* PHP-5.6.18:
fix tests
fix NEWS
Update NEWS
update NEWS
Fixed bug #71488: Stack overflow when decompressing tar archives
update NEWS
add missing headers for SIZE_MAX
backport the escapeshell* functions hardening branch
add tests
Fix bug #71459 - Integer overflow in iptcembed()
prepare 5.6.18RC1
Fix test when run with openssl < 1.0.2 (reorder so no more SSLv2 message) Fix skip message to work
improve fix for bug #71201
Fixed bug #71323 - Output of stream_get_meta_data can be falsified by its input
Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()
Fix bug #71335: Type Confusion in WDDX Packet Deserialization
Fix bug #71354 - remove UMR when size is 0
Conflicts:
configure.in
ext/phar/dirstream.c
ext/phar/phar_object.c
ext/phar/tar.c
ext/standard/exec.c
ext/standard/iptc.c
ext/standard/math.c
ext/standard/streamsfuncs.c
ext/wddx/wddx.c
main/php_version.h
main/streams/memory.c
If an archive can't be written, ZipArchive::close() nonetheless returns TRUE.
We fix the return value to properly return success, and additionally raise a
warning on failure.
* PHP-5.6: (21 commits)
fix unit tests
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix bug ##70284 (Use after free vulnerability in unserialize() with GMP)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
...
Conflicts:
ext/exif/exif.c
ext/gmp/gmp.c
ext/pcre/php_pcre.c
ext/session/session.c
ext/session/tests/session_decode_variation3.phpt
ext/soap/soap.c
ext/spl/spl_observer.c
ext/standard/var.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/xsl/xsltprocessor.c
* PHP-5.5:
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
5.4.45 next
Conflicts:
ext/pcre/php_pcre.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/zip/php_zip.c
The constants have already been added long ago. This patch just adds a PHPT
which checks the recognition of the respective compression methods.
Unfortunately, I've not been able to assemble a zip with all compression
methods.
* master:
Fixed issue #183 (TMP_VAR is not only used once)
Fix broken Junit output with --disable-cgi
Added folder mark
Further test fixes for the fdb2709 breakage.
Fix broken test caused by fdb2709.
Added tests for ZipArchive::addGlob() and ZipArchive::addPattern()
Fix run-tests.php with Valgrind >= 3.10.0.
Add microseconds to the serialised form of DateTime objects.
Improved test for bug #62479
fix typo in ODBC code
gcov: tentative fix for broken coverage data after fix for opcache coverage slightly hackish, but works. The idea is that we want to give priority to .gcda files in .libs dirs vs the files in the upper level dir
5.5.14 now
Fix bug #67060: use default mode of 660
Conflicts:
ext/date/php_date.c
- update libzip to version 1.11.1. We don't use any private symbol anymore
- new method ZipArchive::setPassword($password)
- add --with-libzip option to build with system libzip
#It is unclear if url_stat handlers should emit a warning in case
#PHP_STREAM_URL_STAT_QUIET is not specified and the resource does
#not exist. Most url_stat handlers never emit messages; the plain
#one does only so in the extraordinary event of an open_basedir
#restriction.
#But in case, php_stat uses PHP_STREAM_URL_STAT_QUIET for the
#FS_EXISTS, which suggests that mere checks on file existence are
#supposed to use this flag (arguably).
#The downside is that important diagnostic messages might be
#omitted.
Joe Watkins