
Bug#725246: pu: package php5/5.4.4-14+deb7u5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

this is yet another round of php5 stable updates, and it introduces
three fixes for crashes and memory corruption when using traits,
and one fix for an annoying warning when using sessions.

  * Fix zend_mm_heap corrupted when using traits (Closes: #719507)
  * Fix inheritance with Traits failing with error (Closes: #721127)
  * Fix segfault when using traits a lot (Closes: #721336)
  * Don't reset mod_user_is_open in destroy (Closes: #722222)
    + Removes an annoying warning when using sessions

Full description from our git changelog with references to upstream bugs:

commit b0601db355914872ea4a8d2dd36bda603e20850c
Author: William Dauchy <william@gandi.net>
Date:   Tue Sep 10 20:14:22 2013 +0200

    upstream fix: Don't reset mod_user_is_open in destroy
    
    6566ea6
    Fix #63379 - Don't reset mod_user_is_open in destroy
    
    It removes an annoying warning when using session_regenerate_id with a SessionHandler
    PHP Warning:  Unknown: Parent session handler is not open in Unknown on line 0
    
    Closes: #722222

commit d04ff04b801bb1b4c15f558e3f9634bde0013c19
Author: William Dauchy <william@gandi.net>
Date:   Tue Oct 1 15:27:18 2013 +0200

    upstream fix: Segfault when using traits a lot
    
    6d1bebf
    Fixed bug #62358 (Segfault when using traits a lot)
    d39aa98
    Refix #62358, previous has side-affect
    6c0508f
    Fixed bug #62907 (Double free when use traits)
    
    Closes: #721336

commit 8d1ba951d046f5ea25f37377700b978c276a11c3
Author: William Dauchy <william@gandi.net>
Date:   Tue Sep 10 20:08:36 2013 +0200

    upstream fix: Inheritance with Traits failed with error
    
    42437dd
    Fixed bug #64070 (Inheritance with Traits failed with error)
    
    Closes: #721127

commit 6987eb272ea3fdf438362eb452a346d4e449aa0e
Author: William Dauchy <william@gandi.net>
Date:   Tue Sep 10 20:04:56 2013 +0200

    upstream fix: zend_mm_heap corrupted with traits
    
    74228c5:
    Fixed bug #63305 (zend_mm_heap corrupted with traits)
    
    Closes: #719507

The patches are small, contained to the area where there's the fix and
were pulled directly from upstream git.

diffstat:

$ diffstat php5_5.4.4-14+deb7u5.debdiff
 debian/patches/Dont-reset-mod_user_is_open-in-destroy.patch    |  146 +++++++++
 debian/patches/Inheritance-with-Traits-failed-with-error.patch |  102 ++++++
 debian/patches/Segfault-when-using-traits-a-lot.patch          |  159 ++++++++++
 debian/patches/zend_mm_heap-corrupted-with-traits.patch        |   84 +++++
 php5-5.4.4/debian/changelog                                    |   15 
 php5-5.4.4/debian/control                                      |    3 
 php5-5.4.4/debian/patches/series                               |    4 
 7 files changed, 512 insertions(+), 1 deletion(-)

Full debdiff attached to this email.

Kudos go to William, who has prepared this update.

Thanks,
Ondrej

diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,18 @@
+php5 (5.4.4-14+deb7u5) stable; urgency=low
+
+  [ William Dauchy ]
+  * Fix zend_mm_heap corrupted when using traits (Closes: #719507)
+  * Fix inheritance with Traits failing with error (Closes: #721127)
+  * Fix segfault when using traits a lot (Closes: #721336)
+  * Don't reset mod_user_is_open in destroy (Closes: #722222)
+    + Removes an annoying warning when using sessions
+  * Add myself to maintainers
+
+  [ OndÅ?ej Surý ]
+  * Upload to stable-proposed-updates
+
+ -- OndÅ?ej Surý <ondrej@debian.org>  Wed, 02 Oct 2013 12:47:02 +0200
+
 php5 (5.4.4-14+deb7u4) stable; urgency=low
 
   * [CVE-2013-4248]: Fix handling of certs with NULL bytes (Closes: #719765)
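Review bot: The four fix entries under [ William Dauchy ] cite only the Debian bug numbers; the upstream PHP bug ids listed in the request (#63305, #64070, #62358 with #62907, and #63379) are missing, so a reader of the changelog cannot map an entry to its upstream fix without opening the patch file. Suggest adding them to each entry, for example "(PHP bug #63305; Closes: #719507)".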
diff -u php5-5.4.4/debian/control php5-5.4.4/debian/control
--- php5-5.4.4/debian/control
+++ php5-5.4.4/debian/control
@@ -5,7 +5,8 @@
 Uploaders: OndÅ?ej Surý <ondrej@debian.org>,
 	   Sean Finney <seanius@debian.org>,
 	   Thijs Kinkhorst <thijs@debian.org>,
-	   Lior Kaplan <kaplan@debian.org>
+	   Lior Kaplan <kaplan@debian.org>,
+	   William Dauchy <wdauchy@gmail.com>
 Build-Depends: apache2-prefork-dev,
 	       autoconf (>= 2.63),
 	       automake (>= 1.11) | automake1.11,
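Review bot: The added Uploaders line is a packaging metadata change, not one of the four fixes, and the summary at the top of the request does not list it even though the changelog does ("Add myself to maintainers"). Mention it in the request so the release team sees everything the upload contains, and word the changelog entry as "Add myself to Uploaders", since that is the field this hunk edits.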
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -89,0 +90,4 @@
+zend_mm_heap-corrupted-with-traits.patch
+Inheritance-with-Traits-failed-with-error.patch
+Segfault-when-using-traits-a-lot.patch
+Dont-reset-mod_user_is_open-in-destroy.patch
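Review bot: The order of the added lines puts zend_mm_heap-corrupted-with-traits.patch first, but that patch writes "aliases[i]->modifiers | ZEND_ACC_ALIAS" in Zend/zend_compile.c while the "#define ZEND_ACC_ALIAS" only arrives with the Zend/zend_compile.h hunk of Segfault-when-using-traits-a-lot.patch, which is applied third. With only the first one or two patches applied the tree refers to an undefined macro, and the order also differs from the upstream commit dates in the patch headers (Segfault in Aug/Sep 2012, zend_mm_heap in Oct 2012, Inheritance in Feb 2013). Either list the patches in upstream order and refresh their context, or state in the patch headers that the three trait patches must be applied as a set.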
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/zend_mm_heap-corrupted-with-traits.patch
+++ php5-5.4.4/debian/patches/zend_mm_heap-corrupted-with-traits.patch
@@ -0,0 +1,84 @@
+commit 74228c515197c8a3bda878a077d30c9b14482eb2
+Author: Xinchen Hui <laruence@php.net>
+Date:   Tue Oct 23 11:34:25 2012 +0800
+
+    Fixed bug #63305 (zend_mm_heap corrupted with traits)
+
+--- a/NEWS
++++ b/NEWS
+@@ -915,6 +915,9 @@
+   . Fixed bug #60150 (Integer overflow during the parsing of invalid exif
+     header). (CVE-2011-4566) (Stas, flolechaud at gmail dot com)
+ 
++- Core:
++  . Fixed bug #63305 (zend_mm_heap corrupted with traits). (Dmitry, Laruence)
++
+ - Fileinfo:
+   . Fixed bug #60094 (C++ comment fails in c89). (Laruence)
+   . Fixed possible memory leak in finfo_open(). (Felipe)
+--- /dev/null
++++ b/Zend/tests/bug63305.phpt
+@@ -0,0 +1,43 @@
++--TEST--
++Bug #63305 (zend_mm_heap corrupted with traits)
++--FILE--
++<?php
++new Attachment("");
++
++function __autoload($class) {
++    switch ($class) {
++    case "Attachment":
++        eval(<<<'PHP'
++class Attachment extends File {
++}
++PHP
++    );
++        break;
++    case "File":
++        eval(<<<'PHP'
++class File {
++    use TDatabaseObject {
++        TDatabaseObject::__construct as private databaseObjectConstruct;
++    }
++    public function __construct() {
++    }
++}
++PHP
++    );
++        break;
++    case "TDatabaseObject":
++        eval(<<<'PHP'
++trait TDatabaseObject {
++    public function __construct() {
++    }
++}
++PHP
++    );
++        break;
++    }
++    return TRUE;
++}
++echo "okey";
++?>
++--EXPECT--
++okey
+--- a/Zend/zend_compile.c
++++ b/Zend/zend_compile.c
+@@ -3877,7 +3877,7 @@
+ 					
+ 				/* if it is 0, no modifieres has been changed */
+ 				if (aliases[i]->modifiers) { 
+-					fn_copy.common.fn_flags = aliases[i]->modifiers;
++					fn_copy.common.fn_flags = aliases[i]->modifiers | ZEND_ACC_ALIAS;
+ 					if (!(aliases[i]->modifiers & ZEND_ACC_PPP_MASK)) {
+ 						fn_copy.common.fn_flags |= ZEND_ACC_PUBLIC;
+ 					}
+@@ -3917,7 +3917,7 @@
+ 					&& (!aliases[i]->trait_method->ce || fn->common.scope == aliases[i]->trait_method->ce)
+ 					&& (aliases[i]->trait_method->mname_len == fnname_len)
+ 					&& (zend_binary_strcasecmp(aliases[i]->trait_method->method_name, aliases[i]->trait_method->mname_len, fn->common.function_name, fnname_len) == 0)) {
+-					fn_copy.common.fn_flags = aliases[i]->modifiers;
++					fn_copy.common.fn_flags = aliases[i]->modifiers | ZEND_ACC_ALIAS;
+ 
+ 					if (!(aliases[i]->modifiers & ZEND_ACC_PPP_MASK)) {
+ 						fn_copy.common.fn_flags |= ZEND_ACC_PUBLIC;
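Review bot: The header at the top of this new patch file is only the upstream git log entry; it has no DEP-3 fields, so the origin and the Debian bug are recorded nowhere but debian/changelog. Suggest adding "Origin: upstream, commit 74228c515197c8a3bda878a077d30c9b14482eb2" and "Bug-Debian: https://bugs.debian.org/719507" above the first "---" line; the same applies to the other three new patch files.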
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/Dont-reset-mod_user_is_open-in-destroy.patch
+++ php5-5.4.4/debian/patches/Dont-reset-mod_user_is_open-in-destroy.patch
@@ -0,0 +1,146 @@
+commit 6566ea61732a1ab42c1a57e60adc96788cb0feb2
+Author: Arpad Ray <arraypad@gmail.com>
+Date:   Thu Dec 13 23:51:43 2012 +0000
+
+    Fix #63379 - Don't reset mod_user_is_open in destroy
+    
+    The parent handler is still open so the reset here was in error.
+
+diff --git a/ext/session/mod_user_class.c b/ext/session/mod_user_class.c
+index 70d2f40..4edac28 100644
+--- a/ext/session/mod_user_class.c
++++ b/ext/session/mod_user_class.c
+@@ -121,7 +121,6 @@ PHP_METHOD(SessionHandler, destroy)
+ 		return;
+ 	}
+ 	
+-	PS(mod_user_is_open) = 0;
+ 	RETVAL_BOOL(SUCCESS == PS(default_mod)->s_destroy(&PS(mod_data), key TSRMLS_CC));
+ }
+ /* }}} */
+diff --git a/ext/session/tests/bug63379.phpt b/ext/session/tests/bug63379.phpt
+new file mode 100644
+index 0000000..8094182
+--- /dev/null
++++ b/ext/session/tests/bug63379.phpt
+@@ -0,0 +1,57 @@
++--TEST--
++Bug #63379: Warning when using session_regenerate_id(TRUE) with a SessionHandler
++--INI--
++session.save_handler=files
++session.name=PHPSESSID
++--SKIPIF--
++<?php include('skipif.inc'); ?>
++--FILE--
++<?php
++
++ob_start();
++
++$handler = new SessionHandler;
++session_set_save_handler($handler);
++
++session_start();
++
++$_SESSION['foo'] = 'hello';
++var_dump($_SESSION);
++
++session_regenerate_id(true);
++
++echo "*** Regenerated ***\n";
++var_dump($_SESSION);
++
++$_SESSION['bar'] = 'world';
++
++var_dump($_SESSION);
++
++session_write_close();
++session_unset();
++
++session_start();
++var_dump($_SESSION);
++
++--EXPECTF--
++array(1) {
++  ["foo"]=>
++  string(5) "hello"
++}
++*** Regenerated ***
++array(1) {
++  ["foo"]=>
++  string(5) "hello"
++}
++array(2) {
++  ["foo"]=>
++  string(5) "hello"
++  ["bar"]=>
++  string(5) "world"
++}
++array(2) {
++  ["foo"]=>
++  string(5) "hello"
++  ["bar"]=>
++  string(5) "world"
++}
+diff --git a/ext/session/tests/bug63379_nodestroy.phpt b/ext/session/tests/bug63379_nodestroy.phpt
+new file mode 100644
+index 0000000..03a9ae7
+--- /dev/null
++++ b/ext/session/tests/bug63379_nodestroy.phpt
+@@ -0,0 +1,57 @@
++--TEST--
++Bug #63379: Warning when using session_regenerate_id(TRUE) with a SessionHandler
++--INI--
++session.save_handler=files
++session.name=PHPSESSID
++--SKIPIF--
++<?php include('skipif.inc'); ?>
++--FILE--
++<?php
++
++ob_start();
++
++$handler = new SessionHandler;
++session_set_save_handler($handler);
++
++session_start();
++
++$_SESSION['foo'] = 'hello';
++var_dump($_SESSION);
++
++session_regenerate_id(false);
++
++echo "*** Regenerated ***\n";
++var_dump($_SESSION);
++
++$_SESSION['bar'] = 'world';
++
++var_dump($_SESSION);
++
++session_write_close();
++session_unset();
++
++session_start();
++var_dump($_SESSION);
++
++--EXPECTF--
++array(1) {
++  ["foo"]=>
++  string(5) "hello"
++}
++*** Regenerated ***
++array(1) {
++  ["foo"]=>
++  string(5) "hello"
++}
++array(2) {
++  ["foo"]=>
++  string(5) "hello"
++  ["bar"]=>
++  string(5) "world"
++}
++array(2) {
++  ["foo"]=>
++  string(5) "hello"
++  ["bar"]=>
++  string(5) "world"
++}
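Review bot: Both new tests carry the same --TEST-- title, "Bug #63379: Warning when using session_regenerate_id(TRUE) with a SessionHandler", although bug63379_nodestroy.phpt calls session_regenerate_id(false). A failure report shows the title, so the two cases are hard to tell apart; if the patch is ever refreshed rather than taken verbatim from upstream, give the nodestroy test a title that names the FALSE case.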
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/Segfault-when-using-traits-a-lot.patch
+++ php5-5.4.4/debian/patches/Segfault-when-using-traits-a-lot.patch
@@ -0,0 +1,159 @@
+commit 6d1bebfcb0ad746cd0410d403a3812853a2cd457
+Author: Xinchen Hui <laruence@php.net>
+Date:   Thu Aug 23 15:41:49 2012 +0800
+
+    Fixed bug #62358 (Segfault when using traits a lot)
+
+commit d39aa984ad3ef79a8fc3db0cf8dc525a0738a7bc
+Author: Xinchen Hui <laruence@php.net>
+Date:   Thu Aug 23 16:06:17 2012 +0800
+
+    Refix #62358, previous has side-affect
+
+commit 6c0508f8d5d5a62adb37a76bc682c94540199ee3
+Author: Dmitry Stogov <dmitry@zend.com>
+Date:   Wed Sep 5 09:58:22 2012 +0400
+
+    Fixed bug #62907 (Double free when use traits)
+
+--- a/NEWS
++++ b/NEWS
+@@ -42,6 +42,8 @@
+   . Fixed bug #54197 ([PATH=] sections incompatibility with user_ini.filename
+     set to null). (Anatoliy)
+   . Changed php://fd to be available only for CLI.
++  . Fixed bug #62358 (Segfault when using traits a lot). (Laruence)
++  . Fixed bug #62907 (Double free when use traits). (Dmitry)
+ 
+ - CURL:
+   . Fixed bug #61948 (CURLOPT_COOKIEFILE '' raises open_basedir restriction).
+@@ -55,6 +57,9 @@
+   . Fixed handling null bytes in subjectAltName (CVE-2013-4073). 
+     (Christian Heimes)
+ 
++- Installation:
++  . Fixed bug #62460 (php binaries installed as binary.dSYM). (Reeze Xia)
++
+ - PDO:
+   . Fixed bug #61755 (A parsing bug in the prepared statements can lead to
+     access violations). (Johannes)
+--- /dev/null
++++ b/Zend/tests/bug62358.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #62358 (Segfault when using traits a lot)
++--SKIPIF--
++<?php
++if (getenv("USE_ZEND_ALLOC") !== "0") {
++    die("skip Need Zend MM enabled");
++}
++?>
++--FILE--
++<?php 
++
++trait T {
++    public function foo() {
++        echo "from T";
++    }
++}
++
++interface I {
++    public function foo();
++}
++
++abstract class A implements I{
++    use T;
++}
++
++class B extends A {
++   public function foo($var) {
++   } 
++}
++?>
++--EXPECTF--
++Strict Standards: Declaration of B::foo() should be compatible with A::foo() in %sbug62358.php on line %d
+--- a/Zend/zend_compile.c
++++ b/Zend/zend_compile.c
+@@ -3801,9 +3801,12 @@
+ 		if (prototype) {
+ 			do_inheritance_check_on_method(fn, prototype TSRMLS_CC);
+ 		}
++
+ 		/* one more thing: make sure we properly implement an abstract method */
+ 		if (existing_fn && existing_fn->common.fn_flags & ZEND_ACC_ABSTRACT) {
++            prototype = fn->common.prototype;
+ 			do_inheritance_check_on_method(fn, existing_fn TSRMLS_CC);
++            fn->common.prototype = prototype;
+ 		}
+ 
+ 		/* delete inherited fn if the function to be added is not abstract */
+@@ -3870,10 +3873,10 @@
+ 				&& (zend_binary_strcasecmp(aliases[i]->trait_method->method_name, aliases[i]->trait_method->mname_len, hash_key->arKey, fnname_len) == 0)) {
+ 				fn_copy = *fn;
+ 				function_add_ref(&fn_copy);
+-				/* this function_name is never destroyed, because its refcount
+-				   greater than 1 and classes are always destoyed before the
+-				   traits they use */
++				/* this function_name is never destroyed, because ZEND_ACC_ALIAS
++				   flag is set */
+ 				fn_copy.common.function_name = aliases[i]->alias;
++				fn_copy.common.fn_flags |= ZEND_ACC_ALIAS;
+ 					
+ 				/* if it is 0, no modifieres has been changed */
+ 				if (aliases[i]->modifiers) { 
+@@ -3906,6 +3909,7 @@
+ 		/* is not in hashtable, thus, function is not to be excluded */
+ 		fn_copy = *fn;
+ 		function_add_ref(&fn_copy);
++		fn_copy.common.fn_flags |= ZEND_ACC_ALIAS;
+ 
+ 		/* apply aliases which are not qualified by a class name, or which have not
+ 		 * alias name, just setting visibility */
+--- a/Zend/zend_compile.h
++++ b/Zend/zend_compile.h
+@@ -207,6 +207,8 @@
+ #define ZEND_ACC_RETURN_REFERENCE		0x4000000
+ #define ZEND_ACC_DONE_PASS_TWO			0x8000000
+ 
++#define ZEND_ACC_ALIAS					0x10000000
++
+ char *zend_visibility_string(zend_uint fn_flags);
+ 
+ 
+--- a/Zend/zend_opcode.c
++++ b/Zend/zend_opcode.c
+@@ -267,6 +267,15 @@
+ 	}
+ }
+ 
++static int zend_clear_trait_method_name(zend_op_array *op_array TSRMLS_DC)
++{
++	if (op_array->function_name && (op_array->fn_flags & ZEND_ACC_ALIAS) == 0) {
++		efree(op_array->function_name);
++		op_array->function_name = NULL;
++	}
++	return 0;
++}
++
+ ZEND_API void destroy_zend_class(zend_class_entry **pce)
+ {
+ 	zend_class_entry *ce = *pce;
+@@ -298,6 +307,9 @@
+ 			}
+ 			zend_hash_destroy(&ce->properties_info);
+ 			str_efree(ce->name);
++			if ((ce->ce_flags & ZEND_ACC_TRAIT) == ZEND_ACC_TRAIT) {
++				zend_hash_apply(&ce->function_table, (apply_func_t)zend_clear_trait_method_name TSRMLS_CC);
++			}
+ 			zend_hash_destroy(&ce->function_table);
+ 			zend_hash_destroy(&ce->constants_table);
+ 			if (ce->num_interfaces > 0 && ce->interfaces) {
+@@ -387,7 +399,7 @@
+ 	}
+ 	efree(op_array->opcodes);
+ 
+-	if (op_array->function_name) {
++	if (op_array->function_name && (op_array->fn_flags & ZEND_ACC_ALIAS) == 0) {
+ 		efree((char*)op_array->function_name);
+ 	}
+ 	if (op_array->doc_comment) {
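Review bot: The second NEWS hunk (@@ -55,6 +57,9 @@) adds an "Installation" entry for bug #62460 (php binaries installed as binary.dSYM), which is not one of the three commits named in the patch header and has no corresponding code change anywhere in this file. Drop that hunk so NEWS does not claim a fix this upload does not carry.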
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/Inheritance-with-Traits-failed-with-error.patch
+++ php5-5.4.4/debian/patches/Inheritance-with-Traits-failed-with-error.patch
@@ -0,0 +1,102 @@
+commit 42437dd870de28eee6c9127f4c7e7c78ba8e0152
+Author: Dmitry Stogov <dmitry@zend.com>
+Date:   Mon Feb 18 16:07:51 2013 +0400
+
+    Fixed bug #64070 (Inheritance with Traits failed with error)
+
+--- a/NEWS
++++ b/NEWS
+@@ -135,6 +135,7 @@
+   . Fixed bug #52719 (array_walk_recursive crashes if third param of the
+     function is by reference). (Nikita Popov)
+   . Improve performance of set_exception_handler while doing reset (Laruence)
++  . Fixed bug #64070 (Inheritance with Traits failed with error). (Dmitry)
+ 
+ - fileinfo:
+   . Fix fileinfo test problems. (Anatoliy Belsky)
+--- /dev/null
++++ b/Zend/tests/traits/bug64070.phpt
+@@ -0,0 +1,36 @@
++--TEST--
++Bug #64070 (Inheritance with Traits failed with error)
++--FILE--
++<?php
++trait first_trait
++{
++    function first_function()
++    {
++        echo "From First Trait\n";
++    }
++}
++
++trait second_trait
++{
++    use first_trait {
++        first_trait::first_function as second_function;
++    }
++
++    function first_function()
++    {
++        echo "From Second Trait\n";
++    }
++}
++
++class first_class
++{
++    use second_trait;
++}
++
++$obj = new first_class();
++$obj->first_function();
++$obj->second_function();
++?>
++--EXPECT--
++From Second Trait
++From First Trait
+--- a/Zend/zend_compile.c
++++ b/Zend/zend_compile.c
+@@ -3858,7 +3858,7 @@
+ 	aliases       = va_arg(args, zend_trait_alias**);
+ 	exclude_table = va_arg(args, HashTable*);
+ 
+-	fnname_len = strlen(fn->common.function_name);
++	fnname_len = hash_key->nKeyLength - 1;
+ 
+ 	/* apply aliases which are qualified with a class name, there should not be any ambiguity */
+ 	if (aliases) {
+@@ -3867,7 +3867,7 @@
+ 			if (aliases[i]->alias != NULL
+ 				&& (!aliases[i]->trait_method->ce || fn->common.scope == aliases[i]->trait_method->ce)
+ 				&& aliases[i]->trait_method->mname_len == fnname_len
+-				&& (zend_binary_strcasecmp(aliases[i]->trait_method->method_name, aliases[i]->trait_method->mname_len, fn->common.function_name, fnname_len) == 0)) {
++				&& (zend_binary_strcasecmp(aliases[i]->trait_method->method_name, aliases[i]->trait_method->mname_len, hash_key->arKey, fnname_len) == 0)) {
+ 				fn_copy = *fn;
+ 				function_add_ref(&fn_copy);
+ 				/* this function_name is never destroyed, because its refcount
+@@ -3900,7 +3900,7 @@
+ 		}
+ 	}
+ 
+-	lcname = zend_str_tolower_dup(fn->common.function_name, fnname_len);
++	lcname = hash_key->arKey;
+ 
+ 	if (exclude_table == NULL || zend_hash_find(exclude_table, lcname, fnname_len, &dummy) == FAILURE) {
+ 		/* is not in hashtable, thus, function is not to be excluded */
+@@ -3916,7 +3916,7 @@
+ 				if (aliases[i]->alias == NULL && aliases[i]->modifiers != 0
+ 					&& (!aliases[i]->trait_method->ce || fn->common.scope == aliases[i]->trait_method->ce)
+ 					&& (aliases[i]->trait_method->mname_len == fnname_len)
+-					&& (zend_binary_strcasecmp(aliases[i]->trait_method->method_name, aliases[i]->trait_method->mname_len, fn->common.function_name, fnname_len) == 0)) {
++					&& (zend_binary_strcasecmp(aliases[i]->trait_method->method_name, aliases[i]->trait_method->mname_len, lcname, fnname_len) == 0)) {
+ 					fn_copy.common.fn_flags = aliases[i]->modifiers | ZEND_ACC_ALIAS;
+ 
+ 					if (!(aliases[i]->modifiers & ZEND_ACC_PPP_MASK)) {
+@@ -3938,8 +3938,6 @@
+ 		}
+ 	}
+ 
+-	efree(lcname);
+-
+ 	return ZEND_HASH_APPLY_KEEP;
+ }
+ /* }}} */
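Review bot: In the Zend/zend_compile.c hunk at @@ -3900,7, lcname stops being a private copy from zend_str_tolower_dup() and becomes an alias of hash_key->arKey, and the first hunk derives fnname_len from "hash_key->nKeyLength - 1" with no comment on why that is safe. Both rely on the entry having a string key that is already the lower-cased method name, and the removal of efree(lcname) in the last hunk is only correct together with this change. A one-line comment at the assignment saying that the key is owned by the hash table and must not be freed would keep a later refresh or backport from reintroducing the free.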

