soko1 / php52-backports Goto Github PK

bin/sh /root/DEBS/PHP-FPM/5.2.17/php-5.2.17/libtool --silent 
--preserve-dup-deps --mode=compile gcc  -Iext/libxml/ 
-I/root/DEBS/PHP-FPM/5.2.17
/php-5.2.17/ext/libxml/ -DPHP_ATOM_INC 
-I/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/include 
-I/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/main -I/root/DEBS/
PHP-FPM/5.2.17/php-5.2.17 -I/usr/include/libxml2 
-I/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/ext/date/lib -I/usr/include/freetype2 
-I/root/DEBS/PHP-
FPM/5.2.17/php-5.2.17/ext/mbstring/oniguruma 
-I/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/ext/mbstring/libmbfl 
-I/root/DEBS/PHP-FPM/5.2.17/php-5.2.17
/ext/mbstring/libmbfl/mbfl -I/usr/include/mysql 
-I/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/TSRM 
-I/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/Zend    -I/u
sr/include -g -O2  -c /root/DEBS/PHP-FPM/5.2.17/php-5.2.17/ext/libxml/libxml.c 
-o ext/libxml/libxml.lo 
/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/ext/libxml/libxml.c: In function 
‘_php_libxml_destroy_fci’:
/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/ext/libxml/libxml.c:279:4: warning: 
passing argument 1 of ‘_zval_ptr_dtor’ from incompatible pointer type 
[enabled by default]
In file included from /root/DEBS/PHP-FPM/5.2.17/php-5.2.17/Zend/zend.h:682:0,
                 from /root/DEBS/PHP-FPM/5.2.17/php-5.2.17/main/php.h:34,
                 from /root/DEBS/PHP-FPM/5.2.17/php-5.2.17/ext/libxml/libxml.c:28:
/root/DEBS/PHP-FPM/5.2.17/php-5.2.17/Zend/zend_variables.h:50:15: note: 
expected ‘struct zval **’ but argument is of type ‘struct zval ***’

In libxml.c:
static void _php_libxml_destroy_fci(zend_fcall_info *fci)
{
        if (fci->size > 0) {
                zval_ptr_dtor(&fci->function_name);
                if (fci->object_pp != NULL) {
                        zval_ptr_dtor(&fci->object_pp);
                                     ^^^^^^^^^^^^^^^^^
Shouldn't it be:
                        zval_ptor_dtor(fci->object_pp); ?


                }
                fci->size = 0;
        }
}

What steps will reproduce the problem?
1. If using r39 or r40 patch,
2. Attached script files to execute (upload fails but that is just a general 
error); 
3. Removed r39, but applied r41 and r41 changes separately and script works 
fine.

What is the expected output? Upload file, insert data into database after 
parsing. What do you see instead?
"Error uploading file /home/<user>/<script root>"

What version of the product are you using? On what operating system?
Linux 2.6.17.13 (Slackware 11), Apache 2.2 / PHP via DSO, compiled from source 
pulled via svn.

Attached is the script in question that we have noticed the issue.

php.ini error output was turned to max but it didn't echo out PHP specific 
errors so not sure exactly what it the issue is.

Dear Sirs:

We have downloeaded 20120721 security branch, and after using the same 
configuration:

./configure  --program-suffix=5 --with-pear=/usr/lib/php5 
--with-config-file-path=/usr/lib/php5 --with-libxml-dir --with-mysqli 
--with-kerberos --with-imap-ssl --enable-soap --with-xsl --enable-mbstring=all 
--with-curl --with-mcrypt --with-gd --with-pdo-mysql --with-freetype-dir 
--with-libxml-dir --with-mysql --with-zlib --enable-debug=no 
--enable-safe-mode=no --enable-discard-path=no --with-png-dir --with-gdbm 
--enable-force-cgi-redirect --with-ttf --enable-ftp --enable-dbase 
--enable-calendar --enable-wddx --enable-bcmath --enable-shmop --with-openssl 
--with-imap --with-iconv --with-bz2 --with-gettext --enable-exif --with-sqlite 
--enable-sqlite-utf8 --enable-zip --with-tidy --enable-gd-native-ttf 
--with-libdir=lib64 --with-apxs2=/usr/bin/apxs2

We receive the following error (an error that appeared on 20120525 and 
disappeared on 20120526 revision):

/usr/src/php52-backports/main/php_variables.c: In function 
â_php_import_environment_variablesâ:
/usr/src/php52-backports/main/php_variables.c:444: error: too many arguments to 
function âzend_alter_ini_entry_exâ
/usr/src/php52-backports/main/php_variables.c: In function 
âphp_register_server_variablesâ:
/usr/src/php52-backports/main/php_variables.c:589: error: too many arguments to 
function âzend_alter_ini_entry_exâ
/usr/src/php52-backports/main/php_variables.c:616: error: too many arguments to 
function âzend_alter_ini_entry_exâ
make: *** [main/php_variables.lo] Error 1

Please, can you help us or give us any advice?

