Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: pu -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi release team, William was so kind to prepare another batch of *upstream* fixes (pulled from upstream git) Here's changelog (the PHP#xxx added by me): [ William Dauchy ] * upstream fix: $env can be destructively changed. (PHP#60602 fixed in 5.4.27/5.5.11) * upstream fix: copy() arginfo incorrect since 5.4 (PHP#66509 fixed in 5.4.25/5.5.9) * upstream fix: Out of memory on command stream_get_contents (PHP#61019 fixed in 5.4.28/5.512 * upstream fix: stream_socket_server() creates wrong Abstract Namespace UNIX sockets (PHP#64330 fixed in 5.4.28/5.5.12) * upstream fix: exit in stream filter produces segfault (PHP#66182 fixed in 5.4.28/5.5.12) * upstream fix: fpassthru broken (PHP#66736 fixed in 5.4.28/5.5.12) * upstream fix: Incorrect object comparison with inheritance (PHP#66286 fixed in 5.4.25) * upstream fix: openssl_seal() memory leak (PHP#66942 fixed in 5.5.12) * upstream fix: Segfault in mysqli_stmt::bind_result() when link closed (PHP# fixed in 5.4.28/5.5.11) * upstream fix: Segmentation fault after memory_limit (PHP#66283 fixed in 5.4.25) E.g. we already have the fixes in testing (5.5.12+dfsg-2) Here's the diffstat: $ diffstat php5_5.4.4-14+deb7u10.debdiff debian/patches/Incorrect-object-comparison-with-inheritance.patch | 53 +++ debian/patches/Out-of-memory-on-command-stream_get_contents.patch | 100 ++++++ debian/patches/Segfault-in-mysqli_stmt-bind_result-when-link-closed.patch | 77 +++++ debian/patches/Segmentation-fault-after-memory_limit.patch | 37 ++ debian/patches/copy-arginfo-incorrect-since-54.patch | 39 ++ debian/patches/exit-in-stream-filter-produces-segfault.patch | 22 + debian/patches/fpassthru-broken.patch | 57 +++ debian/patches/openssl_seal-memory-leak.patch | 86 ++++++ debian/patches/proc_open-separate-environment-values-that-arent-strings.patch | 143 ++++++++++ debian/patches/stream_socket_server-creates-wrong-Abstract-Namespace-UNIX-sockets.patch | 43 +++ php5-5.4.4/debian/changelog | 16 + php5-5.4.4/debian/patches/series | 10 12 files changed, 683 insertions(+) Here's more verbose diff from our git: - --cut here-- commit 4a40977740fae9f1d34a40788deec3f511488cf9 Author: Ondřej Surý <ondrej@sury.org> Date: Tue May 27 13:44:43 2014 +0200 prepare 5.4.4-14+deb7u10 release commit 88691aa77dbf7776d52b2da0238c37305a801a45 Author: William Dauchy <william@gandi.net> Date: Fri May 16 08:13:10 2014 +0200 upstream fix: Segmentation fault after memory_limit see upstream bug https://bugs.php.net/66283 Fix bug #66283 (Segmentation fault after memory_limit) commit e446a930eb58ac3a8032f15e78bc5d3cdc433d03 Author: William Dauchy <william@gandi.net> Date: Fri May 16 08:08:18 2014 +0200 upstream fix: Segfault in mysqli_stmt::bind_result() when link closed see https://bugs.php.net/66762 for details Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed commit d11a7129feb265f3294c68e4bb67ff09d28f7f4b Author: William Dauchy <william@gandi.net> Date: Fri May 16 08:04:30 2014 +0200 upstream fix: openssl_seal() memory leak see upstream bug https://bugs.php.net/66942 for details Fix #66942: openssl_seal() memory leak commit 15a2fe5b39ea1dd57e04bfee30b832bac448551a Author: William Dauchy <william@gandi.net> Date: Fri May 16 07:37:48 2014 +0200 upstream fix: Incorrect object comparison with inheritance see upstream bug https://bugs.php.net/66286 7e8e21d Fix bug #66286: Incorrect object comparison with inheritance commit 8147cf0199f551ae08349cff3dd490d9983379a6 Author: William Dauchy <william@gandi.net> Date: Fri May 16 07:29:01 2014 +0200 upstream fix: fpassthru broken see upstream bug https://bugs.php.net/66736 d08b4db Fix Bug #66736 fpassthru broken commit 9ff44b6877e7e2dc6157d64c9282ce378a5aa30e Author: William Dauchy <william@gandi.net> Date: Thu May 15 22:51:16 2014 +0200 upstream fix: exit in stream filter produces segfault see upstream bug https://bugs.php.net/66182 