++; considered as valid. ++session.referer_check = ++ ++; How many bytes to read from the file. ++session.entropy_length = 0 ++ ++; Specified here to create the session id. ++session.entropy_file = ++ ++;session.entropy_length = 16 ++ ++;session.entropy_file = /dev/urandom ++ ++; Set to {nocache,private,public,} to determine HTTP caching aspects. ++; or leave this empty to avoid sending anti-caching headers. ++session.cache_limiter = nocache ++ ++; Document expires after n minutes. ++session.cache_expire = 180 ++ ++; trans sid support is disabled by default. ++; Use of trans sid may risk your users security. ++; Use this option with caution. ++; - User may send URL contains active session ID ++; to other person via. email/irc/etc. ++; - URL that contains active session ID may be stored ++; in publically accessible computer. ++; - User may access your site with the same session ID ++; always using URL stored in browser's history or bookmarks. ++session.use_trans_sid = 0 ++ ++; The URL rewriter will look for URLs in a defined set of HTML tags. ++; form/fieldset are special; if you include them here, the rewriter will ++; add a hidden field with the info which is otherwise appended ++; to URLs. If you want XHTML conformity, remove the form entry. ++; Note that all valid entries require a "=", even if no value follows. ++url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" ++ ++[MSSQL] ++; Allow or prevent persistent links. ++mssql.allow_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++mssql.max_persistent = -1 ++ ++; Maximum number of links (persistent+non persistent). -1 means no limit. ++mssql.max_links = -1 ++ ++; Minimum error severity to display. ++mssql.min_error_severity = 10 ++ ++; Minimum message severity to display. ++mssql.min_message_severity = 10 ++ ++; Compatability mode with old versions of PHP 3.0. ++mssql.compatability_mode = Off ++ ++; Connect timeout ++;mssql.connect_timeout = 5 ++ ++; Query timeout ++;mssql.timeout = 60 ++ ++; Valid range 0 - 2147483647. Default = 4096. ++;mssql.textlimit = 4096 ++ ++; Valid range 0 - 2147483647. Default = 4096. ++;mssql.textsize = 4096 ++ ++; Limits the number of records in each batch. 0 = all records in one batch. ++;mssql.batchsize = 0 ++ ++; Specify how datetime and datetim4 columns are returned ++; On => Returns data converted to SQL server settings ++; Off => Returns values as YYYY-MM-DD hh:mm:ss ++;mssql.datetimeconvert = On ++ ++; Use NT authentication when connecting to the server ++mssql.secure_connection = On ++ ++; Specify max number of processes. Default = 25 ++;mssql.max_procs = 25 ++ ++[Assertion] ++; Assert(expr); active by default. ++;assert.active = On ++ ++; Issue a PHP warning for each failed assertion. ++;assert.warning = On ++ ++; Don't bail out by default. ++;assert.bail = Off ++ ++; User-function to be called if an assertion fails. ++;assert.callback = 0 ++ ++; Eval the expression with current error_reporting(). Set to true if you want ++; error_reporting(0) around the eval(). ++;assert.quiet_eval = 0 ++ ++[Ingres II] ++; Allow or prevent persistent links. ++ingres.allow_persistent = On ++ ++; Maximum number of persistent links. -1 means no limit. ++ingres.max_persistent = -1 ++ ++; Maximum number of links, including persistents. -1 means no limit. ++ingres.max_links = -1 ++ ++; Default database (format: [node_id::]dbname[/srv_class]). ++ingres.default_database = ++ ++; Default user. ++ingres.default_user = ++ ++; Default password. ++ingres.default_password = ++ ++[Verisign Payflow Pro] ++; Default Payflow Pro server. ++pfpro.defaulthost = "test-payflow.verisign.com" ++ ++; Default port to connect to. ++pfpro.defaultport = 443 ++ ++; Default timeout in seconds. ++pfpro.defaulttimeout = 30 ++ ++; Default proxy IP address (if required). ++;pfpro.proxyaddress = ++ ++; Default proxy port. ++;pfpro.proxyport = ++ ++; Default proxy logon. ++;pfpro.proxylogon = ++ ++; Default proxy password. ++;pfpro.proxypassword = ++ ++[Sockets] ++; Use the system read() function instead of the php_read() wrapper. ++sockets.use_system_read = On ++ ++[com] ++; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs ++;com.typelib_file = ++; allow Distributed-COM calls ++;com.allow_dcom = true ++; autoregister constants of a components typlib on com_load() ++;com.autoregister_typelib = true ++; register constants casesensitive ++;com.autoregister_casesensitive = false ++; show warnings on duplicate constat registrations ++;com.autoregister_verbose = true ++ ++[Printer] ++;printer.default_printer = "" ++ ++[mbstring] ++; language for internal character representation. ++;mbstring.language = Japanese ++ ++; internal/script encoding. ++; Some encoding cannot work as internal encoding. ++; (e.g. SJIS, BIG5, ISO-2022-*) ++;mbstring.internal_encoding = EUC-JP ++ ++; http input encoding. ++;mbstring.http_input = auto ++ ++; http output encoding. mb_output_handler must be ++; registered as output buffer to function ++;mbstring.http_output = SJIS ++ ++; enable automatic encoding translation accoding to ++; mbstring.internal_encoding setting. Input chars are ++; converted to internal encoding by setting this to On. ++; Note: Do _not_ use automatic encoding translation for ++; portable libs/applications. ++;mbstring.encoding_translation = Off ++ ++; automatic encoding detection order. ++; auto means ++;mbstring.detect_order = auto ++ ++; substitute_character used when character cannot be converted ++; one from another ++;mbstring.substitute_character = none; ++ ++; overload(replace) single byte functions by mbstring functions. ++; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(), ++; etc. Possible values are 0,1,2,4 or combination of them. ++; For example, 7 for overload everything. ++; 0: No overload ++; 1: Overload mail() function ++; 2: Overload str*() functions ++; 4: Overload ereg*() functions ++;mbstring.func_overload = 0 ++ ++[FrontBase] ++;fbsql.allow_persistent = On ++;fbsql.autocommit = On ++;fbsql.default_database = ++;fbsql.default_database_password = ++;fbsql.default_host = ++;fbsql.default_password = ++;fbsql.default_user = "_SYSTEM" ++;fbsql.generate_warnings = Off ++;fbsql.max_connections = 128 ++;fbsql.max_links = 128 ++;fbsql.max_persistent = -1 ++;fbsql.max_results = 128 ++;fbsql.batchSize = 1000 ++ ++[Crack] ++; Modify the setting below to match the directory location of the cracklib ++; dictionary files. Include the base filename, but not the file extension. ++; crack.default_dictionary = "c:\php\lib\cracklib_dict" ++ ++[exif] ++; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. ++; With mbstring support this will automatically be converted into the encoding ++; given by corresponding encode setting. When empty mbstring.internal_encoding ++; is used. For the decode settings you can distinguish between motorola and ++; intel byte order. A decode setting cannot be empty. ++;exif.encode_unicode = ISO-8859-15 ++;exif.decode_unicode_motorola = UCS-2BE ++;exif.decode_unicode_intel = UCS-2LE ++;exif.encode_jis = ++;exif.decode_jis_motorola = JIS ++;exif.decode_jis_intel = JIS ++ ++; Local Variables: ++; tab-width: 4 ++; End: --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2008-2107+2108.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2008-2107+2108.patch @@ -0,0 +1,12 @@ +diff -Nur php5-5.2.4/ext/standard/php_rand.h php5-5.2.4.new/ext/standard/php_rand.h +--- php5-5.2.4/ext/standard/php_rand.h 2007-01-01 04:36:08.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/php_rand.h 2008-07-15 17:06:07.000000000 -0400 +@@ -49,7 +49,7 @@ + #ifdef PHP_WIN32 + #define GENERATE_SEED() ((long) (time(0) * GetCurrentProcessId() * 1000000 * php_combined_lcg(TSRMLS_C))) + #else +-#define GENERATE_SEED() ((long) (time(0) * getpid() * 1000000 * php_combined_lcg(TSRMLS_C))) ++#define GENERATE_SEED() (((long) (time(0) * getpid())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) + #endif + + PHPAPI void php_srand(long seed TSRMLS_DC); --- php5-5.2.4.orig/debian/patches/131_SECURITY_CVE-2009-2687.patch +++ php5-5.2.4/debian/patches/131_SECURITY_CVE-2009-2687.patch @@ -0,0 +1,20 @@ +# +# Description: fix denial of service via malformed JPEG image with invalid offset fields +# Patch: http://svn.php.net/viewvc?view=revision&revision=281314 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535888 +# Upstream: http://bugs.php.net/bug.php?id=48378 +# +diff -Nur php5-5.2.4/ext/exif/exif.c php5-5.2.4.new/ext/exif/exif.c +--- php5-5.2.4/ext/exif/exif.c 2009-08-21 10:44:17.000000000 -0400 ++++ php5-5.2.4.new/ext/exif/exif.c 2009-08-21 10:44:27.000000000 -0400 +@@ -3210,6 +3210,10 @@ + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); + return; + } ++ if (offset_of_ifd > length) { ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid IFD start"); ++ return; ++ } + + ImageInfo->sections_found |= FOUND_IFD0; + /* First directory starts at offset 8. Offsets starts at 0. */ --- php5-5.2.4.orig/debian/patches/127_SECURITY_CVE-2008-5658.patch +++ php5-5.2.4/debian/patches/127_SECURITY_CVE-2008-5658.patch @@ -0,0 +1,360 @@ +# +# Description: fix arbitrary file overwrite from directory traversal via zip +# file with dot-dot filenames. +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507857 +# Patch: http://patch-tracking.debian.net/patch/series/view/php5/5.2.6.dfsg.1-3/CVE-2008-5658.patch +# +diff -Nur php5-5.2.4/ext/zip/php_zip.c php5-5.2.4.new/ext/zip/php_zip.c +--- php5-5.2.4/ext/zip/php_zip.c 2007-08-06 18:02:32.000000000 -0400 ++++ php5-5.2.4.new/ext/zip/php_zip.c 2009-01-27 14:20:03.000000000 -0500 +@@ -81,6 +81,231 @@ + + /* }}} */ + ++static int php_zip_realpath_r(char *path, int start, int len, int *ll, time_t *t, int use_realpath, int is_dir, int *link_is_dir TSRMLS_DC) /* {{{ */ ++{ ++ int i, j; ++ int directory = 0; ++ struct stat st; ++ realpath_cache_bucket *bucket; ++ char *tmp; ++ ++ while (1) { ++ if (len <= start) { ++ return start; ++ } ++ ++ i = len; ++ while (i > start && !IS_SLASH(path[i-1])) { ++ i--; ++ } ++ ++ if (i == len || ++ (i == len - 1 && path[i] == '.')) { ++ /* remove double slashes and '.' */ ++ len = i - 1; ++ is_dir = 1; ++ continue; ++ } else if (i == len - 2 && path[i] == '.' && path[i+1] == '.') { ++ /* remove '..' and previous directory */ ++ if (i - 1 <= start) { ++ return start ? start : len; ++ } ++ j = php_zip_realpath_r(path, start, i-1, ll, t, use_realpath, 1, NULL TSRMLS_CC); ++ if (j > start) { ++ j--; ++ while (j > start && !IS_SLASH(path[j])) { ++ j--; ++ } ++ if (!start) { ++ /* leading '..' must not be removed in case of relative path */ ++ if (j == 0 && path[0] == '.' && path[1] == '.' && ++ IS_SLASH(path[2])) { ++ path[3] = '.'; ++ path[4] = '.'; ++ path[5] = DEFAULT_SLASH; ++ j = 5; ++ } else if (j > 0 && ++ path[j+1] == '.' && path[j+2] == '.' && ++ IS_SLASH(path[j+3])) { ++ j += 4; ++ path[j++] = '.'; ++ path[j++] = '.'; ++ path[j] = DEFAULT_SLASH; ++ } ++ } ++ } else if (!start && !j) { ++ /* leading '..' must not be removed in case of relative path */ ++ path[0] = '.'; ++ path[1] = '.'; ++ path[2] = DEFAULT_SLASH; ++ j = 2; ++ } ++ return j; ++ } ++ ++ path[len] = 0; ++ ++ tmp = tsrm_do_alloca(len+1); ++ memcpy(tmp, path, len+1); ++ ++ { ++ if (i - 1 <= start) { ++ j = start; ++ } else { ++ /* some leading directories may be unaccessable */ ++ j = php_zip_realpath_r(path, start, i-1, ll, t, use_realpath, 1, NULL TSRMLS_CC); ++ if (j > start) { ++ path[j++] = DEFAULT_SLASH; ++ } ++ } ++ if (j < 0 || j + len - i >= MAXPATHLEN-1) { ++ tsrm_free_alloca(tmp); ++ return -1; ++ } ++ memcpy(path+j, tmp+i, len-i+1); ++ j += (len-i); ++ } ++ ++ tsrm_free_alloca(tmp); ++ return j; ++ } ++} ++/* }}} */ ++ ++#define CWD_STATE_FREE(s) \ ++ free((s)->cwd); ++ ++ ++#define CWD_STATE_COPY(d, s) \ ++ (d)->cwd_length = (s)->cwd_length; \ ++ (d)->cwd = (char *) malloc((s)->cwd_length+1); \ ++ memcpy((d)->cwd, (s)->cwd, (s)->cwd_length+1); ++ ++/* Resolve path relatively to state and put the real path into state */ ++/* returns 0 for ok, 1 for error */ ++int php_zip_virtual_file_ex(cwd_state *state, const char *path, verify_path_func verify_path, int use_realpath) /* {{{ */ ++{ ++ int path_length = strlen(path); ++ char resolved_path[MAXPATHLEN]; ++ int start = 1; ++ int ll = 0; ++ time_t t; ++ int ret; ++ int add_slash; ++ TSRMLS_FETCH(); ++ ++ if (path_length == 0 || path_length >= MAXPATHLEN-1) { ++ return 1; ++ } ++ ++ /* cwd_length can be 0 when getcwd() fails. ++ * This can happen under solaris when a dir does not have read permissions ++ * but *does* have execute permissions */ ++ if (!IS_ABSOLUTE_PATH(path, path_length)) { ++ if (state->cwd_length == 0) { ++ /* resolve relative path */ ++ start = 0; ++ memcpy(resolved_path , path, path_length + 1); ++ } else { ++ int state_cwd_length = state->cwd_length; ++ ++ if (path_length + state_cwd_length + 1 >= MAXPATHLEN-1) { ++ return 1; ++ } ++ memcpy(resolved_path, state->cwd, state_cwd_length); ++ resolved_path[state_cwd_length] = DEFAULT_SLASH; ++ memcpy(resolved_path + state_cwd_length + 1, path, path_length + 1); ++ path_length += state_cwd_length + 1; ++ } ++ } else { ++ memcpy(resolved_path, path, path_length + 1); ++ } ++ ++ add_slash = (use_realpath != CWD_REALPATH) && path_length > 0 && IS_SLASH(resolved_path[path_length-1]); ++ t = CWDG(realpath_cache_ttl) ? 0 : -1; ++ path_length = php_zip_realpath_r(resolved_path, start, path_length, &ll, &t, use_realpath, 0, NULL TSRMLS_CC); ++ ++ if (path_length < 0) { ++ errno = ENOENT; ++ return 1; ++ } ++ ++ if (!start && !path_length) { ++ resolved_path[path_length++] = '.'; ++ } ++ if (add_slash && path_length && !IS_SLASH(resolved_path[path_length-1])) { ++ if (path_length >= MAXPATHLEN-1) { ++ return -1; ++ } ++ resolved_path[path_length++] = DEFAULT_SLASH; ++ } ++ resolved_path[path_length] = 0; ++ ++ if (verify_path) { ++ cwd_state old_state; ++ ++ CWD_STATE_COPY(&old_state, state); ++ state->cwd_length = path_length; ++ state->cwd = (char *) realloc(state->cwd, state->cwd_length+1); ++ memcpy(state->cwd, resolved_path, state->cwd_length+1); ++ if (verify_path(state)) { ++ CWD_STATE_FREE(state); ++ *state = old_state; ++ ret = 1; ++ } else { ++ CWD_STATE_FREE(&old_state); ++ ret = 0; ++ } ++ } else { ++ state->cwd_length = path_length; ++ state->cwd = (char *) realloc(state->cwd, state->cwd_length+1); ++ memcpy(state->cwd, resolved_path, state->cwd_length+1); ++ ret = 0; ++ } ++ return (ret); ++} ++/* }}} */ ++ ++/* Flatten a path by creating a relative path (to .) */ ++static char * php_zip_make_relative_path(char *path, int path_len) /* {{{ */ ++{ ++ char *path_begin = path; ++ int prev_is_slash = 0; ++ char *e = path + path_len - 1; ++ size_t pos = path_len - 1; ++ size_t i; ++ ++ if (IS_SLASH(path[0])) { ++ return path + 1; ++ } ++ ++ if (path_len < 1 || path == NULL) { ++ return NULL; ++ } ++ ++ i = path_len; ++ ++ while (1) { ++ while (i > 0 && !IS_SLASH(path[i])) { ++ i--; ++ } ++ ++ if (!i) { ++ return path; ++ } ++ ++ if (i >= 2 && (path[i -1] == '.' || path[i -1] == ':')) { ++ /* i is the position of . or :, add 1 for / */ ++ path_begin = path + i + 1; ++ break; ++ } ++ i--; ++ } ++ ++ return path_begin; ++} ++/* }}} */ ++ + /* {{{ php_zip_extract_file */ + /* TODO: Simplify it */ + static int php_zip_extract_file(struct zip * za, char *dest, char *file, int file_len TSRMLS_DC) +@@ -102,57 +327,80 @@ + char *file_basename; + size_t file_basename_len; + int is_dir_only = 0; ++ char *path_cleaned; ++ size_t path_cleaned_len; ++ cwd_state new_state; ++ ++ new_state.cwd = (char*)malloc(1); ++ new_state.cwd[0] = '\0'; ++ new_state.cwd_length = 0; ++ ++ /* Clean/normlize the path and then transform any path (absolute or relative) ++ to a path relative to cwd (../../mydir/foo.txt > mydir/foo.txt) ++ */ ++ if (php_zip_virtual_file_ex(&new_state, file, NULL, CWD_EXPAND) == 1) { ++ return 0; ++ } ++ path_cleaned = php_zip_make_relative_path(new_state.cwd, new_state.cwd_length); ++ path_cleaned_len = strlen(path_cleaned); + +- if (file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) { ++ if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) { + return 0; + } + +- if (file_len > 1 && file[file_len - 1] == '/') { ++ /* it is a directory only, see #40228 */ ++ if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) { + len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file); + is_dir_only = 1; + } else { +- memcpy(file_dirname, file, file_len); +- dir_len = php_dirname(file_dirname, file_len); ++ memcpy(file_dirname, path_cleaned, path_cleaned_len); ++ dir_len = php_dirname(file_dirname, path_cleaned_len); + +- if (dir_len > 0) { +- len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file_dirname); +- } else { ++ if (dir_len <= 0 || (dir_len == 1 && file_dirname[0] == '.')) { + len = spprintf(&file_dirname_fullpath, 0, "%s", dest); ++ } else { ++ len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file_dirname); + } + +- php_basename(file, file_len, NULL, 0, &file_basename, (size_t *)&file_basename_len TSRMLS_CC); ++ php_basename(path_cleaned, path_cleaned_len, NULL, 0, &file_basename, (size_t *)&file_basename_len TSRMLS_CC); + + if (OPENBASEDIR_CHECKPATH(file_dirname_fullpath)) { + efree(file_dirname_fullpath); + efree(file_basename); ++ free(new_state.cwd); + return 0; + } + } + + /* let see if the path already exists */ + if (php_stream_stat_path(file_dirname_fullpath, &ssb) < 0) { +- ret = php_stream_mkdir(file_dirname_fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL); ++ ++ ret = php_stream_mkdir(file_dirname_fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE|REPORT_ERRORS, NULL); + if (!ret) { + efree(file_dirname_fullpath); ++ if (!is_dir_only) { + efree(file_basename); ++ free(new_state.cwd); ++ } + return 0; + } + } + + /* it is a standalone directory, job done */ +- if (file[file_len - 1] == '/') { ++ if (is_dir_only) { + efree(file_dirname_fullpath); +- if (!is_dir_only) { +- efree(file_basename); +- } ++ free(new_state.cwd); + return 1; + } + +- len = spprintf(&fullpath, 0, "%s/%s/%s", dest, file_dirname, file_basename); ++ len = spprintf(&fullpath, 0, "%s/%s", file_dirname_fullpath, file_basename); + if (!len) { + efree(file_dirname_fullpath); + efree(file_basename); ++ free(new_state.cwd); + return 0; ++ } else if (len > MAXPATHLEN) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + } + + /* check again the full path, not sure if it +@@ -163,6 +411,7 @@ + efree(fullpath); + efree(file_dirname_fullpath); + efree(file_basename); ++ free(new_state.cwd); + return 0; + } + +@@ -171,6 +420,7 @@ + efree(fullpath); + efree(file_dirname_fullpath); + efree(file_basename); ++ free(new_state.cwd); + return 0; + } + +@@ -185,6 +435,7 @@ + efree(fullpath); + efree(file_basename); + efree(file_dirname_fullpath); ++ free(new_state.cwd); + + if (n<0) { + return 0; --- php5-5.2.4.orig/debian/patches/CVE-2010-2225.patch +++ php5-5.2.4/debian/patches/CVE-2010-2225.patch @@ -0,0 +1,71 @@ +Description: fix sensitive information disclosure or arbitrary code + execution via use-after-free in SplObjectStorage unserializer +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=300843 + +diff -Nur php5-5.2.4/ext/spl/spl_observer.c php5-5.2.4.new/ext/spl/spl_observer.c +--- php5-5.2.4/ext/spl/spl_observer.c 2007-02-08 17:14:25.000000000 -0500 ++++ php5-5.2.4.new/ext/spl/spl_observer.c 2010-09-15 08:28:11.000000000 -0400 +@@ -182,6 +182,21 @@ + intern->index = 0; + } /* }}} */ + ++int spl_object_storage_contains(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */ ++{ ++#if HAVE_PACKED_OBJECT_VALUE ++ return zend_hash_exists(&intern->storage, (char*)&Z_OBJVAL_P(obj), sizeof(zend_object_value)); ++#else ++ { ++ zend_object_value zvalue; ++ memset(&zvalue, 0, sizeof(zend_object_value)); ++ zvalue.handle = Z_OBJ_HANDLE_P(obj); ++ zvalue.handlers = Z_OBJ_HT_P(obj); ++ return zend_hash_exists(&intern->storage, (char*)&zvalue, sizeof(zend_object_value)); ++ } ++#endif ++} /* }}} */ ++ + /* {{{ proto bool SplObjectStorage::contains($obj) + Determine whethe an object is contained in the storage */ + SPL_METHOD(SplObjectStorage, contains) +@@ -193,17 +208,7 @@ + return; + } + +-#if HAVE_PACKED_OBJECT_VALUE +- RETURN_BOOL(zend_hash_exists(&intern->storage, (char*)&Z_OBJVAL_P(obj), sizeof(zend_object_value))); +-#else +- { +- zend_object_value zvalue; +- memset(&zvalue, 0, sizeof(zend_object_value)); +- zvalue.handle = Z_OBJ_HANDLE_P(obj); +- zvalue.handlers = Z_OBJ_HT_P(obj); +- RETURN_BOOL(zend_hash_exists(&intern->storage, (char*)&zvalue, sizeof(zend_object_value))); +- } +-#endif ++ RETURN_BOOL(spl_object_storage_contains(intern, obj TSRMLS_CC)); + } /* }}} */ + + /* {{{ proto int SplObjectStorage::count() +@@ -362,11 +367,22 @@ + goto outexcept; + } + ++p; ++ if(*p != 'O' && *p != 'C' && *p != 'r') { ++ goto outexcept; ++ } + ALLOC_INIT_ZVAL(pentry); + if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) { + zval_ptr_dtor(&pentry); + goto outexcept; + } ++ if(Z_TYPE_P(pentry) != IS_OBJECT) { ++ zval_ptr_dtor(&pentry); ++ goto outexcept; ++ } ++ if(spl_object_storage_contains(intern, pentry TSRMLS_CC)) { ++ zval_ptr_dtor(&pentry); ++ continue; ++ } + spl_object_storage_attach(intern, pentry TSRMLS_CC); + zval_ptr_dtor(&pentry); + } --- php5-5.2.4.orig/debian/patches/php5-CVE-2012-0831.patch +++ php5-5.2.4/debian/patches/php5-CVE-2012-0831.patch @@ -0,0 +1,60 @@ +Origin: http://svn.php.net/viewvc?view=revision&revision=323016 +Subject: Always restore PG(magic_quote_gpc) on request shutdown + +CVE-2012-0831 + +--- + main/php_variables.c | 10 ++++++++-- + sapi/cgi/cgi_main.c | 4 +++- + 2 files changed, 11 insertions(+), 3 deletions(-) + +Index: b/sapi/cgi/cgi_main.c +=================================================================== +--- a/sapi/cgi/cgi_main.c ++++ b/sapi/cgi/cgi_main.c +@@ -505,7 +505,9 @@ void cgi_php_import_environment_variable + int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; + + /* turn off magic_quotes while importing environment variables */ +- PG(magic_quotes_gpc) = 0; ++ if (PG(magic_quotes_gpc)) { ++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); ++ } + for (zend_hash_internal_pointer_reset_ex(&request->env, &pos); + zend_hash_get_current_key_ex(&request->env, &var, &var_len, &idx, 0, &pos) == HASH_KEY_IS_STRING && + zend_hash_get_current_data_ex(&request->env, (void **) &val, &pos) == SUCCESS; +Index: b/main/php_variables.c +=================================================================== +--- a/main/php_variables.c ++++ b/main/php_variables.c +@@ -29,6 +29,7 @@ + #include "SAPI.h" + #include "php_logos.h" + #include "zend_globals.h" ++#include "php_ini.h" + + /* for systems that need to override reading of environment variables */ + void _php_import_environment_variables(zval *array_ptr TSRMLS_DC); +@@ -444,7 +445,10 @@ void _php_import_environment_variables(z + + /* turn off magic_quotes while importing environment variables */ + int magic_quotes_gpc = PG(magic_quotes_gpc); +- PG(magic_quotes_gpc) = 0; ++ ++ if (PG(magic_quotes_gpc)) { ++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); ++ } + + for (env = environ; env != NULL && *env != NULL; env++) { + p = strchr(*env, '='); +@@ -587,7 +591,9 @@ static inline void php_register_server_v + zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); + } + PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; +- PG(magic_quotes_gpc) = 0; ++ if (PG(magic_quotes_gpc)) { ++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); ++ } + + /* Server variables */ + if (sapi_module.register_server_variables) { --- php5-5.2.4.orig/debian/patches/002-static_openssl.patch +++ php5-5.2.4/debian/patches/002-static_openssl.patch @@ -0,0 +1,15 @@ +Index: php5-5.2.4/acinclude.m4 +=================================================================== +--- php5-5.2.4.orig/acinclude.m4 2007-09-10 20:45:23.000000000 +0200 ++++ php5-5.2.4/acinclude.m4 2007-09-10 20:45:32.000000000 +0200 +@@ -2364,9 +2364,7 @@ + + PHP_ADD_INCLUDE($OPENSSL_INCDIR) + +- PHP_CHECK_LIBRARY(crypto, CRYPTO_free, [ +- PHP_ADD_LIBRARY(crypto,,$1) +- ],[ ++ PHP_CHECK_LIBRARY(crypto, CRYPTO_free, [:],[ + AC_MSG_ERROR([libcrypto not found!]) + ],[ + -L$OPENSSL_LIBDIR --- php5-5.2.4.orig/debian/patches/129_SECURITY_CVE-2009-0754.patch +++ php5-5.2.4/debian/patches/129_SECURITY_CVE-2009-0754.patch @@ -0,0 +1,27 @@ +# +# Description: fix mbstring.func_overload setting in .htaccess affects +# other virtual hosts. +# Patch: http://cvsweb.php.net/viewvc.cgi/php-src/ext/mbstring/mbstring.c?r1=1.276&r2=1.277 +# Upstream: http://bugs.php.net/bug.php?id=27421 +# +diff -Nur php5-5.2.4/ext/mbstring/mbstring.c php5-5.2.4.new/ext/mbstring/mbstring.c +--- php5-5.2.4/ext/mbstring/mbstring.c 2007-07-12 11:31:54.000000000 -0400 ++++ php5-5.2.4.new/ext/mbstring/mbstring.c 2009-04-15 13:31:19.000000000 -0400 +@@ -1020,9 +1020,14 @@ + /* clear overloaded function. */ + if (MBSTRG(func_overload)){ + p = &(mb_ovld[0]); +- while (p->type > 0 && zend_hash_find(EG(function_table), p->save_func, strlen(p->save_func)+1 , (void **)&orig) == SUCCESS) { +- zend_hash_update(EG(function_table), p->orig_func, strlen(p->orig_func)+1, orig, sizeof(zend_function), NULL); +- zend_hash_del(EG(function_table), p->save_func, strlen(p->save_func)+1); ++ while (p->type > 0) { ++ if ((MBSTRG(func_overload) & p->type) == p->type && ++ zend_hash_find(EG(function_table), p->save_func, ++ strlen(p->save_func)+1, (void **)&orig) == SUCCESS) { ++ ++ zend_hash_update(EG(function_table), p->orig_func, strlen(p->orig_func)+1, orig, sizeof(zend_function), NULL); ++ zend_hash_del(EG(function_table), p->save_func, strlen(p->save_func)+1); ++ } + p++; + } + } --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-4885.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-4885.patch @@ -0,0 +1,80 @@ +Origin: http://svn.php.net/viewvc?view=revision&revision=321038 + and http://svn.php.net/viewvc?view=revision&revision=321040 + and http://svn.php.net/viewvc?view=revision&revision=321335 +Subject: Added max_input_vars directive to prevent attacks based on + hash collisions + +Fixes CVE-2011-4885; note that this introduces CVE-2012-0830 + +Ubuntu Note: this patch differs upstream in that we drop the changes to +the default php.ini configuration files, to eliminate prompting of the +admin when upgrading the package. +--- + main/main.c | 1 + + main/php_globals.h | 2 ++ + main/php_variables.c | 20 ++++++++++++++++---- + 3 files changed, 19 insertions(+), 4 deletions(-) + +Index: b/main/php_globals.h +=================================================================== +--- a/main/php_globals.h ++++ b/main/php_globals.h +@@ -170,6 +170,8 @@ struct _php_core_globals { + #endif + long max_input_nesting_level; + zend_bool in_user_include; ++ ++ long max_input_vars; + }; + + +Index: b/main/php_variables.c +=================================================================== +--- a/main/php_variables.c ++++ b/main/php_variables.c +@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(cha + } + if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE + || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { +- MAKE_STD_ZVAL(gpc_element); +- array_init(gpc_element); +- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); ++ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { ++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); ++ } ++ MAKE_STD_ZVAL(gpc_element); ++ array_init(gpc_element); ++ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); ++ } + } + if (index != escaped_index) { + efree(escaped_index); +@@ -236,7 +241,14 @@ plain_var: + zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { + zval_ptr_dtor(&gpc_element); + } else { +- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); ++ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { ++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); ++ } ++ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); ++ } else { ++ zval_ptr_dtor(&gpc_element); ++ } + } + if (escaped_index != index) { + efree(escaped_index); +Index: b/main/main.c +=================================================================== +--- a/main/main.c ++++ b/main/main.c +@@ -503,6 +503,7 @@ PHP_INI_BEGIN() + STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) + STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) ++ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) + + STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) --- php5-5.2.4.orig/debian/patches/CVE-2012-0781.patch +++ php5-5.2.4/debian/patches/CVE-2012-0781.patch @@ -0,0 +1,84 @@ +Description: fix denial of service via invalid tidy objects +Origin: backport, http://svn.php.net/viewvc?view=revision&revision=323118 +Origin: backport, http://svn.php.net/viewvc?view=revision&revision=322536 +Bug: https://bugs.php.net/bug.php?id=54682 + +Index: php5-5.2.4/ext/tidy/tests/004.phpt +=================================================================== +--- php5-5.2.4.orig/ext/tidy/tests/004.phpt 2004-05-19 04:45:23.000000000 -0400 ++++ php5-5.2.4/ext/tidy/tests/004.phpt 2012-06-12 15:53:47.644997564 -0400 +@@ -4,14 +4,28 @@ + + --FILE-- + "); +- tidy_diagnose($a); +- echo tidy_get_error_buffer($a); ++$a = tidy_parse_string(''); ++var_dump(tidy_diagnose($a)); ++echo tidy_get_error_buffer($a); ++ ++$html = <<< HTML ++ ++ ++foo ++

hello

++ ++HTML; ++$a = tidy_parse_string($html); ++var_dump(tidy_diagnose($a)); ++echo tidy_get_error_buffer($a); + ?> + --EXPECT-- +- ++bool(true) + line 1 column 1 - Warning: missing declaration + line 1 column 7 - Warning: discarding unexpected + line 1 column 14 - Warning: inserting missing 'title' element + Info: Document content looks like HTML 3.2 +-3 warnings, 0 errors were found! +\ No newline at end of file ++3 warnings, 0 errors were found! ++bool(true) ++Info: Document content looks like HTML 3.2 ++No warnings or errors were found. +Index: php5-5.2.4/ext/tidy/tidy.c +=================================================================== +--- php5-5.2.4.orig/ext/tidy/tidy.c 2007-05-04 13:11:05.000000000 -0400 ++++ php5-5.2.4/ext/tidy/tidy.c 2012-06-12 15:53:47.700997565 -0400 +@@ -190,6 +190,7 @@ + TidyDoc doc; + TidyBuffer *errbuf; + unsigned int ref_count; ++ unsigned int initialized:1; + }; + + struct _PHPTidyObj { +@@ -598,6 +599,7 @@ + intern->ptdoc = emalloc(sizeof(PHPTidyDoc)); + intern->ptdoc->doc = tidyCreate(); + intern->ptdoc->ref_count = 1; ++ intern->ptdoc->initialized = 0; + intern->ptdoc->errbuf = emalloc(sizeof(TidyBuffer)); + tidyBufInit(intern->ptdoc->errbuf); + +@@ -937,7 +939,9 @@ + return FAILURE; + } + } +- ++ ++ obj->ptdoc->initialized = 1; ++ + tidyBufInit(&buf); + tidyBufAppend(&buf, string, len); + if (tidyParseBuffer(obj->ptdoc->doc, &buf) < 0) { +@@ -1185,7 +1189,7 @@ + { + TIDY_FETCH_OBJECT; + +- if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) { ++ if (obj->ptdoc->initialized && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) { + tidy_doc_update_properties(obj TSRMLS_CC); + RETURN_TRUE; + } --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2008-0599.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2008-0599.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.4/sapi/cgi/cgi_main.c +=================================================================== +--- php5-5.2.4.orig/sapi/cgi/cgi_main.c 2008-06-05 22:25:39.000000000 +0200 ++++ php5-5.2.4/sapi/cgi/cgi_main.c 2008-06-05 22:26:24.000000000 +0200 +@@ -906,7 +906,7 @@ + ) { + /* PATH_TRANSLATED = PATH_TRANSLATED - SCRIPT_NAME + PATH_INFO */ + int ptlen = strlen(pt) - strlen(env_script_name); +- int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0; ++ int path_translated_len = ptlen + (env_path_info ? strlen(env_path_info) : 0); + char *path_translated = NULL; + + path_translated = (char *) emalloc(path_translated_len + 1); --- php5-5.2.4.orig/debian/patches/CVE-2010-3065.patch +++ php5-5.2.4/debian/patches/CVE-2010-3065.patch @@ -0,0 +1,16 @@ +Description: fix arbitrary session variable modification via crafted + session variable name +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=298608 + +diff -Nur php5-5.2.4/ext/session/session.c php5-5.2.4.new/ext/session/session.c +--- php5-5.2.4/ext/session/session.c 2010-09-15 08:37:27.000000000 -0400 ++++ php5-5.2.4.new/ext/session/session.c 2010-09-15 08:37:33.000000000 -0400 +@@ -530,7 +530,7 @@ + + PS_ENCODE_LOOP( + smart_str_appendl(&buf, key, key_length); +- if (memchr(key, PS_DELIMITER, key_length)) { ++ if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) { + PHP_VAR_SERIALIZE_DESTROY(var_hash); + smart_str_free(&buf); + return FAILURE; --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-3710.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-3710.patch @@ -0,0 +1,53 @@ +Subject: Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data +Origin: http://svn.php.net/viewvc?view=revision&revision=303779 +Bug: http://bugs.php.net/bug.php?id=52929 + +CVE-2010-3710 + +[Ubuntu note: patch differs from upstream commit in that the change to + the NEWS file has been dropped to reduce conflicts - sbeattie] + +--- + ext/filter/logical_filters.c | 5 +++++ + ext/filter/tests/bug52929.phpt | 18 ++++++++++++++++++ + 2 files changed, 23 insertions(+) + +Index: b/ext/filter/tests/bug52929.phpt +=================================================================== +--- /dev/null ++++ b/ext/filter/tests/bug52929.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) ++--SKIPIF-- ++ ++--FILE-- ++ 320) { ++ RETURN_VALIDATION_FAILED ++ } ++ + re = pcre_get_compiled_regex((char *)regexp, &pcre_extra, &preg_options TSRMLS_CC); + if (!re) { + RETURN_VALIDATION_FAILED --- php5-5.2.4.orig/debian/patches/126_SECURITY_CVE-2008-5625.patch +++ php5-5.2.4/debian/patches/126_SECURITY_CVE-2008-5625.patch @@ -0,0 +1,92 @@ +# +# Description: fix arbitrary file write by placing a "php_value error_log" +# entry in a .htaccess file. +# Patch: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?hideattic=0&r1=1.19.2.7.2.14&r2=1.19.2.7.2.15 +# Patch: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?hideattic=0&r1=1.7.2.1.2.5&r2=1.7.2.1.2.6 +# +diff -Nur php5-5.2.4/sapi/apache/mod_php5.c php5-5.2.4.new/sapi/apache/mod_php5.c +--- php5-5.2.4/sapi/apache/mod_php5.c 2009-01-27 14:19:37.000000000 -0500 ++++ php5-5.2.4.new/sapi/apache/mod_php5.c 2009-01-27 14:19:44.000000000 -0500 +@@ -729,11 +729,11 @@ + return 1; /* does not exist in dest, copy from source */ + } + +- if (new_per_dir_entry->type==PHP_INI_SYSTEM +- && orig_per_dir_entry->type!=PHP_INI_SYSTEM) { +- return 1; +- } else { ++ if (orig_per_dir_entry->type==PHP_INI_SYSTEM ++ && new_per_dir_entry->type!=PHP_INI_SYSTEM) { + return 0; ++ } else { ++ return 1; + } + } + /* }}} */ +@@ -770,9 +770,9 @@ + + /* need a copy of addv to merge */ + new = php_create_dir(p, "php_merge_dir"); +- zend_hash_copy(new, (HashTable *) addv, (copy_ctor_func_t) copy_per_dir_entry, NULL, sizeof(php_per_dir_entry)); ++ zend_hash_copy(new, (HashTable *) basev, (copy_ctor_func_t) copy_per_dir_entry, NULL, sizeof(php_per_dir_entry)); + +- zend_hash_merge_ex(new, (HashTable *) basev, (copy_ctor_func_t) copy_per_dir_entry, sizeof(php_per_dir_entry), (merge_checker_func_t) should_overwrite_per_dir_entry, NULL); ++ zend_hash_merge_ex(new, (HashTable *) addv, (copy_ctor_func_t) copy_per_dir_entry, sizeof(php_per_dir_entry), (merge_checker_func_t) should_overwrite_per_dir_entry, NULL); + return new; + } + /* }}} */ +diff -Nur php5-5.2.4/sapi/apache2handler/apache_config.c php5-5.2.4.new/sapi/apache2handler/apache_config.c +--- php5-5.2.4/sapi/apache2handler/apache_config.c 2007-08-03 05:33:17.000000000 -0400 ++++ php5-5.2.4.new/sapi/apache2handler/apache_config.c 2009-01-27 14:19:44.000000000 -0500 +@@ -117,6 +117,23 @@ + return NULL; + } + ++static zend_bool should_overwrite_per_dir_entry(HashTable *target_ht, php_dir_entry *new_per_dir_entry, zend_hash_key *hash_key, void *pData) ++{ ++ php_dir_entry *orig_per_dir_entry; ++ ++ if (zend_hash_find(target_ht, hash_key->arKey, hash_key->nKeyLength, (void **) &orig_per_dir_entry)==FAILURE) { ++ return 1; /* does not exist in dest, copy from source */ ++ } ++ ++ if (new_per_dir_entry->status >= orig_per_dir_entry->status) { ++ /* use new entry */ ++ phpapdebug((stderr, "ADDING/OVERWRITING %s (%d vs. %d)\n", hash_key->arKey, new_per_dir_entry->status, orig_per_dir_entry->status)); ++ return 1; ++ } else { ++ return 0; ++ } ++} ++ + + void *merge_php_config(apr_pool_t *p, void *base_conf, void *new_conf) + { +@@ -128,9 +145,12 @@ + ulong num_index; + + n = create_php_config(p, "merge_php_config"); +- zend_hash_copy(&n->config, &e->config, NULL, NULL, sizeof(php_dir_entry)); +- ++ /* copy old config */ ++ zend_hash_copy(&n->config, &d->config, NULL, NULL, sizeof(php_dir_entry)); ++ /* merge new config */ + phpapdebug((stderr, "Merge dir (%p)+(%p)=(%p)\n", base_conf, new_conf, n)); ++ zend_hash_merge_ex(&n->config, &e->config, NULL, sizeof(php_dir_entry), (merge_checker_func_t) should_overwrite_per_dir_entry, NULL); ++#if STAS_0 + for (zend_hash_internal_pointer_reset(&d->config); + zend_hash_get_current_key_ex(&d->config, &str, &str_len, + &num_index, 0, NULL) == HASH_KEY_IS_STRING; +@@ -140,10 +160,10 @@ + if (zend_hash_find(&n->config, str, str_len, (void **) &pe) == SUCCESS) { + if (pe->status >= data->status) continue; + } +- zend_hash_update(&n->config, str, str_len, data, sizeof(*data), NULL); + phpapdebug((stderr, "ADDING/OVERWRITING %s (%d vs. %d)\n", str, data->status, pe?pe->status:-1)); ++ zend_hash_update(&n->config, str, str_len, data, sizeof(*data), NULL); + } +- ++#endif + return n; + } + --- php5-5.2.4.orig/debian/patches/CVE-2010-1917.patch +++ php5-5.2.4/debian/patches/CVE-2010-1917.patch @@ -0,0 +1,17 @@ +Description: fix denial of service via fnmatch stack consumption +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=298881 + +diff -Nur php5-5.2.4/ext/standard/file.c php5-5.2.4.new/ext/standard/file.c +--- php5-5.2.4/ext/standard/file.c 2010-09-15 08:27:53.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/file.c 2010-09-15 08:27:56.000000000 -0400 +@@ -2526,6 +2526,10 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN); + RETURN_FALSE; + } ++ if (pattern_len >= MAXPATHLEN) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN); ++ RETURN_FALSE; ++ } + + RETURN_BOOL( ! fnmatch( pattern, filename, flags )); + } --- php5-5.2.4.orig/debian/patches/121_SECURITY_CVE-2008-3658.patch +++ php5-5.2.4/debian/patches/121_SECURITY_CVE-2008-3658.patch @@ -0,0 +1,64 @@ +# +# Description: fix denial of service and possible arbitrary code execution via crafted font file +# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/286851 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499989 +# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?hideattic=1&r1=1.312.2.20.2.35&r2=1.312.2.20.2.36 +# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imageloadfont_invalid.phpt?hideattic=1&r1=1.1.4.1&r2=1.1.4.2 +# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imageloadfont_invalid.phpt?hideattic=1&r1=1.1.4.2&r2=1.1.4.3 +# +diff -Nur php5-5.2.4/ext/gd/gd.c php5-5.2.4.new/ext/gd/gd.c +--- php5-5.2.4/ext/gd/gd.c 2007-08-29 02:26:30.000000000 -0400 ++++ php5-5.2.4.new/ext/gd/gd.c 2009-01-27 14:13:22.000000000 -0500 +@@ -1636,6 +1636,22 @@ + font->nchars = FLIPWORD(font->nchars); + body_size = font->w * font->h * font->nchars; + } ++ ++ if (overflow2(font->nchars, font->h)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); ++ efree(font); ++ php_stream_close(stream); ++ RETURN_FALSE; ++ } ++ if (overflow2(font->nchars * font->h, font->w )) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); ++ efree(font); ++ php_stream_close(stream); ++ RETURN_FALSE; ++ } ++ ++ ++ + + if (body_size != body_size_check) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font"); +diff -Nur php5-5.2.4/ext/gd/tests/imageloadfont_invalid.phpt php5-5.2.4.new/ext/gd/tests/imageloadfont_invalid.phpt +--- php5-5.2.4/ext/gd/tests/imageloadfont_invalid.phpt 1969-12-31 19:00:00.000000000 -0500 ++++ php5-5.2.4.new/ext/gd/tests/imageloadfont_invalid.phpt 2009-01-27 14:13:22.000000000 -0500 +@@ -0,0 +1,26 @@ ++--TEST-- ++imageloadfont() function crashes ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++Warning: imageloadfont(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully ++ in %simageloadfont_invalid.php on line %d ++ ++Warning: imageloadfont(): Error reading font, invalid font header in %simageloadfont_invalid.php on line %d --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-3436-regression.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-3436-regression.patch @@ -0,0 +1,32 @@ +Subject: fix regression introduced by fix for CVE-2010-3436 +Origin: http://svn.php.net/viewvc?view=revision&revision=305698 +Bug: http://bugs.php.net/bug.php?id=53352 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/701896 + +--- + main/fopen_wrappers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +Index: b/main/fopen_wrappers.c +=================================================================== +--- a/main/fopen_wrappers.c ++++ b/main/fopen_wrappers.c +@@ -170,6 +170,9 @@ PHPAPI int php_check_specific_open_based + resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR; + resolved_basedir[++resolved_basedir_len] = '\0'; + } ++ } else { ++ resolved_basedir[resolved_basedir_len++] = PHP_DIR_SEPARATOR; ++ resolved_basedir[resolved_basedir_len] = '\0'; + } + + resolved_name_len = strlen(resolved_name); +@@ -193,7 +196,7 @@ PHPAPI int php_check_specific_open_based + if (strncmp(resolved_basedir, resolved_name, resolved_basedir_len) == 0) { + #endif + if (resolved_name_len > resolved_basedir_len && +- resolved_name[resolved_basedir_len] != PHP_DIR_SEPARATOR) { ++ resolved_name[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) { + return -1; + } else { + /* File is in the right directory */ --- php5-5.2.4.orig/debian/patches/013-force_getaddrinfo.patch +++ php5-5.2.4/debian/patches/013-force_getaddrinfo.patch @@ -0,0 +1,98 @@ +Index: php5-5.2.4/configure.in +=================================================================== +--- php5-5.2.4.orig/configure.in 2007-09-11 00:23:54.000000000 +0200 ++++ php5-5.2.4/configure.in 2007-09-11 00:24:00.000000000 +0200 +@@ -557,50 +557,50 @@ + + dnl Check for getaddrinfo, should be a better way, but... + dnl Also check for working getaddrinfo +-AC_CACHE_CHECK([for getaddrinfo], ac_cv_func_getaddrinfo, +-[AC_TRY_LINK([#include ], +- [struct addrinfo *g,h;g=&h;getaddrinfo("","",g,&g);], +- AC_TRY_RUN([ +-#include +-#include +-#ifndef AF_INET +-# include +-#endif +-int main(void) { +- struct addrinfo *ai, *pai, hints; +- +- memset(&hints, 0, sizeof(hints)); +- hints.ai_flags = AI_NUMERICHOST; +- +- if (getaddrinfo("127.0.0.1", 0, &hints, &ai) < 0) { +- exit(1); +- } +- +- if (ai == 0) { +- exit(1); +- } +- +- pai = ai; +- +- while (pai) { +- if (pai->ai_family != AF_INET) { +- /* 127.0.0.1/NUMERICHOST should only resolve ONE way */ +- exit(1); +- } +- if (pai->ai_addr->sa_family != AF_INET) { +- /* 127.0.0.1/NUMERICHOST should only resolve ONE way */ +- exit(1); +- } +- pai = pai->ai_next; +- } +- freeaddrinfo(ai); +- exit(0); +-} +- ],ac_cv_func_getaddrinfo=yes, ac_cv_func_getaddrinfo=no, ac_cv_func_getaddrinfo=no), +-ac_cv_func_getaddrinfo=no)]) +-if test "$ac_cv_func_getaddrinfo" = yes; then ++dnl AC_CACHE_CHECK([for getaddrinfo], ac_cv_func_getaddrinfo, ++dnl [AC_TRY_LINK([#include ], ++dnl [struct addrinfo *g,h;g=&h;getaddrinfo("","",g,&g);], ++dnl AC_TRY_RUN([ ++dnl #include ++dnl #include ++dnl #ifndef AF_INET ++dnl # include ++dnl #endif ++dnl int main(void) { ++dnl struct addrinfo *ai, *pai, hints; ++dnl ++dnl memset(&hints, 0, sizeof(hints)); ++dnl hints.ai_flags = AI_NUMERICHOST; ++dnl ++dnl if (getaddrinfo("127.0.0.1", 0, &hints, &ai) < 0) { ++dnl exit(1); ++dnl } ++dnl ++dnl if (ai == 0) { ++dnl exit(1); ++dnl } ++dnl ++dnl pai = ai; ++dnl ++dnl while (pai) { ++dnl if (pai->ai_family != AF_INET) { ++dnl /* 127.0.0.1/NUMERICHOST should only resolve ONE way */ ++dnl exit(1); ++dnl } ++dnl if (pai->ai_addr->sa_family != AF_INET) { ++dnl /* 127.0.0.1/NUMERICHOST should only resolve ONE way */ ++dnl exit(1); ++dnl } ++dnl pai = pai->ai_next; ++dnl } ++dnl freeaddrinfo(ai); ++dnl exit(0); ++dnl } ++dnl ],ac_cv_func_getaddrinfo=yes, ac_cv_func_getaddrinfo=no, ac_cv_func_getaddrinfo=no), ++dnl ac_cv_func_getaddrinfo=no)]) ++dnl if test "$ac_cv_func_getaddrinfo" = yes; then + AC_DEFINE(HAVE_GETADDRINFO,1,[Define if you have the getaddrinfo function]) +-fi ++dnl fi + + AC_REPLACE_FUNCS(strlcat strlcpy getopt) + AC_FUNC_UTIME_NULL --- php5-5.2.4.orig/debian/patches/119-sybase-alias.patch +++ php5-5.2.4/debian/patches/119-sybase-alias.patch @@ -0,0 +1,42 @@ +diff -Naur php-5.2.4.orig/ext/mssql/php_mssql.c php-5.2.4/ext/mssql/php_mssql.c +--- php-5.2.4.orig/ext/mssql/php_mssql.c 2007-02-23 21:17:25.000000000 -0500 ++++ php-5.2.4/ext/mssql/php_mssql.c 2008-06-20 08:58:56.000000000 -0400 +@@ -78,6 +78,38 @@ + PHP_FE(mssql_execute, NULL) + PHP_FE(mssql_free_statement, NULL) + PHP_FE(mssql_guid_string, NULL) ++#if !defined(PHP_WIN32) && !defined(HAVE_SYBASE_CT) ++ PHP_FALIAS(sybase_connect, mssql_connect, NULL) ++ PHP_FALIAS(sybase_pconnect, mssql_pconnect, NULL) ++ PHP_FALIAS(sybase_close, mssql_close, NULL) ++ PHP_FALIAS(sybase_select_db, mssql_select_db, NULL) ++ PHP_FALIAS(sybase_query, mssql_query, NULL) ++ PHP_FALIAS(sybase_fetch_batch, mssql_fetch_batch, NULL) ++ PHP_FALIAS(sybase_rows_affected, mssql_rows_affected, NULL) ++ PHP_FALIAS(sybase_free_result, mssql_free_result, NULL) ++ PHP_FALIAS(sybase_get_last_message, mssql_get_last_message, NULL) ++ PHP_FALIAS(sybase_num_rows, mssql_num_rows, NULL) ++ PHP_FALIAS(sybase_num_fields, mssql_num_fields, NULL) ++ PHP_FALIAS(sybase_fetch_field, mssql_fetch_field, NULL) ++ PHP_FALIAS(sybase_fetch_row, mssql_fetch_row, NULL) ++ PHP_FALIAS(sybase_fetch_array, mssql_fetch_array, NULL) ++ PHP_FALIAS(sybase_fetch_assoc, mssql_fetch_assoc, NULL) ++ PHP_FALIAS(sybase_fetch_object, mssql_fetch_object, NULL) ++ PHP_FALIAS(sybase_field_length, mssql_field_length, NULL) ++ PHP_FALIAS(sybase_field_name, mssql_field_name, NULL) ++ PHP_FALIAS(sybase_field_type, mssql_field_type, NULL) ++ PHP_FALIAS(sybase_data_seek, mssql_data_seek, NULL) ++ PHP_FALIAS(sybase_field_seek, mssql_field_seek, NULL) ++ PHP_FALIAS(sybase_result, mssql_result, NULL) ++ PHP_FALIAS(sybase_next_result, mssql_next_result, NULL) ++ PHP_FALIAS(sybase_min_error_severity, mssql_min_error_severity, NULL) ++ PHP_FALIAS(sybase_min_message_severity, mssql_min_message_severity, NULL) ++ PHP_FALIAS(sybase_init, mssql_init, NULL) ++ PHP_FALIAS(sybase_bind, mssql_bind, third_arg_force_ref) ++ PHP_FALIAS(sybase_execute, mssql_execute, NULL) ++ PHP_FALIAS(sybase_free_statement, mssql_free_statement, NULL) ++ PHP_FALIAS(sybase_guid_string, mssql_guid_string, NULL) ++#endif + {NULL, NULL, NULL} + }; + --- php5-5.2.4.orig/debian/patches/118-simplexml-segv.patch +++ php5-5.2.4/debian/patches/118-simplexml-segv.patch @@ -0,0 +1,51 @@ +Index: ext/simplexml/simplexml.c +=================================================================== +RCS file: /repository/php-src/ext/simplexml/simplexml.c,v +retrieving revision 1.151.2.22.2.21 +diff -u -p -d -r1.151.2.22.2.21 simplexml.c +--- old/ext/simplexml/simplexml.c 12 Feb 2007 21:06:29 -0000 1.151.2.22.2.21 ++++ new/ext/simplexml/simplexml.c 20 Feb 2007 12:47:46 -0000 +@@ -56,6 +56,7 @@ static php_sxe_object* php_sxe_object_ne + static zend_object_value php_sxe_register_object(php_sxe_object * TSRMLS_DC); + static xmlNodePtr php_sxe_reset_iterator(php_sxe_object *sxe, int use_data TSRMLS_DC); + static xmlNodePtr php_sxe_iterator_fetch(php_sxe_object *sxe, xmlNodePtr node, int use_data TSRMLS_DC); ++static zval *sxe_get_value(zval *z TSRMLS_DC); + + /* {{{ _node_as_zval() + */ +@@ -427,6 +428,7 @@ static void sxe_prop_dim_write(zval *obj + int is_attr = 0; + int nodendx = 0; + int test = 0; ++ int new_value = 0; + long cnt; + zval tmp_zv, trim_zv, value_copy; + +@@ -504,8 +506,17 @@ static void sxe_prop_dim_write(zval *obj + break; + case IS_STRING: + break; ++ case IS_OBJECT: ++ if (Z_OBJCE_P(value) == sxe_class_entry) { ++ value = sxe_get_value(value TSRMLS_CC); ++ INIT_PZVAL(value); ++ new_value = 1; ++ break; ++ } ++ /* break is missing intentionally */ + default: + php_error_docref(NULL TSRMLS_CC, E_WARNING, "It is not yet possible to assign complex types to %s", attribs ? "attributes" : "properties"); ++ return; + } + } + +@@ -594,6 +605,9 @@ next_iter: + if (value && value == &value_copy) { + zval_dtor(value); + } ++ if (new_value) { ++ zval_ptr_dtor(&value); ++ } + } + /* }}} */ + --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-4153.