diff --git a/CVE-2018-19518.patch b/CVE-2018-19518.patch
deleted file mode 100644
index 1737830bf07bde2c2d0ea290992eaf3dc4be78aa..0000000000000000000000000000000000000000
--- a/CVE-2018-19518.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -From 336d2086a9189006909ae06c7e95902d7d5ff77e Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 18 Nov 2018 17:10:43 -0800 -Subject: [PATCH] Disable rsh/ssh functionality in imap by default (bug #77153) - ---- - NEWS | 4 ++++ - UPGRADING | 7 +++++++ - ext/imap/php_imap.c | 17 +++++++++++++++++ - ext/imap/php_imap.h | 1 + - ext/imap/tests/bug77153.phpt | 24 ++++++++++++++++++++++++ - 5 files changed, 53 insertions(+) - create mode 100644 ext/imap/tests/bug77153.phpt - -index ec2d8f46ed..52968a3857 100644 - -diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c -index e1adcf2264..42e7d8611c 100644 ---- a/ext/imap/php_imap.c -+++ b/ext/imap/php_imap.c -@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = { - }; - /* }}} */ - -+ -+/* {{{ PHP_INI -+ */ -+PHP_INI_BEGIN() -+STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals) -+PHP_INI_END() -+/* }}} */ -+ -+ - /* {{{ imap_module_entry - */ - zend_module_entry imap_module_entry = { -@@ -832,6 +841,8 @@ PHP_MINIT_FUNCTION(imap) - { - unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY; - -+ REGISTER_INI_ENTRIES(); -+ - #ifndef PHP_WIN32 - mail_link(&unixdriver); /* link in the unix driver */ - mail_link(&mhdriver); /* link in the mh driver */ -@@ -1049,6 +1060,12 @@ PHP_MINIT_FUNCTION(imap) - GC_TEXTS texts - */ - -+ if (!IMAPG(enable_rsh)) { -+ /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */ -+ mail_parameters (NIL, SET_RSHTIMEOUT, 0); -+ mail_parameters (NIL, SET_SSHTIMEOUT, 0); -+ } -+ - le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number); - return SUCCESS; - } -diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h -index 7691d1fdd7..556163ed2d 100644 ---- a/ext/imap/php_imap.h -+++ b/ext/imap/php_imap.h -@@ -231,6 +231,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap) - #endif - /* php_stream for php_mail_gets() */ - 
php_stream *gets_stream; -+ zend_bool enable_rsh; - ZEND_END_MODULE_GLOBALS(imap) - - #ifdef ZTS -diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt -new file mode 100644 -index 0000000000..63590aee1d ---- /dev/null -+++ b/ext/imap/tests/bug77153.phpt -@@ -0,0 +1,24 @@ -+--TEST-- -+Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter) -+--SKIPIF-- -+ -+--FILE-- -+ " . __DIR__ . '/__bug'; -+$payloadb64 = base64_encode($payload); -+$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}"; -+@imap_open('{'.$server.':143/imap}INBOX', '', ''); -+// clean -+imap_errors(); -+var_dump(file_exists(__DIR__ . '/__bug')); -+?> -+--EXPECT-- -+bool(false) -+--CLEAN-- -+ -\ No newline at end of file --- -2.11.0 diff --git a/CVE-2018-19935.patch b/CVE-2018-19935.patch deleted file mode 100644 index 14d72fcbfa4c62a075eeda25467ab5347a40f323..0000000000000000000000000000000000000000 --- a/CVE-2018-19935.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 3329e30a0c631753980757045ddfcc7b356a34a2 Mon Sep 17 00:00:00 2001 -Date: Wed, 4 Dec 2019 17:50:56 +0800 -Subject: Fix #77020: null pointer dereference in imap_mail - -If an empty $message is passed to imap_mail(), we must not set message -to NULL, since _php_imap_mail() is not supposed to handle NULL pointers -(opposed to pointers to NUL). - ---- - ext/imap/php_imap.c | 1 - - ext/imap/tests/bug77020.phpt | 15 +++++++++++++++ - 2 files changed, 15 insertions(+), 1 deletion(-) - create mode 100644 php-7.2.10/ext/imap/tests/bug77020.phpt - -diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c -index e1adcf22..56126a0c 100644 ---- a/ext/imap/php_imap.c -+++ b/ext/imap/php_imap.c -@@ -4106,7 +4106,6 @@ PHP_FUNCTION(imap_mail) - if (!ZSTR_LEN(message)) { - /* this is not really an error, so it is allowed. */ - php_error_docref(NULL, E_WARNING, "No message string in mail command"); -- message = NULL; - } - - if (_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), headers?ZSTR_VAL(headers):NULL, cc?ZSTR_VAL(cc):NULL, -diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt -new file mode 100644 -index 00000000..76386a09 ---- /dev/null -+++ b/ext/imap/tests/bug77020.phpt -@@ -0,0 +1,15 @@ -+ --TEST-- -+Bug #77020 (null pointer dereference in imap_mail) -+--SKIPIF-- -+ -+--FILE-- -+ -+===DONE=== -+--EXPECTF-- -+Warning: imap_mail(): No message string in mail command in %s on line %d -+%s -+===DONE=== --- -2.19.1 - diff --git a/CVE-2019-11034.patch b/CVE-2019-11034.patch deleted file mode 100644 index 8bf5c9dea0bb647e8c36074e1ab1167911fc0852..0000000000000000000000000000000000000000 --- a/CVE-2019-11034.