19838509 upgrade php to version 5.3.29 s11-update
authorCraig Mohrman <craig.mohrman@oracle.com>
Thu, 12 Feb 2015 10:14:29 -0800
branchs11-update
changeset 3777 68aef260e079
parent 3773 2cdfec77a8eb
child 3778 35735ffdda43
19838509 upgrade php to version 5.3.29 18857741 problem in UTILITY/PHP 18890894 problem in UTILITY/PHP 18890895 problem in UTILITY/PHP 19003253 problem in UTILITY/PHP 19167518 problem in UTILITY/PHP 19519142 problem in UTILITY/PHP 19556437 problem in UTILITY/PHP 19707971 problem in UTILITY/PHP 19796954 problem in UTILITY/PHP 20258327 problem in UTILITY/PHP 20488612 announce PHP 5.2 EOF in man page
components/php-5_2/common.mk
components/php-5_2/php-sapi/Makefile
components/php-5_2/php-sapi/patches/60_php_18857741.patch
components/php-5_2/php-sapi/patches/61_php_19003253.patch
components/php-5_2/php-sapi/patches/62_php_19167518.patch
components/php-5_2/php-sapi/patches/63_php_19796954.patch
components/php-5_2/php-sapi/patches/64_php_19556437.patch
components/php-5_2/php-sapi/patches/65_php_19556437.patch
components/php-5_3/Makefile
components/php-5_3/common.mk
components/php-5_3/php-cgi/Makefile
components/php-5_3/php-nsapi/Makefile
components/php-5_3/php-pear.p5m
components/php-5_3/php-sapi/Makefile
components/php-5_3/php-sapi/patches/150_php_18083695.patch
components/php-5_3/php-sapi/patches/190_php_18857741.patch
components/php-5_3/php-sapi/patches/200_php_19796954.patch
components/php-5_3/php-sapi/patches/210_php_19556437.patch
components/php-5_3/php-sapi/patches/211_php_19556437.patch
components/php-5_3/php-sapi/patches/212_php_19556437.patch
components/php-5_3/php-sapi/patches/213_php_19556437.patch
components/php-5_3/php-sapi/patches/214_php_19556437.patch
components/php-5_3/php-sapi/patches/220_php_20258327.patch
components/php-common/php.1.sunman
--- a/components/php-5_2/common.mk	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_2/common.mk	Thu Feb 12 10:14:29 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 PHP_REL=		5.2
@@ -161,7 +161,7 @@
 CONF_ENVLINE += \
 	LIBS="$(LIBS)" \
 	EXTENSION_DIR=$(MODULES_DIR) \
-	PHP_PEAR_CACHE_DIR=/var/tmp/pear/cache \
+	PHP_PEAR_CACHE_DIR=/var/cache/php-pear \
 	PHP_PEAR_DOWNLOAD_DIR=/var/tmp/pear/cache \
 	PHP_PEAR_EXTENSION_DIR=/var/php/$(PHP_REL)/modules \
 	PHP_PEAR_INSTALL_DIR=/var/php/$(PHP_REL)/pear \
--- a/components/php-5_2/php-sapi/Makefile	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_2/php-sapi/Makefile	Thu Feb 12 10:14:29 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../../make-rules/shared-macros.mk
 
@@ -88,9 +88,9 @@
 	set -e; \
 	cat $(BUILD_DIR_32)/scripts/phpize | \
 	 sed -e "s,^\#!/bin/sh,\#!$(CONFIG_SHELL)," | \
-	 sed -e "s%^prefix=.*%prefix=$(SOURCE_DIR)%" | \
-	 sed -e "s%^includedir=.*%includedir=$(SOURCE_DIR)%" | \
-	 sed -e "s%^phpdir=.*%phpdir=$(SOURCE_DIR)%"  | \
+	 sed -e "s%^prefix=.*%prefix=$(BUILD_DIR_32)%" | \
+	 sed -e "s%^includedir=.*%includedir=$(BUILD_DIR_32)%" | \
+	 sed -e "s%^phpdir=.*%phpdir=$(BUILD_DIR_32)%"  | \
 	 sed -e "s%phpdir/phpize.m4%phpdir/scripts/phpize.m4%" | \
 	 sed -e "s%$PHP_AUTOCONF   || exit 1%$PHP_AUTOCONF -f   || exit 1%" | \
 	 sed -e "s%$PHP_AUTOHEADER || exit 1%$PHP_AUTOHEADER -f || exit 1%" | \
@@ -101,8 +101,8 @@
 	( set -e; \
 	 cat $(BUILD_DIR_32)/scripts/php-config | \
 	 sed -e "s,^\#! /bin/sh,\#!$(CONFIG_SHELL)," | \
-	 sed -e "s%^prefix=.*%prefix=$(SOURCE_DIR)%" | \
-	 sed -e "s%^include_dir=.*%include_dir=$(SOURCE_DIR)%" \
+	 sed -e "s%^prefix=.*%prefix=$(BUILD_DIR_32)%" | \
+	 sed -e "s%^include_dir=.*%include_dir=$(BUILD_DIR_32)%" \
 	 > php-config-proto ; \
 	chmod 755 php-config-proto ) ; \
 	( set -e; \
@@ -120,12 +120,12 @@
 	$(CP) $(COMPONENT_DIR)/../Solaris/php$(PHP_REL).conf \
 		$(PROTO_DIR)/$(APACHE2_PHP)/php$(PHP_REL).conf; \
 	$(CHMOD) 644 $(PROTO_DIR)/$(APACHE2_PHP)/php$(PHP_REL).conf; \
-	$(SYMLINK) php$(PHP_REL).conf \
-		$(PROTO_DIR)/$(APACHE2_PHP)/php.conf; \
+	cd $(PROTO_DIR)/$(APACHE2_PHP); \
+	$(SYMLINK) php$(PHP_REL).conf php.conf; \
 	$(CP) $(PROTO_DIR)/$(APACHE2_EXTDIR)/libphp5.so \
 		$(PROTO_DIR)/$(APACHE2_EXTDIR)/mod_php$(PHP_REL).so; \
-	$(SYMLINK) $(PROTO_DIR)/$(APACHE2_EXTDIR)/mod_php$(PHP_REL).so \
-		$(PROTO_DIR)/$(APACHE2_EXTDIR)/mod_php5.so; \
+	cd $(PROTO_DIR)/$(APACHE2_EXTDIR); \
+	$(SYMLINK) mod_php$(PHP_REL).so mod_php5.so; \
 	)
 
