Change logs for php5 source package in Wily

  • php5 (5.6.11+dfsg-1ubuntu3.4) wily-security; urgency=medium
    
      * SECURITY UPDATE: heap corruption in tar/zip/phar parser
        - debian/patches/CVE-2016-4342.patch: remove UMR when size is 0 in
          ext/phar/phar_object.c.
        - CVE-2016-4342
      * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
        - debian/patches/CVE-2016-4343.patch: check lengths in
          ext/phar/dirstream.c, ext/phar/tar.c.
        - CVE-2016-4343
      * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_
        definition
        - debian/patches/CVE-2016-4537.patch: properly detect scale in
          ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt.
        - CVE-2016-4537
        - CVE-2016-4538
      * SECURITY UPDATE: xml_parse_into_struct segmentation fault
        - debian/patches/CVE-2016-4539.patch: check parser->level in
          ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt.
        - CVE-2016-4539
      * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and
        zif_grapheme_strpos with negative offset
        - debian/patches/CVE-2016-4540.patch: check bounds in
          ext/intl/grapheme/grapheme_string.c, added test to
          ext/intl/tests/bug72061.phpt.
        - CVE-2016-4540
        - CVE-2016-4541
      * SECURITY UPDATE: out of bounds heap read access in exif header
        processing
        - debian/patches/CVE-2016-4542.patch: check sizes and length in
          ext/exif/exif.c.
        - CVE-2016-4542
        - CVE-2016-4543
        - CVE-2016-4544
    
     -- Marc Deslauriers <email address hidden>  Thu, 19 May 2016 12:03:33 -0400
  • php5 (5.6.11+dfsg-1ubuntu3.3) wily-security; urgency=medium
    
      * SECURITY REGRESSION: out of memory in SOAP (LP: #1575298)
        - debian/patches/CVE-2015-8835.patch: updated to fix bad patch
          backport.
    
     -- Marc Deslauriers <email address hidden>  Tue, 26 Apr 2016 14:57:54 -0400
  • php5 (5.6.11+dfsg-1ubuntu3.2) wily-security; urgency=medium
    
      * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
        - debian/patches/CVE-2014-9767.patch: use proper path in
          ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
        - CVE-2014-9767
      * SECURITY UPDATE: type confusion issue in SoapClient
        - debian/patches/CVE-2015-8835.patch: check types in
          ext/soap/php_http.c.
        - CVE-2015-8835
        - CVE-2016-3185
      * SECURITY UPDATE: denial of service or memory disclosure in gd via large
        bgd_color argument to imagerotate
        - debian/patches/CVE-2016-1903.patch: check bgcolor in
          ext/gd/libgd/gd_interpolation.c, added test to
          ext/gd/tests/bug70976.phpt.
        - CVE-2016-1903
      * SECURITY UPDATE: stack overflow when decompressing tar archives
        - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
          in ext/phar/tar.c.
        - CVE-2016-2554
      * SECURITY UPDATE: use-after-free in WDDX
        - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
          added test to ext/wddx/tests/bug71587.phpt.
        - CVE-2016-3141
      * SECURITY UPDATE: out-of-bound read in phar_parse_zipfile()
        - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
        - CVE-2016-3142
      * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
        secure
        - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
          RAND_pseudo_bytes in ext/openssl/openssl.c.
        - No CVE number
      * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
        file
        - debian/patches/bug71527.patch: properly calculate length in
          ext/fileinfo/libmagic/funcs.c, added test to
          ext/fileinfo/tests/bug71527.magic.
        - CVE number pending
      * SECURITY UPDATE: php_snmp_error() format string vulnerability
        - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
        - CVE number pending
      * SECURITY UPDATE: integer overflow in php_raw_url_encode
        - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
        - CVE number pending
      * SECURITY UPDATE: invalid memory write in phar on filename containing
        NULL
        - debian/patches/bug71860.patch: require valid paths in
          ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
          ext/phar/tests/badparameters.phpt,
          ext/phar/tests/bug64931/bug64931.phpt,
          ext/phar/tests/create_path_error.phpt,
          ext/phar/tests/phar_extract.phpt,
          ext/phar/tests/phar_isvalidpharfilename.phpt,
          ext/phar/tests/phar_unlinkarchive.phpt,
          ext/phar/tests/pharfileinfo_construct.phpt.
        - CVE number pending
      * SECURITY UPDATE: invalid negative size in mbfl_strcut
        - debian/patches/bug71906.patch: fix length checks in
          ext/mbstring/libmbfl/mbfl/mbfilter.c.
        - CVE number pending
    
