Pullup ticket #4617 - requested by sevan lang/php54: security patch Revisions pulled up: - lang/php54/Makefile 1.26 - lang/php54/distinfo 1.52 - lang/php54/patches/patch-ext_date_php_date.c 1.1 - lang/php54/patches/patch-ext_date_tests_bug68942_2.phpt 1.1 --- Module Name: pkgsrc Committed By: sevan Date: Wed Feb 18 11:04:04 UTC 2015 Modified Files: pkgsrc/lang/php54: Makefile distinfo Added Files: pkgsrc/lang/php54/patches: patch-ext_date_php_date.c patch-ext_date_tests_bug68942_2.phpt Log Message: Fix CVE-2015-0273 php: #68942 Use after free vulnerability in unserialize() with DateTimeZone Reviewed by wiz@diff -r1.25 -r1.25.4.1 pkgsrc/lang/php54/Makefile
(tron)
@@ -1,19 +1,20 @@ | @@ -1,19 +1,20 @@ | |||
1 | # $NetBSD: Makefile,v 1.25 2014/07/26 00:12:54 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.25.4.1 2015/02/18 18:41:36 tron Exp $ | |
2 | 2 | |||
3 | # | 3 | # | |
4 | # We can't omit PKGNAME here to handle PKG_OPTIONS. | 4 | # We can't omit PKGNAME here to handle PKG_OPTIONS. | |
5 | # | 5 | # | |
6 | PKGNAME= php-${PHP_BASE_VERS} | 6 | PKGNAME= php-${PHP_BASE_VERS} | |
7 | PKGREVISION= 1 | |||
7 | CATEGORIES= lang | 8 | CATEGORIES= lang | |
8 | 9 | |||
9 | HOMEPAGE= http://www.php.net/ | 10 | HOMEPAGE= http://www.php.net/ | |
10 | COMMENT= PHP Hypertext Preprocessor version 5.4 | 11 | COMMENT= PHP Hypertext Preprocessor version 5.4 | |
11 | LICENSE= php | 12 | LICENSE= php | |
12 | 13 | |||
13 | TEST_TARGET= test | 14 | TEST_TARGET= test | |
14 | 15 | |||
15 | USE_TOOLS+= gmake lex pkg-config | 16 | USE_TOOLS+= gmake lex pkg-config | |
16 | LIBTOOL_OVERRIDE= # empty | 17 | LIBTOOL_OVERRIDE= # empty | |
17 | PHP_CHECK_INSTALLED= No | 18 | PHP_CHECK_INSTALLED= No | |
18 | 19 | |||
19 | PHP_VERSIONS_ACCEPTED= 54 | 20 | PHP_VERSIONS_ACCEPTED= 54 |
@@ -1,22 +1,24 @@ | @@ -1,22 +1,24 @@ | |||
1 | $NetBSD: distinfo,v 1.50.2.1 2015/01/27 18:30:15 tron Exp $ | 1 | $NetBSD: distinfo,v 1.50.2.2 2015/02/18 18:41:36 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (php-5.4.37.tar.bz2) = 608e00a730e9674e1a2e2627175e7a27f4add18f | 3 | SHA1 (php-5.4.37.tar.bz2) = 608e00a730e9674e1a2e2627175e7a27f4add18f | |
4 | RMD160 (php-5.4.37.tar.bz2) = 9aa559cd4c4c63701133194b59ccff0f241a2241 | 4 | RMD160 (php-5.4.37.tar.bz2) = 9aa559cd4c4c63701133194b59ccff0f241a2241 | |
5 | Size (php-5.4.37.tar.bz2) = 12275113 bytes | 5 | Size (php-5.4.37.tar.bz2) = 12275113 bytes | |
6 | SHA1 (patch-acinclude.m4) = 71635e5381abf99a9fc9f2537b1c2f18e8096f00 | 6 | SHA1 (patch-acinclude.m4) = 71635e5381abf99a9fc9f2537b1c2f18e8096f00 | |
7 | SHA1 (patch-aclocal.m4) = 699086785fcd3d3834cc6016479dbdae6518e522 | 7 | SHA1 (patch-aclocal.m4) = 699086785fcd3d3834cc6016479dbdae6518e522 | |
8 | SHA1 (patch-build_libtool.m4) = d81527abea3bd97e220f00a5d5296d8b1bfe2659 | 8 | SHA1 (patch-build_libtool.m4) = d81527abea3bd97e220f00a5d5296d8b1bfe2659 | |
9 | SHA1 (patch-configure) = df6209127b1e23d17bc7128da3a44f3e44bbfd48 | 9 | SHA1 (patch-configure) = df6209127b1e23d17bc7128da3a44f3e44bbfd48 | |
10 | SHA1 (patch-ext_date_php_date.c) = e1c6551a422c54c7be7ec16e6d10821f47cb924c | |||
11 | SHA1 (patch-ext_date_tests_bug68942_2.phpt) = 385ed2c3077b5384bff117b97867463c6bdac15e | |||
10 | SHA1 (patch-ext_gd_config.m4) = 2353efe6f25e1081b41d61033c3185cc643c7891 | 12 | SHA1 (patch-ext_gd_config.m4) = 2353efe6f25e1081b41d61033c3185cc643c7891 | |
11 | SHA1 (patch-ext_imap_config.m4) = 01681e8b54ee586ec4db72a5da2d0aec3fa89fcc | 13 | SHA1 (patch-ext_imap_config.m4) = 01681e8b54ee586ec4db72a5da2d0aec3fa89fcc | |
