From 9e7d3a688f1f2c69c5ded60cdad11b45068528bd Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 3 Jul 2024 15:00:23 +0800
Subject: [PATCH] fix cve-2024-2756 cve-2024-3096
---
 fix-cve-2024-2756.patch | 156 ++++++++++++++++++++++++++++++++++++++++
 fix-cve-2024-3096.patch | 49 +++++++++++++
 php.spec | 12 +++-
 3 files changed, 215 insertions(+), 2 deletions(-)
 create mode 100644 fix-cve-2024-2756.patch
 create mode 100644 fix-cve-2024-3096.patch
diff --git a/fix-cve-2024-2756.patch b/fix-cve-2024-2756.patch
new file mode 100644
index 0000000..122e551
--- /dev/null
+++ b/fix-cve-2024-2756.patch
@@ -0,0 +1,156 @@
+From 4341fa828ab7ccd9c543d1984cb634a2db5c0101 Mon Sep 17 00:00:00 2001
+From: yangxinyu
+Date: Wed, 5 Jun 2024 14:13:06 +0800
+Subject: [PATCH] fix-cve-2024-2756
+
+---
+ ext/standard/ghsa-wpj3-hf5j-x4v4.phpt | 63 +++++++++++++++++++++++++++
+ main/php_variables.c | 41 +++++++++++------
+ 2 files changed, 90 insertions(+), 14 deletions(-)
+ create mode 100644 ext/standard/ghsa-wpj3-hf5j-x4v4.phpt
+
+diff --git a/ext/standard/ghsa-wpj3-hf5j-x4v4.phpt b/ext/standard/ghsa-wpj3-hf5j-x4v4.phpt
+new file mode 100644
+index 00000000..77fcb680
+--- /dev/null
++++ b/ext/standard/ghsa-wpj3-hf5j-x4v4.phpt
+@@ -0,0 +1,63 @@
++--TEST--
++ghsa-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix)
++--COOKIE--
++..Host-test=ignore_1;
++._Host-test=ignore_2;
++.[Host-test=ignore_3;
++_.Host-test=ignore_4;
++__Host-test=ignore_5;
++_[Host-test=ignore_6;
++[.Host-test=ignore_7;
++[_Host-test=ignore_8;
++[[Host-test=ignore_9;
++..Host-test[]=ignore_10;
++._Host-test[]=ignore_11;
++.[Host-test[]=ignore_12;
++_.Host-test[]=ignore_13;
++__Host-test[]=legitimate_14;
++_[Host-test[]=legitimate_15;
++[.Host-test[]=ignore_16;
++[_Host-test[]=ignore_17;
++[[Host-test[]=ignore_18;
++..Secure-test=ignore_1;
++._Secure-test=ignore_2;
++.[Secure-test=ignore_3;
++_.Secure-test=ignore_4;
++__Secure-test=ignore_5;
++_[Secure-test=ignore_6;
++[.Secure-test=ignore_7;
++[_Secure-test=ignore_8;
++[[Secure-test=ignore_9;
++..Secure-test[]=ignore_10;
++._Secure-test[]=ignore_11;
++.[Secure-test[]=ignore_12;
++_.Secure-test[]=ignore_13;
++__Secure-test[]=legitimate_14;
++_[Secure-test[]=legitimate_15;
++[.Secure-test[]=ignore_16;
++[_Secure-test[]=ignore_17;
++[[Secure-test[]=ignore_18;
++--FILE--
++
++--EXPECT--
++array(3) {
++ ["__Host-test"]=>
++ array(1) {
++ [0]=>
++ string(13) "legitimate_14"
++ }
++ ["_"]=>
++ array(2) {
++ ["Host-test["]=>
++ string(13) "legitimate_15"
++ ["Secure-test["]=>
++ string(13) "legitimate_15"
++ }
++ ["__Secure-test"]=>
++ array(1) {
++ [0]=>
++ string(13) "legitimate_14"
++ }
++}
+diff --git a/main/php_variables.c b/main/php_variables.c
+index 3d7d904a..1c8a807c 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -54,6 +54,21 @@ static zend_always_inline void php_register_variable_quick(const char *name, siz
+ zend_string_release_ex(key, 0);
+ }
+
++/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
++ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
++static bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
++{
++ if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
++ return true;
++ }
++
++ if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
++ return true;
++ }
++
++ return false;
++}
++
+ PHPAPI void php_register_known_variable(const char *var_name, size_t var_name_len, zval *value, zval *track_vars_array)
+ {
+ HashTable *symbol_table = NULL;
+@@ -137,20 +152,6 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ }
+ var_len = p - var;
+
+- /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+- if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+- /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+- if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+- zval_ptr_dtor_nogc(val);
+- free_alloca(var_orig, use_heap);
+- return;
+- }
+-
+ if (var_len==0) { /* empty variable name, or variable name with a space in it */
+ zval_ptr_dtor_nogc(val);
+ free_alloca(var_orig, use_heap);
+@@ -254,6 +255,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ return;
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
+ if (!gpc_element_p) {
+ zval tmp;
+@@ -291,6 +298,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ zval_ptr_dtor_nogc(val);
+ }
+ } else {
++ if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++ zval_ptr_dtor_nogc(val);
++ free_alloca(var_orig, use_heap);
++ return;
++ }
++
+ zend_ulong idx;
+
+ /*
+--
+2.33.0
+
diff --git a/fix-cve-2024-3096.patch b/fix-cve-2024-3096.patch
new file mode 100644
index 0000000..306be1b
--- /dev/null
+++ b/fix-cve-2024-3096.patch
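Review bot: The regression test ghsa-wpj3-hf5j-x4v4.phpt is the only evidence that relocating the __Host-/__Secure- check from the top of php_register_variable_ex into the two index branches still rejects every bypass variant, yet on this page its `--FILE--` section shows no script and the hunk header announces 63 lines where 60 are visible; most likely the rendering stripped the PHP tags, but confirm the stored fix-cve-2024-2756.patch actually carries the script (presumably a `var_dump($_COOKIE)` given the expected output) before shipping. In php_is_forbidden_variable_name the reads of `mangled_name` are bounded by `mangled_name_len`, while `pre_mangled_name` is read with an unbounded strncmp and so must be NUL-terminated, as the removed code already assumed of `var_name`; that contract belongs in the comment, e.g. `/* mangled_name is bounded by mangled_name_len; pre_mangled_name must be NUL-terminated. */`. Because this security backport is authored under a different name than upstream, the inner commit should carry a `(cherry picked from commit 093c08af25fb323efa0c8e6154aa9fdeae3d3b53)` trailer matching the reference in php.spec so the provenance is auditable. php_register_variable_ex, which gains the two calls, starts and ends outside these hunks.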
@@ -0,0 +1,49 @@
+From 09c17bd4218188e1905f61ba076b209c11a40e8a Mon Sep 17 00:00:00 2001
+From: yangxinyu
+Date: Wed, 3 Jul 2024 09:42:06 +0800
+Subject: [PATCH] fix-cve-2024-3096
+
+---
+ ext/standard/password.c | 5 +++++
+ ext/standard/tests/password/password_bcrypt_errors.phpt | 7 +++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/ext/standard/password.c b/ext/standard/password.c
+index 81117f17..93058be8 100644
+--- a/ext/standard/password.c
++++ b/ext/standard/password.c
+@@ -180,6 +180,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
+ zval *zcost;
+ zend_long cost = PHP_PASSWORD_BCRYPT_COST;
+
++ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
++ zend_value_error("Bcrypt password must not contain null character");
++ return NULL;
++ }
++
+ if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
+ cost = zval_get_long(zcost);
+ }
+diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
+index 10c3483f..54edb01c 100644
+--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
+@@ -14,7 +14,14 @@
+ } catch (ValueError $exception) {
+ echo $exception->getMessage() . "\n";
+ }
++
++try {
++ var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
++} catch (ValueError $e) {
++ echo $e->getMessage(), "\n";
++}
+ ?>
+ --EXPECT--
+ Invalid bcrypt cost parameter specified: 3
+ Invalid bcrypt cost parameter specified: 32
++Bcrypt password must not contain null character
+\ No newline at end of file
+--
+2.33.0
+
diff --git a/php.spec b/php.spec
index 5354007..fcc04d2 100644
--- a/php.spec
+++ b/php.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 # API/ABI check
 %global apiver 20220829
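Review bot: The new memchr guard in php_password_bcrypt_hash carries no comment saying why an embedded NUL is fatal, so a later reader will take it for an arbitrary restriction and may be tempted to relax it; suggest `/* The bcrypt backend consumes the password as a C string, so an embedded NUL would silently truncate it and hash only the prefix (CVE-2024-3096). */` — the truncation rationale is inferred from the CVE the patch names, so confirm it against the backend before wording it that way. The check runs before the cost validation that follows it, so for a password containing NUL the new ValueError takes precedence over an invalid cost; the added test only exercises a valid cost, which is fine but worth knowing when reading the expected output. The phpt hunk also ends with `\ No newline at end of file`, which the test runner tolerates but is worth checking against upstream 0ba5229a3f7572846e91c8f5382e87785f543826, and a `(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)` trailer on the inner commit would make that comparison routine. php_password_bcrypt_hash continues outside the hunk.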
@@ -99,6 +99,10 @@ Patch100: https://github.com/php/php-src/commit/0dadd6616a491418871fb0b41590a73b
 # Factory is droped from system tzdata
 Patch300: php-7.4.0-datetests.patch
+#https://github.com/php/php-src/commit/093c08af25fb323efa0c8e6154aa9fdeae3d3b53
+Patch1001: fix-cve-2024-2756.patch
+#https://github.com/php/php-src/commit/0ba5229a3f7572846e91c8f5382e87785f543826
+Patch1002: fix-cve-2024-3096.patch
 BuildRequires: gnupg2
 BuildRequires: bzip2-devel
@@ -700,7 +704,8 @@ bytecode optimization patterns that make code execution faster.
 # Fixes for tests
 %patch -P 300 -p1 -b .datetests
-
+%patch -P 1001 -p1
+%patch -P 1002 -p1
 # Prevent %%doc confusion over LICENSE files
 cp ext/date/lib/LICENSE.rst timelib_LICENSE
@@ -1511,6 +1516,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 %changelog
+* Wed June 05 2024 Yangxinyu - 8.2.11-2
+- fix-cve-2024-2756 fix-cve-2024-3096
+
 * Fri Sep 29 2023 Funda Wang - 8.2.11-1
 - New version 8.2.11
--
Gitee
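Review bot: The new %changelog entry `* Wed June 05 2024 Yangxinyu - 8.2.11-2` spells the month out as `June`; rpm's %changelog date parser compares the month field against the three-letter abbreviations, so this line is likely to make rpmbuild stop with a bad-date error — write `* Wed Jun 05 2024 Yangxinyu - 8.2.11-2`. The entry also shows no e-mail address in angle brackets, which may be the page rendering stripping it (the inner `From:` lines lost theirs too), so verify the stored file rather than the rendering. Its date is a month before the fix-cve-2024-3096 patch it announces (dated Wed, 3 Jul 2024) and before the commit itself; not a build error, but the entry should carry the day the release was actually cut. In the -700 hunk the new `%patch -P 1001 -p1` and `%patch -P 1002 -p1` lines drop the `-b` backup suffix that the neighbouring `%patch -P 300 -p1 -b .datetests` uses; harmless, but keeping the convention makes the applied sources easier to diff against pristine ones.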