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From f3aefc6d071b807ddacae0a0bc49f09c38e18490 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 17 Mar 2019 22:54:46 -0700 -Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s - ---- - ext/exif/exif.c | 4 ++++ - ext/exif/tests/bug77753.phpt | 16 ++++++++++++++++ - ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes - 3 files changed, 20 insertions(+) - create mode 100644 ext/exif/tests/bug77753.phpt - create mode 100644 ext/exif/tests/bug77753.tiff - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index fe89b85..0b5bb5a 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -2802,6 +2802,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu - exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len); - return FALSE; - } -+ if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) { -+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len); -+ return FALSE; -+ } - - for (de=0;de -+--FILE-- -+ -+DONE -+--EXPECTF-- -+%A -+Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d -+ -+Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d -+bool(false) -+DONE -\ No newline at end of file - --- -2.1.4 - diff --git a/CVE-2019-11035.patch b/CVE-2019-11035.patch deleted file mode 100644 index cdd334f0f67ba414239f4fc901d2d9125967019f..0000000000000000000000000000000000000000 --- a/CVE-2019-11035.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From 887a7b571407f7a49a5e7cf1e612d21ef83fedb4 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 2 Apr 2019 00:12:26 -0700 -Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value - in EXIF - ---- - NEWS | 1 + - ext/exif/exif.c | 43 ++++++++++++++++++++++++++++--------------- - ext/exif/tests/bug77831.phpt | 13 +++++++++++++ - ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes - 4 files changed, 42 insertions(+), 15 deletions(-) - create mode 100644 ext/exif/tests/bug77831.phpt - create mode 100644 ext/exif/tests/bug77831.tiff - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index 0b5bb5a..408bf03 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -1654,10 +1654,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo) - /* {{{ exif_iif_add_value - Add a value to image_info - */ --static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel) -+static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel) - { - size_t idex; -- void *vptr; -+ void *vptr, *vptr_end; - image_info_value *info_value; - image_info_data *info_data; - image_info_data *list; -@@ -1679,8 +1679,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c - - switch (format) { - case TAG_FMT_STRING: -+ if (length > value_len) { -+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); -+ value = NULL; -+ } - if (value) { -- length = php_strnlen(value, length); -+ length = (int)php_strnlen(value, length); - info_value->s = estrndup(value, length); - info_data->length = length; - } else { -@@ -1702,6 +1706,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c - if (!length) - break; - case 
TAG_FMT_UNDEFINED: -+ if (length > value_len) { -+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); -+ value = NULL; -+ } - if (value) { - if (tag == TAG_MAKER_NOTE) { - length = (int) php_strnlen(value, length); -@@ -1732,7 +1740,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c - } else { - info_value = &info_data->value; - } -+ vptr_end = value+value_len; - for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) { -+ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) { -+ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short"); -+ break; -+ } - if (length>1) { - info_value = &info_data->value.list[idex]; - } -@@ -1768,7 +1781,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c - php_error_docref(NULL, E_WARNING, "Found value of type single"); - #endif - info_value->f = *(float *)value; -- -+ break; - case TAG_FMT_DOUBLE: - #ifdef EXIF_DEBUG - php_error_docref(NULL, E_WARNING, "Found value of type double"); -@@ -1786,9 +1799,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c - /* {{{ exif_iif_add_tag - Add a tag from IFD to image_info - */ --static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value) -+static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len) - { -- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel); -+ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel); - } - /* }}} */ - -@@ -2209,7 +2222,7 @@ static void add_assoc_image_info(zval *value, int sub_array, 