 # Ship a default php.ini to simplify ease of use.
@@ -217,6 +217,8 @@
 CLEAN_PATHS += php.ini-patched
 
 # common targets
+configure:	$(CONFIGURE_32)
+
 build:		$(BUILD_32)
 
 install:	$(INSTALL_32) PHP-NSAPI_INSTALL PHP-CGI_INSTALL
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/60_php_18857741.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,32 @@
+Fix for CVE-2014-2497
+Patch:
+http://git.php.net/?p=php-src.git;a=patch;h=cf4753691dc55999373d1c576f62ecb298723420
+Code:
+http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
+Verified by hand that it patches the correct code
+but needed one slight tweak needing return instead of goto.
+
+
+diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c
+index 73f86e5..b69414e 100644
+--- a/ext/gd/libgd/gdxpm.c
++++ b/ext/gd/libgd/gdxpm.c
[email protected]@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename)
+ 	if (ret != XpmSuccess) {
+ 		return 0;
+ 	}
++	number = image.ncolors;
++	for(i = 0; i < number; i++) {
++		if (!image.colorTable[i].c_color) {
++			return 0;
++		}
++	}
+ 
+ 	if (!(im = gdImageCreate(image.width, image.height))) {
+ 		return 0;
+ 	}
+ 
+-	number = image.ncolors;
+ 	colors = (int *) safe_emalloc(number, sizeof(int), 0);
+ 	for (i = 0; i < number; i++) {
+ 		switch (strlen (image.colorTable[i].c_color)) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/61_php_19003253.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,21 @@
+Fix for CVE-2014-4049
+Community bug:
+https://bugs.php.net/bug.php?id=67432
+Patch based on:
+https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468
+Slightly modified from the above source as the context is slightly different.
+
+
+--- php-5.2.17/ext/standard/dns.c_orig	2010-01-03 01:23:27.000000000 -0800
++++ php-5.2.17/ext/standard/dns.c	2014-10-17 11:12:46.117985578 -0700
[email protected]@ -484,6 +484,10 @@
+ 				
+ 				while (ll < dlen) {
+ 					n = cp[ll];
++					if ((ll + n) >= dlen) {
++						    // Invalid chunk length, truncate
++							n = dlen - (ll + 1);
++				    }
+ 					memcpy(tp + ll , cp + ll + 1, n);
+ 					ll = ll + n + 1;
+ 				}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/62_php_19167518.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,54 @@
+Fix for CVE-2014-4721
+Bug:
+https://bugs.php.net/bug.php?id=67498
+Patch:
+https://bugs.php.net/patch-display.php?bug=67498&patch=bug67948-patch&revision=1403508072
+Slightly modified to correct for diff context.
+
+
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 70b2e2f..0f15bbe 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
[email protected]@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
+ 
+ 		php_info_print_table_start();
+ 		php_info_print_table_header(2, "Variable", "Value");
+-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
+ 		}
+		php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
+diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
+new file mode 100644
+index 0000000..5b5951b
+--- /dev/null
++++ b/ext/standard/tests/general_functions/bug67498.phpt
[email protected]@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/63_php_19796954.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,29 @@
+Fix for CVE-2014-8088
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Code:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Verified by hand that it patches the correct code.
+
+
+diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
+index 10daa82..da5aa5f 100644
+--- a/ext/ldap/ldap.c
++++ b/ext/ldap/ldap.c
[email protected]@ -399,6 +399,16 @@ PHP_FUNCTION(ldap_bind)
+ 		RETURN_FALSE;
+ 	}
+ 
++	if (ldap_bind_dn != NULL && memchr(ldap_bind_dn, '\0', ldap_bind_dnlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "DN contains a null byte");
++		RETURN_FALSE;
++	}
++
++	if (ldap_bind_pw != NULL && memchr(ldap_bind_pw, '\0', ldap_bind_pwlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Password contains a null byte");
++		RETURN_FALSE;
++	}
++
+ 	ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, &link, -1, "ldap link", le_link);
+ 
+ 	if ((rc = ldap_bind_s(ld->link, ldap_bind_dn, ldap_bind_pw, LDAP_AUTH_SIMPLE)) != LDAP_SUCCESS) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/64_php_19556437.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,255 @@
+Fix for CVE-2014-3597
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=2fefae47716d501aec41c1102f3fd4531f070b05
+This patch was created by hand from the above community diff.
+
+
+--- php-5.2.17/ext/standard/dns.c_orig	2014-10-29 09:08:05.187565521 -0700
++++ php-5.2.17/ext/standard/dns.c	2014-11-04 10:54:59.065340474 -0800
[email protected]@ -396,8 +396,14 @@
+ #define php_dns_free_res(__res__)
+ #endif
+ 
++#define CHECKCP(n) do { \
++	if (cp + n > end) { \
++		return NULL; \
++	} \
++} while (0)
++
+ /* {{{ php_parserr */
+-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
+ {
+ 	u_short type, class, dlen;
+ 	u_long ttl;
[email protected]@ -409,16 +415,18 @@
+ 
+ 	*subarray = NULL;
+ 
+-	n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
++	n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
+ 	if (n < 0) {
+ 		return NULL;
+ 	}
+ 	cp += n;
+ 	
++	CHECKCP(10);
+ 	GETSHORT(type, cp);
+ 	GETSHORT(class, cp);
+ 	GETLONG(ttl, cp);
+ 	GETSHORT(dlen, cp);
++	CHECKCP(dlen);
+ 	if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ 		cp += dlen;
+ 		return cp;
[email protected]@ -435,12 +443,14 @@
+ 	add_assoc_string(*subarray, "host", name, 1);
+ 	switch (type) {
+ 		case DNS_T_A:
++			CHECKCP(4);
+ 			add_assoc_string(*subarray, "type", "A", 1);
+ 			snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
+ 			add_assoc_string(*subarray, "ip", name, 1);
+ 			cp += dlen;
+ 			break;
+ 		case DNS_T_MX:
++			CHECKCP(2);
+ 			add_assoc_string(*subarray, "type", "MX", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
