# HG changeset patch # User Craig Mohrman # Date 1434581258 25200 # Node ID 4e8085696007f527b5a708dde1574c4480df85de # Parent 7665830787a5e1912ddf21971e5b8f06bee8d05d 20192108 problem in UTILITY/PHP 20231115 problem in UTILITY/PHP 20936509 problem in UTILITY/PHP 20804024 problem in UTILITY/PHP 20804061 problem in UTILITY/PHP 20804135 problem in UTILITY/PHP 20804363 problem in UTILITY/PHP 20804424 problem in UTILITY/PHP 20433657 problem in UTILITY/PHP 20803998 problem in UTILITY/PHP 20804391 problem in UTILITY/PHP diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/260_php_20936509.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/260_php_20936509.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,18 @@ +CVE-2015-3330 +Community BUG: +https://bugs.php.net/bug.php?id=69218 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7 +This patch was created from the community reports above. + + +--- php-5.3.29/sapi/apache2handler/sapi_apache2.c_orig 2015-06-10 13:38:01.218738017 -0700 ++++ php-5.3.29/sapi/apache2handler/sapi_apache2.c 2015-06-10 13:38:30.440222529 -0700 +@@ -690,6 +690,7 @@ + } zend_end_try(); + } + apr_brigade_cleanup(brigade); ++ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); + } else { + ctx->r = parent_req; + } diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/261_php_20936509.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/261_php_20936509.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,174 @@ +CVE-2015-2783 +Community BUG: +https://bugs.php.net/bug.php?id=69324 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=9faaee66fa493372c7340b1ab05f8fd115131a42 +Below is the community patch. + +Not including the test files at the moment: +ext/phar/tests/bug69324.phar +ext/phar/tests/bug69324.phpt +because our version of gpatch doesn't understand the git binary data file. + + + +From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 5 Apr 2015 15:07:36 -0700 +Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when + parsing Phar) + +--- + ext/phar/phar.c | 65 ++++++++++++++++++++----------------------- + ext/phar/phar_internal.h | 2 +- + ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes + ext/phar/tests/bug69324.phpt | 17 +++++++++++ + 4 files changed, 48 insertions(+), 36 deletions(-) + create mode 100644 ext/phar/tests/bug69324.phar + create mode 100644 ext/phar/tests/bug69324.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index ec82351..bf0c985 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len + * + * data is the serialized zval + */ +-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ + { + const unsigned char *p; +- php_uint32 buf_len; + php_unserialize_data_t var_hash; + +- if (!zip_metadata_len) { +- PHAR_GET_32(*buffer, buf_len); +- } else { +- buf_len = zip_metadata_len; +- } +- +- if (buf_len) { ++ if (zip_metadata_len) { + ALLOC_ZVAL(*metadata); + INIT_ZVAL(**metadata); + p = (const unsigned char*) *buffer; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + +- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_ptr_dtor(metadata); + *metadata = NULL; +@@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR + if (PHAR_G(persist)) { + /* lazy init metadata */ + zval_ptr_dtor(metadata); +- *metadata = (zval *) pemalloc(buf_len, 1); +- memcpy(*metadata, *buffer, buf_len); +- *buffer += buf_len; ++ *metadata = (zval *) pemalloc(zip_metadata_len, 1); ++ memcpy(*metadata, *buffer, zip_metadata_len); + return SUCCESS; + } + } else { + *metadata = NULL; + } + +- if (!zip_metadata_len) { +- *buffer += buf_len; +- } +- + return SUCCESS; + } + /* }}}*/ +@@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + phar_entry_info entry; + php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; + php_uint16 manifest_ver; ++ php_uint32 len; + long offset; + int sig_len, register_alias = 0, temp_alias = 0; + char *signature = NULL; +@@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + mydata->is_persistent = PHAR_G(persist); + + /* check whether we have meta data, zero check works regardless of byte order */ ++ PHAR_GET_32(buffer, len); + if (mydata->is_persistent) { +- PHAR_GET_32(buffer, mydata->metadata_len); +- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); +- } +- } else { +- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { +- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ mydata->metadata_len = len; ++ if(!len) { ++ /* FIXME: not sure why this is needed but removing it breaks tests */ ++ PHAR_GET_32(buffer, len); + } + } ++ if(len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); ++ } ++ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { ++ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); ++ } ++ buffer += len; + + /* set up our manifest */ + zend_hash_init(&mydata->manifest, manifest_count, +@@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.manifest_pos = manifest_index; + } + +- if (buffer + entry.filename_len + 20 > endbuffer) { ++ if (entry.filename_len + 20 > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + +@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.flags |= PHAR_ENT_PERM_DEF_DIR; + } + ++ PHAR_GET_32(buffer, len); + if (entry.is_persistent) { +- PHAR_GET_32(buffer, entry.metadata_len); +- if (!entry.metadata_len) buffer -= 4; +- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = len; + } else { +- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { +- pefree(entry.filename, entry.is_persistent); +- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); +- } ++ entry.metadata_len = 0; ++ } ++ if (len > endbuffer - buffer) { ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); ++ } ++ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { ++ pefree(entry.filename, entry.is_persistent); ++ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); + } ++ buffer += len; + + entry.offset = entry.offset_abs = offset; + offset += entry.compressed_filesize; +diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h +index c9306c1..fcfc864 100644 +--- a/ext/phar/phar_internal.h ++++ b/ext/phar/phar_internal.h +@@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len, + char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); + char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); + phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC); +-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC); ++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); + void destroy_phar_manifest_entry(void *pDest); + int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); + php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/262_php_20936509.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/262_php_20936509.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,48 @@ +CVE-2015-3329 +Community BUG: +https://bugs.php.net/bug.php?id=69441 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c +Below is the community patch. + +Not including the test files at the moment: +ext/phar/tests/bug69441.phar +ext/phar/tests/bug69441.phpt +because our version of gpatch doesn't understand the git binary data file. + + +From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 14 Apr 2015 00:03:50 -0700 +Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in + phar_set_inode) + +--- + ext/phar/phar_internal.h | 9 ++++++--- + ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes + ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++ + 3 files changed, 27 insertions(+), 3 deletions(-) + create mode 100644 ext/phar/tests/bug69441.phar + create mode 100644 ext/phar/tests/bug69441.phpt + +diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h +index fcfc864..84282d2 100644 +--- a/ext/phar/phar_internal.h ++++ b/ext/phar/phar_internal.h +@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */ + { + char tmp[MAXPATHLEN]; + int tmp_len; ++ size_t len; + +- tmp_len = entry->filename_len + entry->phar->fname_len; +- memcpy(tmp, entry->phar->fname, entry->phar->fname_len); +- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len); ++ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len); ++ len = MIN(entry->phar->fname_len, tmp_len); ++ memcpy(tmp, entry->phar->fname, len); ++ len = MIN(tmp_len - len, entry->filename_len); ++ memcpy(tmp + entry->phar->fname_len, entry->filename, len); + entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len); + } + /* }}} */ diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/263_php_20936509.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/263_php_20936509.