20192108 problem in UTILITY/PHP
20231115 problem in UTILITY/PHP
20936509 problem in UTILITY/PHP
20804024 problem in UTILITY/PHP
20804061 problem in UTILITY/PHP
20804135 problem in UTILITY/PHP
20804363 problem in UTILITY/PHP
20804424 problem in UTILITY/PHP
20433657 problem in UTILITY/PHP
20803998 problem in UTILITY/PHP
20804391 problem in UTILITY/PHP
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/80_php_20192108.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,70 @@
+CVE-2014-3669
+Community BUG:
+https://bugs.php.net/bug.php?id=68044
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159
+Below is the community patch.
+
+
+
+From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 14:19:31 -0700
+Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
+ only)
+
+---
+ NEWS | 5 ++++-
+ ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
+ ext/standard/var_unserializer.c | 4 ++--
+ ext/standard/var_unserializer.re | 2 +-
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug68044.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
+new file mode 100644
+index 0000000..031e44e
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68044.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #68044 Integer overflow in unserialize() (32-bits only)
++--FILE--
++<?php
++ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
++?>
++===DONE==
++--EXPECTF--
++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
++
++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
++===DONE==
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 657051f..8129da3 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 1307508..6de1583 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+--
+2.1.4
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/81_php_20192108.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,44 @@
+CVE-2014-3670
+Community BUG:
+https://bugs.php.net/bug.php?id=68113
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
+Below is the community patch.
+
+Not including the test files at the moment:
+ext/exif/tests/bug68113.jpg
+ext/exif/tests/bug68113.phpt
+because our version of gpatch doesn't understand the git binary data file.
+
+
+From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 16:57:42 -0700
+Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
+
+---
+ ext/exif/exif.c | 4 ++--
+ ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes
+ ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100755 ext/exif/tests/bug68113.jpg
+ create mode 100644 ext/exif/tests/bug68113.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 38907b4..637ebf9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
+ data_ptr += 8;
+ break;
+ case TAG_FMT_SINGLE:
+- memmove(data_ptr, &info_data->value.f, byte_count);
++ memmove(data_ptr, &info_value->f, 4);
+ data_ptr += 4;
+ break;
+ case TAG_FMT_DOUBLE:
+- memmove(data_ptr, &info_data->value.d, byte_count);
++ memmove(data_ptr, &info_value->d, 8);
+ data_ptr += 8;
+ break;
+ }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/82_php_20192108.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,126 @@
+CVE-2014-3668
+Community BUG:
+https://bugs.php.net/bug.php?id=68027
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
+Below is the community patch.
+
+
+From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ NEWS | 5 ++++-
+ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new file mode 100644
+index 0000000..a5c96f1
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug68027.phpt
+@@ -0,0 +1,44 @@
++--TEST--
++Bug #68027 (buffer overflow in mkgmtime() function)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++
++$d = '6-01-01 20:00:00';
++xmlrpc_set_type($d, 'datetime');
++var_dump($d);
++$datetime = "2001-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++$datetime = "34770-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++echo "Done\n";
++?>
++--EXPECTF--
++object(stdClass)#1 (3) {
++ ["scalar"]=>
++ string(16) "6-01-01 20:00:00"
++ ["xmlrpc_type"]=>
++ string(8) "datetime"
++ ["timestamp"]=>
++ int(%d)
++}
++stdClass Object
++(
++ [scalar] => 2001-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %s
++)
++stdClass Object
++(
++ [scalar] => 34770-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %d
++)
++Done
+--
+2.1.4
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/90_php_20231115.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,99 @@
+POODLE
+Crafted patch based on community code in
+php 5.5.26 and php 5.6.8.
