-rw-r--r-- | NEWS | 16 | ||||
-rwxr-xr-x | configure | 2 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | ext/curl/interface.c | 5 | ||||
-rw-r--r-- | ext/curl/tests/bug68089.phpt | 18 | ||||
-rw-r--r-- | ext/exif/exif.c | 4 | ||||
-rwxr-xr-x | ext/exif/tests/bug68113.jpg | bin | 0 -> 368 bytes | |||
-rw-r--r-- | ext/exif/tests/bug68113.phpt | 17 | ||||
-rw-r--r-- | ext/openssl/tests/bug65729.pem | 42 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug68044.phpt | 12 | ||||
-rw-r--r-- | ext/standard/var_unserializer.c | 4 | ||||
-rw-r--r-- | ext/standard/var_unserializer.re | 2 | ||||
-rw-r--r-- | ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 | ||||
-rw-r--r-- | ext/xmlrpc/tests/bug68027.phpt | 44 | ||||
-rw-r--r-- | main/php_version.h | 6 |
15 files changed, 151 insertions, 36 deletions
@@ -1,5 +1,21 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +16 Oct 2014, PHP 5.6.2 + +- Core: + . Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). + (CVE-2014-3669) (Stas) + +- cURL: + . Fixed bug #68089 (NULL byte injection - cURL lib). (Stas) + +- EXIF: + . Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670) + (Stas) + +- XMLRPC: + . Fixed bug #68027 (Global buffer overflow in mkgmtime() function). + (CVE-2014-3668) (Stas) 02 Oct 2014, PHP 5.6.1 @@ -3665,7 +3665,7 @@ ac_config_headers="$ac_config_headers main/php_config.h" PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=6 -PHP_RELEASE_VERSION=1 +PHP_RELEASE_VERSION=2 PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION` diff --git a/configure.in b/configure.in index d69a55a9f..bc4b81336 100644 --- a/configure.in +++ b/configure.in @@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=6 -PHP_RELEASE_VERSION=1 +PHP_RELEASE_VERSION=2 PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/ext/curl/interface.c b/ext/curl/interface.c index f8b04295d..9bb767624 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -169,6 +169,11 @@ static int php_curl_option_str(php_curl *ch, long option, const char *str, const { CURLcode error = CURLE_OK; + if (strlen(str) != len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)"); + return FAILURE; + } + #if LIBCURL_VERSION_NUM >= 0x071100 if (make_copy) { #endif 
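Review bot: The new guard at the top of php_curl_option_str compares `strlen(str)`, a size_t, directly with `len`, whose type is cut off in the hunk header; if `len` is a signed int the comparison relies on implicit conversion, and `if (len < 0 || strlen(str) != (size_t)len)` would state the intent without it. The check also has no comment saying why it exists; something like `/* libcurl takes C strings: a value with an embedded NUL would be cut short, so the string PHP was given and the string curl acts on would differ */` would help. The warning text does not name the option that was rejected, which makes the log line harder to act on when several options are set on one handle. The rest of the function body is outside the hunk.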
diff --git a/ext/curl/tests/bug68089.phpt b/ext/curl/tests/bug68089.phpt new file mode 100644 index 000000000..3bd588970 --- /dev/null +++ b/ext/curl/tests/bug68089.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68089 (NULL byte injection - cURL lib) +--SKIPIF-- +<?php +include 'skipif.inc'; + +?> +--FILE-- +<?php +$url = "file:///etc/passwd\0http://google.com"; +$ch = curl_init(); +var_dump(curl_setopt($ch, CURLOPT_URL, $url)); +?> +Done +--EXPECTF-- +Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4 +bool(false) +Done diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 0b28f1c26..ab2a50435 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2416,11 +2416,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel data_ptr += 8; break; case TAG_FMT_SINGLE: - memmove(data_ptr, &info_data->value.f, byte_count); + memmove(data_ptr, &info_value->f, 4); data_ptr += 4; break; case TAG_FMT_DOUBLE: - memmove(data_ptr, &info_data->value.d, byte_count); + memmove(data_ptr, &info_value->d, 8); data_ptr += 8; break; } diff --git a/ext/exif/tests/bug68113.jpg b/ext/exif/tests/bug68113.jpg Binary files differnew file mode 100755 index 000000000..3ce7a620f --- /dev/null +++ b/ext/exif/tests/bug68113.jpg diff --git a/ext/exif/tests/bug68113.phpt b/ext/exif/tests/bug68113.phpt new file mode 100644 index 000000000..0fa4c4aca --- /dev/null +++ b/ext/exif/tests/bug68113.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #68113 (Heap corruption in exif_thumbnail()) +--SKIPIF-- +<?php +extension_loaded("exif") or die("skip need exif"); +?> +--FILE-- +<?php +var_dump(exif_thumbnail(__DIR__."/bug68113.jpg")); +?> +Done +--EXPECTF-- +Warning: exif_thumbnail(bug68113.jpg): File structure corrupted in %s/bug68113.php on line 2 + +Warning: exif_thumbnail(bug68113.jpg): Invalid JPEG file in %s/bug68113.php on line 2 +bool(false) +Done
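Review bot: In the TAG_FMT_SINGLE and TAG_FMT_DOUBLE cases of exif_ifd_make_value the copy length is now the bare literals 4 and 8, with nothing to say why `byte_count` must not be used there. A one-line comment above the first memmove, such as `/* copy exactly one element per iteration, never byte_count */`, would keep a later cleanup from reintroducing the heap corruption named in bug #68113 (presumably byte_count covers the whole tag rather than one value). The literals also assume float and double are 4 and 8 bytes on the build target, which matches the existing `data_ptr += 4` and `data_ptr += 8` but is not asserted anywhere visible. The allocation behind data_ptr and the loop that advances info_value are outside the hunk, so their sizing cannot be confirmed from here.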
\ No newline at end of file diff --git a/ext/openssl/tests/bug65729.pem b/ext/openssl/tests/bug65729.pem index dbeed6efd..f0d44a4c7 100644 --- a/ext/openssl/tests/bug65729.pem +++ b/ext/openssl/tests/bug65729.pem 
@@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIICCTCCAXICCQDNMI29sowT7TANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJT +MIICCTCCAXICCQCx2JwIhbRefzANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJT RzESMBAGA1UECBMJVGVzdHZpbGxlMREwDwYDVQQKEwhkYXRpYmJhdzETMBEGA1UE -AxQKKi50ZXN0LmNvbTAeFw0xMzA5MjEwNzUyMjRaFw0xNDA5MjEwNzUyMjRaMEkx +AxQKKi50ZXN0LmNvbTAeFw0xNDA5MjQxMTMzNTRaFw0yNDA5MjExMTMzNTRaMEkx CzAJBgNVBAYTAlNHMRIwEAYDVQQIEwlUZXN0dmlsbGUxETAPBgNVBAoTCGRhdGli YmF3MRMwEQYDVQQDFAoqLnRlc3QuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQCdzVnic8K5W4SVbwVuqezcTjeqVLoQ91vVNZB0Jnsuz6q3DoK03oAd1jTe -Vd0k+MQDbXpHoc37lA4+8z/g5Bs0UXxNx+nkbFTE7Ba2/G24caI9/cOXZPG3UViD -rtqXKL6h5/umqRG9Dt5liF2MVP9XFAesVC7B8+Ca+PbPlQoYzwIDAQABMA0GCSqG -SIb3DQEBBQUAA4GBAAS07u/Ke+EhEHidz6CG3Qcr+zg483JKRgZFyGz+YUKyyKKy -fmLs7JieGJxYQjOmIpj/6X9Gnb2HjIPDnI6A+MV1emXDTnnmsgf2/lZGcthhpZn2 -rMbj9bI0iH6HwOVGtp4ZJA5fB7nj3J+gWNTCQzDDOxwX36d2LL9ua+UMnk/g +iQKBgQDBnR8DYzsN90kISI87kBvw40TQknS7/fuymWCmSrtRQLED8p2QL8PiYCZ8 +UdcFVsv+di7MJvUOzW6dRo2DCu8Rojx3ML8dAtPsQkDdaCXDnOvCTQCAqFmxa1A9 +c5kp0hbzCrucKGckb355A4NumFgX1fjQ705MfjGPgQef1ZtozQIDAQABMA0GCSqG +SIb3DQEBBQUAA4GBAGP07nJo0pI4FdsXuAHWr97XxV4EhHopFMw6svOZ3UtsRzmW +ScmmMdgd3c8ciVxOsztgnzvFq/nrUkw/3n/Xz/gtE7kZt9aS18SnCyyHPJcXmmUE +NsbyZ/7srIqCSrxUkP+N//nToqHxg1pqA/A8RzOOQUAp+UIVF6Zl/kkFNgt8 -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCdzVnic8K5W4SVbwVuqezcTjeqVLoQ91vVNZB0Jnsuz6q3DoK0 -3oAd1jTeVd0k+MQDbXpHoc37lA4+8z/g5Bs0UXxNx+nkbFTE7Ba2/G24caI9/cOX -ZPG3UViDrtqXKL6h5/umqRG9Dt5liF2MVP9XFAesVC7B8+Ca+PbPlQoYzwIDAQAB -AoGAeyzTwKPDl5QMRejHQL57GOwlH1vLcXrjv+VzwHZZKQ0IoKM++5fCQYf29KXp -XPahaluGW2u9sWa8R/7wGcd0Q4RtquGzsgT3+AQsIc5KfIamyOyDaRVM/ymX3fWg -gHIU7OOzB+ihOU8sHyRIwfbk01/kmrBXLRj8E31sy3i3PIECQQDQQYE+aN7Acrdt -yN5CaqvbkiCGjRvASlemiTzPosgOtndyp21w1gakJwKYhYDk1N6A6Qb8REMZqM/U -wFypldV/AkEAwfq6NFuhpGL6hDA7MvlyY1KiZ0cHetPUX+PgdNqy2DA+1Sv4i7gm -Wd/uA651K7aPXuUaf9dKtPCmZwI4M6SEsQJBALW89HTqP7niYoDEEnITdPaghxHk 
-gptERUln6lGo1L1CLus3gSI/JHyMLo+7scgAnEwTD62GRKhX0Ubwt+ymfTECQAY5 -fHYnppU20+EgBxZIqOIFCc8UmWnYmE0Ha/Fz/x8u1SVUBuK84wYpSGL32yyu7ATY -hzQo/W229zABAzqtAdECQQCUdB7IBFpPnsfv/EUBFX7X/7zAc9JpACmu9It5ju8C -KIsMuz/02D+TQoJNjdAngBM+4AJDIaGFgTMIfaDMh5L7 +MIICXgIBAAKBgQDBnR8DYzsN90kISI87kBvw40TQknS7/fuymWCmSrtRQLED8p2Q +L8PiYCZ8UdcFVsv+di7MJvUOzW6dRo2DCu8Rojx3ML8dAtPsQkDdaCXDnOvCTQCA +qFmxa1A9c5kp0hbzCrucKGckb355A4NumFgX1fjQ705MfjGPgQef1ZtozQIDAQAB +AoGADAnkAsbpxh2JKf2xAkgcpKbNAZcJsSLCwsEstEpTSWMXXqJ4T53YtTu7SOGh +2BAkkQbyM/l8JVZ6uUbIx8wnPzqAuB2hEDQHKZVyftDyJh+54Uyz0xV0JdWGWrFh +A+uDt/Zncx2g+qlkQG5J5nHnrd9OAns89wJXpBWA6twlsuECQQD/HC4wxOJzh1XI +YSWHWQulOnlNgZ2zERfmJeRfJ0ncmDOV2ofxOFQ+dMJ36XghPaH52KdxqWI1yQaE +yesx8ygFAkEAwkoF4lBuYdsXucJNDYf8o9MlBvazoriH0y26B/YozJ7iAEFqVvcC +TN+iKDIyiRALwR6a3nzhyFYJ4xyzgSIAKQJBAMnw3seQMsnM6aTS8cgwPr2uifNG +lTT4ZPi0KhEAosFSYhNPh6j1NAq0lnQhhgyaIywJypJ4yNtWpChdRiamGpkCQQDB +iUExPpOmMLwCk7VzrCmS+6pftHIevpi2WU99zMy5f+969665MFb/QqniRpamh/Bd +kGIPDPFQQbyZmqaJFNh5AkEAzy0YVbUT3C/QvstPr5i7ztj7WiW/1zJMamFwY/ZS +1J7e7lqHgRICie5uv1Yvh3w/qmV/7lTLhmlQZd9SJMpXhg== -----END RSA PRIVATE KEY----- diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt new file mode 100644 index 000000000..031e44e14 --- /dev/null +++ b/ext/standard/tests/serialize/bug68044.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #68044 Integer overflow in unserialize() (32-bits only) +--FILE-- +<?php + echo unserialize('C:3:"XYZ":18446744075857035259:{}'); +?> +===DONE== +--EXPECTF-- +Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 + +Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 +===DONE== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index d7cc85367..b06696aaf 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c 
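Review bot: The replacement certificate in bug65729.pem again carries a fixed validity window, so this fixture will lapse a second time. The UTCTime fields in the new base64 decode to 140924113354Z and 240921113354Z, while the old notAfter decodes to 140921075224Z, which is presumably why the file is being replaced in this release. Generating the certificate when the test runs, or recording the expiry date in the .phpt so the eventual failure is recognisable, would avoid a repeat. The private key in this file is test material and should stay confined to the test tree.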
@@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Fri Apr 18 15:07:27 2014 */ +/* Generated by re2c 0.13.5 */ /* +----------------------------------------------------------------------+ | PHP Version 5 | @@ -369,7 +369,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 3a1b91095..ef553ffb5 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -375,7 +375,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index ce70c2afd..b766a5495 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+4]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } tm.tm_mon --; + if(tm.tm_mon < 0 || tm.tm_mon > 11) { + return -1; + } n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+6]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+9]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } 
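Review bot: The rewritten bound in object_custom in var_unserializer.re, `(max - (*p)) <= datalen`, carries no comment explaining why the subtraction form is needed, so it reads like a stylistic variant of the old `(*p) + datalen >= max`. Proposed comment above the `if`: `/* compare against the bytes remaining; (*p) + datalen can wrap on 32-bit builds when datalen is large */`. var_unserializer.c is the re2c output of this file and carries the same change. Any other `(*p) + len` style bounds elsewhere in the file are not visible here and would deserve the same check.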
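Review bot: Only tm_mon gets a range check in date_from_ISO8601; tm_mday in this hunk and tm_hour, tm_min and tm_sec in the three hunks that follow are still accepted for any two digits, so values such as day 99 or hour 77 reach the time conversion. The same kind of guard after each loop would reject them in the parser, for example `if(tm.tm_mday < 1 || tm.tm_mday > 31) { return -1; }` and `if(tm.tm_hour > 23) { return -1; }`. The corrected `XMLRPC_IS_NUMBER(text[i+N])` calls never examine the separator positions 8, 11 and 14, so if text ends at one of those positions the next read is past the terminator. That holds unless a length check exists earlier in the function, which is outside the hunk, and it assumes the macro bails out on a non-digit.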
@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+12]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+15]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt new file mode 100644 index 000000000..a5c96f1cf --- /dev/null +++ b/ext/xmlrpc/tests/bug68027.phpt @@ -0,0 +1,44 @@ +--TEST-- +Bug #68027 (buffer overflow in mkgmtime() function) +--SKIPIF-- +<?php +if (!extension_loaded("xmlrpc")) print "skip"; +?> +--FILE-- +<?php + +$d = '6-01-01 20:00:00'; +xmlrpc_set_type($d, 'datetime'); +var_dump($d); +$datetime = "2001-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); +print_r($obj); + +$datetime = "34770-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); +print_r($obj); + +echo "Done\n"; +?> +--EXPECTF-- +object(stdClass)#1 (3) { + ["scalar"]=> + string(16) "6-01-01 20:00:00" + ["xmlrpc_type"]=> + string(8) "datetime" + ["timestamp"]=> + int(%d) +} +stdClass Object +( + [scalar] => 2001-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %s +) +stdClass Object +( + [scalar] => 34770-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %d +) +Done diff --git a/main/php_version.h b/main/php_version.h index fe6057d58..0ae6fc698 100644 --- a/main/php_version.h +++ b/main/php_version.h 
@@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 6 -#define PHP_RELEASE_VERSION 1 +#define PHP_RELEASE_VERSION 2 #define PHP_EXTRA_VERSION "" -#define PHP_VERSION "5.6.1" -#define PHP_VERSION_ID 50601 +#define PHP_VERSION "5.6.2" +#define PHP_VERSION_ID 50602 |