granicus.if.org Git - php/log
Christoph M. Becker [Fri, 16 Aug 2019 12:29:19 +0000 (14:29 +0200)]
Fix #75457: heap-use-after-free in php7.0.25
Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.
Stanislav Malyshev [Sun, 25 Aug 2019 06:11:45 +0000 (23:11 -0700)]
Fix CVE-2019-13224: don't allow different encodings for onig_new_deluxe()
Backport from https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
Joe Watkins [Wed, 31 Jul 2019 06:21:39 +0000 (08:21 +0200)]
set version for release
Christoph M. Becker [Mon, 29 Jul 2019 14:08:03 +0000 (16:08 +0200)]
Fix #77919: Potential UAF in Phar RSHUTDOWN
We have to properly clean up in case phar_flush() is failing.
We also make the expectation of the respective test case less liberal
to avoid missing such bugs in the future.
Stanislav Malyshev [Mon, 29 Jul 2019 07:55:18 +0000 (00:55 -0700)]
Update NEWS
Stanislav Malyshev [Mon, 8 Jul 2019 00:39:59 +0000 (17:39 -0700)]
Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
Stanislav Malyshev [Mon, 8 Jul 2019 00:01:01 +0000 (17:01 -0700)]
Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
Christoph M. Becker [Fri, 21 Jun 2019 13:48:50 +0000 (15:48 +0200)]
Upgrade to SQLite 3.28.0
Over the years, multiple security vulnerabilities[1] have been found
and fixed in SQLite3, so it makes sense to update our bundled libsqlite
to the latest available version.
[1] <https://www.cvedetails.com/vulnerability-list/vendor_id-9237/Sqlite.html>
Joe Watkins [Tue, 28 May 2019 07:52:52 +0000 (09:52 +0200)]
bump version after release
Stanislav Malyshev [Tue, 28 May 2019 01:04:00 +0000 (18:04 -0700)]
Fix bug #77967 - Bypassing open_basedir restrictions via file uris
Stanislav Malyshev [Tue, 28 May 2019 00:16:29 +0000 (17:16 -0700)]
Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
Stanislav Malyshev [Mon, 27 May 2019 23:48:32 +0000 (16:48 -0700)]
Update NEWS
Stanislav Malyshev [Mon, 27 May 2019 23:32:42 +0000 (16:32 -0700)]
Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
Christoph M. Becker [Mon, 6 May 2019 08:18:51 +0000 (10:18 +0200)]
Fix #77973: Uninitialized read in gdImageCreateFromXbm
We have to ensure that `sscanf()` does indeed read a hex value here,
and bail out otherwise.
Stanislav Malyshev [Tue, 30 Apr 2019 06:38:12 +0000 (23:38 -0700)]
Fix bug #77950 - Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG
I do not completely understand what is going on there, but I am pretty
sure dir_entry <= offset_base is not a normal situation, so we better not
rely on such dir_entry.
Christoph M. Becker [Fri, 29 Mar 2019 10:12:09 +0000 (11:12 +0100)]
Fix #77821: Potential heap corruption in TSendMail()
`zend_string_tolower()` returns a copy (not a duplicate) of the given
string, if it is already in lower case. In this case we must not
`zend_string_free()` both strings. The cleanest solution is to call
`zend_string_release()` on both strings, which properly handles the
refcount.
Stanislav Malyshev [Sun, 7 Apr 2019 01:15:42 +0000 (18:15 -0700)]
Always use ZEND_SECURE_ZERO() when cleaning up data
Optimizing compilers have an annoying tendency to throw out
memsets over data that they think aren't used anymore. Apply secure
zero-out in cases where this has potential to happen.
Joe Watkins [Tue, 2 Apr 2019 14:50:20 +0000 (16:50 +0200)]
bump versions after release
Remi Collet [Tue, 2 Apr 2019 09:03:40 +0000 (11:03 +0200)]
fix paste issue
Christoph M. Becker [Tue, 2 Apr 2019 08:37:40 +0000 (10:37 +0200)]
Pointer arithmetic on void pointers is illegal
We quick-fix this by casting to char*; it might be more appropriate to
use char pointers in the first place.
Stanislav Malyshev [Tue, 2 Apr 2019 07:12:26 +0000 (00:12 -0700)]
Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value in EXIF
Stanislav Malyshev [Mon, 1 Apr 2019 06:11:15 +0000 (23:11 -0700)]
Update NEWS
Stanislav Malyshev [Mon, 18 Mar 2019 05:54:46 +0000 (22:54 -0700)]
Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
Nikita Popov [Mon, 11 Feb 2019 11:31:59 +0000 (12:31 +0100)]
Validate subject encoding in mb_split and mb_ereg_match
We were already validating the subject encoding in most functions,
but not these two.