+
+
+--- php-5.2.17/ext/openssl/openssl.c_orig 2015-06-18 10:15:48.109872494 -0700
++++ php-5.2.17/ext/openssl/openssl.c 2015-06-18 10:18:05.535474825 -0700
+@@ -778,7 +778,9 @@
+
+ php_stream_xport_register("ssl", php_openssl_ssl_socket_factory TSRMLS_CC);
+ php_stream_xport_register("sslv3", php_openssl_ssl_socket_factory TSRMLS_CC);
++#ifndef OPENSSL_NO_SSL2
+ php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
++#endif
+ php_stream_xport_register("tls", php_openssl_ssl_socket_factory TSRMLS_CC);
+
+ /* override the default tcp socket provider */
+@@ -812,7 +814,9 @@
+ php_unregister_url_stream_wrapper("ftps" TSRMLS_CC);
+
+ php_stream_xport_unregister("ssl" TSRMLS_CC);
++#ifndef OPENSSL_NO_SSL2
+ php_stream_xport_unregister("sslv2" TSRMLS_CC);
++#endif
+ php_stream_xport_unregister("sslv3" TSRMLS_CC);
+ php_stream_xport_unregister("tls" TSRMLS_CC);
+
+--- php-5.2.17/ext/openssl/xp_ssl.c_orig 2010-04-23 06:32:03.000000000 -0700
++++ php-5.2.17/ext/openssl/xp_ssl.c 2015-06-18 10:22:48.916391649 -0700
+@@ -333,13 +333,23 @@
+ method = SSLv23_client_method();
+ break;
+ case STREAM_CRYPTO_METHOD_SSLv2_CLIENT:
++#ifdef OPENSSL_NO_SSL2
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
++ return -1;
++#else
+ sslsock->is_client = 1;
+ method = SSLv2_client_method();
+ break;
++#endif
+ case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
++#ifdef OPENSSL_NO_SSL3
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++ return -1;
++#else
+ sslsock->is_client = 1;
+ method = SSLv3_client_method();
+ break;
++#endif
+ case STREAM_CRYPTO_METHOD_TLS_CLIENT:
+ sslsock->is_client = 1;
+ method = TLSv1_client_method();
+@@ -349,13 +359,23 @@
+ method = SSLv23_server_method();
+ break;
+ case STREAM_CRYPTO_METHOD_SSLv3_SERVER:
++#ifdef OPENSSL_NO_SSL3
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++ return -1;
++#else
+ sslsock->is_client = 0;
+ method = SSLv3_server_method();
+ break;
++#endif
+ case STREAM_CRYPTO_METHOD_SSLv2_SERVER:
++#ifdef OPENSSL_NO_SSL2
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
++ return -1;
++#else
+ sslsock->is_client = 0;
+ method = SSLv2_server_method();
+ break;
++#endif
+ case STREAM_CRYPTO_METHOD_TLS_SERVER:
+ sslsock->is_client = 0;
+ method = TLSv1_server_method();
+@@ -814,11 +834,21 @@
+ sslsock->enable_on_connect = 1;
+ sslsock->method = STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
+ } else if (strncmp(proto, "sslv2", protolen) == 0) {
++#ifdef OPENSSL_NO_SSL2
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
++ return NULL;
++#else
+ sslsock->enable_on_connect = 1;
+ sslsock->method = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
++#endif
+ } else if (strncmp(proto, "sslv3", protolen) == 0) {
++#ifdef OPENSSL_NO_SSL3
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++ return NULL;
++#else
+ sslsock->enable_on_connect = 1;
+ sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
++#endif
+ } else if (strncmp(proto, "tls", protolen) == 0) {
+ sslsock->enable_on_connect = 1;
+ sslsock->method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/a0_php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,18 @@
+CVE-2015-3330
+Community BUG:
+https://bugs.php.net/bug.php?id=69218
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/sapi/apache2handler/sapi_apache2.c_orig 2015-06-10 13:38:01.218738017 -0700
++++ php-5.3.29/sapi/apache2handler/sapi_apache2.c 2015-06-10 13:38:30.440222529 -0700
+@@ -690,6 +690,7 @@
+ } zend_end_try();
+ }
+ apr_brigade_cleanup(brigade);
++ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
+ } else {
+ ctx->r = parent_req;
+ }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/a1_php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,38 @@
+CVE-2014-9709
+Community BUG:
+https://bugs.php.net/bug.php?id=68601
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b
+Below is the community patch.
+
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index ee88a2f..491e942 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -72,8 +72,10 @@ static struct {
+
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+- unsigned char buf[280];
++ unsigned char buf[CSD_BUF_SIZE];
+ int curbit, lastbit, done, last_byte;
+ } CODE_STATIC_DATA;
+
+@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
+
+ ret = 0;
+ for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
+- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
++ if (i < CSD_BUF_SIZE * 8) {
++ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++ } else {
++ ret = -1;
++ break;
++ }
+
+ scd->curbit += code_size;
+ return ret;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/b0_php_20804363.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,35 @@
+CVE-2015-2331
+Community BUG:
+https://bugs.php.net/bug.php?id=69253
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
+Below is the community patch.