[email protected]@ -456,7 +466,7 @@
+ 		case DNS_T_PTR:
+ 			if (type == DNS_T_PTR)
+ 				add_assoc_string(*subarray, "type", "PTR", 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
[email protected]@ -466,51 +476,59 @@
+ 		case DNS_T_HINFO:
+ 			/* See RFC 1010 for values */
+ 			add_assoc_string(*subarray, "type", "HINFO", 1);
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "cpu", cp, n, 1);
+ 			cp += n;
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "os", cp, n, 1);
+ 			cp += n;
+ 			break;
+ 		case DNS_T_TXT: 
+ 			{
+-				int ll = 0;
++				int l1 = 0, l2 = 0;
+ 
+ 				add_assoc_string(*subarray, "type", "TXT", 1);
+ 				tp = emalloc(dlen + 1);
+ 				
+-				while (ll < dlen) {
+-					n = cp[ll];
+-					if ((ll + n) >= dlen) {
++				while (l1 < dlen) {
++					n = cp[l1];
++					if ((l1 + n) >= dlen) {
+ 						    // Invalid chunk length, truncate
+-							n = dlen - (ll + 1);
++							n = dlen - (l1 + 1);
+ 				    }
+-					memcpy(tp + ll , cp + ll + 1, n);
+-					ll = ll + n + 1;
++					if (n) {
++						memcpy(tp + l2 , cp + l1 + 1, n);
++					}
++					l1 = l1 + n + 1;
++					l2 = l2 + n;
+ 				}
+-				tp[dlen] = '\0';
++				tp[l2] = '\0';
+ 				cp += dlen;
+ 
+-				add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0);
++				add_assoc_stringl(*subarray, "txt", tp, l2, 0);
+ 			}
+ 			break;
+ 		case DNS_T_SOA:
+ 			add_assoc_string(*subarray, "type", "SOA", 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "mname", name, 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "rname", name, 1);
++			CHECKCP(5*4);
+ 			GETLONG(n, cp);
+ 			add_assoc_long(*subarray, "serial", n);
+ 			GETLONG(n, cp);
[email protected]@ -524,6 +542,7 @@
+ 			break;
+ 		case DNS_T_AAAA:
+ 			tp = name;
++			CHECKCP(8*2);
+ 			for(i=0; i < 8; i++) {
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
[email protected]@ -558,6 +577,7 @@
+ 		case DNS_T_A6:
+ 			p = cp;
+ 			add_assoc_string(*subarray, "type", "A6", 1);
++			CHECKCP(1);
+ 			n = ((int)cp[0]) & 0xFF;
+ 			cp++;
+ 			add_assoc_long(*subarray, "masklen", n);
[email protected]@ -593,6 +613,7 @@
+ 				cp++;
+ 			}
+ 			for(i = (n+8)/16; i < 8; i++) {
++				CHECKCP(2);
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
+ 					if (tp > (u_char *)name) {
[email protected]@ -622,7 +643,7 @@
+ 			tp[0] = '\0';
+ 			add_assoc_string(*subarray, "ipv6", name, 1);
+ 			if (cp < p + dlen) {
+-				n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++				n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 				if (n < 0) {
+ 					return NULL;
+ 				}
[email protected]@ -631,6 +652,7 @@
+ 			}
+ 			break;
+ 		case DNS_T_SRV:
++			CHECKCP(3*2);
+ 			add_assoc_string(*subarray, "type", "SRV", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
[email protected]@ -638,7 +660,7 @@
+ 			add_assoc_long(*subarray, "weight", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "port", n);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
[email protected]@ -646,21 +668,34 @@
+ 			add_assoc_string(*subarray, "target", name, 1);
+ 			break;
+ 		case DNS_T_NAPTR:
++			CHECKCP(2*2);
+ 			add_assoc_string(*subarray, "type", "NAPTR", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "order", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pref", n);
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "flags", ++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "flags", cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "services", ++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "services", cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "regex", ++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "regex", cp, n, 1);
+ 			cp += n;
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
[email protected]@ -833,7 +868,7 @@
+ 			while (an-- && cp && cp < end) {
+ 				zval *retval;
+ 
+-				cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
++				cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
+ 				if (retval != NULL && store_results) {
+ 					add_next_index_zval(return_value, retval);
+ 				}
[email protected]@ -848,7 +883,7 @@
+ 		while (ns-- > 0 && cp && cp < end) {
+ 			zval *retval;
+ 
+-			cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
++			cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
+ 			if (retval != NULL) {
+ 				add_next_index_zval(authns, retval);
+ 			}
[email protected]@ -857,7 +892,7 @@
+ 		while (ar-- > 0 && cp && cp < end) {
+ 			zval *retval;
+ 
+-			cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
++			cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
+ 			if (retval != NULL) {
+ 				add_next_index_zval(addtl, retval);
+ 			}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/65_php_19556437.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,18 @@
+Fix for CVE-2014-5120
+Based on code in php 5.3.29 from comments in:
+https://bugs.php.net/bug.php?id=67730
+
+
+--- php-5.2.17/ext/gd/gd_ctx.c_orig	2010-01-03 01:23:27.000000000 -0800
++++ php-5.2.17/ext/gd/gd_ctx.c	2014-11-04 15:12:01.612256878 -0800
[email protected]@ -90,7 +90,9 @@
+ 	}
+ 
+ 	if (argc > 1 && (Z_TYPE_PP(file) != IS_NULL && ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))))) {
+-
++		if (strlen(Z_STRVAL_PP(file)) != Z_STRLEN_PP(file)) {
++			RETURN_FALSE;
++		}
+ 		PHP_GD_CHECK_OPEN_BASEDIR(fn, "Invalid filename");
+ 
+ 		fp = VCWD_FOPEN(fn, "wb");
--- a/components/php-5_3/Makefile	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_3/Makefile	Thu Feb 12 10:14:29 2015 -0800
@@ -18,11 +18,11 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
-TPNO_PHP_5_3=		17137
+TPNO_PHP_5_3=		21389
 TPNO_PHP_APC=		17127
 TPNO_PHP_IDN=		17128
 TPNO_PHP_MEMCACHE=	17130
@@ -125,7 +125,7 @@
 #               looks like i DO NEED the pear patches
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_PROJECT_URL=	http://www.php.net/
 COMPONENT_BUGDB=	utility/php
 
