20192108 problem in UTILITY/PHP s11-update
authorCraig Mohrman <craig.mohrman@oracle.com>
Wed, 17 Jun 2015 15:47:38 -0700
branchs11-update
changeset 4499 4e8085696007
parent 4497 7665830787a5
child 4502 5a8413153abb
20192108 problem in UTILITY/PHP 20231115 problem in UTILITY/PHP 20936509 problem in UTILITY/PHP 20804024 problem in UTILITY/PHP 20804061 problem in UTILITY/PHP 20804135 problem in UTILITY/PHP 20804363 problem in UTILITY/PHP 20804424 problem in UTILITY/PHP 20433657 problem in UTILITY/PHP 20803998 problem in UTILITY/PHP 20804391 problem in UTILITY/PHP
components/php-5_3/php-sapi/patches/260_php_20936509.patch
components/php-5_3/php-sapi/patches/261_php_20936509.patch
components/php-5_3/php-sapi/patches/262_php_20936509.patch
components/php-5_3/php-sapi/patches/263_php_20936509.patch
components/php-5_3/php-sapi/patches/264_php_20936509.patch
components/php-5_3/php-sapi/patches/270_php_20192108.patch
components/php-5_3/php-sapi/patches/271_php_20192108.patch
components/php-5_3/php-sapi/patches/272_php_20192108.patch
components/php-5_3/php-sapi/patches/273_php_20192108.patch
components/php-5_3/php-sapi/patches/280_php_20804024.patch
components/php-5_3/php-sapi/patches/290_php_20804061.patch
components/php-5_3/php-sapi/patches/300_php_20804135.patch
components/php-5_3/php-sapi/patches/310_php_20804363.patch
components/php-5_3/php-sapi/patches/320_php_20804424.patch
components/php-5_3/php-sapi/patches/330_php_20231115.patch
components/php-5_3/php-sapi/patches/340_php_20433657.patch
components/php-5_3/php-sapi/patches/350_php_20803998.patch
components/php-5_3/php-sapi/patches/360_php_20804391.patch
components/php-5_3/php-sapi/php.mk
components/php-5_3/zendopcache/patches/php_20936509.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/260_php_20936509.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,18 @@
+CVE-2015-3330
+Community BUG:
+https://bugs.php.net/bug.php?id=69218
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/sapi/apache2handler/sapi_apache2.c_orig	2015-06-10 13:38:01.218738017 -0700
++++ php-5.3.29/sapi/apache2handler/sapi_apache2.c	2015-06-10 13:38:30.440222529 -0700
[email protected]@ -690,6 +690,7 @@
+ } zend_end_try();
+ 		}
+ 		apr_brigade_cleanup(brigade);
++		apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
+ 	} else {
+ 		ctx->r = parent_req;
+ 	}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/261_php_20936509.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,174 @@
+CVE-2015-2783
+Community BUG:
+https://bugs.php.net/bug.php?id=69324
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=9faaee66fa493372c7340b1ab05f8fd115131a42
+Below is the community patch.
+
+Not including the test files at the moment:
+ext/phar/tests/bug69324.phar
+ext/phar/tests/bug69324.phpt
+because our version of gpatch doesn't understand the git binary data file.
