
php5.4: add last debian u14 patchset

3.15-stable
parent
commit
5c9734c497
  1. 8
      testing/php5.4/APKBUILD
  2. 82
      testing/php5.4/d14-u001-CVE-2018-10545.patch
  3. 199
      testing/php5.4/d14-u002-CVE-2018-10547.patch
  4. 75
      testing/php5.4/d14-u003-CVE-2018-10548.patch

8
testing/php5.4/APKBUILD

@ -26,7 +26,7 @@
pkgname=php5.4
_pkgreal=php
pkgver=5.4.45
pkgrel=13
pkgrel=14
_apiver=20100412
_suffix=${pkgname#php}
_suffixA=5
@ -221,6 +221,9 @@ source="https://www.php.net/distributions/$_pkgreal-$pkgver.tar.bz2
d11-u001-CVE-2017-12933.patch
d12-u001-CVE-2018-5712.patch
d13-u001-CVE-2018-7584.patch
d14-u001-CVE-2018-10545.patch
d14-u002-CVE-2018-10547.patch
d14-u003-CVE-2018-10548.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
@ -878,4 +881,7 @@ ac65be6646776ffb94b015f877b3851c420ea08a068635cf34bd2eca14a9011b07e07f01b978ab62
d5dd01841b845fb4a56fd7bc3be66a60c83ab45ac8a598b45e689c0bf128d19edbd5e79c961064c0a22ab95cebd079594c2d6041a55543eabb9763e165a0feb4 d11-u001-CVE-2017-12933.patch
b2e3f017d6dd88cc04e87431b22f220d2e1217bf11fe46a7bff447c108458398f0d59c1a2c5f4264158ad02d5ae44992bcf1a378c6c4c8435d463c0e152d8d12 d12-u001-CVE-2018-5712.patch
341b245b246abde3622a06e819181c3083266d2e66924e2617d986cf15d310f6844a604dae0bc4a844a46c1fde5f4542070c7b43b078f1229b9fe088174bfce1 d13-u001-CVE-2018-7584.patch
85c3912f0e57ccfa576319dbc9255925e00ac49b6a88af8577e60c7261bfe5f645e0321ed84b6ab19c911ddedaf293afd1e4a151b7dd00006d6053a0ff2b0b34 d14-u001-CVE-2018-10545.patch
e171a654fa575855401d1bb15169f6de0437a2c9c6cc51a0568609207415cd408d5b71f4b3506d9ea5773767c9dd66108780f7dc10175b6b8c370b2bd9fb8428 d14-u002-CVE-2018-10547.patch
d5b9f500ac1a2dc781d357446e1f26c8161e7fad9b077acaa1cee984a6a9bd03317fb8ed6405d6184770396c7d7220909aa43d1fb0b091063d7fe671a5450496 d14-u003-CVE-2018-10548.patch
"

82
testing/php5.4/d14-u001-CVE-2018-10545.patch

@ -0,0 +1,82 @@
From: Markus Koschany <apo@debian.org>
Date: Wed, 9 May 2018 15:52:36 +0200
Subject: CVE-2018-10545
Bug-Upstream: https://bugs.php.net/bug.php?id=75605
---
sapi/fpm/fpm/fpm_conf.c | 3 +++
sapi/fpm/fpm/fpm_conf.h | 1 +
sapi/fpm/fpm/fpm_unix.c | 2 +-
sapi/fpm/php-fpm.conf.in | 6 ++++++
4 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/sapi/fpm/fpm/fpm_conf.c b/sapi/fpm/fpm/fpm_conf.c
index c521f5e..60253cc 100644
--- a/sapi/fpm/fpm/fpm_conf.c
+++ b/sapi/fpm/fpm/fpm_conf.c
@@ -128,6 +128,7 @@ static struct ini_value_parser_s ini_fpm_pool_options[] = {
{ "listen.mode", &fpm_conf_set_string, WPO(listen_mode) },
{ "listen.allowed_clients", &fpm_conf_set_string, WPO(listen_allowed_clients) },
{ "process.priority", &fpm_conf_set_integer, WPO(process_priority) },
+ { "process.dumpable", &fpm_conf_set_boolean, WPO(process_dumpable) },
{ "pm", &fpm_conf_set_pm, WPO(pm) },
{ "pm.max_children", &fpm_conf_set_integer, WPO(pm_max_children) },
{ "pm.start_servers", &fpm_conf_set_integer, WPO(pm_start_servers) },
@@ -604,6 +605,7 @@ static void *fpm_worker_pool_config_alloc() /* {{{ */
wp->config->listen_backlog = FPM_BACKLOG_DEFAULT;
wp->config->pm_process_idle_timeout = 10; /* 10s by default */
wp->config->process_priority = 64; /* 64 means unset */
+ wp->config->process_dumpable = 0;
wp->config->clear_env = 1;
if (!fpm_worker_all_pools) {
@@ -1585,6 +1587,7 @@ static void fpm_conf_dump() /* {{{ */
} else {
zlog(ZLOG_NOTICE, "\tprocess.priority = %d", wp->config->process_priority);
}
+ zlog(ZLOG_NOTICE, "\tprocess.dumpable = %s", BOOL2STR(wp->config->process_dumpable));
zlog(ZLOG_NOTICE, "\tpm = %s", PM2STR(wp->config->pm));
zlog(ZLOG_NOTICE, "\tpm.max_children = %d", wp->config->pm_max_children);
zlog(ZLOG_NOTICE, "\tpm.start_servers = %d", wp->config->pm_start_servers);
diff --git a/sapi/fpm/fpm/fpm_conf.h b/sapi/fpm/fpm/fpm_conf.h
index 19bd7ff..64ef11f 100644
--- a/sapi/fpm/fpm/fpm_conf.h
+++ b/sapi/fpm/fpm/fpm_conf.h
@@ -63,6 +63,7 @@ struct fpm_worker_pool_config_s {
char *listen_mode;
char *listen_allowed_clients;
int process_priority;
+ int process_dumpable;
int pm;
int pm_max_children;
int pm_start_servers;
diff --git a/sapi/fpm/fpm/fpm_unix.c b/sapi/fpm/fpm/fpm_unix.c
index ea0e673..57a87be 100644
--- a/sapi/fpm/fpm/fpm_unix.c
+++ b/sapi/fpm/fpm/fpm_unix.c
@@ -214,7 +214,7 @@ int fpm_unix_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
}
#ifdef HAVE_PRCTL
- if (0 > prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) {
+ if (wp->config->process_dumpable && 0 > prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to prctl(PR_SET_DUMPABLE)", wp->config->name);
}
#endif
diff --git a/sapi/fpm/php-fpm.conf.in b/sapi/fpm/php-fpm.conf.in
index 58852f7..3f78ef9 100644
--- a/sapi/fpm/php-fpm.conf.in
+++ b/sapi/fpm/php-fpm.conf.in
@@ -191,6 +191,12 @@ listen = /var/run/php5-fpm.sock
; Default Value: no set
; process.priority = -19
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
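Review bot: The now-conditional `prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)` in fpm_unix.c has no comment saying why it became opt-in, so a later cleanup could restore the unconditional call. I would add above it `/* Opt-in only: re-setting the dumpable flag after the uid/gid switch lets the pool user ptrace or core-dump the worker (CVE-2018-10545). */`. With `process.dumpable = no` nothing clears the flag explicitly; the code appears to rely on the kernel resetting it when the worker changes credentials, which is worth stating in the same comment. The new php-fpm.conf.in text describes the option but does not say that enabling it exposes the worker's memory to the pool user, and it contains a typo (`differrent`). fpm_unix_init_child starts and ends outside the hunk.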

199
testing/php5.4/d14-u002-CVE-2018-10547.patch

@ -0,0 +1,199 @@
From: Markus Koschany <apo@debian.org>
Date: Wed, 9 May 2018 15:23:23 +0200
Subject: CVE-2018-10547
Bug-Upstream: https://bugs.php.net/bug.php?id=76129
---
ext/phar/phar_object.c | 6 ++----
ext/phar/tests/cache_list/frontcontroller10.phpt | 2 +-
ext/phar/tests/cache_list/frontcontroller6.phpt | 2 +-
ext/phar/tests/cache_list/frontcontroller8.phpt | 2 +-
ext/phar/tests/frontcontroller10.phpt | 2 +-
ext/phar/tests/frontcontroller6.phpt | 2 +-
ext/phar/tests/frontcontroller8.phpt | 2 +-
ext/phar/tests/tar/frontcontroller10.phar.phpt | 2 +-
ext/phar/tests/tar/frontcontroller6.phar.phpt | 2 +-
ext/phar/tests/tar/frontcontroller8.phar.phpt | 2 +-
ext/phar/tests/zip/frontcontroller10.phar.phpt | 2 +-
ext/phar/tests/zip/frontcontroller6.phar.phpt | 2 +-
ext/phar/tests/zip/frontcontroller8.phar.phpt | 2 +-
13 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 204cabb..eb23223 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -340,8 +340,7 @@ static void phar_do_403(char *entry, int entry_len TSRMLS_DC) /* {{{ */
sapi_header_op(SAPI_HEADER_REPLACE, &ctr TSRMLS_CC);
sapi_send_headers(TSRMLS_C);
PHPWRITE("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ", sizeof("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ") - 1);
- PHPWRITE(entry, entry_len);
- PHPWRITE(" Access Denied</h1>\n </body>\n</html>", sizeof(" Access Denied</h1>\n </body>\n</html>") - 1);
+ PHPWRITE("Access Denied</h1>\n </body>\n</html>", sizeof("Access Denied</h1>\n </body>\n</html>") - 1);
}
/* }}} */
@@ -365,8 +364,7 @@ static void phar_do_404(phar_archive_data *phar, char *fname, int fname_len, cha
sapi_header_op(SAPI_HEADER_REPLACE, &ctr TSRMLS_CC);
sapi_send_headers(TSRMLS_C);
PHPWRITE("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ", sizeof("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ") - 1);
- PHPWRITE(entry, entry_len);
- PHPWRITE(" Not Found</h1>\n </body>\n</html>", sizeof(" Not Found</h1>\n </body>\n</html>") - 1);
+ PHPWRITE("Not Found</h1>\n </body>\n</html>", sizeof("Not Found</h1>\n </body>\n</html>") - 1);
}
/* }}} */
diff --git a/ext/phar/tests/cache_list/frontcontroller10.phpt b/ext/phar/tests/cache_list/frontcontroller10.phpt
index 00177d4..5fd9868 100644
--- a/ext/phar/tests/cache_list/frontcontroller10.phpt
+++ b/ext/phar/tests/cache_list/frontcontroller10.phpt
@@ -20,6 +20,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html>
diff --git a/ext/phar/tests/cache_list/frontcontroller6.phpt b/ext/phar/tests/cache_list/frontcontroller6.phpt
index 2480be4..a79c958 100644
--- a/ext/phar/tests/cache_list/frontcontroller6.phpt
+++ b/ext/phar/tests/cache_list/frontcontroller6.phpt
@@ -18,6 +18,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/cache_list/frontcontroller8.phpt b/ext/phar/tests/cache_list/frontcontroller8.phpt
index bf9b390..e04f9e5 100644
--- a/ext/phar/tests/cache_list/frontcontroller8.phpt
+++ b/ext/phar/tests/cache_list/frontcontroller8.phpt
@@ -18,6 +18,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/frontcontroller10.phpt b/ext/phar/tests/frontcontroller10.phpt
index 667d5c2..b3f5e64 100644
--- a/ext/phar/tests/frontcontroller10.phpt
+++ b/ext/phar/tests/frontcontroller10.phpt
@@ -19,6 +19,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html>
diff --git a/ext/phar/tests/frontcontroller6.phpt b/ext/phar/tests/frontcontroller6.phpt
index 1a2cc2c..c5dd382 100644
--- a/ext/phar/tests/frontcontroller6.phpt
+++ b/ext/phar/tests/frontcontroller6.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/frontcontroller8.phpt b/ext/phar/tests/frontcontroller8.phpt
index 36e3206..77d33da 100644
--- a/ext/phar/tests/frontcontroller8.phpt
+++ b/ext/phar/tests/frontcontroller8.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/tar/frontcontroller10.phar.phpt b/ext/phar/tests/tar/frontcontroller10.phar.phpt
index f1fc6e3..23ce6f3 100644
--- a/ext/phar/tests/tar/frontcontroller10.phar.phpt
+++ b/ext/phar/tests/tar/frontcontroller10.phar.phpt
@@ -19,6 +19,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/tar/frontcontroller6.phar.phpt b/ext/phar/tests/tar/frontcontroller6.phar.phpt
index 5375bee..b811f00 100644
--- a/ext/phar/tests/tar/frontcontroller6.phar.phpt
+++ b/ext/phar/tests/tar/frontcontroller6.phar.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/tar/frontcontroller8.phar.phpt b/ext/phar/tests/tar/frontcontroller8.phar.phpt
index 19844cb..a180e20 100644
--- a/ext/phar/tests/tar/frontcontroller8.phar.phpt
+++ b/ext/phar/tests/tar/frontcontroller8.phar.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/zip/frontcontroller10.phar.phpt b/ext/phar/tests/zip/frontcontroller10.phar.phpt
index 56d16c2..5bbe9e1 100644
--- a/ext/phar/tests/zip/frontcontroller10.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller10.phar.phpt
@@ -19,6 +19,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/zip/frontcontroller6.phar.phpt b/ext/phar/tests/zip/frontcontroller6.phar.phpt
index 15489f6..63f7c62 100644
--- a/ext/phar/tests/zip/frontcontroller6.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller6.phar.phpt
@@ -17,6 +17,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
diff --git a/ext/phar/tests/zip/frontcontroller8.phar.phpt b/ext/phar/tests/zip/frontcontroller8.phar.phpt
index 1b0d133..d4c3a3f 100644
--- a/ext/phar/tests/zip/frontcontroller8.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller8.phar.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html>
\ No newline at end of file
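Review bot: After this change `entry` and `entry_len` are no longer used in the visible part of phar_do_403, and the same seems to hold for phar_do_404, yet nothing in the code records why the path was dropped from the page. A comment next to the remaining PHPWRITE, e.g. `/* entry is request-derived: never echo it into the error page unescaped (CVE-2018-10547) */`, would keep a later change from re-adding the name without HTML-escaping it. Each literal is still written twice per call (once as data, once inside `sizeof`), so the two copies can drift apart; a local `static const char` array used for both would avoid that. Both function bodies start outside the hunks.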

75
testing/php5.4/d14-u003-CVE-2018-10548.patch

@ -0,0 +1,75 @@
From: Markus Koschany <apo@debian.org>
Date: Wed, 9 May 2018 15:20:34 +0200
Subject: CVE-2018-10548
Bug-Upstream: https://bugs.php.net/bug.php?id=76248
---
ext/ldap/ldap.c | 6 +++++-
ext/ldap/tests/bug76248.phpt | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 ext/ldap/tests/bug76248.phpt
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
index 2092b5e..a3c604b 100644
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -1026,7 +1026,11 @@ PHP_FUNCTION(ldap_get_entries)
add_assoc_long(tmp1, "count", num_attrib);
dn = ldap_get_dn(ldap, ldap_result_entry);
- add_assoc_string(tmp1, "dn", dn, 1);
+ if (dn) {
+ add_assoc_string(tmp1, "dn", dn, 1);
+ } else {
+ add_assoc_null(tmp1, "dn");
+ }
#if (LDAP_API_VERSION > 2000) || HAVE_NSLDAP || HAVE_ORALDAP_10 || WINDOWS
ldap_memfree(dn);
#else
diff --git a/ext/ldap/tests/bug76248.phpt b/ext/ldap/tests/bug76248.phpt
new file mode 100644
index 0000000..45a7f83
--- /dev/null
+++ b/ext/ldap/tests/bug76248.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #76248 (Malicious LDAP-Server Response causes Crash)
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+if (!function_exists('pcntl_fork')) die('skip fork not available');
+?>
+--FILE--
+<?php
+$pid = pcntl_fork();
+const PORT = 12345;
+if ($pid == 0) {
+ // child
+ $server = stream_socket_server("tcp://127.0.0.1:12345");
+ $socket = stream_socket_accept($server, 3);
+ fwrite($socket, base64_decode("MAwCAQFhBwoBAAQABAAweQIBAmR0BJljbj1yb290LGRjPWV4YW1wbGUsZGM9Y29tMFcwIwQLb2JqZWN0Q2xhc3MxFAQSb3JnYW5pemF0aW9uYWxSb2xlMAwEAmNuMQYEBHJvb3QwIgQLZGVzY3JpcHRpb24xEwQRRGlyZWN0b3J5IE1hbmFnZXIwDAIBAmUHCgEABAAEADB5AgEDZHQEmWNuPXJvb3QsZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUwDAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjAMAgEDZQcKAQAEAAQA"));
+ fflush($socket);
+} else {
+ // parent
+ $ds = ldap_connect("127.0.0.1", PORT);
+ ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+ $b = ldap_bind($ds, "cn=root,dc=example,dc=com", "secret");
+
+ $s = ldap_search($ds, "dc=example,dc=com", "(cn=root)");
+ $tt = ldap_get_entries($ds, $s);
+ var_dump($tt);
+}
+?>
+--EXPECT--
+array(2) {
+ ["count"]=>
+ int(1)
+ [0]=>
+ array(2) {
+ ["count"]=>
+ int(0)
+ ["dn"]=>
+ NULL
+ }
+}
\ No newline at end of file
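Review bot: `ldap_memfree(dn)` directly after the new branch in ldap.c is still reached when `dn` is NULL. Whether that is a no-op depends on the LDAP client library, and the `#else` branch is outside the hunk, so I would move the whole `#if … #endif` free block inside `if (dn) { … }`. In bug76248.phpt the child hardcodes `tcp://127.0.0.1:12345` although `PORT` is defined, does not check the results of `stream_socket_server()` and `stream_socket_accept()`, and the parent may connect before the child is listening. Using `PORT` in the URL and bailing out when the listener cannot be created would make the test less flaky. PHP_FUNCTION(ldap_get_entries) starts and ends outside the hunk.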