author | sean finney <seanius@debian.org> | 2007-03-03 11:13:33 +0100 |
---|---|---|
committer | Mark A. Hershberger <mah@debian.(none)> | 2009-03-25 00:37:15 -0400 |
commit | 33d60a62434acf2de1e7c8582d22a117b400aaf4 (patch) | |
tree | fed42b04715f17eeda67fe7a4d77c1fecce67df2 | |
parent | fc2d2776264903fe62f297e939f77b070be77ad8 (diff) | |
download | php-debian/5.2.0-9.tar.gz |
Imported Debian patch 5.2.0-9debian/5.2.0-9
-rw-r--r-- | debian/changelog | 54
-rw-r--r-- | debian/control | 14
-rw-r--r-- | debian/patches/114-zend_alloc.c_m68k_alignment.patch | 14
-rw-r--r-- | debian/patches/115-zend_alloc.c_memleak.patch | 48
-rw-r--r-- | debian/patches/116-CVE-2007-0906_imap.patch | 159
-rw-r--r-- | debian/patches/116-CVE-2007-0906_session.patch | 15
-rw-r--r-- | debian/patches/116-CVE-2007-0906_streams.patch | 30
-rw-r--r-- | debian/patches/116-CVE-2007-0906_string.patch | 12
-rw-r--r-- | debian/patches/116-CVE-2007-0907.patch | 12
-rw-r--r-- | debian/patches/116-CVE-2007-0908.patch | 30
-rw-r--r-- | debian/patches/116-CVE-2007-0909_odbc.patch | 50
-rw-r--r-- | debian/patches/116-CVE-2007-0909_print.patch | 15
-rw-r--r-- | debian/patches/116-CVE-2007-0910.patch | 135
-rw-r--r-- | debian/patches/116-CVE-2007-0988.patch | 23
-rw-r--r-- | debian/patches/117-imap-auth-plain.patch | 10
-rw-r--r-- | debian/php5-common.README.Debian | 12
-rwxr-xr-x | debian/rules | 7
17 files changed, 632 insertions, 8 deletions
diff --git a/debian/changelog b/debian/changelog index 4c09441ca..4596940af 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,57 @@ +php5 (5.2.0-9) unstable; urgency=high + + [ sean finney ] + * The following security issues are addressed with this update: + - CVE-2007-0906: Multiple buffer overflows in various code: + * session (addressed in patch for CVE-2007-0910 below) + * imap (062-CVE-2007-0906-imap.patch) + * str_replace: (064-CVE-2007-0906-strreplace.patch) + * interbase: (063-CVE-2007-0906-interbase.patch) + * the zip, sqlite, stream filters, and mail related vulnerabilities + in this CVE do not affect the debian sarge php4 source package. + - CVE-2007-0907: sapi_header_op buffer underflow (065-CVE-2007-0907.patch) + - CVE-2007-0908: wddx information disclosure (066-CVE-2007-0908.patch) + - CVE-2007-0909: More buffer overflows: + * the odbc_result_all function (067-CVE-2007-0909-odbc.patch) + * various formatted print functions (068-CVE-2007-0909-printf.patch) + - CVE-2007-0910: Clobbering of super-globals (069-CVE-2007-0910.patch) + - CVE-2007-0988: 64bit unserialize DoS (070-CVE-2007-0988.patch) + Closes: #410995. + * The package maintainers would like to thank Joe Orton from redhat and + Martin Pitt from ubuntu for their help in preparation of this update. + * backport upstream fix for AUTH PLAIN support in imap extension + Closes: #401712. + + -- sean finney <seanius@debian.org> Sat, 03 Mar 2007 11:13:33 +0100 + +php5 (5.2.0-8) unstable; urgency=high + + [ sean finney ] + * Update package information to say simply "Apache 2" instead + of "Apache 2.0" (ref: #400306). + * Update package description for php-pear to mention needing + phpN-dev for building PECL extensions (closes: #401825). + * Add mention of Freetype fonts to php5-gd package description, + thanks to Ole Laursen for the suggestion (closes: #387881). + * Include a backported version of upstream's fix for + alignment calculatations which cause FTBFS problems for + some arches. Thanks to Roman Zippel for finding this (closes: #401129). 
+ patch: 114-zend_alloc.c_m68k_alignment.patch + * Remove --enable-yp, as it's no longer used and seperately + packaged. Thanks to Martijn Grendelman for mentioning this + (closes: #402161). + * Add mention to README.Debian of needing to restart apache when + installing modules (closes: #392249). + * Don't strip the DSO modules if building with DEB_BUILD_OPTIONS + containing nostrip + * Backported a patch from upstream CVS to fix a rather nasty + memory leak in zend_alloc (closes: #402506). + patch: 115-zend_alloc.c_memleak.patch + * The memleak and FTBFS are targeted at etch, and there aren't + any other significant changes, so priority=high. + + -- sean finney <seanius@debian.org> Sun, 17 Dec 2006 16:49:35 +0100 + php5 (5.2.0-7) unstable; urgency=high [ Steve Langasek ] diff --git a/debian/control b/debian/control index bc9863e1c..daec7134d 100644 --- a/debian/control +++ b/debian/control @@ -46,7 +46,7 @@ Suggests: php-pear Description: server-side, HTML-embedded scripting language (apache 1.3 module) This package provides the PHP5 module for the Apache 1.3 webserver (as found in the apache, apache-ssl, and apache-perl packages). To use php5 - with Apache 2.0, you probably want libapache2-mod-php5 instead. + with Apache 2, you probably want libapache2-mod-php5 instead. . ${php:Extensions} . 
@@ -63,8 +63,8 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support (>= 2.03-1), ${apache2 Conflicts: libapache2-mod-php4 Provides: ${php:Provides} Suggests: php-pear -Description: server-side, HTML-embedded scripting language (apache 2.0 module) - This package provides the PHP5 module for the Apache 2.0 webserver (as +Description: server-side, HTML-embedded scripting language (apache 2 module) + This package provides the PHP5 module for the Apache 2 webserver (as found in the apache2-mpm-prefork package). Please note that this package ONLY works with Apache's prefork MPM, as it is not compiled thread-safe. To use php5 with Apache 1.3, you probably want libapache-mod-php5 instead. @@ -86,7 +86,7 @@ Conflicts: php3 (<= 3.0.18-1) Suggests: php-pear Description: server-side, HTML-embedded scripting language (CGI binary) This package provides the /usr/lib/cgi-bin/php5 CGI interpreter built - for use in apache 1.3 or apache 2.0 with mod_actions, or any other CGI + for use in apache 1.3 or apache 2 with mod_actions, or any other CGI httpd that supports a similar mechanism. Note that MOST apache users probably want the libapache-mod-php5 or libapache2-mod-php5 packages. . @@ -136,12 +136,14 @@ Package: php-pear Architecture: all Depends: php5-cli | php4-cli, php5-common (>= ${Source-Version}) Recommends: gnupg +Suggests: php5-dev | php4-dev Replaces: php4-pear (<< 4:4.4.0-0) Description: PEAR - PHP Extension and Application Repository This package contains the base PEAR classes for PHP, as well as the PEAR installer. Many PEAR classes are already packaged for Debian, and can be easily identified by names beginning with "php-", such as php-db and - php-auth. + php-auth. Note: to build and install precompiled PECL extensions, you + will need one of the php development packages installed. . PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown 
@@ -164,7 +166,7 @@ Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${Source-Version}) Description: GD module for php5 This package provides a module for handling graphics directly from PHP - scripts. It supports the PNG, JPEG, XPM and ttf fonts. + scripts. It supports the PNG, JPEG, XPM formats as well as Freetype/ttf fonts. . PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown diff --git a/debian/patches/114-zend_alloc.c_m68k_alignment.patch b/debian/patches/114-zend_alloc.c_m68k_alignment.patch new file mode 100644 index 000000000..a048ac9f2 --- /dev/null +++ b/debian/patches/114-zend_alloc.c_m68k_alignment.patch @@ -0,0 +1,14 @@ +--- php.old/Zend/zend_alloc.c 2006/12/01 13:54:19 1.144.2.3.2.17 ++++ php.new/Zend/zend_alloc.c 2006/12/01 15:32:55 1.144.2.3.2.18 +@@ -373,6 +373,11 @@ + #ifndef ZEND_MM_ALIGNMENT + # define ZEND_MM_ALIGNMENT 8 + # define ZEND_MM_ALIGNMENT_LOG2 3 ++#elif ZEND_MM_ALIGNMENT < 4 ++# undef ZEND_MM_ALIGNMENT ++# undef ZEND_MM_ALIGNMENT_LOG2 ++# define ZEND_MM_ALIGNMENT 4 ++# define ZEND_MM_ALIGNMENT_LOG2 2 + #endif + + #define ZEND_MM_ALIGNMENT_MASK ~(ZEND_MM_ALIGNMENT-1) diff --git a/debian/patches/115-zend_alloc.c_memleak.patch b/debian/patches/115-zend_alloc.c_memleak.patch new file mode 100644 index 000000000..768804f4e --- /dev/null +++ b/debian/patches/115-zend_alloc.c_memleak.patch 
@@ -0,0 +1,48 @@ +--- php.old/Zend/zend_alloc.c 2006/12/01 19:41:57 1.144.2.3.2.19 ++++ php.new/Zend/zend_alloc.c 2006/12/01 20:01:19 1.144.2.3.2.20 +@@ -472,6 +472,10 @@ + } + } else { + prev = &heap->free_buckets[0]; ++ while (prev->next_free_block != &heap->free_buckets[0] && ++ ZEND_MM_FREE_BLOCK_SIZE(prev->next_free_block) < size) { ++ prev = prev->next_free_block; ++ } + } + next = prev->next_free_block; + mm_block->prev_free_block = prev; +@@ -1098,10 +1102,8 @@ + + static void *_zend_mm_alloc_int(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) + { +- size_t true_size, best_size = 0x7fffffff; + zend_mm_free_block *p, *end, *best_fit = NULL; +- +- true_size = ZEND_MM_TRUE_SIZE(size); ++ size_t true_size = ZEND_MM_TRUE_SIZE(size); + + if (ZEND_MM_SMALL_SIZE(true_size)) { + size_t index = ZEND_MM_BUCKET_INDEX(true_size); +@@ -1154,16 +1156,14 @@ + + end = &heap->free_buckets[0]; + for (p = end->next_free_block; p != end; p = p->next_free_block) { +- size_t s = ZEND_MM_FREE_BLOCK_SIZE(p); +- if (s > true_size) { +- if (s < best_size) { /* better fit */ ++ if (ZEND_MM_FREE_BLOCK_SIZE(p) >= true_size) { ++ if (ZEND_MM_IS_FIRST_BLOCK(p) || ++ !ZEND_MM_IS_FIRST_BLOCK(ZEND_MM_PREV_BLOCK(p)) || ++ !ZEND_MM_IS_GUARD_BLOCK(ZEND_MM_NEXT_BLOCK(p)) || ++ p->next_free_block == end) { + best_fit = p; +- best_size = s; ++ goto zend_mm_finished_searching_for_block; + } +- } else if (s == true_size) { +- /* Found "big" free block of exactly the same size */ +- best_fit = p; +- goto zend_mm_finished_searching_for_block; + } + } + diff --git a/debian/patches/116-CVE-2007-0906_imap.patch b/debian/patches/116-CVE-2007-0906_imap.patch new file mode 100644 index 000000000..6c0ec5ffc --- /dev/null +++ b/debian/patches/116-CVE-2007-0906_imap.patch 
@@ -0,0 +1,159 @@ +diff -Nurp orig/ext/imap/php_imap.c new/ext/imap/php_imap.c +--- orig/ext/imap/php_imap.c 2007-02-21 08:35:44.000000000 +0100 ++++ new/ext/imap/php_imap.c 2007-02-21 08:37:15.000000000 +0100 +@@ -62,6 +62,9 @@ + #define CRLF_LEN sizeof("\015\012") - 1 + #define PHP_EXPUNGE 32768 + #define PHP_IMAP_ADDRESS_SIZE_BUF 10 ++#ifndef SENDBUFLEN ++#define SENDBUFLEN 16385 ++#endif + + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); +@@ -1152,13 +1152,13 @@ PHP_FUNCTION(imap_headers) + if ((i = cache->user_flags)) { + strcat(tmp, "{"); + while (i) { +- strcat(tmp, imap_le_struct->imap_stream->user_flags[find_rightmost_bit (&i)]); +- if (i) strcat(tmp, " "); ++ strlcat(tmp, imap_le_struct->imap_stream->user_flags[find_rightmost_bit (&i)], sizeof(tmp)); ++ if (i) strlcat(tmp, " ", sizeof(tmp)); + } +- strcat(tmp, "} "); ++ strlcat(tmp, "} ", sizeof(tmp)); + } + mail_fetchsubject(t = tmp + strlen(tmp), imap_le_struct->imap_stream, msgno, (long)25); +- sprintf(t += strlen(t), " (%ld chars)", cache->rfc822_size); ++ snprintf(t += strlen(t), sizeof(tmp) - strlen(tmp), " (%ld chars)", cache->rfc822_size); + add_next_index_string(return_value, tmp, 1); + } + } +@@ -2915,7 +2915,7 @@ PHP_FUNCTION(imap_mail_compose) + BODY *bod=NULL, *topbod=NULL; + PART *mypart=NULL, *part; + PARAMETER *param, *disp_param = NULL, *custom_headers_param = NULL, *tmp_param = NULL; +- char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL; ++ char tmp[SENDBUFLEN + 1], *mystring=NULL, *t=NULL, *tempstring=NULL; + int toppart = 0; + + if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &envelope, &body) == FAILURE) { +@@ -3216,8 +3216,8 @@ PHP_FUNCTION(imap_mail_compose) + goto done; + } + +- rfc822_encode_body_7bit(env, topbod); +- rfc822_header (tmp, env, topbod); ++ rfc822_encode_body_7bit(env, topbod); ++ rfc822_header(tmp, env, topbod); + + /* add custom envelope headers 
*/ + if (custom_headers_param) { +@@ -3266,43 +3266,42 @@ PHP_FUNCTION(imap_mail_compose) + /* yucky default */ + if (!cookie) { + cookie = "-"; ++ } else if (strlen(cookie) > (sizeof(tmp) - 2 - 2)) { /* validate cookie length -- + CRLF */ ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The boudary should be no longer then 4kb"); ++ RETVAL_FALSE; ++ goto done; + } + + /* for each part */ + do { + t=tmp; + /* build cookie */ +- sprintf (t, "--%s%s", cookie, CRLF); ++ sprintf(t, "--%s%s", cookie, CRLF); + + /* append mini-header */ + rfc822_write_body_header(&t, &part->body); + + /* write terminating blank line */ +- strcat (t, CRLF); ++ strcat(t, CRLF); + + /* output cookie, mini-header, and contents */ +- tempstring=emalloc(strlen(mystring)+strlen(tmp)+1); +- sprintf(tempstring, "%s%s", mystring, tmp); ++ spprintf(&tempstring, 0, "%s%s", mystring, tmp); + efree(mystring); + mystring=tempstring; + + bod=&part->body; + +- tempstring=emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1); +- sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF); ++ spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); + efree(mystring); + mystring=tempstring; + } while ((part = part->next)); /* until done */ + + /* output trailing cookie */ +- sprintf(tmp, "--%s--", cookie); +- tempstring=emalloc(strlen(tmp)+strlen(CRLF)+strlen(mystring)+1); +- sprintf(tempstring, "%s%s%s", mystring, tmp, CRLF); ++ spprintf(&tempstring, 0, "%s--%s--%s", mystring, tmp, CRLF); + efree(mystring); + mystring=tempstring; + } else if (bod) { +- tempstring = emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1); +- sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF); ++ spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); + efree(mystring); + mystring=tempstring; + } else { +@@ -3350,14 +3349,14 @@ int _php_imap_mail(char *to, char *subje + #define PHP_IMAP_CLEAN if (bufferTo) 
efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader); + #define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION); + +- bufferHeader = (char *)emalloc(bufferLen); ++ bufferHeader = (char *)emalloc(bufferLen + 1); + memset(bufferHeader, 0, bufferLen); + if (to && *to) { +- strcat(bufferHeader, "To: "); +- strcat(bufferHeader, to); +- strcat(bufferHeader, "\r\n"); ++ strlcat(bufferHeader, "To: ", bufferLen + 1); ++ strlcat(bufferHeader, to, bufferLen + 1); ++ strlcat(bufferHeader, "\r\n", bufferLen + 1); + tempMailTo = estrdup(to); +- bufferTo = (char *)emalloc(strlen(to)); ++ bufferTo = (char *)emalloc(strlen(to) + 1); + offset = 0; + addr = NULL; + rfc822_parse_adrlist(&addr, tempMailTo, NULL); +@@ -3376,11 +3375,11 @@ int _php_imap_mail(char *to, char *subje + } + + if (cc && *cc) { +- strcat(bufferHeader, "Cc: "); +- strcat(bufferHeader, cc); +- strcat(bufferHeader, "\r\n"); ++ strlcat(bufferHeader, "Cc: ", bufferLen + 1); ++ strlcat(bufferHeader, cc, bufferLen + 1); ++ strlcat(bufferHeader, "\r\n", bufferLen + 1); + tempMailTo = estrdup(cc); +- bufferCc = (char *)emalloc(strlen(cc)); ++ bufferCc = (char *)emalloc(strlen(cc) + 1); + offset = 0; + addr = NULL; + rfc822_parse_adrlist(&addr, tempMailTo, NULL); +@@ -3400,7 +3399,7 @@ int _php_imap_mail(char *to, char *subje + + if (bcc && *bcc) { + tempMailTo = estrdup(bcc); +- bufferBcc = (char *)emalloc(strlen(bcc)); ++ bufferBcc = (char *)emalloc(strlen(bcc) + 1); + offset = 0; + addr = NULL; + rfc822_parse_adrlist(&addr, tempMailTo, NULL); +@@ -3419,7 +3418,7 @@ int _php_imap_mail(char *to, char *subje + } + + if (headers && *headers) { +- strcat(bufferHeader, headers); ++ strlcat(bufferHeader, headers, bufferLen + 1); + } + + if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, bufferHeader, subject, bufferTo, message, bufferCc, bufferBcc, rpath TSRMLS_CC) != SUCCESS) { 
diff --git a/debian/patches/116-CVE-2007-0906_session.patch b/debian/patches/116-CVE-2007-0906_session.patch new file mode 100644 index 000000000..f8430d079 --- /dev/null +++ b/debian/patches/116-CVE-2007-0906_session.patch @@ -0,0 +1,15 @@ +diff -Nurp orig/ext/session/session.c new/ext/session/session.c +--- orig/ext/session/session.c 2007-02-21 08:40:31.000000000 +0100 ++++ new/ext/session/session.c 2007-02-21 08:41:11.000000000 +0100 +@@ -433,6 +433,11 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) + + for (p = val; p < endptr; ) { + namelen = *p & (~PS_BIN_UNDEF); ++ ++ if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) { ++ return FAILURE; ++ } ++ + has_value = *p & PS_BIN_UNDEF ? 0 : 1; + + name = estrndup(p + 1, namelen); diff --git a/debian/patches/116-CVE-2007-0906_streams.patch b/debian/patches/116-CVE-2007-0906_streams.patch new file mode 100644 index 000000000..e1605bed8 --- /dev/null +++ b/debian/patches/116-CVE-2007-0906_streams.patch 
@@ -0,0 +1,30 @@ +diff -Nurp orig/ext/standard/streamsfuncs.c new/ext/standard/streamsfuncs.c +--- orig/ext/standard/streamsfuncs.c 2007-02-21 08:42:36.000000000 +0100 ++++ new/ext/standard/streamsfuncs.c 2007-02-21 08:43:20.000000000 +0100 +@@ -359,7 +359,7 @@ PHP_FUNCTION(stream_socket_recvfrom) + RETURN_FALSE; + } + +- read_buf = emalloc(to_read + 1); ++ read_buf = safe_emalloc(1, to_read, 1); + + recvd = php_stream_xport_recvfrom(stream, read_buf, to_read, flags, NULL, NULL, + zremote ? &Z_STRVAL_P(zremote) : NULL, +@@ -528,7 +528,7 @@ PHP_FUNCTION(stream_get_transports) + while (zend_hash_get_current_key_ex(stream_xport_hash, + &stream_xport, &stream_xport_len, + &num_key, 0, NULL) == HASH_KEY_IS_STRING) { +- add_next_index_stringl(return_value, stream_xport, stream_xport_len, 1); ++ add_next_index_stringl(return_value, stream_xport, stream_xport_len - 1, 1); + zend_hash_move_forward(stream_xport_hash); + } + } else { +@@ -556,7 +556,7 @@ PHP_FUNCTION(stream_get_wrappers) + (key_flags = zend_hash_get_current_key_ex(url_stream_wrappers_hash, &stream_protocol, &stream_protocol_len, &num_key, 0, NULL)) != HASH_KEY_NON_EXISTANT; + zend_hash_move_forward(url_stream_wrappers_hash)) { + if (key_flags == HASH_KEY_IS_STRING) { +- add_next_index_stringl(return_value, stream_protocol, stream_protocol_len, 1); ++ add_next_index_stringl(return_value, stream_protocol, stream_protocol_len - 1, 1); + } + } + } else { diff --git a/debian/patches/116-CVE-2007-0906_string.patch b/debian/patches/116-CVE-2007-0906_string.patch new file mode 100644 index 000000000..dbfab8706 --- /dev/null +++ b/debian/patches/116-CVE-2007-0906_string.patch 
@@ -0,0 +1,12 @@ +diff -Nurp orig/ext/standard/string.c new/ext/standard/string.c +--- orig/ext/standard/string.c 2007-02-21 08:44:35.000000000 +0100 ++++ new/ext/standard/string.c 2007-02-21 08:45:14.000000000 +0100 +@@ -3044,7 +3044,7 @@ PHPAPI int php_char_to_str_ex(char *str, + } + + Z_STRLEN_P(result) = len + (char_count * (to_len - 1)); +- Z_STRVAL_P(result) = target = emalloc(Z_STRLEN_P(result) + 1); ++ Z_STRVAL_P(result) = target = safe_emalloc(char_count, to_len, len + 1); + Z_TYPE_P(result) = IS_STRING; + + if (case_sensitivity) { diff --git a/debian/patches/116-CVE-2007-0907.patch b/debian/patches/116-CVE-2007-0907.patch new file mode 100644 index 000000000..1645b85b9 --- /dev/null +++ b/debian/patches/116-CVE-2007-0907.patch @@ -0,0 +1,12 @@ +diff -Nurp orig/main/SAPI.c new/main/SAPI.c +--- orig/main/SAPI.c 2007-02-21 08:48:51.000000000 +0100 ++++ new/main/SAPI.c 2007-02-21 08:49:14.000000000 +0100 +@@ -563,7 +563,7 @@ SAPI_API int sapi_header_op(sapi_header_ + header_line = estrndup(header_line, header_line_len); + + /* cut of trailing spaces, linefeeds and carriage-returns */ +- while(isspace(header_line[header_line_len-1])) ++ while(header_line_len && isspace(header_line[header_line_len-1])) + header_line[--header_line_len]='\0'; + + /* new line safety check */ diff --git a/debian/patches/116-CVE-2007-0908.patch b/debian/patches/116-CVE-2007-0908.patch new file mode 100644 index 000000000..d1e7eaf2c --- /dev/null +++ b/debian/patches/116-CVE-2007-0908.patch 
@@ -0,0 +1,30 @@ +diff -Nurp orig/ext/wddx/wddx.c new/ext/wddx/wddx.c +--- orig/ext/wddx/wddx.c 2007-02-21 08:52:27.000000000 +0100 ++++ new/ext/wddx/wddx.c 2007-02-21 08:52:53.000000000 +0100 +@@ -284,7 +284,7 @@ PS_SERIALIZER_DECODE_FUNC(wddx) + + switch (hash_type) { + case HASH_KEY_IS_LONG: +- sprintf(tmp, "%ld", idx); ++ key_length = sprintf(tmp, "%ld", idx) + 1; + key = tmp; + /* fallthru */ + case HASH_KEY_IS_STRING: +@@ -448,7 +448,7 @@ static void php_wddx_serialize_object(wd + PHP_SET_CLASS_ATTRIBUTES(obj); + + php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); +- sprintf(tmp_buf, WDDX_VAR_S, PHP_CLASS_NAME_VAR); ++ snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); + php_wddx_add_chunk(packet, tmp_buf); + php_wddx_add_chunk_static(packet, WDDX_STRING_S); + php_wddx_add_chunk_ex(packet, class_name, name_len); +@@ -480,7 +480,7 @@ static void php_wddx_serialize_object(wd + PHP_SET_CLASS_ATTRIBUTES(obj); + + php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); +- sprintf(tmp_buf, WDDX_VAR_S, PHP_CLASS_NAME_VAR); ++ snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); + php_wddx_add_chunk(packet, tmp_buf); + php_wddx_add_chunk_static(packet, WDDX_STRING_S); + php_wddx_add_chunk_ex(packet, class_name, name_len); diff --git a/debian/patches/116-CVE-2007-0909_odbc.patch b/debian/patches/116-CVE-2007-0909_odbc.patch new file mode 100644 index 000000000..794a29997 --- /dev/null +++ b/debian/patches/116-CVE-2007-0909_odbc.patch 
@@ -0,0 +1,50 @@ +diff -Nurp orig/ext/odbc/php_odbc.c new/ext/odbc/php_odbc.c +--- orig/ext/odbc/php_odbc.c 2007-02-21 08:58:37.000000000 +0100 ++++ new/ext/odbc/php_odbc.c 2007-02-21 08:59:13.000000000 +0100 +@@ -1991,12 +1991,12 @@ PHP_FUNCTION(odbc_result_all) + RETURN_FALSE; + } + if (rc == SQL_SUCCESS_WITH_INFO) +- php_printf(buf,result->longreadlen); ++ PHPWRITE(buf, result->longreadlen); + else if (result->values[i].vallen == SQL_NULL_DATA) { + php_printf("<td>NULL</td>"); + break; + } else { +- php_printf(buf, result->values[i].vallen); ++ PHPWRITE(buf, result->values[i].vallen); + } + php_printf("</td>"); + break; +@@ -2097,23 +2097,23 @@ int odbc_sqlconnect(odbc_connection **co + if (strstr(db, "pwd") || strstr(db, "PWD")) { + pwd = NULL; + } +- strncpy( lpszConnStr, db, CONNSTRSIZE); ++ strlcpy( lpszConnStr, db, CONNSTRSIZE); + } + else { + strcpy(lpszConnStr, "DSN="); +- strcat(lpszConnStr, db); ++ strlcat(lpszConnStr, db, CONNSTRSIZE); + } + if (uid) { + if (uid[0]) { +- strcat(lpszConnStr, ";UID="); +- strcat(lpszConnStr, uid); +- strcat(lpszConnStr, ";"); ++ strlcat(lpszConnStr, ";UID=", CONNSTRSIZE); ++ strlcat(lpszConnStr, uid, CONNSTRSIZE); ++ strlcat(lpszConnStr, ";", CONNSTRSIZE); + } + if (pwd) { + if (pwd[0]) { +- strcat(lpszConnStr, "PWD="); +- strcat(lpszConnStr, pwd); +- strcat(lpszConnStr, ";"); ++ strlcat(lpszConnStr, "PWD=", CONNSTRSIZE); ++ strlcat(lpszConnStr, pwd, CONNSTRSIZE); ++ strlcat(lpszConnStr, ";", CONNSTRSIZE); + } + } + } diff --git a/debian/patches/116-CVE-2007-0909_print.patch b/debian/patches/116-CVE-2007-0909_print.patch new file mode 100644 index 000000000..309ba3616 --- /dev/null +++ b/debian/patches/116-CVE-2007-0909_print.patch 
@@ -0,0 +1,15 @@ +diff -Nurp orig/ext/standard/formatted_print.c new/ext/standard/formatted_print.c +--- orig/ext/standard/formatted_print.c 2007-02-21 08:56:46.000000000 +0100 ++++ new/ext/standard/formatted_print.c 2007-02-21 08:57:26.000000000 +0100 +@@ -485,9 +485,10 @@ php_formatted_print(int ht, int *len, in + { + zval ***args, **z_format; + int argc, size = 240, inpos = 0, outpos = 0, temppos; +- int alignment, width, precision, currarg, adjusting, argnum; ++ int alignment, currarg, adjusting; + char *format, *result, padding; + int always_sign; ++ long argnum, width, precision; + + argc = ZEND_NUM_ARGS(); + diff --git a/debian/patches/116-CVE-2007-0910.patch b/debian/patches/116-CVE-2007-0910.patch new file mode 100644 index 000000000..33812398e --- /dev/null +++ b/debian/patches/116-CVE-2007-0910.patch 
@@ -0,0 +1,135 @@ +diff -Nurp orig/ext/session/session.c new/ext/session/session.c +--- orig/ext/session/session.c 2007-02-21 09:31:23.000000000 +0100 ++++ new/ext/session/session.c 2007-02-21 09:32:02.000000000 +0100 +@@ -291,9 +291,12 @@ void php_add_session_var(char *name, siz + if (PG(register_globals)) { + zval **sym_global = NULL; + +- zend_hash_find(&EG(symbol_table), name, namelen + 1, +- (void *) &sym_global); +- ++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void *) &sym_global) == SUCCESS) { ++ if ((Z_TYPE_PP(sym_global) == IS_ARRAY && Z_ARRVAL_PP(sym_global) == &EG(symbol_table)) || *sym_global == PS(http_session_vars)) { ++ return; ++ } ++ } ++ + if (sym_global == NULL && sym_track == NULL) { + zval *empty_var; + +@@ -323,7 +326,10 @@ void php_set_session_var(char *name, siz + if (PG(register_globals)) { + zval **old_symbol; + if (zend_hash_find(&EG(symbol_table),name,namelen+1,(void *)&old_symbol) == SUCCESS) { +- ++ if ((Z_TYPE_PP(old_symbol) == IS_ARRAY && Z_ARRVAL_PP(old_symbol) == &EG(symbol_table)) || *old_symbol == PS(http_session_vars)) { ++ return; ++ } ++ + /* + * A global symbol with the same name exists already. That + * symbol might have been created by other means (e.g. $_GET). +@@ -432,12 +438,20 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) + PHP_VAR_UNSERIALIZE_INIT(var_hash); + + for (p = val; p < endptr; ) { ++ zval **tmp; + namelen = *p & (~PS_BIN_UNDEF); + + if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) { + return FAILURE; + } + ++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) { ++ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) { ++ efree(name); ++ continue; ++ } ++ } ++ + has_value = *p & PS_BIN_UNDEF ? 
0 : 1; + + name = estrndup(p + 1, namelen); +@@ -509,6 +523,7 @@ PS_SERIALIZER_DECODE_FUNC(php) + p = val; + + while (p < endptr) { ++ zval **tmp; + q = p; + while (*q != PS_DELIMITER) + if (++q >= endptr) goto break_outer_loop; +@@ -523,7 +538,13 @@ PS_SERIALIZER_DECODE_FUNC(php) + namelen = q - p; + name = estrndup(p, namelen); + q++; +- ++ ++ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) { ++ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) { ++ goto skip; ++ } ++ } ++ + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { +@@ -532,6 +553,7 @@ PS_SERIALIZER_DECODE_FUNC(php) + zval_ptr_dtor(¤t); + } + PS_ADD_VARL(name, namelen); ++skip: + efree(name); + + p = q; +@@ -672,7 +694,7 @@ PHPAPI char *php_session_create_id(PS_CR + buf = emalloc(100); + + /* maximum 15+19+19+10 bytes */ +- sprintf(buf, "%.15s%ld%ld%0.8f", remote_addr ? remote_addr : "", ++ sprintf(buf, "%.15s%ld%ld%0.8F", remote_addr ? 
remote_addr : "", + tv.tv_sec, (long int)tv.tv_usec, php_combined_lcg(TSRMLS_C) * 10); + + switch (PS(hash_func)) { +@@ -1435,6 +1457,11 @@ PHP_FUNCTION(session_save_path) + + if (ac == 1) { + convert_to_string_ex(p_name); ++ if (memchr(Z_STRVAL_PP(p_name), '\0', Z_STRLEN_PP(p_name)) != NULL) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The save_path cannot contain NULL characters."); ++ efree(old); ++ RETURN_FALSE; ++ } + zend_alter_ini_entry("session.save_path", sizeof("session.save_path"), Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME); + } + +diff -Nurp orig/main/php_variables.c new/main/php_variables.c +--- orig/main/php_variables.c 2007-02-21 09:31:20.000000000 +0100 ++++ new/main/php_variables.c 2007-02-21 09:32:31.000000000 +0100 +@@ -611,8 +611,6 @@ int php_hash_environment(TSRMLS_D) + { + char *p; + unsigned char _gpc_flags[5] = {0, 0, 0, 0, 0}; +- zval *dummy_track_vars_array = NULL; +- zend_bool initialized_dummy_track_vars_array=0; + zend_bool jit_initialization = (PG(auto_globals_jit) && !PG(register_globals) && !PG(register_long_arrays)); + struct auto_global_record { + char *name; +@@ -703,15 +701,9 @@ int php_hash_environment(TSRMLS_D) + continue; + } + if (!PG(http_globals)[i]) { +- if (!initialized_dummy_track_vars_array) { +- ALLOC_ZVAL(dummy_track_vars_array); +- array_init(dummy_track_vars_array); +- INIT_PZVAL(dummy_track_vars_array); +- initialized_dummy_track_vars_array = 1; +- } else { +- dummy_track_vars_array->refcount++; +- } +- PG(http_globals)[i] = dummy_track_vars_array; ++ ALLOC_ZVAL(PG(http_globals)[i]); ++ array_init(PG(http_globals)[i]); ++ INIT_PZVAL(PG(http_globals)[i]); + } + + PG(http_globals)[i]->refcount++; diff --git a/debian/patches/116-CVE-2007-0988.patch b/debian/patches/116-CVE-2007-0988.patch new file mode 100644 index 000000000..be5e6a8e3 --- /dev/null +++ b/debian/patches/116-CVE-2007-0988.patch 
@@ -0,0 +1,23 @@ +diff -Nurp orig/Zend/zend_hash.c new/Zend/zend_hash.c +--- orig/Zend/zend_hash.c 2007-02-21 09:22:11.000000000 +0100 ++++ new/Zend/zend_hash.c 2007-02-21 09:22:48.000000000 +0100 +@@ -141,11 +141,16 @@ ZEND_API int _zend_hash_init(HashTable * + + SET_INCONSISTENT(HT_OK); + +- while ((1U << i) < nSize) { +- i++; ++ if (nSize >= 0x80000000) { ++ /* prevent overflow */ ++ ht->nTableSize = 0x80000000; ++ } else { ++ while ((1U << i) < nSize) { ++ i++; ++ } ++ ht->nTableSize = 1 << i; + } + +- ht->nTableSize = 1 << i; + ht->nTableMask = ht->nTableSize - 1; + ht->pDestructor = pDestructor; + ht->arBuckets = NULL; diff --git a/debian/patches/117-imap-auth-plain.patch b/debian/patches/117-imap-auth-plain.patch new file mode 100644 index 000000000..ed67e84c0 --- /dev/null +++ b/debian/patches/117-imap-auth-plain.patch @@ -0,0 +1,10 @@ +--- old/ext/imap/php_imap.c 2006/11/24 10:28:51 1.208.2.7.2.10 ++++ new/ext/imap/php_imap.c 2006/12/17 18:22:53 1.208.2.7.2.11 +@@ -471,6 +471,7 @@ + #if HAVE_IMAP_KRB && defined(HAVE_IMAP_AUTH_GSS) + auth_link(&auth_gss); /* link in the gss authenticator */ + #endif ++ auth_link(&auth_pla); /* link in the plain authenticator */ + + #ifdef HAVE_IMAP_SSL + ssl_onceonlyinit (); diff --git a/debian/php5-common.README.Debian b/debian/php5-common.README.Debian index ea9d858eb..807922dcb 100644 --- a/debian/php5-common.README.Debian +++ b/debian/php5-common.README.Debian @@ -5,6 +5,7 @@ Table of Contents: * Session storage * Other caveats * php5-cgi and apache/apache2 +* Restarting your web server after installing modules * Configuration layout * Further documentation, errata, etc 
@@ -103,6 +104,17 @@ To use php5-cgi with apache2 Adam Conrad <adconrad@0c3.net> Sat, 04 Sep 2004 23:04:26 -0600 +Restarting your web server after installing modules +--------------------------------------------------------------------- + +Many of the php modules (php5-mysql, for example) require that you +restart your webserver after installation. This currently isn't +done automatically, so changes won't take affect until you run +/etc/init.d/apache2 reload or your webserver's equivalent (some cases +may need to use "restart" instead of "reload" too) + +sean finney <seanius@debian.org> Sat, 09 Dec 2006 12:42:21 +0100 + Configuration Layout --------------------------------------------------------------------- diff --git a/debian/rules b/debian/rules index c01caa7c8..5647aeaed 100755 --- a/debian/rules +++ b/debian/rules @@ -44,6 +44,10 @@ else CFLAGS += -gstabs endif +ifneq (nostrip, $(findstring nostrip, $(DEB_BUILD_OPTIONS))) + install_strip = -s +endif + # Old magic.mime location: ifeq ($(wildcard /usr/share/misc/file/magic.mime), /usr/share/misc/file/magic.mime) MAGIC_MIME = /usr/share/misc/file/magic.mime @@ -92,7 +96,6 @@ COMMON_CONFIG=--build=$(PHP5_BUILD_GNU_TYPE)-gnu \ --enable-sockets \ --enable-wddx \ --with-libxml-dir=/usr \ - --enable-yp \ --with-zlib \ --with-kerberos=/usr \ --with-openssl=/usr \ @@ -382,7 +385,7 @@ install: build mkdir -p debian/php5-$$package$${ext}; \ chrpath debian/libapache2-mod-php5/$${ext}/$$dsoname.so; \ chrpath -d debian/libapache2-mod-php5/$${ext}/$$dsoname.so; \ - install -s -m 644 -o root -g root \ + install ${install_strip} -m 644 -o root -g root \ debian/libapache2-mod-php5/$${ext}/$$dsoname.so \ debian/php5-$$package$${ext}/$$dsoname.so; \ rm debian/libapache2-mod-php5/$${ext}/$$dsoname.so; \ |
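Review bot: the 5.2.0-9 changelog entry (hunk @@ -1,3 +1,57 @@ of debian/changelog) names patches that are not in this commit. It cites 062-CVE-2007-0906-imap.patch, 063-CVE-2007-0906-interbase.patch, 064-CVE-2007-0906-strreplace.patch, 065-CVE-2007-0907.patch and so on, and says the zip, sqlite, stream filter and mail issues "do not affect the debian sarge php4 source package", while the diffstat shows the files actually added are debian/patches/116-CVE-2007-0906_imap.patch, 116-CVE-2007-0906_session.patch, 116-CVE-2007-0906_streams.patch, 116-CVE-2007-0906_string.patch, 116-CVE-2007-0907.patch and the other 116-* files, with no interbase patch at all. The text reads as carried over from the php4 update; it should list the 116-* file names this package ships (the session and streams fixes are included here but the entry never says so). The typos in the 5.2.0-8 entry ("calculatations", "seperately") could be fixed in the same pass.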
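Review bot: in the debian/control hunk @@ -136,12 +136,14 @@, the added php-pear text "to build and install precompiled PECL extensions, you will need one of the php development packages installed" contradicts itself: a development package is needed to build an extension, and a precompiled one is not built. The changelog line it implements says "needing phpN-dev for building PECL extensions", so "to build and install PECL extensions" matches the intent.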
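Review bot: the new #elif branch in 114-zend_alloc.c_m68k_alignment.patch only raises ZEND_MM_ALIGNMENT to 4 when a platform defines it below 4; it does not verify that a platform-supplied ZEND_MM_ALIGNMENT is a power of two or that ZEND_MM_ALIGNMENT_LOG2 agrees with it, and the `#define ZEND_MM_ALIGNMENT_MASK ~(ZEND_MM_ALIGNMENT-1)` in the trailing context is only correct for powers of two. A `#if ZEND_MM_ALIGNMENT & (ZEND_MM_ALIGNMENT - 1)` followed by `#error` would reject a bad definition at compile time instead of producing a wrong mask.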
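Review bot: in 116-CVE-2007-0906_imap.patch, hunk @@ -3266,43 +3266,42 @@ (imap_mail_compose), the new boundary check `strlen(cookie) > (sizeof(tmp) - 2 - 2)` and its warning do not agree with the buffer: tmp became `char tmp[SENDBUFLEN + 1]` with SENDBUFLEN defined as 16385 in the first two hunks, so the limit is about 16 KB, not the "4kb" the message claims, and the message has typos ("boudary", "then" for "than"). The check also budgets only for the leading "--" and the CRLF; the mini-header that rfc822_write_body_header(&t, &part->body) appends into the same tmp through t, followed by strcat(t, CRLF), is not covered by it, so either confirm that the header's maximum size always fits in the remaining space or size the check against the whole per-part output.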
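Review bot: in 116-CVE-2007-0906_imap.patch, hunk @@ -3350,14 +3349,14 @@ (_php_imap_mail), bufferHeader is now allocated with bufferLen + 1 bytes but the unchanged `memset(bufferHeader, 0, bufferLen);` on the next line still clears only bufferLen of them, leaving the final byte uninitialized. strlcat terminates within the size it is given, so this is not a functional problem today, but the memset should become bufferLen + 1 so the two lines agree and no later change can rely on a zero byte that is not there.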
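Review bot: in 116-CVE-2007-0907.patch, the added `header_line_len &&` guard stops the walk below header_line[0], but `isspace(header_line[header_line_len-1])` still passes a plain char; for bytes above 0x7F on platforms where char is signed that is a negative argument, which isspace does not accept. Cast the operand to (unsigned char) on the same line.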
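Review bot: in 116-CVE-2007-0909_odbc.patch, hunk @@ -2097,23 +2097,23 @@ (odbc_sqlconnect), switching to strlcpy/strlcat with CONNSTRSIZE removes the overflow, but every return value is discarded, so a db, uid or pwd long enough to reach CONNSTRSIZE is silently truncated and the driver receives a malformed connection string. Compare each result against CONNSTRSIZE and fail the connect with a warning on truncation rather than proceeding. The initial `strcpy(lpszConnStr, "DSN=");` is left as strcpy; it copies a fixed literal so it is safe, but strlcpy would keep the function uniform.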
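Review bot: in 116-CVE-2007-0910.patch, hunk @@ -432,12 +438,20 @@ (PS_SERIALIZER_DECODE_FUNC(php_binary)), the added `zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp)` runs before this iteration's `name = estrndup(p + 1, namelen);`, so it looks up whatever `name` held from the previous entry (or an indeterminate pointer on the first pass), and the `efree(name); continue;` branch frees that stale pointer and re-enters the loop without advancing p. Move the check to after the estrndup and advance p past the entry before continuing, as the php-serializer hunk in the same file does with `goto skip` followed by `skip: efree(name); p = q;`. Note also that this hunk's context contains the `if (namelen > PS_BIN_MAX || (p + namelen) >= endptr)` line added by 116-CVE-2007-0906_session.patch, so the two patches must keep that application order.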
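Review bot: in 116-CVE-2007-0988.patch, the loop condition uses `(1U << i) < nSize` but the moved assignment keeps `ht->nTableSize = 1 << i;` as a signed shift; for nSize just under the new 0x80000000 cap, i reaches 31 and `1 << 31` overflows a signed int. Use `1U << i` in the assignment as well, and since the cap stores 0x80000000, nTableSize needs to be an unsigned type for that value to fit.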
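Review bot: 117-imap-auth-plain.patch links auth_pla unconditionally, while the gss authenticator directly above it is wrapped in `#if HAVE_IMAP_KRB && defined(HAVE_IMAP_AUTH_GSS)`. If the c-client build lacks the plain authenticator this fails to link, so either guard it with a configure check or state that the c-client Debian builds against always provides it. Since PLAIN transmits credentials with only base64 encoding, a line in README.Debian recommending that users combine it with the /ssl or /tls mailbox flags would be a useful companion to this change.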
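Review bot: in the php5-common.README.Debian hunk @@ -103,6 +104,17 @@, "changes won't take affect" should read "take effect", the sentence ending `"restart" instead of "reload" too)` has no terminating period, and the new heading says "web server" while its body says "webserver"; pick one spelling.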