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-4153.patch @@ -0,0 +1,80 @@ +Origin: http://svn.php.net/viewvc?view=revision&revision=319457 + and http://svn.php.net/viewvc?view=revision&revision=319442 + and http://svn.php.net/viewvc?view=revision&revision=314527 +Subject: fixes for bug #55748 (fail to check zend_strndup for failures) + +fixes for bug #55748 +Sync to 5.3 and check additional cases for #55748 +Fix typo + +CVE-2011-4153 + +--- + Zend/zend_builtin_functions.c | 3 +++ + ext/com_dotnet/com_typeinfo.c | 4 ++++ + ext/oci8/oci8.c | 17 ++++++++++++++++- + ext/standard/syslog.c | 3 +++ + 4 files changed, 26 insertions(+), 1 deletion(-) + +Index: b/ext/oci8/oci8.c +=================================================================== +--- a/ext/oci8/oci8.c ++++ b/ext/oci8/oci8.c +@@ -2003,7 +2003,14 @@ php_oci_connection *php_oci_do_connect_e + connection->is_persistent = 0; + } else { + connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection)); ++ if (connection == NULL) { ++ return NULL; ++ } + connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len); ++ if (connection->hash_key == NULL) { ++ free(connection); ++ return NULL; ++ } + connection->is_persistent = 1; + } + } else { +Index: b/ext/standard/syslog.c +=================================================================== +--- a/ext/standard/syslog.c ++++ b/ext/standard/syslog.c +@@ -236,6 +236,9 @@ PHP_FUNCTION(openlog) + free(BG(syslog_device)); + } + BG(syslog_device) = zend_strndup(ident, ident_len); ++ if(BG(syslog_device) == NULL) { ++ RETURN_FALSE; ++ } + openlog(BG(syslog_device), option, facility); + RETURN_TRUE; + } +Index: b/ext/com_dotnet/com_typeinfo.c +=================================================================== +--- a/ext/com_dotnet/com_typeinfo.c ++++ b/ext/com_dotnet/com_typeinfo.c +@@ -187,6 +187,10 @@ PHPAPI int php_com_import_typelib(ITypeL + const_name = php_com_olestring_to_string(bstr_ids, &c.name_len, codepage TSRMLS_CC); + c.name = zend_strndup(const_name, c.name_len); + efree(const_name); ++ if(c.name == NULL) { ++ ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc); ++ continue; ++ } + c.name_len++; /* include NUL */ + SysFreeString(bstr_ids); + +Index: b/Zend/zend_builtin_functions.c +=================================================================== +--- a/Zend/zend_builtin_functions.c ++++ b/Zend/zend_builtin_functions.c +@@ -683,6 +683,9 @@ repeat: + } + c.flags = case_sensitive; /* non persistent */ + c.name = zend_strndup(Z_STRVAL_PP(var), Z_STRLEN_PP(var)); ++ if(c.name == NULL) { ++ RETURN_FALSE; ++ } + c.name_len = Z_STRLEN_PP(var)+1; + c.module_number = PHP_USER_CONSTANT; + if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) { --- php5-5.2.4.orig/debian/patches/100-recode_is_shared.patch +++ php5-5.2.4/debian/patches/100-recode_is_shared.patch @@ -0,0 +1,12 @@ +Index: php5-5.2.0/ext/recode/config9.m4 +=================================================================== +--- php5-5.2.0.orig/ext/recode/config9.m4 2007-03-18 22:56:59.000000000 +0100 ++++ php5-5.2.0/ext/recode/config9.m4 2007-03-18 22:58:44.000000000 +0100 +@@ -8,6 +8,6 @@ + test "$PHP_MYSQL" != "no" && recode_conflict="$recode_conflict mysql" + + if test -n "$recode_conflict"; then +- AC_MSG_ERROR([recode extension can not be configured together with:$recode_conflict]) ++ AC_MSG_WARN([recode extension can not be used together with:$recode_conflict]) + fi + fi --- php5-5.2.4.orig/debian/patches/security526-pcre_compile.patch +++ php5-5.2.4/debian/patches/security526-pcre_compile.patch @@ -0,0 +1,39 @@ +Index: php5-5.2.4/ext/pcre/pcrelib/pcre_compile.c +=================================================================== +--- php5-5.2.4.orig/ext/pcre/pcrelib/pcre_compile.c 2008-06-05 22:37:12.000000000 +0200 ++++ php5-5.2.4/ext/pcre/pcrelib/pcre_compile.c 2008-06-05 22:37:44.000000000 +0200 +@@ -2175,6 +2175,7 @@ + BOOL class_utf8; + BOOL utf8 = (options & PCRE_UTF8) != 0; + uschar *class_utf8data; ++uschar *class_utf8data_base; + uschar utf8_char[6]; + #else + BOOL utf8 = FALSE; +@@ -2458,6 +2459,7 @@ + #ifdef SUPPORT_UTF8 + class_utf8 = FALSE; /* No chars >= 256 */ + class_utf8data = code + LINK_SIZE + 2; /* For UTF-8 items */ ++ class_utf8data_base = class_utf8data; /* For resetting in pass 1 */ + #endif + + /* Process characters until ] is reached. By writing this as a "do" it +@@ -2473,6 +2475,18 @@ + { /* Braces are required because the */ + GETCHARLEN(c, ptr, ptr); /* macro generates multiple statements */ + } ++ ++ /* In the pre-compile phase, accumulate the length of any UTF-8 extra ++ data and reset the pointer. This is so that very large classes that ++ contain a zillion UTF-8 characters no longer overwrite the work space ++ (which is on the stack). */ ++ ++ if (lengthptr != NULL) ++ { ++ *lengthptr += class_utf8data - class_utf8data_base; ++ class_utf8data = class_utf8data_base; ++ } ++ + #endif + + /* Inside \Q...\E everything is literal except \E */ --- php5-5.2.4.orig/debian/patches/CVE-2009-2626.patch +++ php5-5.2.4/debian/patches/CVE-2009-2626.patch @@ -0,0 +1,44 @@ +Description: fix information disclosure and denial of service via + zend_restore_ini_entry_cb function. +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=284157 +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=283946 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540605 + +diff -Nur php5-5.2.4/main/main.c php5-5.2.4.new/main/main.c +--- php5-5.2.4/main/main.c 2010-01-06 09:37:58.000000000 -0500 ++++ php5-5.2.4.new/main/main.c 2010-01-06 09:38:18.000000000 -0500 +@@ -305,8 +305,7 @@ + static PHP_INI_MH(OnUpdateErrorLog) + { + /* Only do the safemode/open_basedir check at runtime */ +- if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) && +- strcmp(new_value, "syslog")) { ++ if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) && new_value && strcmp(new_value, "syslog")) { + if (PG(safe_mode) && (!php_checkuid(new_value, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { + return FAILURE; + } +diff -Nur php5-5.2.4/Zend/zend_ini.c php5-5.2.4.new/Zend/zend_ini.c +--- php5-5.2.4/Zend/zend_ini.c 2010-01-06 09:37:58.000000000 -0500 ++++ php5-5.2.4.new/Zend/zend_ini.c 2010-01-06 09:38:18.000000000 -0500 +@@ -46,15 +46,20 @@ + + static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage TSRMLS_DC) + { ++ int result = FAILURE; + if (ini_entry->modified) { + if (ini_entry->on_modify) { + zend_try { + /* even if on_modify bails out, we have to continue on with restoring, + since there can be allocated variables that would be freed on MM shutdown + and would lead to memory corruption later ini entry is modified again */ +- ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC); ++ result = ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC); + } zend_end_try(); + } ++ if(stage == ZEND_INI_STAGE_RUNTIME && result == FAILURE) { ++ /* runtime failure is OK */ ++ return 1; ++ } + if (ini_entry->value != ini_entry->orig_value) { + efree(ini_entry->value); + } --- php5-5.2.4.orig/debian/patches/fix_broken_upstream_tests.patch +++ php5-5.2.4/debian/patches/fix_broken_upstream_tests.patch @@ -0,0 +1,61 @@ +Index: php-5.2.4/tests/basic/bug20539.phpt +=================================================================== +--- php-5.2.4.orig/tests/basic/bug20539.phpt ++++ php-5.2.4/tests/basic/bug20539.phpt +@@ -3,6 +3,7 @@ + --INI-- + session.auto_start=1 + session.save_handler=files ++session.save_path=temp_session_store + --FILE-- + ++--INI-- ++session.auto_start=1 ++session.save_handler=files ++session.save_path=temp_session_store + --FILE-- + + --FILE-- + Command Line Interface + Virtual Directory Support => %s + Configuration File (php.ini) Path => %s ++Loaded Configuration File => %s ++Scan this dir for additional .ini files => %s + PHP API => %d + PHP Extension => %d + Zend Extension => %d +Index: php-5.2.4/ext/standard/tests/strings/moneyformat.phpt +=================================================================== +--- php-5.2.4.orig/ext/standard/tests/strings/moneyformat.phpt ++++ php-5.2.4/ext/standard/tests/strings/moneyformat.phpt +@@ -5,6 +5,8 @@ + if (!function_exists('money_format') || !function_exists('setlocale')) { + die("SKIP money_format - not supported\n"); + } ++ if (!setlocale(LC_MONETARY, 'en_US')) ++ die("SKIP money_format - en_US locale not available\n"); + ?> + --FILE-- + Z_STRLEN_PP(tmp_str)) { +- f = Z_STRLEN_PP(tmp_str); ++ } else if (f > Z_STRLEN_P(orig_str)) { ++ f = Z_STRLEN_P(orig_str); + } + zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from); + } else { +@@ -2374,72 +2389,94 @@ + } else { + f = Z_LVAL_PP(from); + if (f < 0) { +- f = Z_STRLEN_PP(tmp_str) + f; ++ f = Z_STRLEN_P(orig_str) + f; + if (f < 0) { + f = 0; + } +- } else if (f > Z_STRLEN_PP(tmp_str)) { +- f = Z_STRLEN_PP(tmp_str); ++ } else if (f > Z_STRLEN_P(orig_str)) { ++ f = Z_STRLEN_P(orig_str); + } + } + + if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) { + if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) { +- convert_to_long_ex(tmp_len); ++ if(Z_TYPE_PP(tmp_len) != IS_LONG) { ++ zval dummy = **tmp_len; ++ zval_copy_ctor(&dummy); ++ convert_to_long(&dummy); ++ l = Z_LVAL(dummy); ++ } else { ++ l = Z_LVAL_PP(tmp_len); ++ } + + l = Z_LVAL_PP(tmp_len); + zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len); + } else { +- l = Z_STRLEN_PP(tmp_str); ++ l = Z_STRLEN_P(orig_str); + } + } else if (argc > 3) { + l = Z_LVAL_PP(len); + } else { +- l = Z_STRLEN_PP(tmp_str); ++ l = Z_STRLEN_P(orig_str); + } + + if (l < 0) { +- l = (Z_STRLEN_PP(tmp_str) - f) + l; ++ l = (Z_STRLEN_P(orig_str) - f) + l; + if (l < 0) { + l = 0; + } + } + +- if ((f + l) > Z_STRLEN_PP(tmp_str)) { +- l = Z_STRLEN_PP(tmp_str) - f; ++ if ((f + l) > Z_STRLEN_P(orig_str)) { ++ l = Z_STRLEN_P(orig_str) - f; + } + +- result_len = Z_STRLEN_PP(tmp_str) - l; ++ result_len = Z_STRLEN_P(orig_str) - l; + + if (Z_TYPE_PP(repl) == IS_ARRAY) { + if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) { +- convert_to_string_ex(tmp_repl); +- result_len += Z_STRLEN_PP(tmp_repl); ++ zval *repl_str; ++ zval zrepl; ++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) { ++ zrepl = **tmp_repl; ++ repl_str = &zrepl; ++ zval_copy_ctor(repl_str); ++ convert_to_string(repl_str); ++ } else { ++ repl_str = *tmp_repl; ++ } ++ ++ result_len += Z_STRLEN_P(repl_str); + zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl); + result = emalloc(result_len + 1); + +- memcpy(result, Z_STRVAL_PP(tmp_str), f); +- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl)); +- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); ++ memcpy(result, Z_STRVAL_P(orig_str), f); ++ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str)); ++ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); ++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) { ++ zval_dtor(repl_str); ++ } + } else { + result = emalloc(result_len + 1); + +- memcpy(result, Z_STRVAL_PP(tmp_str), f); +- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); ++ memcpy(result, Z_STRVAL_P(orig_str), f); ++ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); + } + } else { + result_len += Z_STRLEN_PP(repl); + + result = emalloc(result_len + 1); + +- memcpy(result, Z_STRVAL_PP(tmp_str), f); ++ memcpy(result, Z_STRVAL_P(orig_str), f); + memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl)); +- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l); ++ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); + } + + result[result_len] = '\0'; + add_next_index_stringl(return_value, result, result_len, 0); +- ++ if(Z_TYPE_PP(tmp_str) != IS_STRING) { ++ zval_dtor(orig_str); ++ } + zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str); + } /*while*/ + } /* if */ +Index: ext/standard/tests/strings/bug54238.phpt +=================================================================== +--- ext/standard/tests/strings/bug54238.phpt (revision 0) ++++ ext/standard/tests/strings/bug54238.phpt (revision 310194) +@@ -0,0 +1,25 @@ ++--TEST-- ++Bug #54238 (use-after-free in substr_replace()) ++--INI-- ++error_reporting=E_ALL&~E_NOTICE ++--FILE-- ++ ++--EXPECT-- ++array(1) { ++ [0]=> ++ string(9) "AArrayray" ++} ++array(1) { ++ [0]=> ++ array(2) { ++ [0]=> ++ string(1) "A" ++ [1]=> ++ string(1) "A" ++ } ++} --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2007-4850.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2007-4850.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.4/ext/curl/interface.c +=================================================================== +--- php5-5.2.4.orig/ext/curl/interface.c 2008-06-05 22:27:48.000000000 +0200 ++++ php5-5.2.4/ext/curl/interface.c 2008-06-05 22:33:14.000000000 +0200 +@@ -173,7 +173,7 @@ + php_curl_ret(__ret); \ + } \ + \ +- if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \ ++ if (tmp_url->host || !php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters.", str); \ + php_url_free(tmp_url); \ + php_curl_ret(__ret); \ --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2008-2371.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2008-2371.patch @@ -0,0 +1,12 @@ +diff -Nur php5-5.2.4/ext/pcre/pcrelib/pcre_compile.c php5-5.2.4.new/ext/pcre/pcrelib/pcre_compile.c +--- php5-5.2.4/ext/pcre/pcrelib/pcre_compile.c 2008-07-23 00:23:55.000000000 -0400 ++++ php5-5.2.4.new/ext/pcre/pcrelib/pcre_compile.c 2008-07-23 00:26:08.000000000 -0400 +@@ -4490,7 +4490,7 @@ + (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE)) + { + cd->external_options = newoptions; +- options = newoptions; ++ options = *optionsptr = newoptions; + } + else + { --- php5-5.2.4.orig/debian/patches/use-specific-libdb-version.patch +++ php5-5.2.4/debian/patches/use-specific-libdb-version.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.4/ext/dba/config.m4 +=================================================================== +--- php5-5.2.4.orig/ext/dba/config.m4 2007-12-19 04:18:56.000000000 +0100 ++++ php5-5.2.4/ext/dba/config.m4 2007-12-19 04:19:03.000000000 +0100 +@@ -301,7 +301,7 @@ + break + fi + done +- PHP_DBA_DB_CHECK(4, db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) ++ PHP_DBA_DB_CHECK(4, db-4.6 db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) + fi + PHP_DBA_STD_RESULT(db4,Berkeley DB4) + --- php5-5.2.4.orig/debian/patches/php5-CVE-2012-0057.patch +++ php5-5.2.4/debian/patches/php5-CVE-2012-0057.patch @@ -0,0 +1,290 @@ +Origin: http://svn.php.net/viewvc/?view=revision&revision=317759 + and http://svn.php.net/viewvc/?view=revision&revision=317801 + and http://svn.php.net/viewvc/?view=revision&revision=317953 +Subject: Added xsl.security_prefs ini option to define forbidden + operations within XSLT stylesheets + +Added xsl.security_prefs ini option to define forbidden +operations within XSLT stylesheets, default is not to enable +write operations. This option won't be in 5.4, since there's a new +method. Bug #54446 + +Added the xsl.security_prefs option to 5_4 and trunk and +mark it as deprecated for BC-reasons +Added tests for ini option and combination of both + +CVE-2012-0057 + +Ubuntu note: also initializes newdocp to NULL to prevent it from being +returned with random garbage. + +--- + ext/xsl/php_xsl.c | 17 ++++++ + ext/xsl/php_xsl.h | 10 +++ + ext/xsl/tests/bug54446_with_ini.phpt | 95 +++++++++++++++++++++++++++++++++++ + ext/xsl/xsltprocessor.c | 52 ++++++++++++++++++- + 4 files changed, 172 insertions(+), 2 deletions(-) + +Index: b/ext/xsl/php_xsl.h +=================================================================== +--- a/ext/xsl/php_xsl.h ++++ b/ext/xsl/php_xsl.h +@@ -38,6 +38,7 @@ extern zend_module_entry xsl_module_entr + #include + #include + #include ++#include + #if HAVE_XSL_EXSLT + #include + #include +@@ -49,6 +50,15 @@ extern zend_module_entry xsl_module_entr + #include + #include + ++#define XSL_SECPREF_NONE 0 ++#define XSL_SECPREF_READ_FILE 2 ++#define XSL_SECPREF_WRITE_FILE 4 ++#define XSL_SECPREF_CREATE_DIRECTORY 8 ++#define XSL_SECPREF_READ_NETWORK 16 ++#define XSL_SECPREF_WRITE_NETWORK 32 ++/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */ ++#define XSL_SECPREF_DEFAULT 44 ++ + typedef struct _xsl_object { + zend_object std; + void *ptr; +Index: b/ext/xsl/xsltprocessor.c +=================================================================== +--- a/ext/xsl/xsltprocessor.c ++++ b/ext/xsl/xsltprocessor.c +@@ -25,6 +25,7 @@ + + #include "php.h" + #include "php_xsl.h" ++#include "php_ini.h" + #include "ext/libxml/php_libxml.h" + + /* +@@ -415,7 +416,7 @@ PHP_FUNCTION(xsl_xsltprocessor_import_st + + static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStylesheetPtr style, zval *docp TSRMLS_DC) + { +- xmlDocPtr newdocp; ++ xmlDocPtr newdocp = NULL; + xmlDocPtr doc = NULL; + xmlNodePtr node = NULL; + xsltTransformContextPtr ctxt; +@@ -424,6 +425,9 @@ static xmlDocPtr php_xsl_apply_styleshee + int clone; + zval *doXInclude, *member; + zend_object_handlers *std_hnd; ++ int secPrefsError = 0; ++ int secPrefsValue; ++ xsltSecurityPrefsPtr secPrefs = NULL; + + node = php_libxml_import_node(docp TSRMLS_CC); + +@@ -469,9 +473,53 @@ static xmlDocPtr php_xsl_apply_styleshee + } + efree(member); + +- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, NULL, ctxt); ++ ++ secPrefsValue = INI_INT("xsl.security_prefs"); ++ ++ /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */ ++ if (secPrefsValue != XSL_SECPREF_NONE) { ++ secPrefs = xsltNewSecurityPrefs(); ++ if (secPrefsValue & XSL_SECPREF_READ_FILE ) { ++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { ++ secPrefsError = 1; ++ } ++ } ++ if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) { ++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { ++ secPrefsError = 1; ++ } ++ } ++ if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) { ++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { ++ secPrefsError = 1; ++ } ++ } ++ if (secPrefsValue & XSL_SECPREF_READ_NETWORK) { ++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { ++ secPrefsError = 1; ++ } ++ } ++ if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) { ++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { ++ secPrefsError = 1; ++ } ++ } ++ ++ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) { ++ secPrefsError = 1; ++ } ++ } ++ ++ if (secPrefsError == 1) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons"); ++ } else { ++ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, NULL, ctxt); ++ } + + xsltFreeTransformContext(ctxt); ++ if (secPrefs) { ++ xsltFreeSecurityPrefs(secPrefs); ++ } + + if (intern->node_list != NULL) { + zend_hash_destroy(intern->node_list); +Index: b/ext/xsl/php_xsl.c +=================================================================== +--- a/ext/xsl/php_xsl.c ++++ b/ext/xsl/php_xsl.c +@@ -137,6 +137,11 @@ zend_object_value xsl_objects_new(zend_c + } + /* }}} */ + ++PHP_INI_BEGIN() ++//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44 ++PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) ++PHP_INI_END() ++ + /* {{{ PHP_MINIT_FUNCTION + */ + PHP_MINIT_FUNCTION(xsl) +@@ -163,6 +168,14 @@ PHP_MINIT_FUNCTION(xsl) + REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT); + ++ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT); ++ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT); ++ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT); ++ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT); ++ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT); ++ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT); ++ REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT); ++ + REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT); + REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); + +@@ -171,6 +184,8 @@ PHP_MINIT_FUNCTION(xsl) + REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); + #endif + ++ REGISTER_INI_ENTRIES(); ++ + return SUCCESS; + } + /* }}} */ +@@ -257,6 +272,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl) + + xsltCleanupGlobals(); + ++ UNREGISTER_INI_ENTRIES(); ++ + return SUCCESS; + } + /* }}} */ +Index: b/ext/xsl/tests/bug54446_with_ini.phpt +=================================================================== +--- /dev/null ++++ b/ext/xsl/tests/bug54446_with_ini.phpt +@@ -0,0 +1,95 @@ ++--TEST-- ++Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting) ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++EOT; ++ ++$xsl->loadXML( $sXsl ); ++ ++# START XSLT ++$proc->importStylesheet( $xsl ); ++ ++# TRASNFORM & PRINT ++print $proc->transformToXML( $dom ); ++ ++ ++if (file_exists($outputfile)) { ++ print "$outputfile exists, but shouldn't!\n"; ++} else { ++ print "OK, no file created\n"; ++} ++ ++#SET NO SECURITY PREFS ++ini_set("xsl.security_prefs", XSL_SECPREF_NONE); ++ ++# TRASNFORM & PRINT ++print $proc->transformToXML( $dom ); ++ ++ ++if (file_exists($outputfile)) { ++ print "OK, file exists\n"; ++} else { ++ print "$outputfile doesn't exist, but should!\n"; ++} ++ ++unlink($outputfile); ++ ++#SET SECURITY PREFS AGAIN ++ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); ++ ++# TRASNFORM & PRINT ++print $proc->transformToXML( $dom ); ++ ++if (file_exists($outputfile)) { ++ print "$outputfile exists, but shouldn't!\n"; ++} else { ++ print "OK, no file created\n"; ++} ++ ++ ++--EXPECTF-- ++Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d ++ ++Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s ++ ++Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d ++ ++Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d ++OK, no file created ++OK, file exists ++ ++Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d ++ ++Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s ++ ++Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d ++ ++Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d ++OK, no file created ++--CREDITS-- ++Christian Stocker, chregu@php.net ++ --- php5-5.2.4.orig/debian/patches/101-sqlite_is_shared.patch +++ php5-5.2.4/debian/patches/101-sqlite_is_shared.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.4/ext/sqlite/config.m4 +=================================================================== +--- php5-5.2.4.orig/ext/sqlite/config.m4 2007-07-03 19:25:35.000000000 +0200 ++++ php5-5.2.4/ext/sqlite/config.m4 2007-09-11 00:41:52.000000000 +0200 +@@ -84,7 +84,7 @@ + ]) + SQLITE_MODULE_TYPE=external + PHP_SQLITE_CFLAGS=$pdo_inc_path +- sqlite_extra_sources="libsqlite/src/encode.c" ++ sqlite_extra_sources="" + else + # use bundled library + PHP_PROG_LEMON --- php5-5.2.4.orig/debian/patches/CVE-2011-1398.patch +++ php5-5.2.4/debian/patches/CVE-2011-1398.patch @@ -0,0 +1,47 @@ +Description: fix HTTP response-splitting issue with %0D sequences +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=61088ce7296f2a3b4b53e60bdf413455b870664d +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=8e82bda330264d290a5e55580eea2eb875d4cb69 +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=ca58cd01fc329f907a13b82370427715d9c5bf70 +Bug: https://bugs.php.net/bug.php?id=60227 + +Index: php5-5.2.4/main/SAPI.c +=================================================================== +--- php5-5.2.4.orig/main/SAPI.c 2007-05-25 05:20:01.000000000 -0400 ++++ php5-5.2.4/main/SAPI.c 2012-09-12 11:46:54.561310742 -0400 +@@ -568,17 +568,27 @@ + while(header_line_len && isspace(header_line[header_line_len-1])) + header_line[--header_line_len]='\0'; + +- /* new line safety check */ ++ /* new line/NUL character safety check */ + { +- char *s = header_line, *e = header_line + header_line_len, *p; +- while (s < e && (p = memchr(s, '\n', (e - s)))) { +- if (*(p + 1) == ' ' || *(p + 1) == '\t') { +- s = p + 1; +- continue; ++ int i; ++ for (i = 0; i < header_line_len; i++) { ++ /* RFC 2616 allows new lines if followed by SP or HT */ ++ int illegal_break = ++ (header_line[i+1] != ' ' && header_line[i+1] != '\t') ++ && ( ++ header_line[i] == '\n' ++ || (header_line[i] == '\r' && header_line[i+1] != '\n')); ++ if (illegal_break) { ++ efree(header_line); ++ sapi_module.sapi_error(E_WARNING, "Header may not contain " ++ "more than a single header, new line detected"); ++ return FAILURE; ++ } ++ if (header_line[i] == '\0') { ++ efree(header_line); ++ sapi_module.sapi_error(E_WARNING, "Header may not contain NUL bytes"); ++ return FAILURE; + } +- efree(header_line); +- sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected."); +- return FAILURE; + } + } + --- php5-5.2.4.orig/debian/patches/php5-CVE-2012-1823.patch +++ php5-5.2.4/debian/patches/php5-CVE-2012-1823.patch @@ -0,0 +1,63 @@ +From: Rasmus Lerdorf +Subject: U#520827 - PHP-CGI query string parameter vulnerability +Bug: https://bugs.php.net/bug.php?id=61910 + +When PHP is used in a CGI-based setup (such as Apache's mod_cgid), +the php-cgi receives a processed query string parameter as command +line arguments which allows command-line switches, such as -s, -d +or -c to be passed to the php-cgi binary, which can be exploited to +disclose source code and obtain arbitrary code execution. + +CVE-2012-1823 + +Ubuntu note: this patch differs from the upstream fix in +that the *undecoded* string is examined for '=' rather than +the decoded string; elsewise queries that begin with '-' and +contain an encoded '=' will be passed along to php_getopt(); e.g. +http://localhost/test.php?-dallow_url_include%3dOn will set the +allow_url_include to On. This has been assigned CVE-2012-2311. + +--- + sapi/cgi/cgi_main.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +Index: b/sapi/cgi/cgi_main.c +=================================================================== +--- a/sapi/cgi/cgi_main.c ++++ b/sapi/cgi/cgi_main.c +@@ -62,6 +62,7 @@ + #include "php_main.h" + #include "fopen_wrappers.h" + #include "ext/standard/php_standard.h" ++#include "ext/standard/url.h" + #ifdef PHP_WIN32 + #include + #include +@@ -1206,6 +1207,9 @@ int main(int argc, char *argv[]) + int status = 0; + #endif + #endif /* PHP_FASTCGI */ ++ char *query_string; ++ char *decoded_query_string; ++ int skip_getopt = 0; + + #if 0 && defined(PHP_DEBUG) + /* IIS is always making things more difficult. This allows +@@ -1260,7 +1264,16 @@ int main(int argc, char *argv[]) + } + #endif + +- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) { ++ if(query_string = getenv("QUERY_STRING")) { ++ decoded_query_string = strdup(query_string); ++ php_url_decode(decoded_query_string, strlen(decoded_query_string)); ++ if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) { ++ skip_getopt = 1; ++ } ++ free(decoded_query_string); ++ } ++ ++ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) { + switch (c) { + case 'c': + if (cgi_sapi_module.php_ini_path_override) { --- php5-5.2.4.orig/debian/patches/series +++ php5-5.2.4/debian/patches/series @@ -0,0 +1,114 @@ +001-libtool_fixes.patch +002-static_openssl.patch +004-ldap_fix.patch +006-debian_quirks.patch +013-force_getaddrinfo.patch +017-pread_pwrite_disable.patch +019-z_off_t_as_long.patch +027-readline_is_editline.patch +029-php.ini_paranoid.patch +033-we_WANT_libtool.patch +034-apache2_umask_fix.patch +036-fd_setsize_fix.patch +043-recode_size_t.patch +044-strtod_arm_fix.patch +045-exif_nesting_level.patch +047-zts_with_dl.patch +052-phpinfo_no_configure.patch +053-extension_api.patch +056-mime_magic_liberal.patch +057-no_apache_installed.patch +100-recode_is_shared.patch +101-sqlite_is_shared.patch +107-reflection_is_ext.patch +108-64_bit_datetime.patch +112-proc_open.patch +113-php.ini_securitynotes.patch +disable_dl_by_default.patch +suhosin.patch +fix_broken_upstream_tests.patch +use-specific-libdb-version.patch +fix_64bit_time.patch +SECURITY_CVE-2008-2050.patch +SECURITY_CVE-2008-2051.patch +SECURITY_CVE-2008-0599.patch +SECURITY_CVE-2007-4850.patch +security526-pcre_compile.patch +SECURITY_CVE-2007-5898.patch +SECURITY_CVE-2007-5899.patch +SECURITY_CVE-2008-2829.patch +SECURITY_CVE-2008-1384.patch +SECURITY_CVE-2008-2107+2108.patch +SECURITY_CVE-2007-4782.patch +119-sybase-alias.patch +SECURITY_CVE-2008-2371.patch +use_embedded_timezonedb.patch +fix-xmlrpc-datetime.patch +120_SECURITY_CVE-2007-5900.patch +121_SECURITY_CVE-2008-3658.patch +122_SECURITY_CVE-2008-3659.patch +123_SECURITY_CVE-2008-3660.patch +124_SECURITY_CVE-2008-5557.patch +125_SECURITY_CVE-2008-5624.patch +126_SECURITY_CVE-2008-5625.patch +127_SECURITY_CVE-2008-5658.patch +128_SECURITY_CVE-2008-5814.patch +129_SECURITY_CVE-2009-0754.patch +130_SECURITY_CVE-2009-1271.patch +131_SECURITY_CVE-2009-2687.patch +CVE-2008-7068.patch +CVE-2009-3291.patch +CVE-2009-3292.patch +CVE-2009-3557.patch +CVE-2009-3558.patch +CVE-2009-4017.patch +CVE-2009-4018.patch +CVE-2009-2626.patch +CVE-2009-4142.patch +CVE-2009-4143.patch +CVE-2010-0397.patch +CVE-2010-1128.patch +CVE-2010-1129.patch +CVE-2010-1130.patch +CVE-2010-1868.patch +CVE-2010-1917.patch +CVE-2010-2225.patch +CVE-2010-2531.patch +CVE-2010-3065.patch +php5-CVE-2009-5016.patch +php5-CVE-2010-3436.patch +php5-CVE-2010-3709.patch +php5-CVE-2010-3710.patch +php5-CVE-2010-3870.patch +php5-CVE-2010-4645.patch +php5-CVE-2010-3436-regression.patch +php5-CVE-2010-4697.patch -p0 +php5-CVE-2010-4698.patch -p0 +php5-CVE-2011-0421.patch -p0 +php5-CVE-2011-0708.patch -p0 +php5-CVE-2011-1092.patch -p0 +php5-CVE-2011-1148.patch -p0 +php5-CVE-2011-1464.patch -p0 +php5-CVE-2011-1466.patch -p0 +php5-CVE-2011-1469.patch -p0 +php5-CVE-2011-1470.patch -p0 +php5-CVE-2011-1471.patch -p0 +php5-CVE-2010-4697-regression.patch +php5-CVE-2011-2202.patch +php5-CVE-2011-3182.patch +php5-CVE-2010-2484.patch +php5-CVE-2011-4566.patch +php5-CVE-2011-4153.patch +php5-CVE-2011-4885.patch +php5-CVE-2012-0057.patch +php5-CVE-2012-0788.patch +php5-CVE-2012-0830.patch +php5-CVE-2012-0831.patch +php5-CVE-2012-0831-regression.patch +php5-CVE-2012-1823.patch +CVE-2012-0781.patch +CVE-2012-1172.patch +CVE-2012-233x.patch +CVE-2011-1398.patch +CVE-2012-2688.patch +CVE-2012-3450.patch --- php5-5.2.4.orig/debian/patches/CVE-2012-3450.patch +++ php5-5.2.4/debian/patches/CVE-2012-3450.patch @@ -0,0 +1,473 @@ +Description: fix denial of service via PDO extension crafted parameter +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=1b78aef426a8f413ddd70854eb3fd5fbc95ef675 +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=e946eaca0bc747615fabd0fedb8a92ea800ed158 +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=c06ec6bde43a114af3bd84e986827839de1b1e4b +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683694 +Bug: https://bugs.php.net/bug.php?id=61755 + +Index: php5-5.2.4/ext/pdo_mysql/tests/bug_61755.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.4/ext/pdo_mysql/tests/bug_61755.phpt 2012-09-12 11:48:57.777313897 -0400 +@@ -0,0 +1,41 @@ ++--TEST-- ++Bug #61755 (A parsing bug in the prepared statements can lead to access violations) ++--SKIPIF-- ++ ++--FILE-- ++setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); ++ ++echo "NULL-Byte before first placeholder:\n"; ++$s = $db->prepare("SELECT \"a\0b\", ?"); ++$s->bindValue(1,"c"); ++$s->execute(); ++$r = $s->fetch(); ++echo "Length of item 0: ".strlen($r[0]).", Value of item 1: ".$r[1]."\n"; ++ ++echo "\nOpen comment:\n"; ++try { ++ $s = $db->prepare("SELECT /*"); ++ $s->execute(); ++} catch (Exception $e) { ++ echo "Error code: ".$e->getCode()."\n"; ++} ++ ++echo "\ndone!\n"; ++?> ++--EXPECTF-- ++NULL-Byte before first placeholder: ++Length of item 0: 3, Value of item 1: c ++ ++Open comment: ++Error code: 42000 ++ ++done! +Index: php5-5.2.4/ext/pdo/pdo_sql_parser.c +=================================================================== +--- php5-5.2.4.orig/ext/pdo/pdo_sql_parser.c 2007-08-29 19:39:22.000000000 -0400 ++++ php5-5.2.4/ext/pdo/pdo_sql_parser.c 2012-09-12 11:50:02.857315563 -0400 +@@ -1,4 +1,4 @@ +-/* Generated by re2c 0.11.0 on Tue Jun 5 18:45:24 2007 */ ++/* Generated by re2c 0.13.5 on Wed Sep 12 11:50:02 2012 */ + /* + +----------------------------------------------------------------------+ + | PHP Version 5 | +@@ -33,12 +33,12 @@ + + #define YYCTYPE unsigned char + #define YYCURSOR cursor +-#define YYLIMIT cursor ++#define YYLIMIT s->end + #define YYMARKER s->ptr +-#define YYFILL(n) ++#define YYFILL(n) { RET(PDO_PARSER_EOI); } + + typedef struct Scanner { +- char *ptr, *cur, *tok; ++ char *ptr, *cur, *tok, *end; + } Scanner; + + static int scan(Scanner *s) +@@ -46,127 +46,233 @@ + char *cursor = s->cur; + + s->tok = cursor; ++ + ++ ++{ ++ YYCTYPE yych; + +- { +- static unsigned char yybm[] = { +- 192, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 64, 200, 200, 200, 200, 128, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 232, 232, 232, 232, 232, 232, 232, 232, +- 232, 232, 208, 200, 200, 200, 200, 208, +- 200, 232, 232, 232, 232, 232, 232, 232, +- 232, 232, 232, 232, 232, 232, 232, 232, +- 232, 232, 232, 232, 232, 232, 232, 232, +- 232, 232, 232, 200, 200, 200, 200, 232, +- 200, 232, 232, 232, 232, 232, 232, 232, +- 232, 232, 232, 232, 232, 232, 232, 232, +- 232, 232, 232, 232, 232, 232, 232, 232, +- 232, 232, 232, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- 200, 200, 200, 200, 200, 200, 200, 200, +- }; +- +- { +- YYCTYPE yych; +- +- if((YYLIMIT - YYCURSOR) < 2) YYFILL(2); +- yych = *YYCURSOR; +- if(yybm[0+yych] & 8) { +- goto yy8; +- } +- if(yych <= 0x00) goto yy11; +- if(yych <= '&') goto yy2; +- if(yych <= '\'') goto yy4; +- if(yych <= '>') goto yy5; +- goto yy6; ++ if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2); ++ yych = *YYCURSOR; ++ switch (yych) { ++ case 0x00: goto yy2; ++ case '"': goto yy3; ++ case '\'': goto yy5; ++ case ':': goto yy6; ++ case '?': goto yy7; ++ default: goto yy9; ++ } + yy2: +- yych = *++YYCURSOR; +- goto yy24; ++ YYCURSOR = YYMARKER; ++ goto yy4; + yy3: +- { SKIP_ONE(PDO_PARSER_TEXT); } ++ yych = *(YYMARKER = ++YYCURSOR); ++ goto yy23; + yy4: +- yych = *++YYCURSOR; +- goto yy20; ++ { SKIP_ONE(PDO_PARSER_TEXT); } + yy5: +- yych = *++YYCURSOR; +- if(yybm[0+yych] & 32) { +- goto yy16; +- } +- if(yych == ':') goto yy13; +- if(yych == '?') goto yy13; +- goto yy3; ++ yych = *(YYMARKER = ++YYCURSOR); ++ goto yy19; + yy6: +- ++YYCURSOR; +- if(yybm[0+(yych = *YYCURSOR)] & 16) { +- goto yy13; +- } +- { RET(PDO_PARSER_BIND_POS); } ++ yych = *++YYCURSOR; ++ switch (yych) { ++ case '0': ++ case '1': ++ case '2': ++ case '3': ++ case '4': ++ case '5': ++ case '6': ++ case '7': ++ case '8': ++ case '9': ++ case 'A': ++ case 'B': ++ case 'C': ++ case 'D': ++ case 'E': ++ case 'F': ++ case 'G': ++ case 'H': ++ case 'I': ++ case 'J': ++ case 'K': ++ case 'L': ++ case 'M': ++ case 'N': ++ case 'O': ++ case 'P': ++ case 'Q': ++ case 'R': ++ case 'S': ++ case 'T': ++ case 'U': ++ case 'V': ++ case 'W': ++ case 'X': ++ case 'Y': ++ case 'Z': ++ case '_': ++ case 'a': ++ case 'b': ++ case 'c': ++ case 'd': ++ case 'e': ++ case 'f': ++ case 'g': ++ case 'h': ++ case 'i': ++ case 'j': ++ case 'k': ++ case 'l': ++ case 'm': ++ case 'n': ++ case 'o': ++ case 'p': ++ case 'q': ++ case 'r': ++ case 's': ++ case 't': ++ case 'u': ++ case 'v': ++ case 'w': ++ case 'x': ++ case 'y': ++ case 'z': goto yy15; ++ case ':': ++ case '?': goto yy12; ++ default: goto yy4; ++ } ++yy7: ++ ++YYCURSOR; ++ switch ((yych = *YYCURSOR)) { ++ case ':': ++ case '?': goto yy12; ++ default: goto yy8; ++ } + yy8: +- ++YYCURSOR; +- if(YYLIMIT == YYCURSOR) YYFILL(1); +- yych = *YYCURSOR; +- if(yybm[0+yych] & 8) { +- goto yy8; +- } +- { RET(PDO_PARSER_TEXT); } ++ { RET(PDO_PARSER_BIND_POS); } ++yy9: ++ ++YYCURSOR; ++ if (YYLIMIT <= YYCURSOR) YYFILL(1); ++ yych = *YYCURSOR; ++ switch (yych) { ++ case 0x00: ++ case '"': ++ case '\'': ++ case ':': ++ case '?': goto yy11; ++ default: goto yy9; ++ } + yy11: +- ++YYCURSOR; +- { RET(PDO_PARSER_EOI); } +-yy13: +- ++YYCURSOR; +- if(YYLIMIT == YYCURSOR) YYFILL(1); +- yych = *YYCURSOR; +- if(yybm[0+yych] & 16) { +- goto yy13; +- } +- { RET(PDO_PARSER_TEXT); } +-yy16: +- ++YYCURSOR; +- if(YYLIMIT == YYCURSOR) YYFILL(1); +- yych = *YYCURSOR; +- if(yybm[0+yych] & 32) { +- goto yy16; +- } +- { RET(PDO_PARSER_BIND); } ++ { RET(PDO_PARSER_TEXT); } ++yy12: ++ ++YYCURSOR; ++ if (YYLIMIT <= YYCURSOR) YYFILL(1); ++ yych = *YYCURSOR; ++ switch (yych) { ++ case ':': ++ case '?': goto yy12; ++ default: goto yy14; ++ } ++yy14: ++ { RET(PDO_PARSER_TEXT); } ++yy15: ++ ++YYCURSOR; ++ if (YYLIMIT <= YYCURSOR) YYFILL(1); ++ yych = *YYCURSOR; ++ switch (yych) { ++ case '0': ++ case '1': ++ case '2': ++ case '3': ++ case '4': ++ case '5': ++ case '6': ++ case '7': ++ case '8': ++ case '9': ++ case 'A': ++ case 'B': ++ case 'C': ++ case 'D': ++ case 'E': ++ case 'F': ++ case 'G': ++ case 'H': ++ case 'I': ++ case 'J': ++ case 'K': ++ case 'L': ++ case 'M': ++ case 'N': ++ case 'O': ++ case 'P': ++ case 'Q': ++ case 'R': ++ case 'S': ++ case 'T': ++ case 'U': ++ case 'V': ++ case 'W': ++ case 'X': ++ case 'Y': ++ case 'Z': ++ case '_': ++ case 'a': ++ case 'b': ++ case 'c': ++ case 'd': ++ case 'e': ++ case 'f': ++ case 'g': ++ case 'h': ++ case 'i': ++ case 'j': ++ case 'k': ++ case 'l': ++ case 'm': ++ case 'n': ++ case 'o': ++ case 'p': ++ case 'q': ++ case 'r': ++ case 's': ++ case 't': ++ case 'u': ++ case 'v': ++ case 'w': ++ case 'x': ++ case 'y': ++ case 'z': goto yy15; ++ default: goto yy17; ++ } ++yy17: ++ { RET(PDO_PARSER_BIND); } ++yy18: ++ ++YYCURSOR; ++ if (YYLIMIT <= YYCURSOR) YYFILL(1); ++ yych = *YYCURSOR; + yy19: +- ++YYCURSOR; +- if(YYLIMIT == YYCURSOR) YYFILL(1); +- yych = *YYCURSOR; ++ switch (yych) { ++ case '\'': goto yy20; ++ default: goto yy18; ++ } + yy20: +- if(yybm[0+yych] & 64) { +- goto yy19; +- } +- ++YYCURSOR; +- { RET(PDO_PARSER_TEXT); } ++ ++YYCURSOR; ++ { RET(PDO_PARSER_TEXT); } ++yy22: ++ ++YYCURSOR; ++ if (YYLIMIT <= YYCURSOR) YYFILL(1); ++ yych = *YYCURSOR; + yy23: +- ++YYCURSOR; +- if(YYLIMIT == YYCURSOR) YYFILL(1); +- yych = *YYCURSOR; +-yy24: +- if(yybm[0+yych] & 128) { +- goto yy23; +- } +- ++YYCURSOR; +- { RET(PDO_PARSER_TEXT); } ++ switch (yych) { ++ case '"': goto yy24; ++ default: goto yy22; + } ++yy24: ++ ++YYCURSOR; ++ { RET(PDO_PARSER_TEXT); } + } + + } +@@ -197,6 +303,7 @@ + + ptr = *outquery; + s.cur = inquery; ++ s.end = inquery + inquery_len + 1; + + /* phase 1: look for args */ + while((t = scan(&s)) != PDO_PARSER_EOI) { +Index: php5-5.2.4/ext/pdo/pdo_sql_parser.re +=================================================================== +--- php5-5.2.4.orig/ext/pdo/pdo_sql_parser.re 2007-06-05 18:55:26.000000000 -0400 ++++ php5-5.2.4/ext/pdo/pdo_sql_parser.re 2012-09-12 11:49:22.369314527 -0400 +@@ -32,12 +32,12 @@ + + #define YYCTYPE unsigned char + #define YYCURSOR cursor +-#define YYLIMIT cursor ++#define YYLIMIT s->end + #define YYMARKER s->ptr +-#define YYFILL(n) ++#define YYFILL(n) { RET(PDO_PARSER_EOI); } + + typedef struct Scanner { +- char *ptr, *cur, *tok; ++ char *ptr, *cur, *tok, *end; + } Scanner; + + static int scan(Scanner *s) +@@ -50,7 +50,6 @@ + QUESTION = [?]; + SPECIALS = [:?"']; + MULTICHAR = [:?]; +- EOF = [\000]; + ANYNOEOF = [\001-\377]; + */ + +@@ -62,7 +61,6 @@ + QUESTION { RET(PDO_PARSER_BIND_POS); } + SPECIALS { SKIP_ONE(PDO_PARSER_TEXT); } + (ANYNOEOF\SPECIALS)+ { RET(PDO_PARSER_TEXT); } +- EOF { RET(PDO_PARSER_EOI); } + */ + } + +@@ -92,6 +90,7 @@ + + ptr = *outquery; + s.cur = inquery; ++ s.end = inquery + inquery_len + 1; + + /* phase 1: look for args */ + while((t = scan(&s)) != PDO_PARSER_EOI) { --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-3436.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-3436.patch @@ -0,0 +1,29 @@ +Subject: Fixed possible flaw in open_basedir allowing basedir bypass +Origin: http://svn.php.net/viewvc?view=revision&revision=303824 + +CVE-2010-3436 + +--- + main/fopen_wrappers.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +Index: b/main/fopen_wrappers.c +=================================================================== +--- a/main/fopen_wrappers.c ++++ b/main/fopen_wrappers.c +@@ -239,8 +239,13 @@ PHPAPI int php_check_specific_open_based + #else + if (strncmp(resolved_basedir, resolved_name, resolved_basedir_len) == 0) { + #endif +- /* File is in the right directory */ +- return 0; ++ if (resolved_name_len > resolved_basedir_len && ++ resolved_name[resolved_basedir_len] != PHP_DIR_SEPARATOR) { ++ return -1; ++ } else { ++ /* File is in the right directory */ ++ return 0; ++ } + } else { + /* /openbasedir/ and /openbasedir are the same directory */ + if (resolved_basedir_len == (resolved_name_len + 1) && resolved_basedir[resolved_basedir_len - 1] == PHP_DIR_SEPARATOR) { --- php5-5.2.4.orig/debian/patches/CVE-2010-1868.patch +++ php5-5.2.4/debian/patches/CVE-2010-1868.patch @@ -0,0 +1,24 @@ +Description: fix arbitrary code execution via empty SQL query +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=298697 + +diff -Nur php5-5.2.4/ext/sqlite/sqlite.c php5-5.2.4.new/ext/sqlite/sqlite.c +--- php5-5.2.4/ext/sqlite/sqlite.c 2007-05-19 13:58:22.000000000 -0400 ++++ php5-5.2.4.new/ext/sqlite/sqlite.c 2010-09-15 08:27:43.000000000 -0400 +@@ -2170,7 +2170,7 @@ + return; + } + +- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres)); ++ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres)); + sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC); + if (db->last_err_code != SQLITE_OK) { + if (rres) { +@@ -2286,7 +2286,7 @@ + return; + } + +- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres)); ++ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres)); + sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC); + if (db->last_err_code != SQLITE_OK) { + if (rres) { --- php5-5.2.4.orig/debian/patches/130_SECURITY_CVE-2009-1271.patch +++ php5-5.2.4/debian/patches/130_SECURITY_CVE-2009-1271.patch @@ -0,0 +1,50 @@ +# +# Description: fix denial of service via malformed string to the json_decode API function. +# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15 +# +Index: php5-5.2.4/ext/json/JSON_parser.c +=================================================================== +--- php5-5.2.4.orig/ext/json/JSON_parser.c 2007-06-13 13:56:41.000000000 -0400 ++++ php5-5.2.4/ext/json/JSON_parser.c 2009-04-17 08:12:58.000000000 -0400 +@@ -494,9 +494,7 @@ + } + */ + case -7: +- if (type != -1 && +- (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT || +- JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)) ++ if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_OBJECT) + { + zval *mval; + smart_str_0(&buf); +@@ -566,9 +564,7 @@ + */ + case -5: + { +- if (type != -1 && +- (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT || +- JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)) ++ if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_ARRAY) + { + zval *mval; + smart_str_0(&buf); +Index: php5-5.2.4/ext/json/tests/001.phpt +=================================================================== +--- php5-5.2.4.orig/ext/json/tests/001.phpt 2009-04-17 08:13:05.000000000 -0400 ++++ php5-5.2.4/ext/json/tests/001.phpt 2009-04-17 08:13:30.000000000 -0400 +@@ -16,6 +16,7 @@ + var_dump(json_decode("руссиш")); + var_dump(json_decode("blah")); + var_dump(json_decode(NULL)); ++var_dump(json_decode('[1}')); + var_dump(json_decode('{ "test": { "foo": "bar" } }')); + var_dump(json_decode('{ "test": { "foo": "" } }')); + var_dump(json_decode('{ "": { "foo": "" } }')); +@@ -38,6 +39,7 @@ + string(12) "руссиш" + string(4) "blah" + NULL ++NULL + object(stdClass)#1 (1) { + ["test"]=> + object(stdClass)#2 (1) { --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-4697-regression.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-4697-regression.patch @@ -0,0 +1,77 @@ +Subject: Fixed bug #46308 (Invalid write when changing property from inside getter) +Origin: http://svn.php.net/viewvc?view=revision&revision=267423 + +This patch fixes the regression introduced by CVE-2010-4697. It has been +modified from the original upstream commit to apply after the fix for +CVE-2010-4697, rather than before (as it is in the php svn tree). + +--- + Zend/zend_object_handlers.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: b/Zend/zend_object_handlers.c +=================================================================== +--- a/Zend/zend_object_handlers.c ++++ b/Zend/zend_object_handlers.c +@@ -328,12 +328,14 @@ zval *zend_std_read_property(zval *objec + zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && + !guard->in_get) { + /* have getter - try with it! */ ++ ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } + guard->in_get = 1; /* prevent circular getting */ + rv = zend_std_call_getter(object, member TSRMLS_CC); + guard->in_get = 0; ++ zval_ptr_dtor(&object); + + if (rv) { + retval = &rv; +@@ -424,6 +426,7 @@ static void zend_std_write_property(zval + if (zobj->ce->__set && + zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && + !guard->in_set) { ++ ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } +@@ -432,6 +435,7 @@ static void zend_std_write_property(zval + /* for now, just ignore it - __set should take care of warnings, etc. */ + } + guard->in_set = 0; ++ zval_ptr_dtor(&object); + } else if (property_info) { + zval **foo; + +@@ -605,12 +609,14 @@ static void zend_std_unset_property(zval + zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && + !guard->in_unset) { + /* have unseter - try with it! */ ++ ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } + guard->in_unset = 1; /* prevent circular unsetting */ + zend_std_call_unsetter(object, member TSRMLS_CC); + guard->in_unset = 0; ++ zval_ptr_dtor(&object); + } + } + +@@ -1005,6 +1011,7 @@ static int zend_std_has_property(zval *o + zval *rv; + + /* have issetter - try with it! */ ++ ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } +@@ -1025,6 +1032,7 @@ static int zend_std_has_property(zval *o + } + } + guard->in_isset = 0; ++ zval_ptr_dtor(&object); + } + } else { + switch (has_set_exists) { --- php5-5.2.4.orig/debian/patches/CVE-2010-1130.patch +++ php5-5.2.4/debian/patches/CVE-2010-1130.patch @@ -0,0 +1,21 @@ +Description: fix safe_mode bypass via semicolon in session_save_path +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=294272 + +diff -Nur php5-5.2.4/ext/session/session.c php5-5.2.4.new/ext/session/session.c +--- php5-5.2.4/ext/session/session.c 2010-09-15 08:27:26.000000000 -0400 ++++ php5-5.2.4.new/ext/session/session.c 2010-09-15 08:27:30.000000000 -0400 +@@ -158,8 +158,13 @@ + return FAILURE; + } + +- if ((p = zend_memrchr(new_value, ';', new_value_length))) { ++ /* we do not use zend_memrchr() since path can contain ; itself */ ++ if ((p = strchr(new_value, ';'))) { ++ char *p2; + p++; ++ if ((p2 = strchr(p, ';'))) { ++ p = p2 + 1; ++ } + } else { + p = new_value; + } --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-3182.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-3182.patch @@ -0,0 +1,218 @@ +Subject: check the return values of the malloc, calloc, and realloc + library functions +Origin: upstream commits r313782, r313826, r313827, r313828, r313830, + r313831, r313832, r313833, r313835, r313903 +Bug-upstream: http://svn.php.net/viewvc?view=revision&revision=313903 + +r313782 | pajoye | 2011-07-27 07:23:06 -0700 (Wed, 27 Jul 2011) | 1 line +- Fix #55295, check if malloc failed +r313826 | pajoye | 2011-07-28 03:31:34 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (curl part) check if malloc succeded +r313827 | pajoye | 2011-07-28 03:34:16 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (com_dotnet part) check if malloc succeded +r313828 | pajoye | 2011-07-28 03:37:04 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (pdo_odbc part) check if malloc succeded +r313830 | pajoye | 2011-07-28 03:39:19 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (interbase part) check if malloc succeded +r313831 | pajoye | 2011-07-28 03:42:45 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (readline part) check if malloc succeded +r313832 | pajoye | 2011-07-28 03:52:45 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (url scanner part) check if malloc succeded +r313833 | pajoye | 2011-07-28 03:57:31 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (sybase part) check if malloc succeded +r313835 | pajoye | 2011-07-28 04:01:04 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (mssql part) check if malloc succeded +r313903 | pajoye | 2011-07-28 14:16:51 -0700 (Thu, 28 Jul 2011) | 1 line +- Fix #55301 (sybase part, take #2) check if malloc succeded + +CVE-2011-3182 + +[Ubuntu note: patch adjusted to apply to php 5.2 --sbeattie] + +--- + TSRM/tsrm_win32.c | 4 ++++ + ext/com_dotnet/com_dotnet.c | 3 +++ + ext/curl/interface.c | 3 +++ + ext/interbase/interbase.c | 7 +++++-- + ext/mssql/php_mssql.c | 7 +++++++ + ext/pdo_odbc/pdo_odbc.c | 3 +++ + ext/readline/readline.c | 8 +++++++- + ext/standard/url_scanner_ex.c | 7 +++++-- + ext/standard/url_scanner_ex.re | 8 ++++++-- + ext/sybase_ct/php_sybase_ct.c | 4 ++++ + 10 files changed, 47 insertions(+), 7 deletions(-) + +Index: b/TSRM/tsrm_win32.c +=================================================================== +--- a/TSRM/tsrm_win32.c ++++ b/TSRM/tsrm_win32.c +@@ -218,6 +218,10 @@ TSRM_API FILE *popen_ex(const char *comm + } + + cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /c ")); ++ if (!cmd) { ++ return NULL; ++ } ++ + sprintf(cmd, "%s /c %s", TWG(comspec), command); + if (!CreateProcess(NULL, cmd, &security, &security, security.bInheritHandle, NORMAL_PRIORITY_CLASS|CREATE_NO_WINDOW, env, cwd, &startup, &process)) { + return NULL; +Index: b/ext/curl/interface.c +=================================================================== +--- a/ext/curl/interface.c ++++ b/ext/curl/interface.c +@@ -635,6 +635,9 @@ PHP_MINIT_FUNCTION(curl) + int i, c = CRYPTO_num_locks(); + + php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T)); ++ if (!php_curl_openssl_tsl) { ++ return FAILURE; ++ } + + for (i = 0; i < c; ++i) { + php_curl_openssl_tsl[i] = tsrm_mutex_alloc(); +Index: b/ext/com_dotnet/com_dotnet.c +=================================================================== +--- a/ext/com_dotnet/com_dotnet.c ++++ b/ext/com_dotnet/com_dotnet.c +@@ -129,6 +129,9 @@ static HRESULT dotnet_init(char **p_wher + char *where = ""; + + stuff = malloc(sizeof(*stuff)); ++ if (!stuff) { ++ return S_FALSE; ++ } + memset(stuff, 0, sizeof(*stuff)); + + where = "CoCreateInstance"; +Index: b/ext/pdo_odbc/pdo_odbc.c +=================================================================== +--- a/ext/pdo_odbc/pdo_odbc.c ++++ b/ext/pdo_odbc/pdo_odbc.c +@@ -98,6 +98,9 @@ PHP_MINIT_FUNCTION(pdo_odbc) + char *instance = INI_STR("pdo_odbc.db2_instance_name"); + if (instance) { + char *env = malloc(sizeof("DB2INSTANCE=") + strlen(instance)); ++ if (!env) { ++ return FAILURE; ++ } + strcpy(env, "DB2INSTANCE="); + strcat(env, instance); + putenv(env); +Index: b/ext/interbase/interbase.c +=================================================================== +--- a/ext/interbase/interbase.c ++++ b/ext/interbase/interbase.c +@@ -725,9 +725,12 @@ static void _php_ibase_connect(INTERNAL_ + ZEND_REGISTER_RESOURCE(return_value, ib_link, le_link); + } else { + zend_rsrc_list_entry new_le; +- ++ + ib_link = (ibase_db_link *) malloc(sizeof(ibase_db_link)); +- ++ if (!ib_link) { ++ RETURN_FALSE; ++ } ++ + /* hash it up */ + Z_TYPE(new_le) = le_plink; + new_le.ptr = ib_link; +Index: b/ext/readline/readline.c +=================================================================== +--- a/ext/readline/readline.c ++++ b/ext/readline/readline.c +@@ -428,6 +428,9 @@ static char **_readline_completion_cb(co + matches = rl_completion_matches(text,_readline_command_generator); + } else { + matches = malloc(sizeof(char *) * 2); ++ if (!matches) { ++ return NULL; ++ } + matches[0] = strdup(""); + matches[1] = '\0'; + } +@@ -465,7 +468,10 @@ PHP_FUNCTION(readline_completion_functio + zval_copy_ctor(_readline_completion); + + rl_attempted_completion_function = _readline_completion_cb; +- ++ if (rl_attempted_completion_function == NULL) { ++ efree(name); ++ RETURN_FALSE; ++ } + RETURN_TRUE; + } + +Index: b/ext/standard/url_scanner_ex.re +=================================================================== +--- a/ext/standard/url_scanner_ex.re ++++ b/ext/standard/url_scanner_ex.re +@@ -55,9 +55,13 @@ static PHP_INI_MH(OnUpdateTags) + + if (ctx->tags) + zend_hash_destroy(ctx->tags); +- else ++ else { + ctx->tags = malloc(sizeof(HashTable)); +- ++ if (!ctx->tags) { ++ return FAILURE; ++ } ++ } ++ + zend_hash_init(ctx->tags, 0, NULL, NULL, 1); + + for (key = php_strtok_r(tmp, ",", &lasts); +Index: b/ext/standard/url_scanner_ex.c +=================================================================== +--- a/ext/standard/url_scanner_ex.c ++++ b/ext/standard/url_scanner_ex.c +@@ -56,9 +56,12 @@ static PHP_INI_MH(OnUpdateTags) + + if (ctx->tags) + zend_hash_destroy(ctx->tags); +- else ++ else { + ctx->tags = malloc(sizeof(HashTable)); +- ++ if (!ctx->tags) { ++ return FAILURE; ++ } ++ } + zend_hash_init(ctx->tags, 0, NULL, NULL, 1); + + for (key = php_strtok_r(tmp, ",", &lasts); +Index: b/ext/sybase_ct/php_sybase_ct.c +=================================================================== +--- a/ext/sybase_ct/php_sybase_ct.c ++++ b/ext/sybase_ct/php_sybase_ct.c +@@ -712,6 +712,10 @@ static void php_sybase_do_connect(INTERN + } + + sybase_ptr = (sybase_link *) malloc(sizeof(sybase_link)); ++ if (!sybase_ptr) { ++ efree(hashed_details); ++ RETURN_FALSE; ++ } + if (!php_sybase_do_connect_internal(sybase_ptr, host, user, passwd, charset, appname TSRMLS_CC)) { + free(sybase_ptr); + efree(hashed_details); +Index: b/ext/mssql/php_mssql.c +=================================================================== +--- a/ext/mssql/php_mssql.c ++++ b/ext/mssql/php_mssql.c +@@ -596,6 +596,13 @@ static void php_mssql_do_connect(INTERNA + + /* hash it up */ + mssql_ptr = (mssql_link *) malloc(sizeof(mssql_link)); ++ if (!mssql_ptr) { ++ efree(hashed_details); ++ dbfreelogin(mssql.login); ++ dbclose(mssql.link); ++ RETURN_FALSE; ++ } ++ + memcpy(mssql_ptr, &mssql, sizeof(mssql_link)); + Z_TYPE(new_le) = le_plink; + new_le.ptr = mssql_ptr; --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-4645.