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,38 @@ +CVE-2014-9709 +Community BUG: +https://bugs.php.net/bug.php?id=68601 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b +Below is the community patch. + + +diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c +index ee88a2f..491e942 100644 +--- a/ext/gd/libgd/gd_gif_in.c ++++ b/ext/gd/libgd/gd_gif_in.c +@@ -72,8 +72,10 @@ static struct { + + #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) + ++#define CSD_BUF_SIZE 280 ++ + typedef struct { +- unsigned char buf[280]; ++ unsigned char buf[CSD_BUF_SIZE]; + int curbit, lastbit, done, last_byte; + } CODE_STATIC_DATA; + +@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD + + ret = 0; + for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) +- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j; ++ if (i < CSD_BUF_SIZE * 8) { ++ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; ++ } else { ++ ret = -1; ++ break; ++ } + + scd->curbit += code_size; + return ret; diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/264_php_20936509.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/264_php_20936509.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,22 @@ +CVE-2015-2301 +Community BUG: +https://bugs.php.net/bug.php?id=68901 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b +Below is the community patch. + + +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index 3671054..712795b 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -2139,8 +2139,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c + } + its_ok: + if (SUCCESS == php_stream_stat_path(newpath, &ssb)) { +- efree(oldpath); + zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath); ++ efree(oldpath); + return NULL; + } + if (!phar->is_data) { diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/270_php_20192108.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/270_php_20192108.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,26 @@ +CVE-2014-3710 +Community BUG: +https://bugs.php.net/bug.php?id=68283 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d +really: +https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0 +This patch was created from the community reports above. + + +--- php-5.3.29/ext/fileinfo/libmagic/readelf.c_orig 2015-06-12 14:26:23.865377086 -0700 ++++ php-5.3.29/ext/fileinfo/libmagic/readelf.c 2015-06-12 14:29:09.089820837 -0700 +@@ -368,6 +368,13 @@ + #endif + uint32_t namesz, descsz; + ++ if (xnh_sizeof + offset > size) { ++ /* ++ * We're out of note headers. ++ */ ++ return xnh_sizeof + offset; ++ } ++ + (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof); + offset += xnh_sizeof; + diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/271_php_20192108.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/271_php_20192108.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,70 @@ +CVE-2014-3669 +Community BUG: +https://bugs.php.net/bug.php?id=68044 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159 +Below is the community patch. + + + +From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 28 Sep 2014 14:19:31 -0700 +Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits + only) + +--- + NEWS | 5 ++++- + ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++ + ext/standard/var_unserializer.c | 4 ++-- + ext/standard/var_unserializer.re | 2 +- + 4 files changed, 19 insertions(+), 4 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug68044.phpt + +diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt +new file mode 100644 +index 0000000..031e44e +--- /dev/null ++++ b/ext/standard/tests/serialize/bug68044.phpt +@@ -0,0 +1,12 @@ ++--TEST-- ++Bug #68044 Integer overflow in unserialize() (32-bits only) ++--FILE-- ++ ++===DONE== ++--EXPECTF-- ++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 ++ ++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 ++===DONE== +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index 657051f..8129da3 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) + + (*p) += 2; + +- if (datalen < 0 || (*p) + datalen >= max) { ++ if (datalen < 0 || (max - (*p)) <= datalen) { + zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); + return 0; + } +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 1307508..6de1583 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) + + (*p) += 2; + +- if (datalen < 0 || (*p) + datalen >= max) { ++ if (datalen < 0 || (max - (*p)) <= datalen) { + zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); + return 0; + } +-- +2.1.4 + diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/272_php_20192108.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/272_php_20192108.