From: Pierre Joye Date: Wed, 8 Jun 2016 04:07:32 +0000 (+0700) Subject: Merge branch 'PHP-5.6' into PHP-7.0 X-Git-Tag: php-7.1.0alpha2~45^2~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4d81bf937fbdb121d52ecaba7499db1a3afdf985;p=php Merge branch 'PHP-5.6' into PHP-7.0 * PHP-5.6: prevent invalid color index (palette only), may lead to crash Add CVE to #66387 add missing NEWS entry --- 4d81bf937fbdb121d52ecaba7499db1a3afdf985 diff --cc NEWS index 48cb9167ff,8686b862f8..a94f4955dc --- a/NEWS +++ b/NEWS @@@ -1,81 -1,22 +1,84 @@@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2016, PHP 5.6.23 +?? ??? 2016 PHP 7.0.9 + + + +23 Jun 2016 PHP 7.0.8 + +- Core: + . Fixed bug #72221 (segfault, past-the-end access). (Lauri Kenttä) + . Fixed bug #72218 (If host name cannot be resolved then PHP 7 crashes). + (Esminis at esminis dot lt) + +- FPM: + . Fixed bug #72308 (fastcgi_finish_request and logging environment + variables). (Laruence) + - GD: + . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre) + - Intl: - . Fixed bug #70484 (selectordinal doesn't work with named parameters). + . Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol) + +- PCRE: + . Fixed bug #72143 (preg_replace uses int instead of size_t). (Joe) + +- PDO_pgsql: + . Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound). + (Laruence) + . Fixed bug #72294 (Segmentation fault/invalid pointer in connection + with pgsql_stmt_dtor). (Anatol) + +- Phpdbg: + . Fixed bug #72284 (phpdbg fatal errors with coverage). (Bob) + +- Postgres: + . Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free). (Laruence) + . Fixed bug #72197 (pg_lo_create arbitrary read). (Anatol) + +- Standard: + . Fixed bug #72300 (ignore_user_abort(false) has no effect). (Laruence) + . Fixed bug #72229 (Wrong reference when serialize/unserialize an object). + (Laruence) + . 
Fixed bug #72193 (dns_get_record returns array containing elements of + type 'unknown'). (Laruence) + . Fixed bug #72017 (range() with float step produces unexpected result). + (Thomas Punt) + +- XML: + . Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe) + +- XMLRPC: + . Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type). + (Joe, Laruence) + +- Zip: + . Fixed ug #72258 (ZipArchive converts filenames to unrecoverable form). (Anatol) -26 May 2016, PHP 5.6.22 +26 May 2016 PHP 7.0.7 - Core: - . Fixed bug #72172 (zend_hex_strtod should not use strlen). - (bwitz at hotmail dot com ) - . Fixed bug #72114 (Integer underflow / arbitrary null write in - fread/gzread). (Stas) - . Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas) + . Fixed bug #72162 (use-after-free - error_reporting). (Laruence) + . Add compiler option to disable special case function calls. (Joe) + . Fixed bug #72101 (crash on complex code). (Dmitry) + . Fixed bug #72100 (implode() inserts garbage into resulting string when + joins very big integer). (Mikhail Galanin) + . Fixed bug #72057 (PHP Hangs when using custom error handler and typehint). + (Nikita Nefedov) + . Fixed bug #72038 (Function calls with values to a by-ref parameter don't + always throw a notice). (Bob) + . Fixed bug #71737 (Memory leak in closure with parameter named $this). + (Nikita) + . Fixed bug #72059 (?? is not allowed on constant expressions). (Bob, Marcio) + . Fixed bug #72159 (Imported Class Overrides Local Class Name). (Nikita) + +- Curl: + . Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick) + +- DBA: + . Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence) - GD: . Fixed bug #72227 (imagescale out-of-bounds read). (Stas) @@@ -985,27 -413,74 +988,28 @@@ . Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes). (Stas) -- GMP: - . Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP). 
- (stas) - -- hash: - . Fixed bug #70312 (HAVAL gives wrong hashes in specific cases). (letsgolee - at naver dot com) - -- MCrypt: - . Fixed bug #69833 (mcrypt fd caching not working). (Anatol) - -- Opcache: - . Fixed bug #70237 (Empty while and do-while segmentation fault with opcode - on CLI enabled). (Dmitry, Laruence) - -- PCRE: - . Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string - match). (cmb) - . Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions). - (Anatol Belski) - -- SOAP: - . Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). - (CVE-2015-6836) (Stas) - -- SPL: - . Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via - ob_start). (hugh at allthethings dot co dot nz) - . Fixed bug #70303 (Incorrect constructor reflection for ArrayObject). (cmb) - . Fixed bug #70365 (Use-after-free vulnerability in unserialize() with - SplObjectStorage). (CVE-2015-6834) (taoguangchen at icloud dot com) - . Fixed bug #70366 (Use-after-free vulnerability in unserialize() with - SplDoublyLinkedList). (CVE-2015-6834) (taoguangchen at icloud dot com) - -- Standard: - . Fixed bug #70052 (getimagesize() fails for very large and very small WBMP). - (cmb) - . Fixed bug #70157 (parse_ini_string() segmentation fault with - INI_SCANNER_TYPED). (Tjerk) - -- XSLT: - . Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838) - (Stas) +- Fileinfo: + . Fixed bug #66242 (libmagic: don't assume char is signed). (ArdB) -- ZIP: - . Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when - creating directories). (CVE-2014-9767) (neal at fb dot com) +- Filter: + . New FILTER_VALIDATE_DOMAIN and better RFC conformance for FILTER_VALIDATE_URL. (Kevin Dunglas) -06 Aug 2015, PHP 5.6.12 +- FPM: + . Fixed bug #70538 ("php-fpm -i" crashes). (rainer dot jung at + kippdata dot de) + . Fixed bug #70279 (HTTP Authorization Header is sometimes passed to newer + reqeusts). (Laruence) + . 
Fixed bug #68945 (Unknown admin values segfault pools). (Laruence) + . Fixed bug #65933 (Cannot specify config lines longer than 1024 bytes). (Chris Wright) + . Implemented FR #67106 (Split main fpm config). (Elan Ruusamäe, Remi) -- Core: - . Fixed bug #70012 (Exception lost with nested finally block). (Laruence) - . Fixed bug #70002 (TS issues with temporary dir handling). (Anatol) - . Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive - method calls). (Stas) - . Fixed bug #69892 (Different arrays compare indentical due to integer key - truncation). (Nikita) - . Fixed bug #70121 (unserialize() could lead to unexpected methods execution - / NULL pointer deref). (Stas) +- FTP: + . Fixed bug #69082 (FTPS support on Windows). (Anatol) -- CLI server: - . Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL). (cmb) - . Fixed bug #64878 (304 responses return Content-Type header). (cmb) - - GD: . Fixed bug #53156 (imagerectangle problem with point ordering). (cmb) - . Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb) + . Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874) + (cmb) . Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb) . Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb) . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb)
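Review bot: In the first hunk (@@@ -1,81 -1,22 +1,84 @@@), the Zip entry in the 7.0.8 section reads "Fixed ug #72258"; it should read "Fixed bug #72258", otherwise a search of NEWS for "bug #72258" misses the entry. In the same hunk, the new GD entry for #72337 omits the period between the description and the author that the neighbouring entries carry; suggest "(invalid dimensions can lead to crash). (Pierre)".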
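Review bot: In the second hunk (@@@ -985,27 -413,74 +988,28 @@@), the FPM entry for #70279 misspells "requests" as "reqeusts" ("sometimes passed to newer reqeusts"). The entry describes an Authorization header reaching other requests, so it is one that readers are likely to search for, and the spelling should be fixed. The CVE-2015-8874 tag added to #66387 follows the same "description). (CVE) (author)" order as the CVE-tagged entries on the removed 5.6 side, so that line needs no change.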