for details 7ab5c59 Fix bug #66182 exit in stream filter produces segfault commit bacc5dc59e7cf954c643cafe30905e460bb7cdf2 Author: William Dauchy <william@gandi.net> Date: Thu May 15 22:38:15 2014 +0200 upstream fix: stream_socket_server() creates wrong Abstract Namespace UNIX sockets see upstream bug for details https://bugs.php.net/64330 91a9d24 stream_socket_server() creates wrong Abstract Namespace UNIX sockets commit 7989b1d53d526da0c9655f5d8950ab4a9fc9bb06 Author: William Dauchy <william@gandi.net> Date: Thu May 15 22:25:09 2014 +0200 upstream fix: Out of memory on command stream_get_contents fixing upstream bug https://bugs.php.net/61019 1ec83d4 Fixed bug #61019 (Out of memory on command stream_get_contents) commit 6ff0b2950c39e3b014b02de1c645c89d16bfb724 Author: William Dauchy <william@gandi.net> Date: Mon Apr 28 11:58:42 2014 +0200 upstream fix: copy() arginfo incorrect since 5.4 see https://bugs.php.net/66509 for the upstream bug 5b906ce Fix bug #66509: copy() arginfo incorrect since 5.4 commit 5125e28f1275d22dad1ec2d909ac90a6a7fc2f27 Author: William Dauchy <william@gandi.net> Date: Mon Apr 28 11:25:20 2014 +0200 upstream fix: $env can be destructively changed. see upstream bug for details: https://bugs.php.net/60602 upstream fix: e73c05b proc_open(): separate environment values that aren't strings - --cut here-- And the full .debdiff is attached. Ondrej - -- System Information: Debian Release: 7.5 APT prefers stable APT policy: (900, 'stable'), (800, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJThIV9AAoJEAyZtw70/LsH42QP/2jHGYz4+Q8HNjzzpJMfbz1G j1HEgaRbi7WrIHcK2OE0tivfeyli90CnOzuAZlw+Aha4KxJHgLgMBsVq7yaz58o2 FFTcfFk99K35w0qV9P46UOL6NhlNGaeDI2Jp19wpzoxV6Gguy6E5EvPJjQwEic7P yIiC7of54Qz66VGTecms00V2gX7QBsC92DnXnGNXUm+exr7hN3Za+zaP1I4VqyB/ /hRLvKF4CN29JiehN6uVY+Ny+CL2CrZQqbxWw7unfXvkzmhoW2P8ZB6IGNs4ITvT eYURCplWvSiOfBKDmo7X4iYpkrqTYkHNHP2NK5Z49DyaZpaCpOVGKaqGNmMnGxaB w3ZR8kz7o+kygR8IYon64CIt03CZyuecjhC+FrCQnHIJPTgSETpRUNQ0BFPQs/cq VYuMauU2gYconkosTNxSe4T8QNoUzPMW3mCOYFMYgWBp6iaqO8tZkU0XzmA6toL5 K+Pd+k1PA6A7b0FbRBp0cHQIdJPTMghAI/3uHQs6OIS42DUAR0drS1+aRnHVKdKh 7JPKc8Cmey90kDTMdGzK95LXx80VzayE0GKZbdNuYtUsrLPShLG5mUAi2qew/90v BCLNzW0DCSrPDVpJxKc79o3XAFdzLrKT3zTu4AG1bv1HDaxJjW9Ib5EJkaeyrPXE YQ4cYJzY7PBQNf34A00u =/bx8 -----END PGP SIGNATURE-----
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog --- php5-5.4.4/debian/changelog +++ php5-5.4.4/debian/changelog @@ -1,3 +1,19 @@ +php5 (5.4.4-14+deb7u10) stable; urgency=medium + + [ William Dauchy ] + * upstream fix: $env can be destructively changed. + * upstream fix: copy() arginfo incorrect since 5.4 + * upstream fix: Out of memory on command stream_get_contents + * upstream fix: stream_socket_server() creates wrong Abstract Namespace UNIX sockets + * upstream fix: exit in stream filter produces segfault + * upstream fix: fpassthru broken + * upstream fix: Incorrect object comparison with inheritance + * upstream fix: openssl_seal() memory leak + * upstream fix: Segfault in mysqli_stmt::bind_result() when link closed + * upstream fix: Segmentation fault after memory_limit + + -- Ondřej Surý <ondrej@debian.org> Tue, 27 May 2014 13:44:18 +0200 + php5 (5.4.4-14+deb7u9) stable; urgency=low [ William Dauchy ] diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series --- php5-5.4.4/debian/patches/series +++ php5-5.4.4/debian/patches/series @@ -141,0 +142,10 @@ +proc_open-separate-environment-values-that-arent-strings.patch +copy-arginfo-incorrect-since-54.patch +Out-of-memory-on-command-stream_get_contents.patch +stream_socket_server-creates-wrong-Abstract-Namespace-UNIX-sockets.patch +exit-in-stream-filter-produces-segfault.patch +fpassthru-broken.patch +Incorrect-object-comparison-with-inheritance.patch +openssl_seal-memory-leak.patch +Segfault-in-mysqli_stmt-bind_result-when-link-closed.patch +Segmentation-fault-after-memory_limit.patch