Bug#706848: pu: package php5/5.4.4-16
Package: release.debian.org
Followup-For: Bug #706848
User: release.debian.org@packages.debian.org
Usertags: pu
Hello Adam,
version number changed to -14+deb7u1 (and merged changelogs for -15
and -16 releases).
$ diffstat php5_5.4.4-14+deb7u1.debdiff
debian/patches/CVE-2013-1643.patch | 135 ------------------
debian/patches/CVE-2013-1824.patch | 142 +++++++++++++++++++
debian/patches/fix-crash-in-garbage-collection.patch | 35 ++++
debian/patches/fix-dropping-connections-in-FPM.patch | 46 ++++++
debian/patches/libmagic-vision-fix.patch | 11 +
debian/patches/pdo_dblib.patch | 29 +++
php5-5.4.4/debian/changelog | 13 +
php5-5.4.4/debian/patches/series | 6
8 files changed, 281 insertions(+), 136 deletions(-)
And debdiff attached, sorry for to forgotting to attach it, I had it
already prepared, but somehow I didn't attach it.
O.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,16 @@
+php5 (5.4.4-14+deb7u1) unstable; urgency=low
+
+ * Pull upstream fix for FPM drops connection while receiving some binary
+ values in FastCGI requests (Closes: #703056)
+ * Fix crash in garbage collection (patch courtesy of Michal Cihar)
+ (Closes: #706082)
+ * Update libmagic detection of MS Office documents (Closes: #703504)
+ * Fix mssql connector to work with Azure SQL (Closes: #702079)
+ * [CVE-2013-1824]: CVE-2013-1643 was incomplete fix; this pulls full
+ upstream patch (5.4.4-14 already had all the relevant security parts)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 06 May 2013 18:15:49 +0200
+
php5 (5.4.4-14) unstable; urgency=high
* [CVE-2013-1635] Fixed external entity loading
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -81 +81,5 @@
-CVE-2013-1643.patch
+CVE-2013-1824.patch
+fix-dropping-connections-in-FPM.patch
+fix-crash-in-garbage-collection.patch
+libmagic-vision-fix.patch
+pdo_dblib.patch
reverted:
--- php5-5.4.4/debian/patches/CVE-2013-1643.patch
+++ php5-5.4.4.orig/debian/patches/CVE-2013-1643.patch
@@ -1,135 +0,0 @@
---- a/ext/libxml/libxml.c
-+++ b/ext/libxml/libxml.c
-@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml)
- libxml_globals->error_buffer.c = NULL;
- libxml_globals->error_list = NULL;
- libxml_globals->entity_loader.fci.size = 0;
-+ libxml_globals->entity_loader_disabled = 0;
- }
-
- static void _php_libxml_destroy_fci(zend_fcall_info *fci)
-@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v
- }
-
- static xmlParserInputBufferPtr
--php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc)
--{
-- return NULL;
--}
--
--static xmlParserInputBufferPtr
- php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc)
- {
- xmlParserInputBufferPtr ret;
- void *context = NULL;
-+ TSRMLS_FETCH();
-+
-+ if (LIBXML(entity_loader_disabled)) {
-+ return NULL;
-+ }
-
- if (URI == NULL)
- return(NULL);
-@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors)
- }
- /* }}} */
-
-+PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC)
-+{
-+ zend_bool old = LIBXML(entity_loader_disabled);
-+
-+ LIBXML(entity_loader_disabled) = disable;
-+ return old;
-+}
-+
- /* {{{ proto bool libxml_disable_entity_loader([boolean disable])
- Disable/Enable ability to load external entities */
- static PHP_FUNCTION(libxml_disable_entity_loader)
- {
- zend_bool disable = 1;
-- xmlParserInputBufferCreateFilenameFunc old;
-
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) {
- return;
- }
-
-- if (disable == 0) {
-- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename);
-- } else {
-- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload);
-- }
--
-- if (old == php_libxml_input_buffer_noload) {
-- RETURN_TRUE;
-- }
--
-- RETURN_FALSE;