     -- Marc Deslauriers <email address hidden>  Fri, 15 Apr 2016 10:37:57 -0400
  • php5 (5.6.11+dfsg-1ubuntu3.1) wily-security; urgency=medium
    
      * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset()
        - debian/patches/CVE-2015-7803.patch: check link in ext/phar/util.c.
        - CVE-2015-7803
      * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
        - debian/patches/CVE-2015-7804.patch: check filename length in
          ext/phar/util.c, ext/phar/zip.c.
        - CVE-2015-7804
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Oct 2015 16:47:59 -0400
  • php5 (5.6.11+dfsg-1ubuntu3) wily; urgency=medium
    
      * SECURITY UPDATE: multiple use-after-free issues in unserialize()
        - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in
          ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt.
        - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in
          ext/spl/spl_observer.c, added test to ext/spl/tests/bug70168.phpt.
        - debian/patches/CVE-2015-6831-3.patch: fix SplDoublyLinkedList in
          ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70169.phpt.
        - CVE-2015-6831
      * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject
        items
        - debian/patches/CVE-2015-6832.patch: fix dangling pointer in
          ext/spl/spl_array.c, added test to ext/spl/tests/bug70068.phpt.
        - CVE-2015-6832
      * SECURITY UPDATE: phar files extracted outside of destination dir
        - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given
          directory in ext/phar/phar_object.c.
        - debian/patches/CVE-2015-6833-2.patch: use emalloc in
          ext/phar/phar_object.c.
        - CVE-2015-6833
      * SECURITY UPDATE: multiple vulnerabilities in unserialize()
        - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in
          ext/standard/var.c, ext/standard/var_unserializer.*.
        - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in
          ext/spl/spl_observer.c, added test to ext/spl/tests/bug70365.phpt.
        - debian/patches/CVE-2015-6834-3.patch: fix use-after-free in
          ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70366.phpt.
        - CVE-2015-6834
      * SECURITY UPDATE: use after free in session deserializer
        - debian/patches/CVE-2015-6835-1.patch: fix use after free in
          ext/session/session.c, ext/standard/var_unserializer.*,
          fixed tests in ext/session/tests/session_decode_error2.phpt,
          ext/session/tests/session_decode_variation3.phpt.
        - debian/patches/CVE-2015-6835-2.patch: add more fixes to
          ext/session/session.c.
        - CVE-2015-6835
      * SECURITY UPDATE: SOAP serialize_function_call() type confusion
        - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c,
          added test to ext/soap/tests/bug70388.phpt.
        - CVE-2015-6836
      * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class
        - debian/patches/CVE-2015-6837-6838.patch: fix logic in
          ext/xsl/xsltprocessor.c.
        - CVE-2015-6837
        - CVE-2015-6838
    
     -- Marc Deslauriers <email address hidden>  Mon, 28 Sep 2015 07:26:44 -0400
  • php5 (5.6.11+dfsg-1ubuntu2) wily; urgency=medium
    
      * No-change rebuild against new libicu
    
     -- Iain Lane <email address hidden>  Wed, 05 Aug 2015 17:41:17 +0100
  • php5 (5.6.11+dfsg-1ubuntu1) wily; urgency=medium
    