+
+
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past
+ heap boundary
+
+---
+ NEWS | 4 ++++
+ ext/zip/lib/zip_dirent.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- a/ext/zip/lib/zip_dirent.c
++++ b/ext/zip/lib/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ return NULL;
+ }
+
+- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ == NULL) {
+ _zip_error_set(error, ZIP_ER_MEMORY, 0);
+ free(cd);
+--
+2.1.4
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/c0_php_20804424.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,32 @@
+CVE-2015-2787
+Community BUG:
+https://bugs.php.net/bug.php?id=68976
+Community CODE:
+https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d
+Below is the community patch.
+
+
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index f114080..c7749a4 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -349,6 +349,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ sizeof data, NULL);
+ }
++ var_push_dtor(var_hash, &data);
+
+ zval_dtor(key);
+ FREE_ZVAL(key);
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index f04fc74..abac77c 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ sizeof data, NULL);
+ }
++ var_push_dtor(var_hash, &data);
+
+ zval_dtor(key);
+ FREE_ZVAL(key);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/d0_php_20433657.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,19 @@
+CVE-2015-0232
+Community BUG:
+https://bugs.php.net/bug.php?id=68799
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=55001de6d8c6ed2aada870a76de1e4b4558737bf
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/ext/exif/exif.c_orig 2015-06-14 15:28:49.975351692 -0700
++++ php-5.3.29/ext/exif/exif.c 2015-06-14 15:29:28.860406969 -0700
+@@ -2722,7 +2722,7 @@
+ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
+ {
+ xp_field->tag = tag;
+-
++ xp_field->value = NULL;
+ /* Copy the comment */
+ #if EXIF_USE_MBSTRING
+ /* What if MS supports big-endian with XP? */
--- a/components/php-5_2/php-sapi/php.mk Tue Jun 23 09:14:23 2015 -0700
+++ b/components/php-5_2/php-sapi/php.mk Tue Jun 23 13:44:01 2015 -0700
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
#
COMPONENT_PRE_INSTALL_ACTION += ( \
@@ -40,3 +40,7 @@
< configure.orig > configure; \
$(CHMOD) 755 configure; \
$(CLONEY) $(SOURCE_DIR) $(@D) )
+
+# Disable SSLv2 and SSLv3 for security reasons
+CFLAGS += -DOPENSSL_NO_SSL2
+CFLAGS += -DOPENSSL_NO_SSL3
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/260_php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,18 @@
+CVE-2015-3330
+Community BUG:
+https://bugs.php.net/bug.php?id=69218
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/sapi/apache2handler/sapi_apache2.c_orig 2015-06-10 13:38:01.218738017 -0700
++++ php-5.3.29/sapi/apache2handler/sapi_apache2.c 2015-06-10 13:38:30.440222529 -0700
+@@ -690,6 +690,7 @@
+ } zend_end_try();
+ }
+ apr_brigade_cleanup(brigade);
++ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
+ } else {
+ ctx->r = parent_req;
+ }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/261_php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,174 @@
+CVE-2015-2783
+Community BUG:
+https://bugs.php.net/bug.php?id=69324
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=9faaee66fa493372c7340b1ab05f8fd115131a42
+Below is the community patch.
+
+Not including the test files at the moment:
+ext/phar/tests/bug69324.phar
+ext/phar/tests/bug69324.phpt
+because our version of gpatch doesn't understand the git binary data file.
