From c9ac441fe883ef1980d5374c3ef09eb1048a532a Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 22 May 2015 10:58:28 +0300 Subject: [PATCH 1/5] Add CVE for bugs in 5.5.25 --- NEWS | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 2cae7404e98..0ccc88c8ac1 100644 --- a/NEWS +++ b/NEWS @@ -30,10 +30,12 @@ PHP NEWS 14 May 2015, PHP 5.5.25 - Core: - . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas) + . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). + (CVE-2015-4024) (Stas) . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). (Stas) - . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas) + . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025) + (Stas) . Fixed bug #69522 (heap buffer overflow in unpack()). (Stas) . Fixed bug #69467 (Wrong checked for the interface by using Trait). (Laruence) @@ -50,7 +52,7 @@ PHP NEWS - FTP: . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap - overflow). (Stas) + overflow). (CVE-2015-4022) (Stas) - ODBC: . Fixed bug #69474 (ODBC: Query with same field name from two tables returns @@ -63,11 +65,12 @@ PHP NEWS (Daniel Lowrey) - PCNTL: - . Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas) + . Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026) + (Stas) - Phar: - . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename - starts with null). (Stas) + . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry + filename starts with null). (CVE-2015-4021) (Stas) 16 Apr 2015, PHP 5.5.24 From 7ecab5d23fc6939334d333713ac899e7a8153856 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 22 May 2015 11:02:01 +0300 Subject: [PATCH 2/5] Add entry about PCRE upgrade (rev 95fa7279) --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index 0ccc88c8ac1..2cb177bf2da 100644 --- a/NEWS 
+++ b/NEWS @@ -16,6 +16,9 @@ PHP NEWS - MCrypt: . Added file descriptor caching to mcrypt_create_iv() (Leigh) +- PCRE: + . Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326) + - Phar: . Fixed bug #69680 (phar symlink in binary directory broken). (Matteo Bernardini, Remi) From f736934af08d8cef65860bd1a0bdf12f3630ae39 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 22 May 2015 11:15:36 +0300 Subject: [PATCH 3/5] Add CVE for bugs in 5.6.9 --- NEWS | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index aa752a4f2f5..852358af115 100644 --- a/NEWS +++ b/NEWS @@ -39,15 +39,17 @@ PHP NEWS (Nikita) . Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). (Jan Starke) - . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas) + . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). + (CVE-2015-4024) (Stas) . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). (Stas) - . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas) + . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025) + (Stas) . Fixed bug #69522 (heap buffer overflow in unpack()). (Stas) - FTP: . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap - overflow). (Stas) + overflow). (CVE-2015-4022) (Stas) - ODBC: . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). @@ -62,14 +64,15 @@ PHP NEWS (Daniel Lowrey) - PCNTL: - . Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas) + . Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026) + (Stas) - PCRE - . Upgraded pcrelib to 8.37. + . Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326) - Phar: . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry - filename starts with null). (Stas) + filename starts with null). (CVE-2015-4021) (Stas) 16 Apr 2015, PHP 5.6.8 
From 827d2c14150197e20897cba39c1824aa910df95a Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 22 May 2015 11:17:01 +0300 Subject: [PATCH 4/5] Add entry for bug #69354, fixed in 5.5.25 --- NEWS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEWS b/NEWS index 2cb177bf2da..0e0af2c3626 100644 --- a/NEWS +++ b/NEWS @@ -58,6 +58,8 @@ PHP NEWS overflow). (CVE-2015-4022) (Stas) - ODBC: + . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). + (Anatol) . Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). (Anatol) . Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall, From d9c266f4c91ab4cbee1c334f078c63519ab21395 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Fri, 22 May 2015 21:25:52 +0200 Subject: [PATCH 5/5] fix test Sometimes the path is unixified, sometimes not, so better don't care about the slash in this case. --- ext/phar/tests/bug69441.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/phar/tests/bug69441.phpt b/ext/phar/tests/bug69441.phpt index 03c87e34caf..934c5f6b735 100644 --- a/ext/phar/tests/bug69441.phpt +++ b/ext/phar/tests/bug69441.phpt @@ -14,7 +14,7 @@ $r = new Phar($fname, 0); ==DONE== --EXPECTF-- -exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s%ebug69441.phar"' in %s%ebug69441.php:%d +exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%sbug69441.phar"' in %sbug69441.php:%d Stack trace: #0 %s%ebug69441.php(%d): Phar->__construct('%s', 0) #1 {main}
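Review bot: In the first hunk of [PATCH 1/5] (Core, 5.5.25), the entries for bug #69403 (str_repeat() sign mismatch based memory corruption) and bug #69522 (heap buffer overflow in unpack()) stay without a CVE reference while their neighbours #69364 and #69418 gain one. Both are described as memory-corruption bugs, so please confirm whether identifiers were assigned and add them in this change if so, or state in the commit message that none exist. The #69418 line also now carries two identifiers, `CVE-2006-7243` inside the bug title and `(CVE-2015-4025)` after it, so anyone matching NEWS on CVE ids will attribute both to this fix. The same two points apply to the matching Core hunk in [PATCH 3/5].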
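Review bot: The PCRE entry added by [PATCH 2/5] has no contributor attribution, while the neighbouring entries in the same hunk end with one (`(Leigh)`, `(Matteo Bernardini, Remi)`). Please append the name of whoever made the pcrelib upgrade in rev 95fa7279 so the entry follows the format of the rest of the file.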
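Review bot: In the second hunk of [PATCH 3/5] (`@@ -62,14 +64,15 @@`), the section header `- PCRE` is missing its trailing colon. The other headers visible in this series (`- PCNTL:`, `- Phar:`, `- FTP:`, `- ODBC:`) have one, as does the `- PCRE:` line added by [PATCH 2/5]. This hunk already edits the line directly beneath the header, so fix the header in the same change.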
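Review bot: The stack-trace line `#0 %s%ebug69441.php(%d): Phar->__construct('%s', 0)` in the trailing context of [PATCH 5/5] still uses `%s%e`, while the changed line drops `%e` both before `bug69441.phar` and in `in %sbug69441.php:%d`. If the separator in front of the script name is not reliable in the `in ...` part, frame #0 prints the same script path and may be affected in the same way, so either change it to `%sbug69441.php(%d)` as well or say in the commit message why that line is unaffected. Note that `%s` matches any non-empty run of characters up to the end of the line, so after this change the pattern no longer requires a directory separator before the file name at all.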