+
+
+
+From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 5 Apr 2015 15:07:36 -0700
+Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when
+ parsing Phar)
+
+---
+ ext/phar/phar.c              |  65 ++++++++++++++++++++-----------------------
+ ext/phar/phar_internal.h     |   2 +-
+ ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes
+ ext/phar/tests/bug69324.phpt |  17 +++++++++++
+ 4 files changed, 48 insertions(+), 36 deletions(-)
+ create mode 100644 ext/phar/tests/bug69324.phar
+ create mode 100644 ext/phar/tests/bug69324.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index ec82351..bf0c985 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
[email protected]@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
+  * 
+  * data is the serialized zval
+  */
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */
+ {
+ 	const unsigned char *p;
+-	php_uint32 buf_len;
+ 	php_unserialize_data_t var_hash;
+ 
+-	if (!zip_metadata_len) {
+-		PHAR_GET_32(*buffer, buf_len);
+-	} else {
+-		buf_len = zip_metadata_len;
+-	}
+-
+-	if (buf_len) {
++	if (zip_metadata_len) {
+ 		ALLOC_ZVAL(*metadata);
+ 		INIT_ZVAL(**metadata);
+ 		p = (const unsigned char*) *buffer;
+ 		PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ 
+-		if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) {
++		if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) {
+ 			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ 			zval_ptr_dtor(metadata);
+ 			*metadata = NULL;
[email protected]@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR
+ 		if (PHAR_G(persist)) {
+ 			/* lazy init metadata */
+ 			zval_ptr_dtor(metadata);
+-			*metadata = (zval *) pemalloc(buf_len, 1);
+-			memcpy(*metadata, *buffer, buf_len);
+-			*buffer += buf_len;
++			*metadata = (zval *) pemalloc(zip_metadata_len, 1);
++			memcpy(*metadata, *buffer, zip_metadata_len);
+ 			return SUCCESS;
+ 		}
+ 	} else {
+ 		*metadata = NULL;
+ 	}
+ 
+-	if (!zip_metadata_len) {
+-		*buffer += buf_len;
+-	}
+-
+ 	return SUCCESS;
+ }
+ /* }}}*/
[email protected]@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 	phar_entry_info entry;
+ 	php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
+ 	php_uint16 manifest_ver;
++	php_uint32 len;
+ 	long offset;
+ 	int sig_len, register_alias = 0, temp_alias = 0;
+ 	char *signature = NULL;
[email protected]@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 	mydata->is_persistent = PHAR_G(persist);
+ 
+ 	/* check whether we have meta data, zero check works regardless of byte order */
++	PHAR_GET_32(buffer, len);
+ 	if (mydata->is_persistent) {
+-		PHAR_GET_32(buffer, mydata->metadata_len);
+-		if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) {
+-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+-		}
+-	} else {
+-		if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) {
+-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++		mydata->metadata_len = len;
++		if(!len) {
++			/* FIXME: not sure why this is needed but removing it breaks tests */
++			PHAR_GET_32(buffer, len);
+ 		}
+ 	}
++	if(len > endbuffer - buffer) {
++		MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
++	}
++	if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) {
++		MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++	}
++	buffer += len;
+ 
+ 	/* set up our manifest */
+ 	zend_hash_init(&mydata->manifest, manifest_count,
[email protected]@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 			entry.manifest_pos = manifest_index;
+ 		}
+ 
+-		if (buffer + entry.filename_len + 20 > endbuffer) {
++		if (entry.filename_len + 20 > endbuffer - buffer) {
+ 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ 		}
+ 
[email protected]@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 			entry.flags |= PHAR_ENT_PERM_DEF_DIR;
+ 		}
+ 
++		PHAR_GET_32(buffer, len);
+ 		if (entry.is_persistent) {
+-			PHAR_GET_32(buffer, entry.metadata_len);
+-			if (!entry.metadata_len) buffer -= 4;
+-			if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) {
+-				pefree(entry.filename, entry.is_persistent);
+-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+-			}
++			entry.metadata_len = len;
+ 		} else {
+-			if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) {
+-				pefree(entry.filename, entry.is_persistent);
+-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+-			}
++			entry.metadata_len = 0;
++		}
++		if (len > endbuffer - buffer) {
++			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
++		}
++		if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) {
++			pefree(entry.filename, entry.is_persistent);
++			MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+ 		}
++		buffer += len;
+ 
+ 		entry.offset = entry.offset_abs = offset;
+ 		offset += entry.compressed_filesize;
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index c9306c1..fcfc864 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
[email protected]@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len,
+ char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC);
+ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC);
+ phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC);
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC);
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC);
+ void destroy_phar_manifest_entry(void *pDest);
+ int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC);
+ php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/262_php_20936509.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,48 @@
+CVE-2015-3329
+Community BUG:
+https://bugs.php.net/bug.php?id=69441
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
+Below is the community patch.
+
+Not including the test files at the moment:
+ext/phar/tests/bug69441.phar
+ext/phar/tests/bug69441.phpt
+because our version of gpatch doesn't understand the git binary data file.