image_info_type *im - */ - static void exif_process_COM (image_info_type *image_info, char *value, size_t length) - { -- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2); -+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2); - } - /* }}} */ - -@@ -2224,17 +2237,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l - if (length>3) { - switch(value[2]) { - case 0: -- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value); -+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length; - break; - case 1: -- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value); -+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length); - break; - default: - php_error_docref(NULL, E_NOTICE, "Undefined JPEG2000 comment encoding"); - break; - } - } else { -- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL); -+ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0); - php_error_docref(NULL, E_NOTICE, "JPEG2000 comment section too small"); - } - } -@@ -2827,7 +2840,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu - static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table) - { - size_t length; -- int tag, format, components; -+ unsigned int tag, format, components; - char *value_ptr, tagname[64], cbuf[32], *outside=NULL; - size_t byte_count, offset_val, fpos, fgot; - int64_t byte_count_signed; -@@ -3138,7 +3151,7 @@ 
static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha - } - } - } -- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr); -+ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count); - EFREE_IF(outside); - return TRUE; - } -@@ -3296,10 +3309,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t - size_t l1, l2=0; - - if ((l1 = php_strnlen(buffer+2, length-2)) > 0) { -- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2); -+ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1); - if (length > 2+l1+1) { - l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1); -- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1); -+ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2); - } - } - #ifdef EXIF_DEBUG -@@ -4100,7 +4113,7 @@ PHP_FUNCTION(exif_read_data) - if (ImageInfo.Thumbnail.size) { - if (read_thumbnail) { - /* not exif_iif_add_str : this is a buffer */ -- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data); -+ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); - } - if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { - /* try to evaluate if thumbnail data is present */ -diff --git a/ext/exif/tests/bug77831.phpt b/ext/exif/tests/bug77831.phpt -new file mode 100644 -index 0000000..d868d47 ---- /dev/null -+++ b/ext/exif/tests/bug77831.phpt -@@ -0,0 +1,13 @@ -+--TEST-- -+Bug #77831 (Heap-buffer-overflow in exif_iif_add_value in EXIF) -+--SKIPIF-- -+ 
-+--FILE-- -+ -+DONE -+--EXPECTF-- -+%A -+bool(false) -+DONE -\ No newline at end of file - --- -2.1.4 - diff --git a/CVE-2019-11036.patch b/CVE-2019-11036.patch deleted file mode 100644 index 34861d738e688ce6957d1d62cea673e90a810740..0000000000000000000000000000000000000000 --- a/CVE-2019-11036.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f80ad18afae2230c2c1802c7d829100af646874e Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 29 Apr 2019 23:38:12 -0700 -Subject: [PATCH] Fix bug #77950 - Heap-buffer-overflow in _estrndup via - exif_process_IFD_TAG - -I do not completely understand what is going on there, but I am pretty -sure dir_entry <= offset_base if not a normal situation, so we better not -to rely on such dir_entry. ---- - ext/exif/exif.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index a763f6c..d174def 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -2891,7 +2891,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha - offset_base is ImageInfo->file.list[sn].data-dir_offset - dir_entry - offset_base is dir_offset+2+i*12 - */ -- if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) { -+ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) { - /* It is important to check for IMAGE_FILETYPE_TIFF - * JPEG does not use absolute pointers instead its pointers are - * relative to the start of the TIFF header in APP1 section. */ - diff --git a/CVE-2019-11041.patch b/CVE-2019-11041.patch deleted file mode 100644 index 4158d7b5d970c2d3ae22a859297df8a74a965c32..0000000000000000000000000000000000000000 --- a/CVE-2019-11041.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From dea2989ab8ba87a6180af497b2efaf0527e985c5 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 7 Jul 2019 17:01:01 -0700 -Subject: [PATCH] Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail) - ---- - ext/exif/exif.c | 2 +- - ext/exif/tests/bug78222.phpt | 11 +++++++++++ - 2 files changed, 12 insertions(+), 1 deletion(-) - create mode 100644 ext/exif/tests/bug78222.phpt - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index 605b37923f..cd7975a9f5 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3498,7 +3498,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) - size_t length=2, pos=0; - jpeg_sof_info sof_info; - -- if (!data) { -+ if (!data || ImageInfo->Thumbnail.size < 4) { - return FALSE; /* nothing to do here */ - } - if (memcmp(data, "\xFF\xD8\xFF", 3)) { -diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt -new file mode 100644 -index 0000000000..0e4ead33e4 ---- /dev/null -+++ b/ext/exif/tests/bug78222.phpt -@@ -0,0 +1,11 @@ -+--TEST-- -+Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail) -+--SKIPIF-- -+ -+--FILE-- -+ -+DONE -+--EXPECTF-- -+DONE -\ No newline at end of file --- -2.21.0 - diff --git a/CVE-2019-11042.patch b/CVE-2019-11042.patch deleted file mode 100644 index 3d217e535ce589e2c77d3109e7032bdb1deaa5ac..0000000000000000000000000000000000000000 --- a/CVE-2019-11042.