      * Merge from Debian. Remaining changes:
        - Drop support for firebird, c-client, mcrypt, onig and qdbm as they
          are in universe:
          + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
            libmcrypt-dev, libonig-dev, libqdbm-dev.
          + d/control: drop binary packages php5-imap, php5-interbase and
            php5-mcrypt and their reverse dependencies.
          + d/rules: drop configuration of qdbm, onig, imap, mcrypt.
          + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't
            build interbase or firebird.
          + d/modulelist: drop imap, interbase and mcrypt.
        - d/control: switch Build-Depends of netcat-traditional to
          netcat-openbsd as only the latter is in main.
        - d/source_php5.py, d/rules: add apport hook.
      * New upstream version uses __builtin_clzl when __powerpc__ is defined,
        improving performance on POWER systems (LP: #1458434).
      * Drop changes (patches included upstream): CVE-2015-4598.patch,
        CVE-2015-4643.patch, CVE-2015-4644.patch.
    
     -- Robie Basak <email address hidden>  Mon, 27 Jul 2015 11:15:34 +0000
  • php5 (5.6.9+dfsg-1ubuntu1) wily; urgency=medium
    
      * Merge from Debian. Remaining changes:
        - d/control: drop Build-Depends that are in universe: firebird-dev,
          libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
        - d/rules: drop configuration of packages that are in universe: qdbm, onig.
        - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
          interbase or firebird.
        - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
          since we have separate versions in universe.
        - d/modulelist: drop imap, interbase and mcrypt since we have separate
          versions in universe.
        - d/rules: drop configuration of imap and mcrypt since we have separate
          versions in universe.
        - d/source_php5.py, d/rules: add apport hook.
        - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
          as only the latter is in main.
      * Dropped changes:
        - patches included in new upstream version: CVE-2014-9427.patch,
          CVE-2014-9652.patch, CVE-2015-0231.patch, CVE-2015-0232.patch,
          CVE-2015-1351.patch, CVE-2015-1352.patch, remove_readelf.patch,
          CVE-2014-9705.patch, CVE-2015-0273.patch, CVE-2015-2301.patch,
          CVE-2015-2305.patch, CVE-2015-2331.patch, CVE-2015-2348.patch,
          CVE-2015-2787.patch, CVE-2015-2783.patch, bug69218.patch,
          bug69441.patch.
      * SECURITY UPDATE: more missing file path null byte checks
        - debian/patches/CVE-2015-4598.patch: add missing checks to
          ext/dom/document.c, ext/gd/gd.c, fix test in
          ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt.
        - CVE-2015-4598
      * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
        a LIST command
        - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
          ext/ftp/ftp.c.
        - CVE-2015-4643
      * SECURITY UPDATE: denial of service via php_pgsql_meta_data
        - debian/patches/CVE-2015-4644.patch: check return value in
          ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
        - CVE-2015-4644
    
    php5 (5.6.9+dfsg-1) unstable; urgency=medium
    
      * New upstream version 5.6.9+dfsg
       - Core:
        . Fixed bug #69467 (Wrong checked for the interface by using Trait).
        . Fixed bug #69420 (Invalid read in zend_std_get_method).
        . Fixed bug #60022 ("use statement [...] has no effect" depends on
          leading backslash).
        . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
        . Fixed bug #68652 (segmentation fault in destructor).
        . Fixed bug #69419 (Returning compatible sub generator produces a
          warning).
        . Fixed bug #69472 (php_sys_readlink ignores misc errors from
          GetFinalPathNameByHandleA).
        . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability).
        . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
        . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+).
        . Fixed bug #69522 (heap buffer overflow in unpack()).
       - FTP:
        . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in
          heap overflow).
       - ODBC:
        . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
        . Fixed bug #69474 (ODBC: Query with same field name from two tables
          returns incorrect result).
        . Fixed bug #69381 (out of memory with sage odbc driver).
       - OpenSSL:
        . Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
       - PCNTL:
        . Fixed bug #68598 (pcntl_exec() should not allow null char).
       - PCRE:
        . Upgraded pcrelib to 8.37.
       - Phar:
        . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry
          filename starts with null).
      * Rebased patches on top of 5.6.9+dfsg version
    
