Fix CVE-2015-0273 php: #68942 Use after free vulnerability in

unserialize() with DateTimeZone Reviewed by wiz@
author: sevan <sevan@pkgsrc.org> 2015-02-18 11:04:03 +0000
committer: sevan <sevan@pkgsrc.org> 2015-02-18 11:04:03 +0000
commit: d9399c9ec5ace421ef806cf162d572cf544e35e0 (patch)
tree: b932770306156bbfbd0743b1ca9e2219661c58d5 /lang
parent: c427cb5d648e4ab3715a93cf32d073322e120f0a (diff)
download: pkgsrc-d9399c9ec5ace421ef806cf162d572cf544e35e0.tar.gz
4 files changed, 51 insertions, 2 deletions
diff --git a/lang/php54/Makefile b/lang/php54/Makefile
index 9cea231a8be..b8dd082d0a3 100644
--- a/lang/php54/Makefile
+++ b/lang/php54/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.25 2014/07/26 00:12:54 taca Exp $
+# $NetBSD: Makefile,v 1.26 2015/02/18 11:04:03 sevan Exp $
 
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME=		php-${PHP_BASE_VERS}
+PKGREVISION=		1
 CATEGORIES=		lang
 
 HOMEPAGE=		http://www.php.net/
diff --git a/lang/php54/distinfo b/lang/php54/distinfo
index b09fd3c11d7..dde448413eb 100644
--- a/lang/php54/distinfo
+++ b/lang/php54/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.51 2015/01/23 16:09:26 taca Exp $
+$NetBSD: distinfo,v 1.52 2015/02/18 11:04:03 sevan Exp $
 
 SHA1 (php-5.4.37.tar.bz2) = 608e00a730e9674e1a2e2627175e7a27f4add18f
 RMD160 (php-5.4.37.tar.bz2) = 9aa559cd4c4c63701133194b59ccff0f241a2241
@@ -7,6 +7,8 @@ SHA1 (patch-acinclude.m4) = 71635e5381abf99a9fc9f2537b1c2f18e8096f00
 SHA1 (patch-aclocal.m4) = 699086785fcd3d3834cc6016479dbdae6518e522
 SHA1 (patch-build_libtool.m4) = d81527abea3bd97e220f00a5d5296d8b1bfe2659
 SHA1 (patch-configure) = df6209127b1e23d17bc7128da3a44f3e44bbfd48
+SHA1 (patch-ext_date_php_date.c) = e1c6551a422c54c7be7ec16e6d10821f47cb924c
+SHA1 (patch-ext_date_tests_bug68942_2.phpt) = 385ed2c3077b5384bff117b97867463c6bdac15e
 SHA1 (patch-ext_gd_config.m4) = 2353efe6f25e1081b41d61033c3185cc643c7891
 SHA1 (patch-ext_imap_config.m4) = 01681e8b54ee586ec4db72a5da2d0aec3fa89fcc
 SHA1 (patch-ext_mssql_php__mssql.c) = 732e48b05086180585a3087c2e9737db557dbc3b
diff --git a/lang/php54/patches/patch-ext_date_php_date.c b/lang/php54/patches/patch-ext_date_php_date.c
new file mode 100644
index 00000000000..e1bc4ab8865
--- /dev/null
+++ b/lang/php54/patches/patch-ext_date_php_date.c
@@ -0,0 +1,30 @@
+$NetBSD: patch-ext_date_php_date.c,v 1.1 2015/02/18 11:04:03 sevan Exp $
+
+Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
+
+--- ext/date/php_date.c.orig	2015-01-20 20:06:02.000000000 +0000
++++ ext/date/php_date.c
+@@ -2575,12 +2575,9 @@ static int php_date_initialize_from_hash
+ 	timelib_tzinfo   *tzi;
+ 	php_timezone_obj *tzobj;
+ 
+-	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
+-		convert_to_string(*z_date);
+-		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
+-			convert_to_long(*z_timezone_type);
+-			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
+-				convert_to_string(*z_timezone);
++	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
++		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
++			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
+ 
+ 				switch (Z_LVAL_PP(z_timezone_type)) {
+ 					case TIMELIB_ZONETYPE_OFFSET:
+@@ -2595,7 +2592,6 @@ static int php_date_initialize_from_hash
+ 
+ 					case TIMELIB_ZONETYPE_ID: {
+ 						int ret;
+-						convert_to_string(*z_timezone);
+ 
+ 						tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
+ 
diff --git a/lang/php54/patches/patch-ext_date_tests_bug68942_2.phpt b/lang/php54/patches/patch-ext_date_tests_bug68942_2.phpt
new file mode 100644
index 00000000000..ceb358bbcee
--- /dev/null
+++ b/lang/php54/patches/patch-ext_date_tests_bug68942_2.phpt
@@ -0,0 +1,16 @@
+$NetBSD: patch-ext_date_tests_bug68942_2.phpt,v 1.1 2015/02/18 11:04:03 sevan Exp $
+
+Test for bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
+
+--- ext/date/tests/bug68942_2.phpt.orig	2015-02-18 01:43:49.000000000 +0000
++++ ext/date/tests/bug68942_2.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d
author	sevan <sevan@pkgsrc.org>	2015-02-18 11:04:03 +0000
committer	sevan <sevan@pkgsrc.org>	2015-02-18 11:04:03 +0000
commit	d9399c9ec5ace421ef806cf162d572cf544e35e0 (patch)
tree	b932770306156bbfbd0743b1ca9e2219661c58d5 /lang
parent	c427cb5d648e4ab3715a93cf32d073322e120f0a (diff)
download	pkgsrc-d9399c9ec5ace421ef806cf162d572cf544e35e0.tar.gz