Nikita Popov [Mon, 11 Feb 2019 11:10:40 +0000 (12:10 +0100)]
Validate pattern against mbregex encoding
Oniguruma does not consistently perform this validation itself (at least
on older versions), so make sure we check pattern encoding validity on the
PHP side.
bohwaz [Sun, 16 Dec 2018 21:52:37 +0000 (22:52 +0100)]
SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a mitigation strategy against potential security flaws
Anatol Belski [Thu, 28 Feb 2019 11:48:47 +0000 (12:48 +0100)]
Sync with behavior change in OpenSSL 1.1.1b
A behavior change is revealed by some openssl_decrypt() based test,
where an encrypt API is used with a decrypt context. The EVP_Cipher*
functions will automatically choose the right operation depending on the
context passed.
(cherry picked from commit 19a44ffb7be91344550fa700830b8e62a73031ba)
Joe Watkins [Tue, 5 Mar 2019 19:50:07 +0000 (20:50 +0100)]
fix news
Joe Watkins [Tue, 5 Mar 2019 17:28:47 +0000 (18:28 +0100)]
bump versions after release
Stanislav Malyshev [Sun, 3 Mar 2019 07:42:53 +0000 (23:42 -0800)]
Fix bug #77630 - safer rename() procedure
In order to rename safer, we do the following:
- set umask to 077 (unfortunately, not TS, so excluding ZTS)
- chown() first, to set proper group before allowing group access
- chmod() after, even if chown() fails
Stanislav Malyshev [Mon, 4 Mar 2019 06:33:38 +0000 (22:33 -0800)]
Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow
Stanislav Malyshev [Mon, 4 Mar 2019 04:10:12 +0000 (20:10 -0800)]
Update NEWS
Stanislav Malyshev [Mon, 4 Mar 2019 03:30:14 +0000 (19:30 -0800)]
Fix test error message
Stanislav Malyshev [Sat, 2 Mar 2019 23:07:40 +0000 (15:07 -0800)]
Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE
Also fix for bug #77659
Stanislav Malyshev [Sat, 2 Mar 2019 21:38:00 +0000 (13:38 -0800)]
Fix bug #77540 - Invalid Read on exif_process_SOFn
Stanislav Malyshev [Sat, 2 Mar 2019 07:25:45 +0000 (23:25 -0800)]
Fix integer overflows on 32-bits
Christoph M. Becker [Wed, 9 Jan 2019 13:26:18 +0000 (14:26 +0100)]
Fix #77431 SplFileInfo::__construct() accepts NUL bytes
`SplFileInfo::__construct()` has to expect a path instead of a string,
analogous to `SplFileObject::__construct()`.
Stanislav Malyshev [Mon, 4 Mar 2019 02:22:32 +0000 (18:22 -0800)]
Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename
Derick Rethans [Wed, 6 Feb 2019 10:39:55 +0000 (10:39 +0000)]
Use pkg-config for ICU, as the old icu-config has been deprecated
Sara Golemon [Tue, 8 Jan 2019 19:17:43 +0000 (14:17 -0500)]
Bump for 7.1.27
Stanislav Malyshev [Mon, 7 Jan 2019 09:03:04 +0000 (01:03 -0800)]
Still leaking for some reason, XFAIL for now, I'll look into it later.
Stanislav Malyshev [Mon, 7 Jan 2019 07:32:36 +0000 (23:32 -0800)]
Merge branch 'PHP-5.6' into PHP-7.1
* PHP-5.6:
Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
[ci skip] Add NEWS
Fix more issues with encoding length
Fix #77270: imagecolormatch Out Of Bounds Write on Heap
Fix bug #77380 (Global out of bounds read in xmlrpc base64 code)
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
Fix #77269: Potential unsigned underflow in gdImageScale
Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
Regenerate certs for openssl tests
Stanislav Malyshev [Mon, 7 Jan 2019 07:31:15 +0000 (23:31 -0800)]
Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
Stanislav Malyshev [Sun, 6 Jan 2019 21:04:51 +0000 (13:04 -0800)]
Add NEWS
Stanislav Malyshev [Sun, 6 Jan 2019 21:03:38 +0000 (13:03 -0800)]
[ci skip] Add NEWS
Stanislav Malyshev [Sun, 6 Jan 2019 20:30:44 +0000 (12:30 -0800)]
Fix test
Stanislav Malyshev [Sun, 30 Dec 2018 04:39:08 +0000 (20:39 -0800)]
Fix #77369 - memcpy with negative length via crafted DNS response
Stanislav Malyshev [Wed, 2 Jan 2019 08:36:30 +0000 (00:36 -0800)]
Fix more issues with encoding length
Should fix bug #77381, bug #77382, bug #77385, bug #77394.
