Fix CVE-2015-0273 php: #68942 Use after free vulnerability in

unserialize() with DateTimeZone Reviewed by wiz@
author: sevan <sevan@pkgsrc.org> 2015-02-19 00:23:20 +0000
committer: sevan <sevan@pkgsrc.org> 2015-02-19 00:23:20 +0000
commit: 756352dce5f75a0bda9fc51f480e5750b464a438 (patch)
tree: 90a9642ab78e17660e6a922a25eeb0987c4ebe07 /lang/php56
parent: 2bf1468e01ff70c82cb3d6a76627d1d82ca04417 (diff)
download: pkgsrc-756352dce5f75a0bda9fc51f480e5750b464a438.tar.gz
5 files changed, 101 insertions, 2 deletions
diff --git a/lang/php56/Makefile b/lang/php56/Makefile
index d6850714561..28516c304d1 100644
--- a/lang/php56/Makefile
+++ b/lang/php56/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.2 2015/02/02 10:54:19 sevan Exp $
+# $NetBSD: Makefile,v 1.3 2015/02/19 00:23:20 sevan Exp $
 
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME=		php-${PHP_BASE_VERS}
+PKGREVISION=		1
 CATEGORIES=		lang
 
 HOMEPAGE=		http://www.php.net/
diff --git a/lang/php56/distinfo b/lang/php56/distinfo
index 1f6a90f4b35..a216bb193e3 100644
--- a/lang/php56/distinfo
+++ b/lang/php56/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2015/01/23 16:11:38 taca Exp $
+$NetBSD: distinfo,v 1.5 2015/02/19 00:23:20 sevan Exp $
 