+
+
+
+From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 5 Apr 2015 15:07:36 -0700
+Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when
+ parsing Phar)
+
+---
+ ext/phar/phar.c | 65 ++++++++++++++++++++-----------------------
+ ext/phar/phar_internal.h | 2 +-
+ ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes
+ ext/phar/tests/bug69324.phpt | 17 +++++++++++
+ 4 files changed, 48 insertions(+), 36 deletions(-)
+ create mode 100644 ext/phar/tests/bug69324.phar
+ create mode 100644 ext/phar/tests/bug69324.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index ec82351..bf0c985 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
+ *
+ * data is the serialized zval
+ */
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */
+ {
+ const unsigned char *p;
+- php_uint32 buf_len;
+ php_unserialize_data_t var_hash;
+
+- if (!zip_metadata_len) {
+- PHAR_GET_32(*buffer, buf_len);
+- } else {
+- buf_len = zip_metadata_len;
+- }
+-
+- if (buf_len) {
++ if (zip_metadata_len) {
+ ALLOC_ZVAL(*metadata);
+ INIT_ZVAL(**metadata);
+ p = (const unsigned char*) *buffer;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+
+- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) {
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ zval_ptr_dtor(metadata);
+ *metadata = NULL;
+@@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR
+ if (PHAR_G(persist)) {
+ /* lazy init metadata */
+ zval_ptr_dtor(metadata);
+- *metadata = (zval *) pemalloc(buf_len, 1);
+- memcpy(*metadata, *buffer, buf_len);
+- *buffer += buf_len;
++ *metadata = (zval *) pemalloc(zip_metadata_len, 1);
++ memcpy(*metadata, *buffer, zip_metadata_len);
+ return SUCCESS;
+ }
+ } else {
+ *metadata = NULL;
+ }
+
+- if (!zip_metadata_len) {
+- *buffer += buf_len;
+- }
+-
+ return SUCCESS;
+ }
+ /* }}}*/
+@@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ phar_entry_info entry;
+ php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
+ php_uint16 manifest_ver;
++ php_uint32 len;
+ long offset;
+ int sig_len, register_alias = 0, temp_alias = 0;
+ char *signature = NULL;
+@@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ mydata->is_persistent = PHAR_G(persist);
+
+ /* check whether we have meta data, zero check works regardless of byte order */
++ PHAR_GET_32(buffer, len);
+ if (mydata->is_persistent) {
+- PHAR_GET_32(buffer, mydata->metadata_len);
+- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) {
+- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+- }
+- } else {
+- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) {
+- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++ mydata->metadata_len = len;
++ if(!len) {
++ /* FIXME: not sure why this is needed but removing it breaks tests */
++ PHAR_GET_32(buffer, len);
+ }
+ }
++ if(len > endbuffer - buffer) {
++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
++ }
++ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) {
++ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++ }
++ buffer += len;
+
+ /* set up our manifest */
+ zend_hash_init(&mydata->manifest, manifest_count,
+@@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.manifest_pos = manifest_index;
+ }
+
+- if (buffer + entry.filename_len + 20 > endbuffer) {
++ if (entry.filename_len + 20 > endbuffer - buffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+
+@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ entry.flags |= PHAR_ENT_PERM_DEF_DIR;
+ }
+
++ PHAR_GET_32(buffer, len);
+ if (entry.is_persistent) {
+- PHAR_GET_32(buffer, entry.metadata_len);
+- if (!entry.metadata_len) buffer -= 4;
+- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) {
+- pefree(entry.filename, entry.is_persistent);
+- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+- }
++ entry.metadata_len = len;
+ } else {
+- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) {
+- pefree(entry.filename, entry.is_persistent);
+- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+- }
++ entry.metadata_len = 0;
++ }
++ if (len > endbuffer - buffer) {
++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
++ }
++ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) {
++ pefree(entry.filename, entry.is_persistent);
++ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+ }
++ buffer += len;
+
+ entry.offset = entry.offset_abs = offset;
+ offset += entry.compressed_filesize;
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index c9306c1..fcfc864 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
+@@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len,
+ char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC);
+ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC);
+ phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC);
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC);
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC);
+ void destroy_phar_manifest_entry(void *pDest);
+ int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC);
+ php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/262_php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,48 @@
+CVE-2015-3329
+Community BUG:
+https://bugs.php.net/bug.php?id=69441
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
+Below is the community patch.
+
+Not including the test files at the moment:
+ext/phar/tests/bug69441.phar
+ext/phar/tests/bug69441.phpt
+because our version of gpatch doesn't understand the git binary data file.
+
+
+From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 14 Apr 2015 00:03:50 -0700
+Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
+ phar_set_inode)
+
+---
+ ext/phar/phar_internal.h | 9 ++++++---
+ ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
+ ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug69441.phar
+ create mode 100644 ext/phar/tests/bug69441.phpt
+
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index fcfc864..84282d2 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
+@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
+ {
+ char tmp[MAXPATHLEN];
+ int tmp_len;
++ size_t len;
+
+- tmp_len = entry->filename_len + entry->phar->fname_len;
+- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
+- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
++ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
++ len = MIN(entry->phar->fname_len, tmp_len);
++ memcpy(tmp, entry->phar->fname, len);
++ len = MIN(tmp_len - len, entry->filename_len);
++ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
+ entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
+ }
+ /* }}} */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/263_php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,38 @@
+CVE-2014-9709
+Community BUG:
+https://bugs.php.net/bug.php?id=68601
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b
+Below is the community patch.