Christoph M. Becker [Sun, 30 Dec 2018 12:59:26 +0000 (13:59 +0100)]
Fix #77270: imagecolormatch Out Of Bounds Write on Heap
At least some of the image reading functions may return images which
use color indexes greater than or equal to im->colorsTotal. We cater
to this by always using a buffer size which is sufficient for
`gdMaxColors` in `gdImageColorMatch()`.
Stanislav Malyshev [Wed, 2 Jan 2019 01:15:20 +0000 (17:15 -0800)]
Fix bug #77380 (Global out of bounds read in xmlrpc base64 code)
Stanislav Malyshev [Sun, 30 Dec 2018 04:06:08 +0000 (20:06 -0800)]
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
Stanislav Malyshev [Sun, 30 Dec 2018 03:51:24 +0000 (19:51 -0800)]
Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
Christoph M. Becker [Wed, 12 Dec 2018 15:00:59 +0000 (16:00 +0100)]
Fix #77269: Potential unsigned underflow in gdImageScale
Belatedly, we're porting the respective upstream patch[1].
[1] <https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35>
Stanislav Malyshev [Sun, 30 Dec 2018 02:25:37 +0000 (18:25 -0800)]
Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
Stanislav Malyshev [Sun, 30 Dec 2018 01:56:36 +0000 (17:56 -0800)]
Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
Alexander Kurilo [Mon, 31 Dec 2018 09:19:36 +0000 (12:19 +0300)]
Regenerate certs for openssl tests
Stanislav Malyshev [Wed, 2 Jan 2019 08:36:30 +0000 (00:36 -0800)]
Fix more issues with encoding length
Should fix bug #77381, bug #77382, bug #77385, bug #77394.
Christoph M. Becker [Sun, 30 Dec 2018 12:59:26 +0000 (13:59 +0100)]
Fix #77270: imagecolormatch Out Of Bounds Write on Heap
At least some of the image reading functions may return images which
use color indexes greater than or equal to im->colorsTotal. We cater
to this by always using a buffer size which is sufficient for
`gdMaxColors` in `gdImageColorMatch()`.
Stanislav Malyshev [Wed, 2 Jan 2019 01:15:20 +0000 (17:15 -0800)]
Fix bug #77380 (Global out of bounds read in xmlrpc base64 code)
Stanislav Malyshev [Sun, 30 Dec 2018 04:06:08 +0000 (20:06 -0800)]
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
Stanislav Malyshev [Sun, 30 Dec 2018 03:51:24 +0000 (19:51 -0800)]
Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
Christoph M. Becker [Wed, 12 Dec 2018 15:00:59 +0000 (16:00 +0100)]
Fix #77269: Potential unsigned underflow in gdImageScale
Belatedly, we're porting the respective upstream patch[1].
[1] <https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35>
Stanislav Malyshev [Sun, 30 Dec 2018 02:25:37 +0000 (18:25 -0800)]
Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
Stanislav Malyshev [Sun, 30 Dec 2018 01:56:36 +0000 (17:56 -0800)]
Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
Alexander Kurilo [Mon, 31 Dec 2018 09:19:36 +0000 (12:19 +0300)]
Regenerate certs for openssl tests
Remi Collet [Sat, 8 Dec 2018 09:24:36 +0000 (10:24 +0100)]
add imap.enable_insecure_rsh in php.ini
Remi Collet [Sat, 8 Dec 2018 09:06:19 +0000 (10:06 +0100)]
missing entry for #77020
Ferenc Kovacs [Wed, 5 Dec 2018 08:30:20 +0000 (09:30 +0100)]
Merge branch 'PHP-7.0' into PHP-7.1
Ferenc Kovacs [Wed, 5 Dec 2018 08:25:53 +0000 (09:25 +0100)]
Merge branch 'PHP-5.6' into PHP-7.0
Ferenc Kovacs [Wed, 5 Dec 2018 08:13:30 +0000 (09:13 +0100)]
5.6.40 will be next. probably not
Anatol Belski [Tue, 4 Dec 2018 11:49:42 +0000 (12:49 +0100)]
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Sync NEWS [ci skip]
Anatol Belski [Tue, 4 Dec 2018 11:49:10 +0000 (12:49 +0100)]
Sync NEWS [ci skip]
Stanislav Malyshev [Mon, 3 Dec 2018 18:19:57 +0000 (10:19 -0800)]
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fix null pointer deref in qprint-encode filter (bug #77231)
Stanislav Malyshev [Mon, 3 Dec 2018 18:19:49 +0000 (10:19 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix null pointer deref in qprint-encode filter (bug #77231)
Stanislav Malyshev [Mon, 3 Dec 2018 10:12:11 +0000 (02:12 -0800)]
Fix null pointer deref in qprint-encode filter (bug #77231)
Stanislav Malyshev [Mon, 3 Dec 2018 08:42:45 +0000 (00:42 -0800)]
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fix bug #77143 - add more checks to buffer reads
Fix bug #77143 - add more checks to buffer reads
Fix #77020: null pointer dereference in imap_mail
Stanislav Malyshev [Mon, 3 Dec 2018 08:42:35 +0000 (00:42 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix bug #77143 - add more checks to buffer reads
Stanislav Malyshev [Mon, 12 Nov 2018 22:02:26 +0000 (14:02 -0800)]
Fix bug #77143 - add more checks to buffer reads
Stanislav Malyshev [Mon, 3 Dec 2018 08:39:03 +0000 (00:39 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix bug #77143 - add more checks to buffer reads
Fix #77020: null pointer dereference in imap_mail
Stanislav Malyshev [Mon, 12 Nov 2018 22:02:26 +0000 (14:02 -0800)]
Fix bug #77143 - add more checks to buffer reads
Stanislav Malyshev [Sun, 11 Nov 2018 18:04:01 +0000 (10:04 -0800)]
Fix #77020: null pointer dereference in imap_mail
If an empty $message is passed to imap_mail(), we must not set message
to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
(opposed to pointers to NUL).