only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/Segfault-in-mysqli_stmt-bind_result-when-link-closed.patch +++ php5-5.4.4/debian/patches/Segfault-in-mysqli_stmt-bind_result-when-link-closed.patch @@ -0,0 +1,77 @@ +commit 9137acc7ecdf1542fe6fda5056a0273359682735 +Author: Remi Collet <remi@php.net> +Date: Thu Feb 27 08:45:16 2014 +0100 + + Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed + + Each new mysqli_stmt now increase the refcount of the link object. + So the link is really destroy after all statements. + + Only implemented with libmysqlclient, as mysqlnd already implement + this internally. + + So, libmysqlclient and mysqlnd have the same behavior. + +--- a/ext/mysqli/mysqli.c ++++ b/ext/mysqli/mysqli.c +@@ -176,8 +176,11 @@ + php_free_stmt_bind_buffer(stmt->param, FETCH_SIMPLE); + /* Clean output bind */ + php_free_stmt_bind_buffer(stmt->result, FETCH_RESULT); +-#endif + ++ if (stmt->link_handle) { ++ zend_objects_store_del_ref_by_handle(stmt->link_handle TSRMLS_CC); ++ } ++#endif + if (stmt->query) { + efree(stmt->query); + } +@@ -1052,6 +1055,10 @@ + efree(stmt); + RETURN_FALSE; + } ++#ifndef MYSQLI_USE_MYSQLND ++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link); ++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC); ++#endif + + mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE)); + mysqli_resource->ptr = (void *)stmt; +--- a/ext/mysqli/mysqli_api.c ++++ b/ext/mysqli/mysqli_api.c +@@ -1837,6 +1837,10 @@ + efree(stmt); + RETURN_FALSE; + } ++#ifndef MYSQLI_USE_MYSQLND ++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link); ++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC); ++#endif + + mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE)); + mysqli_resource->ptr = (void *)stmt; +@@ -2365,6 +2369,10 @@ + efree(stmt); + RETURN_FALSE; + } ++#ifndef MYSQLI_USE_MYSQLND ++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link); ++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC); ++#endif + + mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE)); + mysqli_resource->status = MYSQLI_STATUS_INITIALIZED; +--- a/ext/mysqli/php_mysqli_structs.h ++++ b/ext/mysqli/php_mysqli_structs.h +@@ -116,6 +116,10 @@ + BIND_BUFFER param; + BIND_BUFFER result; + char *query; ++#ifndef MYSQLI_USE_MYSQLND ++ /* used to manage refcount with libmysql (already implement in mysqlnd) */ ++ zend_object_handle link_handle; ++#endif + } MY_STMT; + + typedef struct { only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/stream_socket_server-creates-wrong-Abstract-Namespace-UNIX-sockets.patch +++ php5-5.4.4/debian/patches/stream_socket_server-creates-wrong-Abstract-Namespace-UNIX-sockets.patch @@ -0,0 +1,43 @@ +commit 91a9d24aa30507e6c7d8937db2de24394f0ce121 +Author: Michael Wallner <mike@php.net> +Date: Wed Apr 2 11:09:26 2014 +0200 + + Fix bug #64330 + + stream_socket_server() creates wrong Abstract Namespace UNIX sockets + +--- /dev/null ++++ b/ext/standard/tests/network/bug64330.phpt +@@ -0,0 +1,20 @@ ++--TEST-- ++Bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets) ++--SKIPIF-- ++<?php ++if (!in_array("unix", stream_get_transports())) die("SKIP unix domain sockets unavailable"); ++?> ++--FILE-- ++<?php ++echo "Test\n"; ++$server = stream_socket_server("unix://\x00/MyBindName"); ++$client = stream_socket_client("unix://\x00/MyBindName"); ++if ($client) { ++ echo "ok\n"; ++} ++?> ++===DONE=== ++--EXPECT-- ++Test ++ok ++===DONE=== +--- a/main/streams/xp_socket.c ++++ b/main/streams/xp_socket.c +@@ -588,7 +588,8 @@ + + parse_unix_address(xparam, &unix_addr TSRMLS_CC); + +- return bind(sock->socket, (struct sockaddr *)&unix_addr, sizeof(unix_addr)); ++ return bind(sock->socket, (const struct sockaddr *)&unix_addr, ++ (socklen_t) XtOffsetOf(struct sockaddr_un, sun_path) + xparam->inputs.namelen); + } + #endif + only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/Incorrect-object-comparison-with-inheritance.patch +++ php5-5.4.4/debian/patches/Incorrect-object-comparison-with-inheritance.patch @@ -0,0 +1,53 @@ +commit 7e8e21df0c9aa39278e994b05540b69920201b32 +Author: Nikita Popov <nikic@php.net> +Date: Sat Jan 4 01:22:14 2014 +0100 + + Fix bug #66286: Incorrect object comparison with inheritance + + std_compare_objects immidiately returned 0 if the property tables + of both objects contain NULL at some index. Thus it would report + objects as equal even though properties following after that + differ. + +--- /dev/null ++++ b/Zend/tests/bug66286.