-+ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC));
- }
- /* }}} */
-
---- a/ext/libxml/php_libxml.h
-+++ b/ext/libxml/php_libxml.h
-@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml)
- zend_fcall_info fci;
- zend_fcall_info_cache fcc;
- } entity_loader;
-+ zend_bool entity_loader_disabled;
- ZEND_END_MODULE_GLOBALS(libxml)
-
- typedef struct _libxml_doc_props {
-@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error
- PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s);
- PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC);
- PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC);
-+PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC);
-
- /* Init/shutdown functions*/
- PHP_LIBXML_API void php_libxml_initialize(void);
---- a/ext/soap/php_xml.c
-+++ b/ext/soap/php_xml.c
-@@ -20,6 +20,7 @@
- /* $Id$ */
-
- #include "php_soap.h"
-+#include "ext/libxml/php_libxml.h"
- #include "libxml/parser.h"
- #include "libxml/parserInternals.h"
-
-@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char *
- ctxt = xmlCreateFileParserCtxt(filename);
- PG(allow_url_fopen) = old_allow_url_fopen;
- if (ctxt) {
-+ zend_bool old;
-+
- ctxt->keepBlanks = 0;
- ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
- ctxt->sax->comment = soap_Comment;
- ctxt->sax->warning = NULL;
- ctxt->sax->error = NULL;
- /*ctxt->sax->fatalError = NULL;*/
-+ old = php_libxml_disable_entity_loader(1);
- xmlParseDocument(ctxt);
-+ php_libxml_disable_entity_loader(old);
- if (ctxt->wellFormed) {
- ret = ctxt->myDoc;
- if (ret->URL == NULL && ctxt->directory != NULL) {
-@@ -133,6 +138,8 @@ xmlDocPtr soap_xmlParseMemory(const void
- */
- ctxt = xmlCreateMemoryParserCtxt(buf, buf_size);
- if (ctxt) {
-+ zend_bool old;
-+
- ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
- ctxt->sax->comment = soap_Comment;
- ctxt->sax->warning = NULL;
-@@ -141,7 +148,9 @@ xmlDocPtr soap_xmlParseMemory(const void
- #if LIBXML_VERSION >= 20703
- ctxt->options |= XML_PARSE_HUGE;
- #endif
-+ old = php_libxml_disable_entity_loader(1);
- xmlParseDocument(ctxt);
-+ php_libxml_disable_entity_loader(old);
- if (ctxt->wellFormed) {
- ret = ctxt->myDoc;
- if (ret->URL == NULL && ctxt->directory != NULL) {
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/fix-dropping-connections-in-FPM.patch
+++ php5-5.4.4/debian/patches/fix-dropping-connections-in-FPM.patch
@@ -0,0 +1,46 @@
+X-Git-Url: http://git.php.net/?p=php-src.git;a=blobdiff_plain;f=sapi%2Ffpm%2Ffpm%2Ffastcgi.c;h=9df26f11cdb497108850d4b5ad42089d8129312b;hp=212b6ff1db5221e7540f23f4c58ed02deae9822a;hb=60cca8b9c9b879295dbf1f76e305882e347dcb53;hpb=e052da3a6bc353636fa4bf9cb488573c50adf9a0
+
+--- a/sapi/fpm/fpm/fastcgi.c
++++ b/sapi/fpm/fpm/fastcgi.c
+@@ -399,7 +399,7 @@ static inline int fcgi_param_get_eff_len
+ {
+ int ret = 1;
+ int zero_found = 0;
+- *eff_len = 0;
++ *eff_len = 0;
+ for (; p != end; ++p) {
+ if (*p == '\0') {
+ zero_found = 1;
+@@ -427,7 +427,7 @@ static int fcgi_get_params(fcgi_request
+ char *tmp = buf;
+ size_t buf_size = sizeof(buf);
+ int name_len, val_len;
+- uint eff_name_len, eff_val_len;
++ uint eff_name_len;
+ char *s;
+ int ret = 1;
+ size_t bytes_consumed;
+@@ -453,8 +453,12 @@ static int fcgi_get_params(fcgi_request
+ ret = 0;
+ break;
+ }
+- if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len) ||
+- !fcgi_param_get_eff_len(p+name_len, p+name_len+val_len, &eff_val_len)) {
++
++ /*
++ * get the effective length of the name in case it's not a valid string
++ * don't do this on the value because it can be binary data
++ */
++ if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len)){
+ /* Malicious request */
+ ret = 0;
+ break;
