From f27cb75023bb3911b38f1d6e70ece545383c1ab8 Mon Sep 17 00:00:00 2001 From: zhoulong Date: Wed, 14 Jun 2023 15:44:13 +0800 Subject: [PATCH 1/2] update to php-7.4.33-1.module+el8.8.0+17865+ef7eddfa Signed-off-by: zhoulong --- 1000-anolis-php-support-loongarch64.patch | 22 ---------- download | 4 +- php-CVE-2022-31631.patch | 52 +++++++++++++++++++++++ php.spec | 17 ++++---- 4 files changed, 62 insertions(+), 33 deletions(-) delete mode 100644 1000-anolis-php-support-loongarch64.patch create mode 100644 php-CVE-2022-31631.patch diff --git a/1000-anolis-php-support-loongarch64.patch b/1000-anolis-php-support-loongarch64.patch deleted file mode 100644 index 966e463..0000000 --- a/1000-anolis-php-support-loongarch64.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- php-7.4.6/build/config.sub 2020-05-12 16:09:15.000000000 +0800 -+++ php-7.4.6/build/config.sub.new 2021-11-10 11:23:11.386075262 +0800 -@@ -1160,6 +1160,7 @@ - 1750a | 580 \ - | a29k \ - | aarch64 | aarch64_be \ -+ | loongarch32 | loongarch64 | loongarchx32 \ - | abacus \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] \ ---- /build/config.guess.orig 2023-01-31 11:42:02.301574989 +0800 -+++ /build/config.guess 2023-01-31 11:43:32.691853332 +0800 -@@ -973,6 +973,9 @@ - UNAME_MACHINE=aarch64_be - GUESS=$UNAME_MACHINE-unknown-linux-$LIBC - ;; -+ loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*) -+ GUESS=$UNAME_MACHINE-unknown-linux-$LIBC -+ ;; - alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in - EV5) UNAME_MACHINE=alphaev5 ;; diff --git a/download b/download index 987a0f0..a71c176 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -c373c0ea292e8a1d3e87a1153ee64199 php-7.4.30.tar.xz -d831d247dd385217a04861291a314f73 php-7.4.30.tar.xz.asc +f098632163cd47f2c1ffe2bdc6ef1ff2 php-7.4.33.tar.xz +306dca821388f20fa55324960d82f427 php-7.4.33.tar.xz.asc diff --git a/php-CVE-2022-31631.patch b/php-CVE-2022-31631.patch new file mode 100644 index 0000000..3627c23 --- /dev/null +++ b/php-CVE-2022-31631.patch @@ -0,0 +1,52 @@ +From 7cb160efe19d3dfb8b92629805733ea186b55050 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 31 Oct 2022 17:20:23 +0100 +Subject: [PATCH] Fix #81740: PDO::quote() may return unquoted string + +`sqlite3_snprintf()` expects its first parameter to be `int`; we need +to avoid overflow. + +(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba) +--- + ext/pdo_sqlite/sqlite_driver.c | 3 +++ + ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++ + 2 files changed, 20 insertions(+) + create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt + +diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c +index 0595bd09fe..54f9d05e1e 100644 +--- a/ext/pdo_sqlite/sqlite_driver.c ++++ b/ext/pdo_sqlite/sqlite_driver.c +@@ -233,6 +233,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t + /* NB: doesn't handle binary strings... use prepared stmts for that */ + static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype ) + { ++ if (unquotedlen > (INT_MAX - 3) / 2) { ++ return 0; ++ } + *quoted = safe_emalloc(2, unquotedlen, 3); + sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted); + *quotedlen = strlen(*quoted); +diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt +new file mode 100644 +index 0000000000..99fb07c304 +--- /dev/null ++++ b/ext/pdo_sqlite/tests/bug81740.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #81740 (PDO::quote() may return unquoted string) ++--SKIPIF-- ++ ++--INI-- ++memory_limit=-1 ++--FILE-- ++quote($string)); ++?> ++--EXPECT-- ++bool(false) diff --git a/php.spec b/php.spec index 4c519cc..7ad0584 100644 --- a/php.spec +++ b/php.