Best Regards,
Alberto Picón

Dear Sirs:

We have tried to compile 20120526, trunk and security branches and both of the 
fail to compile with the same error than 20120525 branch. Using the following 
configure instruction (Debian 6.0.5 64 bits):

./configure  --program-suffix=5 --with-pear=/usr/lib/php5 
--with-config-file-path=/usr/lib/php5 --with-libxml-dir --with-mysqli 
--with-kerberos --with-imap-ssl --enable-soap --with-xsl --enable-mbstring=all 
--with-curl --with-mcrypt --with-gd --with-pdo-mysql --with-freetype-dir 
--with-libxml-dir --with-mysql --with-zlib --enable-debug=no 
--enable-safe-mode=no --enable-discard-path=no --with-png-dir --with-gdbm 
--enable-force-cgi-redirect --with-ttf --enable-ftp --enable-dbase 
--enable-calendar --enable-wddx --enable-bcmath --enable-shmop --with-openssl 
--with-imap --with-iconv --with-bz2 --with-gettext --enable-exif --with-sqlite 
--enable-sqlite-utf8 --enable-zip --with-tidy --enable-gd-native-ttf 
--with-libdir=lib64 --with-apxs2=/usr/bin/apxs2

Both branches fail to compile with the following error:

/usr/src/php52-backports/main/php_variables.c: In function 
â_php_import_environment_variablesâ:
/usr/src/php52-backports/main/php_variables.c:444: error: too many arguments to 
function âzend_alter_ini_entry_exâ
/usr/src/php52-backports/main/php_variables.c: In function 
âphp_register_server_variablesâ:
/usr/src/php52-backports/main/php_variables.c:589: error: too many arguments to 
function âzend_alter_ini_entry_exâ
/usr/src/php52-backports/main/php_variables.c:616: error: too many arguments to 
function âzend_alter_ini_entry_exâ
make: *** [main/php_variables.lo] Error 1

Please, can you give us any clue to compile it correctly?

Best Regards,
Alberto Picón

This issue has been fixed by PHP Group in PHP 5.3 and higher.

Commit: 
http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfe
e6755

I've attached the patch for PHP 5.3 that also applies in PHP 5.2 with line 
number differences.

Dear Sirs:

We have been using HP 5.2.17+ security branch without issues for two months. We 
have downloeaded 20120525 security branch, and after using the same 
configuration:

./configure  --program-suffix=5 --with-pear=/usr/lib/php5 
--with-config-file-path=/usr/lib/php5 --with-libxml-dir --with-mysqli 
--with-kerberos --with-imap-ssl --enable-soap --with-xsl --enable-mbstring=all 
--with-curl --with-mcrypt --with-gd --with-pdo-mysql --with-freetype-dir 
--with-libxml-dir --with-mysql --with-zlib --enable-debug=no 
--enable-safe-mode=no --enable-discard-path=no --with-png-dir --with-gdbm 
--enable-force-cgi-redirect --with-ttf --enable-ftp --enable-dbase 
--enable-calendar --enable-wddx --enable-bcmath --enable-shmop --with-openssl 
--with-imap --with-iconv --with-bz2 --with-gettext --enable-exif --with-sqlite 
--enable-sqlite-utf8 --enable-zip --with-tidy --enable-gd-native-ttf 
--with-libdir=lib64 --with-apxs2=/usr/bin/apxs2

We receive the following error:

/usr/src/php52-backports/main/php_variables.c: In function 
â_php_import_environment_variablesâ:
/usr/src/php52-backports/main/php_variables.c:444: error: too many arguments to 
function âzend_alter_ini_entry_exâ
/usr/src/php52-backports/main/php_variables.c: In function 
âphp_register_server_variablesâ:
/usr/src/php52-backports/main/php_variables.c:589: error: too many arguments to 
function âzend_alter_ini_entry_exâ
/usr/src/php52-backports/main/php_variables.c:616: error: too many arguments to 
function âzend_alter_ini_entry_exâ
make: *** [main/php_variables.lo] Error 1

Please, can you help us or give us any advice?