12 | SHA1 (patch-ext_mssql_php__mssql.c) = 732e48b05086180585a3087c2e9737db557dbc3b | 14 | SHA1 (patch-ext_mssql_php__mssql.c) = 732e48b05086180585a3087c2e9737db557dbc3b | |
13 | SHA1 (patch-ext_pdo__mysql_config.m4) = 3526e737da25129710218e7141d5a05ae0a51390 | 15 | SHA1 (patch-ext_pdo__mysql_config.m4) = 3526e737da25129710218e7141d5a05ae0a51390 | |
14 | SHA1 (patch-ext_pdo_config.m4) = 26a4ad02e5c6b7a54c3c54a6d026a3ccfed62c59 | 16 | SHA1 (patch-ext_pdo_config.m4) = 26a4ad02e5c6b7a54c3c54a6d026a3ccfed62c59 | |
15 | SHA1 (patch-ext_phar_Makefile.frag) = 1af23d9135557bc7ba2f3627b317d4cbef37aaba | 17 | SHA1 (patch-ext_phar_Makefile.frag) = 1af23d9135557bc7ba2f3627b317d4cbef37aaba | |
16 | SHA1 (patch-ext_phar_phar_phar.php) = 011f2d68048dbc63f5efcab4e23062daa9e8e08c | 18 | SHA1 (patch-ext_phar_phar_phar.php) = 011f2d68048dbc63f5efcab4e23062daa9e8e08c | |
17 | SHA1 (patch-ext_standard_basic__functions.c) = 563fe67eb78b786cd46195026381ef22128e0841 | 19 | SHA1 (patch-ext_standard_basic__functions.c) = 563fe67eb78b786cd46195026381ef22128e0841 | |
18 | SHA1 (patch-php.ini-development) = 056a74646cbeb0b2bcfc18463348343d817b54bc | 20 | SHA1 (patch-php.ini-development) = 056a74646cbeb0b2bcfc18463348343d817b54bc | |
19 | SHA1 (patch-php.ini-production) = ac61016e18077a0870b8c8c42e89e3848c26d1f2 | 21 | SHA1 (patch-php.ini-production) = ac61016e18077a0870b8c8c42e89e3848c26d1f2 | |
20 | SHA1 (patch-run-tests.php) = ff80b8ad52d7c0a43fa318ed9bffca9d7b3e688d | 22 | SHA1 (patch-run-tests.php) = ff80b8ad52d7c0a43fa318ed9bffca9d7b3e688d | |
21 | SHA1 (patch-sapi_cgi_Makefile.frag) = c271096b8565e89a85b0189c6f503f3fb5cd4b27 | 23 | SHA1 (patch-sapi_cgi_Makefile.frag) = c271096b8565e89a85b0189c6f503f3fb5cd4b27 | |
22 | SHA1 (patch-sapi_fpm_fpm_events_port.c) = ad45bcebadf923ee8cb3f2ad4d78d21dd178a8e3 | 24 | SHA1 (patch-sapi_fpm_fpm_events_port.c) = ad45bcebadf923ee8cb3f2ad4d78d21dd178a8e3 |
$NetBSD: patch-ext_date_php_date.c,v 1.1.2.2 2015/02/18 18:41:36 tron Exp $
Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
--- ext/date/php_date.c.orig 2015-01-20 20:06:02.000000000 +0000
+++ ext/date/php_date.c
@@ -2575,12 +2575,9 @@ static int php_date_initialize_from_hash
timelib_tzinfo *tzi;
php_timezone_obj *tzobj;
- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
- convert_to_string(*z_date);
- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
- convert_to_long(*z_timezone_type);
- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
- convert_to_string(*z_timezone);
+ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
+ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
+ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
switch (Z_LVAL_PP(z_timezone_type)) {
case TIMELIB_ZONETYPE_OFFSET:
@@ -2595,7 +2592,6 @@ static int php_date_initialize_from_hash
case TIMELIB_ZONETYPE_ID: {
int ret;
- convert_to_string(*z_timezone);
tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
$NetBSD: patch-ext_date_tests_bug68942_2.phpt,v 1.1.2.2 2015/02/18 18:41:36 tron Exp $
Test for bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
--- ext/date/tests/bug68942_2.phpt.orig 2015-02-18 01:43:49.000000000 +0000
+++ ext/date/tests/bug68942_2.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
+--FILE--
+<?php
+$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
+var_dump($data);
+?>
+--EXPECTF--
+Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d