+
+
+From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 14 Apr 2015 00:03:50 -0700
+Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
+ phar_set_inode)
+
+---
+ ext/phar/phar_internal.h     |   9 ++++++---
+ ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
+ ext/phar/tests/bug69441.phpt |  21 +++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug69441.phar
+ create mode 100644 ext/phar/tests/bug69441.phpt
+
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index fcfc864..84282d2 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
[email protected]@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
+ {
+ 	char tmp[MAXPATHLEN];
+ 	int tmp_len;
++	size_t len;
+ 
+-	tmp_len = entry->filename_len + entry->phar->fname_len;
+-	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
+-	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
++	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
++	len = MIN(entry->phar->fname_len, tmp_len);
++	memcpy(tmp, entry->phar->fname, len);
++	len = MIN(tmp_len - len, entry->filename_len);
++	memcpy(tmp + entry->phar->fname_len, entry->filename, len);
+ 	entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
+ }
+ /* }}} */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/263_php_20936509.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,38 @@
+CVE-2014-9709
+Community BUG:
+https://bugs.php.net/bug.php?id=68601
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b
+Below is the community patch.
+
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index ee88a2f..491e942 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
[email protected]@ -72,8 +72,10 @@ static struct {
+ 
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+ 
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+-	unsigned char    buf[280];
++	unsigned char    buf[CSD_BUF_SIZE];
+ 	int              curbit, lastbit, done, last_byte;
+ } CODE_STATIC_DATA;
+ 
[email protected]@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
+ 
+ 	ret = 0;
+ 	for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
+-		ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
++		if (i < CSD_BUF_SIZE * 8) {
++			ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++		} else {
++			ret = -1;
++			break;
++		}
+ 
+ 	scd->curbit += code_size;
+ 	return ret;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/264_php_20936509.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,22 @@
+CVE-2015-2301
+Community BUG:
+https://bugs.php.net/bug.php?id=68901
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b
+Below is the community patch.
+
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 3671054..712795b 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
[email protected]@ -2139,8 +2139,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
+ 	}
+ its_ok:
+ 	if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {
+-		efree(oldpath);
+ 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);
++		efree(oldpath);
+ 		return NULL;
+ 	}
+ 	if (!phar->is_data) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/270_php_20192108.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,26 @@
+CVE-2014-3710
+Community BUG:
+https://bugs.php.net/bug.php?id=68283
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d
+really:
+https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/ext/fileinfo/libmagic/readelf.c_orig	2015-06-12 14:26:23.865377086 -0700
++++ php-5.3.29/ext/fileinfo/libmagic/readelf.c	2015-06-12 14:29:09.089820837 -0700
[email protected]@ -368,6 +368,13 @@
+ #endif
+ 	uint32_t namesz, descsz;
+ 
++	if (xnh_sizeof + offset > size) {
++	       /*
++		* We're out of note headers.
++		*/
++		return xnh_sizeof + offset;
++	}
++
+ 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ 	offset += xnh_sizeof;
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/271_php_20192108.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,70 @@
+CVE-2014-3669
+Community BUG:
+https://bugs.php.net/bug.php?id=68044
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159
+Below is the community patch.
+
+
+
+From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 14:19:31 -0700
+Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
+ only)
+
+---
+ NEWS                                       |  5 ++++-
+ ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
+ ext/standard/var_unserializer.c            |  4 ++--
+ ext/standard/var_unserializer.re           |  2 +-
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug68044.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
+new file mode 100644
+index 0000000..031e44e
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68044.phpt
[email protected]@ -0,0 +1,12 @@
++--TEST--
++Bug #68044 Integer overflow in unserialize() (32-bits only)
++--FILE--
++<?php
++	echo unserialize('C:3:"XYZ":18446744075857035259:{}');
++?>
++===DONE==
++--EXPECTF--
++Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
++
++Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
++===DONE==
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 657051f..8129da3 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
[email protected]@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+ 
+ 	(*p) += 2;
+ 
+-	if (datalen < 0 || (*p) + datalen >= max) {
++	if (datalen < 0 || (max - (*p)) <= datalen) {
+ 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ 		return 0;
+ 	}
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 1307508..6de1583 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
[email protected]@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
+ 
+ 	(*p) += 2;
+ 
+-	if (datalen < 0 || (*p) + datalen >= max) {
++	if (datalen < 0 || (max - (*p)) <= datalen) {
+ 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ 		return 0;
+ 	}
+-- 
+2.1.4
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/272_php_20192108.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,44 @@
+CVE-2014-3670
+Community BUG:
+https://bugs.php.net/bug.php?id=68113
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=ddb207e7fa2e9adeba021a1303c3781efda5409b
+Below is the community patch.
+
+Not including the test files at the moment:
+ext/exif/tests/bug68113.jpg
+ext/exif/tests/bug68113.phpt
+because our version of gpatch doesn't understand the git binary data file.