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-4645.patch @@ -0,0 +1,78 @@ +Subject: Fixed Bug #53632 (infinite loop with x87 fpu). (Scott, Rasmus) +Origin: http://svn.php.net/viewvc?view=revision&revision=263637 + and http://svn.php.net/viewvc?view=revision&revision=307095 +Bug: http://bugs.php.net/53632 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/697181 + +[Ubuntu note: removed NEWS file change from commit diff to ease + application of patch. Hardy and prior were missing additional volatile + statements added in upstream rev 263637- sbeattie] + +--- + Zend/zend_strtod.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + + +Index: b/Zend/zend_strtod.c +=================================================================== +--- a/Zend/zend_strtod.c ++++ b/Zend/zend_strtod.c +@@ -984,9 +984,9 @@ static Bigint * diff(Bigint *a, Bigint * + + static double ulp (double _x) + { +- _double x; ++ volatile _double x; + register Long L; +- _double a; ++ volatile _double a; + + value(x) = _x; + L = (word0(x) & Exp_mask) - (P-1)*Exp_msk1; +@@ -1026,7 +1026,7 @@ b2d + { + ULong *xa, *xa0, w, y, z; + int k; +- _double d; ++ volatile _double d; + #ifdef VAX + ULong d0, d1; + #else +@@ -1092,7 +1092,7 @@ static Bigint * d2b(double _d, int *e, i + Bigint *b; + int de, i, k; + ULong *x, y, z; +- _double d; ++ volatile _double d; + #ifdef VAX + ULong d0, d1; + #endif +@@ -1213,7 +1213,7 @@ static Bigint * d2b(double _d, int *e, i + + static double ratio (Bigint *a, Bigint *b) + { +- _double da, db; ++ volatile _double da, db; + int k, ka, kb; + + value(da) = b2d(a, &ka); +@@ -1480,7 +1480,7 @@ ZEND_API char * zend_dtoa(double _d, int + Bigint *b, *b1, *delta, *mlo, *mhi, *S, *tmp; + double ds; + char *s, *s0; +- _double d, d2, eps; ++ volatile _double d, d2, eps; + + value(d) = _d; + +@@ -2042,8 +2042,8 @@ ZEND_API double zend_strtod (CONST char + int bb2, bb5, bbe, bd2, bd5, bbbits, bs2, c, dsign, + e, e1, esign, i, j, k, nd, nd0, nf, nz, nz0, sign; + CONST char *s, *s0, *s1; +- double aadj, aadj1, adj; +- _double rv, rv0; ++ volatile double aadj, aadj1, adj; ++ volatile _double rv, rv0; + Long L; + ULong y, z; + Bigint *bb, *bb1, *bd, *bd0, *bs, *delta, *tmp; --- php5-5.2.4.orig/debian/patches/php5-pear-CVE-2011-1144.patch +++ php5-5.2.4/debian/patches/php5-pear-CVE-2011-1144.patch @@ -0,0 +1,124 @@ +Subject: Introduce a time-of-check-time-of-use (TOCTOU) save file + handler, this makes sure that from the time we check it is available + until we get the file handler that no one attempted to put in a + soft / hard link instead of what we checked for. +Origin: http://svn.php.net/viewvc?view=revision&revision=309042 + +CVE-2011-1144 + +Index: PEAR/REST.php +=================================================================== +--- PEAR/REST.php (revision 309041) ++++ PEAR/REST.php (revision 309042) +@@ -214,58 +214,75 @@ + $cacheidfile = $d . 'rest.cacheid'; + $cachefile = $d . 'rest.cachefile'; + ++ if (!is_dir($cache_dir)) { ++ if (System::mkdir(array('-p', $cache_dir) === false)) { ++ return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory and attempts to create the directory failed."); ++ } ++ } ++ + if ($cacheid === null && $nochange) { + $cacheid = unserialize(implode('', file($cacheidfile))); + } + +- if (is_link($cacheidfile)) { +- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack'); +- } ++ $idData = serialize(array( ++ 'age' => time(), ++ 'lastChange' => ($nochange ? $cacheid['lastChange'] : $lastmodified), ++ )); + +- if (is_link($cachefile)) { +- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack'); ++ $result = $this->saveCacheFile($cacheidfile, $idData); ++ if (PEAR::isError($result)) { ++ return $result; ++ } elseif ($nochange) { ++ return true; + } + +- $cacheidfile_fp = @fopen($cacheidfile, 'wb'); +- if (!$cacheidfile_fp) { +- if (is_dir($cache_dir)) { +- return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory. "); +- } +- +- System::mkdir(array('-p', $cache_dir)); +- $cacheidfile_fp = @fopen($cacheidfile, 'wb'); +- if (!$cacheidfile_fp) { +- return PEAR::raiseError("Could not open $cacheidfile for writing."); ++ $result = $this->saveCacheFile($cachefile, serialize($contents)); ++ if (PEAR::isError($result)) { ++ if (file_exists($cacheidfile)) { ++ @unlink($cacheidfile); + } +- } +- +- if ($nochange) { +- fwrite($cacheidfile_fp, serialize(array( +- 'age' => time(), +- 'lastChange' => $cacheid['lastChange'], +- ))); + +- fclose($cacheidfile_fp); +- return true; ++ return $result; + } + +- fwrite($cacheidfile_fp, serialize(array( +- 'age' => time(), +- 'lastChange' => $lastmodified, +- )) +- ); +- fclose($cacheidfile_fp); ++ return true; ++ } + +- $cachefile_fp = @fopen($cachefile, 'wb'); +- if (!$cachefile_fp) { +- if (file_exists($cacheidfile)) { +- @unlink($cacheidfile); ++ function saveCacheFile($file, $contents) ++ { ++ $len = strlen($contents); ++ ++ $cachefile_fp = @fopen($file, 'xb'); // x is the O_CREAT|O_EXCL mode ++ if ($cachefile_fp !== false) { // create file ++ if (fwrite($cachefile_fp, $contents, $len) < $len) { ++ fclose($cachefile_fp); ++ return PEAR::raiseError("Could not write $file."); ++ } ++ } else { // update file ++ $cachefile_lstat = lstat($file); ++ $cachefile_fp = @fopen($file, 'wb'); ++ if (!$cachefile_fp) { ++ return PEAR::raiseError("Could not open $file for writing."); + } + +- return PEAR::raiseError("Could not open $cacheidfile for writing."); ++ $cachefile_fstat = fstat($cachefile_fp); ++ if ( ++ $cachefile_lstat['mode'] == $cachefile_fstat['mode'] && ++ $cachefile_lstat['ino'] == $cachefile_fstat['ino'] && ++ $cachefile_lstat['dev'] == $cachefile_fstat['dev'] && ++ $cachefile_fstat['nlink'] === 1 ++ ) { ++ if (fwrite($cachefile_fp, $contents, $len) < $len) { ++ fclose($cachefile_fp); ++ return PEAR::raiseError("Could not write $file."); ++ } ++ } else { ++ fclose($cachefile_fp); ++ $link = function_exists('readlink') ? readlink($file) : $file; ++ return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $file . ' as it is symlinked to ' . $link . ' - Possible symlink attack'); ++ } + } + +- fwrite($cachefile_fp, serialize($contents)); + fclose($cachefile_fp); + return true; + } --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2008-2050.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2008-2050.patch @@ -0,0 +1,23 @@ +Index: php5-5.2.4/sapi/cgi/fastcgi.c +=================================================================== +--- php5-5.2.4.orig/sapi/cgi/fastcgi.c 2007-07-09 07:48:39.000000000 -0400 ++++ php5-5.2.4/sapi/cgi/fastcgi.c 2008-07-15 13:56:25.000000000 -0400 +@@ -593,6 +593,9 @@ + hdr->reserved = 0; + hdr->type = type; + hdr->version = FCGI_VERSION_1; ++ if (pad) { ++ memset(((unsigned char*)hdr) + sizeof(fcgi_header) + len, 0, pad); ++ } + return pad; + } + +@@ -768,7 +771,7 @@ + { + int ret, n, rest; + fcgi_header hdr; +- unsigned char buf[8]; ++ unsigned char buf[255]; + + n = 0; + rest = len; --- php5-5.2.4.orig/debian/patches/CVE-2010-1129.patch +++ php5-5.2.4/debian/patches/CVE-2010-1129.patch @@ -0,0 +1,15 @@ +Description: fix safe_mode bypass via trailing slash in dir pathnames +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=294882 + +diff -Nur php5-5.2.4/ext/standard/file.c php5-5.2.4.new/ext/standard/file.c +--- php5-5.2.4/ext/standard/file.c 2010-09-15 08:27:16.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/file.c 2010-09-15 08:27:19.000000000 -0400 +@@ -815,7 +815,7 @@ + convert_to_string_ex(arg1); + convert_to_string_ex(arg2); + +- if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) { ++ if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_CHECK_FILE_AND_DIR))) { + RETURN_FALSE; + } + --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2008-2829.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2008-2829.patch @@ -0,0 +1,80 @@ +diff -Nur php5-5.2.4/ext/imap/php_imap.c php5-5.2.4.new/ext/imap/php_imap.c +--- php5-5.2.4/ext/imap/php_imap.c 2007-07-30 20:31:10.000000000 -0400 ++++ php5-5.2.4.new/ext/imap/php_imap.c 2008-07-10 16:38:44.000000000 -0400 +@@ -70,6 +70,7 @@ + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); + static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); + static int _php_imap_address_size(ADDRESS *addresslist); ++static void _php_rfc822_write_address_len (char *dest, ADDRESS *adr, int len); + + /* the gets we use */ + static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); +@@ -2137,7 +2138,7 @@ + } + + string[0]='\0'; +- rfc822_write_address(string, addr); ++ _php_rfc822_write_address_len(string, addr, sizeof(string)); + RETVAL_STRING(string, 1); + } + /* }}} */ +@@ -2906,13 +2907,13 @@ + if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { + env->from->next=NULL; + address[0] = '\0'; +- rfc822_write_address(address, env->from); ++ _php_rfc822_write_address_len(address, env->from, sizeof(address)); + add_property_string(myoverview, "from", address, 1); + } + if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { + env->to->next = NULL; + address[0] = '\0'; +- rfc822_write_address(address, env->to); ++ _php_rfc822_write_address_len(address, env->to, sizeof(address)); + add_property_string(myoverview, "to", address, 1); + } + if (env->date) { +@@ -3883,6 +3884,34 @@ + /* }}} */ + + ++/* {{{ _php_rfc822_soutr ++ */ ++static long _php_rfc822_soutr (void *stream,char *string) ++{ ++ return NIL; ++} ++ ++/* }}} */ ++ ++ ++/* {{{ _php_rfc822_write_address_len ++ */ ++static void _php_rfc822_write_address_len ( char *dest, ADDRESS *adr, int len) ++{ ++ RFC822BUFFER buf; ++ ++ buf.beg = dest; ++ buf.cur = buf.beg; ++ buf.end = buf.beg + len - 1; ++ buf.s = NIL; ++ buf.f = _php_rfc822_soutr; ++ rfc822_output_address_list (&buf, adr, 0, NIL); ++ *buf.cur = '\0'; ++} ++ ++/* }}} */ ++ ++ + /* {{{ _php_imap_parse_address + */ + static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) +@@ -3897,7 +3926,7 @@ + if ((len = _php_imap_address_size(addresstmp))) { + tmpstr = (char *) pemalloc(len + 1, 1); + tmpstr[0] = '\0'; +- rfc822_write_address(tmpstr, addresstmp); ++ _php_rfc822_write_address_len(tmpstr, addresstmp, len); + *fulladdress = tmpstr; + } else { + *fulladdress = NULL; --- php5-5.2.4.orig/debian/patches/047-zts_with_dl.patch +++ php5-5.2.4/debian/patches/047-zts_with_dl.patch @@ -0,0 +1,17 @@ +Index: php5-5.2.2/ext/standard/dl.c +=================================================================== +--- php5-5.2.2.orig/ext/standard/dl.c 2007-02-23 01:37:35.000000000 +0100 ++++ php5-5.2.2/ext/standard/dl.c 2007-05-04 17:42:34.000000000 +0200 +@@ -76,12 +76,7 @@ + if ((strncmp(sapi_module.name, "cgi", 3)!=0) && + (strcmp(sapi_module.name, "cli")!=0) && + (strncmp(sapi_module.name, "embed", 5)!=0)) { +-#ifdef ZTS +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Not supported in multithreaded Web servers - use extension=%s in your php.ini", Z_STRVAL_PP(file)); +- RETURN_FALSE; +-#else + php_error_docref(NULL TSRMLS_CC, E_STRICT, "dl() is deprecated - use extension=%s in your php.ini", Z_STRVAL_PP(file)); +-#endif + } + + php_dl(*file, MODULE_TEMPORARY, return_value, 0 TSRMLS_CC); --- php5-5.2.4.orig/debian/patches/123_SECURITY_CVE-2008-3660.patch +++ php5-5.2.4/debian/patches/123_SECURITY_CVE-2008-3660.patch @@ -0,0 +1,83 @@ +# +# Description: fix denial of service via a request with multiple dots +# preceding the extension (ex: foo..php) +# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/286851 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987 +# Patch: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch +# +diff -Nur php5-5.2.4/sapi/cgi/cgi_main.c php5-5.2.4.new/sapi/cgi/cgi_main.c +--- php5-5.2.4/sapi/cgi/cgi_main.c 2009-01-27 14:15:19.000000000 -0500 ++++ php5-5.2.4.new/sapi/cgi/cgi_main.c 2009-01-27 14:17:48.000000000 -0500 +@@ -672,6 +672,39 @@ + } + /* }}} */ + ++/* {{{ is_valid_path ++ * ++ * some server configurations allow '..' to slip through in the ++ * translated path. We'll just refuse to handle such a path. ++ */ ++static int is_valid_path(const char *path) ++{ ++ const char *p; ++ ++ if (!path) { ++ return 0; ++ } ++ p = strstr(path, ".."); ++ if (p) { ++ if ((p == path || IS_SLASH(*(p-1))) && ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { ++ return 0; ++ } ++ while (1) { ++ p = strstr(p+1, ".."); ++ if (!p) { ++ break; ++ } ++ if (IS_SLASH(*(p-1)) && ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { ++ return 0; ++ } ++ } ++ } ++ return 1; ++} ++/* }}} */ ++ + /* {{{ init_request_info + + initializes request_info structure +@@ -950,9 +983,7 @@ + if (pt) { + efree(pt); + } +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. */ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + } else { +@@ -986,9 +1017,7 @@ + } else { + SG(request_info).request_uri = env_script_name; + } +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. */ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + if (real_path) { +@@ -1008,9 +1037,7 @@ + script_path_translated = env_path_translated; + } + #endif +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. */ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + #if ENABLE_PATHINFO_CHECK --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-3870.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-3870.patch @@ -0,0 +1,194 @@ +Subject: utf8_decode vulnerabilities and deficiencies in the number + of reported malformed sequences. (Gustavo) +Origin: http://svn.php.net/viewvc/?view=revision&revision=304959 +Bug: http://bugs.php.net/bug.php?id=49687 + +[Ubuntu note: patch differs from above commit in that the NEWS entry has + been removed to reduce conflicts when applying. Also, hardy and earlier + contained prior versions of this function, and so the patch was + modified to compensate. - sbeattie] + +--- + ext/xml/tests/bug49687.phpt | 24 ++++++++ + ext/xml/xml.c | 128 +++++++++++++++++++++++++++++++++++++------- + 2 files changed, 134 insertions(+), 18 deletions(-) + +Index: b/ext/xml/xml.c +=================================================================== +--- a/ext/xml/xml.c ++++ b/ext/xml/xml.c +@@ -554,10 +554,111 @@ PHPAPI char *xml_utf8_encode(const char + } + /* }}} */ + ++/* copied from trunk's implementation of get_next_char in ext/standard/html.c */ ++#define MB_FAILURE(pos, advance) do { \ ++ *cursor = pos + (advance); \ ++ *status = FAILURE; \ ++ return 0; \ ++} while (0) ++ ++#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need)) ++#define utf8_lead(c) ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4)) ++#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF) ++ ++/* {{{ php_next_utf8_char ++ */ ++static inline unsigned int php_next_utf8_char( ++ const unsigned char *str, ++ size_t str_len, ++ size_t *cursor, ++ int *status) ++{ ++ size_t pos = *cursor; ++ unsigned int this_char = 0; ++ unsigned char c; ++ ++ *status = SUCCESS; ++ ++ if (!CHECK_LEN(pos, 1)) ++ MB_FAILURE(pos, 1); ++ ++ /* We'll follow strategy 2. from section 3.6.1 of UTR #36: ++ * "In a reported illegal byte sequence, do not include any ++ * non-initial byte that encodes a valid character or is a leading ++ * byte for a valid sequence. */ ++ c = str[pos]; ++ if (c < 0x80) { ++ this_char = c; ++ pos++; ++ } else if (c < 0xc2) { ++ MB_FAILURE(pos, 1); ++ } else if (c < 0xe0) { ++ if (!CHECK_LEN(pos, 2)) ++ MB_FAILURE(pos, 1); ++ ++ if (!utf8_trail(str[pos + 1])) { ++ MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2); ++ } ++ this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f); ++ if (this_char < 0x80) { /* non-shortest form */ ++ MB_FAILURE(pos, 2); ++ } ++ pos += 2; ++ } else if (c < 0xf0) { ++ size_t avail = str_len - pos; ++ ++ if (avail < 3 || ++ !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) { ++ if (avail < 2 || utf8_lead(str[pos + 1])) ++ MB_FAILURE(pos, 1); ++ else if (avail < 3 || utf8_lead(str[pos + 2])) ++ MB_FAILURE(pos, 2); ++ else ++ MB_FAILURE(pos, 3); ++ } ++ ++ this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f); ++ if (this_char < 0x800) { /* non-shortest form */ ++ MB_FAILURE(pos, 3); ++ } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */ ++ MB_FAILURE(pos, 3); ++ } ++ pos += 3; ++ } else if (c < 0xf5) { ++ size_t avail = str_len - pos; ++ ++ if (avail < 4 || ++ !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) || ++ !utf8_trail(str[pos + 3])) { ++ if (avail < 2 || utf8_lead(str[pos + 1])) ++ MB_FAILURE(pos, 1); ++ else if (avail < 3 || utf8_lead(str[pos + 2])) ++ MB_FAILURE(pos, 2); ++ else if (avail < 4 || utf8_lead(str[pos + 3])) ++ MB_FAILURE(pos, 3); ++ else ++ MB_FAILURE(pos, 4); ++ } ++ ++ this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f); ++ if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */ ++ MB_FAILURE(pos, 4); ++ } ++ pos += 4; ++ } else { ++ MB_FAILURE(pos, 1); ++ } ++ ++ *cursor = pos; ++ return this_char; ++} ++/* }}} */ ++ ++ + /* {{{ xml_utf8_decode */ + PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding) + { +- int pos = len; ++ size_t pos = 0; + char *newbuf = emalloc(len + 1); + unsigned int c; + char (*decoder)(unsigned short) = NULL; +@@ -576,24 +677,15 @@ PHPAPI char *xml_utf8_decode(const XML_C + newbuf[*newlen] = '\0'; + return newbuf; + } +- while (pos > 0) { +- c = (unsigned char)(*s); +- if (c >= 0xf0) { /* four bytes encoded, 21 bits */ +- c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63); +- s += 4; +- pos -= 4; +- } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */ +- c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63); +- s += 3; +- pos -= 3; +- } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */ +- c = ((s[0]&63)<<6) | (s[1]&63); +- s += 2; +- pos -= 2; +- } else { +- s++; +- pos--; ++ ++ while (pos < (size_t)len) { ++ int status = FAILURE; ++ c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status); ++ ++ if (status == FAILURE || c > 0xFFU) { ++ c = '?'; + } ++ + newbuf[*newlen] = decoder ? decoder(c) : c; + ++*newlen; + } +Index: b/ext/xml/tests/bug49687.phpt +=================================================================== +--- /dev/null ++++ b/ext/xml/tests/bug49687.phpt +@@ -0,0 +1,24 @@ ++--TEST-- ++Bug #49687 Several utf8_decode deficiencies and vulnerabilities ++--SKIPIF-- ++ ++--FILE-- ++wrapperdata should hold an array zval (like its zval* type +#indicates...), it's not a place where the wrapper can drop an arbitrary +#pointer. For that, .wrapperthis should be used. +#Also, since the ftp dir wrapper defines its own stream type, it's more +#appropriate to use .abstract to store the stream instance specific data. + +CVE-2011-1469 + +Patch differs from upstream commit in that it drops the added NEWS file +entry to reduce patch conflicts, and adjusted for earlier versions of +php. + +Index: ext/standard/ftp_fopen_wrapper.c +=================================================================== +--- ext/standard/ftp_fopen_wrapper.c (revision 308733) ++++ ext/standard/ftp_fopen_wrapper.c (revision 308734) +@@ -72,6 +72,11 @@ + + #include "php_fopen_wrappers.h" + ++typedef struct _php_ftp_dirstream_data { ++ php_stream *datastream; ++ php_stream *controlstream; ++ php_stream *dirstream; ++} php_ftp_dirstream_data; + + static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC) + { +@@ -97,12 +103,12 @@ + php_stream *stream + TSRMLS_DC) + { +- php_stream *controlstream = (php_stream *)stream->wrapperdata; ++ php_stream *controlstream = stream->wrapperthis; + + if (controlstream) { + php_stream_write_string(controlstream, "QUIT\r\n"); + php_stream_close(controlstream); +- stream->wrapperdata = NULL; ++ stream->wrapperthis = NULL; + } + return 0; + } +@@ -584,7 +584,7 @@ + } + + /* remember control stream */ +- datastream->wrapperdata = (zval *)stream; ++ datastream->wrapperthis = stream; + + php_url_free(resource); + return datastream; +@@ -608,11 +608,13 @@ + static size_t php_ftp_dirstream_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) + { + php_stream_dirent *ent = (php_stream_dirent *)buf; +- php_stream *innerstream = (php_stream *)stream->abstract; ++ php_stream *innerstream; + size_t tmp_len; + char *basename; + size_t basename_len; + ++ innerstream = ((php_ftp_dirstream_data *)stream->abstract)->datastream; ++ + if (count != sizeof(php_stream_dirent)) { + return 0; + } +@@ -656,13 +658,18 @@ + */ + static int php_ftp_dirstream_close(php_stream *stream, int close_handle TSRMLS_DC) + { +- php_stream *innerstream = (php_stream *)stream->abstract; ++ php_ftp_dirstream_data *data = stream->abstract; + +- if (innerstream->wrapperdata) { +- php_stream_close((php_stream *)innerstream->wrapperdata); +- innerstream->wrapperdata = NULL; ++ /* close control connection */ ++ if (data->controlstream) { ++ php_stream_close(data->controlstream); ++ data->controlstream = NULL; + } +- php_stream_close((php_stream *)stream->abstract); ++ /* close data connection */ ++ php_stream_close(data->datastream); ++ data->datastream = NULL; ++ ++ efree(data); + stream->abstract = NULL; + + return 0; +@@ -688,6 +695,7 @@ + php_stream * php_stream_ftp_opendir(php_stream_wrapper *wrapper, char *path, char *mode, int options, char **opened_path, php_stream_context *context STREAMS_DC TSRMLS_DC) + { + php_stream *stream, *reuseid, *datastream = NULL; ++ php_ftp_dirstream_data *dirsdata; + php_url *resource = NULL; + int result = 0, use_ssl, use_ssl_on_data = 0; + char *hoststart = NULL, tmp_line[512]; +@@ -747,12 +755,15 @@ + goto opendir_errexit; + } + +- /* remember control stream */ +- datastream->wrapperdata = (zval *)stream; +- + php_url_free(resource); +- return php_stream_alloc(&php_ftp_dirstream_ops, datastream, 0, mode); + ++ dirsdata = emalloc(sizeof *dirsdata); ++ dirsdata->datastream = datastream; ++ dirsdata->controlstream = stream; ++ dirsdata->dirstream = php_stream_alloc(&php_ftp_dirstream_ops, dirsdata, 0, mode); ++ ++ return dirsdata->dirstream; ++ + opendir_errexit: + if (resource) { + php_url_free(resource); --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-0421.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-0421.patch @@ -0,0 +1,49 @@ +Subject: fix bug 53885 (ZipArchive segfault with FL_UNCHANGED on empty archive) +Origin: http://svn.php.net/viewvc/?view=revision&revision=307867 +Bug: http://bugs.php.net/bug.php?id=53885 + +CVE-2011-421 + +Patch has been modified from upstream commit to remove edits to NEWS, +to reduce conflicts when applying and backported to earlier versions +of php. + +Index: ext/zip/tests/bug53885.phpt +=================================================================== +--- ext/zip/tests/bug53885.phpt (revision 0) ++++ ext/zip/tests/bug53885.phpt (revision 307867) +@@ -0,0 +1,19 @@ ++--TEST-- ++Bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive) ++--SKIPIF-- ++ ++--FILE-- ++open($fname); ++$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED); ++$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED); ++?> ++==DONE== ++--EXPECTF-- ++==DONE== +Index: ext/zip/lib/zip_name_locate.c +=================================================================== +--- ext/zip/lib/zip_name_locate.c (revision 307866) ++++ ext/zip/lib/zip_name_locate.c (revision 307867) +@@ -60,6 +60,10 @@ + return -1; + } + ++ if((flags & ZIP_FL_UNCHANGED) && !za->cdir) { ++ return -1; ++ } ++ + cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp; + + n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; --- php5-5.2.4.orig/debian/patches/php5-CVE-2012-0830.patch +++ php5-5.2.4/debian/patches/php5-CVE-2012-0830.patch @@ -0,0 +1,53 @@ +Origin: http://svn.php.net/viewvc?view=revision&revision=323007 + and http://svn.php.net/viewvc?view=revision&revision=323013 +Subject: fix UMR in php_register_variable_ex, reported by Stefan Esser + +Fixed memory leaks + +CVE-2012-0830 + +--- + main/php_variables.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +Index: b/main/php_variables.c +=================================================================== +--- a/main/php_variables.c ++++ b/main/php_variables.c +@@ -172,7 +172,11 @@ PHPAPI void php_register_variable_ex(cha + if (!index) { + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); +- zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); ++ if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) { ++ zval_ptr_dtor(&gpc_element); ++ zval_dtor(val); ++ return; ++ } + } else { + if (PG(magic_quotes_gpc)) { + escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); +@@ -188,6 +192,12 @@ PHPAPI void php_register_variable_ex(cha + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); ++ } else { ++ if (index != escaped_index) { ++ efree(escaped_index); ++ } ++ zval_dtor(val); ++ return; + } + } + if (index != escaped_index) { +@@ -213,7 +223,9 @@ plain_var: + gpc_element->value = val->value; + Z_TYPE_P(gpc_element) = Z_TYPE_P(val); + if (!index) { +- zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); ++ if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) { ++ zval_ptr_dtor(&gpc_element); ++ } + } else { + if (PG(magic_quotes_gpc)) { + escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-1466.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-1466.patch @@ -0,0 +1,102 @@ +Subject: Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to segfault). +Origin: http://svn.php.net/viewvc?view=revision&revision=306475 + +CVE-2011-1466 + +Patch differs from upstream commit in that the edit to the NEWS file was +dropped to reduce patch conflicts. + +Index: ext/calendar/tests/bug53574.phpt +=================================================================== +--- ext/calendar/tests/bug53574.phpt (revision 0) ++++ ext/calendar/tests/bug53574.phpt (revision 306475) +@@ -0,0 +1,35 @@ ++--TEST-- ++Bug #53574 (Integer overflow in SdnToJulian; leads to segfault) ++--SKIPIF-- ++ ++--FILE-- ++ ++ string(5) "0/0/0" ++ ["month"]=> ++ int(0) ++ ["day"]=> ++ int(0) ++ ["year"]=> ++ int(0) ++ ["dow"]=> ++ int(3) ++ ["abbrevdayname"]=> ++ string(3) "Wed" ++ ["dayname"]=> ++ string(9) "Wednesday" ++ ["abbrevmonth"]=> ++ string(0) "" ++ ["monthname"]=> ++ string(0) "" ++} ++ +Index: ext/calendar/julian.c +=================================================================== +--- ext/calendar/julian.c (revision 306474) ++++ ext/calendar/julian.c (revision 306475) +@@ -146,6 +146,7 @@ + **************************************************************************/ + + #include "sdncal.h" ++#include + + #define JULIAN_SDN_OFFSET 32083 + #define DAYS_PER_5_MONTHS 153 +@@ -164,15 +165,22 @@ + int dayOfYear; + + if (sdn <= 0) { +- *pYear = 0; +- *pMonth = 0; +- *pDay = 0; +- return; ++ goto fail; + } +- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1; ++ /* Check for overflow */ ++ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) { ++ goto fail; ++ } ++ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1); + + /* Calculate the year and day of year (1 <= dayOfYear <= 366). */ +- year = temp / DAYS_PER_4_YEARS; ++ { ++ long yearl = temp / DAYS_PER_4_YEARS; ++ if (yearl > INT_MAX || yearl < INT_MIN) { ++ goto fail; ++ } ++ year = (int) yearl; ++ } + dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1; + + /* Calculate the month and day of month. */ +@@ -196,6 +204,12 @@ + *pYear = year; + *pMonth = month; + *pDay = day; ++ return; ++ ++fail: ++ *pYear = 0; ++ *pMonth = 0; ++ *pDay = 0; + } + + long int JulianToSdn( --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-2484.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-2484.patch @@ -0,0 +1,25 @@ +Subject: Fixed a possible memory corruption in strrchr(). +Origin: http://svn.php.net/viewvc?view=revision&revision=300916 + +(Reported by Péter Veres) + +CVE-2010-2484 + +--- + ext/standard/string.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: b/ext/standard/string.c +=================================================================== +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -1938,6 +1938,9 @@ PHP_FUNCTION(strrchr) + FAILURE) { + WRONG_PARAM_COUNT; + } ++ if (PZVAL_IS_REF(*haystack)) { ++ SEPARATE_ZVAL(haystack); ++ } + convert_to_string_ex(haystack); + + if (Z_TYPE_PP(needle) == IS_STRING) { --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-1092.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-1092.patch @@ -0,0 +1,21 @@ +Subject: Fixed bug #54193 (Integer overflow in shmop_read()) +Origin: http://svn.php.net/viewvc/?view=revision&revision=309018 + +CVE-2011-1092 + +Patch differs from upstream commit in that the change to the NEWS file +was removed to reduce conflicts. + +Index: ext/shmop/shmop.c +=================================================================== +--- ext/shmop/shmop.c (revision 309017) ++++ ext/shmop/shmop.c (revision 309018) +@@ -256,7 +256,7 @@ + RETURN_FALSE; + } + +- if (start + count > shmop->size || count < 0) { ++ if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range"); + RETURN_FALSE; + } --- php5-5.2.4.orig/debian/patches/112-proc_open.patch +++ php5-5.2.4/debian/patches/112-proc_open.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.0/ext/standard/proc_open.c +=================================================================== +--- php5-5.2.0.orig/ext/standard/proc_open.c 2007-03-18 22:56:59.000000000 +0100 ++++ php5-5.2.0/ext/standard/proc_open.c 2007-03-18 22:58:45.000000000 +0100 +@@ -61,7 +61,7 @@ + * */ + #ifdef PHP_CAN_SUPPORT_PROC_OPEN + +-#if 0 && HAVE_PTSNAME && HAVE_GRANTPT && HAVE_UNLOCKPT && HAVE_SYS_IOCTL_H && HAVE_TERMIOS_H ++#if HAVE_PTSNAME && HAVE_GRANTPT && HAVE_UNLOCKPT && HAVE_SYS_IOCTL_H && HAVE_TERMIOS_H + # include + # include + # define PHP_CAN_DO_PTS 1 --- php5-5.2.4.orig/debian/patches/056-mime_magic_liberal.patch +++ php5-5.2.4/debian/patches/056-mime_magic_liberal.patch @@ -0,0 +1,38 @@ +Index: php5-5.2.2/ext/mime_magic/mime_magic.c +=================================================================== +--- php5-5.2.2.orig/ext/mime_magic/mime_magic.c 2007-02-15 01:05:42.000000000 +0100 ++++ php5-5.2.2/ext/mime_magic/mime_magic.c 2007-05-04 17:42:41.000000000 +0200 +@@ -501,7 +501,7 @@ + } while (*(++p) != '/'); + ++p; + do { +- if (!isalnum(*p) && (*p != '-') && (*p != '.') && !isspace(*p)) { ++ if (!isalnum(*p) && (*p != '-') && (*p != '.') && (*p != '+') && !isspace(*p)) { + return 0; + } + } while (*(++p)); +@@ -634,6 +634,15 @@ + else if (strncmp(l, "string", NSTRING) == 0) { + m->type = STRING; + l += NSTRING; ++ if (*l == '/') { ++ ++l; ++ if ((*l == 'B') || (*l == 'b') || (*l == 'c')) { ++ ++l; ++ if ((*l == 'B') || (*l == 'b') || (*l == 'c')) { ++ ++l; ++ } ++ } ++ } + } + else if (strncmp(l, "date", NDATE) == 0) { + m->type = DATE; +@@ -727,7 +736,7 @@ + if (!is_valid_mimetype(l, strlen(l))) { + if(MIME_MAGIC_G(debug)) + php_error_docref("http://www.php.net/mime_magic" TSRMLS_CC, E_WARNING, ": (%s:%d) '%s' is not a valid mimetype, entry skipped", MIME_MAGIC_G(magicfile), lineno, l); +- return -1; ++ return 0; + } + + strlcpy(m->desc, l, sizeof(m->desc)); --- php5-5.2.4.orig/debian/patches/CVE-2009-4142.patch +++ php5-5.2.4/debian/patches/CVE-2009-4142.patch @@ -0,0 +1,4493 @@ +Description: fix Cross-site scripting via incomplete htmlspecialchars filtering +Origin: upstream, http://svn.php.net/viewvc/?view=revision&revision=289411 +Origin: upstream, http://svn.php.net/viewvc/?view=revision&revision=289554 +Origin: upstream, http://svn.php.net/viewvc/?view=revision&revision=289565 +Origin: upstream, http://svn.php.net/viewvc/?view=revision&revision=289567 +Origin: upstream, http://svn.php.net/viewvc/?view=revision&revision=289605 +Origin: upstream, http://svn.php.net/viewvc/?view=revision&revision=291821 +Bug: http://bugs.php.net/bug.php?id=49785 + +diff -Nur php5-5.2.4/ext/standard/html.c php5-5.2.4.new/ext/standard/html.c +--- php5-5.2.4/ext/standard/html.c 2010-01-06 09:38:25.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/html.c 2010-01-06 09:38:39.000000000 -0500 +@@ -484,15 +484,31 @@ + } \ + mbseq[mbpos++] = (mbchar); } + ++/* skip one byte and return */ ++#define MB_FAILURE(pos) do { \ ++ *newpos = pos + 1; \ ++ *status = FAILURE; \ ++ return 0; \ ++} while (0) ++ + #define CHECK_LEN(pos, chars_need) \ +- if((str_len - (pos)) < chars_need) { \ +- *status = FAILURE; \ +- return 0; \ ++ if (chars_need < 1) { \ ++ if((str_len - (pos)) < chars_need) { \ ++ *newpos = pos; \ ++ *status = FAILURE; \ ++ return 0; \ ++ } \ ++ } else { \ ++ if((str_len - (pos)) < chars_need) { \ ++ *newpos = pos + 1; \ ++ *status = FAILURE; \ ++ return 0; \ ++ } \ + } + + /* {{{ get_next_char + */ +-inline static unsigned short get_next_char(enum entity_charset charset, ++inline static unsigned int get_next_char(enum entity_charset charset, + unsigned char * str, + int str_len, + int * newpos, +@@ -503,205 +519,191 @@ + int pos = *newpos; + int mbpos = 0; + int mbspace = *mbseqlen; +- unsigned short this_char = str[pos++]; ++ unsigned int this_char = 0; + unsigned char next_char; + + *status = SUCCESS; +- ++ + if (mbspace <= 0) { + *mbseqlen = 0; +- return this_char; ++ CHECK_LEN(pos, 1); ++ *newpos = pos + 1; ++ return str[pos]; + } +- +- MB_WRITE((unsigned char)this_char); +- ++ + switch (charset) { + case cs_utf_8: + { +- unsigned long utf = 0; +- int stat = 0; +- int more = 1; +- +- /* unpack utf-8 encoding into a wide char. +- * Code stolen from the mbstring extension */ +- +- do { +- if (this_char < 0x80) { +- more = 0; +- if(stat) { +- /* we didn't finish the UTF sequence correctly */ +- *status = FAILURE; +- } +- break; +- } else if (this_char < 0xc0) { +- switch (stat) { +- case 0x10: /* 2, 2nd */ +- case 0x21: /* 3, 3rd */ +- case 0x32: /* 4, 4th */ +- case 0x43: /* 5, 5th */ +- case 0x54: /* 6, 6th */ +- /* last byte in sequence */ +- more = 0; +- utf |= (this_char & 0x3f); +- this_char = (unsigned short)utf; +- break; +- case 0x20: /* 3, 2nd */ +- case 0x31: /* 4, 3rd */ +- case 0x42: /* 5, 4th */ +- case 0x53: /* 6, 5th */ +- /* penultimate char */ +- utf |= ((this_char & 0x3f) << 6); +- stat++; +- break; +- case 0x30: /* 4, 2nd */ +- case 0x41: /* 5, 3rd */ +- case 0x52: /* 6, 4th */ +- utf |= ((this_char & 0x3f) << 12); +- stat++; +- break; +- case 0x40: /* 5, 2nd */ +- case 0x51: +- utf |= ((this_char & 0x3f) << 18); +- stat++; +- break; +- case 0x50: /* 6, 2nd */ +- utf |= ((this_char & 0x3f) << 24); +- stat++; +- break; +- default: +- /* invalid */ +- *status = FAILURE; +- more = 0; +- } +- } +- /* lead byte */ +- else if (this_char < 0xe0) { +- stat = 0x10; /* 2 byte */ +- utf = (this_char & 0x1f) << 6; +- CHECK_LEN(pos, 1); +- } else if (this_char < 0xf0) { +- stat = 0x20; /* 3 byte */ +- utf = (this_char & 0xf) << 12; +- CHECK_LEN(pos, 2); +- } else if (this_char < 0xf8) { +- stat = 0x30; /* 4 byte */ +- utf = (this_char & 0x7) << 18; +- CHECK_LEN(pos, 3); +- } else if (this_char < 0xfc) { +- stat = 0x40; /* 5 byte */ +- utf = (this_char & 0x3) << 24; +- CHECK_LEN(pos, 4); +- } else if (this_char < 0xfe) { +- stat = 0x50; /* 6 byte */ +- utf = (this_char & 0x1) << 30; +- CHECK_LEN(pos, 5); +- } else { +- /* invalid; bail */ +- more = 0; +- *status = FAILURE; +- break; ++ unsigned char c; ++ CHECK_LEN(pos, 1); ++ c = str[pos]; ++ if (c < 0x80) { ++ MB_WRITE(c); ++ this_char = c; ++ pos++; ++ } else if (c < 0xc0) { ++ MB_FAILURE(pos); ++ } else if (c < 0xe0) { ++ CHECK_LEN(pos, 2); ++ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { ++ MB_FAILURE(pos); + } +- +- if (more) { +- this_char = str[pos++]; +- MB_WRITE((unsigned char)this_char); ++ this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f); ++ if (this_char < 0x80) { ++ MB_FAILURE(pos); + } +- } while (more); ++ MB_WRITE((unsigned char)c); ++ MB_WRITE((unsigned char)str[pos + 1]); ++ pos += 2; ++ } else if (c < 0xf0) { ++ CHECK_LEN(pos, 3); ++ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f); ++ if (this_char < 0x800) { ++ MB_FAILURE(pos); ++ } else if (this_char >= 0xd800 && this_char <= 0xdfff) { ++ MB_FAILURE(pos); ++ } ++ MB_WRITE((unsigned char)c); ++ MB_WRITE((unsigned char)str[pos + 1]); ++ MB_WRITE((unsigned char)str[pos + 2]); ++ pos += 3; ++ } else if (c < 0xf8) { ++ CHECK_LEN(pos, 4); ++ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ if (str[pos + 3] < 0x80 || str[pos + 3] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f); ++ if (this_char < 0x10000) { ++ MB_FAILURE(pos); ++ } ++ MB_WRITE((unsigned char)c); ++ MB_WRITE((unsigned char)str[pos + 1]); ++ MB_WRITE((unsigned char)str[pos + 2]); ++ MB_WRITE((unsigned char)str[pos + 3]); ++ pos += 4; ++ } else { ++ MB_FAILURE(pos); ++ } + } + break; + case cs_big5: + case cs_gb2312: + case cs_big5hkscs: + { ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; + /* check if this is the first of a 2-byte sequence */ +- if (this_char >= 0xa1 && this_char <= 0xfe) { ++ if (this_char >= 0x81 && this_char <= 0xfe) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if ((next_char >= 0x40 && next_char <= 0x7e) || + (next_char >= 0xa1 && next_char <= 0xfe)) { + /* yes, this a wide char */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; ++ } else { ++ MB_FAILURE(pos); + } +- ++ } else { ++ MB_WRITE(this_char); + } +- break; + } ++ break; + case cs_sjis: + { ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; + /* check if this is the first of a 2-byte sequence */ +- if ( (this_char >= 0x81 && this_char <= 0x9f) || +- (this_char >= 0xe0 && this_char <= 0xef) +- ) { ++ if ((this_char >= 0x81 && this_char <= 0x9f) || ++ (this_char >= 0xe0 && this_char <= 0xfc)) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if ((next_char >= 0x40 && next_char <= 0x7e) || + (next_char >= 0x80 && next_char <= 0xfc)) + { + /* yes, this a wide char */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; ++ } else { ++ MB_FAILURE(pos); + } +- ++ } else { ++ MB_WRITE(this_char); + } + break; + } + case cs_eucjp: + { ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; + /* check if this is the first of a multi-byte sequence */ + if (this_char >= 0xa1 && this_char <= 0xfe) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if (next_char >= 0xa1 && next_char <= 0xfe) { + /* yes, this a jis kanji char */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; ++ } else { ++ MB_FAILURE(pos); + } +- + } else if (this_char == 0x8e) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if (next_char >= 0xa1 && next_char <= 0xdf) { + /* JIS X 0201 kana */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; ++ } else { ++ MB_FAILURE(pos); + } +- + } else if (this_char == 0x8f) { + /* peek at the next two char */ + unsigned char next2_char; + CHECK_LEN(pos, 2); + next_char = str[pos]; +- next2_char = str[pos+1]; ++ next2_char = str[pos + 1]; ++ pos += 2; + if ((next_char >= 0xa1 && next_char <= 0xfe) && + (next2_char >= 0xa1 && next2_char <= 0xfe)) { + /* JIS X 0212 hojo-kanji */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; +- this_char <<= 8; + MB_WRITE(next2_char); +- this_char |= next2_char; +- pos++; ++ this_char = (this_char << 16) | (next_char << 8) | next2_char; ++ } else { ++ MB_FAILURE(pos); + } +- ++ } else { ++ MB_WRITE(this_char); + } + break; + } + default: ++ /* single-byte charsets */ ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; ++ MB_WRITE(this_char); + break; + } + MB_RETURN; +@@ -1132,7 +1134,7 @@ + unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */ + int mbseqlen = sizeof(mbsequence); + int status = SUCCESS; +- unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); ++ unsigned int this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); + + if(status == FAILURE) { + /* invalid MB sequence */ +diff -Nur php5-5.2.4/ext/standard/tests/strings/bug49785.phpt php5-5.2.4.new/ext/standard/tests/strings/bug49785.phpt +--- php5-5.2.4/ext/standard/tests/strings/bug49785.phpt 1969-12-31 19:00:00.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/tests/strings/bug49785.phpt 2010-01-06 09:38:39.000000000 -0500 +@@ -0,0 +1,4114 @@ ++--TEST-- ++Bug #49785 (insufficient input string validation of htmlspecialchars()) ++--FILE-- ++= 0x80 ++var_dump(_bin2hex(htmlspecialchars("\x80", ENT_QUOTES, 'Shift_JIS'))); ++foreach (array_map('chr', range(0xa0, 0xdf)) as $c) { ++ var_dump(_bin2hex(htmlspecialchars($c, ENT_QUOTES, 'Shift_JIS'))); ++} ++var_dump(_bin2hex(htmlspecialchars("\xfd", ENT_QUOTES, 'Shift_JIS'))); ++var_dump(_bin2hex(htmlspecialchars("\xfe", ENT_QUOTES, 'Shift_JIS'))); ++var_dump(_bin2hex(htmlspecialchars("\xff", ENT_QUOTES, 'Shift_JIS'))); ++ ++echo "--\n"; ++// Shift_JIS: incomplete / invalid multibyte sequences ++foreach (array_map('chr', array_merge(range(0x81, 0x9f), range(0xe0, 0xfc))) as $c) { ++ var_dump(_bin2hex(htmlspecialchars("$c", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x3f", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x40", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x7e", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x7f", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x80", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xfc", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xfd", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xfe", ENT_QUOTES, 'Shift_JIS'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xff", ENT_QUOTES, 'Shift_JIS'))); ++} ++ ++echo "--\n"; ++// EUC-JP: non-lead byte >= 0x80 ++foreach (array_map('chr', array_merge(range(0x80, 0x8d), range(0x90, 0x9f))) as $c) { ++ var_dump(_bin2hex(htmlspecialchars($c, ENT_QUOTES, 'EUC-JP'))); ++} ++var_dump(_bin2hex(htmlspecialchars("\xff", ENT_QUOTES, 'EUC-JP'))); ++ ++// EUC-JP: control codes that are virtually lead bytes ++var_dump(_bin2hex(htmlspecialchars("\x8e", ENT_QUOTES, 'EUC-JP'))); ++var_dump(_bin2hex(htmlspecialchars("\x8f", ENT_QUOTES, 'EUC-JP'))); ++var_dump(_bin2hex(htmlspecialchars("\x8e\xa1", ENT_QUOTES, 'EUC-JP'))); ++var_dump(_bin2hex(htmlspecialchars("\x8f\xa1", ENT_QUOTES, 'EUC-JP'))); ++var_dump(_bin2hex(htmlspecialchars("\x8e\xa1\xa3", ENT_QUOTES, 'EUC-JP'))); ++var_dump(_bin2hex(htmlspecialchars("\x8f\xa1\xa3", ENT_QUOTES, 'EUC-JP'))); ++ ++echo "--\n"; ++// EUC-JP: incomplete / invalid multibyte sequences ++foreach (array_map('chr', array_merge(range(0xa1, 0xfe))) as $c) { ++ var_dump(_bin2hex(htmlspecialchars("$c", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x26", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x80", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xa0", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xa1", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xfe", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xff", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8e$c", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8e$c\x26", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8e$c\x80", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8e$c\xa0", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8e$c\xa1", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8e$c\xfe", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8e$c\xff", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8f$c", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8f$c\x26", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8f$c\x80", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8f$c\xa0", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8f$c\xa1", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8f$c\xfe", ENT_QUOTES, 'EUC-JP'))); ++ var_dump(_bin2hex(htmlspecialchars("\x8f$c\xff", ENT_QUOTES, 'EUC-JP'))); ++} ++ ++echo "--\n"; ++// BIG5: non-lead byte >= 0x80 ++var_dump(_bin2hex(htmlspecialchars("\x80", ENT_QUOTES, 'BIG5'))); ++var_dump(_bin2hex(htmlspecialchars("\xff", ENT_QUOTES, 'BIG5'))); ++ ++echo "--\n"; ++// BIG5: incomplete / invalid multibyte sequences ++foreach (array_map('chr', range(0x81, 0xfe)) as $c) { ++ var_dump(_bin2hex(htmlspecialchars("$c", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x3f", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x40", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x7e", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x7f", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\x80", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xa0", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xa1", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xfe", ENT_QUOTES, 'BIG5'))); ++ var_dump(_bin2hex(htmlspecialchars("$c\xff", ENT_QUOTES, 'BIG5'))); ++} ++?