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #66286: Incorrect object comparison with inheritance ++--FILE-- ++<?php ++ ++abstract class first { ++ protected $someArray = array(); ++} ++ ++class second extends first { ++ protected $someArray = array(); ++ protected $someValue = null; ++ ++ public function __construct($someValue) { ++ $this->someValue = $someValue; ++ } ++} ++ ++$objFirst = new second('123'); ++$objSecond = new second('321'); ++ ++var_dump ($objFirst == $objSecond); ++ ++?> ++--EXPECT-- ++bool(false) +--- a/Zend/zend_object_handlers.c ++++ b/Zend/zend_object_handlers.c +@@ -1376,10 +1376,6 @@ + Z_OBJ_UNPROTECT_RECURSION(o1); + Z_OBJ_UNPROTECT_RECURSION(o2); + return 1; +- } else { +- Z_OBJ_UNPROTECT_RECURSION(o1); +- Z_OBJ_UNPROTECT_RECURSION(o2); +- return 0; + } + } + } only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/Segmentation-fault-after-memory_limit.patch +++ php5-5.4.4/debian/patches/Segmentation-fault-after-memory_limit.patch @@ -0,0 +1,37 @@ +commit 2311ba7d3ff08d27bd7d4b87b51a0f96c5d62d12 +Author: Johannes Schlüter <johannes@php.net> +Date: Tue Jan 21 16:28:30 2014 +0100 + + Fix bug #66283 (Segmentation fault after memory_limit) + + There are situations where mysqlnd dupliates zvals while freeing result + sets. If the memory_limit is reached during this operation the engine + will bailout. This patch makes sure that a later attempt (during + RSHIUTDOWN) won't cause a double free, instead we rely on the engine to + free emalloc()ed memory after bailout. + +--- a/ext/mysqlnd/mysqlnd_result.c ++++ b/ext/mysqlnd/mysqlnd_result.c +@@ -198,9 +198,11 @@ + if (set->data) { + unsigned int copy_on_write_performed = 0; + unsigned int copy_on_write_saved = 0; ++ zval **data = set->data; ++ set->data = NULL; /* prevent double free if following loop is interrupted */ + + for (row = set->row_count - 1; row >= 0; row--) { +- zval **current_row = set->data + row * field_count; ++ zval **current_row = data + row * field_count; + MYSQLND_MEMORY_POOL_CHUNK *current_buffer = set->row_buffers[row]; + int64_t col; + +@@ -222,8 +224,7 @@ + + MYSQLND_INC_GLOBAL_STATISTIC_W_VALUE2(STAT_COPY_ON_WRITE_PERFORMED, copy_on_write_performed, + STAT_COPY_ON_WRITE_SAVED, copy_on_write_saved); +- mnd_efree(set->data); +- set->data = NULL; ++ mnd_efree(data); + } + + if (set->row_buffers) { only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/copy-arginfo-incorrect-since-54.patch +++ php5-5.4.4/debian/patches/copy-arginfo-incorrect-since-54.patch @@ -0,0 +1,39 @@ +commit 5b906ce6eb02118697c2f81d462ddfa724377fe8 +Author: Will Fitch <willfitch@php.net> +Date: Sat Jan 18 11:25:53 2014 -0500 + + Fix bug #66509: copy() arginfo incorrect since 5.4 + + Since 5.4, the ZEND_BEGIN_ARG_INFO_EX was replaced + by non _EX, causing Reflection to assume the + $context parameter is required. + +--- a/ext/standard/basic_functions.c ++++ b/ext/standard/basic_functions.c +@@ -1206,7 +1206,7 @@ + ZEND_BEGIN_ARG_INFO(arginfo_fstat, 0) + ZEND_ARG_INFO(0, fp) + ZEND_END_ARG_INFO() +-ZEND_BEGIN_ARG_INFO(arginfo_copy, 0) ++ZEND_BEGIN_ARG_INFO_EX(arginfo_copy, 0, 0, 2) + ZEND_ARG_INFO(0, source_file) + ZEND_ARG_INFO(0, destination_file) + ZEND_ARG_INFO(0, context) +--- /dev/null ++++ b/ext/standard/tests/file/bug66509.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #66509 (copy() showing $context parameter as required) ++--FILE-- ++<?php ++ ++$r = new \ReflectionFunction('copy'); ++ ++foreach($r->getParameters() as $p) { ++ var_dump($p->isOptional()); ++} ++?