+@@ -473,7 +477,7 @@ static int fcgi_get_params(fcgi_request
+ }
+ memcpy(tmp, p, eff_name_len);
+ tmp[eff_name_len] = 0;
+- s = estrndup((char*)p + name_len, eff_val_len);
++ s = estrndup((char*)p + name_len, val_len);
+ if (s == NULL) {
+ ret = 0;
+ break;
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/libmagic-vision-fix.patch
+++ php5-5.4.4/debian/patches/libmagic-vision-fix.patch
@@ -0,0 +1,11 @@
+--- a/ext/fileinfo/libmagic/readcdf.c
++++ b/ext/fileinfo/libmagic/readcdf.c
+@@ -295,7 +295,7 @@ file_trycdf(struct magic_set *ms, int fd
+ d = &dir.dir_tab[j];
+ for (k = 0; k < sizeof(name); k++)
+ name[k] = (char)cdf_tole2(d->d_name[k]);
+- if (strstr(name, "WordDocument") == 0) {
++ if (strstr(name, "WordDocument") != 0) {
+ str = "msword";
+ break;
+ }
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/CVE-2013-1824.patch
+++ php5-5.4.4/debian/patches/CVE-2013-1824.patch
@@ -0,0 +1,142 @@
+--- a/ext/soap/php_xml.c
++++ b/ext/soap/php_xml.c
+@@ -20,6 +20,7 @@
+ /* $Id$ */
+
+ #include "php_soap.h"
++#include "ext/libxml/php_libxml.h"
+ #include "libxml/parser.h"
+ #include "libxml/parserInternals.h"
+
+@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char *
+ ctxt = xmlCreateFileParserCtxt(filename);
+ PG(allow_url_fopen) = old_allow_url_fopen;
+ if (ctxt) {
++ zend_bool old;
++
+ ctxt->keepBlanks = 0;
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+ ctxt->sax->warning = NULL;
+ ctxt->sax->error = NULL;
+ /*ctxt->sax->fatalError = NULL;*/
++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC);
+ xmlParseDocument(ctxt);
++ php_libxml_disable_entity_loader(old TSRMLS_CC);
+ if (ctxt->wellFormed) {
+ ret = ctxt->myDoc;
+ if (ret->URL == NULL && ctxt->directory != NULL) {
+@@ -128,11 +133,15 @@ xmlDocPtr soap_xmlParseMemory(const void
+ xmlParserCtxtPtr ctxt = NULL;
+ xmlDocPtr ret;
+
++ TSRMLS_FETCH();
++
+ /*
+ xmlInitParser();
+ */
+ ctxt = xmlCreateMemoryParserCtxt(buf, buf_size);
+ if (ctxt) {
++ zend_bool old;
++
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+ ctxt->sax->warning = NULL;
+@@ -141,7 +150,9 @@ xmlDocPtr soap_xmlParseMemory(const void
+ #if LIBXML_VERSION >= 20703
+ ctxt->options |= XML_PARSE_HUGE;
+ #endif
++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC);
+ xmlParseDocument(ctxt);
++ php_libxml_disable_entity_loader(old TSRMLS_CC);
+ if (ctxt->wellFormed) {
+ ret = ctxt->myDoc;
+ if (ret->URL == NULL && ctxt->directory != NULL) {
+--- a/ext/libxml/libxml.c
++++ b/ext/libxml/libxml.c
+@@ -270,6 +270,7 @@ static PHP_GINIT_FUNCTION(libxml)
+ libxml_globals->error_buffer.c = NULL;
+ libxml_globals->error_list = NULL;
+ libxml_globals->entity_loader.fci.size = 0;
++ libxml_globals->entity_loader_disabled = 0;
+ }
+
+ static void _php_libxml_destroy_fci(zend_fcall_info *fci)
+@@ -369,16 +370,15 @@ static int php_libxml_streams_IO_close(v
+ }
+
+ static xmlParserInputBufferPtr
+-php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc)
+-{
+- return NULL;
+-}
+-
+-static xmlParserInputBufferPtr
+ php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc)
+ {
+ xmlParserInputBufferPtr ret;
+ void *context = NULL;
++ TSRMLS_FETCH();
++
++ if (LIBXML(entity_loader_disabled)) {
++ return NULL;
++ }
+
+ if (URI == NULL)
+ return(NULL);
+@@ -1052,28 +1052,25 @@ static PHP_FUNCTION(libxml_clear_errors)
+ }
+ /* }}} */
+
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC)
++{
++ zend_bool old = LIBXML(entity_loader_disabled);
++
++ LIBXML(entity_loader_disabled) = disable;
++ return old;
++}
++
+ /* {{{ proto bool libxml_disable_entity_loader([boolean disable])
+ Disable/Enable ability to load external entities */
+ static PHP_FUNCTION(libxml_disable_entity_loader)