> ++--EXPECT-- ++string(0) "" ++string(4) "c280" ++string(0) "" ++string(0) "" ++string(14) "26416c7068613b" ++string(14) "26616c7068613b" ++string(4) "dfbf" ++string(6) "e0a080" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(16) "266865617274733b" ++string(6) "efbfbf" ++string(0) "" ++string(0) "" ++string(0) "" ++string(8) "f0908080" ++string(8) "f7bfbfbf" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++-- ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "ecbfbf" ++string(0) "" ++string(0) "" ++string(6) "ee8080" ++string(2) "80" ++string(2) "a0" ++string(2) "a1" ++string(2) "a2" ++string(2) "a3" ++string(2) "a4" ++string(2) "a5" ++string(2) "a6" ++string(2) "a7" ++string(2) "a8" ++string(2) "a9" ++string(2) "aa" ++string(2) "ab" ++string(2) "ac" ++string(2) "ad" ++string(2) "ae" ++string(2) "af" ++string(2) "b0" ++string(2) "b1" ++string(2) "b2" ++string(2) "b3" ++string(2) "b4" ++string(2) "b5" ++string(2) "b6" ++string(2) "b7" ++string(2) "b8" ++string(2) "b9" ++string(2) "ba" ++string(2) "bb" ++string(2) "bc" ++string(2) "bd" ++string(2) "be" ++string(2) "bf" ++string(2) "c0" ++string(2) "c1" ++string(2) "c2" ++string(2) "c3" ++string(2) "c4" ++string(2) "c5" ++string(2) "c6" ++string(2) "c7" ++string(2) "c8" ++string(2) "c9" ++string(2) "ca" ++string(2) "cb" ++string(2) "cc" ++string(2) "cd" ++string(2) "ce" ++string(2) "cf" ++string(2) "d0" ++string(2) "d1" ++string(2) "d2" ++string(2) "d3" ++string(2) "d4" ++string(2) "d5" ++string(2) "d6" ++string(2) "d7" ++string(2) "d8" ++string(2) "d9" ++string(2) "da" ++string(2) "db" ++string(2) "dc" ++string(2) "dd" ++string(2) "de" ++string(2) "df" ++string(2) "fd" ++string(2) "fe" ++string(2) "ff" ++-- ++string(0) "" ++string(0) "" ++string(4) "8140" ++string(4) "817e" ++string(0) "" ++string(4) "8180" ++string(4) "81fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8240" ++string(4) "827e" ++string(0) "" ++string(4) "8280" ++string(4) "82fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8340" ++string(4) "837e" ++string(0) "" ++string(4) "8380" ++string(4) "83fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8440" ++string(4) "847e" ++string(0) "" ++string(4) "8480" ++string(4) "84fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8540" ++string(4) "857e" ++string(0) "" ++string(4) "8580" ++string(4) "85fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8640" ++string(4) "867e" ++string(0) "" ++string(4) "8680" ++string(4) "86fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8740" ++string(4) "877e" ++string(0) "" ++string(4) "8780" ++string(4) "87fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8840" ++string(4) "887e" ++string(0) "" ++string(4) "8880" ++string(4) "88fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8940" ++string(4) "897e" ++string(0) "" ++string(4) "8980" ++string(4) "89fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8a40" ++string(4) "8a7e" ++string(0) "" ++string(4) "8a80" ++string(4) "8afc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8b40" ++string(4) "8b7e" ++string(0) "" ++string(4) "8b80" ++string(4) "8bfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8c40" ++string(4) "8c7e" ++string(0) "" ++string(4) "8c80" ++string(4) "8cfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8d40" ++string(4) "8d7e" ++string(0) "" ++string(4) "8d80" ++string(4) "8dfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8e40" ++string(4) "8e7e" ++string(0) "" ++string(4) "8e80" ++string(4) "8efc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8f40" ++string(4) "8f7e" ++string(0) "" ++string(4) "8f80" ++string(4) "8ffc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9040" ++string(4) "907e" ++string(0) "" ++string(4) "9080" ++string(4) "90fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9140" ++string(4) "917e" ++string(0) "" ++string(4) "9180" ++string(4) "91fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9240" ++string(4) "927e" ++string(0) "" ++string(4) "9280" ++string(4) "92fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9340" ++string(4) "937e" ++string(0) "" ++string(4) "9380" ++string(4) "93fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9440" ++string(4) "947e" ++string(0) "" ++string(4) "9480" ++string(4) "94fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9540" ++string(4) "957e" ++string(0) "" ++string(4) "9580" ++string(4) "95fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9640" ++string(4) "967e" ++string(0) "" ++string(4) "9680" ++string(4) "96fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9740" ++string(4) "977e" ++string(0) "" ++string(4) "9780" ++string(4) "97fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9840" ++string(4) "987e" ++string(0) "" ++string(4) "9880" ++string(4) "98fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9940" ++string(4) "997e" ++string(0) "" ++string(4) "9980" ++string(4) "99fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9a40" ++string(4) "9a7e" ++string(0) "" ++string(4) "9a80" ++string(4) "9afc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9b40" ++string(4) "9b7e" ++string(0) "" ++string(4) "9b80" ++string(4) "9bfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9c40" ++string(4) "9c7e" ++string(0) "" ++string(4) "9c80" ++string(4) "9cfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9d40" ++string(4) "9d7e" ++string(0) "" ++string(4) "9d80" ++string(4) "9dfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9e40" ++string(4) "9e7e" ++string(0) "" ++string(4) "9e80" ++string(4) "9efc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9f40" ++string(4) "9f7e" ++string(0) "" ++string(4) "9f80" ++string(4) "9ffc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e040" ++string(4) "e07e" ++string(0) "" ++string(4) "e080" ++string(4) "e0fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e140" ++string(4) "e17e" ++string(0) "" ++string(4) "e180" ++string(4) "e1fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e240" ++string(4) "e27e" ++string(0) "" ++string(4) "e280" ++string(4) "e2fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e340" ++string(4) "e37e" ++string(0) "" ++string(4) "e380" ++string(4) "e3fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e440" ++string(4) "e47e" ++string(0) "" ++string(4) "e480" ++string(4) "e4fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e540" ++string(4) "e57e" ++string(0) "" ++string(4) "e580" ++string(4) "e5fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e640" ++string(4) "e67e" ++string(0) "" ++string(4) "e680" ++string(4) "e6fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e740" ++string(4) "e77e" ++string(0) "" ++string(4) "e780" ++string(4) "e7fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e840" ++string(4) "e87e" ++string(0) "" ++string(4) "e880" ++string(4) "e8fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e940" ++string(4) "e97e" ++string(0) "" ++string(4) "e980" ++string(4) "e9fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ea40" ++string(4) "ea7e" ++string(0) "" ++string(4) "ea80" ++string(4) "eafc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eb40" ++string(4) "eb7e" ++string(0) "" ++string(4) "eb80" ++string(4) "ebfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ec40" ++string(4) "ec7e" ++string(0) "" ++string(4) "ec80" ++string(4) "ecfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ed40" ++string(4) "ed7e" ++string(0) "" ++string(4) "ed80" ++string(4) "edfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ee40" ++string(4) "ee7e" ++string(0) "" ++string(4) "ee80" ++string(4) "eefc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ef40" ++string(4) "ef7e" ++string(0) "" ++string(4) "ef80" ++string(4) "effc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f040" ++string(4) "f07e" ++string(0) "" ++string(4) "f080" ++string(4) "f0fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f140" ++string(4) "f17e" ++string(0) "" ++string(4) "f180" ++string(4) "f1fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f240" ++string(4) "f27e" ++string(0) "" ++string(4) "f280" ++string(4) "f2fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f340" ++string(4) "f37e" ++string(0) "" ++string(4) "f380" ++string(4) "f3fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f440" ++string(4) "f47e" ++string(0) "" ++string(4) "f480" ++string(4) "f4fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f540" ++string(4) "f57e" ++string(0) "" ++string(4) "f580" ++string(4) "f5fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f640" ++string(4) "f67e" ++string(0) "" ++string(4) "f680" ++string(4) "f6fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f740" ++string(4) "f77e" ++string(0) "" ++string(4) "f780" ++string(4) "f7fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f840" ++string(4) "f87e" ++string(0) "" ++string(4) "f880" ++string(4) "f8fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f940" ++string(4) "f97e" ++string(0) "" ++string(4) "f980" ++string(4) "f9fc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fa40" ++string(4) "fa7e" ++string(0) "" ++string(4) "fa80" ++string(4) "fafc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fb40" ++string(4) "fb7e" ++string(0) "" ++string(4) "fb80" ++string(4) "fbfc" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fc40" ++string(4) "fc7e" ++string(0) "" ++string(4) "fc80" ++string(4) "fcfc" ++string(0) "" ++string(0) "" ++string(0) "" ++-- ++string(2) "80" ++string(2) "81" ++string(2) "82" ++string(2) "83" ++string(2) "84" ++string(2) "85" ++string(2) "86" ++string(2) "87" ++string(2) "88" ++string(2) "89" ++string(2) "8a" ++string(2) "8b" ++string(2) "8c" ++string(2) "8d" ++string(2) "90" ++string(2) "91" ++string(2) "92" ++string(2) "93" ++string(2) "94" ++string(2) "95" ++string(2) "96" ++string(2) "97" ++string(2) "98" ++string(2) "99" ++string(2) "9a" ++string(2) "9b" ++string(2) "9c" ++string(2) "9d" ++string(2) "9e" ++string(2) "9f" ++string(2) "ff" ++string(0) "" ++string(0) "" ++string(4) "8ea1" ++string(0) "" ++string(0) "" ++string(6) "8fa1a3" ++-- ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a1a1" ++string(4) "a1fe" ++string(0) "" ++string(4) "8ea1" ++string(14) "8ea126616d703b" ++string(6) "8ea180" ++string(6) "8ea1a0" ++string(0) "" ++string(0) "" ++string(6) "8ea1ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa1a1" ++string(6) "8fa1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a2a1" ++string(4) "a2fe" ++string(0) "" ++string(4) "8ea2" ++string(14) "8ea226616d703b" ++string(6) "8ea280" ++string(6) "8ea2a0" ++string(0) "" ++string(0) "" ++string(6) "8ea2ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa2a1" ++string(6) "8fa2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a3a1" ++string(4) "a3fe" ++string(0) "" ++string(4) "8ea3" ++string(14) "8ea326616d703b" ++string(6) "8ea380" ++string(6) "8ea3a0" ++string(0) "" ++string(0) "" ++string(6) "8ea3ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa3a1" ++string(6) "8fa3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a4a1" ++string(4) "a4fe" ++string(0) "" ++string(4) "8ea4" ++string(14) "8ea426616d703b" ++string(6) "8ea480" ++string(6) "8ea4a0" ++string(0) "" ++string(0) "" ++string(6) "8ea4ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa4a1" ++string(6) "8fa4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a5a1" ++string(4) "a5fe" ++string(0) "" ++string(4) "8ea5" ++string(14) "8ea526616d703b" ++string(6) "8ea580" ++string(6) "8ea5a0" ++string(0) "" ++string(0) "" ++string(6) "8ea5ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa5a1" ++string(6) "8fa5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a6a1" ++string(4) "a6fe" ++string(0) "" ++string(4) "8ea6" ++string(14) "8ea626616d703b" ++string(6) "8ea680" ++string(6) "8ea6a0" ++string(0) "" ++string(0) "" ++string(6) "8ea6ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa6a1" ++string(6) "8fa6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a7a1" ++string(4) "a7fe" ++string(0) "" ++string(4) "8ea7" ++string(14) "8ea726616d703b" ++string(6) "8ea780" ++string(6) "8ea7a0" ++string(0) "" ++string(0) "" ++string(6) "8ea7ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa7a1" ++string(6) "8fa7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a8a1" ++string(4) "a8fe" ++string(0) "" ++string(4) "8ea8" ++string(14) "8ea826616d703b" ++string(6) "8ea880" ++string(6) "8ea8a0" ++string(0) "" ++string(0) "" ++string(6) "8ea8ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa8a1" ++string(6) "8fa8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a9a1" ++string(4) "a9fe" ++string(0) "" ++string(4) "8ea9" ++string(14) "8ea926616d703b" ++string(6) "8ea980" ++string(6) "8ea9a0" ++string(0) "" ++string(0) "" ++string(6) "8ea9ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fa9a1" ++string(6) "8fa9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aaa1" ++string(4) "aafe" ++string(0) "" ++string(4) "8eaa" ++string(14) "8eaa26616d703b" ++string(6) "8eaa80" ++string(6) "8eaaa0" ++string(0) "" ++string(0) "" ++string(6) "8eaaff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8faaa1" ++string(6) "8faafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aba1" ++string(4) "abfe" ++string(0) "" ++string(4) "8eab" ++string(14) "8eab26616d703b" ++string(6) "8eab80" ++string(6) "8eaba0" ++string(0) "" ++string(0) "" ++string(6) "8eabff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8faba1" ++string(6) "8fabfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aca1" ++string(4) "acfe" ++string(0) "" ++string(4) "8eac" ++string(14) "8eac26616d703b" ++string(6) "8eac80" ++string(6) "8eaca0" ++string(0) "" ++string(0) "" ++string(6) "8eacff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8faca1" ++string(6) "8facfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ada1" ++string(4) "adfe" ++string(0) "" ++string(4) "8ead" ++string(14) "8ead26616d703b" ++string(6) "8ead80" ++string(6) "8eada0" ++string(0) "" ++string(0) "" ++string(6) "8eadff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fada1" ++string(6) "8fadfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aea1" ++string(4) "aefe" ++string(0) "" ++string(4) "8eae" ++string(14) "8eae26616d703b" ++string(6) "8eae80" ++string(6) "8eaea0" ++string(0) "" ++string(0) "" ++string(6) "8eaeff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8faea1" ++string(6) "8faefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "afa1" ++string(4) "affe" ++string(0) "" ++string(4) "8eaf" ++string(14) "8eaf26616d703b" ++string(6) "8eaf80" ++string(6) "8eafa0" ++string(0) "" ++string(0) "" ++string(6) "8eafff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fafa1" ++string(6) "8faffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b0a1" ++string(4) "b0fe" ++string(0) "" ++string(4) "8eb0" ++string(14) "8eb026616d703b" ++string(6) "8eb080" ++string(6) "8eb0a0" ++string(0) "" ++string(0) "" ++string(6) "8eb0ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb0a1" ++string(6) "8fb0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b1a1" ++string(4) "b1fe" ++string(0) "" ++string(4) "8eb1" ++string(14) "8eb126616d703b" ++string(6) "8eb180" ++string(6) "8eb1a0" ++string(0) "" ++string(0) "" ++string(6) "8eb1ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb1a1" ++string(6) "8fb1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b2a1" ++string(4) "b2fe" ++string(0) "" ++string(4) "8eb2" ++string(14) "8eb226616d703b" ++string(6) "8eb280" ++string(6) "8eb2a0" ++string(0) "" ++string(0) "" ++string(6) "8eb2ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb2a1" ++string(6) "8fb2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b3a1" ++string(4) "b3fe" ++string(0) "" ++string(4) "8eb3" ++string(14) "8eb326616d703b" ++string(6) "8eb380" ++string(6) "8eb3a0" ++string(0) "" ++string(0) "" ++string(6) "8eb3ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb3a1" ++string(6) "8fb3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b4a1" ++string(4) "b4fe" ++string(0) "" ++string(4) "8eb4" ++string(14) "8eb426616d703b" ++string(6) "8eb480" ++string(6) "8eb4a0" ++string(0) "" ++string(0) "" ++string(6) "8eb4ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb4a1" ++string(6) "8fb4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b5a1" ++string(4) "b5fe" ++string(0) "" ++string(4) "8eb5" ++string(14) "8eb526616d703b" ++string(6) "8eb580" ++string(6) "8eb5a0" ++string(0) "" ++string(0) "" ++string(6) "8eb5ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb5a1" ++string(6) "8fb5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b6a1" ++string(4) "b6fe" ++string(0) "" ++string(4) "8eb6" ++string(14) "8eb626616d703b" ++string(6) "8eb680" ++string(6) "8eb6a0" ++string(0) "" ++string(0) "" ++string(6) "8eb6ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb6a1" ++string(6) "8fb6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b7a1" ++string(4) "b7fe" ++string(0) "" ++string(4) "8eb7" ++string(14) "8eb726616d703b" ++string(6) "8eb780" ++string(6) "8eb7a0" ++string(0) "" ++string(0) "" ++string(6) "8eb7ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb7a1" ++string(6) "8fb7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b8a1" ++string(4) "b8fe" ++string(0) "" ++string(4) "8eb8" ++string(14) "8eb826616d703b" ++string(6) "8eb880" ++string(6) "8eb8a0" ++string(0) "" ++string(0) "" ++string(6) "8eb8ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb8a1" ++string(6) "8fb8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b9a1" ++string(4) "b9fe" ++string(0) "" ++string(4) "8eb9" ++string(14) "8eb926616d703b" ++string(6) "8eb980" ++string(6) "8eb9a0" ++string(0) "" ++string(0) "" ++string(6) "8eb9ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fb9a1" ++string(6) "8fb9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "baa1" ++string(4) "bafe" ++string(0) "" ++string(4) "8eba" ++string(14) "8eba26616d703b" ++string(6) "8eba80" ++string(6) "8ebaa0" ++string(0) "" ++string(0) "" ++string(6) "8ebaff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fbaa1" ++string(6) "8fbafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bba1" ++string(4) "bbfe" ++string(0) "" ++string(4) "8ebb" ++string(14) "8ebb26616d703b" ++string(6) "8ebb80" ++string(6) "8ebba0" ++string(0) "" ++string(0) "" ++string(6) "8ebbff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fbba1" ++string(6) "8fbbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bca1" ++string(4) "bcfe" ++string(0) "" ++string(4) "8ebc" ++string(14) "8ebc26616d703b" ++string(6) "8ebc80" ++string(6) "8ebca0" ++string(0) "" ++string(0) "" ++string(6) "8ebcff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fbca1" ++string(6) "8fbcfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bda1" ++string(4) "bdfe" ++string(0) "" ++string(4) "8ebd" ++string(14) "8ebd26616d703b" ++string(6) "8ebd80" ++string(6) "8ebda0" ++string(0) "" ++string(0) "" ++string(6) "8ebdff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fbda1" ++string(6) "8fbdfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bea1" ++string(4) "befe" ++string(0) "" ++string(4) "8ebe" ++string(14) "8ebe26616d703b" ++string(6) "8ebe80" ++string(6) "8ebea0" ++string(0) "" ++string(0) "" ++string(6) "8ebeff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fbea1" ++string(6) "8fbefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bfa1" ++string(4) "bffe" ++string(0) "" ++string(4) "8ebf" ++string(14) "8ebf26616d703b" ++string(6) "8ebf80" ++string(6) "8ebfa0" ++string(0) "" ++string(0) "" ++string(6) "8ebfff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fbfa1" ++string(6) "8fbffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c0a1" ++string(4) "c0fe" ++string(0) "" ++string(4) "8ec0" ++string(14) "8ec026616d703b" ++string(6) "8ec080" ++string(6) "8ec0a0" ++string(0) "" ++string(0) "" ++string(6) "8ec0ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc0a1" ++string(6) "8fc0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c1a1" ++string(4) "c1fe" ++string(0) "" ++string(4) "8ec1" ++string(14) "8ec126616d703b" ++string(6) "8ec180" ++string(6) "8ec1a0" ++string(0) "" ++string(0) "" ++string(6) "8ec1ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc1a1" ++string(6) "8fc1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c2a1" ++string(4) "c2fe" ++string(0) "" ++string(4) "8ec2" ++string(14) "8ec226616d703b" ++string(6) "8ec280" ++string(6) "8ec2a0" ++string(0) "" ++string(0) "" ++string(6) "8ec2ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc2a1" ++string(6) "8fc2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c3a1" ++string(4) "c3fe" ++string(0) "" ++string(4) "8ec3" ++string(14) "8ec326616d703b" ++string(6) "8ec380" ++string(6) "8ec3a0" ++string(0) "" ++string(0) "" ++string(6) "8ec3ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc3a1" ++string(6) "8fc3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c4a1" ++string(4) "c4fe" ++string(0) "" ++string(4) "8ec4" ++string(14) "8ec426616d703b" ++string(6) "8ec480" ++string(6) "8ec4a0" ++string(0) "" ++string(0) "" ++string(6) "8ec4ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc4a1" ++string(6) "8fc4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c5a1" ++string(4) "c5fe" ++string(0) "" ++string(4) "8ec5" ++string(14) "8ec526616d703b" ++string(6) "8ec580" ++string(6) "8ec5a0" ++string(0) "" ++string(0) "" ++string(6) "8ec5ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc5a1" ++string(6) "8fc5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c6a1" ++string(4) "c6fe" ++string(0) "" ++string(4) "8ec6" ++string(14) "8ec626616d703b" ++string(6) "8ec680" ++string(6) "8ec6a0" ++string(0) "" ++string(0) "" ++string(6) "8ec6ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc6a1" ++string(6) "8fc6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c7a1" ++string(4) "c7fe" ++string(0) "" ++string(4) "8ec7" ++string(14) "8ec726616d703b" ++string(6) "8ec780" ++string(6) "8ec7a0" ++string(0) "" ++string(0) "" ++string(6) "8ec7ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc7a1" ++string(6) "8fc7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c8a1" ++string(4) "c8fe" ++string(0) "" ++string(4) "8ec8" ++string(14) "8ec826616d703b" ++string(6) "8ec880" ++string(6) "8ec8a0" ++string(0) "" ++string(0) "" ++string(6) "8ec8ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc8a1" ++string(6) "8fc8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c9a1" ++string(4) "c9fe" ++string(0) "" ++string(4) "8ec9" ++string(14) "8ec926616d703b" ++string(6) "8ec980" ++string(6) "8ec9a0" ++string(0) "" ++string(0) "" ++string(6) "8ec9ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fc9a1" ++string(6) "8fc9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "caa1" ++string(4) "cafe" ++string(0) "" ++string(4) "8eca" ++string(14) "8eca26616d703b" ++string(6) "8eca80" ++string(6) "8ecaa0" ++string(0) "" ++string(0) "" ++string(6) "8ecaff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fcaa1" ++string(6) "8fcafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cba1" ++string(4) "cbfe" ++string(0) "" ++string(4) "8ecb" ++string(14) "8ecb26616d703b" ++string(6) "8ecb80" ++string(6) "8ecba0" ++string(0) "" ++string(0) "" ++string(6) "8ecbff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fcba1" ++string(6) "8fcbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cca1" ++string(4) "ccfe" ++string(0) "" ++string(4) "8ecc" ++string(14) "8ecc26616d703b" ++string(6) "8ecc80" ++string(6) "8ecca0" ++string(0) "" ++string(0) "" ++string(6) "8eccff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fcca1" ++string(6) "8fccfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cda1" ++string(4) "cdfe" ++string(0) "" ++string(4) "8ecd" ++string(14) "8ecd26616d703b" ++string(6) "8ecd80" ++string(6) "8ecda0" ++string(0) "" ++string(0) "" ++string(6) "8ecdff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fcda1" ++string(6) "8fcdfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cea1" ++string(4) "cefe" ++string(0) "" ++string(4) "8ece" ++string(14) "8ece26616d703b" ++string(6) "8ece80" ++string(6) "8ecea0" ++string(0) "" ++string(0) "" ++string(6) "8eceff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fcea1" ++string(6) "8fcefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cfa1" ++string(4) "cffe" ++string(0) "" ++string(4) "8ecf" ++string(14) "8ecf26616d703b" ++string(6) "8ecf80" ++string(6) "8ecfa0" ++string(0) "" ++string(0) "" ++string(6) "8ecfff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fcfa1" ++string(6) "8fcffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d0a1" ++string(4) "d0fe" ++string(0) "" ++string(4) "8ed0" ++string(14) "8ed026616d703b" ++string(6) "8ed080" ++string(6) "8ed0a0" ++string(0) "" ++string(0) "" ++string(6) "8ed0ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd0a1" ++string(6) "8fd0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d1a1" ++string(4) "d1fe" ++string(0) "" ++string(4) "8ed1" ++string(14) "8ed126616d703b" ++string(6) "8ed180" ++string(6) "8ed1a0" ++string(0) "" ++string(0) "" ++string(6) "8ed1ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd1a1" ++string(6) "8fd1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d2a1" ++string(4) "d2fe" ++string(0) "" ++string(4) "8ed2" ++string(14) "8ed226616d703b" ++string(6) "8ed280" ++string(6) "8ed2a0" ++string(0) "" ++string(0) "" ++string(6) "8ed2ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd2a1" ++string(6) "8fd2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d3a1" ++string(4) "d3fe" ++string(0) "" ++string(4) "8ed3" ++string(14) "8ed326616d703b" ++string(6) "8ed380" ++string(6) "8ed3a0" ++string(0) "" ++string(0) "" ++string(6) "8ed3ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd3a1" ++string(6) "8fd3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d4a1" ++string(4) "d4fe" ++string(0) "" ++string(4) "8ed4" ++string(14) "8ed426616d703b" ++string(6) "8ed480" ++string(6) "8ed4a0" ++string(0) "" ++string(0) "" ++string(6) "8ed4ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd4a1" ++string(6) "8fd4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d5a1" ++string(4) "d5fe" ++string(0) "" ++string(4) "8ed5" ++string(14) "8ed526616d703b" ++string(6) "8ed580" ++string(6) "8ed5a0" ++string(0) "" ++string(0) "" ++string(6) "8ed5ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd5a1" ++string(6) "8fd5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d6a1" ++string(4) "d6fe" ++string(0) "" ++string(4) "8ed6" ++string(14) "8ed626616d703b" ++string(6) "8ed680" ++string(6) "8ed6a0" ++string(0) "" ++string(0) "" ++string(6) "8ed6ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd6a1" ++string(6) "8fd6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d7a1" ++string(4) "d7fe" ++string(0) "" ++string(4) "8ed7" ++string(14) "8ed726616d703b" ++string(6) "8ed780" ++string(6) "8ed7a0" ++string(0) "" ++string(0) "" ++string(6) "8ed7ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd7a1" ++string(6) "8fd7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d8a1" ++string(4) "d8fe" ++string(0) "" ++string(4) "8ed8" ++string(14) "8ed826616d703b" ++string(6) "8ed880" ++string(6) "8ed8a0" ++string(0) "" ++string(0) "" ++string(6) "8ed8ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd8a1" ++string(6) "8fd8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d9a1" ++string(4) "d9fe" ++string(0) "" ++string(4) "8ed9" ++string(14) "8ed926616d703b" ++string(6) "8ed980" ++string(6) "8ed9a0" ++string(0) "" ++string(0) "" ++string(6) "8ed9ff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fd9a1" ++string(6) "8fd9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "daa1" ++string(4) "dafe" ++string(0) "" ++string(4) "8eda" ++string(14) "8eda26616d703b" ++string(6) "8eda80" ++string(6) "8edaa0" ++string(0) "" ++string(0) "" ++string(6) "8edaff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fdaa1" ++string(6) "8fdafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dba1" ++string(4) "dbfe" ++string(0) "" ++string(4) "8edb" ++string(14) "8edb26616d703b" ++string(6) "8edb80" ++string(6) "8edba0" ++string(0) "" ++string(0) "" ++string(6) "8edbff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fdba1" ++string(6) "8fdbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dca1" ++string(4) "dcfe" ++string(0) "" ++string(4) "8edc" ++string(14) "8edc26616d703b" ++string(6) "8edc80" ++string(6) "8edca0" ++string(0) "" ++string(0) "" ++string(6) "8edcff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fdca1" ++string(6) "8fdcfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dda1" ++string(4) "ddfe" ++string(0) "" ++string(4) "8edd" ++string(14) "8edd26616d703b" ++string(6) "8edd80" ++string(6) "8edda0" ++string(0) "" ++string(0) "" ++string(6) "8eddff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fdda1" ++string(6) "8fddfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dea1" ++string(4) "defe" ++string(0) "" ++string(4) "8ede" ++string(14) "8ede26616d703b" ++string(6) "8ede80" ++string(6) "8edea0" ++string(0) "" ++string(0) "" ++string(6) "8edeff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fdea1" ++string(6) "8fdefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dfa1" ++string(4) "dffe" ++string(0) "" ++string(4) "8edf" ++string(14) "8edf26616d703b" ++string(6) "8edf80" ++string(6) "8edfa0" ++string(0) "" ++string(0) "" ++string(6) "8edfff" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fdfa1" ++string(6) "8fdffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e0a1" ++string(4) "e0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe0a1" ++string(6) "8fe0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e1a1" ++string(4) "e1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe1a1" ++string(6) "8fe1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e2a1" ++string(4) "e2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe2a1" ++string(6) "8fe2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e3a1" ++string(4) "e3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe3a1" ++string(6) "8fe3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e4a1" ++string(4) "e4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe4a1" ++string(6) "8fe4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e5a1" ++string(4) "e5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe5a1" ++string(6) "8fe5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e6a1" ++string(4) "e6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe6a1" ++string(6) "8fe6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e7a1" ++string(4) "e7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe7a1" ++string(6) "8fe7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e8a1" ++string(4) "e8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe8a1" ++string(6) "8fe8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e9a1" ++string(4) "e9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fe9a1" ++string(6) "8fe9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eaa1" ++string(4) "eafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8feaa1" ++string(6) "8feafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eba1" ++string(4) "ebfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8feba1" ++string(6) "8febfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eca1" ++string(4) "ecfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8feca1" ++string(6) "8fecfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eda1" ++string(4) "edfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8feda1" ++string(6) "8fedfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eea1" ++string(4) "eefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8feea1" ++string(6) "8feefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "efa1" ++string(4) "effe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8fefa1" ++string(6) "8feffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f0a1" ++string(4) "f0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff0a1" ++string(6) "8ff0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f1a1" ++string(4) "f1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff1a1" ++string(6) "8ff1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f2a1" ++string(4) "f2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff2a1" ++string(6) "8ff2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f3a1" ++string(4) "f3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff3a1" ++string(6) "8ff3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f4a1" ++string(4) "f4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff4a1" ++string(6) "8ff4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f5a1" ++string(4) "f5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff5a1" ++string(6) "8ff5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f6a1" ++string(4) "f6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff6a1" ++string(6) "8ff6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f7a1" ++string(4) "f7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff7a1" ++string(6) "8ff7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f8a1" ++string(4) "f8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff8a1" ++string(6) "8ff8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f9a1" ++string(4) "f9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ff9a1" ++string(6) "8ff9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "faa1" ++string(4) "fafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ffaa1" ++string(6) "8ffafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fba1" ++string(4) "fbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ffba1" ++string(6) "8ffbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fca1" ++string(4) "fcfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ffca1" ++string(6) "8ffcfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fda1" ++string(4) "fdfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ffda1" ++string(6) "8ffdfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fea1" ++string(4) "fefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(6) "8ffea1" ++string(6) "8ffefe" ++string(0) "" ++-- ++string(2) "80" ++string(2) "ff" ++-- ++string(0) "" ++string(0) "" ++string(4) "8140" ++string(4) "817e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "81a1" ++string(4) "81fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8240" ++string(4) "827e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "82a1" ++string(4) "82fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8340" ++string(4) "837e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "83a1" ++string(4) "83fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8440" ++string(4) "847e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "84a1" ++string(4) "84fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8540" ++string(4) "857e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "85a1" ++string(4) "85fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8640" ++string(4) "867e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "86a1" ++string(4) "86fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8740" ++string(4) "877e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "87a1" ++string(4) "87fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8840" ++string(4) "887e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "88a1" ++string(4) "88fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8940" ++string(4) "897e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "89a1" ++string(4) "89fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8a40" ++string(4) "8a7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8aa1" ++string(4) "8afe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8b40" ++string(4) "8b7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8ba1" ++string(4) "8bfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8c40" ++string(4) "8c7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8ca1" ++string(4) "8cfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8d40" ++string(4) "8d7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8da1" ++string(4) "8dfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8e40" ++string(4) "8e7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8ea1" ++string(4) "8efe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8f40" ++string(4) "8f7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "8fa1" ++string(4) "8ffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9040" ++string(4) "907e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "90a1" ++string(4) "90fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9140" ++string(4) "917e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "91a1" ++string(4) "91fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9240" ++string(4) "927e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "92a1" ++string(4) "92fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9340" ++string(4) "937e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "93a1" ++string(4) "93fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9440" ++string(4) "947e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "94a1" ++string(4) "94fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9540" ++string(4) "957e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "95a1" ++string(4) "95fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9640" ++string(4) "967e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "96a1" ++string(4) "96fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9740" ++string(4) "977e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "97a1" ++string(4) "97fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9840" ++string(4) "987e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "98a1" ++string(4) "98fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9940" ++string(4) "997e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "99a1" ++string(4) "99fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9a40" ++string(4) "9a7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9aa1" ++string(4) "9afe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9b40" ++string(4) "9b7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9ba1" ++string(4) "9bfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9c40" ++string(4) "9c7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9ca1" ++string(4) "9cfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9d40" ++string(4) "9d7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9da1" ++string(4) "9dfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9e40" ++string(4) "9e7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9ea1" ++string(4) "9efe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9f40" ++string(4) "9f7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "9fa1" ++string(4) "9ffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a040" ++string(4) "a07e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a0a1" ++string(4) "a0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a140" ++string(4) "a17e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a1a1" ++string(4) "a1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a240" ++string(4) "a27e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a2a1" ++string(4) "a2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a340" ++string(4) "a37e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a3a1" ++string(4) "a3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a440" ++string(4) "a47e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a4a1" ++string(4) "a4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a540" ++string(4) "a57e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a5a1" ++string(4) "a5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a640" ++string(4) "a67e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a6a1" ++string(4) "a6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a740" ++string(4) "a77e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a7a1" ++string(4) "a7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a840" ++string(4) "a87e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a8a1" ++string(4) "a8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a940" ++string(4) "a97e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "a9a1" ++string(4) "a9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aa40" ++string(4) "aa7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aaa1" ++string(4) "aafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ab40" ++string(4) "ab7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aba1" ++string(4) "abfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ac40" ++string(4) "ac7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aca1" ++string(4) "acfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ad40" ++string(4) "ad7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ada1" ++string(4) "adfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ae40" ++string(4) "ae7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "aea1" ++string(4) "aefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "af40" ++string(4) "af7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "afa1" ++string(4) "affe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b040" ++string(4) "b07e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b0a1" ++string(4) "b0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b140" ++string(4) "b17e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b1a1" ++string(4) "b1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b240" ++string(4) "b27e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b2a1" ++string(4) "b2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b340" ++string(4) "b37e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b3a1" ++string(4) "b3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b440" ++string(4) "b47e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b4a1" ++string(4) "b4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b540" ++string(4) "b57e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b5a1" ++string(4) "b5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b640" ++string(4) "b67e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b6a1" ++string(4) "b6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b740" ++string(4) "b77e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b7a1" ++string(4) "b7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b840" ++string(4) "b87e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b8a1" ++string(4) "b8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b940" ++string(4) "b97e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "b9a1" ++string(4) "b9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ba40" ++string(4) "ba7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "baa1" ++string(4) "bafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bb40" ++string(4) "bb7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bba1" ++string(4) "bbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bc40" ++string(4) "bc7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bca1" ++string(4) "bcfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bd40" ++string(4) "bd7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bda1" ++string(4) "bdfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "be40" ++string(4) "be7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bea1" ++string(4) "befe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bf40" ++string(4) "bf7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "bfa1" ++string(4) "bffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c040" ++string(4) "c07e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c0a1" ++string(4) "c0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c140" ++string(4) "c17e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c1a1" ++string(4) "c1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c240" ++string(4) "c27e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c2a1" ++string(4) "c2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c340" ++string(4) "c37e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c3a1" ++string(4) "c3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c440" ++string(4) "c47e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c4a1" ++string(4) "c4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c540" ++string(4) "c57e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c5a1" ++string(4) "c5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c640" ++string(4) "c67e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c6a1" ++string(4) "c6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c740" ++string(4) "c77e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c7a1" ++string(4) "c7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c840" ++string(4) "c87e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c8a1" ++string(4) "c8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c940" ++string(4) "c97e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "c9a1" ++string(4) "c9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ca40" ++string(4) "ca7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "caa1" ++string(4) "cafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cb40" ++string(4) "cb7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cba1" ++string(4) "cbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cc40" ++string(4) "cc7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cca1" ++string(4) "ccfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cd40" ++string(4) "cd7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cda1" ++string(4) "cdfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ce40" ++string(4) "ce7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cea1" ++string(4) "cefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cf40" ++string(4) "cf7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "cfa1" ++string(4) "cffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d040" ++string(4) "d07e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d0a1" ++string(4) "d0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d140" ++string(4) "d17e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d1a1" ++string(4) "d1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d240" ++string(4) "d27e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d2a1" ++string(4) "d2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d340" ++string(4) "d37e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d3a1" ++string(4) "d3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d440" ++string(4) "d47e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d4a1" ++string(4) "d4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d540" ++string(4) "d57e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d5a1" ++string(4) "d5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d640" ++string(4) "d67e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d6a1" ++string(4) "d6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d740" ++string(4) "d77e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d7a1" ++string(4) "d7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d840" ++string(4) "d87e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d8a1" ++string(4) "d8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d940" ++string(4) "d97e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "d9a1" ++string(4) "d9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "da40" ++string(4) "da7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "daa1" ++string(4) "dafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "db40" ++string(4) "db7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dba1" ++string(4) "dbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dc40" ++string(4) "dc7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dca1" ++string(4) "dcfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dd40" ++string(4) "dd7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dda1" ++string(4) "ddfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "de40" ++string(4) "de7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dea1" ++string(4) "defe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "df40" ++string(4) "df7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "dfa1" ++string(4) "dffe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e040" ++string(4) "e07e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e0a1" ++string(4) "e0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e140" ++string(4) "e17e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e1a1" ++string(4) "e1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e240" ++string(4) "e27e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e2a1" ++string(4) "e2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e340" ++string(4) "e37e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e3a1" ++string(4) "e3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e440" ++string(4) "e47e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e4a1" ++string(4) "e4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e540" ++string(4) "e57e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e5a1" ++string(4) "e5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e640" ++string(4) "e67e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e6a1" ++string(4) "e6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e740" ++string(4) "e77e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e7a1" ++string(4) "e7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e840" ++string(4) "e87e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e8a1" ++string(4) "e8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e940" ++string(4) "e97e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "e9a1" ++string(4) "e9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ea40" ++string(4) "ea7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eaa1" ++string(4) "eafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eb40" ++string(4) "eb7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eba1" ++string(4) "ebfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ec40" ++string(4) "ec7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eca1" ++string(4) "ecfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ed40" ++string(4) "ed7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eda1" ++string(4) "edfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ee40" ++string(4) "ee7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "eea1" ++string(4) "eefe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "ef40" ++string(4) "ef7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "efa1" ++string(4) "effe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f040" ++string(4) "f07e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f0a1" ++string(4) "f0fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f140" ++string(4) "f17e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f1a1" ++string(4) "f1fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f240" ++string(4) "f27e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f2a1" ++string(4) "f2fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f340" ++string(4) "f37e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f3a1" ++string(4) "f3fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f440" ++string(4) "f47e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f4a1" ++string(4) "f4fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f540" ++string(4) "f57e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f5a1" ++string(4) "f5fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f640" ++string(4) "f67e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f6a1" ++string(4) "f6fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f740" ++string(4) "f77e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f7a1" ++string(4) "f7fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f840" ++string(4) "f87e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f8a1" ++string(4) "f8fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f940" ++string(4) "f97e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "f9a1" ++string(4) "f9fe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fa40" ++string(4) "fa7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "faa1" ++string(4) "fafe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fb40" ++string(4) "fb7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fba1" ++string(4) "fbfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fc40" ++string(4) "fc7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fca1" ++string(4) "fcfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fd40" ++string(4) "fd7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fda1" ++string(4) "fdfe" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fe40" ++string(4) "fe7e" ++string(0) "" ++string(0) "" ++string(0) "" ++string(4) "fea1" ++string(4) "fefe" ++string(0) "" --- php5-5.2.4.orig/debian/patches/122_SECURITY_CVE-2008-3659.patch +++ php5-5.2.4/debian/patches/122_SECURITY_CVE-2008-3659.patch @@ -0,0 +1,40 @@ +# +# Description: fix denial of service and possible arbitrary code execution +# via the delimiter argument to the explode function +# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/286851 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499988 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch +# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/explode_bug.phpt?hideattic=1&r1=1.1&r2=1.1.2.1 +# +diff -Nur php5-5.2.4/ext/standard/tests/strings/explode_bug.phpt php5-5.2.4.new/ext/standard/tests/strings/explode_bug.phpt +--- php5-5.2.4/ext/standard/tests/strings/explode_bug.phpt 1969-12-31 19:00:00.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/tests/strings/explode_bug.phpt 2009-01-27 14:13:40.000000000 -0500 +@@ -0,0 +1,15 @@ ++--TEST-- ++Explode/memnstr bug ++--INI-- ++error_reporting=2047 ++memory_limit=256M ++--FILE-- ++ ++--EXPECTF-- ++array(1) { ++ [0]=> ++ string(1) "1" ++} +diff -Nur php5-5.2.4/Zend/zend_operators.h php5-5.2.4.new/Zend/zend_operators.h +--- php5-5.2.4/Zend/zend_operators.h 2007-07-20 20:35:14.000000000 -0400 ++++ php5-5.2.4.new/Zend/zend_operators.h 2009-01-27 14:13:40.000000000 -0500 +@@ -220,6 +220,9 @@ + char *p = haystack; + char ne = needle[needle_len-1]; + ++ if(needle_len > end-haystack) { ++ return NULL; ++ } + end -= needle_len; + + while (p <= end) { --- php5-5.2.4.orig/debian/patches/CVE-2009-3291.patch +++ php5-5.2.4/debian/patches/CVE-2009-3291.patch @@ -0,0 +1,36 @@ +Description: fix certificate spoofing via null-byte certs +upstream, Origin: http://svn.php.net/viewvc?view=revision&revision=288329 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/446313 + +diff -Nur php5-5.2.4/ext/openssl/openssl.c php5-5.2.4.new/ext/openssl/openssl.c +--- php5-5.2.4/ext/openssl/openssl.c 2007-08-08 02:29:46.000000000 -0400 ++++ php5-5.2.4.new/ext/openssl/openssl.c 2009-11-25 14:41:27.000000000 -0500 +@@ -3814,8 +3814,15 @@ + GET_VER_OPT_STRING("CN_match", cnmatch); + if (cnmatch) { + int match = 0; ++ int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf)); + +- X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf)); ++ if (name_len == -1) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to locate peer certificate CN"); ++ return FAILURE; ++ } else if (name_len != strlen(buf)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' is malformed", name_len, buf); ++ return FAILURE; ++ } + + match = strcmp(cnmatch, buf) == 0; + if (!match && strlen(buf) > 3 && buf[0] == '*' && buf[1] == '.') { +@@ -3830,10 +3837,7 @@ + + if (!match) { + /* didn't match */ +- php_error_docref(NULL TSRMLS_CC, E_WARNING, +- "Peer certificate CN=`%s' did not match expected CN=`%s'", +- buf, cnmatch); +- ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Peer certificate CN=`%.