+
+
+From ddb207e7fa2e9adeba021a1303c3781efda5409b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 16:57:42 -0700
+Subject: [PATCH] Fix bug #68113 (Heap corruption in exif_thumbnail())
+
+---
+ ext/exif/exif.c              |   4 ++--
+ ext/exif/tests/bug68113.jpg  | Bin 0 -> 368 bytes
+ ext/exif/tests/bug68113.phpt |  17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100755 ext/exif/tests/bug68113.jpg
+ create mode 100644 ext/exif/tests/bug68113.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 38907b4..637ebf9 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
[email protected]@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel
+ 					data_ptr += 8;
+ 					break;
+ 				case TAG_FMT_SINGLE:
+-					memmove(data_ptr, &info_data->value.f, byte_count);
++					memmove(data_ptr, &info_value->f, 4);
+ 					data_ptr += 4;
+ 					break;
+ 				case TAG_FMT_DOUBLE:
+-					memmove(data_ptr, &info_data->value.d, byte_count);
++					memmove(data_ptr, &info_value->d, 8);
+ 					data_ptr += 8;
+ 					break;
+ 			}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/273_php_20192108.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,126 @@
+CVE-2014-3668
+Community BUG:
+https://bugs.php.net/bug.php?id=68027
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
+Below is the community patch.
+
+
+From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ NEWS                           |  5 ++++-
+ ext/xmlrpc/libxmlrpc/xmlrpc.c  | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
[email protected]@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+    n = 10;
+    tm.tm_mon = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+4])
+       tm.tm_mon += (text[i+4]-'0')*n;
+       n /= 10;
+    }
+    tm.tm_mon --;
++   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++       return -1;
++   }
+ 
+    n = 10;
+    tm.tm_mday = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+6])
+       tm.tm_mday += (text[i+6]-'0')*n;
+       n /= 10;
+    }
[email protected]@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+    n = 10;
+    tm.tm_hour = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+9])
+       tm.tm_hour += (text[i+9]-'0')*n;
+       n /= 10;
+    }
[email protected]@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+    n = 10;
+    tm.tm_min = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+12])
+       tm.tm_min += (text[i+12]-'0')*n;
+       n /= 10;
+    }
[email protected]@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+    n = 10;
+    tm.tm_sec = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+15])
+       tm.tm_sec += (text[i+15]-'0')*n;
+       n /= 10;
+    }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new file mode 100644
+index 0000000..a5c96f1
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug68027.phpt
[email protected]@ -0,0 +1,44 @@
++--TEST--
++Bug #68027 (buffer overflow in mkgmtime() function)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++
++$d = '6-01-01 20:00:00';
++xmlrpc_set_type($d, 'datetime');
++var_dump($d);
++$datetime = "2001-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++$datetime = "34770-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++echo "Done\n";
++?>
++--EXPECTF--	
++object(stdClass)#1 (3) {
++  ["scalar"]=>
++  string(16) "6-01-01 20:00:00"
++  ["xmlrpc_type"]=>
++  string(8) "datetime"
++  ["timestamp"]=>
++  int(%d)
++}
++stdClass Object
++(
++    [scalar] => 2001-0-08T21:46:40-0400
++    [xmlrpc_type] => datetime
++    [timestamp] => %s
++)
++stdClass Object
++(
++    [scalar] => 34770-0-08T21:46:40-0400
++    [xmlrpc_type] => datetime
++    [timestamp] => %d
++)
++Done
+-- 
+2.1.4
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/280_php_20804024.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,46 @@
+CVE-2014-9653
+Community BUG:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9653
+Community CODE:
+https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
+This patch was adapted from the community reports above.