--- a/components/php-5_3/common.mk	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_3/common.mk	Thu Feb 12 10:14:29 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 PHP_REL=		5.3
@@ -161,8 +161,8 @@
 CONF_ENVLINE += \
 	LIBS="$(LIBS)" \
 	EXTENSION_DIR=$(MODULES_DIR) \
-	PHP_PEAR_CACHE_DIR=/var/tmp/pear/cache \
-	PHP_PEAR_DOWNLOAD_DIR=/var/tmp/pear/cache \
+	PHP_PEAR_CACHE_DIR=/var/cache/php-pear \
+	PHP_PEAR_DOWNLOAD_DIR=/tmp/pear/download \
 	PHP_PEAR_EXTENSION_DIR=/var/php/$(PHP_REL)/modules \
 	PHP_PEAR_INSTALL_DIR=/var/php/$(PHP_REL)/pear \
 	PHP_PEAR_SIG_BIN=/usr/gnu/bin/gpg \
--- a/components/php-5_3/php-cgi/Makefile	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_3/php-cgi/Makefile	Thu Feb 12 10:14:29 2015 -0800
@@ -18,16 +18,16 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
 COMPONENT_ARCHIVE_HASH= \
-    sha256:0cac960c651c4fbb3d21cf2f2b279a06e21948fb35a0d1439b97296cac1d8513
+    sha256:c4e1cf6972b2a9c7f2777a18497d83bf713cdbecabb65d3ff62ba441aebb0091
 COMPONENT_ARCHIVE_URL=	http://us.php.net/get/$(COMPONENT_ARCHIVE)/from/this/mirror
 
 PATCH_DIR = ../php-sapi/patches
@@ -55,6 +55,8 @@
 COMPONENT_INSTALL_TARGETS = install-sapi
 
 # common targets
+configure:	$(CONFIGURE_32)
+
 build:		$(BUILD_32)
 
 install:	$(INSTALL_32)
--- a/components/php-5_3/php-nsapi/Makefile	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_3/php-nsapi/Makefile	Thu Feb 12 10:14:29 2015 -0800
@@ -18,17 +18,17 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
 COMPONENT_ARCHIVE_HASH= \
-    sha256:0cac960c651c4fbb3d21cf2f2b279a06e21948fb35a0d1439b97296cac1d8513
+    sha256:c4e1cf6972b2a9c7f2777a18497d83bf713cdbecabb65d3ff62ba441aebb0091
 COMPONENT_ARCHIVE_URL=	http://us.php.net/get/$(COMPONENT_ARCHIVE)/from/this/mirror
 COMPONENT_PROJECT_URL=	http://www.php.net/
 
@@ -134,6 +134,8 @@
 CLEAN_PATHS += webserver7-spi phpize-proto.zts php.ini
 
 # common targets
+configure:	$(CONFIGURE_32)
+
 build:		$(BUILD_32)
 
 install:	$(INSTALL_32)
--- a/components/php-5_3/php-pear.p5m	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_3/php-pear.p5m	Thu Feb 12 10:14:29 2015 -0800
@@ -43,6 +43,7 @@
 file path=usr/php/5.3/bin/pear mode=0555
 file path=usr/php/5.3/bin/peardev mode=0555
 file path=usr/php/5.3/bin/pecl mode=0555
+dir  path=var/cache/php-pear owner=webservd group=webservd
 dir  path=var/php/5.3/include/php
 dir  path=var/php/5.3/modules
 file path=var/php/5.3/pear/.channels/.alias/pear.txt
@@ -197,7 +198,6 @@
 file path=var/php/5.3/pear/peclcmd.php
 file path=var/php/5.3/pear/test/Structures_Graph/tests/AllTests.php
 file path=var/php/5.3/pear/test/Structures_Graph/tests/testCase/BasicGraph.php
-file path=var/php/5.3/pear/test/XML_Util/tests/AllTests.php
 file path=var/php/5.3/pear/test/XML_Util/tests/testBasic_apiVersion.phpt
 file path=var/php/5.3/pear/test/XML_Util/tests/testBasic_attributesToString.phpt
 file path=var/php/5.3/pear/test/XML_Util/tests/testBasic_collapseEmptyTags.phpt
--- a/components/php-5_3/php-sapi/Makefile	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-5_3/php-sapi/Makefile	Thu Feb 12 10:14:29 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../../make-rules/shared-macros.mk
 
@@ -29,11 +29,11 @@
 #    published from.
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
 COMPONENT_ARCHIVE_HASH= \
-    sha256:0cac960c651c4fbb3d21cf2f2b279a06e21948fb35a0d1439b97296cac1d8513
+    sha256:c4e1cf6972b2a9c7f2777a18497d83bf713cdbecabb65d3ff62ba441aebb0091
 COMPONENT_ARCHIVE_URL=	http://us.php.net/get/$(COMPONENT_ARCHIVE)/from/this/mirror
 COMPONENT_PROJECT_URL=	http://www.php.net/
 
@@ -236,6 +236,8 @@
 CLEAN_PATHS += php.ini-patched
 
 # common targets
+configure:	$(CONFIGURE_32)
+
 build:		$(BUILD_32)
 
 install:	$(INSTALL_32) PHP-NSAPI_INSTALL PHP-CGI_INSTALL
--- a/components/php-5_3/php-sapi/patches/150_php_18083695.patch	Wed Jan 21 04:16:38 2015 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-Fix for CVE-2013-6712
-Patch:
-http://git.php.net/?p=php-src.git;a=patch;h=12fe4e90be7bfa2a763197079f68f5568a14e071
-Code:
-http://git.php.net/?p=php-src.git;a=commitdiff;h=12fe4e90be7bfa2a763197079f68f5568a14e071
-This patch is for php 5.4 code but works well enough on php 5.3 code.
-Verified by hand that it patches the correct code.
-Slightly modified by hand to remove unnecessary parts that fail to patch.
-
-
-From 12fe4e90be7bfa2a763197079f68f5568a14e071 Mon Sep 17 00:00:00 2001
-From: Remi Collet <[email protected]>
-Date: Wed, 27 Nov 2013 11:13:16 +0100
-Subject: [PATCH] Fixed bug #66060 (Heap buffer over-read in DateInterval)
-
----
- NEWS                                | 3 +++
- ext/date/lib/parse_iso_intervals.c  | 4 ++--
- ext/date/lib/parse_iso_intervals.re | 2 +-
- 3 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/ext/date/lib/parse_iso_intervals.c b/ext/date/lib/parse_iso_intervals.c
-index bd1ad05..480ea38 100644
---- a/ext/date/lib/parse_iso_intervals.c
-+++ b/ext/date/lib/parse_iso_intervals.c
[email protected]@ -415,7 +415,7 @@ yy6:
- 					break;
- 			}
- 			ptr++;
--		} while (*ptr);
-+		} while (!s->errors->error_count && *ptr);
- 		s->have_period = 1;
- 		TIMELIB_DEINIT;
- 		return TIMELIB_PERIOD;
-diff --git a/ext/date/lib/parse_iso_intervals.re b/ext/date/lib/parse_iso_intervals.re
-index 56aa34d..c5e9f67 100644
---- a/ext/date/lib/parse_iso_intervals.re
-+++ b/ext/date/lib/parse_iso_intervals.re
[email protected]@ -383,7 +383,7 @@ isoweek          = year4 "-"? "W" weekofyear;
- 					break;
- 			}
- 			ptr++;
--		} while (*ptr);
-+		} while (!s->errors->error_count && *ptr);
- 		s->have_period = 1;
- 		TIMELIB_DEINIT;
- 		return TIMELIB_PERIOD;
--- 
-1.8.4.3
-
-
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/190_php_18857741.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,31 @@
+Fix for CVE-2014-2497
+Patch:
+http://git.php.net/?p=php-src.git;a=patch;h=cf4753691dc55999373d1c576f62ecb298723420
+Code:
+http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
+Verified by hand that it patches the correct code.
+
+
+diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c
+index 73f86e5..b69414e 100644
+--- a/ext/gd/libgd/gdxpm.c
++++ b/ext/gd/libgd/gdxpm.c
[email protected]@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename)
+ 	if (ret != XpmSuccess) {
+ 		return 0;
+ 	}
++	number = image.ncolors;
++	for(i = 0; i < number; i++) {
++		if (!image.colorTable[i].c_color) {
++			goto done;
++		}
++	}
+ 
+ 	if (!(im = gdImageCreate(image.width, image.height))) {
+ 		goto done;
+ 	}
+ 
+-	number = image.ncolors;
+ 	colors = (int *) safe_emalloc(number, sizeof(int), 0);
+ 	for (i = 0; i < number; i++) {
+ 		switch (strlen (image.colorTable[i].c_color)) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/200_php_19796954.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,29 @@
+Fix for CVE-2014-8088
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Code:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Verified by hand that it patches the correct code.
+
+
+diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
+index 10daa82..da5aa5f 100644
+--- a/ext/ldap/ldap.c
++++ b/ext/ldap/ldap.c
[email protected]@ -399,6 +399,16 @@ PHP_FUNCTION(ldap_bind)
+ 		RETURN_FALSE;
+ 	}
+ 
++	if (ldap_bind_dn != NULL && memchr(ldap_bind_dn, '\0', ldap_bind_dnlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "DN contains a null byte");
++		RETURN_FALSE;
++	}
++
++	if (ldap_bind_pw != NULL && memchr(ldap_bind_pw, '\0', ldap_bind_pwlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Password contains a null byte");
++		RETURN_FALSE;
++	}
++
+ 	ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, &link, -1, "ldap link", le_link);
+ 
+ 	if ((rc = ldap_bind_s(ld->link, ldap_bind_dn, ldap_bind_pw, LDAP_AUTH_SIMPLE)) != LDAP_SUCCESS) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/210_php_19556437.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,98 @@
+Fix for CVE-2014-3538
+Patch from PHP community:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=eeaec70758bfc0c0e2c0f8944c8dbeae02866206
+But this is for php 5.4.32.
+The website:
+http://permalink.gmane.org/gmane.linux.frugalware.scm/131282
+shows a patch for php 5.3.26 so I've hand crafted a patch
+based on both websites.
+
+
+--- php-5.3.29/ext/fileinfo/libmagic/softmagic.c_orig	2014-10-20 16:46:35.678013082 -0700
++++ php-5.3.29/ext/fileinfo/libmagic/softmagic.c	2014-10-22 13:51:20.141509243 -0700
[email protected]@ -56,7 +56,7 @@
+ private int32_t moffset(struct magic_set *, struct magic *);
+ private void mdebug(uint32_t, const char *, size_t);
+ private int mcopy(struct magic_set *, union VALUETYPE *, int, int,
+-    const unsigned char *, uint32_t, size_t, size_t);
++    const unsigned char *, uint32_t, size_t, struct magic *);
+ private int mconvert(struct magic_set *, struct magic *);
+ private int print_sep(struct magic_set *, int);
+ private int handle_annotation(struct magic_set *, struct magic *);
[email protected]@ -898,7 +898,7 @@
+ 
+ private int
+ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+-    const unsigned char *s, uint32_t offset, size_t nbytes, size_t linecnt)
++    const unsigned char *s, uint32_t offset, size_t nbytes, struct magic *m)
+ {
+ 	/*
+ 	 * Note: FILE_SEARCH and FILE_REGEX do not actually copy
[email protected]@ -918,15 +918,24 @@
+ 			const char *last;	/* end of search region */
+ 			const char *buf;	/* start of search region */
+ 			const char *end;
+-			size_t lines;
++			size_t lines, linecnt, bytecnt;
++			 
++			linecnt = m->str_range;
++			bytecnt = linecnt * 80;
+ 
++			if (bytecnt == 0) {
++				bytecnt = 8192;
++			}
++			if (bytecnt > nbytes) {
++				bytecnt = nbytes;
++			}
+ 			if (s == NULL) {
+ 				ms->search.s_len = 0;
+ 				ms->search.s = NULL;
+ 				return 0;
+ 			}
+ 			buf = RCAST(const char *, s) + offset;
+-			end = last = RCAST(const char *, s) + nbytes;
++			end = last = RCAST(const char *, s) + bytecnt;
+ 			/* mget() guarantees buf <= last */
+ 			for (lines = linecnt, b = buf; lines && b < end &&
+ 			     ((b = CAST(const char *,
[email protected]@ -939,7 +948,7 @@
+ 					b++;
+ 			}
+ 			if (lines)
+-				last = RCAST(const char *, s) + nbytes;
++				last = RCAST(const char *, s) + bytecnt;
+ 
+ 			ms->search.s = buf;
+ 			ms->search.s_len = last - buf;
[email protected]@ -1012,7 +1021,6 @@
+     int recursion_level)
+ {
+ 	uint32_t offset = ms->offset;
+-	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
+         if (recursion_level >= 20) {
[email protected]@ -1020,10 +1028,13 @@
+                 return -1;
+         }
