From fb3c931fa80d719f5df29807b3b81283896c7847 Mon Sep 17 00:00:00 2001 From: hongwei-qin Date: Thu, 25 Aug 2022 15:56:35 +0800 Subject: [PATCH] update to php-7.4.19-4.module+el8.6.0+16316+906f6c6d Signed-off-by: hongwei-qin --- 1000-anolis-php-support-loongarch64.patch | 23 ------- php-CVE-2022-31625.patch | 73 +++++++++++++++++++++++ php-CVE-2022-31626.patch | 23 +++++++ php.spec | 20 ++++--- 4 files changed, 108 insertions(+), 31 deletions(-) delete mode 100644 1000-anolis-php-support-loongarch64.patch create mode 100644 php-CVE-2022-31625.patch create mode 100644 php-CVE-2022-31626.patch diff --git a/1000-anolis-php-support-loongarch64.patch b/1000-anolis-php-support-loongarch64.patch deleted file mode 100644 index 607d933..0000000 --- a/1000-anolis-php-support-loongarch64.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -Nur php-7.2.24.new/build/config.guess php-7.2.24/build/config.guess ---- php-7.2.24.new/build/config.guess 2021-11-08 19:01:51.684000000 +0800 -+++ php-7.2.24/build/config.guess 2021-11-08 19:04:15.004000000 +0800 -@@ -891,6 +891,9 @@ - UNAME_MACHINE=aarch64_be - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; -+ loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*) -+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" -+ exit ;; - alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in - EV5) UNAME_MACHINE=alphaev5 ;; ---- php-7.4.6/build/config.sub 2020-05-12 16:09:15.000000000 +0800 -+++ php-7.4.6/build/config.sub.new 2021-11-10 11:23:11.386075262 +0800 -@@ -1160,6 +1160,7 @@ - 1750a | 580 \ - | a29k \ - | aarch64 | aarch64_be \ -+ | loongarch32 | loongarch64 | loongarchx32 \ - | abacus \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] \ diff --git a/php-CVE-2022-31625.patch b/php-CVE-2022-31625.patch new file mode 100644 index 0000000..c45fab0 --- /dev/null +++ b/php-CVE-2022-31625.patch @@ -0,0 +1,73 @@ +From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 17 May 2022 12:59:23 +0200 +Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading + to RCE + +We must not free parameters which we haven't initialized yet. + +We also fix the not directly related issue, that we checked for the +wrong value being `NULL`, potentially causing a segfault. +--- + ext/pgsql/pgsql.c | 6 +++--- + ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 3 deletions(-) + create mode 100644 ext/pgsql/tests/bug81720.phpt + +diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c +index f52ff884d83c..7dcd56cf1441 100644 +--- a/ext/pgsql/pgsql.c ++++ b/ext/pgsql/pgsql.c +@@ -1994,7 +1994,7 @@ PHP_FUNCTION(pg_query_params) + if (Z_TYPE(tmp_val) != IS_STRING) { + php_error_docref(NULL, E_WARNING,"Error converting parameter"); + zval_ptr_dtor(&tmp_val); +- _php_pgsql_free_params(params, num_params); ++ _php_pgsql_free_params(params, i); + RETURN_FALSE; + } + params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val)); +@@ -5175,8 +5175,8 @@ PHP_FUNCTION(pg_send_execute) + params[i] = NULL; + } else { + zend_string *tmp_str = zval_try_get_string(tmp); +- if (UNEXPECTED(!tmp)) { +- _php_pgsql_free_params(params, num_params); ++ if (UNEXPECTED(!tmp_str)) { ++ _php_pgsql_free_params(params, i); + return; + } + params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str)); +diff --git a/ext/pgsql/tests/bug81720.phpt b/ext/pgsql/tests/bug81720.phpt +new file mode 100644 +index 000000000000..d79f1fcdd612 +--- /dev/null ++++ b/ext/pgsql/tests/bug81720.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++Bug #81720 (Uninitialized array in pg_query_params() leading to RCE) ++--SKIPIF-- ++ ++--FILE-- ++getMessage(), PHP_EOL; ++} ++ ++try { ++ pg_send_prepare($conn, "my_query", 'SELECT $1, $2'); ++ pg_get_result($conn); ++ pg_send_execute($conn, "my_query", [1, new stdClass()]); ++} catch (Throwable $ex) { ++ echo $ex->getMessage(), PHP_EOL; ++} ++?> ++--EXPECT-- ++Object of class stdClass could not be converted to string ++Object of class stdClass could not be converted to string diff --git a/php-CVE-2022-31626.patch b/php-CVE-2022-31626.patch new file mode 100644 index 0000000..7f89dcb --- /dev/null +++ b/php-CVE-2022-31626.patch @@ -0,0 +1,23 @@ +From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 6 Jun 2022 00:56:51 -0600 +Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow + +--- + ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c +index 87b2e7c31331..e4a298adaea4 100644 +--- a/ext/mysqlnd/mysqlnd_wireprotocol.c ++++ b/ext/mysqlnd/mysqlnd_wireprotocol.c +@@ -771,7 +771,8 @@ php_mysqlnd_change_auth_response_write(MYSQLND_CONN_DATA * conn, void * _packet) + MYSQLND_VIO * vio = conn->vio; + MYSQLND_STATS * stats = conn->stats; + MYSQLND_CONNECTION_STATE * connection_state = &conn->state; +- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len); ++ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE; ++ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); + zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */ + + DBG_ENTER("php_mysqlnd_change_auth_response_write"); diff --git a/php.spec b/php.spec index b9bc4c4..76fed93 100644 --- a/php.spec +++ b/php.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 # RHEL / Fedora spec file for php # # License: MIT @@ -61,7 +60,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{anolis_release}%{?dist} +Release: 4%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -111,13 +110,13 @@ Patch47: php-5.6.3-phpinfo.patch # Security fixes (200+) Patch200: php-7.4.19-CVE-2021-21703.patch Patch201: php-7.4.19-CVE-2021-21705.patch +Patch202: php-CVE-2022-31626.patch +Patch203: php-CVE-2022-31625.patch # Fixes for tests (300+) # Factory is droped from system tzdata Patch300: php-5.6.3-datetests.patch -Patch1000: 1000-anolis-php-support-loongarch64.patch - BuildRequires: gnupg2 BuildRequires: bzip2-devel @@ -725,12 +724,12 @@ in pure PHP. # security patches %patch200 -p1 -b .cve21705 %patch201 -p1 -b .cve21703 +%patch202 -p1 -b .cve31626 +%patch203 -p1 -b .cve31625 # Fixes for tests %patch300 -p1 -b .datetests -%patch1000 -p1 - # Prevent %%doc confusion over LICENSE files cp Zend/LICENSE Zend/ZEND_LICENSE @@ -1518,8 +1517,13 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog -* Wed Apr 20 2022 Liwei Ge - 7.4.19-2.0.1 -- Support loongarch64 platform +* Tue Aug 9 2022 Remi Collet - 7.4.19-4 +- fix uninitialized array in pg_query_params() leading to RCE + CVE-2022-31625 + +* Wed Jun 22 2022 Remi Collet - 7.4.19-3 +- fix password of excessive length triggers buffer overflow leading to RCE + CVE-2022-31626 * Wed Jan 19 2022 Remi Collet - 7.4.19-2 - fix SSRF bypass in FILTER_VALIDATE_URL -- Gitee