Best Regards,
Alberto Picón

Hi!

As far as i can see you've not included a patch for CVE-2012-0057.
There is one available from Debian [1]

Thanks,
Raoul
[1] 
http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/patches/CVE-
2012-0057.patch;h=1248158d8c0dffc02d6416651e97cd4d9553c92d;hb=c166bc8377bbbb9d9a
b31799b6aefca3dc007951

Currently the security patch only has the overflow fix for calendar/julian.c

I suggest adding calendar/gregor.c and calendar/jewish.c overflow fixes to make 
PHP more secure.

Source for the fixes:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/calendar/gregor.c?r1=
317393&r2=242949&pathrev=330286&view=patch

http://git.php.net/?p=php-src.git;a=blobdiff_plain;f=ext%2Fcalendar%2Fjewish.c;h
=fcc0e5c0b878ebdd41dfeaecf148b755cd5e6f2d;hp=f4dc7c35ae57cb63c7f32d0633e2a377c0e
b7bd8;hb=refs%2Fheads%2FPHP-5.3;hpb=9c038be621ba1b3e0cc6497a089afa4bbfc87c9b

A patch is also attached.

https://github.com/php/php-src/commit/e59b6dc0ae803d49c3f620818285f98dfb61fd57

worth to apply imho

Error follows:

ext/dom/node.c: In function 'dom_canonicalization':
ext/dom/node.c:1953:21: error: dereferencing pointer to incomplete type
ext/dom/node.c:1955:5: error: dereferencing pointer to incomplete type
make: *** [ext/dom/node.lo] Error 1

looks like something with buf->buffer class ;/

<?php
function loop()
{
    loop();
}
loop();

There are CVEs for XML bugs, but why there is no solution for this.
Bad gateway every time. php53 and php54 don't segfault here.

Depricared downloads (for lang/php52 port only)

Depricared shoild be spelled as Deprecated

http://www.merriam-webster.com/dictionary/deprecate

While inspecting the contents of the full patch I've found a security fix that 
is not into the security patch but is in the full patch.

Since overflow could be seen as a security issue I'd recommend adding the 
overflow fix to security patch as well.

I've attached a patch to the issue in question taken from the full patch.

Thank you.

Regards,
NewEraCracker

What steps will reproduce the problem?
1. phpinfo

What is the expected output? What do you see instead?
+       PUTS("<html xmlns=\"http://www.w3.org/1999/xhtml\">>")
should be:
+       PUTS("<html xmlns=\"http://www.w3.org/1999/xhtml\">")

What steps will reproduce the problem?
1. download the php 5.2.17 source from php.net
2. patch them with latest patch
3. try to compile with soap extension enabled

What is the expected output? What do you see instead?
The error about macros
Z_SET_ISREF_PP
Z_ADDREF_PP
will be thrown, compilation aborted

Please provide any additional information below.
Those macros were added in php 5.3 (and also existed in php 5.2.6 or such, but 
were deleted later).
To fix you need attached diff, please import to the trunk :)

What steps will reproduce the problem?
1. php info.php | grep magic_quotes_gpc
2.
3.

What is the expected output? What do you see instead?
in php.ini magic_quotes_gpc is set to On but in real it's off

What version of the product are you using? On what operating system?
php52-backports-20120216.patch Debian 5/6

Please provide any additional information below.
i've removed all lines related to magic_quotes_gpc from patch and then it's ok.

When compiling with enabled soap extension, i receive the following error:

> ext/soap/.libs/php_encoding.o: In function `to_zval_object_ex':
> /home/raoul/tmp/php5/php5-5.2.17-backports/ext/soap/php_encoding.c:366: 
undefined reference to `Z_SET_ISREF_PP'
> /home/raoul/tmp/php5/php5-5.2.17-backports/ext/soap/php_encoding.c:367: 
undefined reference to `Z_ADDREF_PP'
> collect2: ld returned 1 exit status
> make[1]: *** [sapi/cli/php] Error 1
> make[1]: Leaving directory 
`/home/raoul/tmp/php5/php5-5.2.17-backports/apache2-build'
> make: *** [build-apache2-stamp] Error 2

as far as i can see, this comes from php52-backports-20120526.patch line 983ff.