+ {
+ zend_bool disable = 1;
+- xmlParserInputBufferCreateFilenameFunc old;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) {
+ return;
+ }
+
+- if (disable == 0) {
+- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename);
+- } else {
+- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload);
+- }
+-
+- if (old == php_libxml_input_buffer_noload) {
+- RETURN_TRUE;
+- }
+-
+- RETURN_FALSE;
++ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC));
+ }
+ /* }}} */
+
+--- a/ext/libxml/php_libxml.h
++++ b/ext/libxml/php_libxml.h
+@@ -47,6 +47,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml)
+ zend_fcall_info fci;
+ zend_fcall_info_cache fcc;
+ } entity_loader;
++ zend_bool entity_loader_disabled;
+ ZEND_END_MODULE_GLOBALS(libxml)
+
+ typedef struct _libxml_doc_props {
+@@ -97,6 +98,7 @@ PHP_LIBXML_API void php_libxml_ctx_error
+ PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s);
+ PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC);
+ PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC);
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC);
+
+ /* Init/shutdown functions*/
+ PHP_LIBXML_API void php_libxml_initialize(void);
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/fix-crash-in-garbage-collection.patch
+++ php5-5.4.4/debian/patches/fix-crash-in-garbage-collection.patch
@@ -0,0 +1,35 @@
+--- a/Zend/zend_gc.c
++++ b/Zend/zend_gc.c
+@@ -644,7 +644,8 @@ tail_call:
+ struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj;
+
+ if (obj->buffered == (gc_root_buffer*)GC_WHITE) {
+- GC_SET_BLACK(obj->buffered);
++ /* PURPLE instead of BLACK to prevent buffering in nested gc calls */
++ GC_SET_PURPLE(obj->buffered);
+
+ if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid &&
+ (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) {
+@@ -715,7 +716,8 @@ static void zobj_collect_white(zval *pz
+ struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj;
+
+ if (obj->buffered == (gc_root_buffer*)GC_WHITE) {
+- GC_SET_BLACK(obj->buffered);
++ /* PURPLE instead of BLACK to prevent buffering in nested gc calls */
++ GC_SET_PURPLE(obj->buffered);
+
+ if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid &&
+ (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) {
+--- a/ext/pcre/php_pcre.c
++++ b/ext/pcre/php_pcre.c
+@@ -547,8 +547,9 @@ PHPAPI void php_pcre_match_impl(pcre_cac
+
+ /* Overwrite the passed-in value for subpatterns with an empty array. */
+ if (subpats != NULL) {
+- zval_dtor(subpats);
++ zval garbage = *subpats;
+ array_init(subpats);
++ zval_dtor(&garbage);
+ }
+
+ subpats_order = global ? PREG_PATTERN_ORDER : 0;
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/pdo_dblib.patch
+++ php5-5.4.4/debian/patches/pdo_dblib.patch
@@ -0,0 +1,29 @@
+Use the DBSETLDBNAME macro to set the dbname in the db-lib LOGINREC.
+That sets the dbname in the login packet, obviating the need for "USE
+dbname" and allowing pdo_dblib to work with Azure's SQL.
+
+--- a/ext/pdo_dblib/dblib_driver.c
++++ b/ext/pdo_dblib/dblib_driver.c
+@@ -288,6 +288,9 @@ static int pdo_dblib_handle_factory(pdo_
+ if (dbh->password) {
+ DBSETLPWD(H->login, dbh->password);
+ }
++ if (vars[3].optval) {
++ DBSETLDBNAME(H->login, vars[3].optval);
++ }
+
+ #if !PHP_DBLIB_IS_MSSQL
+ if (vars[0].optval) {
+@@ -317,11 +320,8 @@ static int pdo_dblib_handle_factory(pdo_
+ DBSETOPT(H->link, DBTEXTSIZE, "2147483647");
+
+ /* allow double quoted indentifiers */
+- DBSETOPT(H->link, DBQUOTEDIDENT, 1);
++ DBSETOPT(H->link, DBQUOTEDIDENT, "1");
+
+- if (vars[3].optval && FAIL == dbuse(H->link, vars[3].optval)) {
+- goto cleanup;
+- }
+
+ ret = 1;
+ dbh->max_escaped_char_length = 2;
Reply to: