diff --git a/backport-CVE-2021-21708-Fix-81708.patch b/backport-CVE-2021-21708-Fix-81708.patch deleted file mode 100644 index 84095daf04f18a3fcbdd8124ec3f4e1b7f0a5a26..0000000000000000000000000000000000000000 --- a/backport-CVE-2021-21708-Fix-81708.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 82f1bf1b6bc3a43aba62214870e6d0931e93a6d9 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Mon, 31 Jan 2022 15:43:24 +0100 -Subject: [PATCH] Fix #81708: UAF due to php_filter_float() failing for ints - -We must only release the zval, if we actually assign a new zval. ---- - ext/filter/logical_filters.c | 2 +- - ext/filter/tests/bug81708.phpt | 20 ++++++++++++++++++++ - 2 files changed, 21 insertions(+), 1 deletion(-) - create mode 100644 ext/filter/tests/bug81708.phpt - -diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c -index 1bf7c00d13c6..95f7a99e34b1 100644 ---- a/ext/filter/logical_filters.c -+++ b/ext/filter/logical_filters.c -@@ -436,10 +436,10 @@ void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ - - switch (is_numeric_string(num, p - num, &lval, &dval, 0)) { - case IS_LONG: -- zval_ptr_dtor(value); - if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) { - goto error; - } -+ zval_ptr_dtor(value); - ZVAL_DOUBLE(value, (double)lval); - break; - case IS_DOUBLE: -diff --git a/ext/filter/tests/bug81708.phpt b/ext/filter/tests/bug81708.phpt -new file mode 100644 -index 000000000000..d0036af13682 ---- /dev/null -+++ b/ext/filter/tests/bug81708.phpt -@@ -0,0 +1,20 @@ -+--TEST-- -+Bug #81708 (UAF due to php_filter_float() failing for ints) -+--SKIPIF-- -+ -+--INI-- -+opcache.enable_cli=0 -+--FILE-- -+ ['min_range' => -1, 'max_range' => 1]] -+); -+var_dump($input); -+?> -+--EXPECT-- -+string(3) "+11" diff --git a/backport-CVE-2022-31625.patch b/backport-CVE-2022-31625.patch deleted file mode 100644 index f0c4c6480c4963796fa23075ffe7a8e5fec8ee7e..0000000000000000000000000000000000000000 
--- a/backport-CVE-2022-31625.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Tue, 17 May 2022 12:59:23 +0200 -Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading - to RCE - -We must not free parameters which we haven't initialized yet. - -We also fix the not directly related issue, that we checked for the -wrong value being `NULL`, potentially causing a segfault. ---- - ext/pgsql/pgsql.c | 6 +++--- - ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++ - 2 files changed, 30 insertions(+), 3 deletions(-) - create mode 100644 ext/pgsql/tests/bug81720.phpt - ---- a/ext/pgsql/pgsql.c -+++ b/ext/pgsql/pgsql.c -@@ -1201,7 +1201,7 @@ PHP_FUNCTION(pg_query_params) - } else { - zend_string *param_str = zval_try_get_string(tmp); - if (!param_str) { -- _php_pgsql_free_params(params, num_params); -+ _php_pgsql_free_params(params, i); - RETURN_THROWS(); - } - params[i] = estrndup(ZSTR_VAL(param_str), ZSTR_LEN(param_str)); -@@ -3918,8 +3918,8 @@ PHP_FUNCTION(pg_send_execute) - params[i] = NULL; - } else { - zend_string *tmp_str = zval_try_get_string(tmp); -- if (UNEXPECTED(!tmp)) { -- _php_pgsql_free_params(params, num_params); -+ if (UNEXPECTED(!tmp_str)) { -+ _php_pgsql_free_params(params, i); - return; - } - params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str)); ---- /dev/null -+++ b/ext/pgsql/tests/bug81720.phpt -@@ -0,0 +1,27 @@ -+--TEST-- -+Bug #81720 (Uninitialized array in pg_query_params() leading to RCE) -+--SKIPIF-- -+ -+--FILE-- -+getMessage(), PHP_EOL; -+} -+ -+try { -+ pg_send_prepare($conn, "my_query", 'SELECT $1, $2'); -+ pg_get_result($conn); -+ pg_send_execute($conn, "my_query", [1, new stdClass()]); -+} catch (Throwable $ex) { -+ echo $ex->getMessage(), PHP_EOL; -+} -+?> -+--EXPECT-- -+Object of class stdClass could not be converted to string -+Object of class stdClass could not be converted to string 
diff --git a/backport-CVE-2022-31626.patch b/backport-CVE-2022-31626.patch deleted file mode 100644 index f8ea8e835250c330db7858e578a4eafe016f44ac..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-31626.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 6 Jun 2022 00:56:51 -0600 -Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow - ---- - ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/ext/mysqlnd/mysqlnd_wireprotocol.c -+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c -@@ -768,7 +768,8 @@ php_mysqlnd_change_auth_response_write(M - MYSQLND_VIO * vio = conn->vio; - MYSQLND_STATS * stats = conn->stats; - MYSQLND_CONNECTION_STATE * connection_state = &conn->state; -- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len); -+ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE; -+ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); - zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */ - - DBG_ENTER("php_mysqlnd_change_auth_response_write"); diff --git a/backport-CVE-2022-31627.patch b/backport-CVE-2022-31627.patch deleted file mode 100644 index 00cb0a3d13933dd480e1d7bc1934f13ae548cd51..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-31627.patch +++ /dev/null 
@@ -1,356 +0,0 @@ -From ca6d511fa54b34d5b75bf120a86482a1b9e1e686 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Thu, 30 Jun 2022 17:15:22 +0200 -Subject: [PATCH] Fix #81723: Memory corruption in finfo_buffer() - -We need to use the same memory allocator throughout. ---- - ext/fileinfo/libmagic.patch | 112 +++++++++++++++++------------- - ext/fileinfo/libmagic/softmagic.c | 8 +-- - ext/fileinfo/tests/bug81723.phpt | 12 ++++ - 3 files changed, 79 insertions(+), 53 deletions(-) - create mode 100644 ext/fileinfo/tests/bug81723.phpt - -diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch -index 27124692a0..3373ae4519 100644 ---- a/ext/fileinfo/libmagic.patch -+++ b/ext/fileinfo/libmagic.patch -@@ -1,6 +1,6 @@ --diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c -+diff -u libmagic.orig/apprentice.c libmagic/apprentice.c - --- libmagic.orig/apprentice.c 2021-02-23 01:51:11.000000000 +0100 --+++ libmagic/apprentice.c 2021-04-06 21:34:57.332978922 +0200 -++++ libmagic/apprentice.c 2022-06-16 13:39:41.570984700 +0200 - @@ -29,6 +29,8 @@ - * apprentice - make one pass through /etc/magic, learning its secrets. - */ -@@ -925,9 +925,9 @@ diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c - m->str_range = swap4(m->str_range); - m->str_flags = swap4(m->str_flags); - } --diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c -+diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c - --- libmagic.orig/ascmagic.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/ascmagic.c 2021-04-06 21:34:57.332978922 +0200 -++++ libmagic/ascmagic.c 2022-06-16 13:39:41.570984700 +0200 - 
@@ -96,7 +96,7 @@ - rv = file_ascmagic_with_encoding(ms, &bb, - ubuf, ulen, code, type, text); -@@ -956,9 +956,9 @@ diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c - - return rv; - } --diff -ur libmagic.orig/buffer.c libmagic/buffer.c -+diff -u libmagic.orig/buffer.c libmagic/buffer.c - --- libmagic.orig/buffer.c 2021-02-23 01:49:26.000000000 +0100 --+++ libmagic/buffer.c 2021-04-06 21:34:57.332978922 +0200 -++++ libmagic/buffer.c 2021-09-21 13:27:27.982716100 +0200 - @@ -31,19 +31,23 @@ - #endif /* lint */ - -@@ -1012,9 +1012,9 @@ diff -ur libmagic.orig/buffer.c libmagic/buffer.c - b->ebuf = NULL; - goto out; - } --diff -ur libmagic.orig/cdf.c libmagic/cdf.c -+diff -u libmagic.orig/cdf.c libmagic/cdf.c - --- libmagic.orig/cdf.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/cdf.c 2021-04-06 21:34:57.332978922 +0200 -++++ libmagic/cdf.c 2021-09-21 13:27:27.983695600 +0200 - @@ -43,7 +43,17 @@ - #include - #endif -@@ -1247,9 +1247,9 @@ diff -ur libmagic.orig/cdf.c libmagic/cdf.c - } - - #endif --diff -ur libmagic.orig/cdf.h libmagic/cdf.h -+diff -u libmagic.orig/cdf.h libmagic/cdf.h - --- libmagic.orig/cdf.h 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/cdf.h 2021-04-06 21:34:57.332978922 +0200 -++++ libmagic/cdf.h 2021-09-21 13:27:27.984674900 +0200 - @@ -35,10 +35,10 @@ - #ifndef _H_CDF_ - #define _H_CDF_ -@@ -1264,9 +1264,9 @@ diff -ur libmagic.orig/cdf.h libmagic/cdf.h - #endif - #ifdef __DJGPP__ - #define timespec timeval --diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c -+diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c - --- libmagic.orig/cdf_time.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/cdf_time.c 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/cdf_time.c 2021-09-21 13:27:27.985654400 +0200 - 
@@ -23,6 +23,7 @@ - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. -@@ -1293,9 +1293,9 @@ diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c - if (ptr != NULL) - return buf; - (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", --diff -ur libmagic.orig/compress.c libmagic/compress.c -+diff -u libmagic.orig/compress.c libmagic/compress.c - --- libmagic.orig/compress.c 2021-02-23 01:49:07.000000000 +0100 --+++ libmagic/compress.c 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/compress.c 2022-06-16 13:39:41.586609800 +0200 - @@ -51,7 +51,7 @@ - #ifndef HAVE_SIG_T - typedef void (*sig_t)(int); -@@ -1430,9 +1430,9 @@ diff -ur libmagic.orig/compress.c libmagic/compress.c - } - #endif - +#endif --diff -ur libmagic.orig/der.c libmagic/der.c -+diff -u libmagic.orig/der.c libmagic/der.c - --- libmagic.orig/der.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/der.c 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/der.c 2022-06-16 13:39:41.586609800 +0200 - @@ -54,7 +54,9 @@ - #include "magic.h" - #include "der.h" -@@ -1443,9 +1443,9 @@ diff -ur libmagic.orig/der.c libmagic/der.c - #include - #include - #endif --diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h -+diff -u libmagic.orig/elfclass.h libmagic/elfclass.h - --- libmagic.orig/elfclass.h 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/elfclass.h 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/elfclass.h 2021-09-21 13:27:27.989571700 +0200 - 
@@ -41,7 +41,7 @@ - return toomany(ms, "program headers", phnum); - flags |= FLAGS_IS_CORE; -@@ -1473,9 +1473,9 @@ diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h - CAST(size_t, elf_getu16(swap, elfhdr.e_shentsize)), - fsize, elf_getu16(swap, elfhdr.e_machine), - CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), --diff -ur libmagic.orig/encoding.c libmagic/encoding.c -+diff -u libmagic.orig/encoding.c libmagic/encoding.c - --- libmagic.orig/encoding.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/encoding.c 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/encoding.c 2022-06-16 13:39:41.586609800 +0200 - @@ -98,14 +98,14 @@ - nbytes = ms->encoding_max; - -@@ -1514,9 +1514,9 @@ diff -ur libmagic.orig/encoding.c libmagic/encoding.c - } \ - if (u < 3) \ - return 0; \ --diff -ur libmagic.orig/file.h libmagic/file.h -+diff -u libmagic.orig/file.h libmagic/file.h - --- libmagic.orig/file.h 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/file.h 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/file.h 2022-06-16 13:39:41.586609800 +0200 - @@ -33,17 +33,14 @@ - #ifndef __file_h__ - #define __file_h__ -@@ -1775,9 +1775,9 @@ diff -ur libmagic.orig/file.h libmagic/file.h - +#endif - + - #endif /* __file_h__ */ --diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c -+diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c - --- libmagic.orig/fsmagic.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/fsmagic.c 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/fsmagic.c 2021-09-21 13:27:27.992511000 +0200 - 
@@ -66,26 +66,10 @@ - # define minor(dev) ((dev) & 0xff) - #endif -@@ -2068,9 +2068,9 @@ diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c - #ifdef S_IFSOCK - #ifndef __COHERENT__ - case S_IFSOCK: --diff -ur libmagic.orig/funcs.c libmagic/funcs.c -+diff -u libmagic.orig/funcs.c libmagic/funcs.c - --- libmagic.orig/funcs.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/funcs.c 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/funcs.c 2022-06-16 13:39:41.586609800 +0200 - @@ -51,6 +51,13 @@ - #define SIZE_MAX ((size_t)~0) - #endif -@@ -2388,9 +2388,9 @@ diff -ur libmagic.orig/funcs.c libmagic/funcs.c - - protected char * - file_strtrim(char *str) --diff -ur libmagic.orig/magic.c libmagic/magic.c -+diff -u libmagic.orig/magic.c libmagic/magic.c - --- libmagic.orig/magic.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/magic.c 2021-04-06 21:34:57.336978894 +0200 -++++ libmagic/magic.c 2022-06-16 13:39:41.586609800 +0200 - @@ -25,11 +25,6 @@ - * SUCH DAMAGE. - */ -@@ -2867,9 +2867,9 @@ diff -ur libmagic.orig/magic.c libmagic/magic.c - return NULL; - } - return file_getbuffer(ms); --diff -ur libmagic.orig/magic.h libmagic/magic.h ----- libmagic.orig/magic.h 2021-04-06 22:37:37.647426536 +0200 --+++ libmagic/magic.h 2021-04-06 21:34:57.336978894 +0200 -+diff -u libmagic.orig/magic.h libmagic/magic.h -+--- libmagic.orig/magic.h 2022-06-30 17:16:06.144009900 +0200 -++++ libmagic/magic.h 2022-06-16 13:39:41.586609800 +0200 - @@ -126,6 +126,7 @@ - - const char *magic_getpath(const char *, int); -@@ -2878,9 +2878,9 @@ diff -ur libmagic.orig/magic.h libmagic/magic.h - const char *magic_descriptor(magic_t, int); - const char *magic_buffer(magic_t, const void *, size_t); - --diff -ur libmagic.orig/print.c libmagic/print.c -+diff -u libmagic.orig/print.c libmagic/print.c - --- libmagic.orig/print.c 2021-02-23 01:49:07.000000000 +0100 --+++ libmagic/print.c 2021-04-06 21:34:57.340978869 +0200 -++++ libmagic/print.c 2021-09-21 13:27:27.998388700 +0200 - 
@@ -28,6 +28,7 @@ - /* - * print.c - debugging printout routines -@@ -2943,9 +2943,9 @@ diff -ur libmagic.orig/print.c libmagic/print.c - - if (pp == NULL) - goto out; --diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c -+diff -u libmagic.orig/readcdf.c libmagic/readcdf.c - --- libmagic.orig/readcdf.c 2021-02-23 01:49:08.000000000 +0100 --+++ libmagic/readcdf.c 2021-04-06 21:34:57.340978869 +0200 -++++ libmagic/readcdf.c 2021-09-21 13:27:27.999369100 +0200 - @@ -31,7 +31,11 @@ - - #include -@@ -3067,9 +3067,9 @@ diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c - out0: - /* If we handled it already, return */ - if (i != -1) --diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c -+diff -u libmagic.orig/softmagic.c libmagic/softmagic.c - --- libmagic.orig/softmagic.c 2021-02-23 01:49:06.000000000 +0100 --+++ libmagic/softmagic.c 2021-04-06 21:34:57.340978869 +0200 -++++ libmagic/softmagic.c 2022-06-30 16:58:15.521661800 +0200 - 
@@ -43,6 +43,10 @@ - #include - #include "der.h" -@@ -3247,7 +3247,29 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c - return rv; - } - --@@ -1845,15 +1847,15 @@ -+@@ -1531,11 +1533,7 @@ -+ size_t len; -+ *c = ms->c; -+ len = c->len * sizeof(*c->li); -+- ms->c.li = CAST(struct level_info *, malloc(len)); -+- if (ms->c.li == NULL) { -+- ms->c = *c; -+- return -1; -+- } -++ ms->c.li = CAST(struct level_info *, emalloc(len)); -+ memcpy(ms->c.li, c->li, len); -+ return 0; -+ } -+@@ -1543,7 +1541,7 @@ -+ private void -+ restore_cont(struct magic_set *ms, struct cont *c) -+ { -+- free(ms->c.li); -++ efree(ms->c.li); -+ ms->c = *c; -+ } -+ -+@@ -1845,15 +1843,15 @@ - if ((ms->flags & MAGIC_NODESC) == 0 && - file_printf(ms, F(ms, m->desc, "%u"), offset) == -1) - { -@@ -3266,7 +3288,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c - return rv; - - case FILE_USE: --@@ -1958,10 +1960,13 @@ -+@@ -1958,10 +1956,13 @@ - } - else if ((flags & STRING_COMPACT_WHITESPACE) && - isspace(*a)) { -@@ -3281,7 +3303,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c - b++; - } - else { --@@ -1997,6 +2002,60 @@ -+@@ -1997,6 +1998,60 @@ - return file_strncmp(a, b, len, maxlen, flags); - } - -@@ -3342,7 +3364,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c - private int - magiccheck(struct magic_set *ms, struct magic *m) - { --@@ -2176,65 +2235,77 @@ -+@@ -2176,65 +2231,77 @@ - break; - } - case FILE_REGEX: { -@@ -3471,9 +3493,9 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c - break; - } - case FILE_USE: --diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c -+diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c - --- libmagic.orig/strcasestr.c 2021-02-23 01:49:12.000000000 +0100 --+++ libmagic/strcasestr.c 2021-04-06 21:34:57.340978869 +0200 -++++ libmagic/strcasestr.c 2021-09-21 13:27:28.002306200 +0200 - 
@@ -39,6 +39,8 @@ - - #include "file.h" -@@ -3483,7 +3505,3 @@ diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c - #include - #include - #include ----- libmagic/config.h 2021-04-06 22:19:57.552120067 +0200 --+++ /dev/null 2021-03-31 20:37:24.776503884 +0200 --@@ -1 +0,0 @@ ---#include "php.h" -diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c -index c86524e31e..5132b4ddea 100644 ---- a/ext/fileinfo/libmagic/softmagic.c -+++ b/ext/fileinfo/libmagic/softmagic.c -@@ -1533,11 +1533,7 @@ save_cont(struct magic_set *ms, struct cont *c) - size_t len; - *c = ms->c; - len = c->len * sizeof(*c->li); -- ms->c.li = CAST(struct level_info *, malloc(len)); -- if (ms->c.li == NULL) { -- ms->c = *c; -- return -1; -- } -+ ms->c.li = CAST(struct level_info *, emalloc(len)); - memcpy(ms->c.li, c->li, len); - return 0; - } -@@ -1545,7 +1541,7 @@ save_cont(struct magic_set *ms, struct cont *c) - private void - restore_cont(struct magic_set *ms, struct cont *c) - { -- free(ms->c.li); -+ efree(ms->c.li); - ms->c = *c; - } - -diff --git a/ext/fileinfo/tests/bug81723.phpt b/ext/fileinfo/tests/bug81723.phpt -new file mode 100644 -index 0000000000..16bfb81f10 ---- /dev/null -+++ b/ext/fileinfo/tests/bug81723.phpt -@@ -0,0 +1,12 @@ -+--TEST-- -+Bug #81723 (Memory corruption in finfo_buffer()) -+--EXTENSIONS-- -+fileinfo -+--FILE-- -+ -+--EXPECT-- --- -2.27.0 - diff --git a/php-8.1.0-systzdata-v21.patch b/php-8.1.0-systzdata-v22.patch similarity index 86% rename from php-8.1.0-systzdata-v21.patch rename to php-8.1.0-systzdata-v22.patch index fb696217b35187d6bf865e1f00c5b33a5661ef14..d1c8d9096db5d5d9e3011e716ecb506c6ab24eda 100644 --- a/php-8.1.0-systzdata-v21.patch +++ b/php-8.1.0-systzdata-v22.patch 
@@ -5,6 +5,7 @@ Add support for use of the system timezone database, rather than embedding a copy. Discussed upstream but was not desired. History: +r22: retrieve tzdata version from /usr/share/zoneinfo/tzdata.zi r21: adapt for timelib 2021.03 (in 8.1.0) r20: adapt for timelib 2020.03 (in 8.0.10RC1) r19: adapt for timelib 2020.02 (in 8.0.0beta2) @@ -32,9 +33,10 @@ r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) r2: add filesystem trawl to set up name alias index r1: initial revision -diff -up php-8.0.0beta3/ext/date/config0.m4.systzdata php-8.0.0beta3/ext/date/config0.m4 ---- php-8.0.0beta3/ext/date/config0.m4.systzdata 2020-09-01 19:13:26.000000000 +0200 -+++ php-8.0.0beta3/ext/date/config0.m4 2020-09-02 08:07:51.039979873 +0200 +diff --git a/ext/date/config0.m4 b/ext/date/config0.m4 +index 18b8106bd2..3d1f63c758 100644 +--- a/ext/date/config0.m4 ++++ b/ext/date/config0.m4 @@ -4,6 +4,19 @@ AC_CHECK_HEADERS([io.h]) dnl Check for strtoll, atoll AC_CHECK_FUNCS(strtoll atoll) @@ -55,9 +57,10 @@ diff -up php-8.0.0beta3/ext/date/config0.m4.systzdata php-8.0.0beta3/ext/date/co PHP_DATE_CFLAGS="-Wno-implicit-fallthrough -I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1" timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c lib/parse_posix.c lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c" -diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/date/lib/parse_tz.c ---- php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata 2020-09-01 19:13:26.000000000 +0200 -+++ php-8.0.0beta3/ext/date/lib/parse_tz.c 2020-09-02 08:07:51.039979873 +0200 +diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c +index e41315efdb..4b6547c0a3 100644 +--- a/ext/date/lib/parse_tz.c ++++ b/ext/date/lib/parse_tz.c @@ -26,9 +26,22 @@ #include "timelib.h" #include "timelib_private.h" 
@@ -81,7 +84,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) # if defined(__LITTLE_ENDIAN__) -@@ -95,6 +108,11 @@ static int read_php_preamble(const unsig +@@ -95,6 +108,11 @@ static int read_php_preamble(const unsigned char **tzf, timelib_tzinfo *tz) { uint32_t version; @@ -93,7 +96,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat /* read ID */ version = (*tzf)[3] - '0'; *tzf += 4; -@@ -577,7 +595,429 @@ void timelib_dump_tzinfo(timelib_tzinfo +@@ -577,7 +595,467 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz) } } @@ -323,6 +326,44 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat + return timelib_strcasecmp(alpha->id, beta->id); +} + ++/* Retrieve tzdata version. */ ++static void retrieve_zone_version(timelib_tzdb *db) ++{ ++ static char buf[30]; ++ char path[PATH_MAX]; ++ FILE *fp; ++ ++ strncpy(path, ZONEINFO_PREFIX "/tzdata.zi", sizeof(path)); ++ ++ fp = fopen(path, "r"); ++ if (fp) { ++ if (fgets(buf, sizeof(buf), fp)) { ++ if (!memcmp(buf, "# version ", 10) && ++ isdigit(buf[10]) && ++ isdigit(buf[11]) && ++ isdigit(buf[12]) && ++ isdigit(buf[13]) && ++ islower(buf[14])) { ++ if (buf[14] >= 't') { /* 2022t = 2022.20 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 't' + '0'; ++ buf[15] = '2'; ++ } else if (buf[14] >= 'j') { /* 2022j = 2022.10 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 'j' + '0'; ++ buf[15] = '1'; ++ } else { /* 2022a = 2022.1 */ ++ buf[16] = 0; ++ buf[15] = buf[14] - 'a' + '1'; ++ } ++ buf[14] = '.'; ++ db->version = buf+10; ++ } ++ } ++ fclose(fp); ++ } ++} ++ + +/* Create the zone identifier index by trawling the filesystem. */ +static void create_zone_index(timelib_tzdb *db) 
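Review bot: In `retrieve_zone_version` the `isdigit()`/`islower()` calls receive plain `char` values read from `tzdata.zi`; where `char` is signed, a byte above 0x7f becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions. Cast each one, e.g. `isdigit((unsigned char)buf[10])`. The `strncpy` into `path` adds nothing, because the name is a compile-time literal and `strncpy` neither reports truncation nor guarantees termination; `fp = fopen(ZONEINFO_PREFIX "/tzdata.zi", "r");` is enough and `path` can be dropped. A short comment that `db->version` ends up pointing into the static `buf`, so the string lives for the whole process and the function is not reentrant, would also help; the only call visible on this page is in a later hunk of this patch.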
@@ -524,7 +565,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat { int left = 0, right = tzdb->index_size - 1; -@@ -603,9 +1043,48 @@ static int seek_to_tz_position(const uns +@@ -603,9 +1081,49 @@ static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, return 0; } @@ -561,6 +602,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat + tmp->version = "0.system"; + tmp->data = NULL; + create_zone_index(tmp); ++ retrieve_zone_version(tmp); + system_location_table = create_location_table(); + fake_data_segment(tmp, system_location_table); + timezonedb_system = tmp; @@ -573,7 +615,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat } const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count) -@@ -617,7 +1096,30 @@ const timelib_tzdb_index_entry *timelib_ +@@ -617,7 +1135,30 @@ const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_ int timelib_timezone_id_is_valid(const char *timezone, const timelib_tzdb *tzdb) { const unsigned char *tzf; @@ -605,7 +647,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat } static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz) -@@ -662,6 +1164,8 @@ static timelib_tzinfo* timelib_tzinfo_ct +@@ -662,6 +1203,8 @@ static timelib_tzinfo* timelib_tzinfo_ctor(const char *name) timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *tzdb, int *error_code) { const unsigned char *tzf; @@ -614,7 +656,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat timelib_tzinfo *tmp; int version; int transitions_result, types_result; -@@ -669,7 +1173,7 @@ timelib_tzinfo *timelib_parse_tzfile(con +@@ -669,7 +1212,7 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t *error_code = TIMELIB_ERROR_NO_ERROR; 
@@ -623,7 +665,7 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat tmp = timelib_tzinfo_ctor(timezone); version = read_preamble(&tzf, tmp, &type); -@@ -712,11 +1216,36 @@ timelib_tzinfo *timelib_parse_tzfile(con +@@ -712,11 +1255,36 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t return NULL; } @@ -660,3 +702,19 @@ diff -up php-8.0.0beta3/ext/date/lib/parse_tz.c.systzdata php-8.0.0beta3/ext/dat } else { *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE; tmp = NULL; +diff --git a/ext/date/php_date.c b/ext/date/php_date.c +index cf4a11b8a2..cd49abc78d 100644 +--- a/ext/date/php_date.c ++++ b/ext/date/php_date.c +@@ -457,7 +457,11 @@ PHP_MINFO_FUNCTION(date) + php_info_print_table_row(2, "date/time support", "enabled"); + php_info_print_table_row(2, "timelib version", TIMELIB_ASCII_VERSION); + php_info_print_table_row(2, "\"Olson\" Timezone Database Version", tzdb->version); ++#ifdef HAVE_SYSTEM_TZDATA ++ php_info_print_table_row(2, "Timezone Database", "system"); ++#else + php_info_print_table_row(2, "Timezone Database", php_date_global_timezone_db_enabled ? "external" : "internal"); ++#endif + php_info_print_table_row(2, "Default timezone", guess_timezone(tzdb)); + php_info_print_table_end(); + diff --git a/php-8.1.1.tar.xz b/php-8.1.10.tar.xz similarity index 59% rename from php-8.1.1.tar.xz rename to php-8.1.10.tar.xz index 55b8028d631fc0fc4d9ba34835a61322d3c78799..28a7ba957de37aa5aea63fe0f5105250ed50581d 100644 Binary files a/php-8.1.1.tar.xz and b/php-8.1.10.tar.xz differ diff --git a/php.modconf b/php.modconf index 3377f720fa8d8ef634a028616ec11951d69c2b79..e70ec59ca7e27c7a7fa2af91b8795467d39fffb2 100644 --- a/php.modconf +++ b/php.modconf @@ -6,7 +6,7 @@ # Cannot load both php5 and php7 modules - LoadModule php7_module modules/libphp7.so + LoadModule php7_module modules/libphp.so 
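Review bot: The changed `LoadModule` line in `php.modconf` now points at `modules/libphp.so` but still names the module structure `php7_module`. Upstream PHP 8 renamed the apache2handler module to `php_module`, so unless one of the packaged patches keeps the old symbol, httpd would fail to load the module at startup; this should be checked against the built `libphp.so`. If the symbol is the upstream one, the line should read `LoadModule php_module modules/libphp.so`, and the comment "Cannot load both php5 and php7 modules" plus any guards around it, which are not visible in this hunk, should be updated to match.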
diff --git a/php.spec b/php.spec index a31a0d35982872bb2b7c2ff50ba638e313d92281..7dc8cfe301616ac6380b7a63dd62c3ad6f692e70 100644 --- a/php.spec +++ b/php.spec @@ -20,13 +20,13 @@ %global with_firebird 0 %global with_imap 0 %global with_freetds 0 -%global with_sodium 0 +%global with_sodium 1 %global with_pspell 0 -%global upver 8.1.1 +%global upver 8.1.10 Name: php Version: %{upver} -Release: 5 +Release: 1 Summary: PHP scripting language for creating dynamic web sites License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and Boost URL: http://www.php.net/ @@ -51,15 +51,11 @@ Patch0: php-7.4.0-httpd.patch Patch1: php-7.2.0-includedir.patch Patch2: php-8.0.0-embed.patch Patch3: php-8.1.0-parser.patch -Patch4: php-8.1.0-systzdata-v21.patch +Patch4: php-8.1.0-systzdata-v22.patch Patch5: php-7.4.0-phpize.patch Patch6: php-7.4.0-ldap_r.patch Patch7: php-8.1.0-phpinfo.patch Patch8: php-7.4.0-datetests.patch -Patch9: backport-CVE-2021-21708-Fix-81708.patch -Patch10: backport-CVE-2022-31625.patch -Patch11: backport-CVE-2022-31626.patch -Patch12: backport-CVE-2022-31627.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel @@ -114,7 +110,6 @@ The php-dbg package contains the interactive PHP debugger. Summary: PHP FastCGI Process Manager BuildRequires: libacl-devel Requires: php-common%{?_isa} = %{version}-%{release} -Requires(pre): /usr/sbin/useradd BuildRequires: systemd-devel %{?systemd_requires} Requires(pre): httpd-filesystem @@ -458,7 +453,7 @@ support for using the enchant library to PHP. %package sodium Summary: Wrapper for the Sodium cryptographic library License: PHP -BuildRequires: pkgconfig(libsodium) >= 1.0.9 +BuildRequires: pkgconfig(libsodium) >= 1.0.8 Requires: php-common%{?_isa} = %{version}-%{release} Obsoletes: php-pecl-libsodium2 < 3 
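Review bot: Patch9 through Patch12 (the backports for CVE-2021-21708, CVE-2022-31625, CVE-2022-31626 and CVE-2022-31627) are dropped in the `@@ -51,15 +51,11 @@` hunk, but the new `%changelog` entry says nothing about them. Presumably the 8.1.10 tarball already carries these fixes; that should be confirmed against the upstream release notes and recorded, for example `- Drop backported CVE patches, included in upstream 8.1.10`, so a later audit of the package history does not read the removal as a security regression. If `%prep` applies patches by number, the matching `%patch9` to `%patch12` lines have to go as well; that part of the spec is outside the lines shown here.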
@@ -586,9 +581,9 @@ ln -sf ../configure --enable-rtld-now \ --cache-file=../config.cache --with-libdir=%{_lib} --with-config-file-path=%{_sysconfdir} \ --with-config-file-scan-dir=%{_sysconfdir}/php.d --disable-debug --with-pic --disable-rpath \ - --without-pear --with-exec-dir=%{_bindir} --without-gdbm --with-openssl \ - --with-system-ciphers --with-pcre-regex=%{_prefix} --with-zlib --with-layout=GNU --with-kerberos \ - --with-libxml-dir=%{_prefix} --with-system-tzdata --with-mhash \ + --without-pear --without-gdbm --with-openssl \ + --with-system-ciphers --with-zlib --with-layout=GNU --with-kerberos \ + --with-system-tzdata --with-mhash \ %ifarch riscv64 --without-pcre-jit \ %endif @@ -660,7 +655,7 @@ build --libdir=%{_libdir}/php --enable-pcntl --enable-opcache --enable-phpdbg \ --enable-intl=shared --with-enchant=shared,%{_prefix} popd -without_shared="--without-gd --disable-dom --disable-dba --without-unixODBC --disable-opcache \ +without_shared="--disable-gd --disable-dom --disable-dba --without-unixODBC --disable-opcache \ --disable-opcache --disable-phpdbg --without-ffi \ --disable-xmlreader --disable-xmlwriter --without-sodium --without-sqlite3 --disable-phar --disable-fileinfo \ --without-pspell --without-curl --disable-posix --disable-xml --disable-simplexml --disable-exif \ @@ -1093,6 +1088,12 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Sat Sep 17 2022 Funda Wang - 8.1.10-1 +- New version 8.1.10 +- Sync systzdata with remi's php repo +- enable libsodium sub package +- cleanup unused build switches + * Tue Jul 12 2022 Hugel - 8.1.1-5 - Fix CVE-2022-31627