> ++--EXPECT-- ++bool(false) ++bool(false) ++bool(true) only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/Out-of-memory-on-command-stream_get_contents.patch +++ php5-5.4.4/debian/patches/Out-of-memory-on-command-stream_get_contents.patch @@ -0,0 +1,100 @@ +commit 1ec83d44a1601c3560f430e08af9698bf8fb075c +Author: Michael Wallner <mike@php.net> +Date: Wed Apr 2 15:36:39 2014 +0200 + + Fixed bug #61019 (Out of memory on command stream_get_contents) + +--- /dev/null ++++ b/ext/standard/tests/streams/bug61019.phpt +@@ -0,0 +1,78 @@ ++--TEST-- ++Bug #61019 (Out of memory on command stream_get_contents) ++--FILE-- ++<?php ++ ++echo "Test\n"; ++ ++$descriptorspec = array( ++ 0 => array("pipe", "r"), // stdin is a pipe that the child will read from ++ 1 => array("pipe", "w"), // stdout is a pipe that the child will write to ++ 2 => array("pipe", "w") // stderr is a pipe that the child will write to ++); ++ ++$process=proc_open("echo testtext",$descriptorspec,$pipes); ++if(is_resource($process)) ++{ ++ stream_set_blocking($pipes[0],false); ++ stream_set_blocking($pipes[1],false); ++ stream_set_blocking($pipes[2],false); ++ stream_set_write_buffer($pipes[0],0); ++ stream_set_read_buffer($pipes[1],0); ++ stream_set_read_buffer($pipes[2],0); ++ $stdin_stream=""; ++ $stderr_stream=""; ++ ++ echo "External command executed\n"; ++ do ++ { ++ $process_state=proc_get_status($process); ++ $tmp_stdin=stream_get_contents($pipes[1]); ++ if($tmp_stdin) ++ { ++ $stdin_stream=$stdin_stream.$tmp_stdin; ++ } ++ $tmp_stderr=stream_get_contents($pipes[2]); ++ if($tmp_stderr) ++ { ++ $stderr_stream=$stderr_stream.$tmp_stderr; ++ } ++ } while($process_state['running']); ++ ++ echo "External command exit: ".$process_state['exitcode']."\n"; ++ ++ //read outstanding data ++ $tmp_stdin=stream_get_contents($pipes[1]); ++ if($tmp_stdin) ++ { ++ $stdin_stream=$stdin_stream.$tmp_stdin; ++ } ++ $tmp_stderr=stream_get_contents($pipes[2]); ++ if($tmp_stderr) ++ { ++ $stderr_stream=$stderr_stream.$tmp_stderr; ++ } ++ ++ fclose ($pipes[0]); ++ fclose ($pipes[1]); ++ fclose ($pipes[2]); ++ ++ proc_close($process); ++ ++ echo "STDOUT: ".$stdin_stream."\n"; ++ echo "STDERR: ".$stderr_stream."\n"; ++} ++else ++{ ++ echo "Can't start external command\n"; ++} ++?> ++===DONE=== ++--EXPECT-- ++Test ++External command executed ++External command exit: 0 ++STDOUT: testtext ++ ++STDERR: ++===DONE=== +--- a/main/streams/streams.c ++++ b/main/streams/streams.c +@@ -735,6 +735,10 @@ + + if (!stream->readfilters.head && (stream->flags & PHP_STREAM_FLAG_NO_BUFFER || stream->chunk_size == 1)) { + toread = stream->ops->read(stream, buf, size TSRMLS_CC); ++ if (toread == (size_t) -1) { ++ /* e.g. underlying read(2) returned -1 */ ++ break; ++ } + } else { + php_stream_fill_read_buffer(stream, size TSRMLS_CC); + only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/fpassthru-broken.patch +++ php5-5.4.4/debian/patches/fpassthru-broken.patch @@ -0,0 +1,57 @@ +commit d08b4dbf23febd3f305a2682b03ab9c70f11ac60 +Author: Michael Wallner <mike@php.net> +Date: Thu Apr 3 10:40:06 2014 +0200 + + Fix Bug #66736 fpassthru broken + +--- a/main/output.c ++++ b/main/output.c +@@ -234,6 +234,13 @@ + * Unbuffered write */ + PHPAPI int php_output_write_unbuffered(const char *str, size_t len TSRMLS_DC) + { ++#if PHP_DEBUG ++ if (len > UINT_MAX) { ++ php_error(E_WARNING, "Attempt to output more than UINT_MAX bytes at once; " ++ "output will be truncated %lu => %lu", ++ (unsigned long) len, (unsigned long) (len % UINT_MAX)); ++ } ++#endif + if (OG(flags) & PHP_OUTPUT_DISABLED) { + return 0; + } +@@ -248,6 +255,13 @@ + * Buffered write */ + PHPAPI int php_output_write(const char *str, size_t len TSRMLS_DC) + { ++#if PHP_DEBUG ++ if (len > UINT_MAX) { ++ php_error(E_WARNING, "Attempt to output more than UINT_MAX bytes at once; " ++ "output will be truncated %lu => %lu", ++ (unsigned