+ 
+-	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
++	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset,
++	    (uint32_t)nbytes, m) == -1)
+ 		return -1;
+ 
+ 	if ((ms->flags & MAGIC_DEBUG) != 0) {
++		fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, "
++		    "nbytes=%zu)\n", m->type, m->flag, offset, nbytes);
+ 		mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
+ 	}
+ 
[email protected]@ -1504,7 +1515,7 @@
+ 		if (m->flag & INDIROFFADD) {
+ 			offset += ms->c.li[cont_level-1].off;
+ 		}
+-		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, count) == -1)
++		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, m) == -1)
+ 			return -1;
+ 		ms->offset = offset;
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/211_php_19556437.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,18 @@
+Fix for CVE-2014-3587
+Patch from PHP community:
+http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/fileinfo/libmagic/cdf.c;h=2c0a2d9dfcd803e21fb40cd04c48a679aa09a6df;hp=429f3b952f68d1ef7f2ebb4925ef5b16c54b7833;hb=35f32637b08ca6397829138ed45a0768f592f262;hpb=eab42649ab9c6d949dc8e1ba9e31124e9cfb3b1b
+
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 429f3b9..2c0a2d9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
[email protected]@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ 		q = (const uint8_t *)(const void *)
+ 		    ((const char *)(const void *)p + ofs
+ 		    - 2 * sizeof(uint32_t));
+-		if (q > e) {
++		if (q < p || q > e) {
+ 			DPRINTF(("Ran of the end %p > %p\n", q, e));
+ 			goto out;
+ 		}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/212_php_19556437.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,267 @@
+Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597
+
+Incomplete fix for CVE-2014-4049
+
+Check possible buffer overflow
+- pass real buffer end to dn_expand calls
+- check buffer len before each read
+
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 214a7dc..0b5e69c 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
[email protected]@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record)
+ 
+ #if HAVE_FULL_DNS_FUNCS
+ 
++#define CHECKCP(n) do { \
++	if (cp + n > end) { \
++		return NULL; \
++	} \
++} while (0)
++
+ /* {{{ php_parserr */
+-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
+ {
+ 	u_short type, class, dlen;
+ 	u_long ttl;
[email protected]@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 
+ 	*subarray = NULL;
+ 
+-	n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
++	n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
+ 	if (n < 0) {
+ 		return NULL;
+ 	}
+ 	cp += n;
+ 
++	CHECKCP(10);
+ 	GETSHORT(type, cp);
+ 	GETSHORT(class, cp);
+ 	GETLONG(ttl, cp);
+ 	GETSHORT(dlen, cp);
++	CHECKCP(dlen);
+ 	if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ 		cp += dlen;
+ 		return cp;
[email protected]@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 
+ 	switch (type) {
+ 		case DNS_T_A:
++			CHECKCP(4);
+ 			add_assoc_string(*subarray, "type", "A", 1);
+ 			snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
+ 			add_assoc_string(*subarray, "ip", name, 1);
+ 			cp += dlen;
+ 			break;
+ 		case DNS_T_MX:
++			CHECKCP(2);
+ 			add_assoc_string(*subarray, "type", "MX", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
[email protected]@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			if (type == DNS_T_PTR) {
+ 				add_assoc_string(*subarray, "type", "PTR", 1);
+ 			}
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
[email protected]@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 		case DNS_T_HINFO:
+ 			/* See RFC 1010 for values */
+ 			add_assoc_string(*subarray, "type", "HINFO", 1);
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
+ 			cp += n;
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
+ 			cp += n;
+ 			break;
+ 		case DNS_T_TXT:
+ 			{
+-				int ll = 0;
++				int l1 = 0, l2 = 0;
+ 				zval *entries = NULL;
+ 
+ 				add_assoc_string(*subarray, "type", "TXT", 1);
[email protected]@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 				MAKE_STD_ZVAL(entries);
+ 				array_init(entries);
+ 				
+-				while (ll < dlen) {
+-					n = cp[ll];
+-					if ((ll + n) >= dlen) {
++				while (l1 < dlen) {
++					n = cp[l1];
++					if ((l1 + n) >= dlen) {
+ 						// Invalid chunk length, truncate
+-						n = dlen - (ll + 1);
++						n = dlen - (l1 + 1);
++					}
++					if (n) {
++						memcpy(tp + l2 , cp + l1 + 1, n);
++						add_next_index_stringl(entries, cp + l1 + 1, n, 1);
+ 					}
+-					memcpy(tp + ll , cp + ll + 1, n);
+-					add_next_index_stringl(entries, cp + ll + 1, n, 1);
+-					ll = ll + n + 1;
++					l1 = l1 + n + 1;
++					l2 = l2 + n;
+ 				}
+-				tp[dlen] = '\0';
++				tp[l2] = '\0';
+ 				cp += dlen;
+ 
+-				add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0);
++				add_assoc_stringl(*subarray, "txt", tp, l2, 0);
+ 				add_assoc_zval(*subarray, "entries", entries);
+ 			}
+ 			break;
+ 		case DNS_T_SOA:
+ 			add_assoc_string(*subarray, "type", "SOA", 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "mname", name, 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "rname", name, 1);
++			CHECKCP(5*4);
+ 			GETLONG(n, cp);
+ 			add_assoc_long(*subarray, "serial", n);
+ 			GETLONG(n, cp);
[email protected]@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			break;
+ 		case DNS_T_AAAA:
+ 			tp = (u_char*)name;
++			CHECKCP(8*2);
+ 			for(i=0; i < 8; i++) {
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
[email protected]@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 		case DNS_T_A6:
+ 			p = cp;
+ 			add_assoc_string(*subarray, "type", "A6", 1);
++			CHECKCP(1);
+ 			n = ((int)cp[0]) & 0xFF;
+ 			cp++;
+ 			add_assoc_long(*subarray, "masklen", n);
[email protected]@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 				cp++;
+ 			}
+ 			for (i = (n + 8) / 16; i < 8; i++) {
++				CHECKCP(2);
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
+ 					if (tp > (u_char *)name) {
[email protected]@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			tp[0] = '\0';
+ 			add_assoc_string(*subarray, "ipv6", name, 1);
+ 			if (cp < p + dlen) {
+-				n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++				n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 				if (n < 0) {
+ 					return NULL;
+ 				}
[email protected]@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			}
+ 			break;
+ 		case DNS_T_SRV:
++			CHECKCP(3*2);
+ 			add_assoc_string(*subarray, "type", "SRV", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
[email protected]@ -673,7 +695,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			add_assoc_long(*subarray, "weight", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "port", n);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
[email protected]@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			add_assoc_string(*subarray, "target", name, 1);
+ 			break;
+ 		case DNS_T_NAPTR:
