diff -u php5-5.4.6/debian/changelog php5-5.4.6/debian/changelog
--- php5-5.4.6/debian/changelog
+++ php5-5.4.6/debian/changelog
@@ -1,3 +1,13 @@
+php5 (5.4.6-1ubuntu1.8) quantal-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
+ PE executable
+ - debian/patches/CVE-2014-2270.patch: check bounds in
+ ext/fileinfo/libmagic/softmagic.c.
+ - CVE-2014-2270
+
+ -- Marc Deslauriers Thu, 03 Apr 2014 15:18:45 -0400
+
 php5 (5.4.6-1ubuntu1.7) quantal-security; urgency=medium
 * SECURITY UPDATE: denial of service via crafted indirect offset value
diff -u php5-5.4.6/debian/patches/series php5-5.4.6/debian/patches/series
--- php5-5.4.6/debian/patches/series
+++ php5-5.4.6/debian/patches/series
@@ -69,0 +70 @@
+CVE-2014-2270.patch
only in patch2: unchanged:
--- php5-5.4.6.orig/debian/patches/CVE-2014-2270.patch
+++ php5-5.4.6/debian/patches/CVE-2014-2270.patch
@@ -0,0 +1,160 @@
+Backport of:
+
+From: Remi Collet
+Date: Tue, 4 Mar 2014 19:32:52 +0000 (+0100)
+Subject: Fixed Bug #66820 out-of-bounds memory access in fileinfo
+X-Git-Tag: php-5.4.27RC1~14
+X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=a33759fd275b32ed0bbe89796fe2953b3cb0b41f
+
+Fixed Bug #66820 out-of-bounds memory access in fileinfo
+
+Upstream fix:
+https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
+
+Notice, test changed, with upstream agreement:
+-define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
++define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
+---
+
+Index: php5-5.4.6/ext/fileinfo/libmagic/softmagic.c
+===================================================================
+--- php5-5.4.6.orig/ext/fileinfo/libmagic/softmagic.c 2014-04-03 15:18:05.450297282 -0400
++++ php5-5.4.6/ext/fileinfo/libmagic/softmagic.c 2014-04-03 15:18:05.450297282 -0400
+@@ -65,6 +65,8 @@
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
++
+ /*
+ * softmagic - lookup one file in parsed, in-memory copy of database
+ * Passed the name and FILE * of one file to be typed.
+@@ -1056,7 +1058,7 @@
+ }
+ switch (m->in_type) {
+ case FILE_BYTE:
+- if (nbytes < (offset + 1))
++ if (OFFSET_OOB(nbytes, offset, 1))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1091,7 +1093,7 @@
+ offset = ~offset;
+ break;
+ case FILE_BESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1143,7 +1145,7 @@
+ offset = ~offset;
+ break;
+ case FILE_LESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1195,7 +1197,7 @@
+ offset = ~offset;
+ break;
+ case FILE_SHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1232,7 +1234,7 @@
+ break;
+ case FILE_BELONG:
+ case FILE_BEID3:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1303,7 +1305,7 @@
+ break;
+ case FILE_LELONG:
+ case FILE_LEID3:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1373,7 +1375,7 @@
+ offset = ~offset;
+ break;
+ case FILE_MELONG:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1443,7 +1445,7 @@
+ offset = ~offset;
+ break;
+ case FILE_LONG:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1507,14 +1509,14 @@
+ /* Verify we have enough data to match magic type */
+ switch (m->type) {
+ case FILE_BYTE:
+- if (nbytes < (offset + 1)) /* should alway be true */
++ if (OFFSET_OOB(nbytes, offset, 1))
+ return 0;
+ break;
+ 
+ case FILE_SHORT:
+ case FILE_BESHORT:
+ case FILE_LESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ break;
+ 
+@@ -1533,26 +1535,26 @@
+ case FILE_FLOAT:
+ case FILE_BEFLOAT:
+ case FILE_LEFLOAT:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ break;
+ 
+ case FILE_DOUBLE:
+ case FILE_BEDOUBLE:
+ case FILE_LEDOUBLE:
+- if (nbytes < (offset + 8))
++ if (OFFSET_OOB(nbytes, offset, 8))
+ return 0;
+ break;
+ 
+ case FILE_STRING:
+ case FILE_PSTRING:
+ case FILE_SEARCH:
+- if (nbytes < (offset + m->vallen))
++ if (OFFSET_OOB(nbytes, offset, m->vallen))
+ return 0;
+ break;
+ 
+ case FILE_REGEX:
+- if (nbytes < offset)
++ if (OFFSET_OOB(nbytes, offset, 0))
+ return 0;
+ break;
+ 
+@@ -1562,7 +1564,7 @@
+ if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ file_printf(ms, "%s", m->desc) == -1)
+ return -1;
+- if (nbytes < offset)
++ if (OFFSET_OOB(nbytes, offset, 0))
+ return 0;
+ return file_softmagic(ms, s + offset, nbytes - offset,
+ recursion_level, BINTEST, text);
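Review bot: The `OFFSET_OOB` macro added in the first softmagic.c hunk (`@@ -65,6 +65,8 @@`) carries no comment, and the reason it uses `>` where upstream used `>=` is recorded only in the patch header, so a later resync with upstream could silently bring `>=` back and start rejecting reads that end exactly at the buffer end — including the `i == 0` uses for FILE_REGEX and FILE_INDIRECT in the last two hunks, which the old `nbytes < offset` test accepted. I would record that on the macro itself: `/* True if reading I bytes at offset O of an N-byte buffer overruns it. N < O is tested first so N - O cannot wrap. '>' (not upstream's '>='): a read ending exactly at N is in bounds, as the I == 0 callers need. */`. The macro also evaluates `n` and `o` twice; every call site passes plain variables or `m->vallen`, so this is harmless today, but that constraint belongs in the same comment. Both callers, mget's `in_type` switch and the type-verification switch, start and end outside these hunks.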