+
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index ee88a2f..491e942 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -72,8 +72,10 @@ static struct {
+
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+- unsigned char buf[280];
++ unsigned char buf[CSD_BUF_SIZE];
+ int curbit, lastbit, done, last_byte;
+ } CODE_STATIC_DATA;
+
+@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
+
+ ret = 0;
+ for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
+- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
++ if (i < CSD_BUF_SIZE * 8) {
++ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++ } else {
++ ret = -1;
++ break;
++ }
+
+ scd->curbit += code_size;
+ return ret;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/264_php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,22 @@
+CVE-2015-2301
+Community BUG:
+https://bugs.php.net/bug.php?id=68901
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b
+Below is the community patch.
+
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 3671054..712795b 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -2139,8 +2139,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
+ }
+ its_ok:
+ if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {
+- efree(oldpath);
+ zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);
++ efree(oldpath);
+ return NULL;
+ }
+ if (!phar->is_data) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/270_php_20192108.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,26 @@
+CVE-2014-3710
+Community BUG:
+https://bugs.php.net/bug.php?id=68283
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d
+really:
+https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/ext/fileinfo/libmagic/readelf.c_orig 2015-06-12 14:26:23.865377086 -0700
++++ php-5.3.29/ext/fileinfo/libmagic/readelf.c 2015-06-12 14:29:09.089820837 -0700
+@@ -368,6 +368,13 @@
+ #endif
+ uint32_t namesz, descsz;
+
++ if (xnh_sizeof + offset > size) {
++ /*
++ * We're out of note headers.
++ */
++ return xnh_sizeof + offset;
++ }
++
+ (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ offset += xnh_sizeof;
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/271_php_20192108.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,70 @@
+CVE-2014-3669
+Community BUG:
+https://bugs.php.net/bug.php?id=68044
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159
+Below is the community patch.
+
+
+
+From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 14:19:31 -0700
+Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
+ only)
+
+---
+ NEWS | 5 ++++-
+ ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
+ ext/standard/var_unserializer.c | 4 ++--
+ ext/standard/var_unserializer.re | 2 +-
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug68044.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
+new file mode 100644
+index 0000000..031e44e
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68044.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #68044 Integer overflow in unserialize() (32-bits only)
++--FILE--
++<?php
++ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
++?>
++===DONE==
++--EXPECTF--
++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
++
++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
++===DONE==
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 657051f..8129da3 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 1307508..6de1583 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
+--
+2.1.4
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/272_php_20192108.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,44 @@
+CVE-2014-3670
+Community BUG:
+https://bugs.php.net/bug.php?id=68113
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
+Below is the community patch.
+
+Not including the test files at the moment:
+ext/exif/tests/bug68113.jpg
+ext/exif/tests/bug68113.phpt
+because our version of gpatch doesn't understand the git binary data file.
+
+
+From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 16:57:42 -0700
+Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
+
+---
+ ext/exif/exif.c | 4 ++--
+ ext/exif/tests/bug68113.jpg | Bin 0 -> 368 bytes
+ ext/exif/tests/bug68113.phpt | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100755 ext/exif/tests/bug68113.jpg
+ create mode 100644 ext/exif/tests/bug68113.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 38907b4..637ebf9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
+ data_ptr += 8;
+ break;
+ case TAG_FMT_SINGLE:
+- memmove(data_ptr, &info_data->value.f, byte_count);
++ memmove(data_ptr, &info_value->f, 4);
+ data_ptr += 4;
+ break;
+ case TAG_FMT_DOUBLE:
+- memmove(data_ptr, &info_data->value.d, byte_count);
++ memmove(data_ptr, &info_value->d, 8);
+ data_ptr += 8;
+ break;
+ }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/273_php_20192108.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,126 @@
+CVE-2014-3668
+Community BUG:
+https://bugs.php.net/bug.php?id=68027
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
+Below is the community patch.