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 # RHEL / Fedora spec file for php # # License: MIT @@ -55,13 +54,13 @@ %global with_tidy 0 %endif -%global upver 7.4.30 +%global upver 7.4.33 #global rcver RC1 Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1%{anolis_release}%{?dist} +Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -109,13 +108,12 @@ Patch47: php-5.6.3-phpinfo.patch # Upstream fixes (100+) # Security fixes (200+) +Patch200: php-CVE-2022-31631.patch # Fixes for tests (300+) # Factory is droped from system tzdata Patch300: php-5.6.3-datetests.patch -Patch1000: 1000-anolis-php-support-loongarch64.patch - BuildRequires: gnupg2 BuildRequires: bzip2-devel @@ -720,12 +718,11 @@ in pure PHP. # upstream patches # security patches +%patch200 -p1 -b .cve31631 # Fixes for tests %patch300 -p1 -b .datetests -%patch1000 -p1 - # Prevent %%doc confusion over LICENSE files cp Zend/LICENSE ZEND_LICENSE @@ -1511,8 +1508,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog -* Tue Jan 31 2023 Liwei Ge - 7.4.30-1.0.1 -- Support loongarch64 platform +* Fri Jan 13 2023 Remi Collet - 7.4.33-1 +- rebase to 7.4.33 +- fix: due to an integer overflow PDO::quote() may return unquoted string + CVE-2022-31631 * Thu Jul 7 2022 Remi Collet - 7.4.30-1 - rebase to 7.4.30 #2099615 -- Gitee From ffea05e0ff5fd2a5425a840bf800988eed69aa10 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Mon, 8 Nov 2021 21:59:28 +0800 Subject: [PATCH 2/2] build: support loongarch64 platform Signed-off-by: Liwei Ge --- 1000-anolis-php-support-loongarch64.patch | 22 ++++++++++++++++++++++ php.spec | 10 +++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 1000-anolis-php-support-loongarch64.patch diff --git a/1000-anolis-php-support-loongarch64.patch b/1000-anolis-php-support-loongarch64.patch new file mode 100644 index 0000000..966e463 --- /dev/null +++ b/1000-anolis-php-support-loongarch64.patch @@ -0,0 +1,22 @@ +--- php-7.4.6/build/config.sub 2020-05-12 16:09:15.000000000 +0800 ++++ php-7.4.6/build/config.sub.new 2021-11-10 11:23:11.386075262 +0800 +@@ -1160,6 +1160,7 @@ + 1750a | 580 \ + | a29k \ + | aarch64 | aarch64_be \ ++ | loongarch32 | loongarch64 | loongarchx32 \ + | abacus \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] \ +--- /build/config.guess.orig 2023-01-31 11:42:02.301574989 +0800 ++++ /build/config.guess 2023-01-31 11:43:32.691853332 +0800 +@@ -973,6 +973,9 @@ + UNAME_MACHINE=aarch64_be + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; ++ loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*) ++ GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ++ ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in + EV5) UNAME_MACHINE=alphaev5 ;; diff --git a/php.spec b/php.spec index 7ad0584..5ea803d 100644 --- a/php.spec +++ b/php.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # RHEL / Fedora spec file for php # # License: MIT @@ -60,7 +61,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1%{?dist} +Release: 1%{anolis_release}%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -114,6 +115,8 @@ Patch200: php-CVE-2022-31631.patch # Factory is droped from system tzdata Patch300: php-5.6.3-datetests.patch +Patch1000: 1000-anolis-php-support-loongarch64.patch + BuildRequires: gnupg2 BuildRequires: bzip2-devel @@ -723,6 +726,8 @@ in pure PHP. # Fixes for tests %patch300 -p1 -b .datetests +%patch1000 -p1 + # Prevent %%doc confusion over LICENSE files cp Zend/LICENSE ZEND_LICENSE @@ -1508,6 +1513,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Wed Jun 14 2023 Liwei Ge - 7.4.33-1.0.1 +- Support loongarch64 platform + * Fri Jan 13 2023 Remi Collet - 7.4.33-1 - rebase to 7.4.33 - fix: due to an integer overflow PDO::quote() may return unquoted string -- Gitee