diff -Nru php5-5.5.9+dfsg/debian/changelog php5-5.5.9+dfsg/debian/changelog
--- php5-5.5.9+dfsg/debian/changelog 2016-04-07 21:28:57.000000000 +0000
+++ php5-5.5.9+dfsg/debian/changelog 2016-04-28 15:27:25.000000000 +0000
@@ -1,10 +1,84 @@ -php5 (5.5.9+dfsg-1ubuntu4.15) trusty; urgency=medium +php5 (5.5.9+dfsg-1ubuntu4.17~ppa1) trusty; urgency=medium * debian/patches/backport_2c204a55.patch: Fix Bug #66987. Closes LP: #1472407. -- Nishanth Aravamudan Thu, 07 Apr 2016 14:28:48 -0700 +php5 (5.5.9+dfsg-1ubuntu4.16) trusty-security; urgency=medium + + * SECURITY UPDATE: directory traversal in ZipArchive::extractTo + - debian/patches/CVE-2014-9767.patch: use proper path in + ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt. + - CVE-2014-9767 + * SECURITY UPDATE: type confusion issue in SoapClient + - debian/patches/CVE-2015-8835.patch: check types in + ext/soap/php_http.c. + - CVE-2015-8835 + - CVE-2016-3185 + * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM + - debian/patches/CVE-2015-8838.patch: fix ssl handling in + ext/mysqlnd/mysqlnd.c. + - CVE-2015-8838 + * SECURITY UPDATE: denial of service or memory disclosure in gd via large + bgd_color argument to imagerotate + - debian/patches/CVE-2016-1903.patch: check bgcolor in + ext/gd/libgd/gd_interpolation.c, added test to + ext/gd/tests/bug70976.phpt. + - CVE-2016-1903 + * SECURITY UPDATE: stack overflow when decompressing tar archives + - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames + in ext/phar/tar.c. + - CVE-2016-2554 + * SECURITY UPDATE: use-after-free in WDDX + - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c, + added test to ext/wddx/tests/bug71587.phpt. + - CVE-2016-3141 + * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile() + - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c. + - CVE-2016-3142 + * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between + threads + - debian/patches/bug64938.patch: enable entity loader in + ext/libxml/libxml.c. 
+ - No CVE number + * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically + secure + - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated + RAND_pseudo_bytes in ext/openssl/openssl.c. + - No CVE number + * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic + file + - debian/patches/bug71527.patch: properly calculate length in + ext/fileinfo/libmagic/funcs.c, added test to + ext/fileinfo/tests/bug71527.magic. + - CVE number pending + * SECURITY UPDATE: php_snmp_error() format string Vulnerability + - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c. + - CVE number pending + * SECURITY UPDATE: integer overflow in php_raw_url_encode + - debian/patches/bug71798.patch: use size_t in ext/standard/url.c. + - CVE number pending + * SECURITY UPDATE: invalid memory write in phar on filename containing + NULL + - debian/patches/bug71860.patch: require valid paths in + ext/phar/phar.c, ext/phar/phar_object.c, fix tests in + ext/phar/tests/badparameters.phpt, + ext/phar/tests/create_path_error.phpt, + ext/phar/tests/phar_extract.phpt, + ext/phar/tests/phar_isvalidpharfilename.phpt, + ext/phar/tests/phar_unlinkarchive.phpt, + ext/phar/tests/pharfileinfo_construct.phpt. + - CVE number pending + * SECURITY UPDATE: invalid negative size in mbfl_strcut + - debian/patches/bug71906.patch: fix length checks in + ext/mbstring/libmbfl/mbfl/mbfilter.c. + - CVE number pending + * This package does _NOT_ contain the changes from php5 + (5.5.9+dfsg-1ubuntu4.15) in trusty-proposed. 
+ + -- Marc Deslauriers Wed, 20 Apr 2016 09:52:09 -0400 + php5 (5.5.9+dfsg-1ubuntu4.14) trusty-security; urgency=medium * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset() diff -Nru php5-5.5.9+dfsg/debian/patches/bug64938.patch php5-5.5.9+dfsg/debian/patches/bug64938.patch --- php5-5.5.9+dfsg/debian/patches/bug64938.patch 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.5.9+dfsg/debian/patches/bug64938.patch 2016-04-28 15:26:14.000000000 +0000 
@@ -0,0 +1,39 @@
+From de31324c221c1791b26350ba106cc26bad23ace9 Mon Sep 17 00:00:00 2001
+From: Martin Jansen
+Date: Thu, 22 Jan 2015 20:58:15 +0100
+Subject: [PATCH] Fix bug #64938: libxml_disable_entity_loader setting is
+ shared between threads
+
+The availability of entity loading is stored in a module global which
+previously was only initialized in the GINIT constructor. This had the
+effect that disabling the entity loader in one request caused
+subsequent requests hitting the same Apache child process to also have
+the loader disabled.
+
+With this change the loader is explicitely enabled in the request init
+phase.
+---
+ NEWS | 4 ++++
+ ext/libxml/libxml.c | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
+index 4b7a36a..5f0da89 100644
+--- a/ext/libxml/libxml.c
++++ b/ext/libxml/libxml.c
+@@ -857,6 +857,12 @@ static PHP_RINIT_FUNCTION(libxml)
+ xmlSetGenericErrorFunc(NULL, php_libxml_error_handler);
+ xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename);
+ xmlOutputBufferCreateFilenameDefault(php_libxml_output_buffer_create_filename);
++
++ /* Enable the entity loader by default. This ensure that
++ * other threads/requests that might have disable the loader
++ * do not affect the current request.
++ */
++ LIBXML(entity_loader_disabled) = 0;
+ }
+ return SUCCESS;
+ }
+--
+2.1.4
+
diff -Nru php5-5.5.9+dfsg/debian/patches/bug70014.patch php5-5.5.9+dfsg/debian/patches/bug70014.patch
--- php5-5.5.9+dfsg/debian/patches/bug70014.patch 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.5.9+dfsg/debian/patches/bug70014.patch 2016-04-28 15:26:14.000000000 +0000
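Review bot: The reset `LIBXML(entity_loader_disabled) = 0;` lands inside the block that closes with the `}` immediately before `return SUCCESS;`, so it only executes when that enclosing condition holds; the condition's head is outside the hunk, and if it can ever be false the per-request reset is skipped and the stale setting still leaks to the next request on the same process. Placing the assignment directly before `return SUCCESS;`, outside that block, would make the reset unconditional and match the intent stated in the commit message. The added comment also reads awkwardly; `/* Re-enable the entity loader for every request so a libxml_disable_entity_loader(true) call in an earlier request on this process does not carry over. */` says the same thing more clearly. The body of PHP_RINIT_FUNCTION(libxml) starts outside the hunk.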
@@ -0,0 +1,48 @@
+From 16023f3e3b9c06cf677c3c980e8d574e4c162827 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 26 Jul 2015 17:43:16 -0700
+Subject: [PATCH] Fix bug #70014 - use RAND_bytes instead of deprecated
+ RAND_pseudo_bytes
+
+---
+ ext/openssl/openssl.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+Index: php5-5.5.9+dfsg/ext/openssl/openssl.c
+===================================================================
+--- php5-5.5.9+dfsg.orig/ext/openssl/openssl.c 2016-04-15 13:26:39.990005785 -0400
++++ php5-5.5.9+dfsg/ext/openssl/openssl.c 2016-04-15 13:26:39.990005785 -0400
+@@ -5107,7 +5107,6 @@
+ long buffer_length;
+ unsigned char *buffer = NULL;
+ zval *zstrong_result_returned = NULL;
+- int strong_result = 0;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l|z", &buffer_length, &zstrong_result_returned) == FAILURE) {
+ return;
+@@ -5125,7 +5124,6 @@
+ buffer = emalloc(buffer_length + 1);
+
+ #ifdef PHP_WIN32
+- strong_result = 1;
+ /* random/urandom equivalent on Windows */
+ if (php_win32_get_random_bytes(buffer, (size_t) buffer_length) == FAILURE){
+ efree(buffer);
+@@ -5135,7 +5133,7 @@
+ RETURN_FALSE;
+ }
+ #else
+- if ((strong_result = RAND_pseudo_bytes(buffer, buffer_length)) < 0) {
++ if (RAND_bytes(buffer, buffer_length) <= 0) {
+ efree(buffer);
+ if (zstrong_result_returned) {
+ ZVAL_BOOL(zstrong_result_returned, 0);
+@@ -5148,7 +5146,7 @@
+ RETVAL_STRINGL((char *)buffer, buffer_length, 0);
+
+ if (zstrong_result_returned) {
+- ZVAL_BOOL(zstrong_result_returned, strong_result);
++ ZVAL_BOOL(zstrong_result_returned, 1);
+ }
+ }
+ /* }}} */
diff -Nru php5-5.5.9+dfsg/debian/patches/bug71527.patch php5-5.5.9+dfsg/debian/patches/bug71527.patch
--- php5-5.5.9+dfsg/debian/patches/bug71527.patch 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.5.9+dfsg/debian/patches/bug71527.patch 2016-04-28 15:26:14.000000000 +0000
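Review bot: `RAND_bytes(buffer, buffer_length)` hands the `long buffer_length` declared at the top of the hunk to an `int` parameter, so on LP64 builds a request above INT_MAX is silently narrowed while `emalloc(buffer_length + 1)` still uses the full value; depending on the OpenSSL version the narrowed count may succeed without filling the whole buffer the caller then reads back. The lower-bound check on `buffer_length` is outside the hunk and I cannot see an upper bound; adding `if (buffer_length > INT_MAX) { RETURN_FALSE; }` beside it would close the gap. Reporting `zstrong_result_returned` as 1 unconditionally is correct only because both the Windows path and `RAND_bytes` fail hard instead of degrading; a one-line comment at the new `ZVAL_BOOL` stating that would keep a future weak-source fallback from being added without revisiting it.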
@@ -0,0 +1,65 @@ +From fe13566c93f118a15a96320a546c7878fd0cfc5e Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Mon, 28 Mar 2016 00:45:19 +0200 +Subject: [PATCH] Fixed bug #71527 Buffer over-write in finfo_open with + malformed magic file + +The actual fix is applying the upstream patch from +https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36 +--- + ext/fileinfo/libmagic/funcs.c | 2 +- + ext/fileinfo/tests/bug71527.magic | 1 + + ext/fileinfo/tests/bug71527.phpt | 19 +++++++++++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/fileinfo/tests/bug71527.magic + create mode 100644 ext/fileinfo/tests/bug71527.phpt + +diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c +index 011ca42..def2f7b 100644 +--- a/ext/fileinfo/libmagic/funcs.c ++++ b/ext/fileinfo/libmagic/funcs.c +@@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level) + size_t len; + + if (level >= ms->c.len) { +- len = (ms->c.len += 20) * sizeof(*ms->c.li); ++ len = (ms->c.len += 20 + level) * sizeof(*ms->c.li); + ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ? + emalloc(len) : + erealloc(ms->c.li, len)); +diff --git a/ext/fileinfo/tests/bug71527.magic b/ext/fileinfo/tests/bug71527.magic +new file mode 100644 +index 0000000..14d7781 +--- /dev/null ++++ b/ext/fileinfo/tests/bug71527.magic +@@ -0,0 +1 @@ ++>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +\ No newline at end of file +diff --git a/ext/fileinfo/tests/bug71527.phpt b/ext/fileinfo/tests/bug71527.phpt +new file mode 100644 +index 0000000..f5b1d86 +--- /dev/null ++++ b/ext/fileinfo/tests/bug71527.phpt +@@ -0,0 +1,19 @@ ++--TEST-- ++Bug #71527 Buffer over-write in finfo_open with malformed magic file ++--SKIPIF-- ++ ++--EXPECTF-- ++Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. 
in %sbug71527.php on line %d
++
++Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d
++bool(false)
+--
+2.1.4
+
diff -Nru php5-5.5.9+dfsg/debian/patches/bug71704.patch php5-5.5.9+dfsg/debian/patches/bug71704.patch
--- php5-5.5.9+dfsg/debian/patches/bug71704.patch 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.5.9+dfsg/debian/patches/bug71704.patch 2016-04-28 15:26:14.000000000 +0000
@@ -0,0 +1,27 @@
+From 9c19a08b9daed6bae3071dd25742f59a59618823 Mon Sep 17 00:00:00 2001
+From: Anatol Belski
+Date: Wed, 16 Mar 2016 09:48:40 +0100
+Subject: [PATCH] Fixed bug #71704 php_snmp_error() Format String Vulnerability
+
+Conflicts:
+ ext/snmp/snmp.c
+---
+ ext/snmp/snmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
+index f7c99c1..6c1da4c 100644
+--- a/ext/snmp/snmp.c
++++ b/ext/snmp/snmp.c
+@@ -533,7 +533,7 @@ static void php_snmp_error(zval *object, const char *docref TSRMLS_DC, int type,
+ }
+
+ if (object && (snmp_object->exceptions_enabled & type)) {
+- zend_throw_exception_ex(php_snmp_exception_ce, type TSRMLS_CC, snmp_object->snmp_errstr);
++ zend_throw_exception_ex(php_snmp_exception_ce, type TSRMLS_CC, "%s", snmp_object->snmp_errstr);
+ } else {
+ va_start(args, format);
+ php_verror(docref, "", E_WARNING, format, args TSRMLS_CC);
+--
+2.1.4
+
diff -Nru php5-5.5.9+dfsg/debian/patches/bug71798.patch php5-5.5.9+dfsg/debian/patches/bug71798.patch
--- php5-5.5.9+dfsg/debian/patches/bug71798.patch 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.5.9+dfsg/debian/patches/bug71798.patch 2016-04-28 15:26:14.000000000 +0000
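Review bot: The new growth expression `ms->c.len += 20 + level` carries the whole fix — the array must grow past `level`, not by a fixed 20 — yet the `level >= ms->c.len` guard above it does not make that visible, so a comment is warranted: `/* grow past the requested level, not by a fixed step, so the indexing that follows stays in bounds */`. `level` is `unsigned int` per the hunk header and `len` is `size_t`, while the type of `ms->c.len` is not shown; if it is narrower than `size_t` the product is computed in that narrower type before the assignment to `len`, which is worth confirming. The rest of file_check_mem, including the access that uses the new size, is outside the hunk.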
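Review bot: The `"%s"` fix is right, but nothing in the function records why `snmp_object->snmp_errstr` must never be the format argument, and the unchanged `else` branch still forwards the caller-supplied `format` to `php_verror`, which is safe only while every caller passes a literal. A comment on the new line, `/* snmp_errstr may carry text received from the agent; pass it as an argument, never as the format */`, would keep the next edit from reintroducing the bug. php_snmp_error continues outside the hunk, so I cannot confirm that all `format` callers use literals.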
@@ -0,0 +1,23 @@
+From 95433e8e339dbb6b5d5541473c1661db6ba2c451 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 27 Mar 2016 14:22:19 -0700
+Subject: [PATCH] Fix bug #71798 - Integer Overflow in php_raw_url_encode
+
+---
+ ext/standard/url.c | 2 +-
+ main/php_version.h | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+Index: php5-5.5.9+dfsg/ext/standard/url.c
+===================================================================
+--- php5-5.5.9+dfsg.orig/ext/standard/url.c 2016-04-15 13:27:03.230299574 -0400
++++ php5-5.5.9+dfsg/ext/standard/url.c 2016-04-15 13:27:03.230299574 -0400
+@@ -600,7 +600,7 @@
+ */
+ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
+ {
+- register int x, y;
++ register size_t x, y;
+ unsigned char *str;
+
+ str = (unsigned char *) safe_emalloc(3, len, 1);
diff -Nru php5-5.5.9+dfsg/debian/patches/bug71860.patch php5-5.5.9+dfsg/debian/patches/bug71860.patch
--- php5-5.5.9+dfsg/debian/patches/bug71860.patch 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.5.9+dfsg/debian/patches/bug71860.patch 2016-04-28 15:26:14.000000000 +0000
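Review bot: Widening `x` and `y` to `size_t` removes the overflow in the loop counters, but the signature kept in the hunk still takes `int len` and reports the result through `int *new_length`, so the value written back is narrowed again and a caller passing a `len` above INT_MAX/3 would get a wrong length for a buffer that `safe_emalloc(3, len, 1)` sized correctly. A guard before the allocation such as `if (len > INT_MAX / 3) { return NULL; }` would close that, provided callers already handle a NULL return. The loop body and the `*new_length` store are outside the hunk, so this is inferred from the declarations shown. `register` is also a no-op on current compilers and could be dropped while the line is being touched.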
@@ -0,0 +1,322 @@ +Backport of: + +From 72281f29dd4691b2f741362d3581162fcf85f502 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 20 Mar 2016 20:54:09 -0700 +Subject: [PATCH] Fix bug #71860: Require valid paths for phar filenames + +--- + ext/phar/phar.c | 4 +++ + ext/phar/phar_object.c | 40 ++++++++++++++-------------- + ext/phar/tests/badparameters.phpt | 18 ++++++------- + ext/phar/tests/bug64931/bug64931.phpt | 5 ++-- + ext/phar/tests/create_path_error.phpt | 3 +-- + ext/phar/tests/phar_extract.phpt | 2 +- + ext/phar/tests/phar_isvalidpharfilename.phpt | 2 +- + ext/phar/tests/phar_unlinkarchive.phpt | 2 +- + ext/phar/tests/pharfileinfo_construct.phpt | 2 +- + 9 files changed, 41 insertions(+), 37 deletions(-) + +Index: php5-5.5.9+dfsg/ext/phar/phar.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/phar.c 2016-04-15 15:06:27.290059311 -0400 ++++ php5-5.5.9+dfsg/ext/phar/phar.c 2016-04-15 15:06:27.286059261 -0400 +@@ -2260,6 +2260,10 @@ + #endif + int ext_len, free_filename = 0; + ++ if (CHECK_NULL_PATH(filename, filename_len)) { ++ return FAILURE; ++ } ++ + if (!strncasecmp(filename, "phar://", 7)) { + filename += 7; + filename_len -= 7; +Index: php5-5.5.9+dfsg/ext/phar/phar_object.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/phar_object.c 2016-04-15 15:06:27.290059311 -0400 ++++ php5-5.5.9+dfsg/ext/phar/phar_object.c 2016-04-15 15:06:27.286059261 -0400 +@@ -478,7 +478,7 @@ + int fname_len, arch_len, entry_len, path_len, actual_len; + phar_archive_data **pphar; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &actual, &actual_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &path, &path_len, &actual, &actual_len) == FAILURE) { + return; + } + +@@ -959,7 +959,7 @@ + int index_len = 0, webindex_len = 0; + size_t stub_len; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() 
TSRMLS_CC, "|ss", &index, &index_len, &webindex, &webindex_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|pp", &index, &index_len, &webindex, &webindex_len) == FAILURE) { + return; + } + +@@ -1003,7 +1003,7 @@ + char *fname, *alias = NULL, *error; + int fname_len, alias_len = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) { + return; + } + +@@ -1082,7 +1082,7 @@ + int fname_len, ext_len, is_executable; + zend_bool executable = 1; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &fname, &fname_len, &executable) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|b", &fname, &fname_len, &executable) == FAILURE) { + return; + } + +@@ -1153,11 +1153,11 @@ + is_data = instanceof_function(Z_OBJCE_P(zobj), phar_ce_data TSRMLS_CC); + + if (is_data) { +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) { + return; + } + } else { +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) { + return; + } + } +@@ -1325,7 +1325,7 @@ + int fname_len, zname_len, arch_len, entry_len; + phar_archive_data *phar; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + RETURN_FALSE; + } + +@@ -1755,7 +1755,7 @@ + return; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", 
&dir, &dir_len, ®ex, ®ex_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s", &dir, &dir_len, ®ex, ®ex_len) == FAILURE) { + RETURN_FALSE; + } + +@@ -2626,7 +2626,7 @@ + return; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + RETURN_FALSE; + } + +@@ -3438,7 +3438,7 @@ + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) { + return; + } + +@@ -3544,7 +3544,7 @@ + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +@@ -3581,7 +3581,7 @@ + phar_entry_info *entry; + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +@@ -3729,8 +3729,8 @@ + return; + } + +- if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "sr", &fname, &fname_len, &zresource) == FAILURE +- && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) { ++ if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "pr", &fname, &fname_len, &zresource) == FAILURE ++ && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) { + return; + } + +@@ -3768,7 +3768,7 @@ + return; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if 
(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +@@ -3815,7 +3815,7 @@ + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &dirname, &dirname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &dirname, &dirname_len) == FAILURE) { + return; + } + +@@ -3840,7 +3840,7 @@ + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) { + return; + } + +@@ -3884,7 +3884,7 @@ + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) { + return; + } + +@@ -4311,7 +4311,7 @@ + + PHAR_ARCHIVE_OBJECT(); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) { + return; + } + +@@ -4450,7 +4450,7 @@ + phar_archive_data *phar_data; + zval *zobj = getThis(), arg1; + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &fname, &fname_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &fname, &fname_len) == FAILURE) { + return; + } + +Index: php5-5.5.9+dfsg/ext/phar/tests/badparameters.phpt +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/tests/badparameters.phpt 2016-04-15 15:06:27.290059311 -0400 ++++ php5-5.5.9+dfsg/ext/phar/tests/badparameters.phpt 2016-04-15 15:06:27.286059261 -0400 +@@ -126,19 +126,19 @@ + --EXPECTF-- + Warning: 
Phar::mungServer() expects parameter 1 to be array, %string given in %sbadparameters.php on line %d + +-Warning: Phar::createDefaultStub() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::createDefaultStub() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + +-Warning: Phar::loadPhar() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::loadPhar() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::canCompress() expects parameter 1 to be long, %string given in %sbadparameters.php on line %d + +-Warning: Phar::__construct() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::__construct() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::convertToExecutable() expects parameter 1 to be long, array given in %sbadparameters.php on line %d + + Warning: Phar::convertToData() expects parameter 1 to be long, array given in %sbadparameters.php on line %d + +-Warning: PharData::delete() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: PharData::delete() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + Cannot write out phar archive, phar is read-only + Entry oops does not exist and cannot be deleted + %sfiles/frontcontroller10.phar +@@ -165,18 +165,18 @@ + Warning: Phar::copy() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d + Cannot copy "a" to "b", phar is read-only + +-Warning: Phar::offsetExists() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::offsetExists() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + +-Warning: Phar::offsetGet() expects parameter 1 to be %string, array given in 
%sbadparameters.php on line %d ++Warning: Phar::offsetGet() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::offsetSet() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d + +-Warning: PharData::offsetUnset() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: PharData::offsetUnset() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + Write operations disabled by the php.ini setting phar.readonly + +-Warning: Phar::addEmptyDir() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::addEmptyDir() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + +-Warning: Phar::addFile() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d ++Warning: Phar::addFile() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d + + Warning: Phar::addFromString() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d + Write operations disabled by the php.ini setting phar.readonly +Index: php5-5.5.9+dfsg/ext/phar/tests/create_path_error.phpt +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/tests/create_path_error.phpt 2016-04-15 15:06:27.290059311 -0400 ++++ php5-5.5.9+dfsg/ext/phar/tests/create_path_error.phpt 2016-04-15 15:07:03.166506857 -0400 +@@ -58,5 +58,5 @@ + Error: file_put_contents(phar://%s/.): failed to open stream: phar error: file "" in phar "%s" cannot be empty + Error: file_put_contents(phar://%s/../): failed to open stream: phar error: file "" in phar "%s" cannot be empty + Error: file_put_contents(phar://%s/a/..): failed to open stream: phar error: file "" in phar "%s" cannot be empty +-Exception: Entry a does not exist and cannot be created: phar error: invalid path "a" contains illegal character ++Error: 
Phar::offsetSet() expects parameter 1 to be a valid path, string given + ===DONE=== +Index: php5-5.5.9+dfsg/ext/phar/tests/phar_extract.phpt +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/tests/phar_extract.phpt 2016-04-15 15:06:27.290059311 -0400 ++++ php5-5.5.9+dfsg/ext/phar/tests/phar_extract.phpt 2016-04-15 15:06:27.286059261 -0400 +@@ -138,7 +138,7 @@ + bool(false) + Invalid argument, expected a filename (string) or array of filenames + +-Warning: Phar::extractTo() expects parameter 1 to be %string, array given in %sphar_extract.php on line %d ++Warning: Phar::extractTo() expects parameter 1 to be a valid path, array given in %sphar_extract.php on line %d + Invalid argument, extraction path must be non-zero length + Unable to use path "%soops" for extraction, it is a file, must be a directory + Invalid argument, array of filenames to extract contains non-string value +Index: php5-5.5.9+dfsg/ext/phar/tests/phar_isvalidpharfilename.phpt +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/tests/phar_isvalidpharfilename.phpt 2016-04-15 15:06:27.290059311 -0400 ++++ php5-5.5.9+dfsg/ext/phar/tests/phar_isvalidpharfilename.phpt 2016-04-15 15:06:27.286059261 -0400 +@@ -76,7 +76,7 @@ + " + phar archive "%sphar_unlinkarchive.phar" has open file handles or objects. 
fclose() all file handles, and unset() all objects prior to calling unlinkArchive() +Index: php5-5.5.9+dfsg/ext/phar/tests/pharfileinfo_construct.phpt +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/tests/pharfileinfo_construct.phpt 2016-04-15 15:06:27.290059311 -0400 ++++ php5-5.5.9+dfsg/ext/phar/tests/pharfileinfo_construct.phpt 2016-04-15 15:06:27.286059261 -0400 +@@ -47,7 +47,7 @@ + --EXPECTF-- + Cannot open phar file 'phar://%spharfileinfo_construct.phar/oops': internal corruption of phar "%spharfileinfo_construct.phar" (truncated entry) + +-Warning: PharFileInfo::__construct() expects parameter 1 to be %string, array given in %spharfileinfo_construct.php on line %d ++Warning: PharFileInfo::__construct() expects parameter 1 to be a valid path, array given in %spharfileinfo_construct.php on line %d + Cannot access phar file entry '/oops/I/do/not/exist' in archive '%spharfileinfo_construct.phar' + Cannot call constructor twice + '%spharfileinfo_construct.php' is not a valid phar archive URL (must have at least phar://filename.phar) diff -Nru php5-5.5.9+dfsg/debian/patches/bug71906.patch php5-5.5.9+dfsg/debian/patches/bug71906.patch --- php5-5.5.9+dfsg/debian/patches/bug71906.patch 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.5.9+dfsg/debian/patches/bug71906.patch 2016-04-28 15:26:14.000000000 +0000 
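Review bot: The diffstat at the top of the backport lists `ext/phar/tests/bug64931/bug64931.phpt` among the nine files changed upstream, but no hunk for it follows; if that test exists in this tree its expected output was presumably adjusted upstream for the new "expects parameter 1 to be a valid path" wording and may now fail. Either carry that hunk or trim the diffstat so the two agree. The `CHECK_NULL_PATH` early return added in phar.c sits at the top of a function whose head is outside the hunk and returns a bare `FAILURE` with no error text, which matches the surrounding style but deserves a comment like `/* embedded NUL in a path: refuse before any C string function sees it */`. Also note that the "s" to "p" switch covers only the path-like arguments; the remaining "s" specifiers (alias, regex, localname, content) are intentionally left as plain strings and a short note to that effect in the first phar_object.c hunk would prevent a blanket replacement later.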
@@ -0,0 +1,49 @@
+From 64f42c73efc58e88671ad76b6b6bc8e2b62713e1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 28 Mar 2016 01:22:37 -0700
+Subject: [PATCH] Fixed bug #71906: AddressSanitizer: negative-size-param (-1)
+ in mbfl_strcut
+
+---
+ ext/mbstring/libmbfl/mbfl/mbfilter.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
+index 3b14727..4986472 100644
+--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
++++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
+@@ -1501,7 +1501,7 @@ mbfl_strcut(
+ if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) {
+ from &= -2;
+
+- if (from + length >= string->len) {
++ if (length >= string->len - from) {
+ length = string->len - from;
+ }
+
+@@ -1510,14 +1510,14 @@ mbfl_strcut(
+ } else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) {
+ from &= -4;
+
+- if (from + length >= string->len) {
++ if (length >= string->len - from) {
+ length = string->len - from;
+ }
+
+ start = string->val + from;
+ end = start + (length & -4);
+ } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+- if (from + length >= string->len) {
++ if (length >= string->len - from) {
+ length = string->len - from;
+ }
+
+@@ -1539,7 +1539,7 @@ mbfl_strcut(
+ start = p;
+
+ /* search end position */
+- if ((start - string->val) + length >= (int)string->len) {
++ if (length >= (int)string->len - (start - string->val)) {
+ end = string->val + string->len;
+ } else {
+ for (q = p + length; p < q; p += (m = mbtab[*p]));
diff -Nru php5-5.5.9+dfsg/debian/patches/CVE-2014-9767.patch php5-5.5.9+dfsg/debian/patches/CVE-2014-9767.patch
--- php5-5.5.9+dfsg/debian/patches/CVE-2014-9767.patch 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.5.9+dfsg/debian/patches/CVE-2014-9767.patch 2016-04-28 15:26:14.000000000 +0000
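Review bot: The rewritten guards `if (length >= string->len - from)` evaluate `string->len - from` before comparing, so they are only sound when `from` has already been bounded by `string->len`; if `string->len` is unsigned and `from` is signed, as the `(int)string->len` cast in the last hunk suggests, a `from` larger than `len` converts and wraps to a huge value, the guard passes, and `length` is not clamped. That bound must come from the argument validation at the top of mbfl_strcut, which is outside the hunk, so a comment tying the two together would help: `/* from <= string->len is established by the argument check above, so len - from cannot wrap */`. The first three hunks compare without a cast while the fourth casts `string->len` to `int`; using one form consistently would make the signedness reasoning easier to audit.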
@@ -0,0 +1,66 @@ +From f9c2bf73adb2ede0a486b0db466c264f2b27e0bb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 30 Aug 2015 00:38:08 -0700 +Subject: [PATCH] Fixed bug #70350: ZipArchive::extractTo allows for directory + traversal when creating directories + +--- + ext/zip/php_zip.c | 78 ++++++++++++++++++++++----------------------- + ext/zip/tests/bug70350.phpt | 33 +++++++++++++++++++ + 2 files changed, 72 insertions(+), 39 deletions(-) + create mode 100644 ext/zip/tests/bug70350.phpt + +Note: +Also includes http://git.php.net/?p=php-src.git;a=commit;h=906f19f1365488f90f7473e833a7a13f2c1387ac + +Index: php5-5.5.9+dfsg/ext/zip/php_zip.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/zip/php_zip.c 2016-04-15 13:16:44.070440450 -0400 ++++ php5-5.5.9+dfsg/ext/zip/php_zip.c 2016-04-15 13:16:44.066440399 -0400 +@@ -174,7 +174,7 @@ + + /* it is a directory only, see #40228 */ + if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) { +- len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file); ++ len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned); + is_dir_only = 1; + } else { + memcpy(file_dirname, path_cleaned, path_cleaned_len); +Index: php5-5.5.9+dfsg/ext/zip/tests/bug70350.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.5.9+dfsg/ext/zip/tests/bug70350.phpt 2016-04-15 13:16:44.066440399 -0400 +@@ -0,0 +1,33 @@ ++--TEST-- ++Bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories) ++--SKIPIF-- ++ ++--FILE-- ++open("$dir/a.zip",ZipArchive::CREATE); ++$archive->addEmptyDir("../down2/"); ++$archive->close(); ++ ++$archive2 = new ZipArchive(); ++$archive2->open("$dir/a.zip"); ++$archive2->extractTo($dir); ++$archive2->close(); ++var_dump(file_exists("$dir/down2/")); ++var_dump(file_exists("../down2/")); ++?> ++--CLEAN-- ++ ++--EXPECT-- 
++bool(true) ++bool(false) diff -Nru php5-5.5.9+dfsg/debian/patches/CVE-2015-8835.patch php5-5.5.9+dfsg/debian/patches/CVE-2015-8835.patch --- php5-5.5.9+dfsg/debian/patches/CVE-2015-8835.patch 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.5.9+dfsg/debian/patches/CVE-2015-8835.patch 2016-04-28 15:26:14.000000000 +0000 
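Review bot: After this change the directory-only branch builds its target from `path_cleaned`, and the unchanged `else` branch below already copies `path_cleaned` into `file_dirname`, so the raw archive entry name `file` no longer participates in either destination path — but nothing states that invariant, and the next edit to this block could reintroduce `file` exactly as before. A comment above the `if`, `/* destination paths are built only from path_cleaned; the raw entry name may contain ../ components */`, would document it. Where `path_cleaned` is produced and how `len` is later used are outside the hunk, so I cannot confirm the `else` branch never touches `file` further down.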
@@ -0,0 +1,37 @@
+From c96d08b27226193dd51f2b50e84272235c6aaa69 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 26 Jul 2015 16:44:18 -0700
+Subject: [PATCH] Fix bug #70081: check types for SOAP variables
+
+---
+ ext/soap/php_http.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+Index: php5-5.5.9+dfsg/ext/soap/php_http.c
+===================================================================
+--- php5-5.5.9+dfsg.orig/ext/soap/php_http.c 2016-04-15 13:17:01.050656960 -0400
++++ php5-5.5.9+dfsg/ext/soap/php_http.c 2016-04-15 13:18:09.619530655 -0400
+@@ -821,18 +821,21 @@
+ zend_hash_internal_pointer_reset(Z_ARRVAL_PP(cookies));
+ smart_str_append_const(&soap_headers, "Cookie: ");
+ for (i = 0; i < n; i++) {
++ ulong numindx;
++ int res = zend_hash_get_current_key(Z_ARRVAL_PP(cookies), &key, &numindx, FALSE);
+ zend_hash_get_current_data(Z_ARRVAL_PP(cookies), (void **)&data);
+- zend_hash_get_current_key(Z_ARRVAL_PP(cookies), &key, NULL, FALSE);
+
+- if (Z_TYPE_PP(data) == IS_ARRAY) {
++ if (res == HASH_KEY_IS_STRING && Z_TYPE_PP(data) == IS_ARRAY) {
+ zval** value;
+
+ if (zend_hash_index_find(Z_ARRVAL_PP(data), 0, (void**)&value) == SUCCESS &&
+ Z_TYPE_PP(value) == IS_STRING) {
+ zval **tmp;
+ if ((zend_hash_index_find(Z_ARRVAL_PP(data), 1, (void**)&tmp) == FAILURE ||
++ Z_TYPE_PP(tmp) != IS_STRING ||
+ strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_PP(tmp),Z_STRLEN_PP(tmp)) == 0) &&
+ (zend_hash_index_find(Z_ARRVAL_PP(data), 2, (void**)&tmp) == FAILURE ||
++ Z_TYPE_PP(tmp) != IS_STRING ||
+ in_domain(phpurl->host,Z_STRVAL_PP(tmp))) &&
+ (use_ssl || zend_hash_index_find(Z_ARRVAL_PP(data), 3, (void**)&tmp) == FAILURE)) {
+ smart_str_appendl(&soap_headers, key, strlen(key));
diff -Nru php5-5.5.9+dfsg/debian/patches/CVE-2015-8838.patch php5-5.5.9+dfsg/debian/patches/CVE-2015-8838.patch
--- php5-5.5.9+dfsg/debian/patches/CVE-2015-8838.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
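Review bot: The two added `Z_TYPE_PP(tmp) != IS_STRING ||` terms fail open: a cookie whose path slot (index 1) or domain slot (index 2) holds a non-string makes the whole disjunction true, so the cookie is emitted for every request path and every host instead of being skipped, which is the opposite of what a malformed entry should get. Fail-closed keeps the type confusion fixed and the cookie scoping intact: `(zend_hash_index_find(Z_ARRVAL_PP(data), 1, (void**)&tmp) == FAILURE || (Z_TYPE_PP(tmp) == IS_STRING && strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_PP(tmp),Z_STRLEN_PP(tmp)) == 0))`, and the same shape for the `in_domain` term. The key lookup's result is now checked through `res`, but the `zend_hash_get_current_data` call right after it is still unchecked; the loop is bounded by `n` so this is probably safe, yet testing it the same way would make the guard uniform. The enclosing function starts and ends outside the hunk.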
php5-5.5.9+dfsg/debian/patches/CVE-2015-8838.patch 2016-04-28 15:26:14.000000000 +0000 
@@ -0,0 +1,69 @@ +Backport of: + +From 97aa752fee61fccdec361279adbfb17a3c60f3f4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Jul 2015 00:00:53 -0700 +Subject: [PATCH] Fix bug #69669 (mysqlnd is vulnerable to BACKRONYM) + +--- + ext/mysqlnd/mysqlnd.c | 65 +++++++++++++++++++++++++++++++-------------------- + 1 file changed, 40 insertions(+), 25 deletions(-) + +Index: php5-5.5.9+dfsg/ext/mysqlnd/mysqlnd.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/mysqlnd/mysqlnd.c 2016-04-15 13:19:15.688371594 -0400 ++++ php5-5.5.9+dfsg/ext/mysqlnd/mysqlnd.c 2016-04-15 13:21:16.665909219 -0400 +@@ -464,27 +464,41 @@ + } + + #ifdef MYSQLND_SSL_SUPPORTED +- if ((greet_packet->server_capabilities & CLIENT_SSL) && (mysql_flags & CLIENT_SSL)) { +- zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE; +- DBG_INF("Switching to SSL"); +- if (!PACKET_WRITE(auth_packet, conn)) { +- CONN_SET_STATE(conn, CONN_QUIT_SENT); +- conn->m->send_close(conn TSRMLS_CC); +- SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone); +- goto end; +- } ++ if (mysql_flags & CLIENT_SSL) { ++ zend_bool server_has_ssl = (greet_packet->server_capabilities & CLIENT_SSL)? TRUE:FALSE; ++ if (server_has_ssl == FALSE) { ++ goto close_conn; ++ } else { ++ zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 
TRUE:FALSE; ++ DBG_INF("Switching to SSL"); ++ if (!PACKET_WRITE(auth_packet, conn)) { ++ goto close_conn; ++ } + +- conn->net->data->m.set_client_option(conn->net, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char *) &verify TSRMLS_CC); ++ conn->net->data->m.set_client_option(conn->net, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char *) &verify TSRMLS_CC); + +- if (FAIL == conn->net->data->m.enable_ssl(conn->net TSRMLS_CC)) { +- goto end; ++ if (FAIL == conn->net->data->m.enable_ssl(conn->net TSRMLS_CC)) { ++ goto end; ++ } + } + } ++#else ++ auth_packet->client_flags &= ~CLIENT_SSL; ++ if (!PACKET_WRITE(auth_packet, conn)) { ++ goto close_conn; ++ } + #endif + ret = PASS; + end: + PACKET_FREE(auth_packet); + DBG_RETURN(ret); ++ ++close_conn: ++ CONN_SET_STATE(conn, CONN_QUIT_SENT); ++ conn->m->send_close(conn TSRMLS_CC); ++ SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone); ++ PACKET_FREE(auth_packet); ++ DBG_RETURN(ret); + } + /* }}} */ + diff -Nru php5-5.5.9+dfsg/debian/patches/CVE-2016-1903.patch php5-5.5.9+dfsg/debian/patches/CVE-2016-1903.patch --- php5-5.5.9+dfsg/debian/patches/CVE-2016-1903.patch 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.5.9+dfsg/debian/patches/CVE-2016-1903.patch 2016-04-28 15:26:14.000000000 +0000 
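Review bot: In the new `#else` branch (a build without MYSQLND_SSL_SUPPORTED) a caller that set `CLIENT_SSL` is silently downgraded: the flag is masked out of `auth_packet->client_flags` and the handshake continues in plaintext with no error, whereas the `#ifdef` branch now refuses when the server lacks SSL. Either reject the request there when `mysql_flags & CLIENT_SSL` is set, or at least record the decision with `/* no SSL support compiled in: CLIENT_SSL is dropped and the session stays unencrypted */` so the downgrade is visible to the next reader. `close_conn:` duplicates the `PACKET_FREE`/`DBG_RETURN` pair of `end:`; finishing it with `goto end;` after the three error statements keeps a single exit path, which relies on `ret` being initialised to FAIL at the top of the function, outside this hunk. The enclosing function's opening lines are outside the hunk.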
@@ -0,0 +1,39 @@ +Description: fix denial of service or memory disclosure in gd via large + bgd_color argument to imagerotate +Bug: https://bugs.php.net/bug.php?id=70976 +Origin: upstream, https://github.com/php/php-src/commit/4bb422343f29f06b7081323844d9b52e1a71e4a5 +Origin: upstream, https://github.com/php/php-src/commit/2baeb167a08b0186a885208bdc8b5871f1681dc8 +Origin: upstream, https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4 + +Index: php5-5.5.9+dfsg/ext/gd/libgd/gd_interpolation.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/gd/libgd/gd_interpolation.c 2016-04-15 13:24:57.128704439 -0400 ++++ php5-5.5.9+dfsg/ext/gd/libgd/gd_interpolation.c 2016-04-15 13:24:57.124704388 -0400 +@@ -2162,7 +2162,7 @@ + images can be done at a later point. + */ + if (src->trueColor == 0) { +- if (bgcolor >= 0) { ++ if (bgcolor < gdMaxColors) { + bgcolor = gdTrueColorAlpha(src->red[bgcolor], src->green[bgcolor], src->blue[bgcolor], src->alpha[bgcolor]); + } + gdImagePaletteToTrueColor(src); +Index: php5-5.5.9+dfsg/ext/gd/tests/bug70976.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.5.9+dfsg/ext/gd/tests/bug70976.phpt 2016-04-15 13:24:57.124704388 -0400 +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++resource(5) of type (gd) +\ No newline at end of file diff -Nru php5-5.5.9+dfsg/debian/patches/CVE-2016-2554.patch php5-5.5.9+dfsg/debian/patches/CVE-2016-2554.patch --- php5-5.5.9+dfsg/debian/patches/CVE-2016-2554.patch 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.5.9+dfsg/debian/patches/CVE-2016-2554.patch 2016-04-28 15:26:14.000000000 +0000 
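Review bot: Replacing `bgcolor >= 0` with `bgcolor < gdMaxColors` drops the lower bound, so a negative `bgcolor` (a signed `int` upstream; its type is not visible here) now passes the check and indexes `src->red[bgcolor]`, `src->green[bgcolor]`, `src->blue[bgcolor]` and `src->alpha[bgcolor]` with a negative offset, the same out-of-bounds read in the other direction. Unless an earlier rejection of negative values exists in this function or in the imagerotate caller (neither is in the hunk), the guard should keep both ends: `if (bgcolor >= 0 && bgcolor < gdMaxColors) {`. The header cites three upstream commits but carries a single code hunk, so confirm that a negative-value check from the follow-up commits was not lost in the trim. The `--FILE--` body of bug70976.phpt is empty on this page, presumably stripped in rendering. The enclosing function starts and ends outside the hunk.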
@@ -0,0 +1,79 @@ +Backport of: + +From 07c7df68bd68bbe706371fccc77c814ebb335d9e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 Jan 2016 19:37:56 -0800 +Subject: [PATCH] Fixed bug #71488: Stack overflow when decompressing tar + archives + +--- + ext/phar/tar.c | 22 ++++++++++++++++------ + ext/phar/tests/bug71488.phpt | 16 ++++++++++++++++ + ext/phar/tests/bug71488.tar | Bin 0 -> 10240 bytes + 3 files changed, 32 insertions(+), 6 deletions(-) + create mode 100644 ext/phar/tests/bug71488.phpt + create mode 100644 ext/phar/tests/bug71488.tar + +Index: php5-5.5.9+dfsg/ext/phar/tar.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/phar/tar.c 2016-04-15 13:25:09.268858120 -0400 ++++ php5-5.5.9+dfsg/ext/phar/tar.c 2016-04-15 13:25:09.264858068 -0400 +@@ -192,6 +192,13 @@ + } + /* }}} */ + ++#if !HAVE_STRNLEN ++static size_t strnlen(const char *s, size_t maxlen) { ++ char *r = (char *)memchr(s, '\0', maxlen); ++ return r ? r-s : maxlen; ++} ++#endif ++ + int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */ + { + char buf[512], *actual_alias = NULL, *p; +@@ -201,6 +208,7 @@ + php_uint32 sum1, sum2, size, old; + phar_archive_data *myphar, **actual; + int last_was_longlink = 0; ++ int linkname_len; + + if (error) { + *error = NULL; +@@ -255,7 +263,7 @@ + size = entry.uncompressed_filesize = entry.compressed_filesize = + phar_tar_number(hdr->size, sizeof(hdr->size)); + +- if (((!old && hdr->prefix[0] == 0) || old) && strlen(hdr->name) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) { ++ if (((!old && hdr->prefix[0] == 0) || old) && strnlen(hdr->name, 100) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) { + off_t curloc; + + if (size > 511) 
{ +@@ -465,20 +473,22 @@ + } + + entry.link = NULL; +- ++ /* link field is null-terminated unless it has 100 non-null chars. ++ * Thus we can not use strlen. */ ++ linkname_len = strnlen(hdr->linkname, 100); + if (entry.tar_type == TAR_LINK) { +- if (!zend_hash_exists(&myphar->manifest, hdr->linkname, strlen(hdr->linkname))) { ++ if (!zend_hash_exists(&myphar->manifest, hdr->linkname, linkname_len)) { + if (error) { +- spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%s\"", fname, hdr->linkname); ++ spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%.*s\"", fname, linkname_len, hdr->linkname); + } + pefree(entry.filename, entry.is_persistent); + php_stream_close(fp); + phar_destroy_phar_data(myphar TSRMLS_CC); + return FAILURE; + } +- entry.link = estrdup(hdr->linkname); ++ entry.link = estrndup(hdr->linkname, linkname_len); + } else if (entry.tar_type == TAR_SYMLINK) { +- entry.link = estrdup(hdr->linkname); ++ entry.link = estrndup(hdr->linkname, linkname_len); + } + phar_set_inode(&entry TSRMLS_CC); + zend_hash_add(&myphar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), (void **) &newentry); diff -Nru php5-5.5.9+dfsg/debian/patches/CVE-2016-3141.patch php5-5.5.9+dfsg/debian/patches/CVE-2016-3141.patch --- php5-5.5.9+dfsg/debian/patches/CVE-2016-3141.patch 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.5.9+dfsg/debian/patches/CVE-2016-3141.patch 2016-04-28 15:26:14.000000000 +0000 
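Review bot: The fallback is guarded by `#if !HAVE_STRNLEN`, which is also true when the macro is simply never defined; if this 5.5.9 tree's configure does not probe for strnlen, the `static` definition collides with the glibc prototype from `<string.h>` and the build breaks, so confirm `HAVE_STRNLEN` is produced by configure on this branch. The literal `100` in `strnlen(hdr->name, 100)` and `strnlen(hdr->linkname, 100)` is the tar field width; `sizeof(hdr->name)` and `sizeof(hdr->linkname)` tie the bound to the header layout and document the intent, and `linkname_len` could carry a comment such as `/* bounded to the 100-byte tar field; linkname is not NUL-terminated when full */` since the same reasoning applies to `hdr->name`. `phar_parse_tarfile` starts in the first hunk and ends outside the second.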
@@ -0,0 +1,113 @@ +From b1bd4119bcafab6f9a8f84d92cd65eec3afeface Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 14 Feb 2016 22:34:39 -0800 +Subject: [PATCH] Fixed bug #71587 - Use-After-Free / Double-Free in WDDX + Deserialize + +--- + ext/wddx/tests/bug71587.phpt | 43 +++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 19 +++++++++++++++---- + 2 files changed, 58 insertions(+), 4 deletions(-) + create mode 100644 ext/wddx/tests/bug71587.phpt + +Index: php5-5.5.9+dfsg/ext/wddx/tests/bug71587.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php5-5.5.9+dfsg/ext/wddx/tests/bug71587.phpt 2016-04-15 13:25:55.489442998 -0400 +@@ -0,0 +1,43 @@ ++--TEST-- ++Bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize) ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ manhluat ++ ++ ++ ++ ++ ++EOF; ++ ++$wddx = wddx_deserialize($xml); ++var_dump($wddx); ++// Print mem leak ++foreach($wddx as $k=>$v) ++ printf("Key: %s\nValue: %s\n",bin2hex($k),bin2hex($v)); ++ ++?> ++DONE ++--EXPECTF-- ++array(2) { ++ [0]=> ++ string(8) "manhluat" ++ [1]=> ++ bool(true) ++} ++Key: 30 ++Value: 6d616e686c756174 ++Key: 31 ++Value: 31 ++DONE +Index: php5-5.5.9+dfsg/ext/wddx/wddx.c +=================================================================== +--- php5-5.5.9+dfsg.orig/ext/wddx/wddx.c 2016-04-15 13:25:55.493443048 -0400 ++++ php5-5.5.9+dfsg/ext/wddx/wddx.c 2016-04-15 13:25:55.493443048 -0400 +@@ -933,6 +933,16 @@ + !strcmp(name, EL_DATETIME)) { + wddx_stack_top(stack, (void**)&ent1); + ++ if (!ent1->data) { ++ if (stack->top > 1) { ++ stack->top--; ++ } else { ++ stack->done = 1; ++ } ++ efree(ent1); ++ return; ++ } ++ + if (!strcmp(name, EL_BINARY)) { + int new_len=0; + unsigned char *new_str; +@@ -1028,6 +1038,7 @@ + } + } else if (!strcmp(name, EL_VAR) && stack->varname) { + efree(stack->varname); ++ stack->varname = NULL; + } else if (!strcmp(name, EL_FIELD)) { + st_entry *ent; + 
wddx_stack_top(stack, (void **)&ent); +@@ -1047,7 +1058,7 @@ + + if (!wddx_stack_is_empty(stack) && !stack->done) { + wddx_stack_top(stack, (void**)&ent); +- switch (Z_TYPE_P(ent)) { ++ switch (ent->type) { + case ST_STRING: + if (Z_STRLEN_P(ent->data) == 0) { + STR_FREE(Z_STRVAL_P(ent->data)); +@@ -1086,11 +1097,11 @@ + } else if (!strcmp(s, "false")) { + Z_LVAL_P(ent->data) = 0; + } else { +- stack->top--; + zval_ptr_dtor(&ent->data); +- if (ent->varname) ++ if (ent->varname) { + efree(ent->varname); +- efree(ent); ++ } ++ ent->data = NULL; + } + break; + diff -Nru php5-5.5.9+dfsg/debian/patches/CVE-2016-3142.patch php5-5.5.9+dfsg/debian/patches/CVE-2016-3142.patch --- php5-5.5.9+dfsg/debian/patches/CVE-2016-3142.patch 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.5.9+dfsg/debian/patches/CVE-2016-3142.patch 2016-04-28 15:26:14.000000000 +0000 
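Review bot: In the malformed-boolean branch `ent->varname` is freed but not reset, while the same hunk adds `stack->varname = NULL;` right after its `efree`; the entry now stays on the stack with `data == NULL` and is released only by the new early-return block in the end-element handler, so a dangling `varname` pointer survives until then. Adding `ent->varname = NULL;` after `efree(ent->varname);` mirrors the other fix and turns any later touch into a NULL check instead of a use-after-free. The new early-return block frees `ent1` but not `ent1->varname`, which is correct only if every path that sets `data = NULL` has already freed `varname`; a one-line comment there, e.g. `/* data == NULL marks an entry already torn down in the data handler; varname was freed there */`, would record that invariant for the next maintainer. Both enclosing functions start and end outside the hunks.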
@@ -0,0 +1,27 @@
+From a6fdc5bb27b20d889de0cd29318b3968aabb57bd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 21 Feb 2016 16:51:05 -0800
+Subject: [PATCH] Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()
+
+---
+ ext/phar/tests/bug71488.phpt | 1 +
+ ext/phar/tests/bug71498.phpt | 17 +++++++++++++++++
+ ext/phar/tests/bug71498.zip | Bin 0 -> 65677 bytes
+ ext/phar/zip.c | 6 +++---
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug71498.phpt
+ create mode 100644 ext/phar/tests/bug71498.zip
+
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index e4883d3..7f294c2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -199,7 +199,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ }
+
+ while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
+- if (!memcmp(p + 1, "K\5\6", 3)) {
++ if ((p - buf) + sizeof(locator) <= size && !memcmp(p + 1, "K\5\6", 3)) {
+ memcpy((void *)&locator, (void *) p, sizeof(locator));
+ if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) {
+ /* split archives not handled */
diff -Nru php5-5.5.9+dfsg/debian/patches/series php5-5.5.9+dfsg/debian/patches/series
--- php5-5.5.9+dfsg/debian/patches/series 2016-04-07 21:27:28.000000000 +0000
+++ php5-5.5.9+dfsg/debian/patches/series 2016-04-28 15:26:42.000000000 +0000
@@ -107,4 +107,18 @@
 CVE-2015-6837-6838.patch
 CVE-2015-7803.patch
 CVE-2015-7804.patch
+CVE-2014-9767.patch
+CVE-2015-8835.patch
+CVE-2015-8838.patch
+CVE-2016-1903.patch
+CVE-2016-2554.patch
+CVE-2016-3141.patch
+CVE-2016-3142.patch
+bug64938.patch
+bug70014.patch
+bug71527.patch
+bug71704.patch
+bug71798.patch
+bug71860.patch
+bug71906.patch
 backport_2c204a55.patch
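Review bot: The new bound `(p - buf) + sizeof(locator) <= size` mixes a `ptrdiff_t` with a `size_t`, so the sum is evaluated unsigned; that is fine because `p` is always at or past `buf` inside this loop, but a short comment such as `/* the whole end-of-central-directory record must lie inside buf before memcpy reads it */` would record why the full `sizeof(locator)` is required rather than only the 3 bytes `memcmp` inspects. The header lists four changed files (two tests and a binary fixture) while only the zip.c hunk is carried, so, as with the other backports in this series, a leading `Backport of:` line would make the trimmed scope explicit. `phar_parse_zipfile` starts and ends outside the hunk.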