    php5 (5.6.8+dfsg-1) unstable; urgency=medium
    
      * New upstream version 5.6.8+dfsg
       - Core:
         . Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
           (Dmitry, Laruence)
         . Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8
           characters). (Tjerk)
         . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
         . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
           configuration options). (Anatol Belski)
         . Additional fix for bug #69152 (Type confusion vulnerability in
           exception::getTraceAsString). (Stas)
         . Fixed bug #69210 (serialize function return corrupted data when sleep has
           non-string values). (Juan Basso)
         . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in
           __call/... arg passing). (Nikita)
         . Fixed bug #69221 (Segmentation fault when using a generator in combination
           with an Iterator). (Nikita)
         . Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion
           vulnerability). (Stas)
         . Fixed bug #69353 (Missing null byte checks for paths in various PHP
           extensions). (Stas)
       - Apache2handler:
         . Fixed bug #69218 (potential remote code execution with apache 2.4
           apache2handler). (Gerrit Venema)
       - cURL:
         . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)
         . Fixed bug #68739 (Missing break / control flow). (Laruence)
         . Fixed bug #69316 (Use-after-free in php_curl related to
           CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)
       - Date:
         . Fixed bug #69336 (Issues with "last day of <monthname>"). (Derick Rethans)
       - Enchant:
         . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows
           builds). (Anatol)
       - Ereg:
         . Fixed bug #68740 (NULL Pointer Dereference). (Laruence)
       - Fileinfo:
         . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or
           segfault). (Anatol Belski)
       - Filter:
         . Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other
           flags are used). (Jeff Welch)
         . Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff
           Welch)
       - OPCache:
         . Fixed bug #69297 (function_exists strange behavior with OPCache on
           disabled function). (Laruence)
         . Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)
         . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)
       - OpenSSL:
         . Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling
           in stream_select() contexts) (Chris Wright)
         . Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly)
           (Daniel Lowrey)
         . Fixed bug #69215 (Crypto servers should send client CA list)
           (Daniel Lowrey)
         . Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
       - Phar:
         . Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
           (Mike)
         . Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
         . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
         . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing
           ".tar"). (Mike)
         . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)
         . Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in
           phar_set_inode). (Stas)
       - Postgres:
         . Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)
       - SPL:
         . Fixed bug #69227 (Use after free in zval_scan caused by
           spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
       - SOAP:
         . Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader
           (bisected, regression)). (Laruence)
       - Sqlite3:
         . Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
           (Dan Ackroyd)
         . Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)
         . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
      * Update d/gbp.conf to new config style
      * Update patches for 5.6.8 release
      * Switch to gbp pq patch management
    
