Wed Feb 18 18:41:36 2015 UTC ()

Pullup ticket #4617 - requested by sevan
lang/php54: security patch

Revisions pulled up:
- lang/php54/Makefile                                           1.26
- lang/php54/distinfo                                           1.52
- lang/php54/patches/patch-ext_date_php_date.c                  1.1
- lang/php54/patches/patch-ext_date_tests_bug68942_2.phpt       1.1

---
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Wed Feb 18 11:04:04 UTC 2015

   Modified Files:
           pkgsrc/lang/php54: Makefile distinfo
   Added Files:
           pkgsrc/lang/php54/patches: patch-ext_date_php_date.c
               patch-ext_date_tests_bug68942_2.phpt

   Log Message:
   Fix CVE-2015-0273 php: #68942 Use after free vulnerability in
   unserialize() with DateTimeZone

   Reviewed by wiz@


(tron)

diff -r1.25 -r1.25.4.1 pkgsrc/lang/php54/Makefile
diff -r1.50.2.1 -r1.50.2.2 pkgsrc/lang/php54/distinfo
diff -r0 -r1.1.2.2 pkgsrc/lang/php54/patches/patch-ext_date_php_date.c
diff -r0 -r1.1.2.2 pkgsrc/lang/php54/patches/patch-ext_date_tests_bug68942_2.phpt

--- pkgsrc/lang/php54/Attic/Makefile 2014/07/26 00:12:54 1.25
+++ pkgsrc/lang/php54/Attic/Makefile 2015/02/18 18:41:36 1.25.4.1

 @@ -1,19 +1,20 @@
-# $NetBSD: Makefile,v 1.25 2014/07/26 00:12:54 taca Exp $
+# $NetBSD: Makefile,v 1.25.4.1 2015/02/18 18:41:36 tron Exp $
+#
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
+#
 PKGNAME=		php-${PHP_BASE_VERS}
 PKGREVISION=		1
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5.4
 LICENSE=		php
 TEST_TARGET=		test
 USE_TOOLS+=		gmake lex pkg-config
 LIBTOOL_OVERRIDE=	# empty
 PHP_CHECK_INSTALLED=	No
 PHP_VERSIONS_ACCEPTED=		54

--- pkgsrc/lang/php54/Attic/distinfo 2015/01/27 18:30:15 1.50.2.1
+++ pkgsrc/lang/php54/Attic/distinfo 2015/02/18 18:41:36 1.50.2.2

 @@ -1,22 +1,24 @@
-$NetBSD: distinfo,v 1.50.2.1 2015/01/27 18:30:15 tron Exp $
+$NetBSD: distinfo,v 1.50.2.2 2015/02/18 18:41:36 tron Exp $
 SHA1 (php-5.4.37.tar.bz2) = 608e00a730e9674e1a2e2627175e7a27f4add18f
 RMD160 (php-5.4.37.tar.bz2) = 9aa559cd4c4c63701133194b59ccff0f241a2241
 Size (php-5.4.37.tar.bz2) = 12275113 bytes
 SHA1 (patch-acinclude.m4) = 71635e5381abf99a9fc9f2537b1c2f18e8096f00
 SHA1 (patch-aclocal.m4) = 699086785fcd3d3834cc6016479dbdae6518e522
 SHA1 (patch-build_libtool.m4) = d81527abea3bd97e220f00a5d5296d8b1bfe2659
 SHA1 (patch-configure) = df6209127b1e23d17bc7128da3a44f3e44bbfd48
 SHA1 (patch-ext_date_php_date.c) = e1c6551a422c54c7be7ec16e6d10821f47cb924c
 SHA1 (patch-ext_date_tests_bug68942_2.phpt) = 385ed2c3077b5384bff117b97867463c6bdac15e
 SHA1 (patch-ext_gd_config.m4) = 2353efe6f25e1081b41d61033c3185cc643c7891
 SHA1 (patch-ext_imap_config.m4) = 01681e8b54ee586ec4db72a5da2d0aec3fa89fcc
 SHA1 (patch-ext_mssql_php__mssql.c) = 732e48b05086180585a3087c2e9737db557dbc3b
 SHA1 (patch-ext_pdo__mysql_config.m4) = 3526e737da25129710218e7141d5a05ae0a51390
 SHA1 (patch-ext_pdo_config.m4) = 26a4ad02e5c6b7a54c3c54a6d026a3ccfed62c59
 SHA1 (patch-ext_phar_Makefile.frag) = 1af23d9135557bc7ba2f3627b317d4cbef37aaba
 SHA1 (patch-ext_phar_phar_phar.php) = 011f2d68048dbc63f5efcab4e23062daa9e8e08c
 SHA1 (patch-ext_standard_basic__functions.c) = 563fe67eb78b786cd46195026381ef22128e0841
 SHA1 (patch-php.ini-development) = 056a74646cbeb0b2bcfc18463348343d817b54bc
 SHA1 (patch-php.ini-production) = ac61016e18077a0870b8c8c42e89e3848c26d1f2
 SHA1 (patch-run-tests.php) = ff80b8ad52d7c0a43fa318ed9bffca9d7b3e688d
 SHA1 (patch-sapi_cgi_Makefile.frag) = c271096b8565e89a85b0189c6f503f3fb5cd4b27
 SHA1 (patch-sapi_fpm_fpm_events_port.c) = ad45bcebadf923ee8cb3f2ad4d78d21dd178a8e3

$NetBSD: patch-ext_date_php_date.c,v 1.1.2.2 2015/02/18 18:41:36 tron Exp $

Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)

--- ext/date/php_date.c.orig	2015-01-20 20:06:02.000000000 +0000
+++ ext/date/php_date.c
@@ -2575,12 +2575,9 @@ static int php_date_initialize_from_hash
 	timelib_tzinfo   *tzi;
 	php_timezone_obj *tzobj;
 
-	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
-		convert_to_string(*z_date);
-		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
-			convert_to_long(*z_timezone_type);
-			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
-				convert_to_string(*z_timezone);
+	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
+		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
+			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
 
 				switch (Z_LVAL_PP(z_timezone_type)) {
 					case TIMELIB_ZONETYPE_OFFSET:
@@ -2595,7 +2592,6 @@ static int php_date_initialize_from_hash
 
 					case TIMELIB_ZONETYPE_ID: {
 						int ret;
-						convert_to_string(*z_timezone);
 
 						tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);

$NetBSD: patch-ext_date_tests_bug68942_2.phpt,v 1.1.2.2 2015/02/18 18:41:36 tron Exp $

Test for bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)

--- ext/date/tests/bug68942_2.phpt.orig	2015-02-18 01:43:49.000000000 +0000
+++ ext/date/tests/bug68942_2.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
+--FILE--
+<?php
+$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
+var_dump($data);
+?>
+--EXPECTF--
+Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d