Cheers,
Raoul

So there will be no new all-in-one security patch? I have a problem with 
combinating so much everything :(

After applying the security patch I am unable to build exif extension for PHP 
in Windows.

I had to do some code changes for it to build. I've also, comparing with the 
code of PHP 5.3 exif, fixed some typos.

I've attached a patch with the changes I've done.

Thanks.

If PHP 5.2 has magic_quotes_gpc enabled it will remove the first char of 
uploaded file name

This is the bug in question: https://bugs.php.net/bug.php?id=55510
I think it is a consequence of the fix for CVE 2011-2202 aka bug #54939

So after you've applied this fix:
http://svn.php.net/viewvc?view=revision&revision=312103

You should also have applied this one:
http://svn.php.net/viewvc?view=revision&revision=315742

I've attached a patch file.

Thank you.

Regards,
NewEraCracker

Further information:
https://bugs.php.net/bug.php?id=67249

Patch:
http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=091b7642c2d8a087d3cbcba68
1369abfb964330d

Also attached without news hunk.

The security patch lacks of two security fixes by PHP.NET team after PHP 5.2 
went EOL, those fixes were still committed to their SVN but were never released 
neither snapshots where made.

I have included those fixes in my custom PHP build for Windows and I'd like to 
see them merged with this project.

http://svn.php.net/viewvc?view=revision&revision=310753
http://svn.php.net/viewvc?view=revision&revision=311125

I've attached a single patch file here.

Thank you.

bug #67250: iptcparse out-of-bounds read
bug #67252: convert_uudecode out-of-bounds read
bug #65873: Integer overflow in exif_read_data()

I got this patch from another PHP downstream distribution, Zend Server, and I 
think their implementation to fix max input vars problem is much better than 
the one in current code base.

Hi!

After some further investigation, i found a couple of security fixes which 
might need to be checked for inclusion.

* CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 (5.2.17 *is* explicitly listed as 
affected)
* CVE-2011-1657, CVE-2011-3182, CVE-2011-3267 (5.2.17 is *not* listed)

I have not verified if these issues / patches (yet).

Moreover, i think that the Ubuntu hardy packages are a good source for patches 
[1] as the server suite will be supported (including security patches) until 
April 2013 [2][3].

Thanks,
Raoul
[1] http://packages.ubuntu.com/hardy/php5
[2] https://en.wikipedia.org/wiki/Ubuntu_%28operating_system%29#Releases
[3] https://lists.ubuntu.com/archives/ubuntu-announce/2010-January/000128.html

I've created a patch to add curl.cainfo setting to PHP 5.2.17, this is based in 
PHP 5.3.7 implementation.

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/curl/interface.c?r1=3
06939&r2=309881&pathrev=330286

Further information:
http://packetstormsecurity.com/files/124436/PHP-openssl_x509_parse-Memory-Corrup
tion.html

Patch:
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf8
20fc18415

I have trouble building PHP-5.2.17 including the patches on this site on a 
modern system with libpcre-8.33:
php_pcre.c: undefined reference to `pcre_info'

The build problem is the exact same as described in PHP bug #60986
https://bugs.php.net/bug.php?id=60986

The reason is described in the referenced bug, pcre_info() was deprecated a 
very long time ago and has been removed in libpcre-8.30

The attached patch fixes the problem, it is taken straight from upstream SVN 
for the 5.3 branch:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/pcre/php_pcre.c?r1=32
1634&r2=323097&pathrev=323097

I've found a fix that is included into the security patch (similar code): 
http://git.php.net/?p=php-src.git;a=commitdiff;h=87c038be06b8b0eb721270f98c858fd
701f5d54b

Unfortunately that fix is incomplete and was fixed later by this commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=d1fd5432e1576865dbeb7650b7c7e0f
a0bd3a4e1

Personally, I have reverted the incomplete fix for cgi_main.c with the revert 
patch that I've attached here, since I see no added value in having those 
changes.

If you do not intend to revert and thus fix it, you could apply the 
fix_bug61043.diff in the security patched version.

backport of http://bugs.php.net/50563

grab patch from:
http://git.pld-linux.org/?p=packages/php.git;a=blob_plain;f=bug-50563.patch;h=92
27ac2d0dca9d4e6ba2f67bbfabea7165d6377c;hb=fe2476d85fc29325a675c178c5208033a3f9bb
e6

The same problem that I reported with r39/r40 in
http://code.google.com/p/php52-backports/issues/detail?id=10&can=1 is now back.