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,44 @@ +CVE-2014-3670 +Community BUG: +https://bugs.php.net/bug.php?id=68113 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b +Below is the community patch. + +Not including the test files at the moment: +ext/exif/tests/bug68113.jpg +ext/exif/tests/bug68113.phpt +because our version of gpatch doesn't understand the git binary data file. + + +From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 28 Sep 2014 16:57:42 -0700 +Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail()) + +--- + ext/exif/exif.c | 4 ++-- + ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes + ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++ + 3 files changed, 19 insertions(+), 2 deletions(-) + create mode 100755 ext/exif/tests/bug68113.jpg + create mode 100644 ext/exif/tests/bug68113.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 38907b4..637ebf9 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel + data_ptr += 8; + break; + case TAG_FMT_SINGLE: +- memmove(data_ptr, &info_data->value.f, byte_count); ++ memmove(data_ptr, &info_value->f, 4); + data_ptr += 4; + break; + case TAG_FMT_DOUBLE: +- memmove(data_ptr, &info_data->value.d, byte_count); ++ memmove(data_ptr, &info_value->d, 8); + data_ptr += 8; + break; + } diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/273_php_20192108.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/273_php_20192108.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,126 @@ +CVE-2014-3668 +Community BUG: +https://bugs.php.net/bug.php?id=68027 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e +Below is the community patch. + + +From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 28 Sep 2014 17:33:44 -0700 +Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib + +--- + NEWS | 5 ++++- + ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++----- + ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 56 insertions(+), 6 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug68027.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c +index ce70c2a..b766a54 100644 +--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c ++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c +@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_mon = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+4]) + tm.tm_mon += (text[i+4]-'0')*n; + n /= 10; + } + tm.tm_mon --; ++ if(tm.tm_mon < 0 || tm.tm_mon > 11) { ++ return -1; ++ } + + n = 10; + tm.tm_mday = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+6]) + tm.tm_mday += (text[i+6]-'0')*n; + n /= 10; + } +@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_hour = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+9]) + tm.tm_hour += (text[i+9]-'0')*n; + n /= 10; + } +@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_min = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+12]) + tm.tm_min += (text[i+12]-'0')*n; + n /= 10; + } +@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { + n = 10; + tm.tm_sec = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+15]) + tm.tm_sec += (text[i+15]-'0')*n; + n /= 10; + } +diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt +new file mode 100644 +index 0000000..a5c96f1 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug68027.phpt +@@ -0,0 +1,44 @@ ++--TEST-- ++Bug #68027 (buffer overflow in mkgmtime() function) ++--SKIPIF-- ++ ++--FILE-- ++$datetime"); ++print_r($obj); ++ ++$datetime = "34770-0-08T21:46:40-0400"; ++$obj = xmlrpc_decode("$datetime"); ++print_r($obj); ++ ++echo "Done\n"; ++?> ++--EXPECTF-- ++object(stdClass)#1 (3) { ++ ["scalar"]=> ++ string(16) "6-01-01 20:00:00" ++ ["xmlrpc_type"]=> ++ string(8) "datetime" ++ ["timestamp"]=> ++ int(%d) ++} ++stdClass Object ++( ++ [scalar] => 2001-0-08T21:46:40-0400 ++ [xmlrpc_type] => datetime ++ [timestamp] => %s ++) ++stdClass Object ++( ++ [scalar] => 34770-0-08T21:46:40-0400 ++ [xmlrpc_type] => datetime ++ [timestamp] => %d ++) ++Done +-- +2.1.4 + diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/280_php_20804024.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/280_php_20804024.