+
+
+From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ NEWS | 5 ++++-
+ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new file mode 100644
+index 0000000..a5c96f1
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug68027.phpt
+@@ -0,0 +1,44 @@
++--TEST--
++Bug #68027 (buffer overflow in mkgmtime() function)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++
++$d = '6-01-01 20:00:00';
++xmlrpc_set_type($d, 'datetime');
++var_dump($d);
++$datetime = "2001-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++$datetime = "34770-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++echo "Done\n";
++?>
++--EXPECTF--
++object(stdClass)#1 (3) {
++ ["scalar"]=>
++ string(16) "6-01-01 20:00:00"
++ ["xmlrpc_type"]=>
++ string(8) "datetime"
++ ["timestamp"]=>
++ int(%d)
++}
++stdClass Object
++(
++ [scalar] => 2001-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %s
++)
++stdClass Object
++(
++ [scalar] => 34770-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %d
++)
++Done
+--
+2.1.4
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/280_php_20804024.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,46 @@
+CVE-2014-9653
+Community BUG:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9653
+Community CODE:
+https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
+This patch was adapted from the community reports above.
+
+
+--- php-5.3.29/ext/fileinfo/libmagic/readelf.c_orig 2015-06-12 16:40:10.463458900 -0700
++++ php-5.3.29/ext/fileinfo/libmagic/readelf.c 2015-06-12 16:59:36.213626077 -0700
+@@ -313,7 +313,7 @@
+ file_badseek(ms);
+ return -1;
+ }
+- if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) == -1) {
++ if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) {
+ file_badread(ms);
+ return -1;
+ }
+@@ -869,7 +869,7 @@
+ file_badseek(ms);
+ return -1;
+ }
+- if (FINFO_READ_FUNC(fd, xsh_addr, xsh_sizeof) == -1) {
++ if (FINFO_READ_FUNC(fd, xsh_addr, xsh_sizeof) < (ssize_t)xsh_sizeof) {
+ file_badread(ms);
+ return -1;
+ }
+@@ -901,7 +901,7 @@
+ efree(nbuf);
+ return -1;
+ }
+- if (FINFO_READ_FUNC(fd, nbuf, (size_t)xsh_size) !=
++ if (FINFO_READ_FUNC(fd, nbuf, (size_t)xsh_size) <
+ (ssize_t)xsh_size) {
+ efree(nbuf);
+ file_badread(ms);
+@@ -1058,7 +1058,7 @@
+ return -1;
+ }
+
+- if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) == -1) {
++ if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) {
+ file_badread(ms);
+ return -1;
+ }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/290_php_20804061.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,42 @@
+CVE-2014-9705
+Community BUG:
+https://bugs.php.net/bug.php?id=68552
+Community CODE:
+http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803
+Below is the community patch.
+
+
+--- a/ext/enchant/enchant.c 2011/10/01 13:13:13 317600
++++ b/ext/enchant/enchant.c 2015/01/26 11:49:40 335803
+@@ -549,13 +549,12 @@
+
+ d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
+ if (d) {
++ pos = pbroker->dictcnt++;
+ if (pbroker->dictcnt) {
+ pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
+- pos = pbroker->dictcnt++;
+ } else {
+ pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
+ pos = 0;
+- pbroker->dictcnt++;
+ }
+
+ dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
+@@ -606,14 +605,14 @@
+
+ d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
+ if (d) {
++ pos = pbroker->dictcnt++;
+ if (pbroker->dictcnt) {
+- pos = pbroker->dictcnt++;
+ pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
+ } else {
+ pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
+ pos = 0;
+- pbroker->dictcnt++;
+ }
++
+ dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
+ dict->id = pos;
+ dict->pbroker = pbroker;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/300_php_20804135.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,83 @@
+CVE-2015-0273
+Community BUG:
+https://bugs.php.net/bug.php?id=68942
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=71335e6ebabc1b12c057d8017fd811892ecdfd24
+Below is the community patch.