Testing with your own examples from the orginal issue I only get the output:

Array ( [file] => Array ( [name] => GoogleEarth_Imagecopy.jpg ) ) 

Instead of output:

Array ( [file] => Array ( [name] => GoogleEarth_Imagecopy.jpg [type] => 
image/jpeg [tmp_name] => /tmp/php/phpneNuRR [error] => 0 [size] => 196163 ) ) 

As I can see in original PHP 5.2 php_variables.c in php_register_variable_ex 
function:

var_orig = estrdup(var_name);
var = var_orig;

The security patch adds some code in the function to add the max_input_vars and 
fix the HashDOS vulnerability. Unfortunately the code added seems to leak 
memory as var_orig isn't efree'd before return.

Taking a look at PHP.NET commit @ 
http://git.php.net/?p=php-src.git;a=commitdiff;h=89bc5ece51dde3edcb63fb8429d544c
dcf8f1b60

There is a call to efree var_orig before return. I don't see such call in the 
security patch although it does seem necessary to be made.

I'll be attaching a patch here to fix that issue.

Regards,
NewEraCracker

Apparently some code related with nullbyte handling was misplaced by the patch 
which causes OCI8 build failure. I've patched the issue and I've attached the 
patch here.

Thank you.

When send mail to host not localhost using phpmailer the fuction fsockopen 

Joomla 1.5.xx use this script to send mails

and show this error:

SMTP Error! Could not connect to SMTP host.

I think the problem is the patch in php52-backports/ext/sockets/sockets.c


@@ -246,16 +246,13 @@
 }
 /* }}} */

-static int php_accept_connect(php_socket *in_sock, php_socket **new_sock, 
struct sockaddr *la TSRMLS_DC) /* {{{ */
+static int php_accept_connect(php_socket *in_sock, php_socket **new_sock, 
struct sockaddr *la, socklen_t *la_len TSRMLS_DC) /* {{{ */
 {
-       socklen_t       salen;
        php_socket      *out_sock = (php_socket*)emalloc(sizeof(php_socket));

        *new_sock = out_sock;
-       salen = sizeof(*la);
-       out_sock->blocking = 1;

-       out_sock->bsd_socket = accept(in_sock->bsd_socket, la, &salen);
+       out_sock->bsd_socket = accept(in_sock->bsd_socket, la, la_len);

        if (IS_INVALID_SOCKET(out_sock)) {
                PHP_SOCKET_ERROR(out_sock, "unable to accept incoming connection", errno);
@@ -263,6 +260,10 @@
                return 0;
        }

+       out_sock->error = 0;
+       out_sock->blocking = 1;
+       out_sock->type = la->sa_family;
+
        return 1;
 }
 /* }}} */
@@ -723,9 +724,10 @@
    Accepts a connection on the listening socket fd */
 PHP_FUNCTION(socket_accept)
 {
-       zval                            *arg1;
-       php_socket                      *php_sock, *new_sock;
-       struct sockaddr_in      sa;
+       zval                             *arg1;
+       php_socket                       *php_sock, *new_sock;
+       php_sockaddr_storage sa;
+       socklen_t                        sa_len = sizeof(sa);

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r", &arg1) == FAILURE) {
                return;
@@ -733,13 +735,10 @@

        ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket);

-       if (!php_accept_connect(php_sock, &new_sock, (struct sockaddr *) &sa 
TSRMLS_CC)) {
+       if (!php_accept_connect(php_sock, &new_sock, (struct sockaddr*)&sa, 
&sa_len TSRMLS_CC)) {
                RETURN_FALSE;
        }

-       new_sock->error = 0;
-       new_sock->blocking = 1;
-
        ZEND_REGISTER_RESOURCE(return_value, new_sock, le_socket);
 }
 /* }}} */

Relevant bug: https://access.redhat.com/security/cve/CVE-2013-4113

Relevant patch attached. Tested compiling with latest php52-backports with out 
issues.

Unserialize() contains a nasty remote code execution flaw.  This is exposed to 
a great deal of user data and so is a pretty nasty one.