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,46 @@ +CVE-2014-9653 +Community BUG: +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9653 +Community CODE: +https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f +This patch was adapted from the community reports above. + + +--- php-5.3.29/ext/fileinfo/libmagic/readelf.c_orig 2015-06-12 16:40:10.463458900 -0700 ++++ php-5.3.29/ext/fileinfo/libmagic/readelf.c 2015-06-12 16:59:36.213626077 -0700 +@@ -313,7 +313,7 @@ + file_badseek(ms); + return -1; + } +- if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) == -1) { ++ if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) { + file_badread(ms); + return -1; + } +@@ -869,7 +869,7 @@ + file_badseek(ms); + return -1; + } +- if (FINFO_READ_FUNC(fd, xsh_addr, xsh_sizeof) == -1) { ++ if (FINFO_READ_FUNC(fd, xsh_addr, xsh_sizeof) < (ssize_t)xsh_sizeof) { + file_badread(ms); + return -1; + } +@@ -901,7 +901,7 @@ + efree(nbuf); + return -1; + } +- if (FINFO_READ_FUNC(fd, nbuf, (size_t)xsh_size) != ++ if (FINFO_READ_FUNC(fd, nbuf, (size_t)xsh_size) < + (ssize_t)xsh_size) { + efree(nbuf); + file_badread(ms); +@@ -1058,7 +1058,7 @@ + return -1; + } + +- if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) == -1) { ++ if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) { + file_badread(ms); + return -1; + } diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/290_php_20804061.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/290_php_20804061.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,42 @@ +CVE-2014-9705 +Community BUG: +https://bugs.php.net/bug.php?id=68552 +Community CODE: +http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803 +Below is the community patch. + + +--- a/ext/enchant/enchant.c 2011/10/01 13:13:13 317600 ++++ b/ext/enchant/enchant.c 2015/01/26 11:49:40 335803 +@@ -549,13 +549,12 @@ + + d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag); + if (d) { ++ pos = pbroker->dictcnt++; + if (pbroker->dictcnt) { + pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); +- pos = pbroker->dictcnt++; + } else { + pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); + pos = 0; +- pbroker->dictcnt++; + } + + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); +@@ -606,14 +605,14 @@ + + d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl); + if (d) { ++ pos = pbroker->dictcnt++; + if (pbroker->dictcnt) { +- pos = pbroker->dictcnt++; + pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); + } else { + pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); + pos = 0; +- pbroker->dictcnt++; + } ++ + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); + dict->id = pos; + dict->pbroker = pbroker; diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/300_php_20804135.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/300_php_20804135.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,83 @@ +CVE-2015-0273 +Community BUG: +https://bugs.php.net/bug.php?id=68942 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=71335e6ebabc1b12c057d8017fd811892ecdfd24 +Below is the community patch. + + +From 71335e6ebabc1b12c057d8017fd811892ecdfd24 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 17 Feb 2015 06:53:27 +0100 +Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize() + with DateTimeZone) + +--- + ext/date/php_date.c | 21 ++++++++++----------- + ext/date/tests/bug68942.phpt | 9 +++++++++ + ext/date/tests/bug68942_2.phpt | 9 +++++++++ + 3 files changed, 28 insertions(+), 11 deletions(-) + create mode 100644 ext/date/tests/bug68942.phpt + create mode 100644 ext/date/tests/bug68942_2.phpt + +diff --git a/ext/date/php_date.c b/ext/date/php_date.c +index f8571b9..15ca08d 100644 +--- a/ext/date/php_date.c ++++ b/ext/date/php_date.c +@@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht + timelib_tzinfo *tzi; + php_timezone_obj *tzobj; + +- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { +- convert_to_string(*z_date); +- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { +- convert_to_long(*z_timezone_type); +- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { +- convert_to_string(*z_timezone); ++ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { ++ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { ++ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { + + switch (Z_LVAL_PP(z_timezone_type)) { + case TIMELIB_ZONETYPE_OFFSET: +@@ -2827,7 +2824,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht + + case TIMELIB_ZONETYPE_ID: { + int ret; +- convert_to_string(*z_timezone); + + tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); + +diff --git a/ext/date/tests/bug68942.phpt b/ext/date/tests/bug68942.phpt +new file mode 100644 +index 0000000..595cd9f +--- /dev/null ++++ b/ext/date/tests/bug68942.phpt +@@ -0,0 +1,9 @@ ++--TEST-- ++Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). ++--FILE-- ++ ++--EXPECTF-- ++Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d +diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt +new file mode 100644 +index 0000000..5b02567 +--- /dev/null ++++ b/ext/date/tests/bug68942_2.phpt +@@ -0,0 +1,9 @@ ++--TEST-- ++Bug #68942 (Use after free vulnerability in unserialize() with DateTime). ++--FILE-- ++ ++--EXPECTF-- ++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d +-- +2.1.4 + diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/310_php_20804363.