++			CHECKCP(2*2);
+ 			add_assoc_string(*subarray, "type", "NAPTR", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "order", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pref", n);
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
+ 			cp += n;
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
[email protected]@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record)
+ 			while (an-- && cp && cp < end) {
+ 				zval *retval;
+ 
+-				cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
++				cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
+ 				if (retval != NULL && store_results) {
+ 					add_next_index_zval(return_value, retval);
+ 				}
[email protected]@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record)
+ 				while (ns-- > 0 && cp && cp < end) {
+ 					zval *retval = NULL;
+ 
+-					cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
++					cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
+ 					if (retval != NULL) {
+ 						add_next_index_zval(authns, retval);
+ 					}
[email protected]@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record)
+ 				while (ar-- > 0 && cp && cp < end) {
+ 					zval *retval = NULL;
+ 
+-					cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
++					cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
+ 					if (retval != NULL) {
+ 						add_next_index_zval(addtl, retval);
+ 					}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/213_php_19556437.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,60 @@
+Fix for CVE-2014-4670
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=df78c48354f376cf419d7a97f88ca07d572f00fb
+
+
+Fixed Bug #67538 (SPL Iterators use-after-free)
+---
+
+diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
+index 39a0733..0b44d41 100644
+--- a/ext/spl/spl_dllist.c
++++ b/ext/spl/spl_dllist.c
[email protected]@ -43,12 +43,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
+ 
+ #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
+ 	efree(elem); \
+-	elem = NULL; \
+ }
+ 
+ #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
+ 	efree(elem); \
+-	elem = NULL; \
+ }
+ 
+ #define SPL_LLIST_ADDREF(elem) (elem)->rc++
[email protected]@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
+ 			llist->dtor(element TSRMLS_CC);
+ 		}
+ 
++		if (intern->traverse_pointer == element) {
++			SPL_LLIST_DELREF(element);
++			intern->traverse_pointer = NULL;
++		}
++
+ 		zval_ptr_dtor((zval **)&element->data);
+ 		element->data = NULL;
+ 
+diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
+new file mode 100644
+index 0000000..b6f3848
+--- /dev/null
++++ b/ext/spl/tests/bug67538.phpt
[email protected]@ -0,0 +1,17 @@
++--TEST--
++Bug #67538 (SPL Iterators use-after-free)
++--FILE--
++<?php
++$list = new SplDoublyLinkedList();
++$list->push('a');
++$list->push('b');
++
++$list->rewind();
++$list->offsetUnset(0);
++$list->push('b');
++$list->offsetUnset(0);
++$list->next();
++echo "okey";
++?>
++--EXPECTF--
++okey
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/214_php_19556437.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,47 @@
+Fix for CVE-2014-4698
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=22882a9d89712ff2b6ebc20a689a89452bba4dcd
+
+Hand crafted patch for php 5.3 from above due to context differences.
+
+--- php-5.3.29/ext/spl/spl_array.c_orig	2014-08-13 12:22:50.000000000 -0700
++++ php-5.3.29/ext/spl/spl_array.c	2014-11-04 14:31:14.198629945 -0800
[email protected]@ -1843,6 +1843,7 @@
+ 	int buf_len;
+ 	spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
+ 	int was_in_unserialize = intern->unserialize_data != NULL;
++	HashTable *aht;
+ 
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+ 		return;
[email protected]@ -1853,6 +1854,12 @@
+ 		return;
+ 	}
+ 
++    aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
++	if (aht->nApplyCount > 0) {
++		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
++		return;
++	}
++
+ 	if (!was_in_unserialize) {
+ 		intern->unserialize_data = emalloc(sizeof(php_unserialize_data_t));
+ 		PHP_VAR_UNSERIALIZE_INIT(*intern->unserialize_data);
+--- php-5.3.29/ext/spl/tests/bug67539.phpt_orig	2014-11-04 14:32:52.307769425 -0800
++++ php-5.3.29/ext/spl/tests/bug67539.phpt	2014-11-04 14:33:24.460710922 -0800
[email protected]@ -0,0 +1,15 @@
++--TEST--
++Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
++--FILE--
++<?php
++
++$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
++
++function badsort($a, $b) {
++        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
++        return TRUE;
++}
++
++$it->uksort('badsort');
++--EXPECTF--
++Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/220_php_20258327.patch	Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,60 @@
+Fix from PHP community for CVE-2014-8142
+Bug:
+https://bugs.php.net/bug.php?id=68594
+Code:
+http://git.php.net/?p=php-src.git;a=commit;h=630f9c33c23639de85c3fd306b209b538b73b4c9
+This patch is for a newer version of php so this hand crafted equivalent
+was created for php 5.3.
+
+--- php-5.3.29/ext/standard/var_unserializer.re_orig	2014-08-13 12:22:50.000000000 -0700
++++ php-5.3.29/ext/standard/var_unserializer.re	2015-02-05 14:51:58.796366953 -0800
[email protected]@ -304,6 +304,9 @@
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
++			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++				var_push_dtor(var_hash, old_data);
++			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
+
+--- php-5.3.29/ext/standard/var_unserializer.c_orig	2014-08-13 12:27:30.000000000 -0700
++++ php-5.3.29/ext/standard/var_unserializer.c	2015-02-05 15:20:42.925115687 -0800
[email protected]@ -298,6 +298,9 @@
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
++			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++				var_push_dtor(var_hash, old_data);
++			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
+
+--- php-5.3.29/ext/standard/tests/serialize/bug68594.phpt_orig	2015-02-05 14:59:34.551069069 -0800
++++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt	2015-02-05 14:54:28.269051205 -0800
[email protected]@ -0,0 +1,23 @@
++--TEST--
++Bug #68545 Use after free vulnerability in unserialize()
++--FILE--
++<?php
++for ($i=4; $i<100; $i++) {
++	$m = new StdClass();
++
++	$u = array(1);
++
++	$m->aaa = array(1,2,&$u,4,5);
++	$m->bbb = 1;
++	$m->ccc = &$u;
++	$m->ddd = str_repeat("A", $i);
++
++	$z = serialize($m);
++	$z = str_replace("bbb", "aaa", $z);
++	$y = unserialize($z);
++	$z = serialize($y);
++}
++?>
++===DONE===
++--EXPECTF--
++===DONE===
--- a/components/php-common/php.1.sunman	Wed Jan 21 04:16:38 2015 -0800
+++ b/components/php-common/php.1.sunman	Thu Feb 12 10:14:29 2015 -0800
@@ -1,6 +1,6 @@
 '\" te
-.\" Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
-.TH php 1 "10 May 2012" "SunOS 5.11" "User Commands"
+.\" Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
+.TH php 1 "29 Jan 2015" "SunOS 5.11" "User Commands"
 