 SHA1 (php-5.6.5.tar.bz2) = a523a13110a66f020c36f088089d2c5c7de9f6a9
 RMD160 (php-5.6.5.tar.bz2) = 9c9219b69187c2b14c9bb3b74ef30a65dbf458ed
@@ -7,6 +7,9 @@ SHA1 (patch-acinclude.m4) = b38fc34c3a3847dc317e8e286612b21ec8fd5ce8
 SHA1 (patch-aclocal.m4) = 49117c42e03bd3ed57d967d33ba543f936013b4f
 SHA1 (patch-build_libtool.m4) = f459cda09cbdad9780568d271091fb17bbc5d965
 SHA1 (patch-configure) = d3d44c814deb0264fd4fc41908c2ff31fde00b0d
+SHA1 (patch-ext_date_php_date.c) = a5d594d5b054f170f5cd129c0a9ddec6334cce9a
+SHA1 (patch-ext_date_tests_bug68942.phpt) = d3ebf7a5f78bf8b4b3f1a0c85d40480c335b491e
+SHA1 (patch-ext_date_tests_bug68942_2.phpt) = af2a9ffef7c7f0ecf5425e96cfb67dd3beac6827
 SHA1 (patch-ext_gd_config.m4) = 4b44853250eb4a638af4c663e618307ff25d2cbd
 SHA1 (patch-ext_imap_config.m4) = 9c6ed6966366c4fe1b7cfd34b5910e2ff0e68577
 SHA1 (patch-ext_mssql_php__mssql.c) = c4fa9231dc539ffb027f1beb6f182f21ddb94a3c
diff --git a/lang/php56/patches/patch-ext_date_php_date.c b/lang/php56/patches/patch-ext_date_php_date.c
new file mode 100644
index 00000000000..ded8beba396
--- /dev/null
+++ b/lang/php56/patches/patch-ext_date_php_date.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-ext_date_php_date.c,v 1.1 2015/02/19 00:23:20 sevan Exp $
+
+Fix CVE-2015-0273 / bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
+
+--- ext/date/php_date.c.orig	2015-01-21 00:40:37.000000000 +0000
++++ ext/date/php_date.c
+@@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash
+ 	timelib_tzinfo   *tzi;
+ 	php_timezone_obj *tzobj;
+ 
+-	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
+-		convert_to_string(*z_date);
+-		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
+-			convert_to_long(*z_timezone_type);
+-			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
+-				convert_to_string(*z_timezone);
++	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
++		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
++			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
+ 
+ 				switch (Z_LVAL_PP(z_timezone_type)) {
+ 					case TIMELIB_ZONETYPE_OFFSET:
+@@ -2827,7 +2824,6 @@ static int php_date_initialize_from_hash
+ 
+ 					case TIMELIB_ZONETYPE_ID: {
+ 						int ret;
+-						convert_to_string(*z_timezone);
+ 
+ 						tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
+ 
+@@ -3744,9 +3740,8 @@ static int php_date_timezone_initialize_
+ 	zval            **z_timezone = NULL;
+ 	zval            **z_timezone_type = NULL;
+ 
+-	if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
++	if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
+ 		if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
+-			convert_to_long(*z_timezone_type);
+ 			if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {
+ 				return SUCCESS;
+ 			}
+@@ -3771,7 +3766,9 @@ PHP_METHOD(DateTimeZone, __set_state)
+ 
+ 	php_date_instantiate(date_ce_timezone, return_value TSRMLS_CC);
+ 	tzobj = (php_timezone_obj *) zend_object_store_get_object(return_value TSRMLS_CC);
+-	php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC);
++	if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) {
++		php_error_docref(NULL, E_ERROR, "Timezone initialization failed");
++	}
+ }
+ /* }}} */
+ 
+@@ -3787,7 +3784,9 @@ PHP_METHOD(DateTimeZone, __wakeup)
+ 
+ 	myht = Z_OBJPROP_P(object);
+ 	
+-	php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC);
++	if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) {
++		php_error_docref(NULL, E_ERROR, "Timezone initialization failed");
++	}
+ }
+ /* }}} */
+ 
diff --git a/lang/php56/patches/patch-ext_date_tests_bug68942.phpt b/lang/php56/patches/patch-ext_date_tests_bug68942.phpt
new file mode 100644
index 00000000000..b2411fa0dcf
--- /dev/null
+++ b/lang/php56/patches/patch-ext_date_tests_bug68942.phpt
@@ -0,0 +1,16 @@
+$NetBSD: patch-ext_date_tests_bug68942.phpt,v 1.1 2015/02/19 00:23:20 sevan Exp $
+
+Test CVE-2015-0273 / bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
+
+--- ext/date/tests/bug68942.phpt.orig	2015-02-18 23:36:15.000000000 +0000
++++ ext/date/tests/bug68942.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:4;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d
diff --git a/lang/php56/patches/patch-ext_date_tests_bug68942_2.phpt b/lang/php56/patches/patch-ext_date_tests_bug68942_2.phpt
new file mode 100644
index 00000000000..10a47b4b67e
--- /dev/null
+++ b/lang/php56/patches/patch-ext_date_tests_bug68942_2.phpt
@@ -0,0 +1,16 @@
+$NetBSD: patch-ext_date_tests_bug68942_2.phpt,v 1.1 2015/02/19 00:23:20 sevan Exp $
+
+Test CVE-2015-0273 / bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
+
+--- ext/date/tests/bug68942_2.phpt.orig	2015-02-18 23:37:44.000000000 +0000
++++ ext/date/tests/bug68942_2.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d
author	sevan <sevan@pkgsrc.org>	2015-02-19 00:23:20 +0000
committer	sevan <sevan@pkgsrc.org>	2015-02-19 00:23:20 +0000
commit	756352dce5f75a0bda9fc51f480e5750b464a438 (patch)
tree	90a9642ab78e17660e6a922a25eeb0987c4ebe07 /lang/php56
parent	2bf1468e01ff70c82cb3d6a76627d1d82ca04417 (diff)
download	pkgsrc-756352dce5f75a0bda9fc51f480e5750b464a438.tar.gz