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/310_php_20804363.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,35 @@ +CVE-2015-2331 +Community BUG: +https://bugs.php.net/bug.php?id=69253 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 +Below is the community patch. + + +From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 17 Mar 2015 21:59:56 -0700 +Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past + heap boundary + +--- + NEWS | 4 ++++ + ext/zip/lib/zip_dirent.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c +index b9dac5c..0090801 100644 +--- a/ext/zip/lib/zip_dirent.c ++++ b/ext/zip/lib/zip_dirent.c +@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error) + return NULL; + } + +- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry)) ++ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) + == NULL) { + _zip_error_set(error, ZIP_ER_MEMORY, 0); + free(cd); +-- +2.1.4 + diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/320_php_20804424.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/320_php_20804424.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,32 @@ +CVE-2015-2787 +Community BUG: +https://bugs.php.net/bug.php?id=68976 +Community CODE: +https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d +Below is the community patch. + + +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index f114080..c7749a4 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -349,6 +349,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } ++ var_push_dtor(var_hash, &data); + + zval_dtor(key); + FREE_ZVAL(key); +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index f04fc74..abac77c 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } ++ var_push_dtor(var_hash, &data); + + zval_dtor(key); + FREE_ZVAL(key); diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/330_php_20231115.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/330_php_20231115.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,51 @@ +POODLE +Crafted patch based on community code in +php 5.5.26 and php 5.6.8. + + +--- php-5.3.29/ext/openssl/xp_ssl.c_orig 2015-06-14 14:43:23.797128188 -0700 ++++ php-5.3.29/ext/openssl/xp_ssl.c 2015-06-14 14:59:55.059042744 -0700 +@@ -338,9 +338,14 @@ + break; + #endif + case STREAM_CRYPTO_METHOD_SSLv3_CLIENT: ++#ifdef OPENSSL_NO_SSL3 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against"); ++ return -1; ++#else + sslsock->is_client = 1; + method = SSLv3_client_method(); + break; ++#endif + case STREAM_CRYPTO_METHOD_TLS_CLIENT: + sslsock->is_client = 1; + method = TLSv1_client_method(); +@@ -350,9 +355,14 @@ + method = SSLv23_server_method(); + break; + case STREAM_CRYPTO_METHOD_SSLv3_SERVER: ++#ifdef OPENSSL_NO_SSL3 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against"); ++ return -1; ++#else + sslsock->is_client = 0; + method = SSLv3_server_method(); + break; ++#endif + case STREAM_CRYPTO_METHOD_SSLv2_SERVER: + #ifdef OPENSSL_NO_SSL2 + php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against"); +@@ -933,8 +943,13 @@ + sslsock->method = STREAM_CRYPTO_METHOD_SSLv2_CLIENT; + #endif + } else if (strncmp(proto, "sslv3", protolen) == 0) { ++#ifdef OPENSSL_NO_SSL3 ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against"); ++ return NULL; ++#else + sslsock->enable_on_connect = 1; + sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT; ++#endif + } else if (strncmp(proto, "tls", protolen) == 0) { + sslsock->enable_on_connect = 1; + sslsock->method = STREAM_CRYPTO_METHOD_TLS_CLIENT; diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/340_php_20433657.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/340_php_20433657.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,19 @@ +CVE-2015-0232 +Community BUG: +https://bugs.php.net/bug.php?id=68799 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=55001de6d8c6ed2aada870a76de1e4b4558737bf +This patch was created from the community reports above. + + +--- php-5.3.29/ext/exif/exif.c_orig 2015-06-14 15:28:49.975351692 -0700 ++++ php-5.3.29/ext/exif/exif.c 2015-06-14 15:29:28.860406969 -0700 +@@ -2722,7 +2722,7 @@ + static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) + { + xp_field->tag = tag; +- ++ xp_field->value = NULL; + /* Copy the comment */ + #if EXIF_USE_MBSTRING + /* What if MS supports big-endian with XP? */ diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/350_php_20803998.