Philip Prindeville [Sun, 8 Jul 2018 16:55:54 +0000 (10:55 -0600)]
Don't need interactive progress on git clones in Travis
Travis logs are usually inspected after the build completes, by which time
progress info is useless.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Stanislav Malyshev [Sun, 2 Dec 2018 21:38:59 +0000 (13:38 -0800)]
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fix TSRM signature - php_stream_stat macro has its own TSRM
Regenerate certificates for openssl tests
Improve test for bug77022
Stanislav Malyshev [Sun, 2 Dec 2018 21:18:07 +0000 (13:18 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix TSRM signature - php_stream_stat macro has its own TSRM
Regenerate certificates for openssl tests
Improve test for bug77022
Stanislav Malyshev [Sun, 2 Dec 2018 20:54:19 +0000 (12:54 -0800)]
Fix TSRM signature - php_stream_stat macro has its own TSRM
Alexander Kurilo [Sun, 2 Dec 2018 07:53:45 +0000 (10:53 +0300)]
Regenerate certificates for openssl tests
Stanislav Malyshev [Sun, 2 Dec 2018 20:06:13 +0000 (12:06 -0800)]
Improve test for bug77022
Stanislav Malyshev [Sun, 2 Dec 2018 05:48:35 +0000 (21:48 -0800)]
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Stanislav Malyshev [Sun, 2 Dec 2018 05:07:05 +0000 (21:07 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix bug #77022 - use file mode or umask for new files
Stanislav Malyshev [Sun, 2 Dec 2018 05:47:37 +0000 (21:47 -0800)]
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fix bug #77022 - use file mode or umask for new files
Stanislav Malyshev [Sun, 2 Dec 2018 05:07:05 +0000 (21:07 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix bug #77022 - use file mode or umask for new files
Stanislav Malyshev [Sun, 2 Dec 2018 05:04:56 +0000 (21:04 -0800)]
Fix bug #77022 - use file mode or umask for new files
Stanislav Malyshev [Wed, 28 Nov 2018 23:46:53 +0000 (15:46 -0800)]
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Add DISPLAY_INI_ENTRIES for imap
Disable rsh/ssh functionality in imap by default (bug #77153)
Disable rsh/ssh functionality in imap by default (bug #77153)
Stanislav Malyshev [Wed, 28 Nov 2018 23:46:39 +0000 (15:46 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Add DISPLAY_INI_ENTRIES for imap
Stanislav Malyshev [Wed, 28 Nov 2018 23:45:51 +0000 (15:45 -0800)]
Add DISPLAY_INI_ENTRIES for imap
Sara Golemon [Wed, 21 Nov 2018 19:37:37 +0000 (14:37 -0500)]
Prep for 7.1.26
Valentin V. Bartenev [Tue, 20 Nov 2018 15:48:06 +0000 (18:48 +0300)]
Fix bug #71041 dynamic embed SAPI load error
If the library is built with ZEND_SIGNALS defined, it's unusable with an
external SAPI module because the zend_signal_startup() call is mandatory
in this case.
This bug is similar to #74149, but related to dynamic loading of PHP library.
Stanislav Malyshev [Mon, 19 Nov 2018 01:10:43 +0000 (17:10 -0800)]
Disable rsh/ssh functionality in imap by default (bug #77153)
Stanislav Malyshev [Tue, 20 Nov 2018 19:14:18 +0000 (11:14 -0800)]
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Disable rsh/ssh functionality in imap by default (bug #77153)
Stanislav Malyshev [Mon, 19 Nov 2018 01:10:43 +0000 (17:10 -0800)]
Disable rsh/ssh functionality in imap by default (bug #77153)