*s' did not match expected CN=`%s'", name_len, buf, cnmatch); + return FAILURE; + } + } --- php5-5.2.4.orig/debian/patches/CVE-2012-2688.patch +++ php5-5.2.4/debian/patches/CVE-2012-2688.patch @@ -0,0 +1,38 @@ +Description: fix denial of service and possible code execution via + _php_stream_scandir function +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=7d04e0fb2ec8be9b1c4b16a9f0b4958f853597f1 +Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=fc74503792b1ee92e4b813690890f3ed38fa3ad5 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683274 +Bug-Ubuntu: https://launchpad.net/bugs/1028064 + +Index: php5-5.2.4/main/streams/streams.c +=================================================================== +--- php5-5.2.4.orig/main/streams/streams.c 2007-08-08 03:01:49.000000000 -0400 ++++ php5-5.2.4/main/streams/streams.c 2012-09-12 11:48:04.797312540 -0400 +@@ -2036,8 +2036,8 @@ + php_stream *stream; + php_stream_dirent sdp; + char **vector = NULL; +- int vector_size = 0; +- int nfiles = 0; ++ unsigned int vector_size = 0; ++ unsigned int nfiles = 0; + + if (!namelist) { + return FAILURE; +@@ -2053,9 +2053,14 @@ + if (vector_size == 0) { + vector_size = 10; + } else { ++ if(vector_size*2 < vector_size) { ++ /* overflow */ ++ efree(vector); ++ return FAILURE; ++ } + vector_size *= 2; + } +- vector = (char **) erealloc(vector, vector_size * sizeof(char *)); ++ vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0); + } + + vector[nfiles] = estrdup(sdp.d_name); --- php5-5.2.4.orig/debian/patches/124_SECURITY_CVE-2008-5557.patch +++ php5-5.2.4/debian/patches/124_SECURITY_CVE-2008-5557.patch @@ -0,0 +1,47 @@ +# +# Description: fix mbstring extension arbitrary code execution via crafted +# string containing HTML entity. +# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/317672 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511493 +# Upstream: http://bugs.php.net/bug.php?id=45722 +# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c?hideattic=0&r1=1.7&r2=1.8 +# +diff -Nur php5-5.2.4/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c php5-5.2.4.new/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c +--- php5-5.2.4/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c 2005-02-21 05:12:43.000000000 -0500 ++++ php5-5.2.4.new/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c 2009-01-27 14:18:42.000000000 -0500 +@@ -232,8 +232,7 @@ + mbfl_filt_conv_html_dec_flush(filter); + if (c=='&') + { +- filter->status = 1; +- buffer[0] = '&'; ++ buffer[filter->status++] = '&'; + } + } + } +@@ -244,17 +243,19 @@ + int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter) + { + int status, pos = 0; +- char *buffer; ++ unsigned char *buffer; ++ int err = 0; + +- buffer = (char*)filter->opaque; ++ buffer = (unsigned char*)filter->opaque; + status = filter->status; ++ filter->status = 0; + /* flush fragments */ + while (status--) { +- CK((*filter->output_function)(buffer[pos++], filter->data)); ++ int e = (*filter->output_function)(buffer[pos++], filter->data); ++ if (e != 0) ++ err = e; + } +- filter->status = 0; +- /*filter->buffer = 0; of cause NOT*/ +- return 0; ++ return err; + } + + --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-4697.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-4697.patch @@ -0,0 +1,91 @@ +Subject: Fixed bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early). +Author: mail_ben_schmidt at yahoo dot com dot au +Origin: http://svn.php.net/viewvc?view=revision&revision=303913 +Bug: http://bugs.php.net/52879 + +CVE-2010-4697 + +Patch is modified from upstream commit to remove edits to the NEWS file, +to reduce conflicts when applying patches and backported to apply to +earlier releases of php. + +Index: Zend/zend_object_handlers.c +=================================================================== +--- Zend/zend_object_handlers.c (revision 303912) ++++ Zend/zend_object_handlers.c (revision 303913) +@@ -329,6 +329,9 @@ + zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && + !guard->in_get) { + /* have getter - try with it! */ ++ if (PZVAL_IS_REF(object)) { ++ SEPARATE_ZVAL(&object); ++ } + guard->in_get = 1; /* prevent circular getting */ + rv = zend_std_call_getter(object, member TSRMLS_CC); + guard->in_get = 0; +@@ -418,20 +421,20 @@ + } + } + } else { +- int setter_done = 0; + zend_guard *guard; + + if (zobj->ce->__set && + zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && + !guard->in_set) { ++ if (PZVAL_IS_REF(object)) { ++ SEPARATE_ZVAL(&object); ++ } + guard->in_set = 1; /* prevent circular setting */ + if (zend_std_call_setter(object, member, value TSRMLS_CC) != SUCCESS) { + /* for now, just ignore it - __set should take care of warnings, etc. */ + } +- setter_done = 1; + guard->in_set = 0; +- } +- if (!setter_done && property_info) { ++ } else if (property_info) { + zval **foo; + + /* if we assign referenced variable, we should separate it */ +@@ -611,6 +614,9 @@ + zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && + !guard->in_unset) { + /* have unseter - try with it! */ ++ if (PZVAL_IS_REF(object)) { ++ SEPARATE_ZVAL(&object); ++ } + guard->in_unset = 1; /* prevent circular unsetting */ + zend_std_call_unsetter(object, member TSRMLS_CC); + guard->in_unset = 0; +@@ -1042,6 +1048,9 @@ + zval *rv; + + /* have issetter - try with it! */ ++ if (PZVAL_IS_REF(object)) { ++ SEPARATE_ZVAL(&object); ++ } + guard->in_isset = 1; /* prevent circular getting */ + rv = zend_std_call_issetter(object, member TSRMLS_CC); + if (rv) { +Index: Zend/tests/bug52879.phpt +=================================================================== +--- Zend/tests/bug52879.phpt (revision 0) ++++ Zend/tests/bug52879.phpt (revision 303913) +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early) ++--FILE-- ++myRef = $value; ++ } ++} ++$myGlobal=new MyClass($myGlobal); ++$myGlobal->myRef=&$myGlobal; ++$myGlobal->myNonExistentProperty="ok\n"; ++echo $myGlobal; ++--EXPECT-- ++ok --- php5-5.2.4.orig/debian/patches/017-pread_pwrite_disable.patch +++ php5-5.2.4/debian/patches/017-pread_pwrite_disable.patch @@ -0,0 +1,22 @@ +Index: php5-5.2.4/acinclude.m4 +=================================================================== +--- php5-5.2.4.orig/acinclude.m4 2007-09-10 20:45:32.000000000 +0200 ++++ php5-5.2.4/acinclude.m4 2007-09-11 00:24:05.000000000 +0200 +@@ -1210,7 +1210,7 @@ + } + + ],[ +- ac_cv_pwrite=yes ++ ac_cv_pwrite=no + ],[ + ac_cv_pwrite=no + ],[ +@@ -1239,7 +1239,7 @@ + exit(0); + } + ],[ +- ac_cv_pread=yes ++ ac_cv_pread=no + ],[ + ac_cv_pread=no + ],[ --- php5-5.2.4.orig/debian/patches/006-debian_quirks.patch +++ php5-5.2.4/debian/patches/006-debian_quirks.patch @@ -0,0 +1,376 @@ +Index: php5-5.2.4/configure.in +=================================================================== +--- php5-5.2.4.orig/configure.in 2007-09-10 20:45:26.000000000 +0200 ++++ php5-5.2.4/configure.in 2007-09-11 00:23:54.000000000 +0200 +@@ -934,7 +934,7 @@ + fi + + PHP_ARG_WITH(pear, [whether to install PEAR], +-[ --with-pear=DIR Install PEAR in DIR [PREFIX/lib/php] ++[ --with-pear=DIR Install PEAR in DIR [PREFIX/lib/php5] + --without-pear Do not install PEAR], DEFAULT, yes) + + if test "$PHP_PEAR" != "no"; then +@@ -968,7 +968,7 @@ + if test "$PHP_PEAR" = "DEFAULT" || test "$PHP_PEAR" = "yes"; then + case $PHP_LAYOUT in + GNU) PEAR_INSTALLDIR=$datadir/pear;; +- *) PEAR_INSTALLDIR=$libdir/php;; ++ *) PEAR_INSTALLDIR=$libdir/php5;; + esac + fi + +@@ -1023,12 +1023,12 @@ + + case $libdir in + '${exec_prefix}/lib') +- libdir=$libdir/php ++ libdir=$libdir/php5 + ;; + esac + case $datadir in + '${prefix}/share') +- datadir=$datadir/php ++ datadir=$datadir/php5 + ;; + *) ;; + esac +@@ -1094,7 +1094,7 @@ + EXPANDED_DATADIR=$datadir + EXPANDED_PHP_CONFIG_FILE_PATH=`eval echo "$PHP_CONFIG_FILE_PATH"` + EXPANDED_PHP_CONFIG_FILE_SCAN_DIR=`eval echo "$PHP_CONFIG_FILE_SCAN_DIR"` +-INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR ++INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR:/usr/share/pear + + exec_prefix=$old_exec_prefix + libdir=$old_libdir +Index: php5-5.2.4/ext/ext_skel +=================================================================== +--- php5-5.2.4.orig/ext/ext_skel 2004-05-16 14:10:35.000000000 +0200 ++++ php5-5.2.4/ext/ext_skel 2007-09-11 00:23:54.000000000 +0200 +@@ -70,7 +70,7 @@ + fi + + if test -z "$skel_dir"; then +- skel_dir="skeleton" ++ skel_dir="/usr/lib/php5/skeleton" + fi + + ## convert skel_dir to full path +Index: php5-5.2.4/ext/session/session.c +=================================================================== +--- php5-5.2.4.orig/ext/session/session.c 2007-08-03 03:16:40.000000000 +0200 ++++ php5-5.2.4/ext/session/session.c 2007-09-11 00:23:54.000000000 +0200 +@@ -181,11 +181,11 @@ + PHP_INI_BEGIN() + STD_PHP_INI_BOOLEAN("session.bug_compat_42", "1", PHP_INI_ALL, OnUpdateBool, bug_compat, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN("session.bug_compat_warn", "1", PHP_INI_ALL, OnUpdateBool, bug_compat_warn, php_ps_globals, ps_globals) +- STD_PHP_INI_ENTRY("session.save_path", "", PHP_INI_ALL, OnUpdateSaveDir,save_path, php_ps_globals, ps_globals) ++ STD_PHP_INI_ENTRY("session.save_path", "/var/lib/php5", PHP_INI_ALL, OnUpdateString, save_path, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.name", "PHPSESSID", PHP_INI_ALL, OnUpdateString, session_name, php_ps_globals, ps_globals) + PHP_INI_ENTRY("session.save_handler", "files", PHP_INI_ALL, OnUpdateSaveHandler) + STD_PHP_INI_BOOLEAN("session.auto_start", "0", PHP_INI_ALL, OnUpdateBool, auto_start, php_ps_globals, ps_globals) +- STD_PHP_INI_ENTRY("session.gc_probability", "1", PHP_INI_ALL, OnUpdateLong, gc_probability, php_ps_globals, ps_globals) ++ STD_PHP_INI_ENTRY("session.gc_probability", "0", PHP_INI_ALL, OnUpdateLong, gc_probability, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.gc_divisor", "100", PHP_INI_ALL, OnUpdateLong, gc_divisor, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.gc_maxlifetime", "1440", PHP_INI_ALL, OnUpdateLong, gc_maxlifetime, php_ps_globals, ps_globals) + PHP_INI_ENTRY("session.serialize_handler", "php", PHP_INI_ALL, OnUpdateSerializer) +Index: php5-5.2.4/php.ini-dist +=================================================================== +--- php5-5.2.4.orig/php.ini-dist 2007-08-22 01:24:18.000000000 +0200 ++++ php5-5.2.4/php.ini-dist 2007-09-11 00:23:54.000000000 +0200 +@@ -466,7 +466,7 @@ + ;;;;;;;;;;;;;;;;;;;;;;;;; + + ; UNIX: "/path1:/path2" +-;include_path = ".:/php/includes" ++;include_path = ".:/usr/share/php" + ; + ; Windows: "\path1;\path2" + ;include_path = ".;c:\php\includes" +@@ -483,7 +483,7 @@ + user_dir = + + ; Directory in which the loadable extensions (modules) reside. +-extension_dir = "./" ++; extension_dir = "./" + + ; Whether or not to enable the dl() function. The dl() function does NOT work + ; properly in multithreaded servers, such as IIS or Zeus, and is automatically +@@ -596,58 +596,6 @@ + ; extension_dir directive above. + + +-; Windows Extensions +-; Note that ODBC support is built in, so no dll is needed for it. +-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5) +-; extension folders as well as the separate PECL DLL download (PHP 5). +-; Be sure to appropriately set the extension_dir directive. +- +-;extension=php_bz2.dll +-;extension=php_curl.dll +-;extension=php_dba.dll +-;extension=php_dbase.dll +-;extension=php_exif.dll +-;extension=php_fdf.dll +-;extension=php_gd2.dll +-;extension=php_gettext.dll +-;extension=php_gmp.dll +-;extension=php_ifx.dll +-;extension=php_imap.dll +-;extension=php_interbase.dll +-;extension=php_ldap.dll +-;extension=php_mbstring.dll +-;extension=php_mcrypt.dll +-;extension=php_mhash.dll +-;extension=php_mime_magic.dll +-;extension=php_ming.dll +-;extension=php_msql.dll +-;extension=php_mssql.dll +-;extension=php_mysql.dll +-;extension=php_mysqli.dll +-;extension=php_oci8.dll +-;extension=php_openssl.dll +-;extension=php_pdo.dll +-;extension=php_pdo_firebird.dll +-;extension=php_pdo_mssql.dll +-;extension=php_pdo_mysql.dll +-;extension=php_pdo_oci.dll +-;extension=php_pdo_oci8.dll +-;extension=php_pdo_odbc.dll +-;extension=php_pdo_pgsql.dll +-;extension=php_pdo_sqlite.dll +-;extension=php_pgsql.dll +-;extension=php_pspell.dll +-;extension=php_shmop.dll +-;extension=php_snmp.dll +-;extension=php_soap.dll +-;extension=php_sockets.dll +-;extension=php_sqlite.dll +-;extension=php_sybase_ct.dll +-;extension=php_tidy.dll +-;extension=php_xmlrpc.dll +-;extension=php_xsl.dll +-;extension=php_zip.dll +- + ;;;;;;;;;;;;;;;;;;; + ; Module Settings ; + ;;;;;;;;;;;;;;;;;;; +@@ -988,7 +936,7 @@ + ; + ; where MODE is the octal representation of the mode. Note that this + ; does not overwrite the process's umask. +-;session.save_path = "/tmp" ++;session.save_path = /var/lib/php5 + + ; Whether to use cookies. + session.use_cookies = 1 +@@ -1026,7 +974,10 @@ + ; e.g. 1/100 means there is a 1% chance that the GC process starts + ; on each request. + +-session.gc_probability = 1 ++; This is disabled in the Debian packages, due to the strict permissions ++; on /var/lib/php5. Instead of setting this here, see the cronjob at ++; /etc/cron.d/php5, which uses the session.gc_maxlifetime setting below ++;session.gc_probability = 0 + session.gc_divisor = 100 + + ; After this number of seconds, stored data will be seen as 'garbage' and +Index: php5-5.2.4/php.ini-recommended +=================================================================== +--- php5-5.2.4.orig/php.ini-recommended 2007-08-22 01:24:18.000000000 +0200 ++++ php5-5.2.4/php.ini-recommended 2007-09-11 00:23:54.000000000 +0200 +@@ -516,7 +516,7 @@ + ;;;;;;;;;;;;;;;;;;;;;;;;; + + ; UNIX: "/path1:/path2" +-;include_path = ".:/php/includes" ++;include_path = ".:/usr/share/php" + ; + ; Windows: "\path1;\path2" + ;include_path = ".;c:\php\includes" +@@ -533,7 +533,7 @@ + user_dir = + + ; Directory in which the loadable extensions (modules) reside. +-extension_dir = "./" ++;extension_dir = "./" + + ; Whether or not to enable the dl() function. The dl() function does NOT work + ; properly in multithreaded servers, such as IIS or Zeus, and is automatically +@@ -646,58 +646,6 @@ + ; extension_dir directive above. + + +-; Windows Extensions +-; Note that ODBC support is built in, so no dll is needed for it. +-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5) +-; extension folders as well as the separate PECL DLL download (PHP 5). +-; Be sure to appropriately set the extension_dir directive. +- +-;extension=php_bz2.dll +-;extension=php_curl.dll +-;extension=php_dba.dll +-;extension=php_dbase.dll +-;extension=php_exif.dll +-;extension=php_fdf.dll +-;extension=php_gd2.dll +-;extension=php_gettext.dll +-;extension=php_gmp.dll +-;extension=php_ifx.dll +-;extension=php_imap.dll +-;extension=php_interbase.dll +-;extension=php_ldap.dll +-;extension=php_mbstring.dll +-;extension=php_mcrypt.dll +-;extension=php_mhash.dll +-;extension=php_mime_magic.dll +-;extension=php_ming.dll +-;extension=php_msql.dll +-;extension=php_mssql.dll +-;extension=php_mysql.dll +-;extension=php_mysqli.dll +-;extension=php_oci8.dll +-;extension=php_openssl.dll +-;extension=php_pdo.dll +-;extension=php_pdo_firebird.dll +-;extension=php_pdo_mssql.dll +-;extension=php_pdo_mysql.dll +-;extension=php_pdo_oci.dll +-;extension=php_pdo_oci8.dll +-;extension=php_pdo_odbc.dll +-;extension=php_pdo_pgsql.dll +-;extension=php_pdo_sqlite.dll +-;extension=php_pgsql.dll +-;extension=php_pspell.dll +-;extension=php_shmop.dll +-;extension=php_snmp.dll +-;extension=php_soap.dll +-;extension=php_sockets.dll +-;extension=php_sqlite.dll +-;extension=php_sybase_ct.dll +-;extension=php_tidy.dll +-;extension=php_xmlrpc.dll +-;extension=php_xsl.dll +-;extension=php_zip.dll +- + ;;;;;;;;;;;;;;;;;;; + ; Module Settings ; + ;;;;;;;;;;;;;;;;;;; +@@ -1038,7 +986,7 @@ + ; + ; where MODE is the octal representation of the mode. Note that this + ; does not overwrite the process's umask. +-;session.save_path = "/tmp" ++;session.save_path = /var/lib/php5 + + ; Whether to use cookies. + session.use_cookies = 1 +@@ -1076,7 +1024,10 @@ + ; e.g. 1/100 means there is a 1% chance that the GC process starts + ; on each request. + +-session.gc_probability = 1 ++; This is disabled in the Debian packages, due to the strict permissions ++; on /var/lib/php5. Instead of setting this here, see the cronjob at ++; /etc/cron.d/php5, which uses the session.gc_maxlifetime setting below ++;session.gc_probability = 0 + session.gc_divisor = 1000 + + ; After this number of seconds, stored data will be seen as 'garbage' and +Index: php5-5.2.4/sapi/caudium/config.m4 +=================================================================== +--- php5-5.2.4.orig/sapi/caudium/config.m4 2007-07-12 01:20:36.000000000 +0200 ++++ php5-5.2.4/sapi/caudium/config.m4 2007-09-11 00:23:54.000000000 +0200 +@@ -26,8 +26,8 @@ + AC_MSG_ERROR([Could not find a pike in $PHP_CAUDIUM/bin/]) + fi + if $PIKE -e 'float v; int rel;sscanf(version(), "Pike v%f release %d", v, rel);v += rel/10000.0; if(v < 7.0268) exit(1); exit(0);'; then +- PIKE_MODULE_DIR=`$PIKE --show-paths 2>&1| grep '^Module' | sed -e 's/.*: //'` +- PIKE_INCLUDE_DIR=`echo $PIKE_MODULE_DIR | sed -e 's,lib/pike/modules,include/pike,' -e 's,lib/modules,include/pike,' ` ++ PIKE_MODULE_DIR=`$PIKE --show-paths 2>&1| grep '^Master file' | sed -e 's/.*: //' -e 's/master.pike/modules/'` ++ PIKE_INCLUDE_DIR=`echo $PIKE_MODULE_DIR | sed -e 's,lib/modules,,' -e 's,modules,include,' ` + if test -z "$PIKE_INCLUDE_DIR" || test -z "$PIKE_MODULE_DIR"; then + AC_MSG_ERROR(Failed to figure out Pike module and include directories) + fi +@@ -84,7 +84,9 @@ + PIKE_VERSION=`$PIKE -e 'string v; int rel;sscanf(version(), "Pike v%s release %d", v, rel); write(v+"."+rel);'` + AC_DEFINE(HAVE_CAUDIUM,1,[Whether to compile with Caudium support]) + PHP_SELECT_SAPI(caudium, shared, caudium.c) +- INSTALL_IT="\$(INSTALL) -m 0755 $SAPI_SHARED $PHP_CAUDIUM/lib/$PIKE_VERSION/PHP5.so" ++ dnl FIXME: This is the ugliest hack in the world! ++ dnl INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)$PHP_CAUDIUM/lib/$PIKE_VERSION/ && \$(INSTALL) -m 0755 $SAPI_SHARED \$(INSTALL_ROOT)$PHP_CAUDIUM/lib/$PIKE_VERSION/php5.so" ++ INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)$PHP_CAUDIUM/lib/$PIKE_VERSION/ && \$(INSTALL) -m 0755 .$SAPI_SHARED \$(INSTALL_ROOT)$PHP_CAUDIUM/lib/$PIKE_VERSION/PHP5.so" + RESULT=" *** Pike binary used: $PIKE + *** Pike include dir(s) used: $PIKE_INCLUDE_DIR + *** Pike version: $PIKE_VERSION" +Index: php5-5.2.4/sapi/cli/php.1.in +=================================================================== +--- php5-5.2.4.orig/sapi/cli/php.1.in 2007-04-23 22:54:22.000000000 +0200 ++++ php5-5.2.4/sapi/cli/php.1.in 2007-09-11 00:23:54.000000000 +0200 +@@ -306,13 +306,14 @@ + .B name + .SH FILES + .TP 15 +-.B php\-cli.ini ++.B /etc/php5/cli/php.ini + The configuration file for the CLI version of PHP. + .TP +-.B php.ini +-The standard configuration file will only be used when +-.B php\-cli.ini +-cannot be found. ++.B /etc/php5/cgi/php.ini ++The configuration file for the CGI version of PHP. ++.TP ++.B /etc/php5/apache2/php.ini ++The configuration file for the version of PHP that apache2 uses. + .SH EXAMPLES + .TP 5 + \fIphp -r 'echo "Hello World\\n";'\fP +Index: php5-5.2.4/scripts/Makefile.frag +=================================================================== +--- php5-5.2.4.orig/scripts/Makefile.frag 2005-11-22 00:08:02.000000000 +0100 ++++ php5-5.2.4/scripts/Makefile.frag 2007-09-11 00:23:54.000000000 +0200 +@@ -3,8 +3,8 @@ + # Build environment install + # + +-phpincludedir = $(includedir)/php +-phpbuilddir = $(libdir)/build ++phpincludedir = $(includedir)/php5 ++phpbuilddir = $(prefix)/lib/php5/build + + BUILD_FILES = \ + scripts/phpize.m4 \ +Index: php5-5.2.4/scripts/php-config.in +=================================================================== +--- php5-5.2.4.orig/scripts/php-config.in 2007-08-24 13:44:10.000000000 +0200 ++++ php5-5.2.4/scripts/php-config.in 2007-09-11 00:23:54.000000000 +0200 +@@ -5,8 +5,8 @@ + exec_prefix="@exec_prefix@" + version="@PHP_VERSION@" + vernum="@PHP_VERSION_ID@" +-include_dir="@includedir@/php" +-includes="-I$include_dir -I$include_dir/main -I$include_dir/TSRM -I$include_dir/Zend -I$include_dir/ext -I$include_dir/ext/date/lib" ++include_dir="@includedir@/php5" ++includes="-I$include_dir -I$include_dir/main -I$include_dir/TSRM -I$include_dir/Zend -I$include_dir/ext -I$include_dir/ext/date/lib $(getconf LFS_CFLAGS)" + ldflags="@PHP_LDFLAGS@" + libs="@EXTRA_LIBS@" + extension_dir='@EXTENSION_DIR@' +Index: php5-5.2.4/scripts/phpize.in +=================================================================== +--- php5-5.2.4.orig/scripts/phpize.in 2007-06-29 03:10:35.000000000 +0200 ++++ php5-5.2.4/scripts/phpize.in 2007-09-11 00:23:54.000000000 +0200 +@@ -3,8 +3,8 @@ + # Variable declaration + prefix='@prefix@' + exec_prefix="`eval echo @exec_prefix@`" +-phpdir="`eval echo @libdir@`/build" +-includedir="`eval echo @includedir@`/php" ++phpdir="$prefix/lib/php5/build" ++includedir="$prefix/include/php5" + builddir="`pwd`" + SED="@SED@" + --- php5-5.2.4.orig/debian/patches/034-apache2_umask_fix.patch +++ php5-5.2.4/debian/patches/034-apache2_umask_fix.patch @@ -0,0 +1,46 @@ + +Save and restore umask across requests correctly. + +Index: php5-5.2.4/sapi/apache2handler/sapi_apache2.c +=================================================================== +--- php5-5.2.4.orig/sapi/apache2handler/sapi_apache2.c 2007-06-28 19:23:07.000000000 +0200 ++++ php5-5.2.4/sapi/apache2handler/sapi_apache2.c 2007-09-11 00:24:16.000000000 +0200 +@@ -434,6 +434,19 @@ + return APR_SUCCESS; + } + ++static int saved_umask; ++ ++static void php_save_umask(void) ++{ ++ saved_umask = umask(077); ++ umask(saved_umask); ++} ++ ++static void php_restore_umask(void) ++{ ++ umask(saved_umask); ++} ++ + static int php_apache_request_ctor(request_rec *r, php_struct *ctx TSRMLS_DC) + { + char *content_length; +@@ -622,6 +635,8 @@ + } else { + zend_file_handle zfd; + ++ php_save_umask(); ++ + zfd.type = ZEND_HANDLE_FILENAME; + zfd.filename = (char *) r->filename; + zfd.free_filename = 0; +@@ -633,6 +648,9 @@ + zend_execute_scripts(ZEND_INCLUDE TSRMLS_CC, NULL, 1, &zfd); + } + ++ php_restore_umask(); ++ ++ + apr_table_set(r->notes, "mod_php_memory_usage", + apr_psprintf(ctx->r->pool, "%u", zend_memory_peak_usage(1 TSRMLS_CC))); + } --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-0708.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-0708.patch @@ -0,0 +1,132 @@ +Subject: fix bug #54002, exif_read_data crashes on crafted tags +Origin: http://svn.php.net/viewvc?view=revision&revision=308316 +Bug: http://bugs.php.net/bug.php?id=54002 + +Patch also includes +http://svn.php.net/viewvc?view=revision&revision=308317 + + Bug #54002, fix windows build, use the relevant values in the + warnings + +and http://svn.php.net/viewvc?view=revision&revision=308362 + + fix the fix (Dmitry) and ensure that it builds everywhere, can + someone test on solaris&co pls? + +Patch is also modified to drop the added testcases as they contained +jpegs and not-representable in diffs. They have been added to the +lp:qa-regression-testing tree instead. + +Index: ext/exif/exif.c +=================================================================== +--- ext/exif/exif.c (revision 308315) ++++ ext/exif/exif.c (revision 308316) +@@ -40,6 +40,10 @@ + #include "php.h" + #include "ext/standard/file.h" + ++#ifdef PHP_WIN32 ++include "win32/php_stdint.h" ++#endif ++ + #if HAVE_EXIF + + /* When EXIF_DEBUG is defined the module generates a lot of debug messages +@@ -2821,6 +2825,7 @@ + int tag, format, components; + char *value_ptr, tagname[64], cbuf[32], *outside=NULL; + size_t byte_count, offset_val, fpos, fgot; ++ int64_t byte_count_signed; + xp_field_type *tmp_xp; + #ifdef EXIF_DEBUG + char *dump_data; +@@ -2845,13 +2850,20 @@ + /*return TRUE;*/ + } + +- byte_count = components * php_tiff_bytes_per_format[format]; ++ if (components < 0) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); ++ return FALSE; ++ } + +- if ((ssize_t)byte_count < 0) { ++ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format]; ++ ++ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); + return FALSE; + } + ++ byte_count = (size_t)byte_count_signed; ++ + if (byte_count > 4) { + offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); + /* If its bigger than 4 bytes, the dir entry contains an offset. */ +@@ -2916,6 +2928,7 @@ + efree(dump_data); + } + #endif ++ + if (section_index==SECTION_THUMBNAIL) { + if (!ImageInfo->Thumbnail.data) { + switch(tag) { +Index: ext/exif/exif.c +=================================================================== +--- ext/exif/exif.c (revision 308316) ++++ ext/exif/exif.c (revision 308317) +@@ -41,7 +41,7 @@ + #include "ext/standard/file.h" + + #ifdef PHP_WIN32 +-include "win32/php_stdint.h" ++#include "win32/php_stdint.h" + #endif + + #if HAVE_EXIF +@@ -2851,14 +2851,14 @@ + } + + if (components < 0) { +- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components); + return FALSE; + } + + byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format]; + + if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) { +- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count); ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC)); + return FALSE; + } + +Index: ext/exif/exif.c +=================================================================== +--- ext/exif/exif.c (revision 308361) ++++ ext/exif/exif.c (revision 308362) +@@ -40,8 +40,14 @@ + #include "php.h" + #include "ext/standard/file.h" + ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_INTTYPES_H ++# include ++#endif + #ifdef PHP_WIN32 +-#include "win32/php_stdint.h" ++# include "win32/php_stdint.h" + #endif + + #if HAVE_EXIF +@@ -2857,7 +2863,7 @@ + + byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format]; + +- if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) { ++ if (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC)); + return FALSE; + } --- php5-5.2.4.orig/debian/patches/CVE-2009-3292.patch +++ php5-5.2.4/debian/patches/CVE-2009-3292.patch @@ -0,0 +1,71 @@ +Description: fix denial of service via malformed exif images +upstream, Origin: http://svn.php.net/viewvc?view=revision&revision=287371 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/446313 + +diff -Nur php5-5.2.4/ext/exif/exif.c php5-5.2.4.new/ext/exif/exif.c +--- php5-5.2.4/ext/exif/exif.c 2009-11-25 14:41:33.000000000 -0500 ++++ php5-5.2.4.new/ext/exif/exif.c 2009-11-25 14:41:37.000000000 -0500 +@@ -3238,7 +3238,7 @@ + { + /* Check the APP1 for Exif Identifier Code */ + static const uchar ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00}; +- if (memcmp(CharBuf+2, ExifHeader, 6)) { ++ if (length <= 8 || memcmp(CharBuf+2, ExifHeader, 6)) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Incorrect APP1 Exif Identifier Code"); + return; + } +@@ -3321,8 +3321,14 @@ + } + + /* Read the length of the section. */ +- lh = php_stream_getc(ImageInfo->infile); +- ll = php_stream_getc(ImageInfo->infile); ++ if ((lh = php_stream_getc(ImageInfo->infile)) == EOF) { ++ EXIF_ERRLOG_CORRUPT(ImageInfo) ++ return FALSE; ++ } ++ if ((ll = php_stream_getc(ImageInfo->infile)) == EOF) { ++ EXIF_ERRLOG_CORRUPT(ImageInfo) ++ return FALSE; ++ } + + itemlen = (lh << 8) | ll; + +@@ -3522,6 +3528,10 @@ + int entry_tag , entry_type; + tag_table_type tag_table = exif_get_tag_table(section_index); + ++ if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { ++ return FALSE; ++ } ++ + if (ImageInfo->FileSize >= dir_offset+2) { + sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); + #ifdef EXIF_DEBUG +@@ -3665,6 +3675,7 @@ + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Next IFD: %s @x%04X", exif_get_sectionname(sub_section_index), entry_offset); + #endif ++ ImageInfo->ifd_nesting_level++; + exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index TSRMLS_CC); + if (section_index!=SECTION_THUMBNAIL && entry_tag==TAG_SUB_IFD) { + if (ImageInfo->Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN +@@ -3704,6 +3715,7 @@ + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) at x%04X", next_offset); + #endif ++ ImageInfo->ifd_nesting_level++; + exif_process_IFD_in_TIFF(ImageInfo, next_offset, SECTION_THUMBNAIL TSRMLS_CC); + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size); +@@ -3776,9 +3788,7 @@ + } else { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF file"); + } +- } +- else +- if (!memcmp(file_header, "MM\x00\x2a", 4)) { ++ } else if (!memcmp(file_header, "MM\x00\x2a", 4)) { + ImageInfo->FileType = IMAGE_FILETYPE_TIFF_MM; + ImageInfo->motorola_intel = 1; + #ifdef EXIF_DEBUG --- php5-5.2.4.orig/debian/patches/043-recode_size_t.patch +++ php5-5.2.4/debian/patches/043-recode_size_t.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.5/ext/recode/recode.c +=================================================================== +--- php5-5.2.5.orig/ext/recode/recode.c 2007-06-22 02:02:15.000000000 +0200 ++++ php5-5.2.5/ext/recode/recode.c 2008-02-21 00:46:54.000000000 +0100 +@@ -136,7 +136,7 @@ + int req_len, str_len; + char *req, *str; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &req, &req_len, &str, &str_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &req, &req_len, &str, &str_len) == FAILURE || str_len < 0) { + return; + } + --- php5-5.2.4.orig/debian/patches/120_SECURITY_CVE-2007-5900.patch +++ php5-5.2.4/debian/patches/120_SECURITY_CVE-2007-5900.patch @@ -0,0 +1,145 @@ +# +# Description: fix php_admin_value and php_admin_flag restrictions bypass via ini_set +# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/228095 +# Upstream: http://bugs.php.net/bug.php?id=41561 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?hideattic=1&r1=1.39.2.2.2.8&r2=1.39.2.2.2.9 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?hideattic=1&r1=1.39.2.2.2.9&r2=1.39.2.2.2.10 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?hideattic=1&r1=1.39.2.2.2.13&r2=1.39.2.2.2.14 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?hideattic=1&r1=1.39.2.2.2.14&r2=1.39.2.2.2.15 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.h?hideattic=1&r1=1.34.2.1.2.4&r2=1.34.2.1.2.5 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.h?hideattic=1&r1=1.34.2.1.2.5&r2=1.34.2.1.2.6 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_def.h?hideattic=1&r1=1.59.2.29.2.47&r2=1.59.2.29.2.48 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_execute.h?hideattic=1&r1=1.62.2.30.2.48&r2=1.62.2.30.2.49 +# Patch: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?hideattic=1&r1=1.39.2.2.2.26&r2=1.39.2.2.2.27 +# +diff -Nur php5-5.2.4/Zend/zend_ini.c php5-5.2.4.new/Zend/zend_ini.c +--- php5-5.2.4/Zend/zend_ini.c 2007-08-23 14:42:42.000000000 -0400 ++++ php5-5.2.4.new/Zend/zend_ini.c 2009-01-27 14:10:46.000000000 -0500 +@@ -63,6 +63,9 @@ + ini_entry->modified = 0; + ini_entry->orig_value = NULL; + ini_entry->orig_value_length = 0; ++ if (ini_entry->modifiable >= (1 << 3)) { ++ ini_entry->modifiable >>= 3; ++ } + } + return 0; + } +@@ -234,8 +237,14 @@ + + ZEND_API int zend_alter_ini_entry(char *name, uint name_length, char *new_value, uint new_value_length, int modify_type, int stage) + { ++ return zend_alter_ini_entry_ex(name, name_length, new_value, new_value_length, modify_type, stage, 0); ++} ++ ++ZEND_API int zend_alter_ini_entry_ex(char *name, uint name_length, char *new_value, uint new_value_length, int modify_type, int stage, int force_change) /* {{{ */ ++{ + zend_ini_entry *ini_entry; + char *duplicate; ++ zend_bool modifiable; + zend_bool modified; + TSRMLS_FETCH(); + +@@ -243,11 +252,19 @@ + return FAILURE; + } + +- if (!(ini_entry->modifiable & modify_type)) { +- return FAILURE; ++ modifiable = ini_entry->modifiable; ++ modified = ini_entry->modified; ++ ++ if (stage == ZEND_INI_STAGE_ACTIVATE && modify_type == ZEND_INI_SYSTEM) { ++ /* only touch lower bits */ ++ ini_entry->modifiable = (ini_entry->modifiable & (ZEND_INI_ALL << 3)) | ZEND_INI_SYSTEM; + } + +- modified = ini_entry->modified; ++ if (!force_change) { ++ if (!(ini_entry->modifiable & modify_type)) { ++ return FAILURE; ++ } ++ } + + if (!EG(modified_ini_directives)) { + ALLOC_HASHTABLE(EG(modified_ini_directives)); +@@ -256,6 +273,8 @@ + if (!modified) { + ini_entry->orig_value = ini_entry->value; + ini_entry->orig_value_length = ini_entry->value_length; ++ /* store orginial value in the upper bits */ ++ ini_entry->modifiable = (modifiable << 3) | ini_entry->modifiable; + ini_entry->modified = 1; + zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL); + } +diff -Nur php5-5.2.4/Zend/zend_ini.h php5-5.2.4.new/Zend/zend_ini.h +--- php5-5.2.4/Zend/zend_ini.h 2007-08-02 19:57:21.000000000 -0400 ++++ php5-5.2.4.new/Zend/zend_ini.h 2009-01-27 14:10:40.000000000 -0500 +@@ -96,6 +96,7 @@ + ZEND_API void zend_unregister_ini_entries(int module_number TSRMLS_DC); + ZEND_API void zend_ini_refresh_caches(int stage TSRMLS_DC); + ZEND_API int zend_alter_ini_entry(char *name, uint name_length, char *new_value, uint new_value_length, int modify_type, int stage); ++ZEND_API int zend_alter_ini_entry_ex(char *name, uint name_length, char *new_value, uint new_value_length, int modify_type, int stage, int force_change); + ZEND_API int zend_restore_ini_entry(char *name, uint name_length, int stage); + ZEND_API void display_ini_entries(zend_module_entry *module); + +diff -Nur php5-5.2.4/Zend/zend_vm_def.h php5-5.2.4.new/Zend/zend_vm_def.h +--- php5-5.2.4/Zend/zend_vm_def.h 2007-07-24 15:24:39.000000000 -0400 ++++ php5-5.2.4.new/Zend/zend_vm_def.h 2009-01-27 14:10:42.000000000 -0500 +@@ -3599,7 +3599,7 @@ + } + + if (EG(error_reporting)) { +- zend_alter_ini_entry("error_reporting", sizeof("error_reporting"), "0", 1, ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME); ++ zend_alter_ini_entry_ex("error_reporting", sizeof("error_reporting"), "0", 1, ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME, 1); + } + ZEND_VM_NEXT_OPCODE(); + } +@@ -3619,7 +3619,7 @@ + Z_TYPE(restored_error_reporting) = IS_LONG; + Z_LVAL(restored_error_reporting) = Z_LVAL(EX_T(opline->op1.u.var).tmp_var); + convert_to_string(&restored_error_reporting); +- zend_alter_ini_entry("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME); ++ zend_alter_ini_entry_ex("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME, 1); + zendi_zval_dtor(restored_error_reporting); + } + if (EX(old_error_reporting) == &EX_T(opline->op1.u.var).tmp_var) { +@@ -3811,7 +3811,7 @@ + Z_TYPE(restored_error_reporting) = IS_LONG; + Z_LVAL(restored_error_reporting) = Z_LVAL_P(EX(old_error_reporting)); + convert_to_string(&restored_error_reporting); +- zend_alter_ini_entry("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME); ++ zend_alter_ini_entry_ex("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME, 1); + zendi_zval_dtor(restored_error_reporting); + } + EX(old_error_reporting) = NULL; +diff -Nur php5-5.2.4/Zend/zend_vm_execute.h php5-5.2.4.new/Zend/zend_vm_execute.h +--- php5-5.2.4/Zend/zend_vm_execute.h 2007-07-24 15:24:39.000000000 -0400 ++++ php5-5.2.4.new/Zend/zend_vm_execute.h 2009-01-27 14:10:44.000000000 -0500 +@@ -442,7 +442,7 @@ + } + + if (EG(error_reporting)) { +- zend_alter_ini_entry("error_reporting", sizeof("error_reporting"), "0", 1, ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME); ++ zend_alter_ini_entry_ex("error_reporting", sizeof("error_reporting"), "0", 1, ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME, 1); + } + ZEND_VM_NEXT_OPCODE(); + } +@@ -592,7 +592,7 @@ + Z_TYPE(restored_error_reporting) = IS_LONG; + Z_LVAL(restored_error_reporting) = Z_LVAL_P(EX(old_error_reporting)); + convert_to_string(&restored_error_reporting); +- zend_alter_ini_entry("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME); ++ zend_alter_ini_entry_ex("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME, 1); + zendi_zval_dtor(restored_error_reporting); + } + EX(old_error_reporting) = NULL; +@@ -4922,7 +4922,7 @@ + Z_TYPE(restored_error_reporting) = IS_LONG; + Z_LVAL(restored_error_reporting) = Z_LVAL(EX_T(opline->op1.u.var).tmp_var); + convert_to_string(&restored_error_reporting); +- zend_alter_ini_entry("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME); ++ zend_alter_ini_entry_ex("error_reporting", sizeof("error_reporting"), Z_STRVAL(restored_error_reporting), Z_STRLEN(restored_error_reporting), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME, 1); + zendi_zval_dtor(restored_error_reporting); + } + if (EX(old_error_reporting) == &EX_T(opline->op1.u.var).tmp_var) { --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-1470.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-1470.patch @@ -0,0 +1,70 @@ +Subject: Fixed bug#53579 (stream_get_contents() segfaults on ziparchive streams) + Also added the filename being access to the stream_get_meta_data() array +Origin: http://svn.php.net/viewvc?view=revision&revision=306493 + +CVE-2011-1470 + +Patch differs from upstream commit in that it drops the added entry to +the NEWS file to reduce patch conflicts. + +Index: ext/zip/tests/bug53579.phpt +=================================================================== +--- ext/zip/tests/bug53579.phpt (revision 0) ++++ ext/zip/tests/bug53579.phpt (revision 306493) +@@ -0,0 +1,44 @@ ++--TEST-- ++Bug #53579 (stream_get_contents() segfaults on ziparchive streams) ++--SKIPIF-- ++ ++--FILE-- ++open($file)) { ++ exit('failed'); ++} ++$fp = $zip->getStream('foo'); ++ ++var_dump($fp); ++if(!$fp) exit("\n"); ++$contents = stream_get_contents($fp); ++ ++fclose($fp); ++$zip->close(); ++var_dump($contents); ++ ++ ++$fp = fopen('zip://' . dirname(__FILE__) . '/test_with_comment.zip#foo', 'rb'); ++if (!$fp) { ++ exit("cannot open\n"); ++} ++$contents = stream_get_contents($fp); ++var_dump($contents); ++fclose($fp); ++ ++?> ++--EXPECTF-- ++resource(%d) of type (stream) ++string(5) "foo ++ ++" ++string(5) "foo ++ ++" +Index: ext/zip/zip_stream.c +=================================================================== +--- ext/zip/zip_stream.c (revision 306492) ++++ ext/zip/zip_stream.c (revision 306493) +@@ -216,6 +216,7 @@ + self->stream = NULL; + self->cursor = 0; + stream = php_stream_alloc(&php_stream_zipio_ops, self, NULL, mode); ++ stream->orig_path = estrdup(path); + } else { + zip_close(stream_za); + } --- php5-5.2.4.orig/debian/patches/001-libtool_fixes.patch +++ php5-5.2.4/debian/patches/001-libtool_fixes.patch @@ -0,0 +1,28 @@ +Index: php5-5.2.4/TSRM/configure.in +=================================================================== +--- php5-5.2.4.orig/TSRM/configure.in 2007-09-10 20:45:24.000000000 +0200 ++++ php5-5.2.4/TSRM/configure.in 2007-09-10 20:45:26.000000000 +0200 +@@ -13,9 +13,6 @@ + TSRM_THREADS_CHECKS + + AM_PROG_LIBTOOL +-if test "$enable_debug" != "yes"; then +- AM_SET_LIBTOOL_VARIABLE([--silent]) +-fi + + dnl TSRM_PTHREAD + +Index: php5-5.2.4/configure.in +=================================================================== +--- php5-5.2.4.orig/configure.in 2007-09-10 20:45:24.000000000 +0200 ++++ php5-5.2.4/configure.in 2007-09-10 20:45:26.000000000 +0200 +@@ -1256,9 +1256,6 @@ + AC_DEFUN([AC_PROG_CXX], [])]) + AC_PROG_LIBTOOL + +-if test "$enable_debug" != "yes"; then +- PHP_SET_LIBTOOL_VARIABLE([--silent]) +-fi + + dnl libtool 1.4.3 needs this. + PHP_SET_LIBTOOL_VARIABLE([--preserve-dup-deps]) --- php5-5.2.4.orig/debian/patches/107-reflection_is_ext.patch +++ php5-5.2.4/debian/patches/107-reflection_is_ext.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.0/ext/reflection/config.m4 +=================================================================== +--- php5-5.2.0.orig/ext/reflection/config.m4 2007-03-18 22:56:59.000000000 +0100 ++++ php5-5.2.0/ext/reflection/config.m4 2007-03-18 22:58:44.000000000 +0100 +@@ -2,7 +2,7 @@ + dnl config.m4 for extension reflection + + PHP_ARG_ENABLE(reflection, whether to enable reflection support, +-[ --disable-reflection Disable reflection support], yes, no) ++[ --disable-reflection Disable reflection support], yes) + + if test "$PHP_REFLECTION" != "no"; then + AC_DEFINE(HAVE_REFLECTION, 1, [Whether Reflection is enabled]) --- php5-5.2.4.orig/debian/patches/027-readline_is_editline.patch +++ php5-5.2.4/debian/patches/027-readline_is_editline.patch @@ -0,0 +1,61 @@ +Index: php5-5.2.4/ext/readline/config.m4 +=================================================================== +--- php5-5.2.4.orig/ext/readline/config.m4 2005-11-29 00:04:01.000000000 +0100 ++++ php5-5.2.4/ext/readline/config.m4 2007-12-21 12:21:51.623149790 +0100 +@@ -12,7 +12,7 @@ + + if test "$PHP_READLINE" && test "$PHP_READLINE" != "no"; then + for i in $PHP_READLINE /usr/local /usr; do +- test -f $i/include/readline/readline.h && READLINE_DIR=$i && break ++ test -f $i/include/editline/readline.h && READLINE_DIR=$i && break + done + + if test -z "$READLINE_DIR"; then +@@ -64,7 +64,7 @@ + elif test "$PHP_LIBEDIT" != "no"; then + + for i in $PHP_LIBEDIT /usr/local /usr; do +- test -f $i/include/readline/readline.h && LIBEDIT_DIR=$i && break ++ test -f $i/include/editline/readline.h && LIBEDIT_DIR=$i && break + done + + if test -z "$LIBEDIT_DIR"; then +Index: php5-5.2.4/ext/readline/readline.c +=================================================================== +--- php5-5.2.4.orig/ext/readline/readline.c 2007-02-12 02:23:17.000000000 +0100 ++++ php5-5.2.4/ext/readline/readline.c 2007-12-21 12:23:25.336380666 +0100 +@@ -33,7 +33,7 @@ + #define rl_completion_matches completion_matches + #endif + +-#include ++#include + #ifndef HAVE_LIBEDIT + #include + #endif +Index: php5-5.2.4/sapi/cli/php_cli.c +=================================================================== +--- php5-5.2.4.orig/sapi/cli/php_cli.c 2007-08-09 01:51:24.000000000 +0200 ++++ php5-5.2.4/sapi/cli/php_cli.c 2007-12-21 12:21:51.627149842 +0100 +@@ -76,7 +76,7 @@ + #endif + + #if (HAVE_LIBREADLINE || HAVE_LIBEDIT) && !defined(COMPILE_DL_READLINE) +-#include ++#include + #if !HAVE_LIBEDIT + #include + #endif +Index: php5-5.2.4/sapi/cli/php_cli_readline.c +=================================================================== +--- php5-5.2.4.orig/sapi/cli/php_cli_readline.c 2007-06-04 11:47:54.000000000 +0200 ++++ php5-5.2.4/sapi/cli/php_cli_readline.c 2007-12-21 12:21:51.627149842 +0100 +@@ -49,7 +49,7 @@ + #include + #endif + +-#include ++#include + #if !HAVE_LIBEDIT + #include + #endif --- php5-5.2.4.orig/debian/patches/045-exif_nesting_level.patch +++ php5-5.2.4/debian/patches/045-exif_nesting_level.patch @@ -0,0 +1,13 @@ +Index: php5-5.2.2/ext/exif/exif.c +=================================================================== +--- php5-5.2.2.orig/ext/exif/exif.c 2007-02-27 04:04:40.000000000 +0100 ++++ php5-5.2.2/ext/exif/exif.c 2007-05-04 17:42:23.000000000 +0200 +@@ -99,7 +99,7 @@ + + #define EFREE_IF(ptr) if (ptr) efree(ptr) + +-#define MAX_IFD_NESTING_LEVEL 100 ++#define MAX_IFD_NESTING_LEVEL 250 + + /* {{{ arginfo */ + static --- php5-5.2.4.orig/debian/patches/CVE-2010-1128.patch +++ php5-5.2.4/debian/patches/CVE-2010-1128.patch @@ -0,0 +1,27 @@ +Description: fix weak entropy in Linear Congruential Generator (LCG) +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=293253 + +diff -Nur php5-5.2.4/ext/standard/lcg.c php5-5.2.4.new/ext/standard/lcg.c +--- php5-5.2.4/ext/standard/lcg.c 2007-05-17 02:38:13.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/lcg.c 2010-09-15 08:27:10.000000000 -0400 +@@ -78,7 +78,7 @@ + struct timeval tv; + + if (gettimeofday(&tv, NULL) == 0) { +- LCG(s1) = tv.tv_sec ^ (~tv.tv_usec); ++ LCG(s1) = tv.tv_sec ^ (tv.tv_usec<<11); + } else { + LCG(s1) = 1; + } +@@ -88,6 +88,11 @@ + LCG(s2) = (long) getpid(); + #endif + ++ /* Add entropy to s2 by calling gettimeofday() again */ ++ if (gettimeofday(&tv, NULL) == 0) { ++ LCG(s2) ^= (tv.tv_usec<<11); ++ } ++ + LCG(seeded) = 1; + } + --- php5-5.2.4.orig/debian/patches/057-no_apache_installed.patch +++ php5-5.2.4/debian/patches/057-no_apache_installed.patch @@ -0,0 +1,92 @@ +Index: php5-5.2.4/sapi/apache2handler/config.m4 +=================================================================== +--- php5-5.2.4.orig/sapi/apache2handler/config.m4 2007-07-12 01:20:36.000000000 +0200 ++++ php5-5.2.4/sapi/apache2handler/config.m4 2007-09-11 00:41:45.000000000 +0200 +@@ -59,13 +59,13 @@ + + APACHE_CFLAGS="$APACHE_CPPFLAGS -I$APXS_INCLUDEDIR $APR_CFLAGS $APU_CFLAGS" + +- # Test that we're trying to configure with apache 2.x +- PHP_AP_EXTRACT_VERSION($APXS_HTTPD) +- if test "$APACHE_VERSION" -le 2000000; then +- AC_MSG_ERROR([You have enabled Apache 2 support while your server is Apache 1.3. Please use the appropiate switch --with-apxs (without the 2)]) +- elif test "$APACHE_VERSION" -lt 2000044; then +- AC_MSG_ERROR([Please note that Apache version >= 2.0.44 is required]) +- fi ++dnl # Test that we're trying to configure with apache 2.x ++dnl PHP_AP_EXTRACT_VERSION($APXS_HTTPD) ++dnl if test "$APACHE_VERSION" -le 2000000; then ++dnl AC_MSG_ERROR([You have enabled Apache 2 support while your server is Apache 1.3. Please use the appropiate switch --with-apxs (without the 2)]) ++dnl elif test "$APACHE_VERSION" -lt 2000044; then ++dnl AC_MSG_ERROR([Please note that Apache version >= 2.0.44 is required]) ++dnl fi + + APXS_LIBEXECDIR='$(INSTALL_ROOT)'`$APXS -q LIBEXECDIR` + if test -z `$APXS -q SYSCONFDIR`; then +Index: php5-5.2.4/sapi/apache/config.m4 +=================================================================== +--- php5-5.2.4.orig/sapi/apache/config.m4 2007-07-12 01:20:36.000000000 +0200 ++++ php5-5.2.4/sapi/apache/config.m4 2007-09-11 00:41:45.000000000 +0200 +@@ -56,11 +56,11 @@ + APXS_HTTPD=`$APXS -q SBINDIR`/`$APXS -q TARGET` + APACHE_INCLUDE=-I$APXS_INCLUDEDIR + +- # Test that we're trying to configure with apache 1.x +- PHP_AP_EXTRACT_VERSION($APXS_HTTPD) +- if test "$APACHE_VERSION" -ge 2000000; then +- AC_MSG_ERROR([You have enabled Apache 1.3 support while your server is Apache 2. Please use the appropiate switch --with-apxs2]) +- fi ++dnl # Test that we're trying to configure with apache 1.x ++dnl PHP_AP_EXTRACT_VERSION($APXS_HTTPD) ++dnl if test "$APACHE_VERSION" -ge 2000000; then ++dnl AC_MSG_ERROR([You have enabled Apache 1.3 support while your server is Apache 2. Please use the appropiate switch --with-apxs2]) ++dnl fi + + for flag in $APXS_CFLAGS; do + case $flag in +Index: php5-5.2.4/sapi/apache2filter/config.m4 +=================================================================== +--- php5-5.2.4.orig/sapi/apache2filter/config.m4 2007-07-12 01:20:36.000000000 +0200 ++++ php5-5.2.4/sapi/apache2filter/config.m4 2007-09-11 00:41:45.000000000 +0200 +@@ -60,13 +60,13 @@ + + APACHE_CFLAGS="$APACHE_CPPFLAGS -I$APXS_INCLUDEDIR $APR_CFLAGS $APU_CFLAGS" + +- # Test that we're trying to configure with apache 2.x +- PHP_AP_EXTRACT_VERSION($APXS_HTTPD) +- if test "$APACHE_VERSION" -le 2000000; then +- AC_MSG_ERROR([You have enabled Apache 2 support while your server is Apache 1.3. Please use the appropiate switch --with-apxs (without the 2)]) +- elif test "$APACHE_VERSION" -lt 2000040; then +- AC_MSG_ERROR([Please note that Apache version >= 2.0.40 is required]) +- fi ++dnl # Test that we're trying to configure with apache 2.x ++dnl PHP_AP_EXTRACT_VERSION($APXS_HTTPD) ++dnl if test "$APACHE_VERSION" -le 2000000; then ++dnl AC_MSG_ERROR([You have enabled Apache 2 support while your server is Apache 1.3. Please use the appropiate switch --with-apxs (without the 2)]) ++dnl elif test "$APACHE_VERSION" -lt 2000040; then ++dnl AC_MSG_ERROR([Please note that Apache version >= 2.0.40 is required]) ++dnl fi + + APXS_LIBEXECDIR='$(INSTALL_ROOT)'`$APXS -q LIBEXECDIR` + if test -z `$APXS -q SYSCONFDIR`; then +Index: php5-5.2.4/sapi/apache_hooks/config.m4 +=================================================================== +--- php5-5.2.4.orig/sapi/apache_hooks/config.m4 2007-07-12 01:20:36.000000000 +0200 ++++ php5-5.2.4/sapi/apache_hooks/config.m4 2007-09-11 00:41:45.000000000 +0200 +@@ -57,11 +57,11 @@ + APXS_HTTPD=`$APXS -q SBINDIR`/`$APXS -q TARGET` + APACHE_INCLUDE=-I$APXS_INCLUDEDIR + +- # Test that we're trying to configure with apache 1.x +- PHP_AP_EXTRACT_VERSION($APXS_HTTPD) +- if test "$APACHE_VERSION" -ge 2000000; then +- AC_MSG_ERROR([You have enabled Apache 1.3 support while your server is Apache 2. Please use the appropiate switch --with-apxs2]) +- fi ++dnl # Test that we're trying to configure with apache 1.x ++dnl PHP_AP_EXTRACT_VERSION($APXS_HTTPD) ++dnl if test "$APACHE_VERSION" -ge 2000000; then ++dnl AC_MSG_ERROR([You have enabled Apache 1.3 support while your server is Apache 2. Please use the appropiate switch --with-apxs2]) ++dnl fi + + for flag in $APXS_CFLAGS; do + case $flag in --- php5-5.2.4.orig/debian/patches/php5-CVE-2012-0788.patch +++ php5-5.2.4/debian/patches/php5-CVE-2012-0788.patch @@ -0,0 +1,42 @@ +Origin: http://svn.php.net/viewvc?view=revision&revision=317272 +Subject: Fix bug #55776 (PDORow to session bug) + +CVE-2012-0788 + +--- + ext/pdo/pdo_stmt.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: b/ext/pdo/pdo_stmt.c +=================================================================== +--- a/ext/pdo/pdo_stmt.c ++++ b/ext/pdo/pdo_stmt.c +@@ -2345,6 +2345,7 @@ static zend_object_value dbstmt_clone_ob + } + + zend_object_handlers pdo_dbstmt_object_handlers; ++static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC); + + void pdo_stmt_init(TSRMLS_D) + { +@@ -2368,6 +2369,7 @@ void pdo_stmt_init(TSRMLS_D) + pdo_row_ce = zend_register_internal_class(&ce TSRMLS_CC); + pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */ + pdo_row_ce->create_object = pdo_row_new; ++ pdo_row_ce->serialize = pdo_row_serialize; + } + + static void free_statement(pdo_stmt_t *stmt TSRMLS_DC) +@@ -2791,6 +2793,12 @@ zend_object_value pdo_row_new(zend_class + + return retval; + } ++ ++static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC) ++{ ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "PDORow instances may not be serialized"); ++ return FAILURE; ++} + /* }}} */ + + /* --- php5-5.2.4.orig/debian/patches/019-z_off_t_as_long.patch +++ php5-5.2.4/debian/patches/019-z_off_t_as_long.patch @@ -0,0 +1,1536 @@ +Index: php5-5.2.0/ext/zlib/zconf.