    php5 (5.6.7+dfsg-1) unstable; urgency=medium
    
      * New upstream version 5.6.7+dfsg
       - Core:
        . Fixed bug #69174 (leaks when unused inner class use traits
          precedence).
        . Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
        . Fixed bug #69121 (Segfault in get_current_user when script owner is
          not in passwd with ZTS build).
        . Fixed bug #65593 (Segfault when calling ob_start from output
          buffering callback).
        . Fixed bug #68986 (pointer returned by
          php_stream_fopen_temporary_file not validated in memory.c).
        . Fixed bug #68166 (Exception with invalid character causes segv).
        . Fixed bug #69141 (Missing arguments in reflection info for some
          builtin functions).
        . Fixed bug #68976 (Use After Free Vulnerability in unserialize())
          (CVE-2015-0231).
        . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
          configuration options).
        . Fixed bug #69207 (move_uploaded_file allows nulls in path).
       - CGI:
        . Fixed bug #69015 (php-cgi's getopt does not see $argv).
       - CLI:
        . Fixed bug #67741 (auto_prepend_file messes up __LINE__).
       - cURL:
        . Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL
          on Win32).
        . Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if
          supported by libcurl.
       - Ereg:
        . Fixed bug #69248 (heap overflow vulnerability in regcomp.c)
          (CVE-2015-2305).
       - FPM:
        . Fixed bug #68822 (request time is reset too early).
       - ODBC:
        . Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
       - Opcache:
        . Fixed bug #69159 (Opcache causes problem when passing a variable
          variable to a function).
        . Fixed bug #69125 (Array numeric string as key).
        . Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
       - OpenSSL:
        . Fixed bug #68912 (Segmentation fault at openssl_spki_new).
        . Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't
          observe socket timeouts).
        . Fixed bug #68920 (use strict peer_fingerprint input checks).
        . Fixed bug #68879 (IP Address fields in subjectAltNames not used).
        . Fixed bug #68265 (SAN match fails with trailing DNS dot).
        . Fixed bug #67403 (Add signatureType to openssl_x509_parse).
        . Fixed bug #69195 (Inconsistent stream crypto values across versions).
       - pgsql:
        . Fixed bug #68638 (pg_update() fails to store infinite values).
       - Readline:
        . Fixed bug #69054 (Null dereference in
          readline_(read|write)_history() without parameters).
       - SOAP:
        . Fixed bug #69085 (SoapClient's __call() type confusion through
          unserialize()).
       - SPL:
        . Fixed bug #69108 ("Segmentation fault" when (de)serializing
          SplObjectStorage).
        . Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after
          calling getChildren()).
       - ZIP:
        . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
          boundary) (CVE-2015-2331).
      * Refresh patches for 5.6.7 release
      * Pull a patch to fix SQL_DESC_OCTET_LENGTH not supported by ADS ODBC
        driver (PHP#68350) from Debian wheezy PHP 5.4 branch
      * Fix PHP segfault in zend_hash_find (PHP#68486)
      * Move PEAR-Builder-print-info-about-php5-dev.patch to debian/ as it's
        not a quilt patch
    
    php5 (5.6.6+dfsg-2) unstable; urgency=medium
    
      * Fix use after free in 'opcache' component of PHP (CVE-2015-1351)
      * Fix NULL Pointer Dereference in pgsql (CVE-2015-1352) (Closes: #777033)
    
    php5 (5.6.6+dfsg-1) unstable; urgency=medium
    
      * New upstream version 5.6.6+dfsg
      * Pull patch from DragonFly BSD Project to limit the pattern space to
        avoid a 32-bit overflow in Henry Spencer regular expressions (regex)
        library (Closes: #778389)
      * Update patches for 5.6.6 release
    
    php5 (5.6.5+dfsg-2) unstable; urgency=high
    
      * Add patch to revert upstream commit on feof that broke Horde and
        others (Courtesy of Mike Gabriel) (Closes: #778374)
    
    php5 (5.6.5+dfsg-1) unstable; urgency=medium
    
      * New upstream version 5.6.5+dfsg
      * Security vulnerabilities fixed:
       + Core:
        - Fixed bug #68710 (Use After Free Vulnerability in PHP's
          unserialize()). (CVE-2015-0231)
       + CGI:
        - Fixed bug #68618 (out of bounds read crashes
          php-cgi). (CVE-2014-9427)
       + EXIF:
        - Fixed bug #68799: Free called on uninitialized
          pointer. (CVE-2015-0232)
      * Update patches for 5.6.5 release
    
     -- Marc Deslauriers <email address hidden>  Mon, 06 Jul 2015 09:05:05 -0400
  • php5 (5.6.4+dfsg-4ubuntu6) vivid; urgency=medium
    
      * SECURITY UPDATE: potential remote code execution vulnerability when
        used with the Apache 2.4 apache2handler
        - debian/patches/bug69218.patch: perform proper cleanup in
          sapi/apache2handler/sapi_apache2.c.
        - CVE number pending
      * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
        - debian/patches/bug69441.patch: check lengths in
          ext/phar/phar_internal.h.
        - CVE number pending
      * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
        - debian/patches/CVE-2015-2783.patch: properly check lengths in
          ext/phar/phar.c, ext/phar/phar_internal.h.
        - CVE-2015-2783
    
     -- Marc Deslauriers <email address hidden>  Fri, 17 Apr 2015 05:15:49 -0400