long) len, (unsigned long) (len % UINT_MAX)); ++ } ++#endif + if (OG(flags) & PHP_OUTPUT_DISABLED) { + return 0; + } +--- a/main/streams/streams.c ++++ b/main/streams/streams.c +@@ -1404,11 +1404,16 @@ + p = php_stream_mmap_range(stream, php_stream_tell(stream), PHP_STREAM_MMAP_ALL, PHP_STREAM_MAP_MODE_SHARED_READONLY, &mapped); + + if (p) { +- PHPWRITE(p, mapped); ++ do { ++ /* output functions return int, so pass in int max */ ++ if (0 < (b = PHPWRITE(p, MIN(mapped - bcount, INT_MAX)))) { ++ bcount += b; ++ } ++ } while (b > 0 && mapped > bcount); + + php_stream_mmap_unmap_ex(stream, mapped); + +- return mapped; ++ return bcount; + } + } + only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/proc_open-separate-environment-values-that-arent-strings.patch +++ php5-5.4.4/debian/patches/proc_open-separate-environment-values-that-arent-strings.patch @@ -0,0 +1,143 @@ +commit e73c05b75e9b279acffe2320fd65e6e54cbd0b59 +Author: Tjerk Meesters <datibbaw@php.net> +Date: Thu Oct 10 20:21:14 2013 +0800 + + proc_open(): separate environment values that aren't strings + + Added a test case + +--- a/ext/standard/proc_open.c ++++ b/ext/standard/proc_open.c +@@ -116,8 +116,17 @@ + zend_hash_get_current_data_ex(target_hash, (void **) &element, &pos) == SUCCESS; + zend_hash_move_forward_ex(target_hash, &pos)) { + +- convert_to_string_ex(element); +- el_len = Z_STRLEN_PP(element); ++ if (Z_TYPE_PP(element) != IS_STRING) { ++ zval tmp; ++ ++ MAKE_COPY_ZVAL(element, &tmp); ++ convert_to_string(&tmp); ++ el_len = Z_STRLEN(tmp); ++ ++ zval_dtor(&tmp); ++ } else { ++ el_len = Z_STRLEN_PP(element); ++ } + if (el_len == 0) { + continue; + } +@@ -129,7 +138,7 @@ + if (string_length == 0) { + continue; + } +- sizeenv += string_length+1; ++ sizeenv += string_length; + break; + } + } +@@ -142,19 +151,26 @@ + for (zend_hash_internal_pointer_reset_ex(target_hash, &pos); + zend_hash_get_current_data_ex(target_hash, (void **) &element, &pos) == SUCCESS; + zend_hash_move_forward_ex(target_hash, &pos)) { ++ zval tmp; ++ ++ if (Z_TYPE_PP(element) != IS_STRING) { ++ MAKE_COPY_ZVAL(element, &tmp); ++ convert_to_string(&tmp); ++ } else { ++ tmp = **element; ++ } + +- convert_to_string_ex(element); +- el_len = Z_STRLEN_PP(element); ++ el_len = Z_STRLEN(tmp); + + if (el_len == 0) { +- continue; ++ goto next_element; + } + +- data = Z_STRVAL_PP(element); ++ data = Z_STRVAL(tmp); + switch (zend_hash_get_current_key_ex(target_hash, &string_key, &string_length, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + if (string_length == 0) { +- continue; ++ goto next_element; + } + + l = string_length + el_len + 1; +@@ -179,6 +195,11 @@ + case HASH_KEY_NON_EXISTANT: + break; + } ++ ++next_element: ++ if (Z_TYPE_PP(element) != IS_STRING) { ++ zval_dtor(&tmp); ++ } + } + + assert((uint)(p - env.envp) <= sizeenv); +--- /dev/null ++++ b/ext/standard/tests/streams/bug60602.phpt +@@ -0,0 +1,57 @@ ++--TEST-- ++Bug #60602 proc_open() modifies environment if it contains arrays ++--FILE-- ++<?php ++ ++$descs = array( ++ 0 => array('pipe', 'r'), // stdin ++ 1 => array('pipe', 'w'), // stdout ++ 2 => array('pipe', 'w'), // strerr ++); ++ ++$environment = array('test' => array(1, 2, 3)); ++ ++$cmd = (substr(PHP_OS, 0, 3) == 'WIN') ? 'dir' : 'ls'; ++$p = proc_open($cmd, $descs, $pipes, '.', $environment); ++ ++if (is_resource($p)) { ++ $data = ''; ++ ++ while (1) { ++ $w = $e = NULL; ++ $n = stream_select($pipes, $w, $e, 300); ++ ++ if ($n === false) { ++ echo "no streams \n"; ++ break; ++ } else if ($n === 0) { ++ echo "process timed out\n"; ++ proc_terminate($p, 9); ++ break; ++ } else if ($n > 0) { ++ $line = fread($pipes[1], 8192); ++ if (strlen($line) == 0) { ++ /* EOF */ ++ break; ++ } ++ $data .= $line; ++ } ++ } ++ var_dump(strlen($data)); ++ ++ $ret = proc_close($p); ++ var_dump($ret); ++ var_dump(is_array($environment['test'])); ++} else { ++ echo "no process\n"; ++} ++?> ++==DONE== ++--EXPECTF-- ++Notice: Array to string conversion in %s on line %d ++ ++Notice: Array to string conversion in %s on line %d ++int(%d) ++int(0) ++bool(true) ++==DONE== only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/openssl_seal-memory-leak.patch +++ php5-5.4.4/debian/patches/openssl_seal-memory-leak.patch @@ -0,0 +1,86 @@ +commit a186312832207437e4783024dcdece5232ac6c39 +Author: Chuan Ma <Chuan.Ma@avidlifemedia.com> +Date: Mon Mar 24 23:24:41 2014 -0400 + + Fix #66942: openssl_seal() memory leak + + Fix #66952: memory leak in openssl_open() + +--- a/NEWS ++++ b/NEWS +@@ -1068,6 +1068,10 @@ + - Session: + . Fixed bug #55267 (session_regenerate_id fails after header sent). (Hannes) + ++- OpenSSL: ++ . Fix bug #66942 (memory leak in openssl_seal()). (Chuan Ma) ++ . Fix bug #66952 (memory leak in openssl_open()). (Chuan Ma) ++ + - SimpleXML: + . Reverted the SimpleXML->query() behaviour to returning empty arrays + instead of false when no nodes are found as it was since 5.3.3 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4287,6 +4287,7 @@ + + if (!EVP_EncryptInit(&ctx,cipher,NULL,NULL)) { + RETVAL_FALSE; ++ EVP_CIPHER_CTX_cleanup(&ctx); + goto clean_exit; + } + +@@ -4297,10 +4298,12 @@ + #endif + /* allocate one byte extra to make room for \0 */ + buf = emalloc(data_len + EVP_CIPHER_CTX_block_size(&ctx)); ++ EVP_CIPHER_CTX_cleanup(&ctx); + + if (!EVP_SealInit(&ctx, cipher, eks, eksl, NULL, pkeys, nkeys) || !EVP_SealUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len)) { + RETVAL_FALSE; + efree(buf); ++ EVP_CIPHER_CTX_cleanup(&ctx); + goto clean_exit; + } + +@@ -4333,6 +4336,7 @@ + efree(buf); + } + RETVAL_LONG(len1 + len2); ++ EVP_CIPHER_CTX_cleanup(&ctx); + + clean_exit: + for (i=0; i<nkeys; i++) { +@@ -4391,25 +4395,21 @@ + if (EVP_OpenInit(&ctx, cipher, (unsigned char *)ekey, ekey_len, NULL, pkey) && EVP_OpenUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len)) { + if (!EVP_OpenFinal(&ctx, buf + len1, &len2) || (len1 + len2 == 0)) { + efree(buf); +- if (keyresource == -1) { +- EVP_PKEY_free(pkey); +- } +- RETURN_FALSE; ++ RETVAL_FALSE; ++ } else { ++ zval_dtor(opendata); ++ buf[len1 + len2] = '\0'; ++ ZVAL_STRINGL(opendata, erealloc(buf, len1 + len2 + 1), len1 + len2, 0); ++ RETVAL_TRUE; + } + } else { + efree(buf); +- if (keyresource == -1) { +- EVP_PKEY_free(pkey); +- } +- RETURN_FALSE; ++ RETVAL_FALSE; + } + if (keyresource == -1) { + EVP_PKEY_free(pkey); + } +- zval_dtor(opendata); +- buf[len1 + len2] = '\0'; +- ZVAL_STRINGL(opendata, erealloc(buf, len1 + len2 + 1), len1 + len2, 0); +- RETURN_TRUE; ++ EVP_CIPHER_CTX_cleanup(&ctx); + } + /* }}} */ + only in patch2: unchanged: --- php5-5.4.4.orig/debian/patches/exit-in-stream-filter-produces-segfault.patch +++ php5-5.4.4/debian/patches/exit-in-stream-filter-produces-segfault.patch @@ -0,0 +1,22 @@ +commit 7ab5c593f77b229210a88d436270707f74b22b78 +Author: Michael Wallner <mike@php.net> +Date: Thu Apr 3 09:07:35 2014 +0200 + + Fix bug #66182 exit in stream filter produces segfault + + Unfortunately, a segv caused by exit cannot be tested reliably. + +--- a/ext/standard/user_filters.c ++++ b/ext/standard/user_filters.c +@@ -180,6 +180,11 @@ + zval zpropname; + int call_result; + ++ /* the userfilter object probably doesn't exist anymore */ ++ if (CG(unclean_shutdown)) { ++ return ret; ++ } ++ + if (FAILURE == zend_hash_find(Z_OBJPROP_P(obj), "stream", sizeof("stream"), (void**)&zstream)) { + /* Give the userfilter class a hook back to the stream */ + ALLOC_INIT_ZVAL(zstream);
Attachment:
php5_5.4.4-14+deb7u10.diff.gz
Description: application/gzip