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.0/ext/zlib/zconf.h 2007-03-18 22:58:40.000000000 +0100 +@@ -0,0 +1,326 @@ ++/* zconf.h -- configuration of the zlib compression library ++ * Copyright (C) 1995-2003 Jean-loup Gailly. ++ * For conditions of distribution and use, see copyright notice in zlib.h ++ */ ++ ++/* @(#) $Id: 019-z_off_t_as_long.patch.disabled,v 1.3 2004/08/23 07:48:56 adconrad Exp $ */ ++ ++#ifndef ZCONF_H ++#define ZCONF_H ++ ++#warning Including local zconf.h instead of system zconf.h ++ ++/* ++ * If you *really* need a unique prefix for all types and library functions, ++ * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it. ++ */ ++#ifdef Z_PREFIX ++# define deflateInit_ z_deflateInit_ ++# define deflate z_deflate ++# define deflateEnd z_deflateEnd ++# define inflateInit_ z_inflateInit_ ++# define inflate z_inflate ++# define inflateEnd z_inflateEnd ++# define deflateInit2_ z_deflateInit2_ ++# define deflateSetDictionary z_deflateSetDictionary ++# define deflateCopy z_deflateCopy ++# define deflateReset z_deflateReset ++# define deflatePrime z_deflatePrime ++# define deflateParams z_deflateParams ++# define deflateBound z_deflateBound ++# define inflateInit2_ z_inflateInit2_ ++# define inflateSetDictionary z_inflateSetDictionary ++# define inflateSync z_inflateSync ++# define inflateSyncPoint z_inflateSyncPoint ++# define inflateCopy z_inflateCopy ++# define inflateReset z_inflateReset ++# define compress z_compress ++# define compress2 z_compress2 ++# define compressBound z_compressBound ++# define uncompress z_uncompress ++# define adler32 z_adler32 ++# define crc32 z_crc32 ++# define get_crc_table z_get_crc_table ++ ++# define Byte z_Byte ++# define uInt z_uInt ++# define uLong z_uLong ++# define Bytef z_Bytef ++# define charf z_charf ++# define intf z_intf ++# define uIntf z_uIntf ++# define uLongf z_uLongf ++# define voidpf z_voidpf ++# define voidp z_voidp ++#endif ++ ++#if defined(__MSDOS__) && !defined(MSDOS) ++# define MSDOS ++#endif ++#if (defined(OS_2) || defined(__OS2__)) && !defined(OS2) ++# define OS2 ++#endif ++#if defined(_WINDOWS) && !defined(WINDOWS) ++# define WINDOWS ++#endif ++#if (defined(_WIN32) || defined(__WIN32__)) && !defined(WIN32) ++# define WIN32 ++#endif ++#if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32) ++# if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__) ++# ifndef SYS16BIT ++# define SYS16BIT ++# endif ++# endif ++#endif ++ ++/* ++ * Compile with -DMAXSEG_64K if the alloc function cannot allocate more ++ * than 64k bytes at a time (needed on systems with 16-bit int). ++ */ ++#ifdef SYS16BIT ++# define MAXSEG_64K ++#endif ++#ifdef MSDOS ++# define UNALIGNED_OK ++#endif ++ ++#ifdef __STDC_VERSION__ ++# ifndef STDC ++# define STDC ++# endif ++# if __STDC_VERSION__ >= 199901L ++# ifndef STDC99 ++# define STDC99 ++# endif ++# endif ++#endif ++#if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus)) ++# define STDC ++#endif ++#if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__)) ++# define STDC ++#endif ++#if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32)) ++# define STDC ++#endif ++#if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__)) ++# define STDC ++#endif ++ ++#if defined(__OS400__) && !defined(STDC) /* iSeries (formerly AS/400). */ ++# define STDC ++#endif ++ ++#ifndef STDC ++# ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */ ++# define const /* note: need a more gentle solution here */ ++# endif ++#endif ++ ++/* Some Mac compilers merge all .h files incorrectly: */ ++#if defined(__MWERKS__)||defined(applec)||defined(THINK_C)||defined(__SC__) ++# define NO_DUMMY_DECL ++#endif ++ ++/* Maximum value for memLevel in deflateInit2 */ ++#ifndef MAX_MEM_LEVEL ++# ifdef MAXSEG_64K ++# define MAX_MEM_LEVEL 8 ++# else ++# define MAX_MEM_LEVEL 9 ++# endif ++#endif ++ ++/* Maximum value for windowBits in deflateInit2 and inflateInit2. ++ * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files ++ * created by gzip. (Files created by minigzip can still be extracted by ++ * gzip.) ++ */ ++#ifndef MAX_WBITS ++# define MAX_WBITS 15 /* 32K LZ77 window */ ++#endif ++ ++/* The memory requirements for deflate are (in bytes): ++ (1 << (windowBits+2)) + (1 << (memLevel+9)) ++ that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values) ++ plus a few kilobytes for small objects. For example, if you want to reduce ++ the default memory requirements from 256K to 128K, compile with ++ make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7" ++ Of course this will generally degrade compression (there's no free lunch). ++ ++ The memory requirements for inflate are (in bytes) 1 << windowBits ++ that is, 32K for windowBits=15 (default value) plus a few kilobytes ++ for small objects. ++*/ ++ ++ /* Type declarations */ ++ ++#ifndef OF /* function prototypes */ ++# ifdef STDC ++# define OF(args) args ++# else ++# define OF(args) () ++# endif ++#endif ++ ++/* The following definitions for FAR are needed only for MSDOS mixed ++ * model programming (small or medium model with some far allocations). ++ * This was tested only with MSC; for other MSDOS compilers you may have ++ * to define NO_MEMCPY in zutil.h. If you don't need the mixed model, ++ * just define FAR to be empty. ++ */ ++#ifdef SYS16BIT ++# if defined(M_I86SM) || defined(M_I86MM) ++ /* MSC small or medium model */ ++# define SMALL_MEDIUM ++# ifdef _MSC_VER ++# define FAR _far ++# else ++# define FAR far ++# endif ++# endif ++# if (defined(__SMALL__) || defined(__MEDIUM__)) ++ /* Turbo C small or medium model */ ++# define SMALL_MEDIUM ++# ifdef __BORLANDC__ ++# define FAR _far ++# else ++# define FAR far ++# endif ++# endif ++#endif ++ ++#if defined(WINDOWS) || defined(WIN32) ++ /* If building or using zlib as a DLL, define ZLIB_DLL. ++ * This is not mandatory, but it offers a little performance increase. ++ */ ++# ifdef ZLIB_DLL ++# if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500)) ++# ifdef ZLIB_INTERNAL ++# define ZEXTERN extern __declspec(dllexport) ++# else ++# define ZEXTERN extern __declspec(dllimport) ++# endif ++# endif ++# endif /* ZLIB_DLL */ ++ /* If building or using zlib with the WINAPI/WINAPIV calling convention, ++ * define ZLIB_WINAPI. ++ * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI. ++ */ ++# ifdef ZLIB_WINAPI ++# ifdef FAR ++# undef FAR ++# endif ++# include ++ /* No need for _export, use ZLIB.DEF instead. */ ++ /* For complete Windows compatibility, use WINAPI, not __stdcall. */ ++# define ZEXPORT WINAPI ++# ifdef WIN32 ++# define ZEXPORTVA WINAPIV ++# else ++# define ZEXPORTVA FAR CDECL ++# endif ++# endif ++#endif ++ ++#if defined (__BEOS__) ++# ifdef ZLIB_DLL ++# ifdef ZLIB_INTERNAL ++# define ZEXPORT __declspec(dllexport) ++# define ZEXPORTVA __declspec(dllexport) ++# else ++# define ZEXPORT __declspec(dllimport) ++# define ZEXPORTVA __declspec(dllimport) ++# endif ++# endif ++#endif ++ ++#ifndef ZEXTERN ++# define ZEXTERN extern ++#endif ++#ifndef ZEXPORT ++# define ZEXPORT ++#endif ++#ifndef ZEXPORTVA ++# define ZEXPORTVA ++#endif ++ ++#ifndef FAR ++# define FAR ++#endif ++ ++#if !defined(__MACTYPES__) ++typedef unsigned char Byte; /* 8 bits */ ++#endif ++typedef unsigned int uInt; /* 16 bits or more */ ++typedef unsigned long uLong; /* 32 bits or more */ ++ ++#ifdef SMALL_MEDIUM ++ /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */ ++# define Bytef Byte FAR ++#else ++ typedef Byte FAR Bytef; ++#endif ++typedef char FAR charf; ++typedef int FAR intf; ++typedef uInt FAR uIntf; ++typedef uLong FAR uLongf; ++ ++#ifdef STDC ++ typedef void const *voidpc; ++ typedef void FAR *voidpf; ++ typedef void *voidp; ++#else ++ typedef Byte const *voidpc; ++ typedef Byte FAR *voidpf; ++ typedef Byte *voidp; ++#endif ++ ++#if 1 /* HAVE_UNISTD_H -- this line is updated by ./configure */ ++# include /* for off_t */ ++# include /* for SEEK_* and off_t */ ++# ifdef VMS ++# include /* for off_t */ ++# endif ++/* # define z_off_t off_t */ ++#endif ++#ifndef SEEK_SET ++# define SEEK_SET 0 /* Seek from beginning of file. */ ++# define SEEK_CUR 1 /* Seek from current position. */ ++# define SEEK_END 2 /* Set file pointer to EOF plus "offset" */ ++#endif ++#ifndef z_off_t ++# warning Defining z_off_t as 'long' rather than 'off_t' ++# define z_off_t long ++#endif ++ ++#if defined(__OS400__) ++#define NO_vsnprintf ++#endif ++ ++#if defined(__MVS__) ++# define NO_vsnprintf ++# ifdef FAR ++# undef FAR ++# endif ++#endif ++ ++/* MVS linker does not support external names larger than 8 bytes */ ++#if defined(__MVS__) ++# pragma map(deflateInit_,"DEIN") ++# pragma map(deflateInit2_,"DEIN2") ++# pragma map(deflateEnd,"DEEND") ++# pragma map(deflateBound,"DEBND") ++# pragma map(inflateInit_,"ININ") ++# pragma map(inflateInit2_,"ININ2") ++# pragma map(inflateEnd,"INEND") ++# pragma map(inflateSync,"INSY") ++# pragma map(inflateSetDictionary,"INSEDI") ++# pragma map(compressBound,"CMBND") ++# pragma map(inflate_table,"INTABL") ++# pragma map(inflate_fast,"INFA") ++# pragma map(inflate_copyright,"INCOPY") ++#endif ++ ++#endif /* ZCONF_H */ +Index: php5-5.2.0/ext/zlib/zlib.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.2.0/ext/zlib/zlib.h 2007-03-18 22:58:40.000000000 +0100 +@@ -0,0 +1,1200 @@ ++/* zlib.h -- interface of the 'zlib' general purpose compression library ++ version 1.2.1.1, January 9th, 2004 ++ ++ Copyright (C) 1995-2004 Jean-loup Gailly and Mark Adler ++ ++ This software is provided 'as-is', without any express or implied ++ warranty. In no event will the authors be held liable for any damages ++ arising from the use of this software. ++ ++ Permission is granted to anyone to use this software for any purpose, ++ including commercial applications, and to alter it and redistribute it ++ freely, subject to the following restrictions: ++ ++ 1. The origin of this software must not be misrepresented; you must not ++ claim that you wrote the original software. If you use this software ++ in a product, an acknowledgment in the product documentation would be ++ appreciated but is not required. ++ 2. Altered source versions must be plainly marked as such, and must not be ++ misrepresented as being the original software. ++ 3. This notice may not be removed or altered from any source distribution. ++ ++ Jean-loup Gailly Mark Adler ++ jloup@gzip.org madler@alumni.caltech.edu ++ ++ ++ The data format used by the zlib library is described by RFCs (Request for ++ Comments) 1950 to 1952 in the files http://www.ietf.org/rfc/rfc1950.txt ++ (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format). ++*/ ++ ++#ifndef ZLIB_H ++#define ZLIB_H ++ ++#include "zconf.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++#define ZLIB_VERSION "1.2.1.1" ++#define ZLIB_VERNUM 0x1211 ++ ++/* ++ The 'zlib' compression library provides in-memory compression and ++ decompression functions, including integrity checks of the uncompressed ++ data. This version of the library supports only one compression method ++ (deflation) but other algorithms will be added later and will have the same ++ stream interface. ++ ++ Compression can be done in a single step if the buffers are large ++ enough (for example if an input file is mmap'ed), or can be done by ++ repeated calls of the compression function. In the latter case, the ++ application must provide more input and/or consume the output ++ (providing more output space) before each call. ++ ++ The compressed data format used by the in-memory functions is the zlib ++ format, which is a zlib wrapper documented in RFC 1950, wrapped around a ++ deflate stream, which is itself documented in RFC 1951. ++ ++ The library also supports reading and writing files in gzip (.gz) format ++ with an interface similar to that of stdio using the functions that start ++ with "gz". The gzip format is different from the zlib format. gzip is a ++ gzip wrapper, documented in RFC 1952, wrapped around a deflate stream. ++ ++ The zlib format was designed to be compact and fast for use in memory ++ and on communications channels. The gzip format was designed for single- ++ file compression on file systems, has a larger header than zlib to maintain ++ directory information, and uses a different, slower check method than zlib. ++ ++ This library does not provide any functions to write gzip files in memory. ++ However such functions could be easily written using zlib's deflate function, ++ the documentation in the gzip RFC, and the examples in gzio.c. ++ ++ The library does not install any signal handler. The decoder checks ++ the consistency of the compressed data, so the library should never ++ crash even in case of corrupted input. ++*/ ++ ++typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size)); ++typedef void (*free_func) OF((voidpf opaque, voidpf address)); ++ ++struct internal_state; ++ ++typedef struct z_stream_s { ++ Bytef *next_in; /* next input byte */ ++ uInt avail_in; /* number of bytes available at next_in */ ++ uLong total_in; /* total nb of input bytes read so far */ ++ ++ Bytef *next_out; /* next output byte should be put there */ ++ uInt avail_out; /* remaining free space at next_out */ ++ uLong total_out; /* total nb of bytes output so far */ ++ ++ char *msg; /* last error message, NULL if no error */ ++ struct internal_state FAR *state; /* not visible by applications */ ++ ++ alloc_func zalloc; /* used to allocate the internal state */ ++ free_func zfree; /* used to free the internal state */ ++ voidpf opaque; /* private data object passed to zalloc and zfree */ ++ ++ int data_type; /* best guess about the data type: ascii or binary */ ++ uLong adler; /* adler32 value of the uncompressed data */ ++ uLong reserved; /* reserved for future use */ ++} z_stream; ++ ++typedef z_stream FAR *z_streamp; ++ ++/* ++ The application must update next_in and avail_in when avail_in has ++ dropped to zero. It must update next_out and avail_out when avail_out ++ has dropped to zero. The application must initialize zalloc, zfree and ++ opaque before calling the init function. All other fields are set by the ++ compression library and must not be updated by the application. ++ ++ The opaque value provided by the application will be passed as the first ++ parameter for calls of zalloc and zfree. This can be useful for custom ++ memory management. The compression library attaches no meaning to the ++ opaque value. ++ ++ zalloc must return Z_NULL if there is not enough memory for the object. ++ If zlib is used in a multi-threaded application, zalloc and zfree must be ++ thread safe. ++ ++ On 16-bit systems, the functions zalloc and zfree must be able to allocate ++ exactly 65536 bytes, but will not be required to allocate more than this ++ if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS, ++ pointers returned by zalloc for objects of exactly 65536 bytes *must* ++ have their offset normalized to zero. The default allocation function ++ provided by this library ensures this (see zutil.c). To reduce memory ++ requirements and avoid any allocation of 64K objects, at the expense of ++ compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h). ++ ++ The fields total_in and total_out can be used for statistics or ++ progress reports. After compression, total_in holds the total size of ++ the uncompressed data and may be saved for use in the decompressor ++ (particularly if the decompressor wants to decompress everything in ++ a single step). ++*/ ++ ++ /* constants */ ++ ++#define Z_NO_FLUSH 0 ++#define Z_PARTIAL_FLUSH 1 /* will be removed, use Z_SYNC_FLUSH instead */ ++#define Z_SYNC_FLUSH 2 ++#define Z_FULL_FLUSH 3 ++#define Z_FINISH 4 ++#define Z_BLOCK 5 ++/* Allowed flush values; see deflate() and inflate() below for details */ ++ ++#define Z_OK 0 ++#define Z_STREAM_END 1 ++#define Z_NEED_DICT 2 ++#define Z_ERRNO (-1) ++#define Z_STREAM_ERROR (-2) ++#define Z_DATA_ERROR (-3) ++#define Z_MEM_ERROR (-4) ++#define Z_BUF_ERROR (-5) ++#define Z_VERSION_ERROR (-6) ++/* Return codes for the compression/decompression functions. Negative ++ * values are errors, positive values are used for special but normal events. ++ */ ++ ++#define Z_NO_COMPRESSION 0 ++#define Z_BEST_SPEED 1 ++#define Z_BEST_COMPRESSION 9 ++#define Z_DEFAULT_COMPRESSION (-1) ++/* compression levels */ ++ ++#define Z_FILTERED 1 ++#define Z_HUFFMAN_ONLY 2 ++#define Z_RLE 3 ++#define Z_DEFAULT_STRATEGY 0 ++/* compression strategy; see deflateInit2() below for details */ ++ ++#define Z_BINARY 0 ++#define Z_ASCII 1 ++#define Z_UNKNOWN 2 ++/* Possible values of the data_type field (though see inflate()) */ ++ ++#define Z_DEFLATED 8 ++/* The deflate compression method (the only one supported in this version) */ ++ ++#define Z_NULL 0 /* for initializing zalloc, zfree, opaque */ ++ ++#define zlib_version zlibVersion() ++/* for compatibility with versions < 1.0.2 */ ++ ++ /* basic functions */ ++ ++ZEXTERN const char * ZEXPORT zlibVersion OF((void)); ++/* The application can compare zlibVersion and ZLIB_VERSION for consistency. ++ If the first character differs, the library code actually used is ++ not compatible with the zlib.h header file used by the application. ++ This check is automatically made by deflateInit and inflateInit. ++ */ ++ ++/* ++ZEXTERN int ZEXPORT deflateInit OF((z_streamp strm, int level)); ++ ++ Initializes the internal stream state for compression. The fields ++ zalloc, zfree and opaque must be initialized before by the caller. ++ If zalloc and zfree are set to Z_NULL, deflateInit updates them to ++ use default allocation functions. ++ ++ The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9: ++ 1 gives best speed, 9 gives best compression, 0 gives no compression at ++ all (the input data is simply copied a block at a time). ++ Z_DEFAULT_COMPRESSION requests a default compromise between speed and ++ compression (currently equivalent to level 6). ++ ++ deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not ++ enough memory, Z_STREAM_ERROR if level is not a valid compression level, ++ Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible ++ with the version assumed by the caller (ZLIB_VERSION). ++ msg is set to null if there is no error message. deflateInit does not ++ perform any compression: this will be done by deflate(). ++*/ ++ ++ ++ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush)); ++/* ++ deflate compresses as much data as possible, and stops when the input ++ buffer becomes empty or the output buffer becomes full. It may introduce some ++ output latency (reading input without producing any output) except when ++ forced to flush. ++ ++ The detailed semantics are as follows. deflate performs one or both of the ++ following actions: ++ ++ - Compress more input starting at next_in and update next_in and avail_in ++ accordingly. If not all input can be processed (because there is not ++ enough room in the output buffer), next_in and avail_in are updated and ++ processing will resume at this point for the next call of deflate(). ++ ++ - Provide more output starting at next_out and update next_out and avail_out ++ accordingly. This action is forced if the parameter flush is non zero. ++ Forcing flush frequently degrades the compression ratio, so this parameter ++ should be set only when necessary (in interactive applications). ++ Some output may be provided even if flush is not set. ++ ++ Before the call of deflate(), the application should ensure that at least ++ one of the actions is possible, by providing more input and/or consuming ++ more output, and updating avail_in or avail_out accordingly; avail_out ++ should never be zero before the call. The application can consume the ++ compressed output when it wants, for example when the output buffer is full ++ (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK ++ and with zero avail_out, it must be called again after making room in the ++ output buffer because there might be more output pending. ++ ++ If the parameter flush is set to Z_SYNC_FLUSH, all pending output is ++ flushed to the output buffer and the output is aligned on a byte boundary, so ++ that the decompressor can get all input data available so far. (In particular ++ avail_in is zero after the call if enough output space has been provided ++ before the call.) Flushing may degrade compression for some compression ++ algorithms and so it should be used only when necessary. ++ ++ If flush is set to Z_FULL_FLUSH, all output is flushed as with ++ Z_SYNC_FLUSH, and the compression state is reset so that decompression can ++ restart from this point if previous compressed data has been damaged or if ++ random access is desired. Using Z_FULL_FLUSH too often can seriously degrade ++ the compression. ++ ++ If deflate returns with avail_out == 0, this function must be called again ++ with the same value of the flush parameter and more output space (updated ++ avail_out), until the flush is complete (deflate returns with non-zero ++ avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that ++ avail_out is greater than six to avoid repeated flush markers due to ++ avail_out == 0 on return. ++ ++ If the parameter flush is set to Z_FINISH, pending input is processed, ++ pending output is flushed and deflate returns with Z_STREAM_END if there ++ was enough output space; if deflate returns with Z_OK, this function must be ++ called again with Z_FINISH and more output space (updated avail_out) but no ++ more input data, until it returns with Z_STREAM_END or an error. After ++ deflate has returned Z_STREAM_END, the only possible operations on the ++ stream are deflateReset or deflateEnd. ++ ++ Z_FINISH can be used immediately after deflateInit if all the compression ++ is to be done in a single step. In this case, avail_out must be at least ++ the value returned by deflateBound (see below). If deflate does not return ++ Z_STREAM_END, then it must be called again as described above. ++ ++ deflate() sets strm->adler to the adler32 checksum of all input read ++ so far (that is, total_in bytes). ++ ++ deflate() may update data_type if it can make a good guess about ++ the input data type (Z_ASCII or Z_BINARY). In doubt, the data is considered ++ binary. This field is only for information purposes and does not affect ++ the compression algorithm in any manner. ++ ++ deflate() returns Z_OK if some progress has been made (more input ++ processed or more output produced), Z_STREAM_END if all input has been ++ consumed and all output has been produced (only when flush is set to ++ Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example ++ if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible ++ (for example avail_in or avail_out was zero). Note that Z_BUF_ERROR is not ++ fatal, and deflate() can be called again with more input and more output ++ space to continue compressing. ++*/ ++ ++ ++ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm)); ++/* ++ All dynamically allocated data structures for this stream are freed. ++ This function discards any unprocessed input and does not flush any ++ pending output. ++ ++ deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the ++ stream state was inconsistent, Z_DATA_ERROR if the stream was freed ++ prematurely (some input or output was discarded). In the error case, ++ msg may be set but then points to a static string (which must not be ++ deallocated). ++*/ ++ ++ ++/* ++ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm)); ++ ++ Initializes the internal stream state for decompression. The fields ++ next_in, avail_in, zalloc, zfree and opaque must be initialized before by ++ the caller. If next_in is not Z_NULL and avail_in is large enough (the exact ++ value depends on the compression method), inflateInit determines the ++ compression method from the zlib header and allocates all data structures ++ accordingly; otherwise the allocation will be deferred to the first call of ++ inflate. If zalloc and zfree are set to Z_NULL, inflateInit updates them to ++ use default allocation functions. ++ ++ inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough ++ memory, Z_VERSION_ERROR if the zlib library version is incompatible with the ++ version assumed by the caller. msg is set to null if there is no error ++ message. inflateInit does not perform any decompression apart from reading ++ the zlib header if present: this will be done by inflate(). (So next_in and ++ avail_in may be modified, but next_out and avail_out are unchanged.) ++*/ ++ ++ ++ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush)); ++/* ++ inflate decompresses as much data as possible, and stops when the input ++ buffer becomes empty or the output buffer becomes full. It may introduce ++ some output latency (reading input without producing any output) except when ++ forced to flush. ++ ++ The detailed semantics are as follows. inflate performs one or both of the ++ following actions: ++ ++ - Decompress more input starting at next_in and update next_in and avail_in ++ accordingly. If not all input can be processed (because there is not ++ enough room in the output buffer), next_in is updated and processing ++ will resume at this point for the next call of inflate(). ++ ++ - Provide more output starting at next_out and update next_out and avail_out ++ accordingly. inflate() provides as much output as possible, until there ++ is no more input data or no more space in the output buffer (see below ++ about the flush parameter). ++ ++ Before the call of inflate(), the application should ensure that at least ++ one of the actions is possible, by providing more input and/or consuming ++ more output, and updating the next_* and avail_* values accordingly. ++ The application can consume the uncompressed output when it wants, for ++ example when the output buffer is full (avail_out == 0), or after each ++ call of inflate(). If inflate returns Z_OK and with zero avail_out, it ++ must be called again after making room in the output buffer because there ++ might be more output pending. ++ ++ The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH, ++ Z_FINISH, or Z_BLOCK. Z_SYNC_FLUSH requests that inflate() flush as much ++ output as possible to the output buffer. Z_BLOCK requests that inflate() stop ++ if and when it get to the next deflate block boundary. When decoding the zlib ++ or gzip format, this will cause inflate() to return immediately after the ++ header and before the first block. When doing a raw inflate, inflate() will ++ go ahead and process the first block, and will return when it gets to the end ++ of that block, or when it runs out of data. ++ ++ The Z_BLOCK option assists in appending to or combining deflate streams. ++ Also to assist in this, on return inflate() will set strm->data_type to the ++ number of unused bits in the last byte taken from strm->next_in, plus 64 ++ if inflate() is currently decoding the last block in the deflate stream, ++ plus 128 if inflate() returned immediately after decoding an end-of-block ++ code or decoding the complete header up to just before the first byte of the ++ deflate stream. The end-of-block will not be indicated until all of the ++ uncompressed data from that block has been written to strm->next_out. The ++ number of unused bits may in general be greater than seven, except when ++ bit 7 of data_type is set, in which case the number of unused bits will be ++ less than eight. ++ ++ inflate() should normally be called until it returns Z_STREAM_END or an ++ error. However if all decompression is to be performed in a single step ++ (a single call of inflate), the parameter flush should be set to ++ Z_FINISH. In this case all pending input is processed and all pending ++ output is flushed; avail_out must be large enough to hold all the ++ uncompressed data. (The size of the uncompressed data may have been saved ++ by the compressor for this purpose.) The next operation on this stream must ++ be inflateEnd to deallocate the decompression state. The use of Z_FINISH ++ is never required, but can be used to inform inflate that a faster approach ++ may be used for the single inflate() call. ++ ++ In this implementation, inflate() always flushes as much output as ++ possible to the output buffer, and always uses the faster approach on the ++ first call. So the only effect of the flush parameter in this implementation ++ is on the return value of inflate(), as noted below, or when it returns early ++ because Z_BLOCK is used. ++ ++ If a preset dictionary is needed after this call (see inflateSetDictionary ++ below), inflate sets strm-adler to the adler32 checksum of the dictionary ++ chosen by the compressor and returns Z_NEED_DICT; otherwise it sets ++ strm->adler to the adler32 checksum of all output produced so far (that is, ++ total_out bytes) and returns Z_OK, Z_STREAM_END or an error code as described ++ below. At the end of the stream, inflate() checks that its computed adler32 ++ checksum is equal to that saved by the compressor and returns Z_STREAM_END ++ only if the checksum is correct. ++ ++ inflate() will decompress and check either zlib-wrapped or gzip-wrapped ++ deflate data. The header type is detected automatically. Any information ++ contained in the gzip header is not retained, so applications that need that ++ information should instead use raw inflate, see inflateInit2() below, or ++ inflateBack() and perform their own processing of the gzip header and ++ trailer. ++ ++ inflate() returns Z_OK if some progress has been made (more input processed ++ or more output produced), Z_STREAM_END if the end of the compressed data has ++ been reached and all uncompressed output has been produced, Z_NEED_DICT if a ++ preset dictionary is needed at this point, Z_DATA_ERROR if the input data was ++ corrupted (input stream not conforming to the zlib format or incorrect check ++ value), Z_STREAM_ERROR if the stream structure was inconsistent (for example ++ if next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory, ++ Z_BUF_ERROR if no progress is possible or if there was not enough room in the ++ output buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and ++ inflate() can be called again with more input and more output space to ++ continue decompressing. If Z_DATA_ERROR is returned, the application may then ++ call inflateSync() to look for a good compression block if a partial recovery ++ of the data is desired. ++*/ ++ ++ ++ZEXTERN int ZEXPORT inflateEnd OF((z_streamp strm)); ++/* ++ All dynamically allocated data structures for this stream are freed. ++ This function discards any unprocessed input and does not flush any ++ pending output. ++ ++ inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state ++ was inconsistent. In the error case, msg may be set but then points to a ++ static string (which must not be deallocated). ++*/ ++ ++ /* Advanced functions */ ++ ++/* ++ The following functions are needed only in some special applications. ++*/ ++ ++/* ++ZEXTERN int ZEXPORT deflateInit2 OF((z_streamp strm, ++ int level, ++ int method, ++ int windowBits, ++ int memLevel, ++ int strategy)); ++ ++ This is another version of deflateInit with more compression options. The ++ fields next_in, zalloc, zfree and opaque must be initialized before by ++ the caller. ++ ++ The method parameter is the compression method. It must be Z_DEFLATED in ++ this version of the library. ++ ++ The windowBits parameter is the base two logarithm of the window size ++ (the size of the history buffer). It should be in the range 8..15 for this ++ version of the library. Larger values of this parameter result in better ++ compression at the expense of memory usage. The default value is 15 if ++ deflateInit is used instead. ++ ++ windowBits can also be -8..-15 for raw deflate. In this case, -windowBits ++ determines the window size. deflate() will then generate raw deflate data ++ with no zlib header or trailer, and will not compute an adler32 check value. ++ ++ windowBits can also be greater than 15 for optional gzip encoding. Add ++ 16 to windowBits to write a simple gzip header and trailer around the ++ compressed data instead of a zlib wrapper. The gzip header will have no ++ file name, no extra data, no comment, no modification time (set to zero), ++ no header crc, and the operating system will be set to 255 (unknown). ++ ++ The memLevel parameter specifies how much memory should be allocated ++ for the internal compression state. memLevel=1 uses minimum memory but ++ is slow and reduces compression ratio; memLevel=9 uses maximum memory ++ for optimal speed. The default value is 8. See zconf.h for total memory ++ usage as a function of windowBits and memLevel. ++ ++ The strategy parameter is used to tune the compression algorithm. Use the ++ value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a ++ filter (or predictor), Z_HUFFMAN_ONLY to force Huffman encoding only (no ++ string match), or Z_RLE to limit match distances to one (run-length ++ encoding). Filtered data consists mostly of small values with a somewhat ++ random distribution. In this case, the compression algorithm is tuned to ++ compress them better. The effect of Z_FILTERED is to force more Huffman ++ coding and less string matching; it is somewhat intermediate between ++ Z_DEFAULT and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as fast as ++ Z_HUFFMAN_ONLY, but give better compression for PNG image data. The strategy ++ parameter only affects the compression ratio but not the correctness of the ++ compressed output even if it is not set appropriately. ++ ++ deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough ++ memory, Z_STREAM_ERROR if a parameter is invalid (such as an invalid ++ method). msg is set to null if there is no error message. deflateInit2 does ++ not perform any compression: this will be done by deflate(). ++*/ ++ ++ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm, ++ const Bytef *dictionary, ++ uInt dictLength)); ++/* ++ Initializes the compression dictionary from the given byte sequence ++ without producing any compressed output. This function must be called ++ immediately after deflateInit, deflateInit2 or deflateReset, before any ++ call of deflate. The compressor and decompressor must use exactly the same ++ dictionary (see inflateSetDictionary). ++ ++ The dictionary should consist of strings (byte sequences) that are likely ++ to be encountered later in the data to be compressed, with the most commonly ++ used strings preferably put towards the end of the dictionary. Using a ++ dictionary is most useful when the data to be compressed is short and can be ++ predicted with good accuracy; the data can then be compressed better than ++ with the default empty dictionary. ++ ++ Depending on the size of the compression data structures selected by ++ deflateInit or deflateInit2, a part of the dictionary may in effect be ++ discarded, for example if the dictionary is larger than the window size in ++ deflate or deflate2. Thus the strings most likely to be useful should be ++ put at the end of the dictionary, not at the front. ++ ++ Upon return of this function, strm->adler is set to the adler32 value ++ of the dictionary; the decompressor may later use this value to determine ++ which dictionary has been used by the compressor. (The adler32 value ++ applies to the whole dictionary even if only a subset of the dictionary is ++ actually used by the compressor.) If a raw deflate was requested, then the ++ adler32 value is not computed and strm->adler is not set. ++ ++ deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a ++ parameter is invalid (such as NULL dictionary) or the stream state is ++ inconsistent (for example if deflate has already been called for this stream ++ or if the compression method is bsort). deflateSetDictionary does not ++ perform any compression: this will be done by deflate(). ++*/ ++ ++ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest, ++ z_streamp source)); ++/* ++ Sets the destination stream as a complete copy of the source stream. ++ ++ This function can be useful when several compression strategies will be ++ tried, for example when there are several ways of pre-processing the input ++ data with a filter. The streams that will be discarded should then be freed ++ by calling deflateEnd. Note that deflateCopy duplicates the internal ++ compression state which can be quite large, so this strategy is slow and ++ can consume lots of memory. ++ ++ deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not ++ enough memory, Z_STREAM_ERROR if the source stream state was inconsistent ++ (such as zalloc being NULL). msg is left unchanged in both source and ++ destination. ++*/ ++ ++ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm)); ++/* ++ This function is equivalent to deflateEnd followed by deflateInit, ++ but does not free and reallocate all the internal compression state. ++ The stream will keep the same compression level and any other attributes ++ that may have been set by deflateInit2. ++ ++ deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source ++ stream state was inconsistent (such as zalloc or state being NULL). ++*/ ++ ++ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm, ++ int level, ++ int strategy)); ++/* ++ Dynamically update the compression level and compression strategy. The ++ interpretation of level and strategy is as in deflateInit2. This can be ++ used to switch between compression and straight copy of the input data, or ++ to switch to a different kind of input data requiring a different ++ strategy. If the compression level is changed, the input available so far ++ is compressed with the old level (and may be flushed); the new level will ++ take effect only at the next call of deflate(). ++ ++ Before the call of deflateParams, the stream state must be set as for ++ a call of deflate(), since the currently available input may have to ++ be compressed and flushed. In particular, strm->avail_out must be non-zero. ++ ++ deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source ++ stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR ++ if strm->avail_out was zero. ++*/ ++ ++ZEXTERN uLong ZEXPORT deflateBound OF((z_streamp strm, ++ uLong sourceLen)); ++/* ++ deflateBound() returns an upper bound on the compressed size after ++ deflation of sourceLen bytes. It must be called after deflateInit() ++ or deflateInit2(). This would be used to allocate an output buffer ++ for deflation in a single pass, and so would be called before deflate(). ++*/ ++ ++ZEXTERN int ZEXPORT deflatePrime OF((z_streamp strm, ++ int bits, ++ int value)); ++/* ++ deflatePrime() inserts bits in the deflate output stream. The intent ++ is that this function is used to start off the deflate output with the ++ bits leftover from a previous deflate stream when appending to it. As such, ++ this function can only be used for raw deflate, and must be used before the ++ first deflate() call after a deflateInit2() or deflateReset(). bits must be ++ less than or equal to 16, and that many of the least significant bits of ++ value will be inserted in the output. ++ ++ deflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source ++ stream state was inconsistent. ++*/ ++ ++/* ++ZEXTERN int ZEXPORT inflateInit2 OF((z_streamp strm, ++ int windowBits)); ++ ++ This is another version of inflateInit with an extra parameter. The ++ fields next_in, avail_in, zalloc, zfree and opaque must be initialized ++ before by the caller. ++ ++ The windowBits parameter is the base two logarithm of the maximum window ++ size (the size of the history buffer). It should be in the range 8..15 for ++ this version of the library. The default value is 15 if inflateInit is used ++ instead. windowBits must be greater than or equal to the windowBits value ++ provided to deflateInit2() while compressing, or it must be equal to 15 if ++ deflateInit2() was not used. If a compressed stream with a larger window ++ size is given as input, inflate() will return with the error code ++ Z_DATA_ERROR instead of trying to allocate a larger window. ++ ++ windowBits can also be -8..-15 for raw inflate. In this case, -windowBits ++ determines the window size. inflate() will then process raw deflate data, ++ not looking for a zlib or gzip header, not generating a check value, and not ++ looking for any check values for comparison at the end of the stream. This ++ is for use with other formats that use the deflate compressed data format ++ such as zip. Those formats provide their own check values. If a custom ++ format is developed using the raw deflate format for compressed data, it is ++ recommended that a check value such as an adler32 or a crc32 be applied to ++ the uncompressed data as is done in the zlib, gzip, and zip formats. For ++ most applications, the zlib format should be used as is. Note that comments ++ above on the use in deflateInit2() applies to the magnitude of windowBits. ++ ++ windowBits can also be greater than 15 for optional gzip decoding. Add ++ 32 to windowBits to enable zlib and gzip decoding with automatic header ++ detection, or add 16 to decode only the gzip format (the zlib format will ++ return a Z_DATA_ERROR). ++ ++ inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough ++ memory, Z_STREAM_ERROR if a parameter is invalid (such as a negative ++ memLevel). msg is set to null if there is no error message. inflateInit2 ++ does not perform any decompression apart from reading the zlib header if ++ present: this will be done by inflate(). (So next_in and avail_in may be ++ modified, but next_out and avail_out are unchanged.) ++*/ ++ ++ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm, ++ const Bytef *dictionary, ++ uInt dictLength)); ++/* ++ Initializes the decompression dictionary from the given uncompressed byte ++ sequence. This function must be called immediately after a call of inflate ++ if this call returned Z_NEED_DICT. The dictionary chosen by the compressor ++ can be determined from the adler32 value returned by this call of ++ inflate. The compressor and decompressor must use exactly the same ++ dictionary (see deflateSetDictionary). ++ ++ inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a ++ parameter is invalid (such as NULL dictionary) or the stream state is ++ inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the ++ expected one (incorrect adler32 value). inflateSetDictionary does not ++ perform any decompression: this will be done by subsequent calls of ++ inflate(). ++*/ ++ ++ZEXTERN int ZEXPORT inflateSync OF((z_streamp strm)); ++/* ++ Skips invalid compressed data until a full flush point (see above the ++ description of deflate with Z_FULL_FLUSH) can be found, or until all ++ available input is skipped. No output is provided. ++ ++ inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR ++ if no more input was provided, Z_DATA_ERROR if no flush point has been found, ++ or Z_STREAM_ERROR if the stream structure was inconsistent. In the success ++ case, the application may save the current current value of total_in which ++ indicates where valid compressed data was found. In the error case, the ++ application may repeatedly call inflateSync, providing more input each time, ++ until success or end of the input data. ++*/ ++ ++ZEXTERN int ZEXPORT inflateCopy OF((z_streamp dest, ++ z_streamp source)); ++/* ++ Sets the destination stream as a complete copy of the source stream. ++ ++ This function can be useful when randomly accessing a large stream. The ++ first pass through the stream can periodically record the inflate state, ++ allowing restarting inflate at those points when randomly accessing the ++ stream. ++ ++ inflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not ++ enough memory, Z_STREAM_ERROR if the source stream state was inconsistent ++ (such as zalloc being NULL). msg is left unchanged in both source and ++ destination. ++*/ ++ ++ZEXTERN int ZEXPORT inflateReset OF((z_streamp strm)); ++/* ++ This function is equivalent to inflateEnd followed by inflateInit, ++ but does not free and reallocate all the internal decompression state. ++ The stream will keep attributes that may have been set by inflateInit2. ++ ++ inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source ++ stream state was inconsistent (such as zalloc or state being NULL). ++*/ ++ ++/* ++ZEXTERN int ZEXPORT inflateBackInit OF((z_stream FAR *strm, int windowBits, ++ unsigned char FAR *window)); ++ ++ Initialize the internal stream state for decompression using inflateBack() ++ calls. The fields zalloc, zfree and opaque in strm must be initialized ++ before the call. If zalloc and zfree are Z_NULL, then the default library- ++ derived memory allocation routines are used. windowBits is the base two ++ logarithm of the window size, in the range 8..15. window is a caller ++ supplied buffer of that size. Except for special applications where it is ++ assured that deflate was used with small window sizes, windowBits must be 15 ++ and a 32K byte window must be supplied to be able to decompress general ++ deflate streams. ++ ++ See inflateBack() for the usage of these routines. ++ ++ inflateBackInit will return Z_OK on success, Z_STREAM_ERROR if any of ++ the paramaters are invalid, Z_MEM_ERROR if the internal state could not ++ be allocated, or Z_VERSION_ERROR if the version of the library does not ++ match the version of the header file. ++*/ ++ ++typedef unsigned (*in_func) OF((void FAR *, unsigned char FAR * FAR *)); ++typedef int (*out_func) OF((void FAR *, unsigned char FAR *, unsigned)); ++ ++ZEXTERN int ZEXPORT inflateBack OF((z_stream FAR *strm, ++ in_func in, void FAR *in_desc, ++ out_func out, void FAR *out_desc)); ++/* ++ inflateBack() does a raw inflate with a single call using a call-back ++ interface for input and output. This is more efficient than inflate() for ++ file i/o applications in that it avoids copying between the output and the ++ sliding window by simply making the window itself the output buffer. This ++ function trusts the application to not change the output buffer passed by ++ the output function, at least until inflateBack() returns. ++ ++ inflateBackInit() must be called first to allocate the internal state ++ and to initialize the state with the user-provided window buffer. ++ inflateBack() may then be used multiple times to inflate a complete, raw ++ deflate stream with each call. inflateBackEnd() is then called to free ++ the allocated state. ++ ++ A raw deflate stream is one with no zlib or gzip header or trailer. ++ This routine would normally be used in a utility that reads zip or gzip ++ files and writes out uncompressed files. The utility would decode the ++ header and process the trailer on its own, hence this routine expects ++ only the raw deflate stream to decompress. This is different from the ++ normal behavior of inflate(), which expects either a zlib or gzip header and ++ trailer around the deflate stream. ++ ++ inflateBack() uses two subroutines supplied by the caller that are then ++ called by inflateBack() for input and output. inflateBack() calls those ++ routines until it reads a complete deflate stream and writes out all of the ++ uncompressed data, or until it encounters an error. The function's ++ parameters and return types are defined above in the in_func and out_func ++ typedefs. inflateBack() will call in(in_desc, &buf) which should return the ++ number of bytes of provided input, and a pointer to that input in buf. If ++ there is no input available, in() must return zero--buf is ignored in that ++ case--and inflateBack() will return a buffer error. inflateBack() will call ++ out(out_desc, buf, len) to write the uncompressed data buf[0..len-1]. out() ++ should return zero on success, or non-zero on failure. If out() returns ++ non-zero, inflateBack() will return with an error. Neither in() nor out() ++ are permitted to change the contents of the window provided to ++ inflateBackInit(), which is also the buffer that out() uses to write from. ++ The length written by out() will be at most the window size. Any non-zero ++ amount of input may be provided by in(). ++ ++ For convenience, inflateBack() can be provided input on the first call by ++ setting strm->next_in and strm->avail_in. If that input is exhausted, then ++ in() will be called. Therefore strm->next_in must be initialized before ++ calling inflateBack(). If strm->next_in is Z_NULL, then in() will be called ++ immediately for input. If strm->next_in is not Z_NULL, then strm->avail_in ++ must also be initialized, and then if strm->avail_in is not zero, input will ++ initially be taken from strm->next_in[0 .. strm->avail_in - 1]. ++ ++ The in_desc and out_desc parameters of inflateBack() is passed as the ++ first parameter of in() and out() respectively when they are called. These ++ descriptors can be optionally used to pass any information that the caller- ++ supplied in() and out() functions need to do their job. ++ ++ On return, inflateBack() will set strm->next_in and strm->avail_in to ++ pass back any unused input that was provided by the last in() call. The ++ return values of inflateBack() can be Z_STREAM_END on success, Z_BUF_ERROR ++ if in() or out() returned an error, Z_DATA_ERROR if there was a format ++ error in the deflate stream (in which case strm->msg is set to indicate the ++ nature of the error), or Z_STREAM_ERROR if the stream was not properly ++ initialized. In the case of Z_BUF_ERROR, an input or output error can be ++ distinguished using strm->next_in which will be Z_NULL only if in() returned ++ an error. If strm->next is not Z_NULL, then the Z_BUF_ERROR was due to ++ out() returning non-zero. (in() will always be called before out(), so ++ strm->next_in is assured to be defined if out() returns non-zero.) Note ++ that inflateBack() cannot return Z_OK. ++*/ ++ ++ZEXTERN int ZEXPORT inflateBackEnd OF((z_stream FAR *strm)); ++/* ++ All memory allocated by inflateBackInit() is freed. ++ ++ inflateBackEnd() returns Z_OK on success, or Z_STREAM_ERROR if the stream ++ state was inconsistent. ++*/ ++ ++ZEXTERN uLong ZEXPORT zlibCompileFlags OF((void)); ++/* Return flags indicating compile-time options. ++ ++ Type sizes, two bits each, 00 = 16 bits, 01 = 32, 10 = 64, 11 = other: ++ 1.0: size of uInt ++ 3.2: size of uLong ++ 5.4: size of voidpf (pointer) ++ 7.6: size of z_off_t ++ ++ Compiler, assembler, and debug options: ++ 8: DEBUG ++ 9: ASMV or ASMINF -- use ASM code ++ 10: ZLIB_WINAPI -- exported functions use the WINAPI calling convention ++ 11: 0 (reserved) ++ ++ One-time table building (smaller code, but not thread-safe if true): ++ 12: BUILDFIXED -- build static block decoding tables when needed ++ 13: DYNAMIC_CRC_TABLE -- build CRC calculation tables when needed ++ 14,15: 0 (reserved) ++ ++ Library content (indicates missing functionality): ++ 16: NO_GZCOMPRESS -- gz* functions cannot compress (to avoid linking ++ deflate code when not needed) ++ 17: NO_GZIP -- deflate can't write gzip streams, and inflate can't detect ++ and decode gzip streams (to avoid linking crc code) ++ 18-19: 0 (reserved) ++ ++ Operation variations (changes in library functionality): ++ 20: PKZIP_BUG_WORKAROUND -- slightly more permissive inflate ++ 21: FASTEST -- deflate algorithm with only one, lowest compression level ++ 22,23: 0 (reserved) ++ ++ The sprintf variant used by gzprintf (zero is best): ++ 24: 0 = vs*, 1 = s* -- 1 means limited to 20 arguments after the format ++ 25: 0 = *nprintf, 1 = *printf -- 1 means gzprintf() not secure! ++ 26: 0 = returns value, 1 = void -- 1 means inferred string length returned ++ ++ Remainder: ++ 27-31: 0 (reserved) ++ */ ++ ++ ++ /* utility functions */ ++ ++/* ++ The following utility functions are implemented on top of the ++ basic stream-oriented functions. To simplify the interface, some ++ default options are assumed (compression level and memory usage, ++ standard memory allocation functions). The source code of these ++ utility functions can easily be modified if you need special options. ++*/ ++ ++ZEXTERN int ZEXPORT compress OF((Bytef *dest, uLongf *destLen, ++ const Bytef *source, uLong sourceLen)); ++/* ++ Compresses the source buffer into the destination buffer. sourceLen is ++ the byte length of the source buffer. Upon entry, destLen is the total ++ size of the destination buffer, which must be at least the value returned ++ by compressBound(sourceLen). Upon exit, destLen is the actual size of the ++ compressed buffer. ++ This function can be used to compress a whole file at once if the ++ input file is mmap'ed. ++ compress returns Z_OK if success, Z_MEM_ERROR if there was not ++ enough memory, Z_BUF_ERROR if there was not enough room in the output ++ buffer. ++*/ ++ ++ZEXTERN int ZEXPORT compress2 OF((Bytef *dest, uLongf *destLen, ++ const Bytef *source, uLong sourceLen, ++ int level)); ++/* ++ Compresses the source buffer into the destination buffer. The level ++ parameter has the same meaning as in deflateInit. sourceLen is the byte ++ length of the source buffer. Upon entry, destLen is the total size of the ++ destination buffer, which must be at least the value returned by ++ compressBound(sourceLen). Upon exit, destLen is the actual size of the ++ compressed buffer. ++ ++ compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough ++ memory, Z_BUF_ERROR if there was not enough room in the