+
+
+--- php-5.3.29/ext/fileinfo/libmagic/readelf.c_orig	2015-06-12 16:40:10.463458900 -0700
++++ php-5.3.29/ext/fileinfo/libmagic/readelf.c	2015-06-12 16:59:36.213626077 -0700
[email protected]@ -313,7 +313,7 @@
+ 			file_badseek(ms);
+ 			return -1;
+ 		}
+-		if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) == -1) {
++		if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) {
+ 			file_badread(ms);
+ 			return -1;
+ 		}
[email protected]@ -869,7 +869,7 @@
+ 			file_badseek(ms);
+ 			return -1;
+ 		}
+-		if (FINFO_READ_FUNC(fd, xsh_addr, xsh_sizeof) == -1) {
++		if (FINFO_READ_FUNC(fd, xsh_addr, xsh_sizeof) < (ssize_t)xsh_sizeof) {
+ 			file_badread(ms);
+ 			return -1;
+ 		}
[email protected]@ -901,7 +901,7 @@
+ 				efree(nbuf);
+ 				return -1;
+ 			}
+-			if (FINFO_READ_FUNC(fd, nbuf, (size_t)xsh_size) !=
++			if (FINFO_READ_FUNC(fd, nbuf, (size_t)xsh_size) <
+ 			    (ssize_t)xsh_size) {
+ 				efree(nbuf);
+ 				file_badread(ms);
[email protected]@ -1058,7 +1058,7 @@
+ 			return -1;
+ 		}
+ 
+-  		if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) == -1) {
++  		if (FINFO_READ_FUNC(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) {
+   			file_badread(ms);
+ 			return -1;
+ 		}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/290_php_20804061.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,42 @@
+CVE-2014-9705
+Community BUG:
+https://bugs.php.net/bug.php?id=68552
+Community CODE:
+http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803
+Below is the community patch.
+
+
+--- a/ext/enchant/enchant.c	2011/10/01 13:13:13	317600
++++ b/ext/enchant/enchant.c	2015/01/26 11:49:40	335803
[email protected]@ -549,13 +549,12 @@
+ 
+ 	d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
+ 	if (d) {
++		pos = pbroker->dictcnt++;
+ 		if (pbroker->dictcnt) {
+ 			pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
+-			pos = pbroker->dictcnt++;
+ 		} else {
+ 			pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
+ 			pos = 0;
+-			pbroker->dictcnt++;
+ 		}
+ 
+ 		dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
[email protected]@ -606,14 +605,14 @@
+ 
+ 	d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
+ 	if (d) {
++		pos = pbroker->dictcnt++;
+ 		if (pbroker->dictcnt) {
+-			pos = pbroker->dictcnt++;
+ 			pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
+ 		} else {
+ 			pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
+ 			pos = 0;
+-			pbroker->dictcnt++;
+ 		}
++
+ 		dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
+ 		dict->id = pos;
+ 		dict->pbroker = pbroker;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/300_php_20804135.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,83 @@
+CVE-2015-0273
+Community BUG:
+https://bugs.php.net/bug.php?id=68942
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=71335e6ebabc1b12c057d8017fd811892ecdfd24
+Below is the community patch.
+
+
+From 71335e6ebabc1b12c057d8017fd811892ecdfd24 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 17 Feb 2015 06:53:27 +0100
+Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize()
+ with DateTimeZone)
+
+---
+ ext/date/php_date.c            | 21 ++++++++++-----------
+ ext/date/tests/bug68942.phpt   |  9 +++++++++
+ ext/date/tests/bug68942_2.phpt |  9 +++++++++
+ 3 files changed, 28 insertions(+), 11 deletions(-)
+ create mode 100644 ext/date/tests/bug68942.phpt
+ create mode 100644 ext/date/tests/bug68942_2.phpt
+
+diff --git a/ext/date/php_date.c b/ext/date/php_date.c
+index f8571b9..15ca08d 100644
+--- a/ext/date/php_date.c
++++ b/ext/date/php_date.c
[email protected]@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
+ 	timelib_tzinfo   *tzi;
+ 	php_timezone_obj *tzobj;
+ 
+-	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
+-		convert_to_string(*z_date);
+-		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
+-			convert_to_long(*z_timezone_type);
+-			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
+-				convert_to_string(*z_timezone);
++	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
++		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
++			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
+ 
+ 				switch (Z_LVAL_PP(z_timezone_type)) {
+ 					case TIMELIB_ZONETYPE_OFFSET:
[email protected]@ -2827,7 +2824,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
+ 
+ 					case TIMELIB_ZONETYPE_ID: {
+ 						int ret;
+-						convert_to_string(*z_timezone);
+ 
+ 						tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
+ 
+diff --git a/ext/date/tests/bug68942.phpt b/ext/date/tests/bug68942.phpt
+new file mode 100644
+index 0000000..595cd9f
+--- /dev/null
++++ b/ext/date/tests/bug68942.phpt
[email protected]@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:4;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d
+diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt
+new file mode 100644
+index 0000000..5b02567
+--- /dev/null
++++ b/ext/date/tests/bug68942_2.phpt
[email protected]@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d
+-- 
+2.1.4
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/310_php_20804363.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,35 @@
+CVE-2015-2331
+Community BUG:
+https://bugs.php.net/bug.php?id=69253
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
+Below is the community patch.
+
+
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past
+ heap boundary
+
+---
+ NEWS                     | 4 ++++
+ ext/zip/lib/zip_dirent.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- a/ext/zip/lib/zip_dirent.c
++++ b/ext/zip/lib/zip_dirent.c
[email protected]@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ 	return NULL;
+     }
+ 
+-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ 	== NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);
+-- 
+2.1.4
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/320_php_20804424.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,32 @@
+CVE-2015-2787
+Community BUG:
+https://bugs.php.net/bug.php?id=68976
+Community CODE:
+https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d
+Below is the community patch.
+
+
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index f114080..c7749a4 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
[email protected]@ -349,6 +349,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
++		var_push_dtor(var_hash, &data);
+ 		
+ 		zval_dtor(key);
+ 		FREE_ZVAL(key);
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index f04fc74..abac77c 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
[email protected]@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
++		var_push_dtor(var_hash, &data);
+ 		
+ 		zval_dtor(key);
+ 		FREE_ZVAL(key);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/330_php_20231115.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,51 @@
+POODLE
+Crafted patch based on community code in
+php 5.5.26 and php 5.6.8.
+
+
+--- php-5.3.29/ext/openssl/xp_ssl.c_orig	2015-06-14 14:43:23.797128188 -0700
++++ php-5.3.29/ext/openssl/xp_ssl.c	2015-06-14 14:59:55.059042744 -0700
[email protected]@ -338,9 +338,14 @@
+ 			break;
+ #endif
+ 		case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
++#ifdef OPENSSL_NO_SSL3
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++			return -1;
++#else
+ 			sslsock->is_client = 1;
+ 			method = SSLv3_client_method();
+ 			break;
++#endif
+ 		case STREAM_CRYPTO_METHOD_TLS_CLIENT:
+ 			sslsock->is_client = 1;
+ 			method = TLSv1_client_method();
[email protected]@ -350,9 +355,14 @@
+ 			method = SSLv23_server_method();
+ 			break;
+ 		case STREAM_CRYPTO_METHOD_SSLv3_SERVER:
++#ifdef OPENSSL_NO_SSL3
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++			return -1;
++#else
+ 			sslsock->is_client = 0;
+ 			method = SSLv3_server_method();
+ 			break;
++#endif
+ 		case STREAM_CRYPTO_METHOD_SSLv2_SERVER:
+ #ifdef OPENSSL_NO_SSL2
+ 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
[email protected]@ -933,8 +943,13 @@
+ 		sslsock->method = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
+ #endif
+ 	} else if (strncmp(proto, "sslv3", protolen) == 0) {
++#ifdef OPENSSL_NO_SSL3
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");
++		return NULL;
++#else
+ 		sslsock->enable_on_connect = 1;
+ 		sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
++#endif
+ 	} else if (strncmp(proto, "tls", protolen) == 0) {
+ 		sslsock->enable_on_connect = 1;
+ 		sslsock->method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/340_php_20433657.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,19 @@
+CVE-2015-0232
+Community BUG:
+https://bugs.php.net/bug.php?id=68799
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=55001de6d8c6ed2aada870a76de1e4b4558737bf 
+This patch was created from the community reports above.
+
+
+--- php-5.3.29/ext/exif/exif.c_orig	2015-06-14 15:28:49.975351692 -0700
++++ php-5.3.29/ext/exif/exif.c	2015-06-14 15:29:28.860406969 -0700
[email protected]@ -2722,7 +2722,7 @@
+ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
+ {
+ 	xp_field->tag = tag;	
+-
++	xp_field->value = NULL;
+ 	/* Copy the comment */
+ #if EXIF_USE_MBSTRING
+ /*  What if MS supports big-endian with XP? */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/350_php_20803998.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,51 @@
+CVE-2014-9652
+Community BUG:
+https://bugs.php.net/bug.php?id=68735
+Community CODE:
+https://bugs.php.net/patch-display.php?bug=68735&patch=bug68735.patch&revision=1420309079
+Below is the community patch.
