diff -u php5-5.3.10/debian/changelog php5-5.3.10/debian/changelog
--- php5-5.3.10/debian/changelog
+++ php5-5.3.10/debian/changelog
@@ -1,3 +1,233 @@
+php5 (5.3.10-1ubuntu3.23) precise-security; urgency=medium
+
+ * SECURITY UPDATE: heap corruption in tar/zip/phar parser
+ - debian/patches/CVE-2016-4342.patch: remove UMR when size is 0 in
+ ext/phar/phar_object.c.
+ - CVE-2016-4342
+ * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
+ - debian/patches/CVE-2016-4343.patch: check lengths in
+ ext/phar/dirstream.c, ext/phar/tar.c.
+ - CVE-2016-4343
+ * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_
+ definition
+ - debian/patches/CVE-2016-4537.patch: properly detect scale in
+ ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt.
+ - CVE-2016-4537
+ - CVE-2016-4538
+ * SECURITY UPDATE: xml_parse_into_struct segmentation fault
+ - debian/patches/CVE-2016-4539.patch: check parser->level in
+ ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt.
+ - CVE-2016-4539
+ * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and
+ zif_grapheme_strpos with negative offset
+ - debian/patches/CVE-2016-4540.patch: check bounds in
+ ext/intl/grapheme/grapheme_string.c, added test to
+ ext/intl/tests/bug72061.phpt.
+ - CVE-2016-4540
+ - CVE-2016-4541
+ * SECURITY UPDATE: out of bounds heap read access in exif header
+ processing
+ - debian/patches/CVE-2016-4542.patch: check sizes and length in
+ ext/exif/exif.c.
+ - CVE-2016-4542
+ - CVE-2016-4543
+ - CVE-2016-4544
+
+ -- Marc Deslauriers Thu, 19 May 2016 12:54:58 -0400
+
+php5 (5.3.10-1ubuntu3.22) precise-security; urgency=medium
+
+ * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
+ - debian/patches/CVE-2014-9767.patch: use proper path in
+ ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
+ - CVE-2014-9767
+ * SECURITY UPDATE: type confusion issue in SoapClient
+ - debian/patches/CVE-2015-8835.patch: check types in
+ ext/soap/php_http.c.
+ - CVE-2015-8835
+ - CVE-2016-3185
+ * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
+ - debian/patches/CVE-2015-8838.patch: fix ssl handling in
+ ext/mysqlnd/mysqlnd.c.
+ - CVE-2015-8838
+ * SECURITY UPDATE: stack overflow when decompressing tar archives
+ - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
+ in ext/phar/tar.c.
+ - CVE-2016-2554
+ * SECURITY UPDATE: use-after-free in WDDX
+ - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
+ added test to ext/wddx/tests/bug71587.phpt.
+ - CVE-2016-3141
+ * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
+ - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
+ - CVE-2016-3142
+ * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
+ threads
+ - debian/patches/bug64938.patch: enable entity loader in
+ ext/libxml/libxml.c.
+ - No CVE number
+ * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
+ secure
+ - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
+ RAND_pseudo_bytes in ext/openssl/openssl.c.
+ - No CVE number
+ * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
+ file
+ - debian/patches/bug71527.patch: properly calculate length in
+ ext/fileinfo/libmagic/funcs.c, added test to
+ ext/fileinfo/tests/bug71527.magic.
+ - CVE number pending
+ * SECURITY UPDATE: integer overflow in php_raw_url_encode
+ - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
+ - CVE number pending
+ * SECURITY UPDATE: invalid memory write in phar on filename containing
+ NULL
+ - debian/patches/bug71860.patch: require valid paths in
+ ext/phar/phar.c, ext/phar/phar_object.c.
+ - CVE number pending
+ * SECURITY UPDATE: invalid negative size in mbfl_strcut
+ - debian/patches/bug71906.patch: fix length checks in
+ ext/mbstring/libmbfl/mbfl/mbfilter.c.
+ - CVE number pending
+
+ -- Marc Deslauriers Tue, 19 Apr 2016 16:55:56 -0400
+
+php5 (5.3.10-1ubuntu3.21) precise-security; urgency=medium
+
+ * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset()
+ - debian/patches/CVE-2015-7803.patch: check link in ext/phar/util.c.
+ - CVE-2015-7803
+ * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
+ - debian/patches/CVE-2015-7804.patch: check filename length in
+ ext/phar/util.c, ext/phar/zip.c.
+ - CVE-2015-7804
+
+ -- Marc Deslauriers Tue, 27 Oct 2015 16:59:36 -0400
+
+php5 (5.3.10-1ubuntu3.20) precise-security; urgency=medium
+
+ * debian/patches/bug65481.patch: backport bugfix to get new
+ var_push_dtor_no_addref function.
+ * SECURITY UPDATE: phar segfault on invalid file
+ - debian/patches/CVE-2015-5589-1.patch: check stream before closing in
+ ext/phar/phar_object.c.
+ - debian/patches/CVE-2015-5589-2.patch: add better checks in
+ ext/phar/phar_object.c.
+ - CVE-2015-5589
+ * SECURITY UPDATE: phar buffer overflow in phar_fix_filepath
+ - debian/patches/CVE-2015-5590.patch: properly handle path in
+ ext/phar/phar.c.
+ - CVE-2015-5590
+ * SECURITY UPDATE: multiple use-after-free issues in unserialize()
+ - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in
+ ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt.
+ - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in
+ ext/spl/spl_observer.c.
+ - CVE-2015-6831
+ * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject
+ items
+ - debian/patches/CVE-2015-6832.patch: fix dangling pointer in
+ ext/spl/spl_array.c.
+ - CVE-2015-6832
+ * SECURITY UPDATE: phar files extracted outside of destination dir
+ - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given
+ directory in ext/phar/phar_object.c.
+ - CVE-2015-6833
+ * SECURITY UPDATE: multiple vulnerabilities in unserialize()
+ - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in
+ ext/standard/var.c, ext/standard/var_unserializer.*.
+ - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in
+ ext/spl/spl_observer.c.
+ - CVE-2015-6834
+ * SECURITY UPDATE: use after free in session deserializer
+ - debian/patches/CVE-2015-6835-1.patch: fix use after free in
+ ext/session/session.c, ext/standard/var_unserializer.*
+ fixed tests in ext/session/tests/session_decode_error2.phpt,
+ ext/session/tests/session_decode_variation3.phpt.
+ - CVE-2015-6835
+ * SECURITY UPDATE: SOAP serialize_function_call() type confusion
+ - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c,
+ added test to ext/soap/tests/bug70388.phpt.
+ - CVE-2015-6836
+ * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class
+ - debian/patches/CVE-2015-6837-6838.patch: fix logic in
+ ext/xsl/xsltprocessor.c.
+ - CVE-2015-6837
+ - CVE-2015-6838
+
+ -- Marc Deslauriers Tue, 29 Sep 2015 12:51:49 -0400
+
+php5 (5.3.10-1ubuntu3.19) precise-security; urgency=medium
+
+ * SECURITY UPDATE: missing file path null byte checks
+ - debian/patches/CVE-2015-3411.patch: add missing checks to
+ ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
+ ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/streamsfuncs.c,
+ ext/xmlwriter/php_xmlwriter.c, ext/zlib/zlib.c, add tests to
+ ext/fileinfo/tests/finfo_file_basic.phpt,
+ ext/hash/tests/hash_hmac_file_error.phpt,
+ backport CHECK_NULL_PATH to Zend/zend_API.h.
+ - CVE-2015-3411
+ - CVE-2015-3412
+ * SECURITY UPDATE: denial of service via crafted tar archive
+ - debian/patches/CVE-2015-4021.patch: handle empty strings in
+ ext/phar/tar.c.
+ - CVE-2015-4021
+ * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
+ a LIST command
+ - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
+ - CVE-2015-4022
+ * SECURITY UPDATE: denial of service via crafted form data
+ - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
+ in main/rfc1867.c.
+ - CVE-2015-4024
+ * SECURITY UPDATE: more missing file path null byte checks
+ - debian/patches/CVE-2015-4025.patch: add missing checks to
+ ext/pcntl/pcntl.c, ext/standard/dir.c.
+ - CVE-2015-4025
+ - CVE-2015-4026
+ * SECURITY UPDATE: arbitrary code execution via crafted serialized data
+ with unexpected data type
+ - debian/patches/CVE-2015-4147.patch: check variable types in
+ ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
+ - CVE-2015-4147
+ - CVE-2015-4148
+ - CVE-2015-4600
+ - CVE-2015-4601
+ * SECURITY UPDATE: more missing file path null byte checks
+ - debian/patches/CVE-2015-4598.patch: add missing checks to
+ ext/dom/document.c, ext/gd/gd.c.
+ - CVE-2015-4598
+ * SECURITY UPDATE: denial of service or information leak via type
+ confusion with crafted serialized data
+ - debian/patches/CVE-2015-4599.patch: use proper types in
+ ext/soap/soap.c.
+ - CVE-2015-4599
+ * SECURITY UPDATE: denial of service or information leak via type
+ confusion with crafted serialized data
+ - debian/patches/CVE-2015-4602.patch: check for proper type in
+ ext/standard/incomplete_class.c.
+ - CVE-2015-4602
+ * SECURITY UPDATE: denial of service or information leak via type
+ confusion with crafted serialized data
+ - debian/patches/CVE-2015-4603.patch: check type in
+ Zend/zend_exceptions.c, add test to
+ ext/standard/tests/serialize/bug69152.phpt.
+ - CVE-2015-4603
+ * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
+ a LIST command
+ - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
+ ext/ftp/ftp.c.
+ - CVE-2015-4643
+ * SECURITY UPDATE: denial of service via php_pgsql_meta_data
+ - debian/patches/CVE-2015-4644.patch: check return value in
+ ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
+ - CVE-2015-4644
+ * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
+ by CVE-2015-2783 security update.
+
+ -- Marc Deslauriers Thu, 02 Jul 2015 07:42:32 -0400
+
 php5 (5.3.10-1ubuntu3.18) precise-security; urgency=medium
 * SECURITY UPDATE: potential remote code execution vulnerability when
diff -u php5-5.3.10/debian/patches/series php5-5.3.10/debian/patches/series
--- php5-5.3.10/debian/patches/series
+++ php5-5.3.10/debian/patches/series
@@ -109,0 +110,46 @@
+CVE-2015-2783-memleak.patch
+CVE-2015-3411.patch
+CVE-2015-4021.patch
+CVE-2015-4022.patch
+CVE-2015-4024.patch
+CVE-2015-4025.patch
+CVE-2015-4147.patch
+CVE-2015-4598.patch
+CVE-2015-4599.patch
+CVE-2015-4602.patch
+CVE-2015-4603.patch
+CVE-2015-4643.patch
+CVE-2015-4644.patch
+bug65481.patch
+CVE-2015-5589-1.patch
+CVE-2015-5589-2.patch
+CVE-2015-5590.patch
+CVE-2015-6831-1.patch
+CVE-2015-6831-2.patch
+CVE-2015-6832.patch
+CVE-2015-6833-1.patch
+CVE-2015-6834-1.patch
+CVE-2015-6834-2.patch
+CVE-2015-6835-1.patch
+CVE-2015-6836.patch
+CVE-2015-6837-6838.patch
+CVE-2015-7803.patch
+CVE-2015-7804.patch
+CVE-2014-9767.patch
+CVE-2015-8835.patch
+CVE-2015-8838.patch
+CVE-2016-2554.patch
+CVE-2016-3141.patch
+CVE-2016-3142.patch
+bug64938.patch
+bug70014.patch
+bug71527.patch
+bug71798.patch
+bug71860.patch
+bug71906.patch
+CVE-2016-4342.patch
+CVE-2016-4343.patch
+CVE-2016-4537.patch
+CVE-2016-4539.patch
+CVE-2016-4540.patch
+CVE-2016-4542.patch
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-7803.patch
+++ php5-5.3.10/debian/patches/CVE-2015-7803.patch
@@ -0,0 +1,23 @@
+Description: fix null pointer dereference in phar_get_fp_offset()
+Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
+Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=f98ab19dc0c978e3caaa2614579e4a61f2c317f5
+Bug: https://bugs.php.net/bug.php?id=69720
+
+Index: php5-5.3.10/ext/phar/util.c
+===================================================================
+--- php5-5.3.10.orig/ext/phar/util.c 2015-10-27 16:56:39.174358303 -0400
++++ php5-5.3.10/ext/phar/util.c 2015-10-27 16:56:39.166358219 -0400
+@@ -719,7 +719,12 @@
+ (*ret)->is_tar = entry->is_tar;
+ (*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
+ if (entry->link) {
+- (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
++ phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
++ if(!link) {
++ efree(*ret);
++ return FAILURE;
++ }
++ (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
+ } else {
+ (*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
+ }
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-6831-1.patch
+++ php5-5.3.10/debian/patches/CVE-2015-6831-1.patch
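Review bot: After `efree(*ret)` on the new `!link` failure path, `*ret` is left pointing at freed memory while the function returns FAILURE; clear the out-pointer as well, `efree(*ret); *ret = NULL; return FAILURE;`, so a caller that looks at `*ret` regardless of the return code cannot touch freed memory. The enclosing function in util.c starts and ends outside the hunk, so I cannot see whether its other failure paths already null `*ret`; follow whichever convention they use. Minor style point: `if(!link) {` lacks the space after `if` that the surrounding code (`if (entry->link) {`) uses.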
@@ -0,0 +1,76 @@ +Backport of: + +From 7381b6accc5559b2de039af3a22f6ec1003b03b3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 1 Aug 2015 21:45:19 -0700 +Subject: [PATCH] Fixed bug #70166 - Use After Free Vulnerability in + unserialize() with SPLArrayObject + +--- + ext/spl/spl_array.c | 3 +++ + ext/spl/tests/bug70166.phpt | 29 +++++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+) + create mode 100644 ext/spl/tests/bug70166.phpt + +Index: php5-5.3.10/ext/spl/spl_array.c +=================================================================== +--- php5-5.3.10.orig/ext/spl/spl_array.c 2015-09-29 12:30:19.221447856 -0400 ++++ php5-5.3.10/ext/spl/spl_array.c 2015-09-29 12:30:19.217447881 -0400 +@@ -1755,6 +1755,7 @@ + goto outexcept; + } + ++ var_push_dtor(var_hash_p, &pflags); + --p; /* for ';' */ + flags = Z_LVAL_P(pflags); + zval_ptr_dtor(&pflags); +@@ -1779,6 +1780,7 @@ + if (!php_var_unserialize(&intern->array, &p, s + buf_len, var_hash_p TSRMLS_CC)) { + goto outexcept; + } ++ var_push_dtor(var_hash_p, &intern->array); + } + if (*p != ';') { + goto outexcept; +@@ -1797,6 +1799,7 @@ + goto outexcept; + } + ++ var_push_dtor(var_hash_p, &pmembers); + /* copy members */ + zend_hash_copy(intern->std.properties, Z_ARRVAL_P(pmembers), (copy_ctor_func_t) zval_add_ref, (void *) NULL, sizeof(zval *)); + zval_ptr_dtor(&pmembers); +Index: php5-5.3.10/ext/spl/tests/bug70166.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/spl/tests/bug70166.phpt 2015-09-29 12:30:19.217447881 -0400 +@@ -0,0 +1,29 @@ ++--TEST-- ++SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject ++--FILE-- ++ ++===DONE=== ++--EXPECTF-- ++array(2) { ++ [0]=> ++ object(ArrayObject)#%d (1) { ++ ["storage":"ArrayObject":private]=> ++ array(0) { ++ } ++ } ++ [1]=> ++ array(0) { ++ } ++} ++===DONE=== only in patch2: unchanged: --- 
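Review bot: The `var_push_dtor(var_hash_p, &intern->array);` added after the `php_var_unserialize(&intern->array, ...)` call registers a zval that the object keeps its own reference to, unlike `pflags` and `pmembers`, which are released with `zval_ptr_dtor` a few lines later; since the changelog says bug65481.patch was backported precisely to provide `var_push_dtor_no_addref`, confirm that the plain `var_push_dtor` is the intended variant at that site and does not leave an extra reference on `intern->array` in this 5.3 tree. The enclosing unserialize handler starts and ends outside the hunks. In the bug70166.phpt section the `--FILE--` body is empty in this rendering although the hunk header counts 29 lines, which looks like the PHP code was lost on extraction; verify that the test as applied actually contains its body.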
php5-5.3.10.orig/debian/patches/CVE-2016-4342.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4342.patch
@@ -0,0 +1,27 @@
+Backport of:
+
+From 13ad4d3e971807f9a58ab5933182907dc2958539 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Wed, 13 Jan 2016 16:32:29 -0800
+Subject: [PATCH] Fix bug #71354 - remove UMR when size is 0
+
+---
+ ext/phar/phar_object.c | 1 +
+ ext/phar/tests/bug71354.phpt | 13 +++++++++++++
+ ext/phar/tests/bug71354.tar | Bin 0 -> 1536 bytes
+ 3 files changed, 14 insertions(+)
+ create mode 100644 ext/phar/tests/bug71354.phpt
+ create mode 100644 ext/phar/tests/bug71354.tar
+
+Index: php5-5.3.10/ext/phar/phar_object.c
+===================================================================
+--- php5-5.3.10.orig/ext/phar/phar_object.c 2016-05-19 12:46:08.276814815 -0400
++++ php5-5.3.10/ext/phar/phar_object.c 2016-05-19 12:47:10.901651008 -0400
+@@ -5165,6 +5165,7 @@
+
+ phar_seek_efp(link, 0, SEEK_SET, 0, 0 TSRMLS_CC);
+ Z_TYPE_P(return_value) = IS_STRING;
++ Z_STRVAL_P(return_value) = NULL;
+ #if PHP_MAJOR_VERSION >= 6
+ Z_STRLEN_P(return_value) = php_stream_copy_to_mem(fp, (void **) &(Z_STRVAL_P(return_value)), link->uncompressed_filesize, 0);
+ #else
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-4147.patch
+++ php5-5.3.10/debian/patches/CVE-2015-4147.patch
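Review bot: Only the `ext/phar/phar_object.c` change is carried: the diffstat in the patch header lists `ext/phar/tests/bug71354.phpt` and the binary `bug71354.tar`, but the backport has a single `Index:` section, so no regression test ships with this fix; if the binary fixture cannot travel in a debdiff, record that in the patch header with a `Comment:` line so the omission is deliberate rather than an oversight. The hunk stops at `#else`, before the PHP 5 branch of the `php_stream_copy_to_mem` call and whatever follows it; with `Z_STRVAL_P(return_value)` now initialized to NULL, confirm that the code after the copy converts a NULL or zero-length result into an allocated empty string, because an `IS_STRING` zval carrying a NULL payload would be dereferenced by later string handling. The enclosing function starts and ends outside the hunk.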
@@ -0,0 +1,330 @@ +Description: fix arbitrary code execution via crafted serialized data + with unexpected data type +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=d5248f67b58ac3107fec82c5b937fc3f4c89784a +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=c8eaca013a3922e8383def6158ece2b63f6ec483 +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=75f40ae1f3a7ca837d230f099627d121f9b3a32f +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=ff70b40dc978f3f4c457f72a71bb43fd17ee360b +Bug: https://bugs.php.net/bug.php?id=69085 +Bug: https://bugs.php.net/bug.php?id=69293 (regression) + +Index: php5-5.3.10/ext/soap/php_encoding.c +=================================================================== +--- php5-5.3.10.orig/ext/soap/php_encoding.c 2015-06-26 13:38:22.646141764 -0400 ++++ php5-5.3.10/ext/soap/php_encoding.c 2015-06-26 13:38:22.642141719 -0400 +@@ -405,12 +405,15 @@ + encodePtr enc = NULL; + HashTable *ht = Z_OBJPROP_P(data); + +- if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { ++ if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || ++ Z_TYPE_PP(ztype) != IS_LONG) { + soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); + } + +- if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { +- if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && ++ Z_TYPE_PP(zstype) == IS_STRING) { ++ if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS && ++ Z_TYPE_PP(zns) == IS_STRING) { + enc = get_encoder(SOAP_GLOBAL(sdl), Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); + } else { + zns = NULL; +@@ -446,8 +449,10 @@ + } + + if (style == SOAP_ENCODED || (SOAP_GLOBAL(sdl) && 
encode != enc)) { +- if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { +- if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && ++ Z_TYPE_PP(zstype) == IS_STRING) { ++ if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS && ++ Z_TYPE_PP(zns) == IS_STRING) { + set_ns_and_type_ex(node, Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); + } else { + set_ns_and_type_ex(node, NULL, Z_STRVAL_PP(zstype)); +@@ -455,10 +460,12 @@ + } + } + +- if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS && ++ Z_TYPE_PP(zname) == IS_STRING) { + xmlNodeSetName(node, BAD_CAST(Z_STRVAL_PP(zname))); + } +- if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS) { ++ if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS && ++ Z_TYPE_PP(znamens) == IS_STRING) { + xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens)); + xmlSetNs(node, nsp); + } +@@ -3671,18 +3678,21 @@ + Z_OBJCE_PP(tmp) == soap_var_class_entry) { + zval **ztype; + +- if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { ++ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || ++ Z_TYPE_PP(ztype) != IS_LONG) { + soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); + } + cur_type = Z_LVAL_PP(ztype); + +- if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS && ++ Z_TYPE_PP(ztype) == IS_STRING) { + cur_stype = Z_STRVAL_PP(ztype); + } else { + cur_stype = NULL; + } + +- if (zend_hash_find(Z_OBJPROP_PP(tmp), 
"enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS && ++ Z_TYPE_PP(ztype) == IS_STRING) { + cur_ns = Z_STRVAL_PP(ztype); + } else { + cur_ns = NULL; +Index: php5-5.3.10/ext/soap/php_http.c +=================================================================== +--- php5-5.3.10.orig/ext/soap/php_http.c 2015-06-26 13:38:22.646141764 -0400 ++++ php5-5.3.10/ext/soap/php_http.c 2015-06-26 13:38:22.642141719 -0400 +@@ -36,14 +36,16 @@ + { + zval **login, **password; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS && ++ Z_TYPE_PP(login) == IS_STRING) { + unsigned char* buf; + int len; + smart_str auth = {0}; + + smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); + smart_str_appendc(&auth, ':'); +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS && ++ Z_TYPE_PP(password) == IS_STRING) { + smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); + } + smart_str_0(&auth); +@@ -62,14 +64,16 @@ + zval **login, **password; + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_login", sizeof("_login"), (void **)&login) == SUCCESS && +- !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { ++ Z_TYPE_PP(login) == IS_STRING && ++ !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { + unsigned char* buf; + int len; + smart_str auth = {0}; + + smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); + smart_str_appendc(&auth, ':'); +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == 
SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS && ++ Z_TYPE_PP(password) == IS_STRING) { + smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); + } + smart_str_0(&auth); +@@ -667,7 +671,8 @@ + } + + /* Send cookies along with request */ +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && ++ Z_TYPE_PP(cookies) == IS_ARRAY) { + zval **data; + char *key; + int i, n; +@@ -768,7 +773,7 @@ + smart_str_append_const(&soap_headers, "\r\n"); + smart_str_0(&soap_headers); + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- Z_LVAL_PP(trace) > 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_request_headers", soap_headers.c, soap_headers.len, 1); + } + smart_str_appendl(&soap_headers, request, request_size); +@@ -813,7 +818,7 @@ + } + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- Z_LVAL_PP(trace) > 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_response_headers", http_headers, http_header_size, 1); + } + +@@ -862,7 +867,8 @@ + char *eqpos, *sempos; + zval **cookies; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || ++ Z_TYPE_PP(cookies) != IS_ARRAY) { + zval *tmp_cookies; + MAKE_STD_ZVAL(tmp_cookies); + array_init(tmp_cookies); +Index: php5-5.3.10/ext/soap/soap.c +=================================================================== +--- 
php5-5.3.10.orig/ext/soap/soap.c 2015-06-26 13:38:22.646141764 -0400 ++++ php5-5.3.10/ext/soap/soap.c 2015-06-26 13:40:41.067732055 -0400 +@@ -2727,7 +2727,7 @@ + } + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- Z_LVAL_PP(trace) > 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); + } + +@@ -2767,7 +2767,7 @@ + } + ret = FALSE; + } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && +- Z_LVAL_PP(trace) > 0) { ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); + } + xmlFree(buf); +@@ -2806,13 +2806,13 @@ + + SOAP_CLIENT_BEGIN_CODE(); + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS +- && Z_LVAL_PP(trace) > 0) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && ++ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); + zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); + } +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS +- && Z_LVAL_PP(tmp) == SOAP_1_2) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_LONG && Z_LVAL_PP(tmp) == SOAP_1_2) { + soap_version = SOAP_1_2; + } else { + soap_version = SOAP_1_1; +@@ -2908,7 +2908,7 @@ + zval **uri; + smart_str action = {0}; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE) { ++ if 
(zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE || Z_TYPE_PP(uri) != IS_STRING) { + add_soap_fault(this_ptr, "Client", "Error finding \"uri\" property", NULL, NULL TSRMLS_CC); + } else if (location == NULL) { + add_soap_fault(this_ptr, "Client", "Error could not find \"location\" property", NULL, NULL TSRMLS_CC); +@@ -3057,7 +3057,8 @@ + } + + /* Add default headers */ +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS && ++ Z_TYPE_PP(tmp) == IS_ARRAY) { + HashTable *default_headers = Z_ARRVAL_P(*tmp); + if (soap_headers) { + if (!free_soap_headers) { +@@ -3178,7 +3179,8 @@ + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3196,7 +3198,8 @@ + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3214,7 +3217,8 @@ + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3232,7 
+3236,8 @@ + return; + } + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + } + RETURN_NULL(); +@@ -3288,13 +3293,15 @@ + } + + if (val == NULL) { +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && ++ Z_TYPE_PP(cookies) == IS_ARRAY) { + zend_hash_del(Z_ARRVAL_PP(cookies), name, name_len+1); + } + } else { + zval *zcookie; + +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || ++ Z_TYPE_PP(cookies) != IS_ARRAY) { + zval *tmp_cookies; + + MAKE_STD_ZVAL(tmp_cookies); +@@ -4125,7 +4132,8 @@ + } + + if (version == SOAP_1_1) { +- if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { ++ if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + int new_len; + xmlNodePtr node = xmlNewNode(NULL, BAD_CAST("faultcode")); + char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); +@@ -4150,7 +4158,8 @@ + } + detail_name = "detail"; + } else { +- if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { ++ if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && ++ Z_TYPE_PP(tmp) == IS_STRING) { + int new_len; + xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Code"), NULL); + char *str = 
php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); +@@ -4382,7 +4391,8 @@ + } + } + } else { +- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS) { ++ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS && ++ Z_TYPE_PP(zstyle) == IS_LONG) { + style = Z_LVAL_PP(zstyle); + } else { + style = SOAP_RPC; +@@ -4405,7 +4415,7 @@ + } + + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "use", sizeof("use"), (void **)&zuse) == SUCCESS && +- Z_LVAL_PP(zuse) == SOAP_LITERAL) { ++ Z_TYPE_PP(zuse) == IS_LONG && Z_LVAL_PP(zuse) == SOAP_LITERAL) { + use = SOAP_LITERAL; + } else { + use = SOAP_ENCODED; +@@ -4566,6 +4576,7 @@ + zval **param_data; + + if (zend_hash_find(Z_OBJPROP_P(param_val), "param_name", sizeof("param_name"), (void **)¶m_name) == SUCCESS && ++ Z_TYPE_PP(param_name) == IS_STRING && + zend_hash_find(Z_OBJPROP_P(param_val), "param_data", sizeof("param_data"), (void **)¶m_data) == SUCCESS) { + param_val = *param_data; + name = Z_STRVAL_PP(param_name); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/bug71860.patch +++ php5-5.3.10/debian/patches/bug71860.patch 
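Review bot: The same idiom `zend_hash_find(...) == SUCCESS && Z_TYPE_PP(x) == IS_<type>` is now hand-written at roughly thirty sites across `php_encoding.c`, `php_http.c` and `soap.c`, and the final `soap.c` hunk shows how easy a site is to miss — `param_name` gains an `IS_STRING` guard while `param_data` is taken untyped (defensible there, since it is only forwarded as a zval, but it should be a conscious decision). A small `static inline` helper in the SOAP headers that looks up a property and succeeds only when it has the expected type, along the lines of `static inline int soap_find_typed_prop(HashTable *ht, const char *key, uint key_len, int type, zval ***out)`, would make the pattern mechanical and auditable. The `trace` checks accept both `IS_BOOL` and `IS_LONG` and then read `Z_LVAL_PP(trace)`, which relies on PHP 5 booleans sharing the `lval` slot; a one-line comment at the first such site would spare the next reader the lookup. `(void **)¶m_name` in the last hunk reads like an extraction artifact for `&param_name`, so it is worth confirming the patch file itself applies cleanly. Every function touched here starts and ends outside its hunk.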
@@ -0,0 +1,258 @@ +Backport of: + +From 72281f29dd4691b2f741362d3581162fcf85f502 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 20 Mar 2016 20:54:09 -0700 +Subject: [PATCH] Fix bug #71860: Require valid paths for phar filenames + +--- + ext/phar/phar.c | 4 +++ + ext/phar/phar_object.c | 40 ++++++++++++++-------------- + ext/phar/tests/badparameters.phpt | 18 ++++++------- + ext/phar/tests/bug64931/bug64931.phpt | 5 ++-- + ext/phar/tests/create_path_error.phpt | 3 +-- + ext/phar/tests/phar_extract.phpt | 2 +- + ext/phar/tests/phar_isvalidpharfilename.phpt | 2 +- + ext/phar/tests/phar_unlinkarchive.phpt | 2 +- + ext/phar/tests/pharfileinfo_construct.phpt | 2 +- + 9 files changed, 41 insertions(+), 37 deletions(-) + +Index: php5-5.3.10/ext/phar/phar.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar.c 2016-04-19 22:41:12.489499162 -0400 ++++ php5-5.3.10/ext/phar/phar.c 2016-04-19 22:41:12.481499073 -0400 +@@ -2264,6 +2264,10 @@ + #endif + int ext_len, free_filename = 0; + ++ if (CHECK_NULL_PATH(filename, filename_len)) { ++ return FAILURE; ++ } ++ + if (!strncasecmp(filename, "phar://", 7)) { + filename += 7; + filename_len -= 7; +Index: php5-5.3.10/ext/phar/phar_object.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar_object.c 2016-04-19 22:41:12.489499162 -0400 ++++ php5-5.3.10/ext/phar/phar_object.c 2016-04-19 22:41:12.485499118 -0400 +@@ -574,6 +574,14 @@ + return; + } + ++ if (path_len && (strlen(path) != path_len)) { ++ return; ++ } ++ ++ if (actual_len && (strlen(actual) != actual_len)) { ++ return; ++ } ++ + fname = zend_get_executed_filename(TSRMLS_C); + fname_len = strlen(fname); + +@@ -1095,6 +1103,14 @@ + return; + } + ++ if (index_len && (strlen(index) != index_len)) { ++ return; ++ } ++ ++ if (webindex_len && (strlen(webindex) != webindex_len)) { ++ return; ++ } ++ + stub = phar_create_default_stub(index, webindex, &stub_len, 
&error TSRMLS_CC); + + if (error) { +@@ -1139,6 +1155,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + phar_request_initialize(TSRMLS_C); + + RETVAL_BOOL(phar_open_from_filename(fname, fname_len, alias, alias_len, REPORT_ERRORS, NULL, &error TSRMLS_CC) == SUCCESS); +@@ -1218,6 +1238,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + is_executable = executable; + RETVAL_BOOL(phar_detect_phar_fname_ext(fname, fname_len, &ext_str, &ext_len, is_executable, 2, 1 TSRMLS_CC) == SUCCESS); + } +@@ -1298,6 +1322,10 @@ + } + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + if (phar_obj->arc.archive) { + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Cannot call constructor twice"); + return; +@@ -1465,6 +1493,10 @@ + RETURN_FALSE; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ RETURN_FALSE; ++ } ++ + if (!fname_len) { + zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "Unknown phar archive \"\""); + return; +@@ -1946,6 +1978,10 @@ + RETURN_FALSE; + } + ++ if (dir_len && (strlen(dir) != dir_len)) { ++ RETURN_FALSE; ++ } ++ + MAKE_STD_ZVAL(iter); + + if (SUCCESS != object_init_ex(iter, spl_ce_RecursiveDirectoryIterator)) { +@@ -2816,6 +2852,10 @@ + RETURN_FALSE; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ RETURN_FALSE; ++ } ++ + if (phar_obj->arc.archive->is_persistent && FAILURE == phar_copy_on_write(&(phar_obj->arc.archive) TSRMLS_CC)) { + zend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, "phar \"%s\" is persistent, unable to copy on write", phar_obj->arc.archive->fname); + return; +@@ -3628,6 +3668,14 @@ + return; + } + ++ if (oldfile_len && (strlen(oldfile) != oldfile_len)) { ++ return; ++ } ++ ++ if (newfile_len && (strlen(newfile) != newfile_len)) { ++ return; ++ } ++ + if (PHAR_G(readonly) && !phar_obj->arc.archive->is_data) { + 
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, + "Cannot copy \"%s\" to \"%s\", phar is read-only", oldfile, newfile); +@@ -3738,6 +3786,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + if (zend_hash_exists(&phar_obj->arc.archive->manifest, fname, (uint) fname_len)) { + if (SUCCESS == zend_hash_find(&phar_obj->arc.archive->manifest, fname, (uint) fname_len, (void**)&entry)) { + if (entry->is_deleted) { +@@ -3775,6 +3827,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + /* security is 0 here so that we can get a better error message than "entry doesn't exist" */ + if (!(entry = phar_get_entry_info_dir(phar_obj->arc.archive, fname, fname_len, 1, &error, 0 TSRMLS_CC))) { + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Entry %s does not exist%s%s", fname, error?", ":"", error?error:""); +@@ -3924,6 +3980,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + if (fname_len == sizeof(".phar/stub.php")-1 && !memcmp(fname, ".phar/stub.php", sizeof(".phar/stub.php")-1)) { + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Cannot set stub \".phar/stub.php\" directly in phar \"%s\", use setStub", phar_obj->arc.archive->fname); + return; +@@ -3962,6 +4022,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + if (zend_hash_exists(&phar_obj->arc.archive->manifest, fname, (uint) fname_len)) { + if (SUCCESS == zend_hash_find(&phar_obj->arc.archive->manifest, fname, (uint) fname_len, (void**)&entry)) { + if (entry->is_deleted) { +@@ -4009,6 +4073,10 @@ + return; + } + ++ if (dirname_len && (strlen(dirname) != dirname_len)) { ++ return; ++ } ++ + if (dirname_len >= sizeof(".phar")-1 && !memcmp(dirname, ".phar", sizeof(".phar")-1)) { + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Cannot create a directory in magic \".phar\" 
directory"); + return; +@@ -4034,6 +4102,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + #if PHP_API_VERSION < 20100412 + if (PG(safe_mode) && (!php_checkuid(fname, NULL, CHECKUID_ALLOW_ONLY_FILE))) { + zend_throw_exception_ex(spl_ce_RuntimeException, 0 TSRMLS_CC, "phar error: unable to open file \"%s\" to add to phar archive, safe_mode restrictions prevent this", fname); +@@ -4078,6 +4150,10 @@ + return; + } + ++ if (localname_len && (strlen(localname) != localname_len)) { ++ return; ++ } ++ + phar_add_file(&(phar_obj->arc.archive), localname, localname_len, cont_str, cont_len, NULL TSRMLS_CC); + } + /* }}} */ +@@ -4504,6 +4580,10 @@ + return; + } + ++ if (pathto_len && (strlen(pathto) != pathto_len)) { ++ return; ++ } ++ + fp = php_stream_open_wrapper(phar_obj->arc.archive->fname, "rb", IGNORE_URL|STREAM_MUST_SEEK, &actual); + + if (!fp) { +@@ -4653,6 +4733,10 @@ + return; + } + ++ if (fname_len && (strlen(fname) != fname_len)) { ++ return; ++ } ++ + entry_obj = (phar_entry_object*)zend_object_store_get_object(getThis() TSRMLS_CC); + + if (entry_obj->ent.entry) { +Index: php5-5.3.10/ext/phar/tests/create_path_error.phpt +=================================================================== +--- php5-5.3.10.orig/ext/phar/tests/create_path_error.phpt 2016-04-18 14:43:02.000000000 -0400 ++++ php5-5.3.10/ext/phar/tests/create_path_error.phpt 2016-04-19 22:42:18.854234752 -0400 +@@ -58,5 +58,4 @@ + Error: file_put_contents(phar://%s/.): failed to open stream: phar error: file "" in phar "%s" cannot be empty + Error: file_put_contents(phar://%s/../): failed to open stream: phar error: file "" in phar "%s" cannot be empty + Error: file_put_contents(phar://%s/a/..): failed to open stream: phar error: file "" in phar "%s" cannot be empty +-Exception: Entry a does not exist and cannot be created: phar error: invalid path "a" contains illegal character + ===DONE=== only in patch2: unchanged: --- 
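Review bot: The `if (fname_len && (strlen(fname) != fname_len)) { return; }` guards added throughout the phar_object.c hunks fail silently, so a filename with an embedded NUL makes the method return NULL with neither an exception nor a warning, while every neighbouring error path in the context lines throws (`spl_ce_BadMethodCallException`, `spl_ce_UnexpectedValueException`); the `@@ -1465`, `@@ -1946` and `@@ -2816` hunks use `RETURN_FALSE` instead, so even the failure value differs between methods. Raising where the method already raises, e.g. `zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Filename contains a null byte");`, would keep the API consistent and give the caller a diagnostic. The phar.c hunk uses `CHECK_NULL_PATH(filename, filename_len)` for the same test; using that macro in phar_object.c too would make the intent explicit. Each enclosing method begins outside its hunk.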
php5-5.3.10.orig/debian/patches/CVE-2015-6831-2.patch +++ php5-5.3.10/debian/patches/CVE-2015-6831-2.patch @@ -0,0 +1,32 @@ +From c2e197e4efc663ca55f393bf0e799848842286f3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 1 Aug 2015 21:12:38 -0700 +Subject: [PATCH] Fix bug #70168 - Use After Free Vulnerability in + unserialize() with SplObjectStorage + +--- + ext/spl/spl_observer.c | 68 +++++++++++++++++++++++---------------------- + ext/spl/tests/bug70168.phpt | 19 +++++++++++++ + 2 files changed, 54 insertions(+), 33 deletions(-) + create mode 100644 ext/spl/tests/bug70168.phpt + +Index: php5-5.3.10/ext/spl/spl_observer.c +=================================================================== +--- php5-5.3.10.orig/ext/spl/spl_observer.c 2015-09-29 12:30:29.525383812 -0400 ++++ php5-5.3.10/ext/spl/spl_observer.c 2015-09-29 12:31:27.517028534 -0400 +@@ -743,6 +743,7 @@ + goto outexcept; + } + ++ var_push_dtor(&var_hash, &pcount); + --p; /* for ';' */ + count = Z_LVAL_P(pcount); + zval_ptr_dtor(&pcount); +@@ -806,6 +807,7 @@ + goto outexcept; + } + ++ var_push_dtor(&var_hash, &pmembers); + /* copy members */ + zend_hash_copy(intern->std.properties, Z_ARRVAL_P(pmembers), (copy_ctor_func_t) zval_add_ref, (void *) NULL, sizeof(zval *)); + zval_ptr_dtor(&pmembers); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-6832.patch +++ php5-5.3.10/debian/patches/CVE-2015-6832.patch 
@@ -0,0 +1,49 @@ +Backport of: + +From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 26 Jul 2015 17:25:25 -0700 +Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of + ArrayObject items) + +--- + ext/spl/spl_array.c | 90 +++++++++++++++++++++++---------------------- + ext/spl/tests/bug70068.phpt | 9 +++++ + 2 files changed, 56 insertions(+), 43 deletions(-) + create mode 100644 ext/spl/tests/bug70068.phpt + +Index: php5-5.3.10/ext/spl/spl_array.c +=================================================================== +--- php5-5.3.10.orig/ext/spl/spl_array.c 2015-09-29 18:21:20.612164371 -0400 ++++ php5-5.3.10/ext/spl/spl_array.c 2015-09-29 18:21:43.812004104 -0400 +@@ -1751,14 +1751,12 @@ + + ALLOC_INIT_ZVAL(pflags); + if (!php_var_unserialize(&pflags, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) { +- zval_ptr_dtor(&pflags); + goto outexcept; + } + + var_push_dtor(var_hash_p, &pflags); + --p; /* for ';' */ + flags = Z_LVAL_P(pflags); +- zval_ptr_dtor(&pflags); + /* flags needs to be verified and we also need to verify whether the next + * thing we get is ';'. After that we require an 'm' or somethign else + * where 'm' stands for members and anything else should be an array. If +@@ -1805,9 +1803,15 @@ + zval_ptr_dtor(&pmembers); + + /* done reading $serialized */ ++ if (pflags) { ++ zval_ptr_dtor(&pflags); ++ } + return; + + outexcept: ++ if (pflags) { ++ zval_ptr_dtor(&pflags); ++ } + zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - (char *)buf), buf_len); + return; + only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2014-9767.patch +++ php5-5.3.10/debian/patches/CVE-2014-9767.patch 
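Review bot: The `if (pflags) { zval_ptr_dtor(&pflags); }` blocks added at the normal return and at `outexcept` are only meaningful if `pflags` starts out NULL, yet its declaration is outside the hunk and this is a backport whose diffstat (56 insertions in spl_array.c) covers far more than the four lines changed here. If any `goto outexcept` precedes `ALLOC_INIT_ZVAL(pflags)` (the function start is not visible), an uninitialized `pflags` would be tested and destroyed there. Please confirm the declaration reads `zval *pmembers, *pflags = NULL;` and add the initializer to this patch if it does not.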
@@ -0,0 +1,66 @@ +From f9c2bf73adb2ede0a486b0db466c264f2b27e0bb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 30 Aug 2015 00:38:08 -0700 +Subject: [PATCH] Fixed bug #70350: ZipArchive::extractTo allows for directory + traversal when creating directories + +--- + ext/zip/php_zip.c | 78 ++++++++++++++++++++++----------------------- + ext/zip/tests/bug70350.phpt | 33 +++++++++++++++++++ + 2 files changed, 72 insertions(+), 39 deletions(-) + create mode 100644 ext/zip/tests/bug70350.phpt + +Note: +Also includes http://git.php.net/?p=php-src.git;a=commit;h=906f19f1365488f90f7473e833a7a13f2c1387ac + +Index: php5-5.3.10/ext/zip/php_zip.c +=================================================================== +--- php5-5.3.10.orig/ext/zip/php_zip.c 2016-04-18 09:45:17.387392277 -0400 ++++ php5-5.3.10/ext/zip/php_zip.c 2016-04-18 09:45:17.379396242 -0400 +@@ -173,7 +173,7 @@ + + /* it is a directory only, see #40228 */ + if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) { +- len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file); ++ len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned); + is_dir_only = 1; + } else { + memcpy(file_dirname, path_cleaned, path_cleaned_len); +Index: php5-5.3.10/ext/zip/tests/bug70350.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/zip/tests/bug70350.phpt 2016-04-18 09:45:17.383394259 -0400 +@@ -0,0 +1,33 @@ ++--TEST-- ++Bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories) ++--SKIPIF-- ++ ++--FILE-- ++open("$dir/a.zip",ZipArchive::CREATE); ++$archive->addEmptyDir("../down2/"); ++$archive->close(); ++ ++$archive2 = new ZipArchive(); ++$archive2->open("$dir/a.zip"); ++$archive2->extractTo($dir); ++$archive2->close(); ++var_dump(file_exists("$dir/down2/")); ++var_dump(file_exists("../down2/")); ++?> ++--CLEAN-- ++ ++--EXPECT-- ++bool(true) 
++bool(false) only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-6837-6838.patch +++ php5-5.3.10/debian/patches/CVE-2015-6837-6838.patch @@ -0,0 +1,49 @@ +From 1744be2d17befc69bf00033993f4081852a747d6 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 16 Aug 2015 17:16:15 -0700 +Subject: [PATCH] Fix for bug #69782 + +--- + ext/xsl/xsltprocessor.c | 142 +++++++++++++++++++++++++----------------------- + 1 file changed, 73 insertions(+), 69 deletions(-) + +Index: php5-5.3.10/ext/xsl/xsltprocessor.c +=================================================================== +--- php5-5.3.10.orig/ext/xsl/xsltprocessor.c 2015-09-29 12:47:40.096026511 -0400 ++++ php5-5.3.10/ext/xsl/xsltprocessor.c 2015-09-29 12:48:24.011830722 -0400 +@@ -210,15 +210,17 @@ + } + } + } +- ++ + if (error == 1) { + for (i = nargs - 1; i >= 0; i--) { + obj = valuePop(ctxt); +- xmlXPathFreeObject(obj); ++ if (obj) { ++ xmlXPathFreeObject(obj); ++ } + } + return; + } +- ++ + fci.param_count = nargs - 1; + if (fci.param_count > 0) { + fci.params = safe_emalloc(fci.param_count, sizeof(zval**), 0); +@@ -290,9 +292,11 @@ + fci.function_table = EG(function_table); + + obj = valuePop(ctxt); +- if (obj->stringval == NULL) { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string"); +- xmlXPathFreeObject(obj); ++ if (obj == NULL || obj->stringval == NULL) { ++ if (obj) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string"); ++ xmlXPathFreeObject(obj); ++ } + if (fci.param_count > 0) { + for (i = 0; i < nargs - 1; i++) { + zval_ptr_dtor(&args[i]); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/bug71798.patch +++ php5-5.3.10/debian/patches/bug71798.patch 
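Review bot: The patch header says it also includes commit 906f19f1365488f90f7473e833a7a13f2c1387ac and the upstream diffstat lists 72 insertions in php_zip.c, but the only visible php_zip.c change is the one-line `dest, file` to `dest, path_cleaned` substitution in the directory-only branch. Please confirm that the second commit's change survived the backport, or drop the reference from the header so the next maintainer does not assume it is present. The enclosing function continues outside the hunk.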
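Review bot: In the `@@ -290` hunk the new `obj == NULL` branch is silent: the warning sits inside `if (obj)`, so when `valuePop(ctxt)` yields NULL the handler call fails with no diagnostic, whereas the non-string case still warns. Move the warning out of the inner guard and keep only the free guarded, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string"); if (obj) { xmlXPathFreeObject(obj); }`. The enclosing function continues outside the hunk.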
@@ -0,0 +1,23 @@
+From 95433e8e339dbb6b5d5541473c1661db6ba2c451 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 27 Mar 2016 14:22:19 -0700
+Subject: [PATCH] Fix bug #71798 - Integer Overflow in php_raw_url_encode
+
+---
+ ext/standard/url.c | 2 +-
+ main/php_version.h | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+Index: php5-5.3.10/ext/standard/url.c
+===================================================================
+--- php5-5.3.10.orig/ext/standard/url.c 2016-04-18 11:14:46.576350346 -0400
++++ php5-5.3.10/ext/standard/url.c 2016-04-18 11:14:46.572350306 -0400
+@@ -596,7 +596,7 @@
+ */
+ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
+ {
+- register int x, y;
++ register size_t x, y;
+ unsigned char *str;
+
+ str = (unsigned char *) safe_emalloc(3, len, 1);
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-6836.patch
+++ php5-5.3.10/debian/patches/CVE-2015-6836.patch
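Review bot: Widening `x` and `y` to `size_t` removes the signed overflow in the index arithmetic, but `len` stays `int` and, if I recall this function correctly, the output length is written back through `int *new_length` after the loop (outside the hunk), so for a `len` where `3*len` exceeds `INT_MAX` the overflow moves to that narrowing store rather than disappearing. Consider bounding the input before allocating, e.g. `if (len < 0 || (size_t)len > INT_MAX / 3) { return NULL; }`, if the callers can cope with a NULL result, or document the limit in the function's header comment. `register` is a no-op on current compilers and can go while the line is being touched.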
@@ -0,0 +1,82 @@ +From e201f01ac17243a1e5fb6a3911ed8e21b1619ac1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 31 Aug 2015 21:06:03 -0700 +Subject: [PATCH] Fix bug #70388 - SOAP serialize_function_call() type + confusion + +--- + ext/soap/soap.c | 96 ++++++++++++++++++++++++-------------------- + ext/soap/tests/bug70388.phpt | 17 ++++++++ + 2 files changed, 69 insertions(+), 44 deletions(-) + create mode 100644 ext/soap/tests/bug70388.phpt + +Index: php5-5.3.10/ext/soap/soap.c +=================================================================== +--- php5-5.3.10.orig/ext/soap/soap.c 2015-09-29 12:47:27.916081140 -0400 ++++ php5-5.3.10/ext/soap/soap.c 2015-09-29 12:47:27.916081140 -0400 +@@ -3076,8 +3076,10 @@ + } + zend_hash_internal_pointer_reset(default_headers); + while (zend_hash_get_current_data(default_headers, (void**)&tmp) == SUCCESS) { +- Z_ADDREF_PP(tmp); +- zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); ++ if(Z_TYPE_PP(tmp) == IS_OBJECT) { ++ Z_ADDREF_PP(tmp); ++ zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); ++ } + zend_hash_move_forward(default_headers); + } + } else { +@@ -4473,11 +4475,18 @@ + if (head) { + zval** header; + +- zend_hash_internal_pointer_reset(soap_headers); +- while (zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS) { +- HashTable *ht = Z_OBJPROP_PP(header); ++ for(zend_hash_internal_pointer_reset(soap_headers); ++ zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS; ++ zend_hash_move_forward(soap_headers) ++ ) { ++ HashTable *ht; + zval **name, **ns, **tmp; + ++ if (Z_TYPE_PP(header) != IS_OBJECT) { ++ continue; ++ } ++ ++ ht = Z_OBJPROP_PP(header); + if (zend_hash_find(ht, "name", sizeof("name"), (void**)&name) == SUCCESS && + Z_TYPE_PP(name) == IS_STRING && + zend_hash_find(ht, "namespace", sizeof("namespace"), (void**)&ns) == SUCCESS && +@@ -4547,7 +4556,6 @@ + } + } + } +- zend_hash_move_forward(soap_headers); + } + } + +Index: 
php5-5.3.10/ext/soap/tests/bug70388.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/soap/tests/bug70388.phpt 2015-09-29 12:47:27.916081140 -0400 +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #70388 (SOAP serialize_function_call() type confusion / RCE) ++--SKIPIF-- ++ ++--FILE-- ++notexisting()); ++} catch(Exception $e) { ++ var_dump($e->getMessage()); ++ var_dump(get_class($e)); ++} ++?> ++--EXPECTF-- ++string(%d) "%s" ++string(9) "SoapFault" +\ No newline at end of file only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-5590.patch +++ php5-5.3.10/debian/patches/CVE-2015-5590.patch 
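Review bot: `if(Z_TYPE_PP(tmp) == IS_OBJECT)` in the `@@ -3076` hunk omits the space after `if` that the surrounding code uses, and the non-object default header it rejects is dropped without any diagnostic; the `@@ -4473` hunk does the same with `continue`. A non-object in a header list is a caller bug, so a warning on the rejected entry would help, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Header must be an object");` on the skip path (message constructed here; pick the wording the extension already uses). The enclosing functions start and end outside the hunks.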
@@ -0,0 +1,64 @@ +From 6dedeb40db13971af45276f80b5375030aa7e76f Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 4 Jul 2015 23:47:48 -0700 +Subject: [PATCH] Fix bug #69923 - Buffer overflow and stack smashing error in + phar_fix_filepath + +--- + ext/phar/phar.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +Index: php5-5.3.10/ext/phar/phar.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar.c 2015-09-29 12:30:09.729507105 -0400 ++++ php5-5.3.10/ext/phar/phar.c 2015-09-29 12:30:09.729507105 -0400 +@@ -2144,7 +2144,7 @@ + */ + char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */ + { +- char newpath[MAXPATHLEN]; ++ char *newpath; + int newpath_len; + char *ptr; + char *tok; +@@ -2152,8 +2152,10 @@ + + if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') { + newpath_len = PHAR_G(cwd_len); ++ newpath = emalloc(strlen(path) + newpath_len + 1); + memcpy(newpath, PHAR_G(cwd), newpath_len); + } else { ++ newpath = emalloc(strlen(path) + 2); + newpath[0] = '/'; + newpath_len = 1; + } +@@ -2176,6 +2178,7 @@ + if (*tok == '.') { + efree(path); + *new_len = 1; ++ efree(newpath); + return estrndup("/", 1); + } + break; +@@ -2183,9 +2186,11 @@ + if (tok[0] == '.' && tok[1] == '.') { + efree(path); + *new_len = 1; ++ efree(newpath); + return estrndup("/", 1); + } + } ++ efree(newpath); + return path; + } + +@@ -2234,7 +2239,8 @@ + + efree(path); + *new_len = newpath_len; +- return estrndup(newpath, newpath_len); ++ newpath[newpath_len] = '\0'; ++ return erealloc(newpath, newpath_len + 1); + } + /* }}} */ + only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4603.patch +++ php5-5.3.10/debian/patches/CVE-2015-4603.patch 
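Review bot: The two new `emalloc` sizes, `strlen(path) + newpath_len + 1` and `strlen(path) + 2`, encode an invariant that nothing in the hunk states: the rewritten path can be at most the cwd prefix plus `/` plus the original path plus the terminator, which holds only if the tokenizing loop (mostly outside the hunk) copies or drops tokens and never expands them. A one-line comment at the first allocation, such as `/* worst case: cwd + "/" + path + NUL; the loop below only copies or drops tokens */`, would keep a later change from growing the output past the buffer. The function also already has `path_length` in scope for the same string; using it instead of recomputing `strlen(path)` twice would avoid the two diverging if `path` ever carries an embedded NUL.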
@@ -0,0 +1,46 @@ +From a894a8155fab068d68a04bf181dbaddfa01ccbb0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 17:30:59 -0700 +Subject: [PATCH] More fixes for bug #69152 + +--- + Zend/zend_exceptions.c | 3 +++ + ext/standard/tests/serialize/bug69152.phpt | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 ext/standard/tests/serialize/bug69152.phpt + +Index: php5-5.3.10/Zend/zend_exceptions.c +=================================================================== +--- php5-5.3.10.orig/Zend/zend_exceptions.c 2015-06-26 13:49:07.685378367 -0400 ++++ php5-5.3.10/Zend/zend_exceptions.c 2015-06-26 13:49:07.681378324 -0400 +@@ -499,6 +499,9 @@ + str = &res; + + trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC); ++ if(Z_TYPE_P(trace) != IS_ARRAY) { ++ RETURN_FALSE; ++ } + zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num); + + s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1); +Index: php5-5.3.10/ext/standard/tests/serialize/bug69152.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/standard/tests/serialize/bug69152.phpt 2015-06-26 13:49:07.681378324 -0400 +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #69152: Type Confusion Infoleak Vulnerability in unserialize() ++--FILE-- ++test(); ++ ++?> ++--EXPECTF-- ++exception 'Exception' in %s:%d ++Stack trace: ++#0 {main} ++ ++Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/bug64938.patch +++ php5-5.3.10/debian/patches/bug64938.patch 
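Review bot: The new `RETURN_FALSE` after the `IS_ARRAY` check returns while `res`, which the preceding context line binds via `str = &res;`, is still live; if `res` is heap-allocated just above (its allocation is outside the hunk, so please verify), the early return leaks it. Either release it first, `efree(res); RETURN_FALSE;`, or move the `zend_read_property` call and type check ahead of the allocation. `if(Z_TYPE_P(trace) != IS_ARRAY)` also lacks the space after `if` used elsewhere in the file.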
@@ -0,0 +1,39 @@
+Backport of:
+
+From de31324c221c1791b26350ba106cc26bad23ace9 Mon Sep 17 00:00:00 2001
+From: Martin Jansen
+Date: Thu, 22 Jan 2015 20:58:15 +0100
+Subject: [PATCH] Fix bug #64938: libxml_disable_entity_loader setting is
+ shared between threads
+
+The availability of entity loading is stored in a module global which
+previously was only initialized in the GINIT constructor. This had the
+effect that disabling the entity loader in one request caused
+subsequent requests hitting the same Apache child process to also have
+the loader disabled.
+
+With this change the loader is explicitely enabled in the request init
+phase.
+---
+ NEWS | 4 ++++
+ ext/libxml/libxml.c | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+Index: php5-5.3.10/ext/libxml/libxml.c
+===================================================================
+--- php5-5.3.10.orig/ext/libxml/libxml.c 2016-04-18 11:00:19.183403242 -0400
++++ php5-5.3.10/ext/libxml/libxml.c 2016-04-18 11:01:02.863945057 -0400
+@@ -644,6 +644,13 @@
+ xmlSetGenericErrorFunc(NULL, php_libxml_error_handler);
+ xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename);
+ xmlOutputBufferCreateFilenameDefault(php_libxml_output_buffer_create_filename);
++
++ /* Enable the entity loader by default. This ensure that
++ * other threads/requests that might have disable the loader
++ * do not affect the current request.
++ */
++ LIBXML(entity_loader_disabled) = 0;
++
+ return SUCCESS;
+ }
+
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/bug65481.patch
+++ php5-5.3.10/debian/patches/bug65481.patch
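Review bot: The comment added in the `@@ -644` hunk has grammar slips (`This ensure`, `might have disable`) and states the intent without naming the failure it guards against. Suggest `/* Re-enable the entity loader at request start so that an earlier request on this process that disabled it cannot leave it disabled for this one (bug #64938). */`. The `LIBXML(entity_loader_disabled) = 0;` reset itself matches the commit message.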
@@ -0,0 +1,159 @@ +Backport of: + +From 1ac4d8f2c632f5be5a02d49c1e0d3b1fb515e4a8 Mon Sep 17 00:00:00 2001 +From: Michael Wallner +Date: Mon, 29 Jul 2013 17:59:35 +0200 +Subject: [PATCH] fix bug #65481 (shutdown segfault due to serialize) + +--- + NEWS | 1 + + ext/standard/php_var.h | 1 + + ext/standard/tests/serialize/bug65481.phpt | 40 ++++++++++ + ext/standard/var_unserializer.c | 117 ++++++++++++++++++----------- + ext/standard/var_unserializer.re | 53 +++++++++---- + 5 files changed, 154 insertions(+), 58 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug65481.phpt + +Index: php5-5.3.10/ext/standard/php_var.h +=================================================================== +--- php5-5.3.10.orig/ext/standard/php_var.h 2015-09-30 07:59:15.357572656 -0400 ++++ php5-5.3.10/ext/standard/php_var.h 2015-09-30 07:59:15.357572656 -0400 +@@ -63,6 +63,7 @@ + + PHPAPI void var_replace(php_unserialize_data_t *var_hash, zval *ozval, zval **nzval); + PHPAPI void var_push_dtor(php_unserialize_data_t *var_hash, zval **val); ++PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval); + PHPAPI void var_destroy(php_unserialize_data_t *var_hash); + + #define PHP_VAR_UNSERIALIZE_ZVAL_CHANGED(var_hash, ozval, nzval) \ +Index: php5-5.3.10/ext/standard/tests/serialize/bug65481.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/standard/tests/serialize/bug65481.phpt 2015-09-30 07:59:15.357572656 -0400 +@@ -0,0 +1,40 @@ ++--TEST-- ++Bug #65481 (shutdown segfault due to serialize) ++--FILE-- ++e[] = $e; ++ $e->e = $c->e; ++ } ++ ++ return serialize(array(serialize($c))); ++ } ++ ++ public function unserialize($str) ++ { ++ $r = unserialize($str); ++ $r = unserialize($r[0]); ++ } ++} ++ ++$token = new Token; ++$token = serialize($token); ++ ++?> ++Done ++--EXPECT-- ++Test ++Done +Index: php5-5.3.10/ext/standard/var_unserializer.c 
+=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2015-09-30 07:59:15.357572656 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.c 2015-09-30 08:01:46.400399520 -0400 +@@ -79,6 +80,29 @@ + var_hash->data[var_hash->used_slots++] = *rval; + } + ++PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) ++{ ++ var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; ++ ++ while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) { ++ prev = var_hash; ++ var_hash = var_hash->next; ++ } ++ ++ if (!var_hash) { ++ var_hash = emalloc(sizeof(var_entries)); ++ var_hash->used_slots = 0; ++ var_hash->next = 0; ++ ++ if (!var_hashx->first_dtor) ++ var_hashx->first_dtor = var_hash; ++ else ++ prev->next = var_hash; ++ } ++ ++ var_hash->data[var_hash->used_slots++] = *rval; ++} ++ + PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval) + { + long i; +@@ -1099,7 +1125,7 @@ + if (*rval == *rval_ref) return 0; + + if (*rval != NULL) { +- zval_ptr_dtor(rval); ++ var_push_dtor_no_addref(var_hash, rval); + } + *rval = *rval_ref; + Z_ADDREF_PP(rval); +Index: php5-5.3.10/ext/standard/var_unserializer.re +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2015-09-30 07:59:15.357572656 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.re 2015-09-30 08:02:19.484142568 -0400 +@@ -78,6 +79,29 @@ + var_hash->data[var_hash->used_slots++] = *rval; + } + ++PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) ++{ ++ var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; ++ ++ while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) { ++ prev = var_hash; ++ var_hash = var_hash->next; ++ } ++ ++ if (!var_hash) { ++ var_hash = emalloc(sizeof(var_entries)); ++ var_hash->used_slots = 0; ++ var_hash->next = 0; ++ ++ if (!var_hashx->first_dtor) ++ 
var_hashx->first_dtor = var_hash; ++ else ++ prev->next = var_hash; ++ } ++ ++ var_hash->data[var_hash->used_slots++] = *rval; ++} ++ + PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval) + { + long i; +@@ -447,7 +471,7 @@ + if (*rval == *rval_ref) return 0; + + if (*rval != NULL) { +- zval_ptr_dtor(rval); ++ var_push_dtor_no_addref(var_hash, rval); + } + *rval = *rval_ref; + Z_ADDREF_PP(rval); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-5589-1.patch +++ php5-5.3.10/debian/patches/CVE-2015-5589-1.patch @@ -0,0 +1,31 @@ +Backport of: + +From bf58162ddf970f63502837f366930e44d6a992cf Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 4 Jul 2015 21:01:50 -0700 +Subject: [PATCH] Fix bug #69958 - Segfault in Phar::convertToData on invalid + file + +--- + ext/phar/phar_object.c | 70 ++++++++++++++++++++++--------------------- + ext/phar/tests/bug69958.phpt | 14 +++++++++ + ext/phar/tests/bug69958.tar | Bin 0 -> 513 bytes + 3 files changed, 50 insertions(+), 34 deletions(-) + create mode 100644 ext/phar/tests/bug69958.phpt + create mode 100644 ext/phar/tests/bug69958.tar + +Index: php5-5.3.10/ext/phar/phar_object.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar_object.c 2015-09-29 12:28:32.486128544 -0400 ++++ php5-5.3.10/ext/phar/phar_object.c 2015-09-29 12:28:32.482128571 -0400 +@@ -2524,7 +2524,9 @@ + zend_hash_destroy(&(phar->manifest)); + zend_hash_destroy(&(phar->mounted_dirs)); + zend_hash_destroy(&(phar->virtual_dirs)); +- php_stream_close(phar->fp); ++ if (phar->fp) { ++ php_stream_close(phar->fp); ++ } + efree(phar->fname); + efree(phar); + return NULL; only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-6834-2.patch +++ php5-5.3.10/debian/patches/CVE-2015-6834-2.patch 
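Review bot: `var_push_dtor_no_addref` in the var_unserializer.c hunk, and its identical twin in the var_unserializer.re hunk (the .re appears to be the source the .c is generated from, so both must stay in step), duplicates the slot search and chunk allocation of the function ending just above it (presumably `var_push_dtor`, given the matching `var_hash->data[var_hash->used_slots++] = *rval;` last line) and differs only by the missing `Z_ADDREF_PP`. Reducing the older function to `Z_ADDREF_PP(rval); var_push_dtor_no_addref(var_hashx, rval);` would leave one copy of the allocation logic. The unbraced `if (!var_hashx->first_dtor) ... else ...` and `var_hash->next = 0;` (0 rather than NULL for a pointer) mirror the existing code but are worth fixing in new code.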
@@ -0,0 +1,32 @@
+From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 1 Sep 2015 00:14:15 -0700
+Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in
+ unserialize() with SplObjectStorage
+
+---
+ ext/spl/spl_observer.c | 2 ++
+ ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+ create mode 100644 ext/spl/tests/bug70365.phpt
+
+Index: php5-5.3.10/ext/spl/spl_observer.c
+===================================================================
+--- php5-5.3.10.orig/ext/spl/spl_observer.c 2015-09-29 12:41:38.165719335 -0400
++++ php5-5.3.10/ext/spl/spl_observer.c 2015-09-29 12:41:38.161719354 -0400
+@@ -763,6 +763,7 @@
+ zval_ptr_dtor(&pentry);
+ goto outexcept;
+ }
++ var_push_dtor(&var_hash, &pentry);
+ if(Z_TYPE_P(pentry) != IS_OBJECT) {
+ zval_ptr_dtor(&pentry);
+ goto outexcept;
+@@ -774,6 +775,7 @@
+ zval_ptr_dtor(&pinf);
+ goto outexcept;
+ }
++ var_push_dtor(&var_hash, &pinf);
+ }
+
+ pelement = spl_object_storage_get(intern, pentry TSRMLS_CC);
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-4602.patch
+++ php5-5.3.10/debian/patches/CVE-2015-4602.patch
@@ -0,0 +1,25 @@
+From fb83c76deec58f1fab17c350f04c9f042e5977d1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 22 Mar 2015 18:17:47 -0700
+Subject: [PATCH] Check that the type is correct
+
+---
+ ext/standard/incomplete_class.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c
+index 1816ac4..30c82e6 100644
+--- a/ext/standard/incomplete_class.c
++++ b/ext/standard/incomplete_class.c
+@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen)
+
+ object_properties = Z_OBJPROP_P(object);
+
+- if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) {
++ if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) {
+ retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
+
+ if (nlen) {
+--
+2.1.4
+
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-3411.patch
+++ php5-5.3.10/debian/patches/CVE-2015-3411.patch
@@ -0,0 +1,286 @@ +Backport of: + +From 4435b9142ff9813845d5c97ab29a5d637bedb257 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 16:01:24 -0700 +Subject: [PATCH] Fixed bug #69353 (Missing null byte checks for paths in + various PHP extensions) + +--- + ext/dom/document.c | 5 ++++- + ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 5 +++++ + ext/fileinfo/fileinfo.c | 5 +++++ + ext/fileinfo/tests/finfo_file_basic.phpt | 4 ++++ + ext/gd/gd.c | 8 ++++---- + ext/hash/hash.c | 7 ++++++- + ext/hash/tests/hash_hmac_file_error.phpt | 7 +++++++ + ext/pgsql/pgsql.c | 2 +- + ext/standard/link.c | 2 +- + ext/standard/streamsfuncs.c | 2 +- + ext/xmlwriter/php_xmlwriter.c | 4 ++-- + ext/zlib/zlib.c | 4 ++-- + 12 files changed, 42 insertions(+), 13 deletions(-) + +Index: php5-5.3.10/ext/dom/document.c +=================================================================== +--- php5-5.3.10.orig/ext/dom/document.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/dom/document.c 2015-07-02 09:08:47.575782022 -0400 +@@ -1573,6 +1573,9 @@ + xmlInitParser(); + + if (mode == DOM_LOAD_FILE) { ++ if (CHECK_NULL_PATH(source, source_len)) { ++ return NULL; ++ } + char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (file_dest) { + ctxt = xmlCreateFileParserCtxt(file_dest); +Index: php5-5.3.10/ext/fileinfo/fileinfo.c +=================================================================== +--- php5-5.3.10.orig/ext/fileinfo/fileinfo.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/fileinfo/fileinfo.c 2015-07-02 09:08:04.747330584 -0400 +@@ -495,6 +495,11 @@ + RETVAL_FALSE; + goto clean; + } ++ if (CHECK_NULL_PATH(buffer, buffer_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); ++ RETVAL_FALSE; ++ goto clean; ++ } + + wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC); + +Index: php5-5.3.10/ext/fileinfo/tests/finfo_file_basic.phpt 
+=================================================================== +--- php5-5.3.10.orig/ext/fileinfo/tests/finfo_file_basic.phpt 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/fileinfo/tests/finfo_file_basic.phpt 2015-07-02 09:08:04.747330584 -0400 +@@ -19,6 +19,7 @@ + var_dump( finfo_file( $finfo, __FILE__) ); + var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); + var_dump( finfo_file( $finfo, $magicFile ) ); ++var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); + + ?> + ===DONE=== +@@ -27,4 +28,7 @@ + string(28) "text/x-php; charset=us-ascii" + string(15) "PHP script text" + string(32) "text/plain; charset=unknown-8bit" ++ ++Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d ++bool(false) + ===DONE=== +Index: php5-5.3.10/ext/gd/gd.c +=================================================================== +--- php5-5.3.10.orig/ext/gd/gd.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/gd/gd.c 2015-07-02 09:08:04.751330627 -0400 +@@ -1470,6 +1470,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(file) != file_name) { ++ RETURN_FALSE; ++ } ++ + stream = php_stream_open_wrapper(file, "rb", ENFORCE_SAFE_MODE | IGNORE_PATH | IGNORE_URL_WIN | REPORT_ERRORS, NULL); + if (stream == NULL) { + RETURN_FALSE; +@@ -2412,6 +2417,12 @@ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { + return; + } ++ ++ /* No nulls allowed in paths */ ++ if (strlen(file) != file_len) { ++ RETURN_FALSE; ++ } ++ + if (width < 1 || height < 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zero width or height not allowed"); + RETURN_FALSE; +@@ -2420,6 +2431,11 @@ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { + return; + } ++ ++ /* No nulls allowed in paths */ ++ if (strlen(file) != file_len) { ++ RETURN_FALSE; ++ } + } + + stream = php_stream_open_wrapper(file, "rb", 
ENFORCE_SAFE_MODE|REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); +@@ -4131,6 +4147,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(enc) != enc_len) { ++ RETURN_FALSE; ++ } ++ + ZEND_FETCH_RESOURCE(f_ind, int *, &fnt, -1, "Type 1 font", le_ps_font); + + if ((enc_vector = T1_LoadEncoding(enc)) == NULL) { +Index: php5-5.3.10/ext/hash/hash.c +=================================================================== +--- php5-5.3.10.orig/ext/hash/hash.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/hash/hash.c 2015-07-02 09:08:04.751330627 -0400 +@@ -136,6 +136,10 @@ + RETURN_FALSE; + } + if (isfilename) { ++ if (CHECK_NULL_PATH(data, data_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); ++ RETURN_FALSE; ++ } + stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS | ENFORCE_SAFE_MODE, NULL, DEFAULT_CONTEXT); + if (!stream) { + /* Stream will report errors opening file */ +@@ -214,6 +218,10 @@ + RETURN_FALSE; + } + if (isfilename) { ++ if (CHECK_NULL_PATH(data, data_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); ++ RETURN_FALSE; ++ } + stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS | ENFORCE_SAFE_MODE, NULL, DEFAULT_CONTEXT); + if (!stream) { + /* Stream will report errors opening file */ +@@ -445,6 +453,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(filename) != filename_len) { ++ RETURN_FALSE; ++ } ++ + ZEND_FETCH_RESOURCE(hash, php_hash_data*, &zhash, -1, PHP_HASH_RESNAME, php_hash_le_hash); + context = php_stream_context_from_zval(zcontext, 0); + +Index: php5-5.3.10/ext/hash/tests/hash_hmac_file_error.phpt +=================================================================== +--- php5-5.3.10.orig/ext/hash/tests/hash_hmac_file_error.phpt 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/hash/tests/hash_hmac_file_error.phpt 2015-07-02 09:08:04.751330627 -0400 +@@ -28,6 +28,9 @@ + echo "\n-- Testing hash_hmac_file() function with invalid 
hash algorithm --\n"; + hash_hmac_file('foo', $file, $key, TRUE); + ++echo "\n-- Testing hash_hmac_file() function with bad path --\n"; ++hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); ++ + ?> + ===Done=== + --EXPECTF-- +@@ -51,4 +54,8 @@ + -- Testing hash_hmac_file() function with invalid hash algorithm -- + + Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d ++ ++-- Testing hash_hmac_file() function with bad path -- ++ ++Warning: hash_hmac_file(): Invalid path in %s on line %d + ===Done=== +\ No newline at end of file +Index: php5-5.3.10/ext/pgsql/pgsql.c +=================================================================== +--- php5-5.3.10.orig/ext/pgsql/pgsql.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/pgsql/pgsql.c 2015-07-02 09:08:04.751330627 -0400 +@@ -2873,6 +2873,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(z_filename) != z_filename_len) { ++ RETURN_FALSE; ++ } ++ + if (argc < 3) { + CHECK_DEFAULT_LINK(id); + } +Index: php5-5.3.10/ext/standard/streamsfuncs.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/streamsfuncs.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/standard/streamsfuncs.c 2015-07-02 09:08:04.751330627 -0400 +@@ -1501,6 +1501,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(filename) != filename_len) { ++ RETURN_FALSE; ++ } ++ + resolved_path = zend_resolve_path(filename, filename_len TSRMLS_CC); + + if (resolved_path) { +Index: php5-5.3.10/ext/xmlwriter/php_xmlwriter.c +=================================================================== +--- php5-5.3.10.orig/ext/xmlwriter/php_xmlwriter.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/xmlwriter/php_xmlwriter.c 2015-07-02 09:08:04.751330627 -0400 +@@ -1738,7 +1738,7 @@ + /* }}} */ + #endif + +-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source) ++/* {{{ proto resource xmlwriter_open_uri(string 
source) + Create new xmlwriter using source uri for output */ + static PHP_FUNCTION(xmlwriter_open_uri) + { +@@ -1775,6 +1775,11 @@ + RETURN_FALSE; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(source) != source_len) { ++ RETURN_FALSE; ++ } ++ + valid_file = _xmlwriter_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (!valid_file) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to resolve file path"); +Index: php5-5.3.10/ext/zlib/zlib.c +=================================================================== +--- php5-5.3.10.orig/ext/zlib/zlib.c 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/ext/zlib/zlib.c 2015-07-02 09:08:04.755330669 -0400 +@@ -445,6 +445,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(filename) != filename_len) { ++ RETURN_FALSE; ++ } ++ + use_include_path = flags ? USE_PATH : 0; + + stream = php_stream_gzopen(NULL, filename, mode, use_include_path | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL, NULL STREAMS_CC TSRMLS_CC); +@@ -474,6 +479,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(filename) != filename_len) { ++ RETURN_FALSE; ++ } ++ + use_include_path = flags ? USE_PATH : 0; + + stream = php_stream_gzopen(NULL, filename, "rb", use_include_path | ENFORCE_SAFE_MODE, NULL, NULL STREAMS_CC TSRMLS_CC); +Index: php5-5.3.10/Zend/zend_API.h +=================================================================== +--- php5-5.3.10.orig/Zend/zend_API.h 2015-07-02 09:08:04.755330669 -0400 ++++ php5-5.3.10/Zend/zend_API.h 2015-07-02 09:08:04.755330669 -0400 +@@ -512,6 +512,8 @@ + #define CHECK_ZVAL_STRING_REL(z) + #endif + ++#define CHECK_NULL_PATH(p, l) (strlen(p) != l) ++ + #define ZVAL_RESOURCE(z, l) { \ + Z_TYPE_P(z) = IS_RESOURCE; \ + Z_LVAL_P(z) = l; \ only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4644.patch +++ php5-5.3.10/debian/patches/CVE-2015-4644.patch 
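Review bot: The new `CHECK_NULL_PATH(p, l)` in Zend/zend_API.h expands to `(strlen(p) != l)` with `l` unparenthesized and compares a `size_t` against a signed `int` length; `#define CHECK_NULL_PATH(p, l) (strlen(p) != (size_t)(l))` is the hygienic form, assuming `<string.h>` is reachable from that header. Only dom, fileinfo and the first two hash hunks use the macro, while gd, the third hash hunk, pgsql, streamsfuncs, xmlwriter and zlib open-code `strlen(x) != x_len`, and reporting is also split: fileinfo and hash emit an E_WARNING "Invalid path" whereas the others silently `RETURN_FALSE`. Converging on the macro and one reporting style would make the next audit of embedded-NUL paths mechanical. In ext/dom/document.c the check is inserted before `char *file_dest = ...`, i.e. a declaration after a statement, which only compiles cleanly if this tree is built as C99/gnu89 rather than strict C89.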
@@ -0,0 +1,55 @@ +Description: fix denial of service via php_pgsql_meta_data +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64 +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=3ee3066bd00b15b050c2f70ccf8d6a6373f51c09 +Bug: https://bugs.php.net/bug.php?id=69667 + +Index: php5-5.3.10/ext/pgsql/pg_insert_002.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/pgsql/pg_insert_002.phpt 2015-06-30 15:52:51.501987202 -0400 +@@ -0,0 +1,27 @@ ++--TEST-- ++PostgreSQL pg_select() - basic test using schema ++--SKIPIF-- ++ ++--FILE-- ++ 1, 'id2' => 1))); ++} ++?> ++Done ++--EXPECTF-- ++ ++Warning: pg_insert(): The table name must be specified in %s on line %d ++bool(false) ++ ++Warning: pg_insert(): The table name must be specified in %s on line %d ++bool(false) ++ ++Warning: pg_insert(): The table name must be specified in %s on line %d ++bool(false) ++Done +\ No newline at end of file +Index: php5-5.3.10/ext/pgsql/pgsql.c +=================================================================== +--- php5-5.3.10.orig/ext/pgsql/pgsql.c 2015-06-30 15:52:51.505987252 -0400 ++++ php5-5.3.10/ext/pgsql/pgsql.c 2015-06-30 15:52:51.501987202 -0400 +@@ -4868,7 +4868,11 @@ + + src = estrdup(table_name); + tmp_name = php_strtok_r(src, ".", &tmp_name2); +- ++ if (!tmp_name) { ++ efree(src); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The table name must be specified"); ++ return FAILURE; ++ } + if (!tmp_name2 || !*tmp_name2) { + /* Default schema */ + tmp_name2 = tmp_name; only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4599.patch +++ php5-5.3.10/debian/patches/CVE-2015-4599.patch 
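Review bot: The regression test is added as ext/pgsql/pg_insert_002.phpt, directly under ext/pgsql/ instead of ext/pgsql/tests/, so run-tests.php will presumably never pick it up and the "The table name must be specified" warning text in the pgsql.c hunk goes unverified; moving the file under tests/ fixes that. The new `if (!tmp_name)` branch frees `src` before `return FAILURE`, which is consistent with the `estrdup` two lines above; the rest of php_pgsql_meta_data is outside the hunk, so whether anything allocated earlier also needs releasing on this path cannot be checked here. A short comment on the branch, `/* php_strtok_r() returns NULL for an empty or all-'.' name; bail before dereferencing */`, would explain why the check is needed.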
@@ -0,0 +1,26 @@
+From 51856a76f87ecb24fe1385342be43610fb6c86e4 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov
+Date: Thu, 19 Mar 2015 11:36:01 +0300
+Subject: [PATCH] Fixed bug #69152
+
+---
+ ext/soap/soap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: php5-5.3.10/ext/soap/soap.c
+===================================================================
+--- php5-5.3.10.orig/ext/soap/soap.c 2015-06-26 13:48:54.165235346 -0400
++++ php5-5.3.10/ext/soap/soap.c 2015-06-26 13:48:54.165235346 -0400
+@@ -1021,6 +1021,12 @@
+ 
+ zend_call_function(&fci, NULL TSRMLS_CC);
+ 
++ convert_to_string(faultcode);
++ convert_to_string(faultstring);
++ convert_to_string(file);
++ convert_to_long(line);
++ convert_to_string(trace);
++ 
+ len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s",
+ Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line),
+ Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-6834-1.patch
+++ php5-5.3.10/debian/patches/CVE-2015-6834-1.patch
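Review bot: The five `convert_to_*` calls convert in place, so if `faultcode`, `faultstring`, `file`, `line` and `trace` are the exception object's own property zvals (where they come from is outside the hunk) the coercion is visible to user code afterwards, e.g. a `line` that was a string is rewritten to a long. Converting a local copy keeps the spprintf argument types guaranteed without mutating the object: `zval tmp = *faultcode; zval_copy_ctor(&tmp); convert_to_string(&tmp);`, read `Z_STRVAL(tmp)` in the format call and `zval_dtor(&tmp)` after it, repeated for the other four. If in-place conversion is intended, a comment saying so above the block, `/* coerce the property zvals themselves so spprintf() only ever sees string/long */`, would stop a reader from treating it as an oversight. The enclosing function starts and ends outside the hunk.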
@@ -0,0 +1,143 @@ +Backport of: + +From e8429400d40e3c3aa4b22ba701991d698a2f3b2f Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 31 Aug 2015 21:28:11 -0700 +Subject: [PATCH] Fix bug #70172 - Use After Free Vulnerability in + unserialize() + +--- + ext/standard/tests/serialize/bug70172.phpt | 52 ++++++++++++++++++++ + ext/standard/var.c | 23 +++++++-- + ext/standard/var_unserializer.c | 76 ++++++++++++++++-------------- + ext/standard/var_unserializer.re | 12 +++-- + 4 files changed, 121 insertions(+), 42 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug70172.phpt + +Index: php5-5.3.10/ext/standard/var.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/var.c 2015-09-30 08:04:55.906927662 -0400 ++++ php5-5.3.10/ext/standard/var.c 2015-09-30 08:04:55.906927662 -0400 +@@ -923,6 +923,8 @@ + int buf_len; + const unsigned char *p; + php_unserialize_data_t var_hash; ++ int oldlevel; ++ zval *old_rval = return_value; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { + RETURN_FALSE; +@@ -940,6 +942,19 @@ + php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); + RETURN_FALSE; + } ++ if (return_value != old_rval) { ++ /* ++ * Terrible hack due to the fact that executor passes us zval *, ++ * but unserialize with r/R wants to replace it with another zval * ++ */ ++ zval_dtor(old_rval); ++ *old_rval = *return_value; ++ zval_copy_ctor(old_rval); ++ var_push_dtor_no_addref(&var_hash, &return_value); ++ var_push_dtor_no_addref(&var_hash, &old_rval); ++ } else { ++ var_push_dtor(&var_hash, &return_value); ++ } + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + } + /* }}} */ +Index: php5-5.3.10/ext/standard/var_unserializer.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2015-09-30 08:04:55.906927662 -0400 ++++ 
php5-5.3.10/ext/standard/var_unserializer.c 2015-09-30 08:04:55.906927662 -0400 +@@ -152,6 +152,9 @@ + + while (var_hash) { + for (i = 0; i < var_hash->used_slots; i++) { ++#if VAR_ENTRIES_DBG ++ fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); ++#endif + zval_ptr_dtor(&var_hash->data[i]); + } + next = var_hash->next; +@@ -579,6 +582,7 @@ + zval **args[1]; + zval *arg_func_name; + ++ if (!var_hash) return 0; + if (*start == 'C') { + custom_object = 1; + } +@@ -705,6 +709,7 @@ + if (yych != '"') goto yy18; + ++YYCURSOR; + { ++ if (!var_hash) return 0; + + INIT_PZVAL(*rval); + +@@ -735,6 +740,7 @@ + long elements = parse_iv(start + 2); + /* use iv() not uiv() in order to check data range */ + *p = YYCURSOR; ++ if (!var_hash) return 0; + + if (elements < 0) { + return 0; +@@ -1164,7 +1170,7 @@ + } + + if (*rval != NULL) { +- zval_ptr_dtor(rval); ++ var_push_dtor_no_addref(var_hash, rval); + } + *rval = *rval_ref; + Z_ADDREF_PP(rval); +Index: php5-5.3.10/ext/standard/var_unserializer.re +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2015-09-30 08:04:55.906927662 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.re 2015-09-30 08:04:55.906927662 -0400 +@@ -151,6 +151,9 @@ + + while (var_hash) { + for (i = 0; i < var_hash->used_slots; i++) { ++#if VAR_ENTRIES_DBG ++ fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); ++#endif + zval_ptr_dtor(&var_hash->data[i]); + } + next = var_hash->next; +@@ -447,7 +450,7 @@ + } + + if (*rval != NULL) { +- zval_ptr_dtor(rval); ++ var_push_dtor_no_addref(var_hash, rval); + } + *rval = *rval_ref; + Z_ADDREF_PP(rval); +@@ -606,6 +609,7 @@ + long elements = parse_iv(start + 2); + /* use iv() not uiv() in order to check data range */ + *p = YYCURSOR; ++ if (!var_hash) return 0; + + if (elements < 0) { + return 0; +@@ -623,6 +627,7 @@ + } + + "o:" iv ":" ["] { ++ if 
(!var_hash) return 0; + + INIT_PZVAL(*rval); + +@@ -645,6 +650,7 @@ + zval **args[1]; + zval *arg_func_name; + ++ if (!var_hash) return 0; + if (*start == 'C') { + custom_object = 1; + } only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-6835-1.patch +++ php5-5.3.10/debian/patches/CVE-2015-6835-1.patch 
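Review bot: `int oldlevel;` added to the unserialize() implementation in ext/standard/var.c is never referenced in the hunk, so unless the rest of the function (outside the hunk) uses it this is an unused variable that -Wall will flag; dropping that line keeps the backport minimal. The `#if VAR_ENTRIES_DBG` fprintf in var_destroy passes `Z_REFCOUNT_P(...)` to `%ld`, a zend_uint to a long conversion, so `%u` is the matching specifier even though it is debug-only. The "Terrible hack" block in var.c would also benefit from one sentence on why both `return_value` and `old_rval` are handed to `var_push_dtor_no_addref` rather than one of them being destroyed immediately, e.g. `/* both zvals may still be referenced from the var_hash; defer their release to PHP_VAR_UNSERIALIZE_DESTROY */`, stated as the author's intent to be confirmed.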
@@ -0,0 +1,882 @@ +Backport of: + +From df4bf28f9f104ca3ef78ed94b497859f15b004e5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 23 Aug 2015 13:27:59 -0700 +Subject: [PATCH] Fix bug #70219 (Use after free vulnerability in session + deserializer) + +--- + ext/session/session.c | 36 +- + ext/session/tests/session_decode_error2.phpt | 518 +++++------------------ + ext/session/tests/session_decode_variation3.phpt | 2 +- + ext/standard/tests/serialize/bug70219.phpt | 38 ++ + ext/standard/var_unserializer.c | 68 +-- + ext/standard/var_unserializer.re | 64 +-- + 6 files changed, 228 insertions(+), 498 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug70219.phpt + +Index: php5-5.3.10/ext/session/session.c +=================================================================== +--- php5-5.3.10.orig/ext/session/session.c 2015-09-30 08:05:47.134529790 -0400 ++++ php5-5.3.10/ext/session/session.c 2015-09-30 08:05:47.130529820 -0400 +@@ -276,16 +276,18 @@ + } + /* }}} */ + +-static void php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ ++static int php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ + { + if (!PS(serializer)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object"); +- return; ++ return FAILURE; + } + if (PS(serializer)->decode(val, vallen TSRMLS_CC) == FAILURE) { + php_session_destroy(TSRMLS_C); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode session object. 
Session has been destroyed"); ++ return FAILURE; + } ++ return SUCCESS; + } + /* }}} */ + +@@ -892,8 +894,11 @@ + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { + php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ } else { ++ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); ++ return FAILURE; + } +- zval_ptr_dtor(¤t); ++ var_push_dtor_no_addref(&var_hash, ¤t); + } + PS_ADD_VARL(name, namelen); + efree(name); +@@ -984,8 +989,13 @@ + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { + php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ } else { ++ var_push_dtor_no_addref(&var_hash, ¤t); ++ efree(name); ++ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); ++ return FAILURE; + } +- zval_ptr_dtor(¤t); ++ var_push_dtor_no_addref(&var_hash, ¤t); + } + PS_ADD_VARL(name, namelen); + skip: +@@ -1873,9 +1883,7 @@ + return; + } + +- php_session_decode(str, str_len TSRMLS_CC); +- +- RETURN_TRUE; ++ RETVAL_BOOL(php_session_decode(str, str_len TSRMLS_CC) == SUCCESS); + } + /* }}} */ + +Index: php5-5.3.10/ext/session/tests/session_decode_error2.phpt +=================================================================== +--- php5-5.3.10.orig/ext/session/tests/session_decode_error2.phpt 2015-09-30 08:05:47.134529790 -0400 ++++ php5-5.3.10/ext/session/tests/session_decode_error2.phpt 2015-09-30 08:05:47.130529820 -0400 +@@ -53,563 +53,247 @@ + } + + -- Iteration 4 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++ ++Warning: session_decode(): Failed to decode session object. 
Session has been destroyed in %s/session_decode_error2.php on line %d ++bool(false) ++array(0) { + } + + -- Iteration 5 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 6 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 7 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 8 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 9 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 10 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 11 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 12 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 13 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 14 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 15 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 16 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 17 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 18 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 19 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 20 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 21 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 22 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 23 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) 
++array(0) { + } + + -- Iteration 24 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 25 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 26 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 27 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 28 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 29 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 30 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 31 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 32 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 33 -- +-bool(true) +-array(1) { +- ["foo"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 34 -- +-bool(true) +-array(1) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 35 -- +-bool(true) +-array(1) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 36 -- +-bool(true) +-array(1) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 37 -- +-bool(true) +-array(1) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 38 -- +-bool(true) +-array(1) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 39 -- +-bool(true) +-array(2) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- 
int(3) +- } +- ["guff"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 40 -- +-bool(true) +-array(2) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 41 -- +-bool(true) +-array(2) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 42 -- +-bool(true) +-array(2) { +- ["foo"]=> +- array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 43 -- +-bool(true) +-array(2) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 44 -- +-bool(true) +-array(2) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 45 -- +-bool(true) +-array(2) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 46 -- +-bool(true) +-array(2) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 47 -- +-bool(true) +-array(2) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } ++bool(false) ++array(0) { + } + + -- Iteration 48 -- +-bool(true) +-array(3) { +- 
["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["blah"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 49 -- +-bool(true) +-array(3) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["blah"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 50 -- +-bool(true) +-array(3) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["blah"]=> +- NULL ++bool(false) ++array(0) { + } + + -- Iteration 51 -- +-bool(true) +-array(3) { +- ["foo"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["guff"]=> +- &array(3) { +- [0]=> +- int(1) +- [1]=> +- int(2) +- [2]=> +- int(3) +- } +- ["blah"]=> +- NULL ++bool(false) ++array(0) { + } +-bool(true) +-Done + ++Warning: session_destroy(): Trying to destroy uninitialized session in %s/session_decode_error2.php on line %d ++bool(false) ++Done +Index: php5-5.3.10/ext/session/tests/session_decode_variation3.phpt +=================================================================== +--- php5-5.3.10.orig/ext/session/tests/session_decode_variation3.phpt 2015-09-30 08:05:47.134529790 -0400 ++++ php5-5.3.10/ext/session/tests/session_decode_variation3.phpt 2015-09-30 08:05:47.130529820 -0400 +@@ -49,7 +49,7 @@ + } + + Warning: session_decode(): Unknown session.serialize_handler. 
Failed to decode session object in %s on line %d +-bool(true) ++bool(false) + array(3) { + ["foo"]=> + int(1234567890) +Index: php5-5.3.10/ext/standard/var_unserializer.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2015-09-30 08:05:47.134529790 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.c 2015-09-30 08:08:08.297433418 -0400 +@@ -81,7 +81,13 @@ + + PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) + { +- var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; ++ var_entries *var_hash, *prev = NULL; ++ ++ if (!var_hashx) { ++ return; ++ } ++ ++ var_hash = var_hashx->first_dtor; + + while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) { + prev = var_hash; +@@ -285,24 +291,20 @@ + ALLOC_INIT_ZVAL(key); + + if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) { +- zval_dtor(key); +- FREE_ZVAL(key); ++ var_push_dtor_no_addref(var_hash, &key); + return 0; + } + + if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) { +- zval_dtor(key); +- FREE_ZVAL(key); ++ var_push_dtor_no_addref(var_hash, &key); + return 0; + } + + ALLOC_INIT_ZVAL(data); + + if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { +- zval_dtor(key); +- FREE_ZVAL(key); +- zval_dtor(data); +- FREE_ZVAL(data); ++ var_push_dtor_no_addref(var_hash, &key); ++ var_push_dtor_no_addref(var_hash, &data); + return 0; + } + +@@ -331,9 +333,7 @@ + sizeof data, NULL); + } + var_push_dtor(var_hash, &data); +- +- zval_dtor(key); +- FREE_ZVAL(key); ++ var_push_dtor_no_addref(var_hash, &key); + + if (elements && *(*p-1) != ';' && *(*p-1) != '}') { + (*p)--; +Index: php5-5.3.10/ext/standard/var_unserializer.re +=================================================================== +--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2015-09-30 08:05:47.134529790 -0400 ++++ php5-5.3.10/ext/standard/var_unserializer.re 2015-09-30 08:08:28.713274856 -0400 +@@ -80,7 +80,13 @@ + 
+ PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) + { +- var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; ++ var_entries *var_hash, *prev = NULL; ++ ++ if (!var_hashx) { ++ return; ++ } ++ ++ var_hash = var_hashx->first_dtor; + + while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) { + prev = var_hash; +@@ -291,24 +297,20 @@ + ALLOC_INIT_ZVAL(key); + + if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) { +- zval_dtor(key); +- FREE_ZVAL(key); ++ var_push_dtor_no_addref(var_hash, &key); + return 0; + } + + if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) { +- zval_dtor(key); +- FREE_ZVAL(key); ++ var_push_dtor_no_addref(var_hash, &key); + return 0; + } + + ALLOC_INIT_ZVAL(data); + + if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { +- zval_dtor(key); +- FREE_ZVAL(key); +- zval_dtor(data); +- FREE_ZVAL(data); ++ var_push_dtor_no_addref(var_hash, &key); ++ var_push_dtor_no_addref(var_hash, &data); + return 0; + } + +@@ -337,9 +339,7 @@ + sizeof data, NULL); + } + var_push_dtor(var_hash, &data); +- +- zval_dtor(key); +- FREE_ZVAL(key); ++ var_push_dtor_no_addref(var_hash, &key); + + if (elements && *(*p-1) != ';' && *(*p-1) != '}') { + (*p)--; only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-6833-1.patch +++ php5-5.3.10/debian/patches/CVE-2015-6833-1.patch 
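Review bot: In the ext/session/session.c hunk at `@@ -892,8 +894,11 @@` the new failure branch does `PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return FAILURE;` without releasing `current`, which was obtained from `ALLOC_INIT_ZVAL(current)` two lines earlier and has not been pushed onto the dtor list, and the `efree(name)` further down the same hunk shows `name` is heap-allocated per iteration, so it leaks on that path too. The sibling branch at `@@ -984,8 +989,13 @@` does it right with `var_push_dtor_no_addref(&var_hash, &current); efree(name);` before the destroy; the first branch should match. Note also that `var_push_dtor_no_addref` now returns silently when `var_hashx` is NULL, so the process_nested_data failure paths that used to `zval_dtor(key); FREE_ZVAL(key)` leak the key whenever they are reached with a NULL var_hash; that is the safe direction, but a comment on the early return, `/* no dtor list to defer to; leaking is preferable to freeing a zval that may still be referenced */`, would record that it is deliberate. Both decoder functions start outside their hunks.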
@@ -0,0 +1,137 @@ +From dda81f0505217a95db065e6bf9cc2d81eb902417 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 4 Aug 2015 14:00:29 -0700 +Subject: [PATCH] Fix bug #70019 - limit extracted files to given directory + +--- + ext/phar/phar_object.c | 50 +++++++++++++++++++++++++++++++++++++++---- + ext/phar/tests/bug70019.phpt | 22 +++++++++++++++++++ + ext/phar/tests/bug70019.zip | Bin 0 -> 184 bytes + 3 files changed, 68 insertions(+), 4 deletions(-) + create mode 100644 ext/phar/tests/bug70019.phpt + create mode 100644 ext/phar/tests/bug70019.zip + +Index: php5-5.3.10/ext/phar/phar_object.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar_object.c 2015-09-29 12:39:27.062374111 -0400 ++++ php5-5.3.10/ext/phar/phar_object.c 2015-09-29 12:39:27.062374111 -0400 +@@ -4304,6 +4304,9 @@ + php_stream *fp; + char *fullpath, *slash; + mode_t mode; ++ cwd_state new_state; ++ char *filename; ++ size_t filename_len; + + if (entry->is_mounted) { + /* silently ignore mounted entries */ +@@ -4313,8 +4316,39 @@ + if (entry->filename_len >= sizeof(".phar")-1 && !memcmp(entry->filename, ".phar", sizeof(".phar")-1)) { + return SUCCESS; + } ++ /* strip .. 
from path and restrict it to be under dest directory */ ++ new_state.cwd = (char*)malloc(2); ++ new_state.cwd[0] = DEFAULT_SLASH; ++ new_state.cwd[1] = '\0'; ++ new_state.cwd_length = 1; ++ if (virtual_file_ex(&new_state, entry->filename, NULL, CWD_EXPAND TSRMLS_CC) != 0 || ++ new_state.cwd_length <= 1) { ++ if (EINVAL == errno && entry->filename_len > 50) { ++ char *tmp = estrndup(entry->filename, 50); ++ spprintf(error, 4096, "Cannot extract \"%s...\" to \"%s...\", extracted filename is too long for filesystem", tmp, dest); ++ efree(tmp); ++ } else { ++ spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename); ++ } ++ free(new_state.cwd); ++ return FAILURE; ++ } ++ filename = new_state.cwd + 1; ++ filename_len = new_state.cwd_length - 1; ++#ifdef PHP_WIN32 ++ /* unixify the path back, otherwise non zip formats might be broken */ ++ { ++ int cnt = filename_len; ++ ++ do { ++ if ('\\' == filename[cnt]) { ++ filename[cnt] = '/'; ++ } ++ } while (cnt-- >= 0); ++ } ++#endif + +- len = spprintf(&fullpath, 0, "%s/%s", dest, entry->filename); ++ len = spprintf(&fullpath, 0, "%s/%s", dest, filename); + + if (len >= MAXPATHLEN) { + char *tmp; +@@ -4328,18 +4362,21 @@ + spprintf(error, 4096, "Cannot extract \"%s\" to \"%s...\", extracted filename is too long for filesystem", entry->filename, fullpath); + } + efree(fullpath); ++ free(new_state.cwd); + return FAILURE; + } + + if (!len) { + spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename); + efree(fullpath); ++ free(new_state.cwd); + return FAILURE; + } + + if (PHAR_OPENBASEDIR_CHECKPATH(fullpath)) { + spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", openbasedir/safe mode restrictions in effect", entry->filename, fullpath); + efree(fullpath); ++ free(new_state.cwd); + return FAILURE; + } + +@@ -4347,14 +4384,15 @@ + if (!overwrite && SUCCESS == php_stream_stat_path(fullpath, &ssb)) { + spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", path already exists", 
entry->filename, fullpath); + efree(fullpath); ++ free(new_state.cwd); + return FAILURE; + } + + /* perform dirname */ +- slash = zend_memrchr(entry->filename, '/', entry->filename_len); ++ slash = zend_memrchr(filename, '/', filename_len); + + if (slash) { +- fullpath[dest_len + (slash - entry->filename) + 1] = '\0'; ++ fullpath[dest_len + (slash - filename) + 1] = '\0'; + } else { + fullpath[dest_len] = '\0'; + } +@@ -4364,23 +4402,27 @@ + if (!php_stream_mkdir(fullpath, entry->flags & PHAR_ENT_PERM_MASK, PHP_STREAM_MKDIR_RECURSIVE, NULL)) { + spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath); + efree(fullpath); ++ free(new_state.cwd); + return FAILURE; + } + } else { + if (!php_stream_mkdir(fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL)) { + spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath); + efree(fullpath); ++ free(new_state.cwd); + return FAILURE; + } + } + } + + if (slash) { +- fullpath[dest_len + (slash - entry->filename) + 1] = '/'; ++ fullpath[dest_len + (slash - filename) + 1] = '/'; + } else { + fullpath[dest_len] = '/'; + } + ++ filename = NULL; ++ free(new_state.cwd); + /* it is a standalone directory, job done */ + if (entry->is_dir) { + efree(fullpath); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-7804.patch +++ php5-5.3.10/debian/patches/CVE-2015-7804.patch 
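Review bot: `new_state.cwd = (char*)malloc(2);` is dereferenced on the next line with no NULL check, so an allocation failure becomes a NULL write instead of the FAILURE return every other error path in this hunk uses; add `if (!new_state.cwd) { spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename); return FAILURE; }` before `new_state.cwd[0] = DEFAULT_SLASH;`. The PHP_WIN32 loop `do { ... } while (cnt-- >= 0);` starts at `filename[filename_len]` (the terminator, harmless) but its post-decrement test also runs the body for `cnt == -1`, i.e. `filename[-1]`, which is `new_state.cwd[0]` — inside the allocation, but not a byte of the entry path it should be rewriting; `while (cnt-- > 0)` visits exactly indices `filename_len` down to 0. `int cnt = filename_len;` also narrows a `size_t`; a `size_t` counter with that `> 0` test avoids both issues. The enclosing function starts before and ends after the hunk.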
@@ -0,0 +1,34 @@
+Description: fix uninitialized pointer in phar_make_dirstream()
+Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183
+Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=1ddf72180a52d247db88ea42a3e35f824a8fbda1
+Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=d7fb43e30d662c7fff999521ebf15ddbb192c7ca
+Bug: https://bugs.php.net/bug.php?id=70433
+
+Index: php5-5.3.10/ext/phar/util.c
+===================================================================
+--- php5-5.3.10.orig/ext/phar/util.c 2015-10-27 16:56:47.050441132 -0400
++++ php5-5.3.10/ext/phar/util.c 2015-10-27 16:56:47.018440796 -0400
+@@ -2227,7 +2227,7 @@
+ 
+ while ((s = zend_memrchr(filename, '/', filename_len))) {
+ filename_len = s - filename;
+- if (FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) {
++ if (!filename_len || FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) {
+ break;
+ }
+ }
+Index: php5-5.3.10/ext/phar/zip.c
+===================================================================
+--- php5-5.3.10.orig/ext/phar/zip.c 2015-10-27 16:56:47.050441132 -0400
++++ php5-5.3.10/ext/phar/zip.c 2015-10-27 16:56:47.022440838 -0400
+@@ -396,7 +396,9 @@
+ 
+ if (entry.filename[entry.filename_len - 1] == '/') {
+ entry.is_dir = 1;
+- entry.filename_len--;
++ if(entry.filename_len > 1) {
++ entry.filename_len--;
++ }
+ entry.flags |= PHAR_ENT_PERM_DEF_DIR;
+ } else {
+ entry.is_dir = 0;
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2015-4021.patch
+++ php5-5.3.10/debian/patches/CVE-2015-4021.patch
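Review bot: In the zip.c hunk, `entry.filename[entry.filename_len - 1]` is still read before the new `filename_len > 1` guard, so the guard only protects the decrement; unless an earlier check in phar_parse_zipfile (outside the hunk) rejects a zero-length name, a central-directory entry with `filename_len == 0` reads one byte before the allocation. Consider `if (entry.filename_len > 0 && entry.filename[entry.filename_len - 1] == '/')`, mirroring the `i > 0` guard the CVE-2015-4021 patch adds to tar.c. The util.c change, stopping the virtual-dir walk at `!filename_len`, looks complete on its own. Both enclosing functions begin and end outside the hunk.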
@@ -0,0 +1,24 @@
+From c27f012b7a447e59d4a704688971cbfa7dddaa74 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Wed, 29 Apr 2015 22:04:20 -0700
+Subject: [PATCH] Fix bug #69453 - don't try to cut empty string
+
+---
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug69453.phpt | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug69453.phpt
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index ca8eafc..d6d63e6 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -425,7 +425,7 @@ bail:
+ entry.filename_len = i;
+ entry.filename = pestrndup(hdr->name, i, myphar->is_persistent);
+ 
+- if (entry.filename[entry.filename_len - 1] == '/') {
++ if (i > 0 && entry.filename[entry.filename_len - 1] == '/') {
+ /* some tar programs store directories with trailing slash */
+ entry.filename[entry.filename_len - 1] = '\0';
+ entry.filename_len--;
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/bug71527.patch
+++ php5-5.3.10/debian/patches/bug71527.patch
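Review bot: `i > 0` bounds the read at `entry.filename[entry.filename_len - 1]`, but a one-byte name `"/"` still takes the branch and comes out as an empty string with `entry.filename_len == 0`, which is then presumably stored in the manifest under an empty key (the insertion is outside this hunk). Either treat `i == 1` with a slash as a corrupted entry, the way the CVE-2016-4343 patch in this same upload rejects a zero-length long name, or add `if (entry.filename_len == 0) { /* bail as corrupted */ }` right after the decrement. The surrounding function starts and ends outside the hunk.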
@@ -0,0 +1,62 @@ +Backport of: + +From fe13566c93f118a15a96320a546c7878fd0cfc5e Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Mon, 28 Mar 2016 00:45:19 +0200 +Subject: [PATCH] Fixed bug #71527 Buffer over-write in finfo_open with + malformed magic file + +The actual fix is applying the upstream patch from +https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36 +--- + ext/fileinfo/libmagic/funcs.c | 2 +- + ext/fileinfo/tests/bug71527.magic | 1 + + ext/fileinfo/tests/bug71527.phpt | 19 +++++++++++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/fileinfo/tests/bug71527.magic + create mode 100644 ext/fileinfo/tests/bug71527.phpt + +Index: php5-5.3.10/ext/fileinfo/tests/bug71527.magic +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/fileinfo/tests/bug71527.magic 2016-04-18 11:11:45.438619639 -0400 +@@ -0,0 +1 @@ ++>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +\ No newline at end of file +Index: php5-5.3.10/ext/fileinfo/tests/bug71527.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/fileinfo/tests/bug71527.phpt 2016-04-18 11:11:45.438619639 -0400 +@@ -0,0 +1,19 @@ ++--TEST-- ++Bug #71527 Buffer over-write in finfo_open with malformed magic file ++--SKIPIF-- ++ ++--EXPECTF-- ++Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. 
in %sbug71527.php on line %d ++ ++Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d ++bool(false) +Index: php5-5.3.10/ext/fileinfo/libmagic/funcs.c +=================================================================== +--- php5-5.3.10.orig/ext/fileinfo/libmagic/funcs.c 2016-04-18 11:11:44.602612094 -0400 ++++ php5-5.3.10/ext/fileinfo/libmagic/funcs.c 2016-04-18 11:12:12.286864306 -0400 +@@ -407,7 +407,7 @@ + size_t len; + + if (level >= ms->c.len) { +- len = (ms->c.len += 20) * sizeof(*ms->c.li); ++ len = (ms->c.len += 20 + level) * sizeof(*ms->c.li); + ms->c.li = (ms->c.li == NULL) ? emalloc(len) : erealloc(ms->c.li, len); + } + ms->c.li[level].got_match = 0; only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4643.patch +++ php5-5.3.10/debian/patches/CVE-2015-4643.patch @@ -0,0 +1,23 @@ +From 0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 May 2015 17:23:06 -0700 +Subject: [PATCH] improve fix for Bug #69545 + +--- + NEWS | 4 ++++ + ext/ftp/ftp.c | 2 -- + 2 files changed, 4 insertions(+), 2 deletions(-) + +Index: php5-5.3.10/ext/ftp/ftp.c +=================================================================== +--- php5-5.3.10.orig/ext/ftp/ftp.c 2015-06-26 13:49:16.165468095 -0400 ++++ php5-5.3.10/ext/ftp/ftp.c 2015-06-26 13:49:16.161468052 -0400 +@@ -1648,8 +1648,6 @@ + for (ptr = data->buf; rcvd; rcvd--, ptr++) { + if (*ptr == '\n' && lastch == '\r') { + lines++; +- } else { +- size++; + } + lastch = *ptr; + } only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-8838.patch +++ php5-5.3.10/debian/patches/CVE-2015-8838.patch 
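Review bot: The new growth expression `ms->c.len += 20 + level` is the entire fix and says nothing about why a fixed step was wrong: `level` is driven by the magic file's continuation depth and can exceed the old `c.len + 20` in a single jump, so the old increment left `ms->c.li[level]` past the end of the reallocated array. Suggest `/* grow past the requested level, not by a fixed step: nesting can jump by more than 20 at once */` above the assignment. The multiplication into `len` remains unchecked; with `level` bounded by the nesting a magic file can express that is unlikely to overflow, but it is worth a one-line note if `c.len` is a signed type (its declaration is outside the hunk). The function this sits in begins and ends outside the hunk.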
@@ -0,0 +1,63 @@ +Backport of: + +From 97aa752fee61fccdec361279adbfb17a3c60f3f4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Jul 2015 00:00:53 -0700 +Subject: [PATCH] Fix bug #69669 (mysqlnd is vulnerable to BACKRONYM) + +--- + ext/mysqlnd/mysqlnd.c | 65 +++++++++++++++++++++++++++++++-------------------- + 1 file changed, 40 insertions(+), 25 deletions(-) + +Index: php5-5.3.10/ext/mysqlnd/mysqlnd.c +=================================================================== +--- php5-5.3.10.orig/ext/mysqlnd/mysqlnd.c 2016-04-18 10:58:09.257808341 -0400 ++++ php5-5.3.10/ext/mysqlnd/mysqlnd.c 2016-04-18 10:58:09.257808341 -0400 +@@ -453,7 +453,7 @@ + } + + #ifdef MYSQLND_SSL_SUPPORTED +- if ((greet_packet->server_capabilities & CLIENT_SSL) && (mysql_flags & CLIENT_SSL)) { ++ if (mysql_flags & CLIENT_SSL) { + auth_packet->send_half_packet = TRUE; + } + #endif +@@ -489,20 +489,27 @@ + + #ifdef MYSQLND_SSL_SUPPORTED + if (auth_packet->send_half_packet) { +- zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE; +- DBG_INF("Switching to SSL"); +- +- conn->net->m.set_client_option(conn->net, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char *) &verify TSRMLS_CC); +- +- if (FAIL == conn->net->m.enable_ssl(conn->net TSRMLS_CC)) { +- goto err; +- } +- +- auth_packet->send_half_packet = FALSE; +- if (!PACKET_WRITE(auth_packet, conn)) { ++ zend_bool server_has_ssl = (greet_packet->server_capabilities & CLIENT_SSL)? TRUE:FALSE; ++ if (server_has_ssl == FALSE) { + CONN_SET_STATE(conn, CONN_QUIT_SENT); + SET_CLIENT_ERROR(conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone); + goto err; ++ } else { ++ zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 
TRUE:FALSE; ++ DBG_INF("Switching to SSL"); ++ ++ conn->net->m.set_client_option(conn->net, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char *) &verify TSRMLS_CC); ++ ++ if (FAIL == conn->net->m.enable_ssl(conn->net TSRMLS_CC)) { ++ goto err; ++ } ++ ++ auth_packet->send_half_packet = FALSE; ++ if (!PACKET_WRITE(auth_packet, conn)) { ++ CONN_SET_STATE(conn, CONN_QUIT_SENT); ++ SET_CLIENT_ERROR(conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone); ++ goto err; ++ } + } + } + #endif only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4024.patch +++ php5-5.3.10/debian/patches/CVE-2015-4024.patch 
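Review bot: The new `server_has_ssl == FALSE` branch reports `CR_SERVER_GONE_ERROR` with `mysqlnd_server_gone`, which tells an operator the server dropped the connection when what actually happened is that the client required TLS and the server advertised none — exactly the downgrade condition BACKRONYM relies on. A dedicated message at that point (a literal stating the server does not support SSL although the client requested it) would make a downgrade attempt visible in application logs instead of looking like an outage. Style-wise the `else` after `goto err` is redundant and adds a nesting level to the whole SSL block; dropping it would leave the switch-to-SSL code at the same indentation it had before. The function around this hunk starts and ends outside it.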
@@ -0,0 +1,96 @@ +Backport of: + +From 4605d536d23b00813d11cc906bb48d39bdcf5f25 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 9 May 2015 23:04:25 -0700 +Subject: [PATCH] Fixed bug #69364 - use smart_str to assemble strings + +--- + main/rfc1867.c | 51 +++++++++++++++++++++++++++------------------------ + 1 file changed, 27 insertions(+), 24 deletions(-) + +Index: php5-5.3.10/main/rfc1867.c +=================================================================== +--- php5-5.3.10.orig/main/rfc1867.c 2015-06-26 13:31:42.661564912 -0400 ++++ php5-5.3.10/main/rfc1867.c 2015-06-26 13:33:34.626843221 -0400 +@@ -33,6 +33,7 @@ + #include "php_variables.h" + #include "rfc1867.h" + #include "ext/standard/php_string.h" ++#include "ext/standard/php_smart_str.h" + + #define DEBUG_FILE_UPLOAD ZEND_DEBUG + +@@ -462,8 +463,9 @@ + static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC) + { + char *line; +- mime_header_entry prev_entry, entry; +- int prev_len, cur_len; ++ mime_header_entry entry = {0}; ++ smart_str buf_value = {0}; ++ char *key = NULL; + + /* didn't find boundary, abort */ + if (!find_boundary(self, self->boundary TSRMLS_CC)) { +@@ -475,7 +477,6 @@ + while( (line = get_line(self TSRMLS_CC)) && strlen(line) > 0 ) + { + /* add header to table */ +- char *key = line; + char *value = NULL; + + /* space in the beginning means same header */ +@@ -484,31 +485,33 @@ + } + + if (value) { +- *value = 0; +- do { value++; } while(isspace(*value)); +- +- entry.value = estrdup(value); +- entry.key = estrdup(key); +- +- } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */ +- +- prev_len = strlen(prev_entry.value); +- cur_len = strlen(line); ++ if(buf_value.c && key) { ++ /* new entry, add the old one to the list */ ++ smart_str_0(&buf_value); ++ entry.key = key; ++ entry.value = buf_value.c; ++ zend_llist_add_element(header, &entry); ++ buf_value.c = NULL; ++ key = NULL; ++ } + +- entry.value = 
emalloc(prev_len + cur_len + 1); +- memcpy(entry.value, prev_entry.value, prev_len); +- memcpy(entry.value + prev_len, line, cur_len); +- entry.value[cur_len + prev_len] = '\0'; +- +- entry.key = estrdup(prev_entry.key); ++ *value = '\0'; ++ do { value++; } while(isspace(*value)); + +- zend_llist_remove_tail(header); ++ key = estrdup(line); ++ smart_str_appends(&buf_value, value); ++ } else if (buf_value.c) { /* If no ':' on the line, add to previous line */ ++ smart_str_appends(&buf_value, line); + } else { + continue; + } +- ++ } ++ if(buf_value.c && key) { ++ /* add the last one to the list */ ++ smart_str_0(&buf_value); ++ entry.key = key; ++ entry.value = buf_value.c; + zend_llist_add_element(header, &entry); +- prev_entry = entry; + } + + return 1; only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/bug71906.patch +++ php5-5.3.10/debian/patches/bug71906.patch 
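Review bot: The ownership handoff in the flush block deserves a comment: `entry.value = buf_value.c; zend_llist_add_element(header, &entry); buf_value.c = NULL;` passes the smart_str buffer and `key` to the list instead of freeing them, so resetting the pointers is what prevents a double free — presumably the list destructor releases both, though that is outside the hunk. Suggest `/* the list now owns key and buf_value.c; reset rather than free */` above `buf_value.c = NULL;` in both flush sites. The retained `do { value++; } while(isspace(*value));` still passes a plain `char` to `isspace`, undefined for bytes >= 0x80 where `char` is signed; `isspace((unsigned char)*value)` is the safe form. The function's signature and `return 1;` are both in the hunk, but the stretches between the inner hunks are not.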
@@ -0,0 +1,49 @@ +From 64f42c73efc58e88671ad76b6b6bc8e2b62713e1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 28 Mar 2016 01:22:37 -0700 +Subject: [PATCH] Fixed bug #71906: AddressSanitizer: negative-size-param (-1) + in mbfl_strcut + +--- + ext/mbstring/libmbfl/mbfl/mbfilter.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +Index: php5-5.3.10/ext/mbstring/libmbfl/mbfl/mbfilter.c +=================================================================== +--- php5-5.3.10.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c 2016-04-18 11:15:06.188547806 -0400 ++++ php5-5.3.10/ext/mbstring/libmbfl/mbfl/mbfilter.c 2016-04-18 11:15:06.184547766 -0400 +@@ -1381,7 +1381,7 @@ + if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) { + from &= -2; + +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + +@@ -1390,14 +1390,14 @@ + } else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) { + from &= -4; + +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + + start = string->val + from; + end = start + (length & -4); + } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) { +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + +@@ -1419,7 +1419,7 @@ + start = p; + + /* search end position */ +- if ((start - string->val) + length >= (int)string->len) { ++ if (length >= (int)string->len - (start - string->val)) { + end = string->val + string->len; + } else { + for (q = p + length; p < q; p += (m = mbtab[*p])); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2016-2554.patch +++ php5-5.3.10/debian/patches/CVE-2016-2554.patch 
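Review bot: The rewritten conditions `length >= string->len - from` evaluate the right-hand side in the type of `string->len` (unsigned in libmbfl), so they are only correct if `from <= string->len` has already been established; if that guard sits earlier in mbfl_strcut (outside the hunk) the change is sound, otherwise `string->len - from` wraps and the clamp is skipped. The fourth site casts `(int)string->len` while the first three do not, so the four comparisons are not evaluated the same way — use one form throughout. A one-line comment such as `/* compare length against the remaining bytes so from + length cannot overflow */` would record why the arithmetic was rearranged.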
@@ -0,0 +1,79 @@ +Backport of: + +From 07c7df68bd68bbe706371fccc77c814ebb335d9e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 Jan 2016 19:37:56 -0800 +Subject: [PATCH] Fixed bug #71488: Stack overflow when decompressing tar + archives + +--- + ext/phar/tar.c | 22 ++++++++++++++++------ + ext/phar/tests/bug71488.phpt | 16 ++++++++++++++++ + ext/phar/tests/bug71488.tar | Bin 0 -> 10240 bytes + 3 files changed, 32 insertions(+), 6 deletions(-) + create mode 100644 ext/phar/tests/bug71488.phpt + create mode 100644 ext/phar/tests/bug71488.tar + +Index: php5-5.5.9+dfsg/ext/phar/tar.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/tar.c 2016-04-15 13:25:09.268858120 -0400 ++++ php5-5.5.9+dfsg/ext/phar/tar.c 2016-04-15 13:25:09.264858068 -0400 +@@ -192,6 +192,13 @@ + } + /* }}} */ + ++#if !HAVE_STRNLEN ++static size_t strnlen(const char *s, size_t maxlen) { ++ char *r = (char *)memchr(s, '\0', maxlen); ++ return r ? r-s : maxlen; ++} ++#endif ++ + int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */ + { + char buf[512], *actual_alias = NULL, *p; +@@ -201,6 +208,7 @@ + php_uint32 sum1, sum2, size, old; + phar_archive_data *myphar, **actual; + int last_was_longlink = 0; ++ int linkname_len; + + if (error) { + *error = NULL; +@@ -255,7 +263,7 @@ + size = entry.uncompressed_filesize = entry.compressed_filesize = + phar_tar_number(hdr->size, sizeof(hdr->size)); + +- if (((!old && hdr->prefix[0] == 0) || old) && strlen(hdr->name) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) { ++ if (((!old && hdr->prefix[0] == 0) || old) && strnlen(hdr->name, 100) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) { + off_t curloc; + + if (size > 511) 
{ +@@ -465,20 +473,22 @@ + } + + entry.link = NULL; +- ++ /* link field is null-terminated unless it has 100 non-null chars. ++ * Thus we can not use strlen. */ ++ linkname_len = strnlen(hdr->linkname, 100); + if (entry.tar_type == TAR_LINK) { +- if (!zend_hash_exists(&myphar->manifest, hdr->linkname, strlen(hdr->linkname))) { ++ if (!zend_hash_exists(&myphar->manifest, hdr->linkname, linkname_len)) { + if (error) { +- spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%s\"", fname, hdr->linkname); ++ spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%.*s\"", fname, linkname_len, hdr->linkname); + } + pefree(entry.filename, entry.is_persistent); + php_stream_close(fp); + phar_destroy_phar_data(myphar TSRMLS_CC); + return FAILURE; + } +- entry.link = estrdup(hdr->linkname); ++ entry.link = estrndup(hdr->linkname, linkname_len); + } else if (entry.tar_type == TAR_SYMLINK) { +- entry.link = estrdup(hdr->linkname); ++ entry.link = estrndup(hdr->linkname, linkname_len); + } + phar_set_inode(&entry TSRMLS_CC); + zend_hash_add(&myphar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), (void **) &newentry); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4025.patch +++ php5-5.3.10/debian/patches/CVE-2015-4025.patch 
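Review bot: `strnlen(hdr->name, 100)` and `strnlen(hdr->linkname, 100)` hard-code the ustar field width; if `hdr->name` and `hdr->linkname` are fixed-size arrays in the tar header struct, `sizeof(hdr->linkname)` ties the bound to the declaration so it cannot drift. `linkname_len` is declared `int` and receives a `size_t`; harmless at <= 100 and convenient for the `%.*s` precision, but an explicit `(int)` at the assignment shows the narrowing is intended. In the fallback `strnlen`, `const char *r = memchr(...)` avoids the `(char *)` cast that drops the qualifier. The Index lines name `php5-5.5.9+dfsg/ext/phar/tar.c` rather than the 5.3.10 tree; quilt tolerates that at -p1, but correcting it avoids misreading the backport's origin.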
@@ -0,0 +1,50 @@ +Description: fix more missing file path null byte checks +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=be9b2a95adb504abd5acdc092d770444ad6f6854 +Bug: https://bugs.php.net/bug.php?id=69418 + +Index: php5-5.3.10/ext/pcntl/pcntl.c +=================================================================== +--- php5-5.3.10.orig/ext/pcntl/pcntl.c 2015-06-30 13:45:39.840977383 -0400 ++++ php5-5.3.10/ext/pcntl/pcntl.c 2015-06-30 13:45:39.836977338 -0400 +@@ -758,6 +758,11 @@ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|aa", &path, &path_len, &args, &envs) == FAILURE) { + return; + } ++ ++ /* No nulls allowed in paths */ ++ if (strlen(path) != path_len) { ++ RETURN_FALSE; ++ } + + if (ZEND_NUM_ARGS() > 1) { + /* Build argumnent list */ +Index: php5-5.3.10/ext/standard/dir.c +=================================================================== +--- php5-5.3.10.orig/ext/standard/dir.c 2015-06-30 13:45:39.840977383 -0400 ++++ php5-5.3.10/ext/standard/dir.c 2015-06-30 13:46:01.477222183 -0400 +@@ -219,6 +219,11 @@ + RETURN_NULL(); + } + ++ /* No nulls allowed in paths */ ++ if (strlen(dirname) != dir_len) { ++ RETURN_FALSE; ++ } ++ + context = php_stream_context_from_zval(zcontext, 0); + + dirp = php_stream_opendir(dirname, ENFORCE_SAFE_MODE|REPORT_ERRORS, context); +@@ -293,7 +298,12 @@ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) { + RETURN_FALSE; + } +- ++ ++ /* No nulls allowed in paths */ ++ if (strlen(str) != str_len) { ++ RETURN_FALSE; ++ } ++ + ret = chroot(str); + if (ret != 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2016-4539.patch +++ php5-5.3.10/debian/patches/CVE-2016-4539.patch 
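Review bot: The three new null-byte checks spell the test out as `strlen(x) != x_len` while the CVE-2015-4598 patch in this same upload uses `CHECK_NULL_PATH(source, source_len)` for the identical purpose; if that macro is available in this tree, using it here keeps the rule in one place. In pcntl_exec the rejected call returns FALSE with no diagnostic, unlike the document.c sites that emit an E_WARNING; a `php_error_docref(NULL TSRMLS_CC, E_WARNING, ...)` naming the rejected argument would tell the script author why the call failed. The parameter parsing before each check and the rest of each function are outside the hunk.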
@@ -0,0 +1,49 @@ +Backport of: + +From dccda88f27a084bcbbb30198ace12b4e7ae961cc Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 24 Apr 2016 23:50:57 -0700 +Subject: [PATCH] Fix bug #72099: xml_parse_into_struct segmentation fault + +--- + ext/xml/tests/bug72099.phpt | 17 +++++++ + ext/xml/xml.c | 106 ++++++++++++++++++++++---------------------- + 2 files changed, 70 insertions(+), 53 deletions(-) + create mode 100644 ext/xml/tests/bug72099.phpt + +Index: php5-5.3.10/ext/xml/tests/bug72099.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/xml/tests/bug72099.phpt 2016-05-19 12:48:54.775040151 -0400 +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72099: xml_parse_into_struct segmentation fault ++--SKIPIF-- ++ ++--FILE-- ++level <= XML_MAXLEVEL) { ++ if (parser->level <= XML_MAXLEVEL && parser->level > 0) { + MAKE_STD_ZVAL(tag); + + array_init(tag); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2016-3142.patch +++ php5-5.3.10/debian/patches/CVE-2016-3142.patch 
@@ -0,0 +1,27 @@
+From a6fdc5bb27b20d889de0cd29318b3968aabb57bd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 21 Feb 2016 16:51:05 -0800
+Subject: [PATCH] Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()
+
+---
+ ext/phar/tests/bug71488.phpt | 1 +
+ ext/phar/tests/bug71498.phpt | 17 +++++++++++++++++
+ ext/phar/tests/bug71498.zip | Bin 0 -> 65677 bytes
+ ext/phar/zip.c | 6 +++---
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug71498.phpt
+ create mode 100644 ext/phar/tests/bug71498.zip
+
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index e4883d3..7f294c2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -199,7 +199,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ }
+ 
+ while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
+- if (!memcmp(p + 1, "K\5\6", 3)) {
++ if ((p - buf) + sizeof(locator) <= size && !memcmp(p + 1, "K\5\6", 3)) {
+ memcpy((void *)&locator, (void *) p, sizeof(locator));
+ if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) {
+ /* split archives not handled */
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2016-4343.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4343.patch
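Review bot: The new bound `(p - buf) + sizeof(locator) <= size` is right but terse: it has to cover the whole end-of-central-directory record that the following `memcpy(... sizeof(locator))` reads, not just the 4-byte signature that `memcmp(p + 1, "K\5\6", 3)` checks, and its position before the `&&` is what keeps the memcmp itself in bounds. Suggest `/* the full locator must lie within buf before it is read, not just the 4-byte signature */` above the `if`. `p - buf` is `ptrdiff_t` and `sizeof` is `size_t`, so the left side is promoted to unsigned; that is fine while `p >= buf`, which the loop guarantees, but a `(size_t)` cast on `(p - buf)` states it, as the memchr argument already does. phar_parse_zipfile continues outside the hunk.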
@@ -0,0 +1,51 @@ +Backport of: + +From 4c2424eb24b0178456acc404dbfff528cdc44197 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 14 Jan 2016 22:58:40 -0800 +Subject: [PATCH] Fixed bug #71331 - Uninitialized pointer in + phar_make_dirstream() + +--- + ext/phar/dirstream.c | 3 ++- + ext/phar/tar.c | 2 +- + ext/phar/tests/bug71331.phpt | 15 +++++++++++++++ + ext/phar/tests/bug71331.tar | Bin 0 -> 2560 bytes + 4 files changed, 18 insertions(+), 2 deletions(-) + create mode 100644 ext/phar/tests/bug71331.phpt + create mode 100644 ext/phar/tests/bug71331.tar + +Index: php5-5.3.10/ext/phar/dirstream.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/dirstream.c 2016-05-19 12:47:41.614061459 -0400 ++++ php5-5.3.10/ext/phar/dirstream.c 2016-05-19 12:48:12.358472574 -0400 +@@ -211,6 +211,7 @@ + zend_hash_internal_pointer_reset(manifest); + + while (FAILURE != zend_hash_has_more_elements(manifest)) { ++ keylen = 0; + if (HASH_KEY_NON_EXISTANT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) { + break; + } +@@ -218,7 +219,7 @@ + PHAR_STR(key, str_key); + + if (keylen <= (uint)dirlen) { +- if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { ++ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { + PHAR_STR_FREE(str_key); + if (SUCCESS != zend_hash_move_forward(manifest)) { + break; +Index: php5-5.3.10/ext/phar/tar.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/tar.c 2016-05-19 12:47:41.614061459 -0400 ++++ php5-5.3.10/ext/phar/tar.c 2016-05-19 12:47:41.606061352 -0400 +@@ -347,7 +347,7 @@ + entry.filename_len = entry.uncompressed_filesize; + + /* Check for overflow - bug 61065 */ +- if (entry.filename_len == UINT_MAX) { ++ if (entry.filename_len == UINT_MAX || entry.filename_len == 0) { + if (error) { + spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); 
+ } only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2016-4537.patch +++ php5-5.3.10/debian/patches/CVE-2016-4537.patch 
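Review bot: The `keylen = 0;` added at the top of the loop in dirstream.c is the actual fix and should say why: `zend_hash_get_current_key_ex` presumably writes `keylen` only for string keys, so on an integer key the old value was whatever the previous iteration left and `str_key` was never assigned — the uninitialized pointer from the bug title. Suggest `/* keylen is only set for string keys; clear it so integer keys take the keylen == 0 skip below */`. The tar.c change rejecting `entry.filename_len == 0` on the long-name path is consistent with that, but the regular-name path in tar.c can still yield a zero-length name from a bare `/` (see the CVE-2015-4021 hunk). Both functions begin and end outside the hunk.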
@@ -0,0 +1,139 @@ +From d650063a0457aec56364e4005a636dc6c401f9cd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 24 Apr 2016 18:33:32 -0700 +Subject: [PATCH] Fix bug #72093: bcpowmod accepts negative scale and corrupts + _one_ definition + +We can not modify result since it can be copy of _zero_ or _one_, etc. and +"copy" in bcmath is just bumping the refcount. +--- + ext/bcmath/bcmath.c | 60 +++++++++++++++++++++++++++++------------- + ext/bcmath/tests/bug72093.phpt | 13 +++++++++ + main/php_version.h | 6 ++--- + 3 files changed, 57 insertions(+), 22 deletions(-) + create mode 100644 ext/bcmath/tests/bug72093.phpt + +diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c +index 02177e4..dd69115 100644 +--- a/ext/bcmath/bcmath.c ++++ b/ext/bcmath/bcmath.c +@@ -201,6 +201,21 @@ static void php_str2num(bc_num *num, char *str TSRMLS_DC) + } + /* }}} */ + ++/* {{{ split_bc_num ++ Convert to bc_num detecting scale */ ++static bc_num split_bc_num(bc_num num) { ++ bc_num newnum; ++ if (num->n_refs >= 1) { ++ return num; ++ } ++ newnum = _bc_new_num_ex(0, 0, 0); ++ *newnum = *num; ++ newnum->n_refs = 1; ++ num->n_refs--; ++ return newnum; ++} ++/* }}} */ ++ + /* {{{ proto string bcadd(string left_operand, string right_operand [, int scale]) + Returns the sum of two arbitrary precision numbers */ + PHP_FUNCTION(bcadd) +@@ -225,11 +240,12 @@ PHP_FUNCTION(bcadd) + php_str2num(&first, left TSRMLS_CC); + php_str2num(&second, right TSRMLS_CC); + bc_add (first, second, &result, scale); +- ++ + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } +- ++ + Z_STRVAL_P(return_value) = bc_num2str(result); + Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); + Z_TYPE_P(return_value) = IS_STRING; +@@ -266,6 +282,7 @@ PHP_FUNCTION(bcsub) + bc_sub (first, second, &result, scale); + + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + +@@ -305,6 +322,7 @@ PHP_FUNCTION(bcmul) + 
bc_multiply (first, second, &result, scale TSRMLS_CC); + + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + +@@ -345,6 +363,7 @@ PHP_FUNCTION(bcdiv) + switch (bc_divide(first, second, &result, scale TSRMLS_CC)) { + case 0: /* OK */ + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + Z_STRVAL_P(return_value) = bc_num2str(result); +@@ -424,8 +443,9 @@ PHP_FUNCTION(bcpowmod) + scale_int = (int) ((int)scale < 0) ? 0 : scale; + + if (bc_raisemod(first, second, mod, &result, scale_int TSRMLS_CC) != -1) { +- if (result->n_scale > scale) { +- result->n_scale = scale; ++ if (result->n_scale > scale_int) { ++ result = split_bc_num(result); ++ result->n_scale = scale_int; + } + Z_STRVAL_P(return_value) = bc_num2str(result); + Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); +@@ -468,6 +488,7 @@ PHP_FUNCTION(bcpow) + bc_raise (first, second, &result, scale TSRMLS_CC); + + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + +@@ -494,16 +515,17 @@ PHP_FUNCTION(bcsqrt) + if (zend_parse_parameters(argc TSRMLS_CC, "s|l", &left, &left_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 2) { + scale = (int) ((int)scale_param < 0) ? 
0 : scale_param; + } + + bc_init_num(&result TSRMLS_CC); + php_str2num(&result, left TSRMLS_CC); +- ++ + if (bc_sqrt (&result, scale TSRMLS_CC) != 0) { + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + Z_STRVAL_P(return_value) = bc_num2str(result); +diff --git a/ext/bcmath/tests/bug72093.phpt b/ext/bcmath/tests/bug72093.phpt +new file mode 100644 +index 0000000..be664b8 +--- /dev/null ++++ b/ext/bcmath/tests/bug72093.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug 72093: bcpowmod accepts negative scale and corrupts _one_ definition ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++string(1) "1" ++bc math warning: non-zero scale in exponent ++string(3) "0.0" only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-2783-memleak.patch +++ php5-5.3.10/debian/patches/CVE-2015-2783-memleak.patch @@ -0,0 +1,21 @@ +From cee97220285fd7b955a58617b3e0300ec104ed87 Mon Sep 17 00:00:00 2001 +From: Dmitry Stogov +Date: Tue, 14 Apr 2015 15:47:26 +0300 +Subject: [PATCH] Fixed recently introduced memory leak + +--- + ext/phar/phar.c | 1 + + 1 file changed, 1 insertion(+) + +Index: php5-5.3.10/ext/phar/phar.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar.c 2015-06-26 13:24:33.544687742 -0400 ++++ php5-5.3.10/ext/phar/phar.c 2015-06-26 13:24:33.540687697 -0400 +@@ -1113,6 +1113,7 @@ + entry.metadata_len = 0; + } + if (len > endbuffer - buffer) { ++ pefree(entry.filename, entry.is_persistent); + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4598.patch +++ php5-5.3.10/debian/patches/CVE-2015-4598.patch 
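Review bot: `split_bc_num` never splits: `if (num->n_refs >= 1) return num;` holds for every live number if, as bcmath's allocator does, `_bc_new_num_ex` starts `n_refs` at 1, so every `result = split_bc_num(result); result->n_scale = ...;` site added here still truncates in place and a shared `_one_`/`_zero_` is still modified — the `scale_int` clamp in bcpowmod is the only thing actually protecting them. The copy branch is also wrong for the case it is meant for: `*newnum = *num` aliases the digit buffer, leaks the one `_bc_new_num_ex` just allocated, and leaves two owners of the same storage. The test should be `<= 1` and the copy a deep one, as below; the bcadd/bcsub/bcmul/bcdiv/bcpow/bcsqrt call sites in the hunk need no change once the helper is right.
```c
static bc_num split_bc_num(bc_num num) {
	bc_num newnum;
	if (num->n_refs <= 1) {
		/* sole owner: adjusting n_scale in place cannot affect anyone else */
		return num;
	}
	/* shared (possibly _zero_/_one_): hand the caller a private deep copy */
	newnum = _bc_new_num_ex(num->n_len, num->n_scale, 0);
	newnum->n_sign = num->n_sign;
	memcpy(newnum->n_value, num->n_value, num->n_len + num->n_scale);
	num->n_refs--;
	return newnum;
}
```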
@@ -0,0 +1,81 @@ +Description: fix more missing file path null byte checks +Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e +Bug: https://bugs.php.net/bug.php?id=69719 + +Index: php5-5.3.10/ext/dom/document.c +=================================================================== +--- php5-5.3.10.orig/ext/dom/document.c 2015-07-02 09:10:00.448550930 -0400 ++++ php5-5.3.10/ext/dom/document.c 2015-07-02 09:10:00.444550887 -0400 +@@ -1762,6 +1762,11 @@ + RETURN_FALSE; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(file) != file_len) { ++ RETURN_FALSE; ++ } ++ + DOM_GET_OBJ(docp, id, xmlDocPtr, intern); + + /* encoding handled by property on doc */ +@@ -1995,6 +2000,10 @@ + + switch (type) { + case DOM_LOAD_FILE: ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); ++ RETURN_FALSE; ++ } + valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (!valid_file) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); +@@ -2084,6 +2093,10 @@ + + switch (type) { + case DOM_LOAD_FILE: ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); ++ RETURN_FALSE; ++ } + valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + if (!valid_file) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); +@@ -2173,6 +2186,10 @@ + } + + if (mode == DOM_LOAD_FILE) { ++ if (CHECK_NULL_PATH(source, source_len)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source"); ++ RETURN_FALSE; ++ } + ctxt = htmlCreateFileParserCtxt(source, NULL); + } else { + source_len = xmlStrlen(source); +@@ -2266,6 +2283,11 @@ + RETURN_FALSE; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(file) != file_len) { ++ RETURN_FALSE; ++ } ++ + DOM_GET_OBJ(docp, id, xmlDocPtr, intern); + + +Index: 
php5-5.3.10/ext/gd/gd.c +=================================================================== +--- php5-5.3.10.orig/ext/gd/gd.c 2015-07-02 09:10:00.448550930 -0400 ++++ php5-5.3.10/ext/gd/gd.c 2015-07-02 09:10:00.448550930 -0400 +@@ -4040,6 +4040,11 @@ + return; + } + ++ /* No nulls allowed in paths */ ++ if (strlen(file) != file_len) { ++ RETURN_FALSE; ++ } ++ + #ifdef PHP_WIN32 + if (VCWD_STAT(file, &st) < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Font file not found (%s)", file); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-5589-2.patch +++ php5-5.3.10/debian/patches/CVE-2015-5589-2.patch 
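Review bot: The null-byte checks are inconsistent across this patch: the document.c hunks at 1762 and 2266 and the gd.c hunk at 4040 use a bare `strlen(file) != file_len` and `RETURN_FALSE` silently, while the hunks at 2000, 2093 and 2186 go through `CHECK_NULL_PATH(source, source_len)` and emit an E_WARNING. A caller of the silent variants cannot distinguish a rejected path from an ordinary failure; writing them as `if (CHECK_NULL_PATH(file, file_len)) {` with the same `php_error_docref(NULL TSRMLS_CC, E_WARNING, ...)` pattern as the other hunks makes the rejection uniform and diagnosable. Every enclosing function starts and ends outside its hunk, so earlier validation of `file` could not be checked.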
@@ -0,0 +1,64 @@ +Backport of: + +From 885edfef0a0eb1016a906d197399f92375a795e4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 6 Jul 2015 22:58:28 -0700 +Subject: [PATCH] Better fix for bug #69958 + +--- + ext/phar/phar_object.c | 22 +++++++++++++--------- + ext/phar/tests/bug69958.phpt | 2 ++ + 2 files changed, 15 insertions(+), 9 deletions(-) + +Index: php5-5.3.10/ext/phar/phar_object.c +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar_object.c 2015-09-29 12:28:51.042007869 -0400 ++++ php5-5.3.10/ext/phar/phar_object.c 2015-09-29 12:29:33.853733262 -0400 +@@ -2199,9 +2199,10 @@ + } + /* }}} */ + +-static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool compress TSRMLS_DC) /* {{{ */ ++static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool compress TSRMLS_DC) /* {{{ */ + { + char *oldname = NULL, *oldpath = NULL; ++ phar_archive_data *phar = *sphar; + char *basename = NULL, *basepath = NULL; + char *newname = NULL, *newpath = NULL; + zval *ret, arg1; +@@ -2308,6 +2309,7 @@ + phar->fp = NULL; + phar_destroy_phar_data(phar TSRMLS_CC); + phar = *pphar; ++ *sphar = NULL; + phar->refcount++; + newpath = oldpath; + goto its_ok; +@@ -2518,17 +2520,19 @@ + phar_add_virtual_dirs(phar, newentry.filename, newentry.filename_len TSRMLS_CC); + } + +- if ((ret = phar_rename_archive(phar, ext, 0 TSRMLS_CC))) { ++ if ((ret = phar_rename_archive(&phar, ext, 0 TSRMLS_CC))) { + return ret; + } else { +- zend_hash_destroy(&(phar->manifest)); +- zend_hash_destroy(&(phar->mounted_dirs)); +- zend_hash_destroy(&(phar->virtual_dirs)); +- if (phar->fp) { +- php_stream_close(phar->fp); ++ if(phar != NULL) { ++ zend_hash_destroy(&(phar->manifest)); ++ zend_hash_destroy(&(phar->mounted_dirs)); ++ zend_hash_destroy(&(phar->virtual_dirs)); ++ if (phar->fp) { ++ php_stream_close(phar->fp); ++ } ++ efree(phar->fname); ++ efree(phar); + } +- efree(phar->fname); +- efree(phar); + 
return NULL; + } + } only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/bug70014.patch +++ php5-5.3.10/debian/patches/bug70014.patch @@ -0,0 +1,42 @@ +Backport of: + +From 16023f3e3b9c06cf677c3c980e8d574e4c162827 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 26 Jul 2015 17:43:16 -0700 +Subject: [PATCH] Fix bug #70014 - use RAND_bytes instead of deprecated + RAND_pseudo_bytes + +--- + ext/openssl/openssl.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +Index: php5-5.3.10/ext/openssl/openssl.c +=================================================================== +--- php5-5.3.10.orig/ext/openssl/openssl.c 2016-04-18 11:02:07.544751805 -0400 ++++ php5-5.3.10/ext/openssl/openssl.c 2016-04-18 11:03:41.161667300 -0400 +@@ -4986,7 +4986,6 @@ + long buffer_length; + unsigned char *buffer = NULL; + zval *zstrong_result_returned = NULL; +- int strong_result = 0; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l|z", &buffer_length, &zstrong_result_returned) == FAILURE) { + return; +@@ -5003,7 +5002,7 @@ + + buffer = emalloc(buffer_length + 1); + +- if ((strong_result = RAND_pseudo_bytes(buffer, buffer_length)) < 0) { ++ if (RAND_bytes(buffer, buffer_length) <= 0) { + efree(buffer); + RETURN_FALSE; + } +@@ -5012,7 +5011,7 @@ + RETVAL_STRINGL((char *)buffer, buffer_length, 0); + + if (zstrong_result_returned) { +- ZVAL_BOOL(zstrong_result_returned, strong_result); ++ ZVAL_BOOL(zstrong_result_returned, 1); + } + } + /* }}} */ only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-4022.patch +++ php5-5.3.10/debian/patches/CVE-2015-4022.patch 
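Review bot: The new `phar_archive_data **sphar` contract of `phar_rename_archive` is undocumented: the hunk at 2309 sets `*sphar = NULL` on the path that destroys the caller's archive and adopts the already-open one, and the caller's `if(phar != NULL)` branch in the hunk at 2520 is the only hint of it. A comment above the signature, `/* *sphar is set to NULL when the archive it points to was destroyed and replaced by an already-open one; the caller must not use it afterwards. */`, would make the aliasing explicit. `if(phar != NULL) {` also lacks the space after `if` used elsewhere in the hunk. The body of phar_rename_archive between the two hunks is outside the view, so other early-return paths that might also need `*sphar = NULL` could not be checked.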
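Review bot: `RAND_bytes(buffer, buffer_length)` takes an `int` length while `buffer_length` is declared `long` in the first hunk; the range check on `buffer_length` lies between the two openssl.c hunks and is outside the view, so confirm it rejects values above INT_MAX before the implicit narrowing. The `<= 0` test treats both the 0 (failure) and -1 (not supported) returns of RAND_bytes as failure, but the error path discards the OpenSSL error queue; a `php_error_docref(NULL TSRMLS_CC, E_WARNING, ...)` before `RETURN_FALSE` would tell the caller why no bytes came back. Hard-coding `ZVAL_BOOL(zstrong_result_returned, 1);` is correct only because the failure branch returns first; a comment `/* RAND_bytes either fails or returns CSPRNG output, so success is always "strong" */` would record that dependency.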
@@ -0,0 +1,267 @@ +From ac2832935435556dc593784cd0087b5e576bbe4d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 29 Apr 2015 21:57:33 -0700 +Subject: [PATCH] Fix bug #69545 - avoid overflow when reading list + +--- + ext/ftp/ftp.c | 82 +++++++++++++++++++++++++++++------------------------------ + 1 file changed, 41 insertions(+), 41 deletions(-) + +Index: php5-5.3.10/ext/ftp/ftp.c +=================================================================== +--- php5-5.3.10.orig/ext/ftp/ftp.c 2015-06-26 13:30:49.868962981 -0400 ++++ php5-5.3.10/ext/ftp/ftp.c 2015-06-26 13:30:49.868962981 -0400 +@@ -183,9 +183,9 @@ + if (ftp->ssl_active) { + SSL_shutdown(ftp->ssl_handle); + } +-#endif ++#endif + closesocket(ftp->fd); +- } ++ } + ftp_gc(ftp); + efree(ftp); + return NULL; +@@ -256,7 +256,7 @@ + if (!ftp_getresp(ftp)) { + return 0; + } +- ++ + if (ftp->resp != 234) { + if (!ftp_putcmd(ftp, "AUTH", "SSL")) { + return 0; +@@ -264,7 +264,7 @@ + if (!ftp_getresp(ftp)) { + return 0; + } +- ++ + if (ftp->resp != 334) { + return 0; + } else { +@@ -272,7 +272,7 @@ + ftp->use_ssl_for_data = 1; + } + } +- ++ + ctx = SSL_CTX_new(SSLv23_client_method()); + if (ctx == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create the SSL context"); +@@ -315,8 +315,8 @@ + if (!ftp_getresp(ftp)) { + return 0; + } +- +- ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299); ++ ++ ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299); + } + } + #endif +@@ -350,7 +350,7 @@ + { + if (ftp == NULL) { + return 0; +- } ++ } + + ftp_gc(ftp); + +@@ -385,7 +385,7 @@ + if (!ftp_putcmd(ftp, "SYST", NULL)) { + return NULL; + } +- if (!ftp_getresp(ftp) || ftp->resp != 215) { ++ if (!ftp_getresp(ftp) || ftp->resp != 215) { + return NULL; + } + syst = ftp->inbuf; +@@ -421,14 +421,14 @@ + if (!ftp_putcmd(ftp, "PWD", NULL)) { + return NULL; + } +- if (!ftp_getresp(ftp) || ftp->resp != 257) { ++ if (!ftp_getresp(ftp) || ftp->resp != 257) { + return NULL; + } + /* copy out 
the pwd from response */ +- if ((pwd = strchr(ftp->inbuf, '"')) == NULL) { ++ if ((pwd = strchr(ftp->inbuf, '"')) == NULL) { + return NULL; + } +- if ((end = strrchr(++pwd, '"')) == NULL) { ++ if ((end = strrchr(++pwd, '"')) == NULL) { + return NULL; + } + ftp->pwd = estrndup(pwd, end - pwd); +@@ -598,7 +598,7 @@ + if (!ftp_getresp(ftp) || ftp->resp != 200) { + return 0; + } +- ++ + return 1; + } + /* }}} */ +@@ -632,7 +632,7 @@ + return 0; + } + +- return 1; ++ return 1; + } + /* }}} */ + +@@ -664,7 +664,7 @@ + if (ftp == NULL) { + return 0; + } +- if (type == ftp->type) { ++ if (type == ftp->type) { + return 1; + } + if (type == FTPTYPE_ASCII) { +@@ -755,7 +755,7 @@ + if (!ftp_putcmd(ftp, "PASV", NULL)) { + return 0; + } +- if (!ftp_getresp(ftp) || ftp->resp != 227) { ++ if (!ftp_getresp(ftp) || ftp->resp != 227) { + return 0; + } + /* parse out the IP and port */ +@@ -798,7 +798,7 @@ + if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { + goto bail; + } +- ++ + ftp->data = data; + + if (resumepos > 0) { +@@ -896,7 +896,7 @@ + if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { + goto bail; + } +- ftp->data = data; ++ ftp->data = data; + + if (startpos > 0) { + if (startpos > 2147483647) { +@@ -1101,7 +1101,7 @@ + + if (strpbrk(cmd, "\r\n")) { + return 0; +- } ++ } + /* build the output buffer */ + if (args && args[0]) { + /* "cmd args\r\n\0" */ +@@ -1249,7 +1249,7 @@ + #if HAVE_OPENSSL_EXT + if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) { + sent = SSL_write(ftp->ssl_handle, buf, size); +- } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { ++ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { + sent = SSL_write(ftp->data->ssl_handle, buf, size); + } else { + #endif +@@ -1289,14 +1289,14 @@ + #if HAVE_OPENSSL_EXT + if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) { + nr_bytes = SSL_read(ftp->ssl_handle, buf, len); +- } else if (ftp->use_ssl && ftp->fd != s && 
ftp->use_ssl_for_data && ftp->data->ssl_active) { ++ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { + nr_bytes = SSL_read(ftp->data->ssl_handle, buf, len); + } else { + #endif + nr_bytes = recv(s, buf, len, 0); + #if HAVE_OPENSSL_EXT + } +-#endif ++#endif + return (nr_bytes); + } + /* }}} */ +@@ -1512,7 +1512,7 @@ + + data_accepted: + #if HAVE_OPENSSL_EXT +- ++ + /* now enable ssl if we need to */ + if (ftp->use_ssl && ftp->use_ssl_for_data) { + ctx = SSL_CTX_new(SSLv23_client_method()); +@@ -1566,18 +1566,18 @@ + SSL_shutdown(data->ssl_handle); + data->ssl_active = 0; + } +-#endif ++#endif + closesocket(data->listener); +- } ++ } + if (data->fd != -1) { + #if HAVE_OPENSSL_EXT + if (data->ssl_active) { + SSL_shutdown(data->ssl_handle); + data->ssl_active = 0; + } +-#endif ++#endif + closesocket(data->fd); +- } ++ } + if (ftp) { + ftp->data = NULL; + } +@@ -1595,8 +1595,8 @@ + databuf_t *data = NULL; + char *ptr; + int ch, lastch; +- int size, rcvd; +- int lines; ++ size_t size, rcvd; ++ size_t lines; + char **ret = NULL; + char **entry; + char *text; +@@ -1614,7 +1614,7 @@ + if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { + goto bail; + } +- ftp->data = data; ++ ftp->data = data; + + if (!ftp_putcmd(ftp, cmd, path)) { + goto bail; +@@ -1638,7 +1638,7 @@ + lines = 0; + lastch = 0; + while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) { +- if (rcvd == -1) { ++ if (rcvd == -1 || rcvd > ((size_t)(-1))-size) { + goto bail; + } + +@@ -1854,7 +1854,7 @@ + if (!ftp_getresp(ftp) || (ftp->resp != 150 && ftp->resp != 125)) { + goto bail; + } +- if ((data = data_accept(data, ftp TSRMLS_CC)) == NULL) { ++ if ((data = data_accept(data, ftp TSRMLS_CC)) == NULL) { + goto bail; + } + ftp->data = data; +@@ -1910,7 +1910,7 @@ + goto bail; + } + ftp->data = data_close(ftp, ftp->data); +- ++ + if (!ftp_getresp(ftp) || (ftp->resp != 226 && ftp->resp != 250)) { + goto bail; + } only in patch2: unchanged: --- 
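Review bot: In the ftp_genlist hunk at 1595 `rcvd` becomes `size_t` while `my_recv` (hunk at 1289) still returns an `int`, so the `rcvd == -1` test in the hunk at 1638 relies on the implicit conversion of -1 to SIZE_MAX; it works, but it is the signed/unsigned mix that `-Wsign-compare` and `-Wconversion` flag and is easy to break later. Keeping an `int` result and converting only after the check, e.g. `int nr = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE); if (nr < 0 || (size_t)nr > ((size_t)(-1)) - size) goto bail; rcvd = (size_t)nr;`, states the intent. Most of the remaining hunks only strip trailing whitespace, which buries the two substantive changes; a whitespace-only cleanup belongs in a separate patch. The function continues past the hunk, so the later use of `size` and `lines` for allocation is not visible.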
php5-5.3.10.orig/debian/patches/CVE-2016-3141.patch +++ php5-5.3.10/debian/patches/CVE-2016-3141.patch 
@@ -0,0 +1,113 @@ +From b1bd4119bcafab6f9a8f84d92cd65eec3afeface Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 14 Feb 2016 22:34:39 -0800 +Subject: [PATCH] Fixed bug #71587 - Use-After-Free / Double-Free in WDDX + Deserialize + +--- + ext/wddx/tests/bug71587.phpt | 43 +++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 19 +++++++++++++++---- + 2 files changed, 58 insertions(+), 4 deletions(-) + create mode 100644 ext/wddx/tests/bug71587.phpt + +Index: php5-5.5.9+dfsg/ext/wddx/tests/bug71587.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.5.9+dfsg/ext/wddx/tests/bug71587.phpt 2016-04-15 13:25:55.489442998 -0400 +@@ -0,0 +1,43 @@ ++--TEST-- ++Bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize) ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ manhluat ++ ++ ++ ++ ++ ++EOF; ++ ++$wddx = wddx_deserialize($xml); ++var_dump($wddx); ++// Print mem leak ++foreach($wddx as $k=>$v) ++ printf("Key: %s\nValue: %s\n",bin2hex($k),bin2hex($v)); ++ ++?> ++DONE ++--EXPECTF-- ++array(2) { ++ [0]=> ++ string(8) "manhluat" ++ [1]=> ++ bool(true) ++} ++Key: 30 ++Value: 6d616e686c756174 ++Key: 31 ++Value: 31 ++DONE +Index: php5-5.5.9+dfsg/ext/wddx/wddx.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/wddx/wddx.c 2016-04-15 13:25:55.493443048 -0400 ++++ php5-5.5.9+dfsg/ext/wddx/wddx.c 2016-04-15 13:25:55.493443048 -0400 +@@ -933,6 +933,16 @@ + !strcmp(name, EL_DATETIME)) { + wddx_stack_top(stack, (void**)&ent1); + ++ if (!ent1->data) { ++ if (stack->top > 1) { ++ stack->top--; ++ } else { ++ stack->done = 1; ++ } ++ efree(ent1); ++ return; ++ } ++ + if (!strcmp(name, EL_BINARY)) { + int new_len=0; + unsigned char *new_str; +@@ -1028,6 +1038,7 @@ + } + } else if (!strcmp(name, EL_VAR) && stack->varname) { + efree(stack->varname); ++ stack->varname = NULL; + } else if (!strcmp(name, EL_FIELD)) { + st_entry *ent; + 
wddx_stack_top(stack, (void **)&ent); +@@ -1047,7 +1058,7 @@ + + if (!wddx_stack_is_empty(stack) && !stack->done) { + wddx_stack_top(stack, (void**)&ent); +- switch (Z_TYPE_P(ent)) { ++ switch (ent->type) { + case ST_STRING: + if (Z_STRLEN_P(ent->data) == 0) { + STR_FREE(Z_STRVAL_P(ent->data)); +@@ -1086,11 +1097,11 @@ + } else if (!strcmp(s, "false")) { + Z_LVAL_P(ent->data) = 0; + } else { +- stack->top--; + zval_ptr_dtor(&ent->data); +- if (ent->varname) ++ if (ent->varname) { + efree(ent->varname); +- efree(ent); ++ } ++ ent->data = NULL; + } + break; + only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2016-4542.patch +++ php5-5.3.10/debian/patches/CVE-2016-4542.patch 
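Review bot: In the wddx.c hunk at 1097 `ent->varname` is freed but, unlike `ent->data` two lines later and unlike `stack->varname` in the hunk at 1038, it is not reset to NULL; the entry stays on the stack with `data == NULL` and a dangling `varname`, and the new early-exit block at 933 tests only `data`. Adding `ent->varname = NULL;` after the `efree(ent->varname);` keeps the entry in a consistent state for any later reader of it (the element-end handler is visible only in part). The `switch (ent->type)` correction in the hunk at 1058 is a separate defect and deserves its own line in the patch description.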
@@ -0,0 +1,75 @@ +Backport of: + +From 082aecfc3a753ad03be82cf14f03ac065723ec92 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 24 Apr 2016 19:33:52 -0700 +Subject: [PATCH] Fix bug #72094 - Out of bounds heap read access in exif + header processing + +--- + ext/exif/exif.c | 17 ++++++++++-- + ext/exif/tests/bug72094.phpt | 61 ++++++++++++++++++++++++++++++++++++++++++ + ext/exif/tests/bug72094_1.jpg | Bin 0 -> 140 bytes + ext/exif/tests/bug72094_2.jpg | Bin 0 -> 140 bytes + ext/exif/tests/bug72094_3.jpg | Bin 0 -> 112 bytes + ext/exif/tests/bug72094_4.jpg | Bin 0 -> 32 bytes + 6 files changed, 76 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug72094.phpt + create mode 100644 ext/exif/tests/bug72094_1.jpg + create mode 100644 ext/exif/tests/bug72094_2.jpg + create mode 100644 ext/exif/tests/bug72094_3.jpg + create mode 100644 ext/exif/tests/bug72094_4.jpg + +Index: php5-5.3.10/ext/exif/exif.c +=================================================================== +--- php5-5.3.10.orig/ext/exif/exif.c 2016-05-19 12:52:28.589907636 -0400 ++++ php5-5.3.10/ext/exif/exif.c 2016-05-19 12:52:28.577907475 -0400 +@@ -2981,8 +2981,8 @@ + if (lengthCopyrightPhotographer = estrdup(value_ptr); +- ImageInfo->CopyrightEditor = estrdup(value_ptr+length+1); +- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1); ++ ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1); ++ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor); + /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */ + /* but we are not supposed to change this */ + /* keep in mind that image_info does not store editor value */ +@@ -3151,6 +3151,11 @@ + + ImageInfo->sections_found |= FOUND_IFD0; + ++ if ((dir_start + 2) >= (offset_base+IFDlength)) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size"); ++ return FALSE; ++ } ++ + 
NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel); + + if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) { +@@ -3174,6 +3179,10 @@ + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ ++ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size"); ++ return FALSE; ++ } + NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel); + if (NextDirOffset) { + /* the next line seems false but here IFDlength means length of all IFDs */ +@@ -3223,9 +3232,13 @@ + } + + /* Check the next two values for correctness. */ ++ if (length < 8) { ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); ++ return; ++ } + exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel); + offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel); +- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) { ++ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); + return; + } only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2015-8835.patch +++ php5-5.3.10/debian/patches/CVE-2015-8835.patch 
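Review bot: The two new IFD bound checks in the exif.c hunks at 3151 and 3179 use `>=` (`(dir_start + 2) >= (offset_base+IFDlength)` and `(dir_start+2+12*de + 4) >= (offset_base+IFDlength)`), while the pre-existing check right below, `(dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)`, uses `>`; a 2- or 4-byte read that ends exactly at the buffer end is valid yet rejected by the new form. That is over-strict rather than unsafe, so if it is deliberate a comment such as `/* >= on purpose: refuse a count/next-offset field that ends at the buffer boundary */` would stop a later reader from "fixing" it. The `length < 8` check in the hunk at 3232 matches the bytes read at CharBuf+2 and CharBuf+4. The guard condition of the copyright hunk at 2981 is not fully readable here, so the `byte_count-length-1` length passed to `estrndup` could not be checked against it.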
@@ -0,0 +1,37 @@ +From c96d08b27226193dd51f2b50e84272235c6aaa69 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 26 Jul 2015 16:44:18 -0700 +Subject: [PATCH] Fix bug #70081: check types for SOAP variables + +--- + ext/soap/php_http.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +Index: php5-5.3.10/ext/soap/php_http.c +=================================================================== +--- php5-5.3.10.orig/ext/soap/php_http.c 2016-04-18 10:57:21.217225941 -0400 ++++ php5-5.3.10/ext/soap/php_http.c 2016-04-18 10:57:21.213225893 -0400 +@@ -683,18 +683,21 @@ + zend_hash_internal_pointer_reset(Z_ARRVAL_PP(cookies)); + smart_str_append_const(&soap_headers, "Cookie: "); + for (i = 0; i < n; i++) { ++ ulong numindx; ++ int res = zend_hash_get_current_key(Z_ARRVAL_PP(cookies), &key, &numindx, FALSE); + zend_hash_get_current_data(Z_ARRVAL_PP(cookies), (void **)&data); +- zend_hash_get_current_key(Z_ARRVAL_PP(cookies), &key, NULL, FALSE); + +- if (Z_TYPE_PP(data) == IS_ARRAY) { ++ if (res == HASH_KEY_IS_STRING && Z_TYPE_PP(data) == IS_ARRAY) { + zval** value; + + if (zend_hash_index_find(Z_ARRVAL_PP(data), 0, (void**)&value) == SUCCESS && + Z_TYPE_PP(value) == IS_STRING) { + zval **tmp; + if ((zend_hash_index_find(Z_ARRVAL_PP(data), 1, (void**)&tmp) == FAILURE || ++ Z_TYPE_PP(tmp) != IS_STRING || + strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_PP(tmp),Z_STRLEN_PP(tmp)) == 0) && + (zend_hash_index_find(Z_ARRVAL_PP(data), 2, (void**)&tmp) == FAILURE || ++ Z_TYPE_PP(tmp) != IS_STRING || + in_domain(phpurl->host,Z_STRVAL_PP(tmp))) && + (use_ssl || zend_hash_index_find(Z_ARRVAL_PP(data), 3, (void**)&tmp) == FAILURE)) { + smart_str_appendl(&soap_headers, key, strlen(key)); only in patch2: unchanged: --- php5-5.3.10.orig/debian/patches/CVE-2016-4540.patch +++ php5-5.3.10/debian/patches/CVE-2016-4540.patch 
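Review bot: The return value of `zend_hash_get_current_data(Z_ARRVAL_PP(cookies), (void **)&data);` in the php_http.c hunk is still unchecked, so `data` is only valid if the iteration position is guaranteed by the `i < n` bound computed outside the hunk; an `if (zend_hash_get_current_data(Z_ARRVAL_PP(cookies), (void **)&data) != SUCCESS) { break; }` in the style of the new `res` check for the key would make the loop self-contained. The `res == HASH_KEY_IS_STRING` condition silently drops integer-keyed entries; a one-line comment `/* integer-keyed entries are not cookies; skip them */` would document that this is intended rather than an oversight. The added `Z_TYPE_PP(tmp) != IS_STRING` checks cover elements 1 and 2; element 3 is only tested for presence, which is consistent with its use as a flag. The loop's pointer advance and `n` are outside the hunk.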
@@ -0,0 +1,80 @@ +Backport of: + +From fd9689745c44341b1bd6af4756f324be8abba2fb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 24 Apr 2016 12:49:01 -0700 +Subject: [PATCH] Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos + with negative offset + +--- + ext/intl/grapheme/grapheme_string.c | 12 +++++++----- + ext/intl/tests/bug72061.phpt | 15 +++++++++++++++ + 2 files changed, 22 insertions(+), 5 deletions(-) + create mode 100644 ext/intl/tests/bug72061.phpt + +Index: php5-5.3.10/ext/intl/grapheme/grapheme_string.c +=================================================================== +--- php5-5.3.10.orig/ext/intl/grapheme/grapheme_string.c 2016-05-19 12:49:07.103205195 -0400 ++++ php5-5.3.10/ext/intl/grapheme/grapheme_string.c 2016-05-19 12:49:36.859603713 -0400 +@@ -112,7 +112,7 @@ + int haystack_len, needle_len; + unsigned char *found; + long loffset = 0; +- int32_t offset = 0; ++ int32_t offset = 0, noffset = 0; + int ret_pos, uchar_pos; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", (char **)&haystack, &haystack_len, (char **)&needle, &needle_len, &loffset) == FAILURE) { +@@ -132,6 +132,7 @@ + + /* we checked that it will fit: */ + offset = (int32_t) loffset; ++ noffset = offset >= 0 ? 
offset : haystack_len + offset; + + /* the offset is 'grapheme count offset' so it still might be invalid - we'll check it later */ + +@@ -146,7 +147,7 @@ + /* quick check to see if the string might be there + * I realize that 'offset' is 'grapheme count offset' but will work in spite of that + */ +- found = (unsigned char *)php_memnstr((char *)haystack + offset, (char *)needle, needle_len, (char *)haystack + haystack_len); ++ found = (unsigned char *)php_memnstr((char *)haystack + noffset, (char *)needle, needle_len, (char *)haystack + haystack_len); + + /* if it isn't there the we are done */ + if (!found) { +@@ -214,12 +215,13 @@ + is_ascii = ( grapheme_ascii_check(haystack, haystack_len) >= 0 ); + + if ( is_ascii ) { ++ int32_t noffset = offset >= 0 ? offset : haystack_len + offset; + needle_dup = (unsigned char *)estrndup((char *)needle, needle_len); + php_strtolower((char *)needle_dup, needle_len); + haystack_dup = (unsigned char *)estrndup((char *)haystack, haystack_len); + php_strtolower((char *)haystack_dup, haystack_len); + +- found = (unsigned char*) php_memnstr((char *)haystack_dup + offset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len); ++ found = (unsigned char*) php_memnstr((char *)haystack_dup + noffset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len); + + efree(haystack_dup); + efree(needle_dup); +Index: php5-5.3.10/ext/intl/tests/bug72061.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.3.10/ext/intl/tests/bug72061.phpt 2016-05-19 12:49:07.099205142 -0400 +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #72061: Out-of-bounds reads in zif_grapheme_stripos with negative offset ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECT-- ++int(65336) ++int(65336) ++DONE +\ No newline at end of file
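Review bot: `noffset = offset >= 0 ? offset : haystack_len + offset;` in the grapheme_string.c hunks at 132 and 215 is only safe if `offset` has already been range-checked against `haystack_len`; the `/* we checked that it will fit: */` comment visible above refers to the int32 narrowing, and the range check itself is outside the hunk, so confirm it rejects `-offset > haystack_len` before `php_memnstr` is pointed at `haystack + noffset`. A comment on the new line, `/* offset was range-checked above; a negative value counts back from the end */`, would tie the two checks together for the next reader. The same ternary is duplicated in the second hunk and could share one helper, but that is cosmetic. Both enclosing functions continue outside their hunks.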