output buffer, ++ Z_STREAM_ERROR if the level parameter is invalid. ++*/ ++ ++ZEXTERN uLong ZEXPORT compressBound OF((uLong sourceLen)); ++/* ++ compressBound() returns an upper bound on the compressed size after ++ compress() or compress2() on sourceLen bytes. It would be used before ++ a compress() or compress2() call to allocate the destination buffer. ++*/ ++ ++ZEXTERN int ZEXPORT uncompress OF((Bytef *dest, uLongf *destLen, ++ const Bytef *source, uLong sourceLen)); ++/* ++ Decompresses the source buffer into the destination buffer. sourceLen is ++ the byte length of the source buffer. Upon entry, destLen is the total ++ size of the destination buffer, which must be large enough to hold the ++ entire uncompressed data. (The size of the uncompressed data must have ++ been saved previously by the compressor and transmitted to the decompressor ++ by some mechanism outside the scope of this compression library.) ++ Upon exit, destLen is the actual size of the compressed buffer. ++ This function can be used to decompress a whole file at once if the ++ input file is mmap'ed. ++ ++ uncompress returns Z_OK if success, Z_MEM_ERROR if there was not ++ enough memory, Z_BUF_ERROR if there was not enough room in the output ++ buffer, or Z_DATA_ERROR if the input data was corrupted or incomplete. ++*/ ++ ++ ++typedef voidp gzFile; ++ ++ZEXTERN gzFile ZEXPORT gzopen OF((const char *path, const char *mode)); ++/* ++ Opens a gzip (.gz) file for reading or writing. The mode parameter ++ is as in fopen ("rb" or "wb") but can also include a compression level ++ ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for ++ Huffman only compression as in "wb1h", or 'R' for run-length encoding ++ as in "wb1R". (See the description of deflateInit2 for more information ++ about the strategy parameter.) ++ ++ gzopen can be used to read a file which is not in gzip format; in this ++ case gzread will directly read from the file without decompression. ++ ++ gzopen returns NULL if the file could not be opened or if there was ++ insufficient memory to allocate the (de)compression state; errno ++ can be checked to distinguish the two cases (if errno is zero, the ++ zlib error is Z_MEM_ERROR). */ ++ ++ZEXTERN gzFile ZEXPORT gzdopen OF((int fd, const char *mode)); ++/* ++ gzdopen() associates a gzFile with the file descriptor fd. File ++ descriptors are obtained from calls like open, dup, creat, pipe or ++ fileno (in the file has been previously opened with fopen). ++ The mode parameter is as in gzopen. ++ The next call of gzclose on the returned gzFile will also close the ++ file descriptor fd, just like fclose(fdopen(fd), mode) closes the file ++ descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode). ++ gzdopen returns NULL if there was insufficient memory to allocate ++ the (de)compression state. ++*/ ++ ++ZEXTERN int ZEXPORT gzsetparams OF((gzFile file, int level, int strategy)); ++/* ++ Dynamically update the compression level or strategy. See the description ++ of deflateInit2 for the meaning of these parameters. ++ gzsetparams returns Z_OK if success, or Z_STREAM_ERROR if the file was not ++ opened for writing. ++*/ ++ ++ZEXTERN int ZEXPORT gzread OF((gzFile file, voidp buf, unsigned len)); ++/* ++ Reads the given number of uncompressed bytes from the compressed file. ++ If the input file was not in gzip format, gzread copies the given number ++ of bytes into the buffer. ++ gzread returns the number of uncompressed bytes actually read (0 for ++ end of file, -1 for error). */ ++ ++ZEXTERN int ZEXPORT gzwrite OF((gzFile file, ++ voidpc buf, unsigned len)); ++/* ++ Writes the given number of uncompressed bytes into the compressed file. ++ gzwrite returns the number of uncompressed bytes actually written ++ (0 in case of error). ++*/ ++ ++ZEXTERN int ZEXPORTVA gzprintf OF((gzFile file, const char *format, ...)); ++/* ++ Converts, formats, and writes the args to the compressed file under ++ control of the format string, as in fprintf. gzprintf returns the number of ++ uncompressed bytes actually written (0 in case of error). The number of ++ uncompressed bytes written is limited to 4095. The caller should assure that ++ this limit is not exceeded. If it is exceeded, then gzprintf() will return ++ return an error (0) with nothing written. In this case, there may also be a ++ buffer overflow with unpredictable consequences, which is possible only if ++ zlib was compiled with the insecure functions sprintf() or vsprintf() ++ because the secure snprintf() or vsnprintf() functions were not available. ++*/ ++ ++ZEXTERN int ZEXPORT gzputs OF((gzFile file, const char *s)); ++/* ++ Writes the given null-terminated string to the compressed file, excluding ++ the terminating null character. ++ gzputs returns the number of characters written, or -1 in case of error. ++*/ ++ ++ZEXTERN char * ZEXPORT gzgets OF((gzFile file, char *buf, int len)); ++/* ++ Reads bytes from the compressed file until len-1 characters are read, or ++ a newline character is read and transferred to buf, or an end-of-file ++ condition is encountered. The string is then terminated with a null ++ character. ++ gzgets returns buf, or Z_NULL in case of error. ++*/ ++ ++ZEXTERN int ZEXPORT gzputc OF((gzFile file, int c)); ++/* ++ Writes c, converted to an unsigned char, into the compressed file. ++ gzputc returns the value that was written, or -1 in case of error. ++*/ ++ ++ZEXTERN int ZEXPORT gzgetc OF((gzFile file)); ++/* ++ Reads one byte from the compressed file. gzgetc returns this byte ++ or -1 in case of end of file or error. ++*/ ++ ++ZEXTERN int ZEXPORT gzungetc OF((int c, gzFile file)); ++/* ++ Push one character back onto the stream to be read again later. ++ Only one character of push-back is allowed. gzungetc() returns the ++ character pushed, or -1 on failure. gzungetc() will fail if a ++ character has been pushed but not read yet, or if c is -1. The pushed ++ character will be discarded if the stream is repositioned with gzseek() ++ or gzrewind(). ++*/ ++ ++ZEXTERN int ZEXPORT gzflush OF((gzFile file, int flush)); ++/* ++ Flushes all pending output into the compressed file. The parameter ++ flush is as in the deflate() function. The return value is the zlib ++ error number (see function gzerror below). gzflush returns Z_OK if ++ the flush parameter is Z_FINISH and all output could be flushed. ++ gzflush should be called only when strictly necessary because it can ++ degrade compression. ++*/ ++ ++ZEXTERN z_off_t ZEXPORT gzseek OF((gzFile file, ++ z_off_t offset, int whence)); ++/* ++ Sets the starting position for the next gzread or gzwrite on the ++ given compressed file. The offset represents a number of bytes in the ++ uncompressed data stream. The whence parameter is defined as in lseek(2); ++ the value SEEK_END is not supported. ++ If the file is opened for reading, this function is emulated but can be ++ extremely slow. If the file is opened for writing, only forward seeks are ++ supported; gzseek then compresses a sequence of zeroes up to the new ++ starting position. ++ ++ gzseek returns the resulting offset location as measured in bytes from ++ the beginning of the uncompressed stream, or -1 in case of error, in ++ particular if the file is opened for writing and the new starting position ++ would be before the current position. ++*/ ++ ++ZEXTERN int ZEXPORT gzrewind OF((gzFile file)); ++/* ++ Rewinds the given file. This function is supported only for reading. ++ ++ gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET) ++*/ ++ ++ZEXTERN z_off_t ZEXPORT gztell OF((gzFile file)); ++/* ++ Returns the starting position for the next gzread or gzwrite on the ++ given compressed file. This position represents a number of bytes in the ++ uncompressed data stream. ++ ++ gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR) ++*/ ++ ++ZEXTERN int ZEXPORT gzeof OF((gzFile file)); ++/* ++ Returns 1 when EOF has previously been detected reading the given ++ input stream, otherwise zero. ++*/ ++ ++ZEXTERN int ZEXPORT gzclose OF((gzFile file)); ++/* ++ Flushes all pending output if necessary, closes the compressed file ++ and deallocates all the (de)compression state. The return value is the zlib ++ error number (see function gzerror below). ++*/ ++ ++ZEXTERN const char * ZEXPORT gzerror OF((gzFile file, int *errnum)); ++/* ++ Returns the error message for the last error which occurred on the ++ given compressed file. errnum is set to zlib error number. If an ++ error occurred in the file system and not in the compression library, ++ errnum is set to Z_ERRNO and the application may consult errno ++ to get the exact error code. ++*/ ++ ++ZEXTERN void ZEXPORT gzclearerr OF((gzFile file)); ++/* ++ Clears the error and end-of-file flags for file. This is analogous to the ++ clearerr() function in stdio. This is useful for continuing to read a gzip ++ file that is being written concurrently. ++*/ ++ ++ /* checksum functions */ ++ ++/* ++ These functions are not related to compression but are exported ++ anyway because they might be useful in applications using the ++ compression library. ++*/ ++ ++ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len)); ++ ++/* ++ Update a running Adler-32 checksum with the bytes buf[0..len-1] and ++ return the updated checksum. If buf is NULL, this function returns ++ the required initial value for the checksum. ++ An Adler-32 checksum is almost as reliable as a CRC32 but can be computed ++ much faster. Usage example: ++ ++ uLong adler = adler32(0L, Z_NULL, 0); ++ ++ while (read_buffer(buffer, length) != EOF) { ++ adler = adler32(adler, buffer, length); ++ } ++ if (adler != original_adler) error(); ++*/ ++ ++ZEXTERN uLong ZEXPORT crc32 OF((uLong crc, const Bytef *buf, uInt len)); ++/* ++ Update a running crc with the bytes buf[0..len-1] and return the updated ++ crc. If buf is NULL, this function returns the required initial value ++ for the crc. Pre- and post-conditioning (one's complement) is performed ++ within this function so it shouldn't be done by the application. ++ Usage example: ++ ++ uLong crc = crc32(0L, Z_NULL, 0); ++ ++ while (read_buffer(buffer, length) != EOF) { ++ crc = crc32(crc, buffer, length); ++ } ++ if (crc != original_crc) error(); ++*/ ++ ++ ++ /* various hacks, don't look :) */ ++ ++/* deflateInit and inflateInit are macros to allow checking the zlib version ++ * and the compiler's view of z_stream: ++ */ ++ZEXTERN int ZEXPORT deflateInit_ OF((z_streamp strm, int level, ++ const char *version, int stream_size)); ++ZEXTERN int ZEXPORT inflateInit_ OF((z_streamp strm, ++ const char *version, int stream_size)); ++ZEXTERN int ZEXPORT deflateInit2_ OF((z_streamp strm, int level, int method, ++ int windowBits, int memLevel, ++ int strategy, const char *version, ++ int stream_size)); ++ZEXTERN int ZEXPORT inflateInit2_ OF((z_streamp strm, int windowBits, ++ const char *version, int stream_size)); ++ZEXTERN int ZEXPORT inflateBackInit_ OF((z_stream FAR *strm, int windowBits, ++ unsigned char FAR *window, ++ const char *version, ++ int stream_size)); ++#define deflateInit(strm, level) \ ++ deflateInit_((strm), (level), ZLIB_VERSION, sizeof(z_stream)) ++#define inflateInit(strm) \ ++ inflateInit_((strm), ZLIB_VERSION, sizeof(z_stream)) ++#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \ ++ deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\ ++ (strategy), ZLIB_VERSION, sizeof(z_stream)) ++#define inflateInit2(strm, windowBits) \ ++ inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream)) ++#define inflateBackInit(strm, windowBits, window) \ ++ inflateBackInit_((strm), (windowBits), (window), \ ++ ZLIB_VERSION, sizeof(z_stream)) ++ ++ ++#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL) ++ struct internal_state {int dummy;}; /* hack for buggy compilers */ ++#endif ++ ++ZEXTERN const char * ZEXPORT zError OF((int err)); ++ZEXTERN int ZEXPORT inflateSyncPoint OF((z_streamp z)); ++ZEXTERN const uLongf * ZEXPORT get_crc_table OF((void)); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* ZLIB_H */ --- php5-5.2.4.orig/debian/patches/053-extension_api.patch +++ php5-5.2.4/debian/patches/053-extension_api.patch @@ -0,0 +1,56 @@ +Index: php5-5.2.4/configure.in +=================================================================== +--- php5-5.2.4.orig/configure.in 2007-09-11 00:24:00.000000000 +0200 ++++ php5-5.2.4/configure.in 2007-09-11 00:40:32.000000000 +0200 +@@ -1048,8 +1048,13 @@ + + ZEND_MODULE_API_NO=`$EGREP '#define ZEND_MODULE_API_NO ' $srcdir/Zend/zend_modules.h|$SED 's/#define ZEND_MODULE_API_NO //'` + ++DEBIAN_PHP_API=`egrep -h '^#define ZEND_EXTENSION_API_NO|^#define ZEND_MODULE_API_NO|#define PHP_API_VERSION' $srcdir/Zend/zend_extensions.h $srcdir/Zend/zend_modules.h $srcdir/main/php.h | awk '{print $3}' | sed -e 's/^2200/200/' | sort -n | tail -n 1` ++if echo "$CPPFLAGS $CFLAGS" | grep -q -- -D_FILE_OFFSET_BITS=64; then ++ DEBIAN_PHP_API="${DEBIAN_PHP_API}+lfs" ++fi ++ + if test -z "$EXTENSION_DIR"; then +- extbasedir=$ZEND_MODULE_API_NO ++ extbasedir=$DEBIAN_PHP_API + if test "$oldstyleextdir" = "yes"; then + if test "$PHP_DEBUG" = "1"; then + part1=debug +@@ -1193,6 +1198,7 @@ + PHP_SUBST(CXXFLAGS) + PHP_SUBST(CXXFLAGS_CLEAN) + PHP_SUBST_OLD(DEBUG_CFLAGS) ++PHP_SUBST_OLD(DEBIAN_PHP_API) + PHP_SUBST_OLD(EXTENSION_DIR) + PHP_SUBST_OLD(EXTRA_LDFLAGS) + PHP_SUBST_OLD(EXTRA_LDFLAGS_PROGRAM) +Index: php5-5.2.4/scripts/php-config.in +=================================================================== +--- php5-5.2.4.orig/scripts/php-config.in 2007-09-11 00:23:54.000000000 +0200 ++++ php5-5.2.4/scripts/php-config.in 2007-09-11 00:41:21.000000000 +0200 +@@ -17,6 +17,7 @@ + php_cgi_binary=NONE + configure_options="@CONFIGURE_OPTIONS@" + php_sapis="@PHP_INSTALLED_SAPIS@" ++phpapi="@DEBIAN_PHP_API@" + + # Set php_cli_binary and php_cgi_binary if available + for sapi in $php_sapis; do +@@ -55,6 +56,8 @@ + echo $include_dir;; + --php-binary) + echo $php_binary;; ++--phpapi) ++ echo $phpapi;; + --php-sapis) + echo $php_sapis;; + --configure-options) +@@ -75,6 +78,7 @@ + --include-dir [$include_dir] + --php-binary [$php_binary] + --php-sapis [$php_sapis] ++ --phpapi [$phpapi] + --configure-options [$configure_options] + --version [$version] + --vernum [$vernum] --- php5-5.2.4.orig/debian/patches/CVE-2009-3558.patch +++ php5-5.2.4/debian/patches/CVE-2009-3558.patch @@ -0,0 +1,16 @@ +Description: fix open_basedir restrictions bypass via posix_mkfifo +upstream, Origin: http://svn.php.net/viewvc?view=revision&revision=288943 + +diff -Nur php5-5.2.4/ext/posix/posix.c php5-5.2.4.new/ext/posix/posix.c +--- php5-5.2.4/ext/posix/posix.c 2007-07-25 05:06:22.000000000 -0400 ++++ php5-5.2.4.new/ext/posix/posix.c 2009-11-25 14:42:00.000000000 -0500 +@@ -674,7 +674,8 @@ + RETURN_FALSE; + } + +- if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { ++ if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) || ++ (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR)))) { + RETURN_FALSE; + } + --- php5-5.2.4.orig/debian/patches/CVE-2009-4018.patch +++ php5-5.2.4/debian/patches/CVE-2009-4018.patch @@ -0,0 +1,50 @@ +Description: fix safe_mode_protected_env_vars bypass via proc_open() +upstream, Origin: http://svn.php.net/viewvc/?view=revision&revision=286360 +Bug: http://bugs.php.net/bug.php?id=49026 + +diff -Nur php5-5.2.4/ext/standard/proc_open.c php5-5.2.4.new/ext/standard/proc_open.c +--- php5-5.2.4/ext/standard/proc_open.c 2009-11-25 14:42:25.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/proc_open.c 2009-11-25 14:42:29.000000000 -0500 +@@ -30,6 +30,7 @@ + #include "php_string.h" + #include "safe_mode.h" + #include "ext/standard/head.h" ++#include "ext/standard/basic_functions.h" + #include "ext/standard/file.h" + #include "exec.h" + #include "php_globals.h" +@@ -152,6 +153,34 @@ + if (string_length == 0) { + continue; + } ++ if (PG(safe_mode)) { ++ /* Check the protected list */ ++ if (zend_hash_exists(&BG(sm_protected_env_vars), string_key, string_length - 1)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot override protected environment variable '%s'", string_key); ++ return env; ++ } ++ /* Check the allowed list */ ++ if (BG(sm_allowed_env_vars) && *BG(sm_allowed_env_vars)) { ++ char *allowed_env_vars = estrdup(BG(sm_allowed_env_vars)); ++ char *strtok_buf = NULL; ++ char *allowed_prefix = php_strtok_r(allowed_env_vars, ", ", &strtok_buf); ++ zend_bool allowed = 0; ++ ++ while (allowed_prefix) { ++ if (!strncmp(allowed_prefix, string_key, strlen(allowed_prefix))) { ++ allowed = 1; ++ break; ++ } ++ allowed_prefix = php_strtok_r(NULL, ", ", &strtok_buf); ++ } ++ efree(allowed_env_vars); ++ if (!allowed) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot set environment variable '%s' - it's not in the allowed list", string_key); ++ return env; ++ } ++ } ++ } ++ + l = string_length + el_len + 1; + memcpy(p, string_key, string_length); + strcat(p, "="); --- php5-5.2.4.orig/debian/patches/CVE-2010-2531.patch +++ php5-5.2.4/debian/patches/CVE-2010-2531.patch @@ -0,0 +1,243 @@ +Description: fix sensitive information disclosure via error messages +Origin: backport, http://svn.php.net/viewvc?view=revision&revision=301245 + +diff -Nur php5-5.2.4/ext/standard/php_var.h php5-5.2.4.new/ext/standard/php_var.h +--- php5-5.2.4/ext/standard/php_var.h 2007-05-22 10:34:22.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/php_var.h 2010-09-15 08:28:22.000000000 -0400 +@@ -33,6 +33,8 @@ + + PHPAPI void php_var_dump(zval **struc, int level TSRMLS_DC); + PHPAPI void php_var_export(zval **struc, int level TSRMLS_DC); ++PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC); ++ + PHPAPI void php_debug_zval_dump(zval **struc, int level TSRMLS_DC); + + /* typdef HashTable php_serialize_data_t; */ +diff -Nur php5-5.2.4/ext/standard/var.c php5-5.2.4.new/ext/standard/var.c +--- php5-5.2.4/ext/standard/var.c 2007-06-26 07:51:14.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/var.c 2010-09-15 08:37:08.000000000 -0400 +@@ -343,50 +343,79 @@ + } + /* }}} */ + ++#define buffer_append_spaces(buf, num_spaces) \ ++ do { \ ++ char *tmp_spaces; \ ++ int tmp_spaces_len; \ ++ tmp_spaces_len = spprintf(&tmp_spaces, 0,"%*c", num_spaces, ' '); \ ++ smart_str_appendl(buf, tmp_spaces, tmp_spaces_len); \ ++ efree(tmp_spaces); \ ++ } while(0); + /* {{{ php_var_export */ + + static int php_array_element_export(zval **zv, int num_args, va_list args, zend_hash_key *hash_key) + { + int level; ++ smart_str *buf; ++ + TSRMLS_FETCH(); + + level = va_arg(args, int); ++ buf = va_arg(args, smart_str *); + +- if (hash_key->nKeyLength==0) { /* numeric key */ +- php_printf("%*c%ld => ", level + 1, ' ', hash_key->h); ++ if (hash_key->nKeyLength == 0) { /* numeric key */ ++ buffer_append_spaces(buf, level+1); ++ smart_str_append_long(buf, hash_key->h); ++ smart_str_appendl(buf, " => ", 4); + } else { /* string key */ + char *key; + int key_len; + key = php_addcslashes(hash_key->arKey, hash_key->nKeyLength - 1, &key_len, 0, "'\\", 2 TSRMLS_CC); +- php_printf("%*c'", level + 1, ' '); +- PHPWRITE(key, key_len); +- php_printf("' => "); ++ ++ buffer_append_spaces(buf, level + 1); ++ ++ smart_str_appendc(buf, '\''); ++ smart_str_appendl(buf, key, key_len); ++ smart_str_appendl(buf, "' => ", 5); ++ + efree(key); + } +- php_var_export(zv, level + 2 TSRMLS_CC); +- PUTS (",\n"); ++ php_var_export_ex(zv, level + 2, buf TSRMLS_CC); ++ ++ smart_str_appendc(buf, ','); ++ smart_str_appendc(buf, '\n'); ++ + return 0; + } + + static int php_object_element_export(zval **zv, int num_args, va_list args, zend_hash_key *hash_key) + { + int level; ++ smart_str *buf; + char *prop_name, *class_name; + TSRMLS_FETCH(); + + level = va_arg(args, int); ++ buf = va_arg(args, smart_str *); + + if (hash_key->nKeyLength != 0) { +- php_printf("%*c", level + 1, ' '); ++ buffer_append_spaces(buf, level + 2); + zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength-1, &class_name, &prop_name); +- php_printf(" '%s' => ", prop_name); +- php_var_export(zv, level + 2 TSRMLS_CC); +- PUTS (",\n"); ++ ++ smart_str_appendc(buf, '\''); ++ smart_str_appends(buf, prop_name); ++ smart_str_appendc(buf, '\''); ++ ++ smart_str_appendl(buf, " => ", 4); ++ php_var_export_ex(zv, level + 2, buf TSRMLS_CC); ++ smart_str_appendc(buf, ','); ++ smart_str_appendc(buf, '\n'); ++ + } + return 0; + } + +-PHPAPI void php_var_export(zval **struc, int level TSRMLS_DC) ++PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC) /* {{{ */ + { + HashTable *myht; + char* tmp_str; +@@ -396,58 +425,83 @@ + + switch (Z_TYPE_PP(struc)) { + case IS_BOOL: +- php_printf("%s", Z_LVAL_PP(struc) ? "true" : "false"); ++ if (Z_LVAL_PP(struc)) { ++ smart_str_appendl(buf, "true", 4); ++ } else { ++ smart_str_appendl(buf, "false", 5); ++ } + break; + case IS_NULL: +- php_printf("NULL"); ++ smart_str_appendl(buf, "NULL", 4); + break; + case IS_LONG: +- php_printf("%ld", Z_LVAL_PP(struc)); ++ smart_str_append_long(buf, Z_LVAL_PP(struc)); + break; + case IS_DOUBLE: +- php_printf("%.*H", (int) EG(precision), Z_DVAL_PP(struc)); ++ tmp_len = spprintf(&tmp_str, 0,"%.*H", (int) EG(precision), Z_DVAL_PP(struc)); ++ smart_str_appendl(buf, tmp_str, tmp_len); ++ efree(tmp_str); + break; + case IS_STRING: + tmp_str = php_addcslashes(Z_STRVAL_PP(struc), Z_STRLEN_PP(struc), &tmp_len, 0, "'\\\0", 3 TSRMLS_CC); +- PUTS ("'"); +- PHPWRITE(tmp_str, tmp_len); +- PUTS ("'"); ++ ++ smart_str_appendc(buf, '\''); ++ smart_str_appendl(buf, tmp_str, tmp_len); ++ smart_str_appendc(buf, '\''); ++ + efree (tmp_str); + break; + case IS_ARRAY: + myht = Z_ARRVAL_PP(struc); + if (level > 1) { +- php_printf("\n%*c", level - 1, ' '); ++ smart_str_appendc(buf, '\n'); ++ buffer_append_spaces(buf, level - 1); + } +- PUTS ("array (\n"); +- zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_array_element_export, 1, level, (Z_TYPE_PP(struc) == IS_ARRAY ? 0 : 1)); ++ smart_str_appendl(buf, "array (\n", 8); ++ zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_array_element_export, 2, level, buf); ++ + if (level > 1) { +- php_printf("%*c", level - 1, ' '); ++ buffer_append_spaces(buf, level - 1); + } +- PUTS(")"); ++ smart_str_appendc(buf, ')'); ++ + break; + case IS_OBJECT: + myht = Z_OBJPROP_PP(struc); + if (level > 1) { +- php_printf("\n%*c", level - 1, ' '); ++ smart_str_appendc(buf, '\n'); ++ buffer_append_spaces(buf, level - 1); + } + Z_OBJ_HANDLER(**struc, get_class_name)(*struc, &class_name, &class_name_len, 0 TSRMLS_CC); +- php_printf ("%s::__set_state(array(\n", class_name); ++ ++ smart_str_appendl(buf, class_name, class_name_len); ++ smart_str_appendl(buf, "::__set_state(array(\n", 21); ++ + efree(class_name); + if (myht) { +- zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_object_element_export, 1, level); ++ zend_hash_apply_with_arguments(myht, (apply_func_args_t) php_object_element_export, 2, level, buf); + } + if (level > 1) { +- php_printf("%*c", level - 1, ' '); ++ buffer_append_spaces(buf, level - 1); + } +- php_printf ("))"); ++ smart_str_appendl(buf, "))", 2); ++ + break; + default: +- PUTS ("NULL"); ++ smart_str_appendl(buf, "NULL", 4); + break; + } + } + ++/* FOR BC reasons, this will always perform and then print */ ++PHPAPI void php_var_export(zval **struc, int level TSRMLS_DC) /* {{{ */ ++{ ++ smart_str buf = {0}; ++ php_var_export_ex(struc, level, &buf TSRMLS_CC); ++ smart_str_0 (&buf); ++ PHPWRITE(buf.c, buf.len); ++ smart_str_free(&buf); ++} + /* }}} */ + + /* {{{ proto mixed var_export(mixed var [, bool return]) +@@ -456,21 +510,21 @@ + { + zval *var; + zend_bool return_output = 0; +- ++ smart_str buf = {0}; ++ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|b", &var, &return_output) == FAILURE) { + return; + } +- +- if (return_output) { +- php_start_ob_buffer (NULL, 0, 1 TSRMLS_CC); +- } +- +- php_var_export(&var, 1 TSRMLS_CC); ++ ++ php_var_export_ex(&var, 1, &buf TSRMLS_CC); ++ smart_str_0 (&buf); + + if (return_output) { +- php_ob_get_buffer (return_value TSRMLS_CC); +- php_end_ob_buffer (0, 0 TSRMLS_CC); ++ RETVAL_STRINGL(buf.c, buf.len, 1); ++ } else { ++ PHPWRITE(buf.c, buf.len); + } ++ smart_str_free(&buf); + } + /* }}} */ + --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-2202.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-2202.patch @@ -0,0 +1,31 @@ +Description: Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename) +Reviewed-By: Angel Abad +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=312103 +Bug-Ubuntu: https://launchpad.net/bugs/813115 + +CVE-2011-2202 + +Patch differs from upstream commit in that it drops the added NEWS file +entry to reduce patch conflicts, and adjusted for earlier versions of +php. + +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -1228,7 +1228,7 @@ + #endif + + if (!is_anonymous) { +- if (s && s > filename) { ++ if (s && s >= filename) { + safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC); + } else { + safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC); +@@ -1241,7 +1241,7 @@ + } else { + snprintf(lbuf, llen, "%s[name]", param); + } +- if (s && s > filename) { ++ if (s && s >= filename) { + register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC); + } else { + register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC); --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2008-1384.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2008-1384.patch @@ -0,0 +1,32 @@ +diff -Nur php5-5.2.4/ext/standard/formatted_print.c php5-5.2.4.new/ext/standard/formatted_print.c +--- php5-5.2.4/ext/standard/formatted_print.c 2007-06-03 05:12:04.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/formatted_print.c 2008-07-10 17:05:41.000000000 -0400 +@@ -76,6 +76,7 @@ + register int npad; + int req_size; + int copy_len; ++ int m_width; + + copy_len = (expprec ? MIN(max_width, len) : len); + npad = min_width - copy_len; +@@ -86,11 +87,19 @@ + + PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n", + *buffer, *pos, *size, add, min_width, padding, alignment)); ++ m_width = MAX(min_width, copy_len); + +- req_size = *pos + MAX(min_width, copy_len) + 1; ++ if(m_width > INT_MAX - *pos - 1) { ++ zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width); ++ } ++ ++ req_size = *pos + m_width + 1; + + if (req_size > *size) { + while (req_size > *size) { ++ if(*size > INT_MAX/2) { ++ zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size); ++ } + *size <<= 1; + } + PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size)); --- php5-5.2.4.orig/debian/patches/php5-pear-CVE-2011-1072.patch +++ php5-5.2.4/debian/patches/php5-pear-CVE-2011-1072.patch @@ -0,0 +1,599 @@ +Subject: Fixed Bug #18056 [SECURITY]: Symlink attack in PEAR install [dufuz] +Origin: http://svn.php.net/viewvc?view=revision&revision=308687 + +This feature is implemented as a result of the above fix +* Implemented Request #16648: Use TMPDIR for builds instead of /var/tmp [dufuz] + +CVE-2011-1072 + +This patch differs from the upstream commit in that the packages.xml +and packages2.xml edits containing only information about the commits +were removed to reduce conflicts. It also has been backported to the +version of PEAR in hardy, during this, some whitespace changes were +dropped. + +Index: PEAR/PackageFile.php +=================================================================== +--- PEAR/PackageFile.php (revision 308686) ++++ PEAR/PackageFile.php (revision 308687) +@@ -46,11 +46,7 @@ + */ + var $_config; + var $_debug; +- /** +- * Temp directory for uncompressing tgz files. +- * @var string|false +- */ +- var $_tmpdir; ++ + var $_logger = false; + /** + * @var boolean +@@ -58,17 +54,23 @@ + var $_rawReturn = false; + + /** ++ * helper for extracting Archive_Tar errors ++ * @var array ++ * @access private ++ */ ++ var $_extractErrors = array(); ++ ++ /** + * + * @param PEAR_Config $config + * @param ? $debug + * @param string @tmpdir Optional temporary directory for uncompressing + * files + */ +- function PEAR_PackageFile(&$config, $debug = false, $tmpdir = false) ++ function PEAR_PackageFile(&$config, $debug = false) + { + $this->_config = $config; + $this->_debug = $debug; +- $this->_tmpdir = $tmpdir; + } + + /** +@@ -349,14 +351,18 @@ + break; + } + } +- if ($this->_tmpdir) { +- $tmpdir = $this->_tmpdir; +- } else { +- $tmpdir = System::mkTemp(array('-d', 'pear')); +- PEAR_PackageFile::addTempFile($tmpdir); ++ ++ $tmpdir = System::mktemp('-t ' . $this->_config->get('temp_dir') . ' -d pear'); ++ if ($tmpdir === false) { ++ $ret = PEAR::raiseError("there was a problem with getting the configured temp directory"); ++ return $ret; + } ++ ++ PEAR_PackageFile::addTempFile($tmpdir); ++ + $this->_extractErrors(); + PEAR::staticPushErrorHandling(PEAR_ERROR_CALLBACK, array($this, '_extractErrors')); ++ + if (!$xml || !$tar->extractList(array($xml), $tmpdir)) { + $extra = implode("\n", $this->_extractErrors()); + if ($extra) { +@@ -381,13 +380,6 @@ + } + + /** +- * helper for extracting Archive_Tar errors +- * @var array +- * @access private +- */ +- var $_extractErrors = array(); +- +- /** + * helper callback for extracting Archive_Tar errors + * + * @param PEAR_Error|null $err +Index: PEAR/Installer.php +=================================================================== +--- PEAR/Installer.php (revision 308686) ++++ PEAR/Installer.php (revision 308687) +@@ -1036,24 +1036,10 @@ + // }}} + // {{{ _parsePackageXml() + +- function _parsePackageXml(&$descfile, &$tmpdir) ++ function _parsePackageXml(&$descfile) + { +- if (substr($descfile, -4) == '.xml') { +- $tmpdir = false; +- } else { +- // {{{ Decompress pack in tmp dir ------------------------------------- +- +- // To allow relative package file names +- $descfile = realpath($descfile); +- +- if (PEAR::isError($tmpdir = System::mktemp('-d'))) { +- return $tmpdir; +- } +- $this->log(3, '+ tmp dir created at ' . $tmpdir); +- // }}} +- } + // Parse xml file ----------------------------------------------- +- $pkg = new PEAR_PackageFile($this->config, $this->debug, $tmpdir); ++ $pkg = new PEAR_PackageFile($this->config, $this->debug); + PEAR::staticPushErrorHandling(PEAR_ERROR_RETURN); + $p = &$pkg->fromAnyFile($descfile, PEAR_VALIDATE_INSTALLING); + PEAR::staticPopErrorHandling(); +@@ -1135,16 +1120,20 @@ + $pkg = $pkgfile->getPackageFile(); + $pkgfile = $pkg->getArchiveFile(); + $descfile = $pkg->getPackageFile(); +- $tmpdir = dirname($descfile); + } else { + $descfile = $pkgfile; +- $tmpdir = ''; +- if (PEAR::isError($pkg = &$this->_parsePackageXml($descfile, $tmpdir))) { ++ $pkg = $this->_parsePackageXml($descfile); ++ if (PEAR::isError($pkg)) { + return $pkg; + } + } + ++ $tmpdir = dirname($descfile); + if (realpath($descfile) != realpath($pkgfile)) { ++ // Use the temp_dir since $descfile can contain the download dir path ++ $tmpdir = $this->config->get('temp_dir', null, 'pear.php.net'); ++ $tmpdir = System::mktemp("-d -t $tmpdir"); ++ + $tar = new Archive_Tar($pkgfile); + if (!$tar->extract($tmpdir)) { + return $this->raiseError("unable to unpack $pkgfile"); +@@ -1373,9 +1361,8 @@ + } + } + +- $tmp_path = dirname($descfile); + if (substr($pkgfile, -4) != '.xml') { +- $tmp_path .= DIRECTORY_SEPARATOR . $pkgname . '-' . $pkg->getVersion(); ++ $tmpdir .= DIRECTORY_SEPARATOR . $pkgname . '-' . $pkg->getVersion(); + } + + $this->configSet('default_channel', $channel); +@@ -1401,11 +1388,11 @@ + foreach ($filelist as $file => $atts) { + if ($pkg->getPackagexmlVersion() == '1.0') { + $this->expectError(PEAR_INSTALLER_FAILED); +- $res = $this->_installFile($file, $atts, $tmp_path, $options); ++ $res = $this->_installFile($file, $atts, $tmpdir, $options); + $this->popExpect(); + } else { + $this->expectError(PEAR_INSTALLER_FAILED); +- $res = $this->_installFile2($pkg, $file, $atts, $tmp_path, $options); ++ $res = $this->_installFile2($pkg, $file, $atts, $tmpdir, $options); + $this->popExpect(); + } + if (PEAR::isError($res)) { +Index: PEAR/Downloader.php +=================================================================== +--- PEAR/Downloader.php (revision 308686) ++++ PEAR/Downloader.php (revision 308687) +@@ -189,8 +189,10 @@ + if (!class_exists('System')) { + require_once 'System.php'; + } ++ +- $a = $this->downloadHttp('http://' . $channel . '/channel.xml', $this->ui, +- System::mktemp(array('-d')), $callback, false); ++ $tmpdir = $this->config->get('temp_dir'); ++ $tmp = System::mktemp("-d -t $tmpdir"); ++ $a = $this->downloadHttp('http://' . $channel . '/channel.xml', $this->ui, $tmp, $callback, false); + PEAR::popErrorHandling(); + if (PEAR::isError($a)) { + return false; +@@ -493,13 +494,13 @@ + */ + function analyzeDependencies(&$params, $force = false) + { +- $hasfailed = $failed = false; + if (isset($this->_options['downloadonly'])) { + return; + } ++ + PEAR::staticPushErrorHandling(PEAR_ERROR_RETURN); + $redo = true; +- $reset = false; ++ $reset = $hasfailed = $failed = false; + while ($redo) { + $redo = false; + foreach ($params as $i => $param) { +@@ -771,29 +777,10 @@ + $this->_options = $options; + } + +- // }}} +- // {{{ setOptions() + function getOptions() + { + return $this->_options; + } +- +- // }}} +- +- /** +- * For simpler unit-testing +- * @param PEAR_Config +- * @param int +- * @param string +- */ +- function &getPackagefileObject(&$c, $d, $t = false) +- { +- if (!class_exists('PEAR_PackageFile')) { +- require_once 'PEAR/PackageFile.php'; +- } +- $a = &new PEAR_PackageFile($c, $d, $t); +- return $a; +- } + + // {{{ _getPackageDownloadUrl() + +@@ -1000,9 +990,21 @@ + return PEAR::raiseError('Package "' . $param . '" is not valid'); + } + return $info; +- } elseif ($chan->supportsREST($this->config->get('preferred_mirror')) && +- $base = $chan->getBaseURL('REST1.0', $this->config->get('preferred_mirror'))) { ++ } elseif ($chan->supportsREST($this->config->get('preferred_mirror')) ++ && ++ ( ++ ($base2 = $chan->getBaseURL('REST1.3', $this->config->get('preferred_mirror'))) ++ || ++ ($base = $chan->getBaseURL('REST1.0', $this->config->get('preferred_mirror'))) ++ ) ++ ) { +- $rest = &$this->config->getREST('1.0', $this->_options); ++ if ($base2) { ++ $base = $base2; ++ $rest = &$this->config->getREST('1.3', $this->_options); ++ } else { ++ $rest = &$this->config->getREST('1.0', $this->_options); ++ } ++ + $url = $rest->getDepDownloadURL($base, $xsdversion, $dep, $parr, + $state, $version); + if (PEAR::isError($url)) { +@@ -1707,6 +1708,10 @@ + } + } + $dest_file = $save_dir . DIRECTORY_SEPARATOR . $save_as; ++ if (is_link($dest_file)) { ++ return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $dest_file . ' as it is symlinked to ' . readlink($dest_file) . ' - Possible symlink attack'); ++ } ++ + if (!$wp = @fopen($dest_file, 'wb')) { + fclose($fp); + if ($callback) { +Index: PEAR/Downloader/Package.php +=================================================================== +--- PEAR/Downloader/Package.php (revision 308686) ++++ PEAR/Downloader/Package.php (revision 308687) +@@ -1376,6 +1376,9 @@ + if (!$fp) { + continue; + } ++ ++ // FIXME do symlink check ++ + fwrite($fp, $filecontents, strlen($filecontents)); + fclose($fp); + if ($s = $params[$i]->explicitState()) { +@@ -1497,13 +1499,12 @@ + * @param int + * @param string + */ +- function &getPackagefileObject(&$c, $d, $t = false) ++ function &getPackagefileObject(&$c, $d) + { +- $a = &new PEAR_PackageFile($c, $d, $t); ++ $a = &new PEAR_PackageFile($c, $d); + return $a; + } + +- + /** + * This will retrieve from a local file if possible, and parse out + * a group name as well. The original parameter will be modified to reflect this. +@@ -1527,16 +1528,7 @@ + if (@is_file($param)) { + $this->_type = 'local'; + $options = $this->_downloader->getOptions(); +- if (isset($options['downloadonly'])) { +- $pkg = &$this->getPackagefileObject($this->_config, +- $this->_downloader->_debug); +- } else { +- if (PEAR::isError($dir = $this->_downloader->getDownloadDir())) { +- return $dir; +- } +- $pkg = &$this->getPackagefileObject($this->_config, +- $this->_downloader->_debug, $dir); +- } ++ $pkg = &$this->getPackagefileObject($this->_config, $this->_downloader->_debug); + PEAR::pushErrorHandling(PEAR_ERROR_RETURN); + $pf = &$pkg->fromAnyFile($param, PEAR_VALIDATE_INSTALLING); + PEAR::popErrorHandling(); +@@ -1608,16 +1600,10 @@ + } + } + } ++ + // whew, download worked! +- if (isset($options['downloadonly'])) { +- $pkg = &$this->getPackagefileObject($this->_config, $this->_downloader->debug); +- } else { +- if (PEAR::isError($dir = $this->_downloader->getDownloadDir())) { +- return $dir; +- } +- $pkg = &$this->getPackagefileObject($this->_config, $this->_downloader->debug, +- $dir); +- } ++ $pkg = &$this->getPackagefileObject($this->_config, $this->_downloader->debug); ++ + PEAR::pushErrorHandling(PEAR_ERROR_RETURN); + $pf = &$pkg->fromAnyFile($file, PEAR_VALIDATE_INSTALLING); + PEAR::popErrorHandling(); +Index: PEAR/REST.php +=================================================================== +--- PEAR/REST.php (revision 308686) ++++ PEAR/REST.php (revision 308687) +@@ -102,8 +102,12 @@ + $ret = $this->getCache($url); + if (!PEAR::isError($ret) && $trieddownload) { + // reset the age of the cache if the server says it was unmodified +- $this->saveCache($url, $ret, null, true, $cacheId); ++ $result = $this->saveCache($url, $ret, null, true, $cacheId); ++ if (PEAR::isError($result)) { ++ return PEAR::raiseErro($result->getMessage()); ++ } + } ++ + return $ret; + } + if (is_array($file)) { +@@ -116,7 +120,11 @@ + $headers = array(); + } + if ($forcestring) { +- $this->saveCache($url, $content, $lastmodified, false, $cacheId); ++ $result = $this->saveCache($url, $content, $lastmodified, false, $cacheId); ++ if (PEAR::isError($result)) { ++ return PEAR::raiseErro($result->getMessage()); ++ } ++ + return $content; + } + if (isset($headers['content-type'])) { +@@ -142,7 +150,11 @@ + $parser->parse($content); + $content = $parser->getData(); + } +- $this->saveCache($url, $content, $lastmodified, false, $cacheId); ++ $result = $this->saveCache($url, $content, $lastmodified, false, $cacheId); ++ if (PEAR::isError($result)) { ++ return PEAR::raiseErro($result->getMessage()); ++ } ++ + return $content; + } + +@@ -197,51 +209,64 @@ + */ + function saveCache($url, $contents, $lastmodified, $nochange = false, $cacheid = null) + { +- $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR . +- md5($url) . 'rest.cacheid'; +- $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR . +- md5($url) . 'rest.cachefile'; ++ $cache_dir = $this->config->get('cache_dir'); ++ $d = $cache_dir . DIRECTORY_SEPARATOR . md5($url); ++ $cacheidfile = $d . 'rest.cacheid'; ++ $cachefile = $d . 'rest.cachefile'; ++ + if ($cacheid === null && $nochange) { + $cacheid = unserialize(implode('', file($cacheidfile))); + } + +- $fp = @fopen($cacheidfile, 'wb'); +- if (!$fp) { +- $cache_dir = $this->config->get('cache_dir'); +- if (!is_dir($cache_dir)) { +- System::mkdir(array('-p', $cache_dir)); +- $fp = @fopen($cacheidfile, 'wb'); +- if (!$fp) { +- return false; +- } +- } else { +- return false; ++ if (is_link($cacheidfile)) { ++ return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack'); ++ } ++ ++ if (is_link($cachefile)) { ++ return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack'); ++ } ++ ++ $cacheidfile_fp = @fopen($cacheidfile, 'wb'); ++ if (!$cacheidfile_fp) { ++ if (is_dir($cache_dir)) { ++ return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory. "); ++ } ++ ++ System::mkdir(array('-p', $cache_dir)); ++ $cacheidfile_fp = @fopen($cacheidfile, 'wb'); ++ if (!$cacheidfile_fp) { ++ return PEAR::raiseError("Could not open $cacheidfile for writing."); + } + } + + if ($nochange) { +- fwrite($fp, serialize(array( ++ fwrite($cacheidfile_fp, serialize(array( + 'age' => time(), + 'lastChange' => $cacheid['lastChange'], + ))); +- fclose($fp); ++ ++ fclose($cacheidfile_fp); + return true; +- } else { +- fwrite($fp, serialize(array( +- 'age' => time(), +- 'lastChange' => $lastmodified, +- ))); + } +- fclose($fp); +- $fp = @fopen($cachefile, 'wb'); +- if (!$fp) { ++ ++ fwrite($cacheidfile_fp, serialize(array( ++ 'age' => time(), ++ 'lastChange' => $lastmodified, ++ )) ++ ); ++ fclose($cacheidfile_fp); ++ ++ $cachefile_fp = @fopen($cachefile, 'wb'); ++ if (!$cachefile_fp) { + if (file_exists($cacheidfile)) { + @unlink($cacheidfile); + } +- return false; ++ ++ return PEAR::raiseError("Could not open $cacheidfile for writing."); + } +- fwrite($fp, serialize($contents)); +- fclose($fp); ++ ++ fwrite($cachefile_fp, serialize($contents)); ++ fclose($cachefile_fp); + return true; + } + +Index: PEAR/Builder.php +=================================================================== +--- PEAR/Builder.php (revision 308686) ++++ PEAR/Builder.php (revision 308687) +@@ -220,7 +220,7 @@ + /** + * Build an extension from source. Runs "phpize" in the source + * directory, but compiles in a temporary directory +- * (/var/tmp/pear-build-USER/PACKAGE-VERSION). ++ * (TMPDIR/pear-build-USER/PACKAGE-VERSION). + * + * @param string|PEAR_PackageFile_v* $descfile path to XML package description file, or + * a PEAR_PackageFile object +@@ -327,30 +333,31 @@ + // }}} end of interactive part + + // FIXME make configurable +- if(!$user=getenv('USER')){ ++ if (!$user=getenv('USER')) { + $user='defaultuser'; + } +- $build_basedir = "/var/tmp/pear-build-$user"; ++ ++ $tmpdir = $this->config->get('temp_dir'); ++ $build_basedir = System::mktemp(" -t $tmpdir -d pear-build-$user"); + $build_dir = "$build_basedir/$vdir"; + $inst_dir = "$build_basedir/install-$vdir"; + $this->log(1, "building in $build_dir"); + if (is_dir($build_dir)) { + System::rm(array('-rf', $build_dir)); + } ++ + if (!System::mkDir(array('-p', $build_dir))) { + return $this->raiseError("could not create build dir: $build_dir"); + } ++ + $this->addTempFile($build_dir); + if (!System::mkDir(array('-p', $inst_dir))) { + return $this->raiseError("could not create temporary install dir: $inst_dir"); + } + $this->addTempFile($inst_dir); + +- if (getenv('MAKE')) { +- $make_command = getenv('MAKE'); +- } else { +- $make_command = 'make'; +- } ++ $make_command = getenv('MAKE') ? getenv('MAKE') : 'make'; ++ + $to_run = array( + $configure_command, + $make_command, +Index: PEAR/Command/Remote.php +=================================================================== +--- PEAR/Command/Remote.php (revision 308686) ++++ PEAR/Command/Remote.php (revision 308687) +@@ -144,7 +144,7 @@ + 'shortcut' => 'cc', + 'options' => array(), + 'doc' => ' +-Clear the XML-RPC/REST cache. See also the cache_ttl configuration ++Clear the REST cache. See also the cache_ttl configuration + parameter. + ', + ), +Index: PEAR/Command/Package.php +=================================================================== +--- PEAR/Command/Package.php (revision 308686) ++++ PEAR/Command/Package.php (revision 308687) +@@ -314,7 +314,7 @@ + return $a; + } + +- function &getPackageFile($config, $debug = false, $tmpdir = null) ++ function &getPackageFile($config, $debug = false) + { + if (!class_exists('PEAR_Common')) { + require_once 'PEAR/Common.php'; +@@ -322,7 +322,7 @@ + if (!class_exists('PEAR/PackageFile.php')) { + require_once 'PEAR/PackageFile.php'; + } +- $a = &new PEAR_PackageFile($config, $debug, $tmpdir); ++ $a = &new PEAR_PackageFile($config, $debug); + $common = new PEAR_Common; + $common->ui = $this->ui; + $a->setLogger($common); +@@ -969,7 +969,9 @@ + return $this->raiseError($info); + } + $tar = new Archive_Tar($params[0]); +- $tmpdir = System::mktemp('-d pearsign'); ++ ++ $tmpdir = $this->config->get('temp_dir'); ++ $tmpdir = System::mktemp(" -t $tmpdir -d pearsign"); + if (!$tar->extractList('package2.xml package.xml package.sig', $tmpdir)) { + return $this->raiseError("failed to extract tar file"); + } +Index: PEAR/Command/Pickle.php +=================================================================== +--- PEAR/Command/Pickle.php (revision 308686) ++++ PEAR/Command/Pickle.php (revision 308687) +@@ -104,7 +104,7 @@ + * @param string|null $tmpdir + * @return PEAR_PackageFile + */ +- function &getPackageFile($config, $debug = false, $tmpdir = null) ++ function &getPackageFile($config, $debug = false) + { + if (!class_exists('PEAR_Common')) { + require_once 'PEAR/Common.php'; +@@ -114,7 +114,7 @@ + if (!class_exists('PEAR/PackageFile.php')) { + require_once 'PEAR/PackageFile.php'; + } +- $a = &new PEAR_PackageFile($config, $debug, $tmpdir); ++ $a = &new PEAR_PackageFile($config, $debug); + $common = new PEAR_Common; + $common->ui = $this->ui; + $a->setLogger($common); --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-4566.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-4566.patch @@ -0,0 +1,25 @@ +Description: fix denial of service and possible information disclosure + via exif integer overflow +Origin: backport, http://svn.php.net/viewvc?view=revision&revision=319535 +Bug: https://bugs.php.net/bug.php?id=60150 + +Index: php5-5.2.4/ext/exif/exif.c +=================================================================== +--- php5-5.2.4.orig/ext/exif/exif.c 2011-12-13 11:35:26.000000000 -0500 ++++ php5-5.2.4/ext/exif/exif.c 2011-12-13 11:51:20.657356161 -0500 +@@ -2870,13 +2870,13 @@ + offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); + /* If its bigger than 4 bytes, the dir entry contains an offset. */ + value_ptr = offset_base+offset_val; +- if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) { ++ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { + /* + // It is important to check for IMAGE_FILETYPE_TIFF + // JPEG does not use absolute pointers instead its pointers are relative to the start + // of the TIFF header in APP1 section. + */ +- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { ++ if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) { + if (value_ptr < dir_entry) { + /* we can read this if offset_val > 0 */ + /* some files have their values in other parts of the file */ --- php5-5.2.4.orig/debian/patches/125_SECURITY_CVE-2008-5624.patch +++ php5-5.2.4/debian/patches/125_SECURITY_CVE-2008-5624.patch @@ -0,0 +1,48 @@ +# +# Description: fix safe_mode restriction bypass via unrestricted variable settings. +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508021 +# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.725.2.31.2.78&r2=1.725.2.31.2.79&diff_format=u +# Patch: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?r1=1.19.2.7.2.15&r2=1.19.2.7.2.16&diff_format=u +# +diff -Nur php5-5.2.4/ext/standard/basic_functions.c php5-5.2.4.new/ext/standard/basic_functions.c +--- php5-5.2.4/ext/standard/basic_functions.c 2009-01-27 14:18:59.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/basic_functions.c 2009-01-27 14:19:05.000000000 -0500 +@@ -3914,6 +3914,8 @@ + memset(&BG(mblen_state), 0, sizeof(BG(mblen_state))); + #endif + BG(incomplete_class) = incomplete_class_entry; ++ BG(page_uid) = -1; ++ BG(page_gid) = -1; + } + + +@@ -4216,6 +4218,8 @@ + + PHP_RSHUTDOWN(user_filters)(SHUTDOWN_FUNC_ARGS_PASSTHRU); + ++ BG(page_uid) = -1; ++ BG(page_gid) = -1; + return SUCCESS; + } + +diff -Nur php5-5.2.4/sapi/apache/mod_php5.c php5-5.2.4.new/sapi/apache/mod_php5.c +--- php5-5.2.4/sapi/apache/mod_php5.c 2009-01-27 14:18:59.000000000 -0500 ++++ php5-5.2.4.new/sapi/apache/mod_php5.c 2009-01-27 14:19:05.000000000 -0500 +@@ -597,6 +597,8 @@ + return OK; + } + ++ SG(server_context) = r; ++ + zend_first_try { + + /* Make sure file exists */ +@@ -654,8 +656,6 @@ + /* Init timeout */ + hard_timeout("send", r); + +- SG(server_context) = r; +- + php_save_umask(); + add_common_vars(r); + add_cgi_vars(r); --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-3709.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-3709.patch @@ -0,0 +1,24 @@ +Subject: fix Fixed NULL pointer dereference in ZipArchive::getArchiveComment +Origin: http://svn.php.net/viewvc?view=revision&revision=304505 + +CVE-2010-3709 +report & patch from Maksymilian Arciemowicz + +--- + ext/zip/php_zip.