+
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 7e0c856..e7b7855 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
[email protected]@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ 		size_t sz = file_pstring_length_size(m);
+ 		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ 		size_t len = file_pstring_get_length(m, ptr1);
+-		if (len >= sizeof(p->s)) {
++		sz = sizeof(p->s) - sz; /* maximum length of string */
++		if (len >= sz) {
+ 			/*
+ 			 * The size of the pascal string length (sz)
+ 			 * is 1, 2, or 4. We need at least 1 byte for NUL
+ 			 * termination, but we've already truncated the
+ 			 * string by p->s, so we need to deduct sz.
++			 * Because we can use one of the bytes of the length
++			 * after we shifted as NUL termination.
+ 			 */ 
+-			len = sizeof(p->s) - sz;
++			len = sz;
+ 		}
+ 		while (len--)
+ 			*ptr1++ = *ptr2++;
+--- /dev/null	Sat Jan  3 19:01:50 2015
++++ a/ext/fileinfo/tests/bug68735.phpt	Sat Jan  3 18:57:32 2015
[email protected]@ -0,0 +1,16 @@
++--TEST--
++Bug #68735 fileinfo out-of-bounds memory access
++--SKIPIF--
++<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
++--FILE--
++<?php
++	$test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
++	$f = new finfo;
++
++	var_dump($f->file($test_file));
++
++?>
++===DONE===
++--EXPECTF--
++string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
++===DONE===
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/360_php_20804391.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,34 @@
+CVE-2015-2348
+Community BUG:
+https://bugs.php.net/bug.php?id=69207
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1
+Below is the community patch.
+
+
+From 1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 17 Mar 2015 12:47:58 -0700
+Subject: [PATCH] Fix bug #69207 - move_uploaded_file allows nulls in path
+
+---
+ NEWS                           | 3 +++
+ ext/standard/basic_functions.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index 9a9df30..c3e2230 100644
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
[email protected]@ -5775,7 +5775,7 @@ PHP_FUNCTION(move_uploaded_file)
+ 		RETURN_FALSE;
+ 	}
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sp", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+-- 
+2.1.4
+
--- a/components/php-5_3/php-sapi/php.mk	Wed Jun 17 11:15:14 2015 -0700
+++ b/components/php-5_3/php-sapi/php.mk	Wed Jun 17 15:47:38 2015 -0700
@@ -38,8 +38,6 @@
 	      $(COMPONENT_SRC)/Zend/zend_language_parser.h \
 	      $(COMPONENT_SRC)/Zend/zend_language_parser.output )
 
-PATCHES = $(shell cd $(PATCH_DIR); echo [0-9]* $$(MACH)* )
-
 COMPONENT_PRE_CONFIGURE_ACTION = ( \
 	set -e; \
 	cd $(COMPONENT_SRC); $(ENV) -i PATH=/usr/gnu/bin:$(PATH) \
@@ -50,3 +48,7 @@
 		< configure_orig > configure; \
 	$(CHMOD) 755 configure; \
 	$(CLONEY) $(SOURCE_DIR) $(@D) )
+
+# Disable SSLv2 and SSLv3 for security reasons
+CFLAGS += -DOPENSSL_NO_SSL2
+CFLAGS += -DOPENSSL_NO_SSL3
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/zendopcache/patches/php_20936509.patch	Wed Jun 17 15:47:38 2015 -0700
@@ -0,0 +1,22 @@
+CVE-2015-1351
+Community BUG:
+https://bugs.php.net/bug.php?id=68677
+Community CODE:
+http://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115
+This patch was created from the community reports above.
+
+
+--- zendopcache-7.0.2/zend_shared_alloc.c_orig	2015-06-10 13:25:02.003036264 -0700
++++ zendopcache-7.0.2/zend_shared_alloc.c	2015-06-10 13:25:50.714271495 -0700
[email protected]@ -346,10 +346,10 @@
+ 	retval = ZCG(mem);;
+ 	ZCG(mem) = (void*)(((char*)ZCG(mem)) + ZEND_ALIGNED_SIZE(size));
+ 	memcpy(retval, source, size);
++	zend_shared_alloc_register_xlat_entry(source, retval);
+ 	if (free_source) {
+ 		interned_efree((char*)source);
+ 	}
+-	zend_shared_alloc_register_xlat_entry(source, retval);
+ 	return retval;
+ }
+