+
+
+From 71335e6ebabc1b12c057d8017fd811892ecdfd24 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 17 Feb 2015 06:53:27 +0100
+Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize()
+ with DateTimeZone)
+
+---
+ ext/date/php_date.c | 21 ++++++++++-----------
+ ext/date/tests/bug68942.phpt | 9 +++++++++
+ ext/date/tests/bug68942_2.phpt | 9 +++++++++
+ 3 files changed, 28 insertions(+), 11 deletions(-)
+ create mode 100644 ext/date/tests/bug68942.phpt
+ create mode 100644 ext/date/tests/bug68942_2.phpt
+
+diff --git a/ext/date/php_date.c b/ext/date/php_date.c
+index f8571b9..15ca08d 100644
+--- a/ext/date/php_date.c
++++ b/ext/date/php_date.c
+@@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
+ timelib_tzinfo *tzi;
+ php_timezone_obj *tzobj;
+
+- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
+- convert_to_string(*z_date);
+- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
+- convert_to_long(*z_timezone_type);
+- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
+- convert_to_string(*z_timezone);
++ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
++ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
++ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
+
+ switch (Z_LVAL_PP(z_timezone_type)) {
+ case TIMELIB_ZONETYPE_OFFSET:
+@@ -2827,7 +2824,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
+
+ case TIMELIB_ZONETYPE_ID: {
+ int ret;
+- convert_to_string(*z_timezone);
+
+ tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
+
+diff --git a/ext/date/tests/bug68942.phpt b/ext/date/tests/bug68942.phpt
+new file mode 100644
+index 0000000..595cd9f
+--- /dev/null
++++ b/ext/date/tests/bug68942.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:4;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d
+diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt
+new file mode 100644
+index 0000000..5b02567
+--- /dev/null
++++ b/ext/date/tests/bug68942_2.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d
+--
+2.1.4
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/310_php_20804363.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,35 @@
+CVE-2015-2331
+Community BUG:
+https://bugs.php.net/bug.php?id=69253
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
+Below is the community patch.
+
+
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past
+ heap boundary
+
+---
+ NEWS | 4 ++++
+ ext/zip/lib/zip_dirent.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- a/ext/zip/lib/zip_dirent.c
++++ b/ext/zip/lib/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ return NULL;
+ }
+
+- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ == NULL) {
+ _zip_error_set(error, ZIP_ER_MEMORY, 0);
+ free(cd);
+--
+2.1.4
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/320_php_20804424.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,32 @@
+CVE-2015-2787
+Community BUG:
+https://bugs.php.net/bug.php?id=68976
+Community CODE:
+https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d
+Below is the community patch.
+
+
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index f114080..c7749a4 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -349,6 +349,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ sizeof data, NULL);
+ }
++ var_push_dtor(var_hash, &data);
+
+ zval_dtor(key);
+ FREE_ZVAL(key);
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index f04fc74..abac77c 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ sizeof data, NULL);
+ }
++ var_push_dtor(var_hash, &data);
+
+ zval_dtor(key);
+ FREE_ZVAL(key);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/330_php_20231115.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,51 @@
+POODLE
+Crafted patch based on community code in
+php 5.5.26 and php 5.6.8.
+
+
+--- php-5.3.29/ext/openssl/xp_ssl.c_orig 2015-06-14 14:43:23.797128188 -0700
++++ php-5.3.29/ext/openssl/xp_ssl.c 2015-06-14 14:59:55.059042744 -0700
+@@ -338,9 +338,14 @@
+ break;
+ #endif
+ case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
++#ifdef OPENSSL_NO_SSL3
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++ return -1;
++#else
+ sslsock->is_client = 1;
+ method = SSLv3_client_method();
+ break;
++#endif
+ case STREAM_CRYPTO_METHOD_TLS_CLIENT:
+ sslsock->is_client = 1;
+ method = TLSv1_client_method();
+@@ -350,9 +355,14 @@
+ method = SSLv23_server_method();
+ break;
+ case STREAM_CRYPTO_METHOD_SSLv3_SERVER:
++#ifdef OPENSSL_NO_SSL3
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++ return -1;
++#else
+ sslsock->is_client = 0;
+ method = SSLv3_server_method();
+ break;
++#endif
+ case STREAM_CRYPTO_METHOD_SSLv2_SERVER:
+ #ifdef OPENSSL_NO_SSL2
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
+@@ -933,8 +943,13 @@
+ sslsock->method = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
+ #endif
+ } else if (strncmp(proto, "sslv3", protolen) == 0) {
++#ifdef OPENSSL_NO_SSL3
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++ return NULL;
++#else
+ sslsock->enable_on_connect = 1;
+ sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
++#endif
+ } else if (strncmp(proto, "tls", protolen) == 0) {
+ sslsock->enable_on_connect = 1;
+ sslsock->method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/340_php_20433657.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,19 @@
+CVE-2015-0232
+Community BUG:
+https://bugs.php.net/bug.php?id=68799
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=55001de6d8c6ed2aada870a76de1e4b4558737bf
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/ext/exif/exif.c_orig 2015-06-14 15:28:49.975351692 -0700
++++ php-5.3.29/ext/exif/exif.c 2015-06-14 15:29:28.860406969 -0700
+@@ -2722,7 +2722,7 @@
+ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
+ {
+ xp_field->tag = tag;
+-
++ xp_field->value = NULL;
+ /* Copy the comment */
+ #if EXIF_USE_MBSTRING
+ /* What if MS supports big-endian with XP? */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/350_php_20803998.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,51 @@
+CVE-2014-9652
+Community BUG:
+https://bugs.php.net/bug.php?id=68735
+Community CODE:
+https://bugs.php.net/patch-display.php?bug=68735&patch=bug68735.patch&revision=1420309079
+Below is the community patch.