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/350_php_20803998.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,51 @@ +CVE-2014-9652 +Community BUG: +https://bugs.php.net/bug.php?id=68735 +Community CODE: +https://bugs.php.net/patch-display.php?bug=68735&patch=bug68735.patch&revision=1420309079 +Below is the community patch. + + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 7e0c856..e7b7855 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip) + size_t sz = file_pstring_length_size(m); + char *ptr1 = p->s, *ptr2 = ptr1 + sz; + size_t len = file_pstring_get_length(m, ptr1); +- if (len >= sizeof(p->s)) { ++ sz = sizeof(p->s) - sz; /* maximum length of string */ ++ if (len >= sz) { + /* + * The size of the pascal string length (sz) + * is 1, 2, or 4. We need at least 1 byte for NUL + * termination, but we've already truncated the + * string by p->s, so we need to deduct sz. ++ * Because we can use one of the bytes of the length ++ * after we shifted as NUL termination. + */ +- len = sizeof(p->s) - sz; ++ len = sz; + } + while (len--) + *ptr1++ = *ptr2++; +--- /dev/null Sat Jan 3 19:01:50 2015 ++++ a/ext/fileinfo/tests/bug68735.phpt Sat Jan 3 18:57:32 2015 +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #68735 fileinfo out-of-bounds memory access ++--SKIPIF-- ++ ++--FILE-- ++file($test_file)); ++ ++?> ++===DONE=== ++--EXPECTF-- ++string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S"" ++===DONE=== diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/patches/360_php_20804391.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/php-sapi/patches/360_php_20804391.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,34 @@ +CVE-2015-2348 +Community BUG: +https://bugs.php.net/bug.php?id=69207 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 +Below is the community patch. + + +From 1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 17 Mar 2015 12:47:58 -0700 +Subject: [PATCH] Fix bug #69207 - move_uploaded_file allows nulls in path + +--- + NEWS | 3 +++ + ext/standard/basic_functions.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c +index 9a9df30..c3e2230 100644 +--- a/ext/standard/basic_functions.c ++++ b/ext/standard/basic_functions.c +@@ -5775,7 +5775,7 @@ PHP_FUNCTION(move_uploaded_file) + RETURN_FALSE; + } + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &new_path, &new_path_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sp", &path, &path_len, &new_path, &new_path_len) == FAILURE) { + return; + } + +-- +2.1.4 + diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/php-sapi/php.mk --- a/components/php-5_3/php-sapi/php.mk Wed Jun 17 11:15:14 2015 -0700 +++ b/components/php-5_3/php-sapi/php.mk Wed Jun 17 15:47:38 2015 -0700 @@ -38,8 +38,6 @@ $(COMPONENT_SRC)/Zend/zend_language_parser.h \ $(COMPONENT_SRC)/Zend/zend_language_parser.output ) -PATCHES = $(shell cd $(PATCH_DIR); echo [0-9]* $$(MACH)* ) - COMPONENT_PRE_CONFIGURE_ACTION = ( \ set -e; \ cd $(COMPONENT_SRC); $(ENV) -i PATH=/usr/gnu/bin:$(PATH) \ @@ -50,3 +48,7 @@ < configure_orig > configure; \ $(CHMOD) 755 configure; \ $(CLONEY) $(SOURCE_DIR) $(@D) ) + +# Disable SSLv2 and SSLv3 for security reasons +CFLAGS += -DOPENSSL_NO_SSL2 +CFLAGS += -DOPENSSL_NO_SSL3 diff -r 7665830787a5 -r 4e8085696007 components/php-5_3/zendopcache/patches/php_20936509.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/php-5_3/zendopcache/patches/php_20936509.patch Wed Jun 17 15:47:38 2015 -0700 @@ -0,0 +1,22 @@ +CVE-2015-1351 +Community BUG: +https://bugs.php.net/bug.php?id=68677 +Community CODE: +http://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115 +This patch was created from the community reports above. + + +--- zendopcache-7.0.2/zend_shared_alloc.c_orig 2015-06-10 13:25:02.003036264 -0700 ++++ zendopcache-7.0.2/zend_shared_alloc.c 2015-06-10 13:25:50.714271495 -0700 +@@ -346,10 +346,10 @@ + retval = ZCG(mem);; + ZCG(mem) = (void*)(((char*)ZCG(mem)) + ZEND_ALIGNED_SIZE(size)); + memcpy(retval, source, size); ++ zend_shared_alloc_register_xlat_entry(source, retval); + if (free_source) { + interned_efree((char*)source); + } +- zend_shared_alloc_register_xlat_entry(source, retval); + return retval; + } +