PHP 5.4 bug: https://bugs.php.net/bug.php?id=67492
PHP 5.4 patch: 
http://git.php.net/?p=php-src.git;a=commit;h=a374dfab567ff7f0ab0dc150f14cc891b03
40b47

This patch does not apply to PHP 5.2.17, as there is no unserialize function in 
spl_array.c.   But grepping found the same code with the same problem in 
ext/spl_observer.c, function SPL_METHOD(SplObjectStorage, unserialize), line 
401:

    ALLOC_INIT_ZVAL(pmembers);                                                                                                                       
    if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {                                                                     
        zval_ptr_dtor(&pmembers);                                                                                                                    
        goto outexcept;                                                                                                                              
    }   

As the code appears identical to that in the PHP 5.4 patch, I would expect the 
same thing to work.  I'm preparing a patch now for testing and will attach it 
here when it's ready. 

Hello,

I've fixed some compiler issues (missing includes) when building PHP 5.2 with 
VC2008 or 2010.

I've also fixed issues related with connection refusal handling in the Windows 
platform (this from PHP.NET fixes).

http://svn.php.net/viewvc?view=revision&revision=303129
http://svn.php.net/viewvc?view=revision&revision=303166
http://svn.php.net/viewvc?view=revision&revision=303172
http://svn.php.net/viewvc?view=revision&revision=303958

I'd like to see this patch added to the full bugfix patch.

Thanks in advance.

Regards,
NewEraCracker

There is a bug that could be used to crash PHP that isn't yet fixed in the 
security patch.

Commit: 
http://git.php.net/?p=php-src.git;a=commitdiff;h=7d1eef4aa7cf05ae0141146a8fc72d1
2e566a975

change of int -> size_t in r101 makes my php 5.2 on amd64, glibc 2.3.6 segfault:

glen@carme-pld-ac BUILD.amd64-linux/php-5.2.17 $ gdb  --args 
./sapi/cli/.libs/php -n -dextension_dir=modules -dextension=exif.so 
~/php-exif-crash/test.php 
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "amd64-pld-linux"...
(gdb) r
Starting program: 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/sapi/cli/.libs/php -n 
-dextension_dir=modules -dextension=exif.so 
/home/users/glen/php-exif-crash/test.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 
0x7fff81dfe000