+
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 7e0c856..e7b7855 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ size_t sz = file_pstring_length_size(m);
+ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ size_t len = file_pstring_get_length(m, ptr1);
+- if (len >= sizeof(p->s)) {
++ sz = sizeof(p->s) - sz; /* maximum length of string */
++ if (len >= sz) {
+ /*
+ * The size of the pascal string length (sz)
+ * is 1, 2, or 4. We need at least 1 byte for NUL
+ * termination, but we've already truncated the
+ * string by p->s, so we need to deduct sz.
++ * Because we can use one of the bytes of the length
++ * after we shifted as NUL termination.
+ */
+- len = sizeof(p->s) - sz;
++ len = sz;
+ }
+ while (len--)
+ *ptr1++ = *ptr2++;
+--- /dev/null Sat Jan 3 19:01:50 2015
++++ a/ext/fileinfo/tests/bug68735.phpt Sat Jan 3 18:57:32 2015
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #68735 fileinfo out-of-bounds memory access
++--SKIPIF--
++<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
++--FILE--
++<?php
++ $test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
++ $f = new finfo;
++
++ var_dump($f->file($test_file));
++
++?>
++===DONE===
++--EXPECTF--
++string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
++===DONE===
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/360_php_20804391.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,34 @@
+CVE-2015-2348
+Community BUG:
+https://bugs.php.net/bug.php?id=69207
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1
+Below is the community patch.
+
+
+From 1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 17 Mar 2015 12:47:58 -0700
+Subject: [PATCH] Fix bug #69207 - move_uploaded_file allows nulls in path
+
+---
+ NEWS | 3 +++
+ ext/standard/basic_functions.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index 9a9df30..c3e2230 100644
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
+@@ -5775,7 +5775,7 @@ PHP_FUNCTION(move_uploaded_file)
+ RETURN_FALSE;
+ }
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sp", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
+ return;
+ }
+
+--
+2.1.4
+
--- a/components/php-5_3/php-sapi/php.mk Tue Jun 23 09:14:23 2015 -0700
+++ b/components/php-5_3/php-sapi/php.mk Tue Jun 23 13:44:01 2015 -0700
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
#
COMPONENT_PRE_INSTALL_ACTION += ( \
@@ -51,3 +51,7 @@
< configure_orig > configure; \
$(CHMOD) 755 configure; \
$(CLONEY) $(SOURCE_DIR) $(@D) )
+
+# Disable SSLv2 and SSLv3 for security reasons
+CFLAGS += -DOPENSSL_NO_SSL2
+CFLAGS += -DOPENSSL_NO_SSL3
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/zendopcache/patches/php_20936509.patch Tue Jun 23 13:44:01 2015 -0700
@@ -0,0 +1,22 @@
+CVE-2015-1351
+Community BUG:
+https://bugs.php.net/bug.php?id=68677
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115
+This patch was created from the community reports above.
+
+
+--- zendopcache-7.0.2/zend_shared_alloc.c_orig 2015-06-10 13:25:02.003036264 -0700
++++ zendopcache-7.0.2/zend_shared_alloc.c 2015-06-10 13:25:50.714271495 -0700
+@@ -346,10 +346,10 @@
+ retval = ZCG(mem);;
+ ZCG(mem) = (void*)(((char*)ZCG(mem)) + ZEND_ALIGNED_SIZE(size));
+ memcpy(retval, source, size);
++ zend_shared_alloc_register_xlat_entry(source, retval);
+ if (free_source) {
+ interned_efree((char*)source);
+ }
+- zend_shared_alloc_register_xlat_entry(source, retval);
+ return retval;
+ }
+