diff -u php5-5.3.10/debian/changelog php5-5.3.10/debian/changelog
--- php5-5.3.10/debian/changelog
+++ php5-5.3.10/debian/changelog
@@ -1,3 +1,40 @@
+php5 (5.3.10-1ubuntu3.23) precise-security; urgency=medium
+
+ * SECURITY UPDATE: heap corruption in tar/zip/phar parser
+ - debian/patches/CVE-2016-4342.patch: remove UMR when size is 0 in
+ ext/phar/phar_object.c.
+ - CVE-2016-4342
+ * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
+ - debian/patches/CVE-2016-4343.patch: check lengths in
+ ext/phar/dirstream.c, ext/phar/tar.c.
+ - CVE-2016-4343
+ * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_
+ definition
+ - debian/patches/CVE-2016-4537.patch: properly detect scale in
+ ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt.
+ - CVE-2016-4537
+ - CVE-2016-4538
+ * SECURITY UPDATE: xml_parse_into_struct segmentation fault
+ - debian/patches/CVE-2016-4539.patch: check parser->level in
+ ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt.
+ - CVE-2016-4539
+ * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and
+ zif_grapheme_strpos with negative offset
+ - debian/patches/CVE-2016-4540.patch: check bounds in
+ ext/intl/grapheme/grapheme_string.c, added test to
+ ext/intl/tests/bug72061.phpt.
+ - CVE-2016-4540
+ - CVE-2016-4541
+ * SECURITY UPDATE: out of bounds heap read access in exif header
+ processing
+ - debian/patches/CVE-2016-4542.patch: check sizes and length in
+ ext/exif/exif.c.
+ - CVE-2016-4542
+ - CVE-2016-4543
+ - CVE-2016-4544
+
+ -- Marc Deslauriers Thu, 19 May 2016 12:54:58 -0400
+
 php5 (5.3.10-1ubuntu3.22) precise-security; urgency=medium

 * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
diff -u php5-5.3.10/debian/patches/series php5-5.3.10/debian/patches/series
--- php5-5.3.10/debian/patches/series
+++ php5-5.3.10/debian/patches/series
@@ -149,0 +150,6 @@
+CVE-2016-4342.patch
+CVE-2016-4343.patch
+CVE-2016-4537.patch
+CVE-2016-4539.patch
+CVE-2016-4540.patch
+CVE-2016-4542.patch
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2016-4342.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4342.patch
@@ -0,0 +1,27 @@
+Backport of:
+
+From 13ad4d3e971807f9a58ab5933182907dc2958539 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Wed, 13 Jan 2016 16:32:29 -0800
+Subject: [PATCH] Fix bug #71354 - remove UMR when size is 0
+
+---
+ ext/phar/phar_object.c | 1 +
+ ext/phar/tests/bug71354.phpt | 13 +++++++++++++
+ ext/phar/tests/bug71354.tar | Bin 0 -> 1536 bytes
+ 3 files changed, 14 insertions(+)
+ create mode 100644 ext/phar/tests/bug71354.phpt
+ create mode 100644 ext/phar/tests/bug71354.tar
+
+Index: php5-5.3.10/ext/phar/phar_object.c
+===================================================================
+--- php5-5.3.10.orig/ext/phar/phar_object.c 2016-05-19 12:46:08.276814815 -0400
++++ php5-5.3.10/ext/phar/phar_object.c 2016-05-19 12:47:10.901651008 -0400
+@@ -5165,6 +5165,7 @@
+
+ phar_seek_efp(link, 0, SEEK_SET, 0, 0 TSRMLS_CC);
+ Z_TYPE_P(return_value) = IS_STRING;
++ Z_STRVAL_P(return_value) = NULL;
+ #if PHP_MAJOR_VERSION >= 6
+ Z_STRLEN_P(return_value) = php_stream_copy_to_mem(fp, (void **) &(Z_STRVAL_P(return_value)), link->uncompressed_filesize, 0);
+ #else
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2016-4539.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4539.patch
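Review bot: The added `Z_STRVAL_P(return_value) = NULL;` in phar_object.c carries no explanation, and the reason is not visible at the call site: the commit subject says the fix removes an uninitialized memory read when the entry size is 0, which implies `php_stream_copy_to_mem()` does not assign the output pointer when it copies nothing, so a comment such as `/* bug #71354: nothing is assigned to the pointer below when the entry is empty, so start from NULL */` should sit above the new line. The backport also drops the regression test that the upstream diffstat lists (`ext/phar/tests/bug71354.phpt` and `bug71354.tar`); the same omission applies to CVE-2016-4343.patch (bug71331 test and tar) and CVE-2016-4542.patch (bug72094 phpt and jpg fixtures) further down, so if binary fixtures cannot be carried in the quilt series a line under `Backport of:` saying so would save the next rebase from re-checking. The enclosing function in phar_object.c starts and ends outside the hunk.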
@@ -0,0 +1,49 @@
+Backport of:
+
+From dccda88f27a084bcbbb30198ace12b4e7ae961cc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 24 Apr 2016 23:50:57 -0700
+Subject: [PATCH] Fix bug #72099: xml_parse_into_struct segmentation fault
+
+---
+ ext/xml/tests/bug72099.phpt | 17 +++++++
+ ext/xml/xml.c | 106 ++++++++++++++++++++++----------------------
+ 2 files changed, 70 insertions(+), 53 deletions(-)
+ create mode 100644 ext/xml/tests/bug72099.phpt
+
+Index: php5-5.3.10/ext/xml/tests/bug72099.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php5-5.3.10/ext/xml/tests/bug72099.phpt 2016-05-19 12:48:54.775040151 -0400
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #72099: xml_parse_into_struct segmentation fault
++--SKIPIF--
++
++--FILE--
++level <= XML_MAXLEVEL) {
++ if (parser->level <= XML_MAXLEVEL && parser->level > 0) {
+ MAKE_STD_ZVAL(tag);
+
+ array_init(tag);
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2016-4343.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4343.patch
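Review bot: The backported xml.c change is a single guard, `parser->level <= XML_MAXLEVEL && parser->level > 0`, while the upstream diffstat kept in the header reports a 106-line rework of `ext/xml/xml.c`, so a reader comparing against commit dccda88f will assume hunks went missing. The patch should record the decision under `Backport of:`, e.g. `Only the parser->level > 0 guard is taken; the upstream restructuring of the tag-start handling is not carried to 5.3.10.`, together with the reasoning for treating the guard alone as enough to stop the crash. The guard's effect on a level-0 tag (the element is simply not recorded) is also worth a one-line comment at the `if`, since nothing nearby says why level 0 is skipped. The enclosing handler starts and ends outside the hunk.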
@@ -0,0 +1,51 @@
+Backport of:
+
+From 4c2424eb24b0178456acc404dbfff528cdc44197 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Thu, 14 Jan 2016 22:58:40 -0800
+Subject: [PATCH] Fixed bug #71331 - Uninitialized pointer in
+ phar_make_dirstream()
+
+---
+ ext/phar/dirstream.c | 3 ++-
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug71331.phpt | 15 +++++++++++++++
+ ext/phar/tests/bug71331.tar | Bin 0 -> 2560 bytes
+ 4 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug71331.phpt
+ create mode 100644 ext/phar/tests/bug71331.tar
+
+Index: php5-5.3.10/ext/phar/dirstream.c
+===================================================================
+--- php5-5.3.10.orig/ext/phar/dirstream.c 2016-05-19 12:47:41.614061459 -0400
++++ php5-5.3.10/ext/phar/dirstream.c 2016-05-19 12:48:12.358472574 -0400
+@@ -211,6 +211,7 @@
+ zend_hash_internal_pointer_reset(manifest);
+
+ while (FAILURE != zend_hash_has_more_elements(manifest)) {
++ keylen = 0;
+ if (HASH_KEY_NON_EXISTANT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
+ break;
+ }
+@@ -218,7 +219,7 @@
+ PHAR_STR(key, str_key);
+
+ if (keylen <= (uint)dirlen) {
+- if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
++ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
+ PHAR_STR_FREE(str_key);
+ if (SUCCESS != zend_hash_move_forward(manifest)) {
+ break;
+Index: php5-5.3.10/ext/phar/tar.c
+===================================================================
+--- php5-5.3.10.orig/ext/phar/tar.c 2016-05-19 12:47:41.614061459 -0400
++++ php5-5.3.10/ext/phar/tar.c 2016-05-19 12:47:41.606061352 -0400
+@@ -347,7 +347,7 @@
+ entry.filename_len = entry.uncompressed_filesize;
+
+ /* Check for overflow - bug 61065 */
+- if (entry.filename_len == UINT_MAX) {
++ if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
+ if (error) {
+ spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
+ }
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2016-4537.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4537.patch
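Review bot: The tar.c condition now rejects `entry.filename_len == 0` as well, but the comment above it still reads `/* Check for overflow - bug 61065 */`, so half of the test is undocumented; change it to `/* Check for overflow (bug 61065) and for an empty entry name (bug 71331) */`. In dirstream.c the new `keylen = 0;` reset and the `keylen == 0 ||` skip are paired without a word on why `keylen` can be left unset: `zend_hash_get_current_key_ex` presumably does not write the length for a non-string key, and a comment at the reset such as `/* keylen is only written for string keys; a 0 length below means "skip this entry" */` would make the pairing visible. Note the two files treat the same zero-length case differently (tar.c reports a corrupted archive, dirstream.c silently moves on); if that is intended, say so at one of the two sites. Both enclosing functions start and end outside their hunks.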
@@ -0,0 +1,139 @@
+From d650063a0457aec56364e4005a636dc6c401f9cd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 24 Apr 2016 18:33:32 -0700
+Subject: [PATCH] Fix bug #72093: bcpowmod accepts negative scale and corrupts
+ _one_ definition
+
+We can not modify result since it can be copy of _zero_ or _one_, etc. and
+"copy" in bcmath is just bumping the refcount.
+---
+ ext/bcmath/bcmath.c | 60 +++++++++++++++++++++++++++++------------
+ ext/bcmath/tests/bug72093.phpt | 13 +++++++++
+ main/php_version.h | 6 ++---
+ 3 files changed, 57 insertions(+), 22 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug72093.phpt
+
+diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c
+index 02177e4..dd69115 100644
+--- a/ext/bcmath/bcmath.c
++++ b/ext/bcmath/bcmath.c
+@@ -201,6 +201,21 @@ static void php_str2num(bc_num *num, char *str TSRMLS_DC)
+ }
+ /* }}} */
+
++/* {{{ split_bc_num
++ Convert to bc_num detecting scale */
++static bc_num split_bc_num(bc_num num) {
++ bc_num newnum;
++ if (num->n_refs >= 1) {
++ return num;
++ }
++ newnum = _bc_new_num_ex(0, 0, 0);
++ *newnum = *num;
++ newnum->n_refs = 1;
++ num->n_refs--;
++ return newnum;
++}
++/* }}} */
++
+ /* {{{ proto string bcadd(string left_operand, string right_operand [, int scale])
+ Returns the sum of two arbitrary precision numbers */
+ PHP_FUNCTION(bcadd)
+@@ -225,11 +240,12 @@ PHP_FUNCTION(bcadd)
+ php_str2num(&first, left TSRMLS_CC);
+ php_str2num(&second, right TSRMLS_CC);
+ bc_add (first, second, &result, scale);
+-
++
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+-
++
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+ Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value));
+ Z_TYPE_P(return_value) = IS_STRING;
+@@ -266,6 +282,7 @@ PHP_FUNCTION(bcsub)
+ bc_sub (first, second, &result, scale);
+
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+
+@@ -305,6 +322,7 @@ PHP_FUNCTION(bcmul)
+ bc_multiply (first, second, &result, scale TSRMLS_CC);
+
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+
+@@ -345,6 +363,7 @@ PHP_FUNCTION(bcdiv)
+ switch (bc_divide(first, second, &result, scale TSRMLS_CC)) {
+ case 0: /* OK */
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+@@ -424,8 +443,9 @@ PHP_FUNCTION(bcpowmod)
+ scale_int = (int) ((int)scale < 0) ? 0 : scale;
+
+ if (bc_raisemod(first, second, mod, &result, scale_int TSRMLS_CC) != -1) {
+- if (result->n_scale > scale) {
+- result->n_scale = scale;
++ if (result->n_scale > scale_int) {
++ result = split_bc_num(result);
++ result->n_scale = scale_int;
+ }
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+ Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value));
+@@ -468,6 +488,7 @@ PHP_FUNCTION(bcpow)
+ bc_raise (first, second, &result, scale TSRMLS_CC);
+
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+
+@@ -494,16 +515,17 @@ PHP_FUNCTION(bcsqrt)
+ if (zend_parse_parameters(argc TSRMLS_CC, "s|l", &left, &left_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 2) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+
+ bc_init_num(&result TSRMLS_CC);
+ php_str2num(&result, left TSRMLS_CC);
+-
++
+ if (bc_sqrt (&result, scale TSRMLS_CC) != 0) {
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+diff --git a/ext/bcmath/tests/bug72093.phpt b/ext/bcmath/tests/bug72093.phpt
+new file mode 100644
+index 0000000..be664b8
+--- /dev/null
++++ b/ext/bcmath/tests/bug72093.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug 72093: bcpowmod accepts negative scale and corrupts _one_ definition
++--SKIPIF--
++
++--FILE--
++
++--EXPECTF--
++string(1) "1"
++bc math warning: non-zero scale in exponent
++string(3) "0.0"
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2016-4542.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4542.patch
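Review bot: `split_bc_num()` returns its argument whenever `num->n_refs >= 1`; if `n_refs` is the reference count that the commit message says a bcmath "copy" merely bumps, that holds for every live number, so the copy-on-write tail of the helper is never reached and `result->n_scale = scale` in bcadd/bcsub/bcmul/bcdiv/bcpow/bcsqrt still writes through to a shared `_zero_`/`_one_`. The guard that matches the stated intent is `if (num->n_refs <= 1) { return num; }` — an unshared number may be modified in place, a shared one gets the private copy. The bcpowmod hunk is safe regardless because it now compares against `scale_int`, which the line above clamps to be non-negative, so the reported crash is closed even if the helper is a no-op. The header comment `Convert to bc_num detecting scale` does not describe the function either; `/* {{{ split_bc_num: return num unchanged if it is unshared, else a private copy so the caller may lower n_scale without touching _zero_/_one_ */` would. The helper is complete within its hunk; the PHP_FUNCTION bodies it is called from start and end outside theirs.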
@@ -0,0 +1,75 @@
+Backport of:
+
+From 082aecfc3a753ad03be82cf14f03ac065723ec92 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 24 Apr 2016 19:33:52 -0700
+Subject: [PATCH] Fix bug #72094 - Out of bounds heap read access in exif
+ header processing
+
+---
+ ext/exif/exif.c | 17 ++++++++++--
+ ext/exif/tests/bug72094.phpt | 61 ++++++++++++++++++++++++++++++++++++++++++
+ ext/exif/tests/bug72094_1.jpg | Bin 0 -> 140 bytes
+ ext/exif/tests/bug72094_2.jpg | Bin 0 -> 140 bytes
+ ext/exif/tests/bug72094_3.jpg | Bin 0 -> 112 bytes
+ ext/exif/tests/bug72094_4.jpg | Bin 0 -> 32 bytes
+ 6 files changed, 76 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug72094.phpt
+ create mode 100644 ext/exif/tests/bug72094_1.jpg
+ create mode 100644 ext/exif/tests/bug72094_2.jpg
+ create mode 100644 ext/exif/tests/bug72094_3.jpg
+ create mode 100644 ext/exif/tests/bug72094_4.jpg
+
+Index: php5-5.3.10/ext/exif/exif.c
+===================================================================
+--- php5-5.3.10.orig/ext/exif/exif.c 2016-05-19 12:52:28.589907636 -0400
++++ php5-5.3.10/ext/exif/exif.c 2016-05-19 12:52:28.577907475 -0400
+@@ -2981,8 +2981,8 @@
+ if (lengthCopyrightPhotographer = estrdup(value_ptr);
+- ImageInfo->CopyrightEditor = estrdup(value_ptr+length+1);
+- spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
++ ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
++ spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
+ /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
+ /* but we are not supposed to change this */
+ /* keep in mind that image_info does not store editor value */
+@@ -3151,6 +3151,11 @@
+
+ ImageInfo->sections_found |= FOUND_IFD0;
+
++ if ((dir_start + 2) >= (offset_base+IFDlength)) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
++ return FALSE;
++ }
++
+ NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
+
+ if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
+@@ -3174,6 +3179,10 @@
+ * Hack to make it process IDF1 I hope
+ * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
+ */
++ if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
++ return FALSE;
++ }
+ NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
+ if (NextDirOffset) {
+ /* the next line seems false but here IFDlength means length of all IFDs */
+@@ -3223,9 +3232,13 @@
+ }
+
+ /* Check the next two values for correctness. */
++ if (length < 8) {
++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
++ return;
++ }
+ exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
+ offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
+- if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
++ if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+ return;
+ }
only in patch2: unchanged:
--- php5-5.3.10.orig/debian/patches/CVE-2016-4540.patch
+++ php5-5.3.10/debian/patches/CVE-2016-4540.patch
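Review bot: The new bound `(dir_start+2+12*de + 4) >= (offset_base+IFDlength)` is one byte stricter than the read it protects: `php_ifd_get32u` at `dir_start+2+12*de` touches bytes `[p, p+4)`, which only requires `p + 4 <= end`, so an IFD whose next-IFD offset field ends exactly at `offset_base+IFDlength` is now reported as "Illegal IFD size"; the `(dir_start + 2) >= …` guard above `NumDirEntries` has the same slack for the 2-byte count. If the extra byte is deliberate it needs a comment at both sites, e.g. `/* > would be exact for the 4-byte read; >= keeps one byte of slack on purpose */`, otherwise `>` is the precise test that matches the existing `(dir_start+2+NumDirEntries*12) > …` check. The `length < 8` guard in the last hunk does match its reads exactly (2 bytes at `CharBuf+2`, 4 bytes at `CharBuf+4`). The `if` condition of the Copyright hunk is not fully legible here and is not reviewed; all enclosing functions start and end outside their hunks.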
@@ -0,0 +1,80 @@
+Backport of:
+
+From fd9689745c44341b1bd6af4756f324be8abba2fb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 24 Apr 2016 12:49:01 -0700
+Subject: [PATCH] Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos
+ with negative offset
+
+---
+ ext/intl/grapheme/grapheme_string.c | 12 +++++++-----
+ ext/intl/tests/bug72061.phpt | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+ create mode 100644 ext/intl/tests/bug72061.phpt
+
+Index: php5-5.3.10/ext/intl/grapheme/grapheme_string.c
+===================================================================
+--- php5-5.3.10.orig/ext/intl/grapheme/grapheme_string.c 2016-05-19 12:49:07.103205195 -0400
++++ php5-5.3.10/ext/intl/grapheme/grapheme_string.c 2016-05-19 12:49:36.859603713 -0400
+@@ -112,7 +112,7 @@
+ int haystack_len, needle_len;
+ unsigned char *found;
+ long loffset = 0;
+- int32_t offset = 0;
++ int32_t offset = 0, noffset = 0;
+ int ret_pos, uchar_pos;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", (char **)&haystack, &haystack_len, (char **)&needle, &needle_len, &loffset) == FAILURE) {
+@@ -132,6 +132,7 @@
+
+ /* we checked that it will fit: */
+ offset = (int32_t) loffset;
++ noffset = offset >= 0 ? offset : haystack_len + offset;
+
+ /* the offset is 'grapheme count offset' so it still might be invalid - we'll check it later */
+
+@@ -146,7 +147,7 @@
+ /* quick check to see if the string might be there
+ * I realize that 'offset' is 'grapheme count offset' but will work in spite of that
+ */
+- found = (unsigned char *)php_memnstr((char *)haystack + offset, (char *)needle, needle_len, (char *)haystack + haystack_len);
++ found = (unsigned char *)php_memnstr((char *)haystack + noffset, (char *)needle, needle_len, (char *)haystack + haystack_len);
+
+ /* if it isn't there the we are done */
+ if (!found) {
+@@ -214,12 +215,13 @@
+ is_ascii = ( grapheme_ascii_check(haystack, haystack_len) >= 0 );
+
+ if ( is_ascii ) {
++ int32_t noffset = offset >= 0 ? offset : haystack_len + offset;
+ needle_dup = (unsigned char *)estrndup((char *)needle, needle_len);
+ php_strtolower((char *)needle_dup, needle_len);
+ haystack_dup = (unsigned char *)estrndup((char *)haystack, haystack_len);
+ php_strtolower((char *)haystack_dup, haystack_len);
+
+- found = (unsigned char*) php_memnstr((char *)haystack_dup + offset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len);
++ found = (unsigned char*) php_memnstr((char *)haystack_dup + noffset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len);
+
+ efree(haystack_dup);
+ efree(needle_dup);
+Index: php5-5.3.10/ext/intl/tests/bug72061.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php5-5.3.10/ext/intl/tests/bug72061.phpt 2016-05-19 12:49:07.099205142 -0400
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #72061: Out-of-bounds reads in zif_grapheme_stripos with negative offset
++--SKIPIF--
++
++--FILE--
++
++DONE
++--EXPECT--
++int(65336)
++int(65336)
++DONE
+\ No newline at end of file
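Review bot: `noffset = offset >= 0 ? offset : haystack_len + offset;` only yields a pointer inside the haystack when `-offset <= haystack_len`, and nothing in this hunk establishes that; the context comment `we checked that it will fit:` points at a range check above the hunk that presumably also rejects offsets below `-haystack_len`, so the new line should state that dependency rather than leave it implicit, e.g. `/* a negative offset counts from the end; the range check above guarantees -offset <= haystack_len, so noffset >= 0 */`. The same comment belongs on the block-local `int32_t noffset` in the `is_ascii` branch of the stripos hunk, which repeats the expression instead of sharing it with the first function. In both calls `php_memnstr` still receives `haystack + haystack_len` as the end pointer, so the upper bound of the scan is unchanged; only the lower bound rests on the earlier check. Both enclosing functions start and end outside their hunks.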