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.0 Source: php5 Binary: php5, php5-common, libapache2-mod-php5, libapache2-mod-php5filter, php5-cgi, php5-cli, php5-fpm, libphp5-embed, php5-dev, php5-dbg, php-pear, php5-curl, php5-enchant, php5-gd, php5-gmp, php5-imap, php5-interbase, php5-intl, php5-ldap, php5-mcrypt, php5-mysql, php5-mysqlnd, php5-odbc, php5-pgsql, php5-pspell, php5-recode, php5-snmp, php5-sqlite, php5-sybase, php5-tidy, php5-xmlrpc, php5-xsl Architecture: any all Version: 5.4.4-14+deb7u10 Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org> Uploaders: Ondřej Surý <ondrej@debian.org>, Sean Finney <seanius@debian.org>, Thijs Kinkhorst <thijs@debian.org>, Lior Kaplan <kaplan@debian.org>, William Dauchy <wdauchy@gmail.com> Homepage: http://www.php.net/ Standards-Version: 3.9.3 Vcs-Browser: http://git.debian.org/?p=pkg-php/php.git Vcs-Git: git://git.debian.org/pkg-php/php.git Build-Depends: apache2-prefork-dev, autoconf (>= 2.63), automake (>= 1.11) | automake1.11, bison, chrpath, debhelper (>= 5), firebird-dev [!hurd-any !m68k !hppa !ppc64] | firebird2.5-dev [!hurd-any !m68k !hppa !ppc64] | firebird2.1-dev [!hurd-any !m68k !hppa !ppc64], flex, freetds-dev, hardening-wrapper, libapr1-dev (>= 1.2.7-8), libbz2-dev, libc-client-dev, libcurl4-openssl-dev | libcurl-dev, libdb-dev, libenchant-dev, libevent-dev (>= 1.4.11), libexpat1-dev (>= 1.95.2-2.1), libfreetype6-dev, libgcrypt11-dev, libgd2-xpm-dev, libglib2.0-dev, libgmp3-dev, libicu-dev, libjpeg-dev | libjpeg62-dev, libkrb5-dev, libldap2-dev, libmagic-dev, libmcrypt-dev, libmhash-dev (>= 0.8.8), libmysqlclient-dev | libmysqlclient15-dev, libonig-dev, libpam0g-dev, libpcre3-dev (>= 6.6), libpng-dev | libpng12-dev, libpq-dev, libpspell-dev, libqdbm-dev, librecode-dev, libsasl2-dev, libsnmp-dev, libsqlite3-dev, libssl-dev, libtidy-dev, libtool (>= 2.2), libwrap0-dev, libxmltok1-dev, libxml2-dev, libx slt1-dev (>= 1.0.18), locales-all | language-pack-de, mysql-server, netbase, netcat-traditional, quilt, re2c, unixodbc-dev, zlib1g-dev, tzdata Build-Conflicts: bind-dev Package-List: libapache2-mod-php5 deb httpd optional libapache2-mod-php5filter deb httpd extra libphp5-embed deb php optional php-pear deb php optional php5 deb php optional php5-cgi deb php optional php5-cli deb php optional php5-common deb php optional php5-curl deb php optional php5-dbg deb debug extra php5-dev deb php optional php5-enchant deb php optional php5-fpm deb php optional php5-gd deb php optional php5-gmp deb php optional php5-imap deb php optional php5-interbase deb php optional php5-intl deb php optional php5-ldap deb php optional php5-mcrypt deb php optional php5-mysql deb php optional php5-mysqlnd deb php extra php5-odbc deb php optional php5-pgsql deb php optional php5-pspell deb php optional php5-recode deb php optional php5-snmp deb php optional php5-sqlite deb php optional php5-sybase deb php optional php5-tidy deb php optional php5-xmlrpc deb php optional php5-xsl deb php optional Checksums-Sha1: 5b218c805078dca5925bef26bb3fb7a9cf98a940 14060505 php5_5.4.4.orig.tar.gz 2a946b5bd712fb3cd53109963b43b3df303666ca 265525 php5_5.4.4-14+deb7u10.diff.gz Checksums-Sha256: 0404b517ff938aca2c445fd61d10467e275acb031607cb09bf678241ba205edf 14060505 php5_5.4.4.orig.tar.gz d26dea91b429ad5ee74da4f32509d736470bb279129992b6cb811f593142c8d7 265525 php5_5.4.4-14+deb7u10.diff.gz Files: 8366c3626f2275ab8c7ef5e2d6bc5bd7 14060505 php5_5.4.4.orig.tar.gz a71cf8c3efca25f8d6dcc3ddfe74557e 265525 php5_5.4.4-14+deb7u10.diff.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJThIFfAAoJEAyZtw70/LsH7o4QAJUGcKhnnbXhirR+5Cx4BYAk qIvFaCSPcCsWbRR1me6mJ1osYwf9dXXk9FTLPj/Xvh8JUhOjBtYkaH/oXO4nq17I RtxR8W/xNq+75gPsTdHrcVVacvxoCrq5HYAtXHsGjQt0zrqTliVtpoH6je8EiaHX t0gA44Ff+1lzCiq+ylCXWByBXVag1ZYBvOSuW10X5GT6BmA7ZvDWFVWEHnQOAtRl 7ZW92UIQ2Z6G/Thp2rIp3LFue9jd9BboCHYAAQdR5Mlr5S87XIcGigMVg1uEbbZD T4O4o+HnEAN9FoYoEy4/kFemgp2WBP1jHG9I/6awJWXJMo5NvFNKhmseGx9FxL39 Otiu71uBohFdeTIwXAWxtRi9YT7eEswPn9hZB4/aW6LcqPWOlyrEP+AUhrQasroT otKhxLaEssJKQbNLIl5EEkLigURo38TrpDZsl6drXM6pOnYIaU0zFCVf0KTkT6Bu mHo2LrYdT519DUJYjsZgUDMv7Imnoozd+z3+tU9wybQ5ZuhBxMaQ2Z6SJQ4vW4p7 GfLwHiRwFJwseDUj4p276ZqxPHs2egYBhRruVYhDJVxVQsoyp/1odGf3ER052E2L 5gxeBd5MaKRnZbYf2bvUaBmdSmofdJhUXCy853pZf8ZBLDmF5erg7hFQSBrHfWKs cVob836Rkc5LeSMVyB4Y =F/3P -----END PGP SIGNATURE-----