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: b/ext/zip/php_zip.c +=================================================================== +--- a/ext/zip/php_zip.c ++++ b/ext/zip/php_zip.c +@@ -1961,6 +1961,9 @@ static ZIPARCHIVE_METHOD(getArchiveComme + } + + comment = zip_get_archive_comment(intern, &comment_len, (int)flags); ++ if(comment==NULL) { ++ RETURN_FALSE; ++ } + RETURN_STRINGL((char *)comment, (long)comment_len, 1); + } + /* }}} */ --- php5-5.2.4.orig/debian/patches/disable_dl_by_default.patch +++ php5-5.2.4/debian/patches/disable_dl_by_default.patch @@ -0,0 +1,29 @@ +Index: php5-5.2.4/php.ini-dist +=================================================================== +--- php5-5.2.4.orig/php.ini-dist 2007-09-11 00:42:09.000000000 +0200 ++++ php5-5.2.4/php.ini-dist 2007-09-11 00:42:13.000000000 +0200 +@@ -505,7 +505,8 @@ + ; Whether or not to enable the dl() function. The dl() function does NOT work + ; properly in multithreaded servers, such as IIS or Zeus, and is automatically + ; disabled on them. +-enable_dl = On ++; NOTE: this is a potential security hole and is disabled by default in debian ++enable_dl = Off + + ; cgi.force_redirect is necessary to provide security running PHP as a CGI under + ; most web servers. Left undefined, PHP turns this on by default. You can +Index: php5-5.2.4/php.ini-recommended +=================================================================== +--- php5-5.2.4.orig/php.ini-recommended 2007-09-11 00:23:54.000000000 +0200 ++++ php5-5.2.4/php.ini-recommended 2007-09-11 00:42:13.000000000 +0200 +@@ -538,7 +538,9 @@ + ; Whether or not to enable the dl() function. The dl() function does NOT work + ; properly in multithreaded servers, such as IIS or Zeus, and is automatically + ; disabled on them. +-enable_dl = On ++; NOTE: this is a potential security hole and is disabled by default in debian ++enable_dl = Off ++ + + ; cgi.force_redirect is necessary to provide security running PHP as a CGI under + ; most web servers. Left undefined, PHP turns this on by default. You can --- php5-5.2.4.orig/debian/patches/044-strtod_arm_fix.patch +++ php5-5.2.4/debian/patches/044-strtod_arm_fix.patch @@ -0,0 +1,56 @@ +Index: php5-5.2.4/Zend/zend_strtod.c +=================================================================== +--- php5-5.2.4.orig/Zend/zend_strtod.c 2007-07-23 18:17:10.000000000 +0200 ++++ php5-5.2.4/Zend/zend_strtod.c 2007-09-11 00:26:29.000000000 +0200 +@@ -142,14 +142,25 @@ + #define IEEE_LITTLE_ENDIAN + #endif + +-#if defined(__arm__) && !defined(__VFP_FP__) +-/* +- * * Although the CPU is little endian the FP has different +- * * byte and word endianness. The byte order is still little endian +- * * but the word order is big endian. +- * */ +-#define IEEE_BIG_ENDIAN ++#if defined(__arm__) || defined(__thumb__) ++/* ARM traditionally used big-endian words; and within those words the ++ byte ordering was big or little endian depending upon the target. ++ Modern floating-point formats are naturally ordered; in this case ++ __VFP_FP__ will be defined, even if soft-float. */ + #undef IEEE_LITTLE_ENDIAN ++#undef IEEE_BIG_ENDIAN ++#if defined(__VFP_FP__) || defined(__MAVERICK__) ++# ifdef __ARMEL__ ++# define IEEE_LITTLE_ENDIAN ++# else ++# define IEEE_BIG_ENDIAN ++# endif ++#else ++# define IEEE_BIG_ENDIAN ++# ifdef __ARMEL__ ++# define IEEE_BYTES_LITTLE_ENDIAN ++# endif ++#endif + #endif + + #ifdef __vax__ +@@ -256,8 +267,7 @@ + + #if defined(IEEE_LITTLE_ENDIAN) + defined(IEEE_BIG_ENDIAN) + defined(VAX) + \ + defined(IBM) != 1 +- Exactly one of IEEE_LITTLE_ENDIAN IEEE_BIG_ENDIAN, VAX, or +- IBM should be defined. ++#error "Exactly one of IEEE_LITTLE_ENDIAN IEEE_BIG_ENDIAN, VAX, or IBM should be defined." + #endif + + typedef union { +@@ -277,7 +287,7 @@ + * An alternative that might be better on some machines is + * #define Storeinc(a,b,c) (*a++ = b << 16 | c & 0xffff) + */ +-#if defined(IEEE_LITTLE_ENDIAN) + defined(VAX) + defined(__arm__) ++#if defined(IEEE_LITTLE_ENDIAN) + defined(VAX) + defined(IEEE_BYTES_LITTLE_ENDIAN) + #define Storeinc(a,b,c) (((unsigned short *)a)[1] = (unsigned short)b, \ + ((unsigned short *)a)[0] = (unsigned short)c, a++) + #else --- php5-5.2.4.orig/debian/patches/128_SECURITY_CVE-2008-5814.patch +++ php5-5.2.4/debian/patches/128_SECURITY_CVE-2008-5814.patch @@ -0,0 +1,22 @@ +# +# Description: fix cross-site scripting vulnerability when display_errors is enabled. +# Patch: http://viewcvs.php.net/viewvc.cgi/php-src/ext/standard/head.c?r1=1.84.2.1.2.8&r2=1.84.2.1.2.9&pathrev=PHP_5_2 +# +diff -Nur php5-5.2.4/ext/standard/head.c php5-5.2.4.new/ext/standard/head.c +--- php5-5.2.4/ext/standard/head.c 2007-02-25 21:12:36.000000000 -0500 ++++ php5-5.2.4.new/ext/standard/head.c 2009-04-15 13:31:00.000000000 -0400 +@@ -69,12 +69,12 @@ + int result; + + if (name && strpbrk(name, "=,; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */ +- zend_error( E_WARNING, "Cookie names can not contain any of the folllowing '=,; \\t\\r\\n\\013\\014' (%s)", name ); ++ zend_error( E_WARNING, "Cookie names can not contain any of the folllowing '=,; \\t\\r\\n\\013\\014'" ); + return FAILURE; + } + + if (!url_encode && value && strpbrk(value, ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */ +- zend_error( E_WARNING, "Cookie values can not contain any of the folllowing ',; \\t\\r\\n\\013\\014' (%s)", value ); ++ zend_error( E_WARNING, "Cookie values can not contain any of the folllowing ',; \\t\\r\\n\\013\\014'" ); + return FAILURE; + } + --- php5-5.2.4.orig/debian/patches/fix-xmlrpc-datetime.patch +++ php5-5.2.4/debian/patches/fix-xmlrpc-datetime.patch @@ -0,0 +1,78 @@ +diff -Naur php-5.2.4.orig/ext/xmlrpc/libxmlrpc/xmlrpc.c php-5.2.4/ext/xmlrpc/libxmlrpc/xmlrpc.c +--- php-5.2.4.orig/ext/xmlrpc/libxmlrpc/xmlrpc.c 2007-06-07 05:07:36.000000000 -0400 ++++ php-5.2.4/ext/xmlrpc/libxmlrpc/xmlrpc.c 2008-11-13 14:14:11.000000000 -0500 +@@ -161,11 +161,20 @@ + * Begin Time Functions * + ***********************/ + ++static time_t mkgmtime(struct tm *tm) ++{ ++ static const int mdays[12] = {0,31,59,90,120,151,181,212,243,273,304,334}; ++ ++ return ((((((tm->tm_year - 70) * 365) + mdays[tm->tm_mon] + tm->tm_mday-1 + ++ (tm->tm_year-68-1+(tm->tm_mon>=2))/4) * 24) + tm->tm_hour) * 60 + ++ tm->tm_min) * 60 + tm->tm_sec; ++} ++ + static int date_from_ISO8601 (const char *text, time_t * value) { + struct tm tm; + int n; + int i; +- char buf[18]; ++ char buf[30]; + + if (strchr (text, '-')) { + char *p = (char *) text, *p2 = buf; +@@ -175,6 +184,9 @@ + p2++; + } + p++; ++ if (p2-buf >= sizeof(buf)) { ++ return -1; ++ } + } + text = buf; + } +@@ -182,10 +194,6 @@ + + tm.tm_isdst = -1; + +- if(strlen(text) < 17) { +- return -1; +- } +- + n = 1000; + tm.tm_year = 0; + for(i = 0; i < 4; i++) { +@@ -238,7 +246,7 @@ + + static int date_to_ISO8601 (time_t value, char *buf, int length) { + struct tm *tm, tmbuf; +- tm = php_localtime_r(&value, &tmbuf); ++ tm = php_gmtime_r(&value, &tmbuf); + if (!tm) { + return 0; + } +@@ -1516,8 +1524,7 @@ + date_to_ISO8601(time, timeBuf, sizeof(timeBuf)); + + if(timeBuf[0]) { +- simplestring_clear(&value->str); +- simplestring_add(&value->str, timeBuf); ++ XMLRPC_SetValueDateTime_ISO8601 (value, timeBuf); + } + } + } +@@ -1693,8 +1700,11 @@ + if(value) { + time_t time_val = 0; + if(s) { ++ value->type = xmlrpc_datetime; + date_from_ISO8601(s, &time_val); +- XMLRPC_SetValueDateTime(value, time_val); ++ value->i = time_val; ++ simplestring_clear(&value->str); ++ simplestring_add(&value->str, s); + } + } + } --- php5-5.2.4.orig/debian/patches/004-ldap_fix.patch +++ php5-5.2.4/debian/patches/004-ldap_fix.patch @@ -0,0 +1,23 @@ +Index: php5-5.2.4/ext/ldap/ldap.c +=================================================================== +--- php5-5.2.4.orig/ext/ldap/ldap.c 2007-09-10 20:45:23.000000000 +0200 ++++ php5-5.2.4/ext/ldap/ldap.c 2007-09-10 20:45:39.000000000 +0200 +@@ -1334,7 +1334,7 @@ + } + + i=0; +- while (ldap_value[i] != NULL) i++; ++ while (ldap_value && ldap_value[i] != NULL) i++; + count = i; + + array_init(return_value); +@@ -1344,7 +1344,8 @@ + add_index_string(return_value, i, ldap_value[i], 1); + } + +- ldap_value_free(ldap_value); ++ if (ldap_value) ++ ldap_value_free(ldap_value); + } + /* }}} */ + --- php5-5.2.4.orig/debian/patches/php5-CVE-2010-4698.patch +++ php5-5.2.4/debian/patches/php5-CVE-2010-4698.patch @@ -0,0 +1,45 @@ +Subject: Fix #53492, fix crash if aa steps are invalid +Origin: http://svn.php.net/viewvc?view=revision&revision=306097 +Bug: http://bugs.php.net/53492 + +Patch also includes +http://svn.php.net/viewvc?view=revision&revision=306236 + + Merge from trunk: + * Fixed parameter check introduced with the recent fix for bug #53492. + * Improved the error message along the way. + +Patch is modified from upstream commits to remove edits to the NEWS +file, to reduce conflicts when patching. + +Index: ext/gd/gd.c +=================================================================== +--- ext/gd/gd.c (revision 306096) ++++ ext/gd/gd.c (revision 306097) +@@ -4593,6 +4593,11 @@ + return; + } + ++ if (aa_steps != 4 || aa_steps != 16) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "AA steps must be 4 or 16"); ++ RETURN_FALSE; ++ } ++ + ZEND_FETCH_RESOURCE(bg_img, gdImagePtr, &img, -1, "Image", le_gd); + ZEND_FETCH_RESOURCE(f_ind, int *, &fnt, -1, "Type 1 font", le_ps_font); + +Index: ext/gd/gd.c +=================================================================== +--- ext/gd/gd.c (revision 306235) ++++ ext/gd/gd.c (revision 306236) +@@ -4228,8 +4228,8 @@ + return; + } + +- if (aa_steps != 4 || aa_steps != 16) { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "AA steps must be 4 or 16"); ++ if (aa_steps != 4 && aa_steps != 16) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Antialias steps must be 4 or 16"); + RETURN_FALSE; + } + --- php5-5.2.4.orig/debian/patches/use_embedded_timezonedb.patch +++ php5-5.2.4/debian/patches/use_embedded_timezonedb.patch @@ -0,0 +1,655 @@ +diff -Naur php-5.2.4.orig/ext/date/lib/parse_tz.c php-5.2.4/ext/date/lib/parse_tz.c +--- php-5.2.4.orig/ext/date/lib/parse_tz.c 2007-01-25 14:38:45.000000000 +0000 ++++ php-5.2.4/ext/date/lib/parse_tz.c 2008-10-22 13:04:09.000000000 +0000 +@@ -20,6 +20,16 @@ + + #include "timelib.h" + ++#ifdef HAVE_SYSTEM_TZDATA ++#include ++#include ++#include ++#include ++#include ++ ++#include "php_scandir.h" ++#endif ++ + #include + + #ifdef HAVE_LOCALE_H +@@ -31,7 +41,10 @@ + #else + #include + #endif ++ ++#ifndef HAVE_SYSTEM_TZDATA + #include "timezonedb.h" ++#endif + + #ifdef WORDS_BIGENDIAN + #define timelib_conv_int(l) (l) +@@ -196,6 +209,195 @@ + } + } + ++#ifdef HAVE_SYSTEM_TZDATA ++ ++#ifdef HAVE_SYSTEM_TZDATA_PREFIX ++#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX ++#else ++#define ZONEINFO_PREFIX "/usr/share/zoneinfo" ++#endif ++ ++static const timelib_tzdb *timezonedb_system = NULL; ++ ++/* Filter out some non-tzdata files and the posix/right databases, if ++ * present. */ ++static int index_filter(const struct dirent *ent) ++{ ++ return strcmp(ent->d_name, ".") != 0 ++ && strcmp(ent->d_name, "..") != 0 ++ && strcmp(ent->d_name, "posix") != 0 ++ && strcmp(ent->d_name, "posixrules") != 0 ++ && strcmp(ent->d_name, "right") != 0 ++ && strstr(ent->d_name, ".tab") == NULL; ++} ++ ++/* Create the zone identifier index by trawling the filesystem. */ ++static void create_zone_index(timelib_tzdb *db) ++{ ++ size_t dirstack_size, dirstack_top; ++ size_t index_size, index_next; ++ timelib_tzdb_index_entry *db_index; ++ char **dirstack; ++ ++ /* LIFO stack to hold directory entres to scan; each slot is a ++ * directory name relative to the zoneinfo prefix. */ ++ dirstack_size = 32; ++ dirstack = malloc(dirstack_size * sizeof *dirstack); ++ dirstack_top = 1; ++ dirstack[0] = strdup(""); ++ ++ /* Index array. */ ++ index_size = 64; ++ db_index = malloc(index_size * sizeof *db_index); ++ index_next = 0; ++ ++ do { ++ struct dirent **ents; ++ char name[PATH_MAX], *top; ++ int count; ++ ++ /* Pop the top stack entry, and iterate through its contents. */ ++ top = dirstack[--dirstack_top]; ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); ++ ++ count = php_scandir(name, &ents, index_filter, php_alphasort); ++ ++ while (count > 0) { ++ struct stat st; ++ const char *leaf = ents[count - 1]->d_name; ++ ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", ++ top, leaf); ++ ++ if (strlen(name) && stat(name, &st) == 0) { ++ /* Name, relative to the zoneinfo prefix. */ ++ const char *root = top; ++ ++ if (root[0] == '/') root++; ++ ++ snprintf(name, sizeof name, "%s%s%s", root, ++ *root ? "/": "", leaf); ++ ++ if (S_ISDIR(st.st_mode)) { ++ if (dirstack_top == dirstack_size) { ++ dirstack_size *= 2; ++ dirstack = realloc(dirstack, ++ dirstack_size * sizeof *dirstack); ++ } ++ dirstack[dirstack_top++] = strdup(name); ++ } ++ else { ++ if (index_next == index_size) { ++ index_size *= 2; ++ db_index = realloc(db_index, ++ index_size * sizeof *db_index); ++ } ++ ++ db_index[index_next].id = strdup(name); ++ db_index[index_next++].pos = 0; ++ } ++ } ++ ++ free(ents[--count]); ++ } ++ ++ free(ents); ++ free(top); ++ } while (dirstack_top); ++ ++ db->index = db_index; ++ db->index_size = index_next; ++ ++ free(dirstack); ++} ++ ++/* Return the mmap()ed tzfile if found, else NULL. On success, the ++ * length of the mapped data is placed in *length. */ ++static char *map_tzfile(const char *timezone, size_t *length) ++{ ++ char fname[PATH_MAX]; ++ struct stat st; ++ char *p; ++ int fd; ++ ++ if (strstr(timezone, "..") != NULL) { ++ return NULL; ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", timezone); ++ ++ fd = open(fname, O_RDONLY); ++ if (fd == -1) { ++ return NULL; ++ } else if (fstat(fd, &st) != 0 || st.st_size < 21) { ++ close(fd); ++ return NULL; ++ } ++ ++ *length = st.st_size; ++ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); ++ close(fd); ++ ++ return p != MAP_FAILED ? p : NULL; ++} ++ ++const timelib_tzdb *timelib_builtin_db(void) ++{ ++ if (timezonedb_system == NULL) { ++ timelib_tzdb *tmp = malloc(sizeof *tmp); ++ ++ tmp->version = "0.system"; ++ tmp->data = NULL; ++ create_zone_index(tmp); ++ timezonedb_system = tmp; ++ } ++ ++ return timezonedb_system; ++} ++ ++const timelib_tzdb_index_entry *timelib_timezone_builtin_identifiers_list(int *count) ++{ ++ *count = timezonedb_system->index_size; ++ return timezonedb_system->index; ++} ++ ++int timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb) ++{ ++ char fname[PATH_MAX]; ++ ++ if (strstr(timezone, "..") != NULL) { ++ return 0; ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", timezone); ++ ++ return access(fname, R_OK) == 0 ? 1 : 0; ++} ++ ++timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb) ++{ ++ char *tzf, *orig; ++ timelib_tzinfo *tmp; ++ size_t len; ++ ++ orig = map_tzfile(timezone, &len); ++ if (orig == NULL) { ++ return NULL; ++ } ++ ++ tmp = timelib_tzinfo_ctor(timezone); ++ ++ tzf = orig + 20; ++ read_header(&tzf, tmp); ++ read_transistions(&tzf, tmp); ++ read_types(&tzf, tmp); ++ ++ munmap(orig, len); ++ ++ return tmp; ++} ++#else /* !HAVE_SYSTEM_TZDATA */ ++ + static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) + { + int left = 0, right = tzdb->index_size - 1; +@@ -269,6 +471,7 @@ + + return tmp; + } ++#endif + + static ttinfo* fetch_timezone_offset(timelib_tzinfo *tz, timelib_sll ts, timelib_sll *transition_time) + { +diff -Naur php-5.2.4.orig/ext/date/lib/parse_tz.c.orig php-5.2.4/ext/date/lib/parse_tz.c.orig +--- php-5.2.4.orig/ext/date/lib/parse_tz.c.orig 1970-01-01 00:00:00.000000000 +0000 ++++ php-5.2.4/ext/date/lib/parse_tz.c.orig 2007-01-25 14:38:45.000000000 +0000 +@@ -0,0 +1,395 @@ ++/* ++ +----------------------------------------------------------------------+ ++ | PHP Version 5 | ++ +----------------------------------------------------------------------+ ++ | Copyright (c) 1997-2007 The PHP Group | ++ +----------------------------------------------------------------------+ ++ | This source file is subject to version 3.01 of the PHP license, | ++ | that is bundled with this package in the file LICENSE, and is | ++ | available through the world-wide-web at the following url: | ++ | http://www.php.net/license/3_01.txt | ++ | If you did not receive a copy of the PHP license and are unable to | ++ | obtain it through the world-wide-web, please send a note to | ++ | license@php.net so we can mail you a copy immediately. | ++ +----------------------------------------------------------------------+ ++ | Authors: Derick Rethans | ++ +----------------------------------------------------------------------+ ++ */ ++ ++/* $Id: parse_tz.c,v 1.20.2.6.2.12 2007/01/25 14:38:45 tony2001 Exp $ */ ++ ++#include "timelib.h" ++ ++#include ++ ++#ifdef HAVE_LOCALE_H ++#include ++#endif ++ ++#ifdef HAVE_STRING_H ++#include ++#else ++#include ++#endif ++#include "timezonedb.h" ++ ++#ifdef WORDS_BIGENDIAN ++#define timelib_conv_int(l) (l) ++#else ++#define timelib_conv_int(l) ((l & 0x000000ff) << 24) + ((l & 0x0000ff00) << 8) + ((l & 0x00ff0000) >> 8) + ((l & 0xff000000) >> 24) ++#endif ++ ++static void read_header(char **tzf, timelib_tzinfo *tz) ++{ ++ uint32_t buffer[6]; ++ ++ memcpy(&buffer, *tzf, sizeof(buffer)); ++ tz->ttisgmtcnt = timelib_conv_int(buffer[0]); ++ tz->ttisstdcnt = timelib_conv_int(buffer[1]); ++ tz->leapcnt = timelib_conv_int(buffer[2]); ++ tz->timecnt = timelib_conv_int(buffer[3]); ++ tz->typecnt = timelib_conv_int(buffer[4]); ++ tz->charcnt = timelib_conv_int(buffer[5]); ++ *tzf += sizeof(buffer); ++} ++ ++static void read_transistions(char **tzf, timelib_tzinfo *tz) ++{ ++ int32_t *buffer = NULL; ++ uint32_t i; ++ unsigned char *cbuffer = NULL; ++ ++ if (tz->timecnt) { ++ buffer = (int32_t*) malloc(tz->timecnt * sizeof(int32_t)); ++ if (!buffer) { ++ return; ++ } ++ memcpy(buffer, *tzf, sizeof(int32_t) * tz->timecnt); ++ *tzf += (sizeof(int32_t) * tz->timecnt); ++ for (i = 0; i < tz->timecnt; i++) { ++ buffer[i] = timelib_conv_int(buffer[i]); ++ } ++ ++ cbuffer = (unsigned char*) malloc(tz->timecnt * sizeof(unsigned char)); ++ if (!cbuffer) { ++ return; ++ } ++ memcpy(cbuffer, *tzf, sizeof(unsigned char) * tz->timecnt); ++ *tzf += sizeof(unsigned char) * tz->timecnt; ++ } ++ ++ tz->trans = buffer; ++ tz->trans_idx = cbuffer; ++} ++ ++static void read_types(char **tzf, timelib_tzinfo *tz) ++{ ++ unsigned char *buffer; ++ int32_t *leap_buffer; ++ unsigned int i, j; ++ ++ buffer = (unsigned char*) malloc(tz->typecnt * sizeof(unsigned char) * 6); ++ if (!buffer) { ++ return; ++ } ++ memcpy(buffer, *tzf, sizeof(unsigned char) * 6 * tz->typecnt); ++ *tzf += sizeof(unsigned char) * 6 * tz->typecnt; ++ ++ tz->type = (ttinfo*) malloc(tz->typecnt * sizeof(struct ttinfo)); ++ if (!tz->type) { ++ return; ++ } ++ ++ for (i = 0; i < tz->typecnt; i++) { ++ j = i * 6; ++ tz->type[i].offset = (buffer[j] * 16777216) + (buffer[j + 1] * 65536) + (buffer[j + 2] * 256) + buffer[j + 3]; ++ tz->type[i].isdst = buffer[j + 4]; ++ tz->type[i].abbr_idx = buffer[j + 5]; ++ } ++ free(buffer); ++ ++ tz->timezone_abbr = (char*) malloc(tz->charcnt); ++ if (!tz->timezone_abbr) { ++ return; ++ } ++ memcpy(tz->timezone_abbr, *tzf, sizeof(char) * tz->charcnt); ++ *tzf += sizeof(char) * tz->charcnt; ++ ++ leap_buffer = (int32_t *) malloc(tz->leapcnt * 2 * sizeof(int32_t)); ++ if (!leap_buffer) { ++ return; ++ } ++ memcpy(leap_buffer, *tzf, sizeof(int32_t) * tz->leapcnt * 2); ++ *tzf += sizeof(int32_t) * tz->leapcnt * 2; ++ ++ tz->leap_times = (tlinfo*) malloc(tz->leapcnt * sizeof(tlinfo)); ++ if (!tz->leap_times) { ++ return; ++ } ++ for (i = 0; i < tz->leapcnt; i++) { ++ tz->leap_times[i].trans = timelib_conv_int(leap_buffer[i * 2]); ++ tz->leap_times[i].offset = timelib_conv_int(leap_buffer[i * 2 + 1]); ++ } ++ free(leap_buffer); ++ ++ buffer = (unsigned char*) malloc(tz->ttisstdcnt * sizeof(unsigned char)); ++ if (!buffer) { ++ return; ++ } ++ memcpy(buffer, *tzf, sizeof(unsigned char) * tz->ttisstdcnt); ++ *tzf += sizeof(unsigned char) * tz->ttisstdcnt; ++ ++ for (i = 0; i < tz->ttisstdcnt; i++) { ++ tz->type[i].isstdcnt = buffer[i]; ++ } ++ free(buffer); ++ ++ buffer = (unsigned char*) malloc(tz->ttisgmtcnt * sizeof(unsigned char)); ++ if (!buffer) { ++ return; ++ } ++ memcpy(buffer, *tzf, sizeof(unsigned char) * tz->ttisgmtcnt); ++ *tzf += sizeof(unsigned char) * tz->ttisgmtcnt; ++ ++ for (i = 0; i < tz->ttisgmtcnt; i++) { ++ tz->type[i].isgmtcnt = buffer[i]; ++ } ++ free(buffer); ++} ++ ++void timelib_dump_tzinfo(timelib_tzinfo *tz) ++{ ++ uint32_t i; ++ ++ printf("UTC/Local count: %lu\n", (unsigned long) tz->ttisgmtcnt); ++ printf("Std/Wall count: %lu\n", (unsigned long) tz->ttisstdcnt); ++ printf("Leap.sec. count: %lu\n", (unsigned long) tz->leapcnt); ++ printf("Trans. count: %lu\n", (unsigned long) tz->timecnt); ++ printf("Local types count: %lu\n", (unsigned long) tz->typecnt); ++ printf("Zone Abbr. count: %lu\n", (unsigned long) tz->charcnt); ++ ++ printf ("%8s (%12s) = %3d [%5ld %1d %3d '%s' (%d,%d)]\n", ++ "", "", 0, ++ (long int) tz->type[0].offset, ++ tz->type[0].isdst, ++ tz->type[0].abbr_idx, ++ &tz->timezone_abbr[tz->type[0].abbr_idx], ++ tz->type[0].isstdcnt, ++ tz->type[0].isgmtcnt ++ ); ++ for (i = 0; i < tz->timecnt; i++) { ++ printf ("%08X (%12d) = %3d [%5ld %1d %3d '%s' (%d,%d)]\n", ++ tz->trans[i], tz->trans[i], tz->trans_idx[i], ++ (long int) tz->type[tz->trans_idx[i]].offset, ++ tz->type[tz->trans_idx[i]].isdst, ++ tz->type[tz->trans_idx[i]].abbr_idx, ++ &tz->timezone_abbr[tz->type[tz->trans_idx[i]].abbr_idx], ++ tz->type[tz->trans_idx[i]].isstdcnt, ++ tz->type[tz->trans_idx[i]].isgmtcnt ++ ); ++ } ++ for (i = 0; i < tz->leapcnt; i++) { ++ printf ("%08X (%12ld) = %d\n", ++ tz->leap_times[i].trans, ++ (long) tz->leap_times[i].trans, ++ tz->leap_times[i].offset); ++ } ++} ++ ++static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) ++{ ++ int left = 0, right = tzdb->index_size - 1; ++#ifdef HAVE_SETLOCALE ++ char *cur_locale = NULL, *tmp; ++ ++ tmp = setlocale(LC_CTYPE, NULL); ++ if (tmp) { ++ cur_locale = strdup(tmp); ++ } ++ setlocale(LC_CTYPE, "C"); ++#endif ++ ++ do { ++ int mid = ((unsigned)left + right) >> 1; ++ int cmp = strcasecmp(timezone, tzdb->index[mid].id); ++ ++ if (cmp < 0) { ++ right = mid - 1; ++ } else if (cmp > 0) { ++ left = mid + 1; ++ } else { /* (cmp == 0) */ ++ (*tzf) = &(tzdb->data[tzdb->index[mid].pos + 20]); ++#ifdef HAVE_SETLOCALE ++ setlocale(LC_CTYPE, cur_locale); ++ if (cur_locale) free(cur_locale); ++#endif ++ return 1; ++ } ++ ++ } while (left <= right); ++ ++#ifdef HAVE_SETLOCALE ++ setlocale(LC_CTYPE, cur_locale); ++ if (cur_locale) free(cur_locale); ++#endif ++ return 0; ++} ++ ++const timelib_tzdb *timelib_builtin_db(void) ++{ ++ return &timezonedb_builtin; ++} ++ ++const timelib_tzdb_index_entry *timelib_timezone_builtin_identifiers_list(int *count) ++{ ++ *count = sizeof(timezonedb_idx_builtin) / sizeof(*timezonedb_idx_builtin); ++ return timezonedb_idx_builtin; ++} ++ ++int timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb) ++{ ++ const unsigned char *tzf; ++ return (seek_to_tz_position(&tzf, timezone, tzdb)); ++} ++ ++timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb) ++{ ++ const unsigned char *tzf; ++ timelib_tzinfo *tmp; ++ ++ if (seek_to_tz_position(&tzf, timezone, tzdb)) { ++ tmp = timelib_tzinfo_ctor(timezone); ++ ++ read_header((char**) &tzf, tmp); ++ read_transistions((char**) &tzf, tmp); ++ read_types((char**) &tzf, tmp); ++ } else { ++ tmp = NULL; ++ } ++ ++ return tmp; ++} ++ ++static ttinfo* fetch_timezone_offset(timelib_tzinfo *tz, timelib_sll ts, timelib_sll *transition_time) ++{ ++ uint32_t i; ++ ++ /* If there is no transistion time, we pick the first one, if that doesn't ++ * exist we return NULL */ ++ if (!tz->timecnt || !tz->trans) { ++ *transition_time = 0; ++ if (tz->typecnt == 1) { ++ return &(tz->type[0]); ++ } ++ return NULL; ++ } ++ ++ /* If the TS is lower than the first transistion time, then we scan over ++ * all the transistion times to find the first non-DST one, or the first ++ * one in case there are only DST entries. Not sure which smartass came up ++ * with this idea in the first though :) */ ++ if (ts < tz->trans[0]) { ++ uint32_t j; ++ ++ *transition_time = 0; ++ j = 0; ++ while (j < tz->timecnt && tz->type[j].isdst) { ++ ++j; ++ } ++ if (j == tz->timecnt) { ++ j = 0; ++ } ++ return &(tz->type[j]); ++ } ++ ++ /* In all other cases we loop through the available transtion times to find ++ * the correct entry */ ++ for (i = 0; i < tz->timecnt; i++) { ++ if (ts < tz->trans[i]) { ++ *transition_time = tz->trans[i - 1]; ++ return &(tz->type[tz->trans_idx[i - 1]]); ++ } ++ } ++ *transition_time = tz->trans[tz->timecnt - 1]; ++ return &(tz->type[tz->trans_idx[tz->timecnt - 1]]); ++} ++ ++static tlinfo* fetch_leaptime_offset(timelib_tzinfo *tz, timelib_sll ts) ++{ ++ int i; ++ ++ if (!tz->leapcnt || !tz->leap_times) { ++ return NULL; ++ } ++ ++ for (i = tz->leapcnt - 1; i > 0; i--) { ++ if (ts > tz->leap_times[i].trans) { ++ return &(tz->leap_times[i]); ++ } ++ } ++ return NULL; ++} ++ ++int timelib_timestamp_is_in_dst(timelib_sll ts, timelib_tzinfo *tz) ++{ ++ ttinfo *to; ++ timelib_sll dummy; ++ ++ if ((to = fetch_timezone_offset(tz, ts, &dummy))) { ++ return to->isdst; ++ } ++ return -1; ++} ++ ++timelib_time_offset *timelib_get_time_zone_info(timelib_sll ts, timelib_tzinfo *tz) ++{ ++ ttinfo *to; ++ tlinfo *tl; ++ int32_t offset = 0, leap_secs = 0; ++ char *abbr; ++ timelib_time_offset *tmp = timelib_time_offset_ctor(); ++ timelib_sll transistion_time; ++ ++ if ((to = fetch_timezone_offset(tz, ts, &transistion_time))) { ++ offset = to->offset; ++ abbr = &(tz->timezone_abbr[to->abbr_idx]); ++ tmp->is_dst = to->isdst; ++ tmp->transistion_time = transistion_time; ++ } else { ++ offset = 0; ++ abbr = tz->timezone_abbr; ++ tmp->is_dst = 0; ++ tmp->transistion_time = 0; ++ } ++ ++ if ((tl = fetch_leaptime_offset(tz, ts))) { ++ leap_secs = -tl->offset; ++ } ++ ++ tmp->offset = offset; ++ tmp->leap_secs = leap_secs; ++ tmp->abbr = abbr ? strdup(abbr) : strdup("GMT"); ++ ++ return tmp; ++} ++ ++timelib_sll timelib_get_current_offset(timelib_time *t) ++{ ++ timelib_time_offset *gmt_offset; ++ timelib_sll retval; ++ ++ switch (t->zone_type) { ++ case TIMELIB_ZONETYPE_ABBR: ++ case TIMELIB_ZONETYPE_OFFSET: ++ return t->z * 60; ++ ++ case TIMELIB_ZONETYPE_ID: ++ gmt_offset = timelib_get_time_zone_info(t->sse, t->tz_info); ++ retval = gmt_offset->offset; ++ timelib_time_offset_dtor(gmt_offset); ++ return retval; ++ ++ default: ++ return 0; ++ } ++} +diff -Naur php-5.2.4.orig/ext/date/lib/timelib.m4 php-5.2.4/ext/date/lib/timelib.m4 +--- php-5.2.4.orig/ext/date/lib/timelib.m4 2005-07-03 23:30:52.000000000 +0000 ++++ php-5.2.4/ext/date/lib/timelib.m4 2008-10-22 13:04:09.000000000 +0000 +@@ -78,3 +78,17 @@ + + dnl Check for strtoll, atoll + AC_CHECK_FUNCS(strtoll atoll strftime) ++ ++PHP_ARG_WITH(system-tzdata, for use of system timezone data, ++[ --with-system-tzdata[=DIR] to specify use of system timezone data], ++no, no) ++ ++if test "$PHP_SYSTEM_TZDATA" != "no"; then ++ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) ++ ++ if test "$PHP_SYSTEM_TZDATA" != "yes"; then ++ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", ++ [Define for location of system timezone data]) ++ fi ++fi ++ --- php5-5.2.4.orig/debian/patches/CVE-2009-4143.patch +++ php5-5.2.4/debian/patches/CVE-2009-4143.patch @@ -0,0 +1,30 @@ +Description: fix restrictions bypass via incorrect session data handling +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=291681 + +diff -Nur php5-5.2.4/ext/session/session.c php5-5.2.4.new/ext/session/session.c +--- php5-5.2.4/ext/session/session.c 2010-01-06 09:38:45.000000000 -0500 ++++ php5-5.2.4.new/ext/session/session.c 2010-01-06 09:38:50.000000000 -0500 +@@ -1725,7 +1725,10 @@ + + convert_to_string_ex(p_name); + +- PS_DEL_VARL(Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name)); ++ IF_SESSION_VARS() { ++ SEPARATE_ZVAL_IF_NOT_REF(&PS(http_session_vars)); ++ PS_DEL_VARL(Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name)); ++ } + + RETURN_TRUE; + } +@@ -1835,7 +1838,10 @@ + RETURN_FALSE; + + IF_SESSION_VARS() { +- HashTable *ht = Z_ARRVAL_P(PS(http_session_vars)); ++ HashTable *ht; ++ ++ SEPARATE_ZVAL_IF_NOT_REF(&PS(http_session_vars)); ++ ht = Z_ARRVAL_P(PS(http_session_vars)); + + if (PG(register_globals)) { + uint str_len; --- php5-5.2.4.orig/debian/patches/CVE-2009-4017.patch +++ php5-5.2.4/debian/patches/CVE-2009-4017.patch @@ -0,0 +1,59 @@ +Description: fix denial of service via large number of files in + form-data POST request. +upstream, Origin: http://svn.php.net/viewvc?view=revision&revision=289990 +upstream, Origin: http://svn.php.net/viewvc?view=revision&revision=290029 +upstream, Origin: http://svn.php.net/viewvc?view=revision&revision=290306 + +diff -Nur php5-5.2.4/main/main.c php5-5.2.4.new/main/main.c +--- php5-5.2.4/main/main.c 2009-11-25 14:42:12.000000000 -0500 ++++ php5-5.2.4.new/main/main.c 2009-11-25 14:42:17.000000000 -0500 +@@ -434,6 +434,7 @@ + PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL) + PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) ++ PHP_INI_ENTRY("max_file_uploads", "50", PHP_INI_SYSTEM, NULL) + + STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) + STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) +diff -Nur php5-5.2.4/main/rfc1867.c php5-5.2.4.new/main/rfc1867.c +--- php5-5.2.4/main/rfc1867.c 2007-07-17 19:46:40.000000000 -0400 ++++ php5-5.2.4.new/main/rfc1867.c 2009-11-25 14:42:17.000000000 -0500 +@@ -32,6 +32,7 @@ + #include "php_globals.h" + #include "php_variables.h" + #include "rfc1867.h" ++#include "php_ini.h" + + #define DEBUG_FILE_UPLOAD ZEND_DEBUG + +@@ -795,6 +796,12 @@ + zend_llist header; + void *event_extra_data = NULL; + int llen = 0; ++ char *max_uploads = INI_STR("max_file_uploads"); ++ int upload_cnt = 0; ++ ++ if (max_uploads && *max_uploads) { ++ upload_cnt = atoi(max_uploads); ++ } + + if (SG(request_info).content_length > SG(post_max_size)) { + sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); +@@ -973,6 +980,9 @@ + /* If file_uploads=off, skip the file part */ + if (!PG(file_uploads)) { + skip_upload = 1; ++ } else if (upload_cnt <= 0) { ++ skip_upload = 1; ++ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); + } + + /* Return with an error if the posted data is garbled */ +@@ -1017,6 +1027,7 @@ + if (!skip_upload) { + /* Handle file */ + fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC); ++ upload_cnt--; + if (fd==-1) { + sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); + cancel_upload = UPLOAD_ERROR_E; --- php5-5.2.4.orig/debian/patches/php5-CVE-2009-5016.patch +++ php5-5.2.4/debian/patches/php5-CVE-2009-5016.patch @@ -0,0 +1,22 @@ +Subject: This needs to be larger to avoid an overflow on the bit-shifting in this function +Origin: http://svn.php.net/viewvc/?view=revision&revision=287790 +Bug: http://bugs.php.net/bug.php?id=49687 +CVE-2009-5016 + +--- + ext/xml/xml.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: b/ext/xml/xml.c +=================================================================== +--- a/ext/xml/xml.c ++++ b/ext/xml/xml.c +@@ -559,7 +559,7 @@ PHPAPI char *xml_utf8_decode(const XML_C + { + int pos = len; + char *newbuf = emalloc(len + 1); +- unsigned short c; ++ unsigned int c; + char (*decoder)(unsigned short) = NULL; + xml_encoding *enc = xml_get_encoding(encoding); + --- php5-5.2.4.orig/debian/patches/CVE-2008-7068.patch +++ php5-5.2.4/debian/patches/CVE-2008-7068.patch @@ -0,0 +1,18 @@ +Description: fix file truncation via key with null byte +upstream, Origin: http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?r1=1.14.2.1.2.4&r2=1.14.2.1.2.5 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507101 + +diff -Nur php5-5.2.4/ext/dba/libinifile/inifile.c php5-5.2.4.new/ext/dba/libinifile/inifile.c +--- php5-5.2.4/ext/dba/libinifile/inifile.c 2007-01-01 14:40:29.000000000 -0500 ++++ php5-5.2.4.new/ext/dba/libinifile/inifile.c 2009-11-25 14:41:12.000000000 -0500 +@@ -508,7 +508,9 @@ + + /* 5 */ + if (ret == SUCCESS) { +- ret = inifile_truncate(dba, append ? pos_grp_next : pos_grp_start TSRMLS_CC); /* writes error on fail */ ++ if (!value || (key->name && strlen(key->name))) { ++ ret = inifile_truncate(dba, append ? pos_grp_next : pos_grp_start TSRMLS_CC); /* writes error on fail */ ++ } + } + + if (ret == SUCCESS) { --- php5-5.2.4.orig/debian/patches/108-64_bit_datetime.patch +++ php5-5.2.4/debian/patches/108-64_bit_datetime.patch @@ -0,0 +1,14 @@ +Index: php5-5.2.4/ext/standard/datetime.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/datetime.c 2007-06-07 10:59:00.000000000 +0200 ++++ php5-5.2.4/ext/standard/datetime.c 2007-09-11 00:41:58.000000000 +0200 +@@ -20,6 +20,9 @@ + + /* $Id: datetime.c,v 1.134.2.2.2.4 2007/06/07 08:59:00 tony2001 Exp $ */ + ++#define _XOPEN_SOURCE /* needed to get strptime() declared */ ++#define _BSD_SOURCE /* needed to get ulong declared */ ++ + #include "php.h" + #include "zend_operators.h" + #include "datetime.h" --- php5-5.2.4.orig/debian/patches/113-php.ini_securitynotes.patch +++ php5-5.2.4/debian/patches/113-php.ini_securitynotes.patch @@ -0,0 +1,42 @@ +Index: php5-5.2.4/php.ini-dist +=================================================================== +--- php5-5.2.4.orig/php.ini-dist 2007-09-11 00:23:54.000000000 +0200 ++++ php5-5.2.4/php.ini-dist 2007-09-11 00:42:09.000000000 +0200 +@@ -166,6 +166,11 @@ + ; + ; Safe Mode + ; ++; NOTE: this is considered a "broken" security measure. ++; Applications relying on this feature will not recieve full ++; support by the security team. For more information please ++; see /usr/share/doc/php5-common/README.Debian.security ++; + safe_mode = Off + + ; By default, Safe Mode does a UID compare check when +@@ -202,6 +207,13 @@ + ; and below. This directive makes most sense if used in a per-directory + ; or per-virtualhost web server configuration file. This directive is + ; *NOT* affected by whether Safe Mode is turned On or Off. ++ ++; NOTE: this is considered a "broken" security measure. ++; Applications relying on this feature will not recieve full ++; support by the security team. For more information please ++; see /usr/share/doc/php5-common/README.Debian.security ++; ++ + ;open_basedir = + + ; This directive allows you to disable certain functions for security reasons. +@@ -411,6 +423,11 @@ + ; You should do your best to write your scripts so that they do not require + ; register_globals to be on; Using form variables as globals can easily lead + ; to possible security problems, if the code is not very well thought of. ++ ++; NOTE: applications relying on this feature will not recieve full ++; support by the security team. For more information please ++; see /usr/share/doc/php5-common/README.Debian.security ++; + register_globals = Off + + ; Whether or not to register the old-style input arrays, HTTP_GET_VARS --- php5-5.2.4.orig/debian/patches/052-phpinfo_no_configure.patch +++ php5-5.2.4/debian/patches/052-phpinfo_no_configure.patch @@ -0,0 +1,25 @@ +Index: php-5.2.4/ext/standard/info.c +=================================================================== +--- php-5.2.4.orig/ext/standard/info.c ++++ php-5.2.4/ext/standard/info.c +@@ -461,7 +461,7 @@ + php_info_print_table_start(); + php_info_print_table_row(2, "System", php_uname ); + php_info_print_table_row(2, "Build Date", __DATE__ " " __TIME__ ); +-#ifdef CONFIGURE_COMMAND ++#if 0 + php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); + #endif + if (sapi_module.pretty_name) { +Index: php-5.2.4/ext/standard/tests/general_functions/phpinfo.phpt +=================================================================== +--- php-5.2.4.orig/ext/standard/tests/general_functions/phpinfo.phpt ++++ php-5.2.4/ext/standard/tests/general_functions/phpinfo.phpt +@@ -20,7 +20,6 @@ + + System => %s + Build Date => %s +-Configure Command => %s + Server API => Command Line Interface + Virtual Directory Support => %s + Configuration File (php.ini) Path => %s --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2007-5899.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2007-5899.patch @@ -0,0 +1,104 @@ +diff -Nur php5-5.2.4/ext/standard/url_scanner_ex.c php5-5.2.4.new/ext/standard/url_scanner_ex.c +--- php5-5.2.4/ext/standard/url_scanner_ex.c 2007-08-29 19:39:22.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/url_scanner_ex.c 2008-07-10 16:28:59.000000000 -0400 +@@ -259,16 +259,29 @@ + + if (ctx->form_app.len > 0) { + switch (ctx->tag.len) { +- +-#define RECOGNIZE(x) do { \ +- case sizeof(x)-1: \ +- if (strncasecmp(ctx->tag.c, x, sizeof(x)-1) == 0) \ +- doit = 1; \ +- break; \ +-} while (0) +- +- RECOGNIZE("form"); +- RECOGNIZE("fieldset"); ++ case sizeof("form") - 1: ++ if (!strncasecmp(ctx->tag.c, "form", sizeof("form") - 1)) { ++ doit = 1; ++ } ++ if (doit && ctx->val.c && ctx->lookup_data && *ctx->lookup_data) { ++ char *e, *p = zend_memnstr(ctx->val.c, "://", sizeof("://") - 1, ctx->val.c + ctx->val.len); ++ if (p) { ++ e = memchr(p, '/', (ctx->val.c + ctx->val.len) - p); ++ if (!e) { ++ e = ctx->val.c + ctx->val.len; ++ } ++ if ((e - p) && strncasecmp(p, ctx->lookup_data, (e - p))) { ++ doit = 0; ++ } ++ } ++ } ++ break; ++ ++ case sizeof("fieldset") - 1: ++ if (!strncasecmp(ctx->tag.c, "fieldset", sizeof("fieldset") - 1)) { ++ doit = 1; ++ } ++ break; + } + + if (doit) +@@ -276,8 +289,6 @@ + } + } + +- +- + /* + * HANDLE_TAG copies the HTML Tag and checks whether we + * have that tag in our table. If we might modify it, +diff -Nur php5-5.2.4/ext/standard/url_scanner_ex.re php5-5.2.4.new/ext/standard/url_scanner_ex.re +--- php5-5.2.4/ext/standard/url_scanner_ex.re 2007-06-05 20:00:27.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/url_scanner_ex.re 2008-07-10 16:28:59.000000000 -0400 +@@ -205,16 +205,29 @@ + + if (ctx->form_app.len > 0) { + switch (ctx->tag.len) { +- +-#define RECOGNIZE(x) do { \ +- case sizeof(x)-1: \ +- if (strncasecmp(ctx->tag.c, x, sizeof(x)-1) == 0) \ +- doit = 1; \ +- break; \ +-} while (0) +- +- RECOGNIZE("form"); +- RECOGNIZE("fieldset"); ++ case sizeof("form") - 1: ++ if (!strncasecmp(ctx->tag.c, "form", sizeof("form") - 1)) { ++ doit = 1; ++ } ++ if (doit && ctx->val.c && ctx->lookup_data && *ctx->lookup_data) { ++ char *e, *p = zend_memnstr(ctx->val.c, "://", sizeof("://") - 1, ctx->val.c + ctx->val.len); ++ if (p) { ++ e = memchr(p, '/', (ctx->val.c + ctx->val.len) - p); ++ if (!e) { ++ e = ctx->val.c + ctx->val.len; ++ } ++ if ((e - p) && strncasecmp(p, ctx->lookup_data, (e - p))) { ++ doit = 0; ++ } ++ } ++ } ++ break; ++ ++ case sizeof("fieldset") - 1: ++ if (!strncasecmp(ctx->tag.c, "fieldset", sizeof("fieldset") - 1)) { ++ doit = 1; ++ } ++ break; + } + + if (doit) +@@ -222,8 +235,6 @@ + } + } + +- +- + /* + * HANDLE_TAG copies the HTML Tag and checks whether we + * have that tag in our table. If we might modify it, --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2008-2051.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2008-2051.patch @@ -0,0 +1,65 @@ +Index: php5-5.2.4/ext/standard/exec.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/exec.c 2007-01-01 04:36:08.000000000 -0500 ++++ php5-5.2.4/ext/standard/exec.c 2008-07-16 14:26:47.000000000 -0400 +@@ -25,6 +25,7 @@ + #include "safe_mode.h" + #include "ext/standard/head.h" + #include "ext/standard/file.h" ++#include "basic_functions.h" + #include "exec.h" + #include "php_globals.h" + #include "SAPI.h" +@@ -265,11 +266,25 @@ + register int x, y, l; + char *cmd; + char *p = NULL; ++ ++ TSRMLS_FETCH(); + + l = strlen(str); + cmd = safe_emalloc(2, l, 1); + + for (x = 0, y = 0; x < l; x++) { ++ int mb_len = php_mblen(str + x, (l - x)); ++ ++ /* skip non-valid multibyte characters */ ++ if (mb_len < 0) { ++ continue; ++ } else if (mb_len > 1) { ++ memcpy(cmd + y, str + x, mb_len); ++ y += mb_len; ++ x += mb_len - 1; ++ continue; ++ } ++ + switch (str[x]) { + case '"': + case '\'': +@@ -328,6 +343,7 @@ + char *php_escape_shell_arg(char *str) { + int x, y, l; + char *cmd; ++ TSRMLS_FETCH(); + + y = 0; + l = strlen(str); +@@ -341,6 +357,18 @@ + #endif + + for (x = 0; x < l; x++) { ++ int mb_len = php_mblen(str + x, (l - x)); ++ ++ /* skip non-valid multibyte characters */ ++ if (mb_len < 0) { ++ continue; ++ } else if (mb_len > 1) { ++ memcpy(cmd + y, str + x, mb_len); ++ y += mb_len; ++ x += mb_len - 1; ++ continue; ++ } ++ + switch (str[x]) { + #ifdef PHP_WIN32 + case '"': --- php5-5.2.4.orig/debian/patches/CVE-2010-0397.patch +++ php5-5.2.4/debian/patches/CVE-2010-0397.patch @@ -0,0 +1,56 @@ +Description: fix denial of service via xmlrpc crafted argument +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=296152 +Origin: upstream, http://svn.php.net/viewvc?view=revision&revision=296153 +Bug: http://bugs.php.net/bug.php?id=51288 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573573 + +diff -Nur php5-5.2.4/ext/xmlrpc/tests/bug51288.phpt php5-5.2.4.new/ext/xmlrpc/tests/bug51288.phpt +--- php5-5.2.4/ext/xmlrpc/tests/bug51288.phpt 1969-12-31 19:00:00.000000000 -0500 ++++ php5-5.2.4.new/ext/xmlrpc/tests/bug51288.phpt 2010-09-15 08:23:02.000000000 -0400 +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #51288 (CVE-2010-0397, NULL pointer deref when no in request) ++--FILE-- ++'; ++var_dump(xmlrpc_decode_request($req, $method)); ++var_dump($method); ++echo "Done\n"; ++?> ++--EXPECT-- ++NULL ++NULL ++Done +diff -Nur php5-5.2.4/ext/xmlrpc/xmlrpc-epi-php.c php5-5.2.4.new/ext/xmlrpc/xmlrpc-epi-php.c +--- php5-5.2.4/ext/xmlrpc/xmlrpc-epi-php.c 2007-01-12 07:32:15.000000000 -0500 ++++ php5-5.2.4.new/ext/xmlrpc/xmlrpc-epi-php.c 2010-09-15 08:25:20.000000000 -0400 +@@ -708,6 +708,7 @@ + zval* retval = NULL; + XMLRPC_REQUEST response; + STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}}; ++ const char *method_name; + opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(Z_STRVAL_P(encoding_in)) : ENCODING_DEFAULT; + + /* generate XMLRPC_REQUEST from raw xml */ +@@ -718,10 +719,16 @@ + + if(XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) { + if(method_name_out) { +- zval_dtor(method_name_out); +- Z_TYPE_P(method_name_out) = IS_STRING; +- Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response)); +- Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); ++ method_name = XMLRPC_RequestGetMethodName(response); ++ if (method_name) { ++ zval_dtor(method_name_out); ++ Z_TYPE_P(method_name_out) = IS_STRING; ++ Z_STRVAL_P(method_name_out) = estrdup(method_name); ++ Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); ++ } else if (retval) { ++ zval_ptr_dtor(&retval); ++ retval = NULL; ++ } + } + } + --- php5-5.2.4.orig/debian/patches/036-fd_setsize_fix.patch +++ php5-5.2.4/debian/patches/036-fd_setsize_fix.patch @@ -0,0 +1,26 @@ +Index: php5-5.2.4/ext/sockets/sockets.c +=================================================================== +--- php5-5.2.4.orig/ext/sockets/sockets.c 2007-07-24 13:35:08.000000000 +0200 ++++ php5-5.2.4/ext/sockets/sockets.c 2007-09-11 00:24:23.000000000 +0200 +@@ -566,6 +566,7 @@ + + php_sock = (php_socket*) zend_fetch_resource(element TSRMLS_CC, -1, le_socket_name, NULL, 1, le_socket); + if (!php_sock) continue; /* If element is not a resource, skip it */ ++ if (php_sock->bsd_socket > FD_SETSIZE) continue; /* must ignore it */ + + PHP_SAFE_FD_SET(php_sock->bsd_socket, fds); + if (php_sock->bsd_socket > *max_fd) { +Index: php5-5.2.4/ext/standard/streamsfuncs.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/streamsfuncs.c 2007-07-09 19:27:24.000000000 +0200 ++++ php5-5.2.4/ext/standard/streamsfuncs.c 2007-09-11 00:24:23.000000000 +0200 +@@ -592,6 +592,9 @@ + * is not displayed. + * */ + if (SUCCESS == php_stream_cast(stream, PHP_STREAM_AS_FD_FOR_SELECT | PHP_STREAM_CAST_INTERNAL, (void*)&this_fd, 1) && this_fd >= 0) { ++ if (this_fd > FD_SETSIZE) ++ continue; ++ + + PHP_SAFE_FD_SET(this_fd, fds); + --- php5-5.2.4.orig/debian/patches/php5-CVE-2011-1471.patch +++ php5-5.2.4/debian/patches/php5-CVE-2011-1471.patch @@ -0,0 +1,39 @@ +Subject: Fixed bug #49072 (feof never returns true for damaged file in zip). +Origin: http://svn.php.net/viewvc?view=revision&revision=307917 +Bug: http://bugs.php.net/bug.php?id=49072 + +CVE-2011-1471 + +Patch differs from upstream commit in that it drops the add NEWS file +entry to reduce patch conflicts and is backported to php 5.2.x. + +Index: ext/zip/zip_stream.c +=================================================================== +--- ext/zip/zip_stream.c (revision 307916) ++++ ext/zip/zip_stream.c (revision 307917) +@@ -30,19 +30,21 @@ + /* {{{ php_zip_ops_read */ + static size_t php_zip_ops_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) + { +- int n = 0; ++ ssize_t n = 0; + STREAM_DATA_FROM_STREAM(); + + if (self->za && self->zf) { +- n = (size_t)zip_fread(self->zf, buf, (int)count); ++ n = zip_fread(self->zf, buf, count); + +- if (n == 0) { ++ /* cast count to signed value to avoid possibly negative n ++ * being cast to unsigned value */ ++ if (n == 0 || n < (ssize_t)count) { + stream->eof = 1; + } else { + self->cursor += n; + } + } +- return n<1 ? 0 : n; ++ return (n < 1 ? 0 : (size_t)n); + } + /* }}} */ + --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2007-5898.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2007-5898.patch @@ -0,0 +1,155 @@ +Index: php5-5.2.4/ext/standard/html.c +=================================================================== +--- php5-5.2.4.orig/ext/standard/html.c 2007-05-27 11:57:11.000000000 -0400 ++++ php5-5.2.4/ext/standard/html.c 2008-07-22 23:22:20.000000000 -0400 +@@ -484,18 +484,29 @@ + } \ + mbseq[mbpos++] = (mbchar); } + ++#define CHECK_LEN(pos, chars_need) \ ++ if((str_len - (pos)) < chars_need) { \ ++ *status = FAILURE; \ ++ return 0; \ ++ } ++ + /* {{{ get_next_char + */ + inline static unsigned short get_next_char(enum entity_charset charset, + unsigned char * str, ++ int str_len, + int * newpos, + unsigned char * mbseq, +- int * mbseqlen) ++ int * mbseqlen, ++ int *status) + { + int pos = *newpos; + int mbpos = 0; + int mbspace = *mbseqlen; + unsigned short this_char = str[pos++]; ++ unsigned char next_char; ++ ++ *status = SUCCESS; + + if (mbspace <= 0) { + *mbseqlen = 0; +@@ -517,6 +528,10 @@ + do { + if (this_char < 0x80) { + more = 0; ++ if(stat) { ++ /* we didn't finish the UTF sequence correctly */ ++ *status = FAILURE; ++ } + break; + } else if (this_char < 0xc0) { + switch (stat) { +@@ -555,6 +570,7 @@ + break; + default: + /* invalid */ ++ *status = FAILURE; + more = 0; + } + } +@@ -562,21 +578,27 @@ + else if (this_char < 0xe0) { + stat = 0x10; /* 2 byte */ + utf = (this_char & 0x1f) << 6; ++ CHECK_LEN(pos, 1); + } else if (this_char < 0xf0) { + stat = 0x20; /* 3 byte */ + utf = (this_char & 0xf) << 12; ++ CHECK_LEN(pos, 2); + } else if (this_char < 0xf8) { + stat = 0x30; /* 4 byte */ + utf = (this_char & 0x7) << 18; ++ CHECK_LEN(pos, 3); + } else if (this_char < 0xfc) { + stat = 0x40; /* 5 byte */ + utf = (this_char & 0x3) << 24; ++ CHECK_LEN(pos, 4); + } else if (this_char < 0xfe) { + stat = 0x50; /* 6 byte */ + utf = (this_char & 0x1) << 30; ++ CHECK_LEN(pos, 5); + } else { + /* invalid; bail */ + more = 0; ++ *status = FAILURE; + break; + } + +@@ -594,7 +616,8 @@ + /* check if this is the first of a 2-byte sequence */ + if (this_char >= 0xa1 && this_char <= 0xfe) { + /* peek at the next char */ +- unsigned char next_char = str[pos]; ++ CHECK_LEN(pos, 1); ++ next_char = str[pos]; + if ((next_char >= 0x40 && next_char <= 0x7e) || + (next_char >= 0xa1 && next_char <= 0xfe)) { + /* yes, this a wide char */ +@@ -614,7 +637,8 @@ + (this_char >= 0xe0 && this_char <= 0xef) + ) { + /* peek at the next char */ +- unsigned char next_char = str[pos]; ++ CHECK_LEN(pos, 1); ++ next_char = str[pos]; + if ((next_char >= 0x40 && next_char <= 0x7e) || + (next_char >= 0x80 && next_char <= 0xfc)) + { +@@ -633,7 +657,8 @@ + /* check if this is the first of a multi-byte sequence */ + if (this_char >= 0xa1 && this_char <= 0xfe) { + /* peek at the next char */ +- unsigned char next_char = str[pos]; ++ CHECK_LEN(pos, 1); ++ next_char = str[pos]; + if (next_char >= 0xa1 && next_char <= 0xfe) { + /* yes, this a jis kanji char */ + this_char <<= 8; +@@ -644,7 +669,8 @@ + + } else if (this_char == 0x8e) { + /* peek at the next char */ +- unsigned char next_char = str[pos]; ++ CHECK_LEN(pos, 1); ++ next_char = str[pos]; + if (next_char >= 0xa1 && next_char <= 0xdf) { + /* JIS X 0201 kana */ + this_char <<= 8; +@@ -655,8 +681,10 @@ + + } else if (this_char == 0x8f) { + /* peek at the next two char */ +- unsigned char next_char = str[pos]; +- unsigned char next2_char = str[pos+1]; ++ unsigned char next2_char; ++ CHECK_LEN(pos, 2); ++ next_char = str[pos]; ++ next2_char = str[pos+1]; + if ((next_char >= 0xa1 && next_char <= 0xfe) && + (next2_char >= 0xa1 && next2_char <= 0xfe)) { + /* JIS X 0212 hojo-kanji */ +@@ -1103,8 +1131,18 @@ + while (i < oldlen) { + unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */ + int mbseqlen = sizeof(mbsequence); +- unsigned short this_char = get_next_char(charset, old, &i, mbsequence, &mbseqlen); ++ int status = SUCCESS; ++ unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); + ++ if(status == FAILURE) { ++ /* invalid MB sequence */ ++ efree(replaced); ++ if(!PG(display_errors)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid multibyte sequence in argument"); ++ } ++ *newlen = 0; ++ return STR_EMPTY_ALLOC(); ++ } + matches_map = 0; + + if (len + 16 > maxlen) --- php5-5.2.4.orig/debian/patches/SECURITY_CVE-2007-4782.patch +++ php5-5.2.4/debian/patches/SECURITY_CVE-2007-4782.patch @@ -0,0 +1,15 @@ +diff -Nur php5-5.2.4/ext/standard/file.c php5-5.2.4.new/ext/standard/file.c +--- php5-5.2.4/ext/standard/file.c 2008-07-16 09:56:05.000000000 -0400 ++++ php5-5.2.4.new/ext/standard/file.c 2008-07-16 09:56:18.000000000 -0400 +@@ -2518,6 +2518,11 @@ + == FAILURE) + return; + ++ if (filename_len >= MAXPATHLEN) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN); ++ RETURN_FALSE; ++ } ++ + RETURN_BOOL( ! fnmatch( pattern, filename, flags )); + } + /* }}} */ --- php5-5.2.4.orig/debian/compat +++ php5-5.2.4/debian/compat @@ -0,0 +1 @@ +4 --- php5-5.2.4.orig/debian/php5-common.dirs +++ php5-5.2.4/debian/php5-common.dirs @@ -0,0 +1,8 @@ +/usr/lib/php5/libexec +/usr/share/lintian/overrides +/usr/share/doc/php5-common/examples +/usr/share/doc/php5-common/PEAR +/usr/share/php5 +/var/lib/php5 +/usr/lib/php5 +/etc/php5/conf.d --- php5-5.2.4.orig/debian/php5-cli.prerm +++ php5-5.2.4/debian/php5-cli.prerm @@ -0,0 +1,11 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" = "remove" -o "$1" = "deconfigure" ]; then + update-alternatives --remove php /usr/bin/php5 +fi + +exit 0 --- php5-5.2.4.orig/debian/maxlifetime +++ php5-5.2.4/debian/maxlifetime @@ -0,0 +1,13 @@ +#!/bin/sh -e + +max=1440 + +for ini in /etc/php5/*/php.ini; do + cur=$(sed -n -e 's/^[[:space:]]*session.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9]\+\).*$/\1/p' $ini 2>/dev/null || true); + [ -z "$cur" ] && cur=0 + [ "$cur" -gt "$max" ] && max=$cur +done + +echo $(($max/60)) + +exit 0 --- php5-5.2.4.orig/debian/php5-sapi.links +++ php5-5.2.4/debian/php5-sapi.links @@ -0,0 +1 @@ +etc/php5/conf.d etc/php5/@sapi@/conf.d --- php5-5.2.4.orig/debian/php5-common.TODO +++ php5-5.2.4/debian/php5-common.TODO @@ -0,0 +1,7 @@ +- Debconf: support removing of extension lines from php.ini on + dpkg-reconfigure, not just adding. Adjust wording of debconf template + to match. +- move default config files out of /usr/share/doc/php5/examples, per + policy +- more modules +- roxen support (oh my) --- php5-5.2.4.orig/debian/php5-sybase.preinst +++ php5-5.2.4/debian/php5-sybase.preinst @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +OLD_CONFFILE=/etc/php5/conf.d/sybase_ct.ini +NEW_CONFFILE=/etc/php5/conf.d/mssql.ini +if [ -e "$OLD_CONFFILE" ] && dpkg --compare-versions "$2" lt-nl 5.2.3-2 +then + sed -e's/\(extension=[[:space:]]*\)sybase_ct\.so/\1mssql.so/' \ + $OLD_CONFFILE > $NEW_CONFFILE +fi + +#DEBHELPER# --- php5-5.2.4.orig/debian/php5-dev.dirs +++ php5-5.2.4/debian/php5-dev.dirs @@ -0,0 +1 @@ +/usr/bin --- php5-5.2.4.orig/debian/copyright.header +++ php5-5.2.4/debian/copyright.header @@ -0,0 +1,20 @@ +This package was debianized by Gergely Madarasz on +Tue, 16 Nov 1999 19:33:42 +0100. + +The last maintainer was Petr Cech , who did a LOT of +work on these packages. + +The current maintainer is Adam Conrad , who gets a +significant chunk of input and help from Steve Langasek +and Andres Salomon . + +It was downloaded from www.php.net/version5/downloads +Changes: removed ext/dbase dir (non-free) + +Upstream Authors: The PHP group for PHP5, Andi Gutmans and Zeev Suraski +for libzend + +Two different licences apply to this package, one for PHP5, the other for +libzend. Both licences are shown here below. + + --- php5-5.2.4.orig/debian/php5-cli.postinst +++ php5-5.2.4/debian/php5-cli.postinst @@ -0,0 +1,37 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +if [ "$1" != "configure" ]; then + exit 0 +fi + +phpini="/etc/php5/cli/php.ini" +# LEGACY SUPPORT +# previous versions of php did not ship $phpini as a conffile nor did +# they use anything like ucf. as a result, we need to help transition +# those files into ucf a little more easily by updating unmodified +# ini files before registering them +# +# if we're upgrading from a pre-ucf version of php: +if dpkg --compare-versions "$2" le-nl "5.1.6-4"; then + # if the SAPI config file already exists and is unmodified + if [ -f "$phpini" ]; then + oldmd5=`md5sum $phpini | cut -d' ' -f1` + if [ "$oldmd5" = "c85605baab79fbcd3c289e442eb3caa2" ]; then + # then silently update it before registering via ucf + cp /usr/share/php5/php.ini-dist.cli $phpini + fi + fi +fi +# END LEGACY SUPPORT + +ucf /usr/share/php5/php.ini-dist.cli $phpini + +update-alternatives \ + --install /usr/bin/php php /usr/bin/php5 50 \ + --slave /usr/share/man/man1/php.1.gz php.1.gz /usr/share/man/man1/php5.1.gz + +exit 0 --- php5-5.2.4.orig/main/php_version.h +++ php5-5.2.4/main/php_version.h @@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 2 #define PHP_RELEASE_VERSION 4 -#define PHP_EXTRA_VERSION "" -#define PHP_VERSION "5.2.4" +#define PHP_EXTRA_VERSION "-2ubuntu1" +#define PHP_VERSION "5.2.4-2ubuntu1" #define PHP_VERSION_ID 50204