Program received signal SIGSEGV, Segmentation fault.
0x00007f049f0f5acc in php_ifd_get16u (value=0x7f05a464802c, motorola_intel=0) 
at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:1092
1092                    return (((uchar *)value)[1] << 8) | ((uchar *)value)[0];
(gdb) bt
#0  0x00007f049f0f5acc in php_ifd_get16u (value=0x7f05a464802c, 
motorola_intel=0) at 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:1092
#1  0x00007f049f0f6c7c in exif_iif_add_value (image_info=0x7fff81c86ed0, 
section_index=13, name=0x7fff81c86670 "ModeArray", tag=1, format=3, length=49, 
    value=0x7f05a464802c, motorola_intel=0) at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:1758
#2  0x00007f049f0f6dfc in exif_iif_add_tag (image_info=0x7fff81c86ed0, 
section_index=13, name=0x7fff81c86670 "ModeArray", tag=1, format=3, length=49, 
    value=0x7f05a464802c) at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:1808
#3  0x00007f049f0fa087 in exif_process_IFD_TAG (ImageInfo=0x7fff81c86ed0, 
dir_entry=0x7f04a4647e84 "\001", 
    offset_base=0x7f05a4647b48 <Address 0x7f05a4647b48 out of bounds>, IFDlength=14704, displacement=12, section_index=13, ReadNextIFD=0, 
    tag_table=0x7f049f3021c0) at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3137
#4  0x00007f049f0f8fe7 in exif_process_IFD_in_MAKERNOTE 
(ImageInfo=0x7fff81c86ed0, value_ptr=0x7f04a4647e82 "#", value_len=7290, 
    offset_base=0x7f05a4647b48 <Address 0x7f05a4647b48 out of bounds>, IFDlength=14704, displacement=12)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:2812
#5  0x00007f049f0f9ece in exif_process_IFD_TAG (ImageInfo=0x7fff81c86ed0, 
dir_entry=0x7f04a4647d5a "|\222\a", offset_base=0x7f04a4647b48 "II*", 
    IFDlength=14704, displacement=12, section_index=7, ReadNextIFD=1, tag_table=0x7f049f300fa0)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3091
#6  0x00007f049f0fa204 in exif_process_IFD_in_JPEG (ImageInfo=0x7fff81c86ed0, 
dir_start=0x7f04a4647cb0 "\037", offset_base=0x7f04a4647b48 "II*", 
    IFDlength=14704, displacement=12, section_index=7) at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3165
#7  0x00007f049f0fa029 in exif_process_IFD_TAG (ImageInfo=0x7fff81c86ed0, 
dir_entry=0x7f04a4647bca "i\207\004", offset_base=0x7f04a4647b48 "II*", 
    IFDlength=14704, displacement=12, section_index=3, ReadNextIFD=1, tag_table=0x7f049f300fa0)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3128
#8  0x00007f049f0fa204 in exif_process_IFD_in_JPEG (ImageInfo=0x7fff81c86ed0, 
dir_start=0x7f04a4647b50 "\f", offset_base=0x7f04a4647b48 "II*", 
    IFDlength=14704, displacement=12, section_index=3) at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3165
#9  0x00007f049f0fa4a6 in exif_process_TIFF_in_JPEG (ImageInfo=0x7fff81c86ed0, 
CharBuf=0x7f04a4647b48 "II*", length=14704, displacement=12)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3242
#10 0x00007f049f0fa590 in exif_process_APP1 (ImageInfo=0x7fff81c86ed0, 
CharBuf=0x7f04a4647b40 "9xExif", length=14712, displacement=4)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3267
#11 0x00007f049f0fab23 in exif_scan_JPEG_header (ImageInfo=0x7fff81c86ed0) at 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3412
#12 0x00007f049f0fbaf8 in exif_scan_FILE_header (ImageInfo=0x7fff81c86ed0) at 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3797
#13 0x00007f049f0fc67f in exif_read_file (ImageInfo=0x7fff81c86ed0, 
FileName=0x7f04a4643a00 "/home/users/glen/php-exif-crash/IMG_4944.JPG", 
read_thumbnail=0, 
    read_all=0) at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:3936
#14 0x00007f049f0fcd12 in zif_exif_read_data (ht=1, 
return_value=0x7f04a46420e8, return_value_ptr=0x0, this_ptr=0x0, 
return_value_used=1)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/ext/exif/exif.c:4002
#15 0x00007f04a426560b in zend_do_fcall_common_helper_SPEC 
(execute_data=0x7fff81c873a0)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/Zend/zend_vm_execute.h:200
#16 0x00007f04a42691d1 in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(execute_data=0x7fff81c873a0)
    at /home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/Zend/zend_vm_execute.h:1740
#17 0x00007f04a42650a5 in execute (op_array=0x7f04a4642f88) at 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/Zend/zend_vm_execute.h:92
#18 0x00007f04a423c9dc in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/Zend/zend.c:1215
#19 0x00007f04a41de83c in php_execute_script (primary_file=0x7fff81c8aac0) at 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/main/main.c:2058
#20 0x0000000000404780 in main (argc=5, argv=0x7fff81c8ac58) at 
/home/users/glen/rpm/BUILD/amd64-linux/php-5.2.17/sapi/cli/php_cli.c:1177
(gdb) 

The bug is located: https://bugs.php.net/bug.php?id=62523&edit=2

I'm the original reporter. The fix provided - works! Attached the patch adopted 
for the 5.2.17.

ISSUE: Way not work on windows, but i don't really know, details in the bug 
tracking link.

What steps will reproduce the problem?
1.install php 5.2.17 with php52-backports-20120826.patch (apache2 dso) debian 
6.0 32 or 64bit and apache 2.2.22

After upgrade php from version with patch php52-backports-20120203 I'm 
observing a lot of apache errors child died with signal 11 (segmentation fault)
I'm trying to figure out where is the problem, but maybe someone else know the 
reason or give a hist where to look.

I've tested on two servers, 32 and 64 bit debian 6.0 with the same results.
Both are webhosting servers and I'm unable to find why and when apache threads 
dies with sigsegv.

Regards,
Adam

Bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability)

Patch for PHP 5.4:
http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=fb0128af2a95ec0d1a0360be4
9776c5b056d1f33

Patch for PHP 5.2 is attached.

Hi!

Your patch for CVE-2012-0830 in r21 looks quite different to the one for 
Debian's 5.2.6 [1].

I found out that your patch comes from [2] but I'm still wondering why the 
Debian developers do some additional changes.

Could you possibly comment on this?

Thanks,
Raoul

[1] 
http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/patches/memo
ry_leaks.patch;h=427cc4a3693d4b7a8cc49991d3dc277f0d54b579;hb=18d699ddca44e9baf36
68f59e88222a67609f4c0
[2] http://svn.php.net/viewvc?view=revision&revision=323007