 .SH "NAME"
 php \- PHP Command Line Interface
@@ -88,48 +88,82 @@
 http://pecl.php.net/        PECL Repository
 .fi
 .SH NOTES
-.PP
+.LP
+PHP 5.2 may be removed in a future update.
+Newer versions of PHP will appear in a future Solaris.
+.LP
+Please migrate to a newer version.
+Migration documentation is available on the PHP website:
+.LP
+.nf
+http://php.net/manual/en/appendices.php
+.fi
+.LP
+If it is desired to keep the obsolete version of PHP
+then it should be frozen to prevent its removal by a future update.
+.LP
+.nf
+pkg freeze 'web/php-52*' web/server/apache-22/module/apache-php52
+pkg change-facet --no-backup-be 'version-lock\&.web/php-52*=False' \e
+    version-lock\&.web/server/apache-22/module/apache-php52=False
+.fi
+.LP
+Please note that the freezing of packages may yield
+an unsupportable system so use with caution.
+.LP
 PHP has been built to be largefile-aware and to use
 64-bit integers, although the interpreter and the library
 themselves are 32-bit applications (LP32).
-.PP
+.LP
 If you wish to build and install PHP add-on modules from PECL,
 you can do so using the phpize script  -  see phpize(1) for
 details.
-.PP
-Solaris ships with PHP 5.2.17 and 5.3.14.
-To install PHP 5.2.17 use the pkg(1) command:
-.PP
+.LP
+Solaris ships with PHP 5.2 and 5.3.
+To install PHP 5.2 use the pkg(1) command:
+.LP
+.nf
 pkg install web/php-52 web/server/apache-22/module/apache-php52
-.PP
-To install PHP 5.3.14:
-.PP
+.fi
+.LP
+To install PHP 5.3:
+.LP
+.nf
 pkg install web/php-53 web/server/apache-22/module/apache-php53
-.PP
+.fi
+.LP
 Documentation is separate:
-.PP
+.LP
+.nf
 pkg install web/php-53/documentation
-.PP
+.fi
+.LP
 Before and after installing check or set the value of PHP's pkg
 mediator to the default version desired:
-.PP
+.LP
+.nf
 pkg mediator
-.PP
+.fi
+.LP
 To set the default version of PHP change the pkg mediator value:
-.PP
+.LP
+.nf
 pkg set-mediator -V 5.3 php
-.PP
+.fi
+.LP
 where php mediator values are 5.2 or 5.3.
-.PP
+.LP
 The configuration of php is controlled by editing the php
 configuration file for that specific version:
-.PP
+.LP
+.nf
 /etc/apache2/2.2/conf.d/php/php5.2.conf
 .br
 or
 .br
 /etc/apache2/2.2/conf.d/php/php5.3.conf
-.PP
+.fi
+.LP
 The pkg mediator will select the proper file to use.
-.PP
+.LP
 PHP is a recursive acronym which stands for PHP Hypertext Pages.