diff --git a/php-CVE-2022-31625.patch b/php-CVE-2022-31625.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c45fab077c8ea33947063deffe31c167520b31c5
--- /dev/null
+++ b/php-CVE-2022-31625.patch
@@ -0,0 +1,73 @@
+From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Tue, 17 May 2022 12:59:23 +0200
+Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading
+ to RCE
+
+We must not free parameters which we haven't initialized yet.
+
+We also fix the not directly related issue, that we checked for the
+wrong value being `NULL`, potentially causing a segfault.
+---
+ ext/pgsql/pgsql.c | 6 +++---
+ ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 ext/pgsql/tests/bug81720.phpt
+
+diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
+index f52ff884d83c..7dcd56cf1441 100644
+--- a/ext/pgsql/pgsql.c
++++ b/ext/pgsql/pgsql.c
+@@ -1994,7 +1994,7 @@ PHP_FUNCTION(pg_query_params)
+ if (Z_TYPE(tmp_val) != IS_STRING) {
+ php_error_docref(NULL, E_WARNING,"Error converting parameter");
+ zval_ptr_dtor(&tmp_val);
+- _php_pgsql_free_params(params, num_params);
++ _php_pgsql_free_params(params, i);
+ RETURN_FALSE;
+ }
+ params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val));
+@@ -5175,8 +5175,8 @@ PHP_FUNCTION(pg_send_execute)
+ params[i] = NULL;
+ } else {
+ zend_string *tmp_str = zval_try_get_string(tmp);
+- if (UNEXPECTED(!tmp)) {
+- _php_pgsql_free_params(params, num_params);
++ if (UNEXPECTED(!tmp_str)) {
++ _php_pgsql_free_params(params, i);
+ return;
+ }
+ params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str));
+diff --git a/ext/pgsql/tests/bug81720.phpt b/ext/pgsql/tests/bug81720.phpt
+new file mode 100644
+index 000000000000..d79f1fcdd612
+--- /dev/null
++++ b/ext/pgsql/tests/bug81720.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++Bug #81720 (Uninitialized array in pg_query_params() leading to RCE)
++--SKIPIF--
++
++--FILE--
++getMessage(), PHP_EOL;
++}
++
++try {
++ pg_send_prepare($conn, "my_query", 'SELECT $1, $2');
++ pg_get_result($conn);
++ pg_send_execute($conn, "my_query", [1, new stdClass()]);
++} catch
(Throwable $ex) { ++ echo $ex->getMessage(), PHP_EOL; ++} ++?> ++--EXPECT-- ++Object of class stdClass could not be converted to string ++Object of class stdClass could not be converted to string diff --git a/php.spec b/php.spec index 3d0d3b37b5c47dd5687972d4b6f547a5b01033bb..a9581a19aa1793a067d41601f7fd6d008f8ae17d 100644 --- a/php.spec +++ b/php.spec @@ -61,7 +61,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 3%{anolis_release}%{?dist} +Release: 4%{anolis_release}%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -112,6 +112,7 @@ Patch47: php-5.6.3-phpinfo.patch Patch200: php-7.4.19-CVE-2021-21703.patch Patch201: php-7.4.19-CVE-2021-21705.patch Patch202: php-CVE-2022-31626.patch +Patch203: php-CVE-2022-31625.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -727,6 +728,7 @@ in pure PHP. %patch200 -p1 -b .cve21705 %patch201 -p1 -b .cve21703 %patch202 -p1 -b .cve31626 +%patch203 -p1 -b .cve31625 # Fixes for tests %patch300 -p1 -b .datetests @@ -1520,9 +1522,13 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog -* Mon Jul 4 2022 Liwei Ge - 7.4.19-3.0.1 +* Thu Aug 25 2022 Liwei Ge - 7.4.19-4.0.1 - Support loongarch64 platform +* Tue Aug 9 2022 Remi Collet - 7.4.19-4 +- fix uninitialized array in pg_query_params() leading to RCE + CVE-2022-31625 + * Wed Jun 22 2022 Remi Collet - 7.4.19-3 - fix password of excessive length triggers buffer overflow leading to RCE CVE-2022-31626
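Review bot: The ext/pgsql/tests/bug81720.phpt embedded in the new patch file looks incomplete: `++--SKIPIF--` is followed only by an empty added line, and `++--FILE--` is immediately followed by `++getMessage(), PHP_EOL;`, so the PHP opening tag, the config/skipif includes and the first try block that calls pg_query_params() are not present, while `--EXPECT--` lists two conversion messages of which only one could come from the visible pg_send_execute() block. This may be a rendering artifact (tag-like text dropped), but if the committed php-CVE-2022-31625.patch really lacks those lines the test cannot pass and does not exercise the pg_query_params() regression at all, and an empty SKIPIF would presumably let it run without a PostgreSQL server; compare the file byte-for-byte with upstream commit 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab before merging. The pgsql.c hunks themselves carry the upstream fix: passing `i` instead of `num_params` to `_php_pgsql_free_params()` frees only the entries the loop has already assigned (`params[i]` is written after each check in both functions), and `if (UNEXPECTED(!tmp_str))` tests the result of zval_try_get_string() rather than its input. Whether the `@@ -1994` and `@@ -5175` offsets match the 7.4.19 tree is not visible here; `%patch203 -p1` in php.spec will abort the build if they do not, so a scratch build confirms that part.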