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 99b7ef940e04cd273d03c5fa93bf182db2d7ce8d Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 7 Jul 2019 17:39:59 -0700 -Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on - exif_process_user_comment) - ---- - ext/exif/exif.c | 4 ++-- - ext/exif/tests/bug78256.phpt | 11 +++++++++++ - 2 files changed, 13 insertions(+), 2 deletions(-) - create mode 100644 ext/exif/tests/bug78256.phpt - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index 77a11300..a80f2c2a 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3040,11 +3040,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP - /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) - * since we have no encoding support for the BOM yet we skip that. - */ -- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { -+ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) { - decode = "UCS-2BE"; - szValuePtr = szValuePtr+2; - ByteCount -= 2; -- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) { -+ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) { - decode = "UCS-2LE"; - szValuePtr = szValuePtr+2; - ByteCount -= 2; -diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt -new file mode 100644 -index 00000000..37a3f1d8 ---- /dev/null -+++ b/ext/exif/tests/bug78256.phpt -@@ -0,0 +1,11 @@ -+--TEST-- -+Bug #78256 (heap-buffer-overflow on exif_process_user_comment) -+--SKIPIF-- -+ -+--FILE-- -+ -+DONE -+--EXPECTF-- -+DONE -\ No newline at end of file --- -2.21.0 - diff --git a/CVE-2019-11043.patch b/CVE-2019-11043.patch deleted file mode 100644 index 89e3b10b27c6f7d1f80bc106c7228dc958928697..0000000000000000000000000000000000000000 --- a/CVE-2019-11043.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From ab061f95ca966731b1c84cf5b7b20155c0a1c06a Mon Sep 17 00:00:00 2001 -From: Jakub Zelenka -Date: Sat, 12 Oct 2019 15:56:16 +0100 -Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE) - (CVE-2019-11043) - ---- - sapi/fpm/fpm/fpm_main.c | 4 +- - .../tests/bug78599-path-info-underflow.phpt | 61 +++++++++++++++++++ - sapi/fpm/tests/tester.inc | 11 +++- - 3 files changed, 72 insertions(+), 4 deletions(-) - create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt - -diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c -index 24a7e5d56ac6..50f92981f1fb 100644 ---- a/sapi/fpm/fpm/fpm_main.c -+++ b/sapi/fpm/fpm/fpm_main.c -@@ -1209,8 +1209,8 @@ static void init_request_info(void) - path_info = script_path_translated + ptlen; - tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0)); - } else { -- path_info = env_path_info ? env_path_info + pilen - slen : NULL; -- tflag = (orig_path_info != path_info); -+ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL; -+ tflag = path_info && (orig_path_info != path_info); - } - - if (tflag) { -diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt -new file mode 100644 -index 000000000000..edd4e0d49699 ---- /dev/null -+++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt -@@ -0,0 +1,61 @@ -+--TEST-- -+FPM: bug78599 - env_path_info underflow - CVE-2019-11043 -+--SKIPIF-- -+ -+--FILE-- -+start(); -+$tester->expectLogStartNotices(); -+$uri = $tester->makeSourceFile(); -+$tester -+ ->request( -+ '', -+ [ -+ 'SCRIPT_FILENAME' => $uri . "/" . 
str_repeat('A', 35), -+ 'PATH_INFO' => '', -+ 'HTTP_HUI' => str_repeat('PTEST', 1000), -+ ], -+ $uri -+ ) -+ ->expectBody( -+ [ -+ 'Test Start', -+ 'string(0) ""', -+ 'Test End' -+ ] -+ ); -+$tester->terminate(); -+$tester->close(); -+ -+?> -+Done -+--EXPECT-- -+Done -+--CLEAN-- -+ -diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc -index 70c03ad70f1c..3b6702866cc1 100644 ---- a/sapi/fpm/tests/tester.inc -+++ b/sapi/fpm/tests/tester.inc -@@ -513,7 +513,7 @@ class Tester - return new Response(null, true); - } - if (is_null($uri)) { -- $uri = $this->makeFile('src.php', $this->code); -+ $uri = $this->makeSourceFile(); - } - - $params = array_merge( -@@ -538,7 +538,6 @@ class Tester - ], - $headers - ); -- - try { - $this->response = new Response( - $this->getClient($address, $connKeepAlive)->request_data($params, false) -@@ -944,6 +943,14 @@ class Tester - return $filePath; - } - -+ /** -+ * @return string -+ */ -+ public function makeSourceFile() -+ { -+ return $this->makeFile('src.php', $this->code); -+ } -+ - /** - * @param string|null $msg - */ diff --git a/CVE-2019-11045.patch b/CVE-2019-11045.patch deleted file mode 100644 index f86e68c63ca8d2aa90e7a52df239b499d2d35236..0000000000000000000000000000000000000000 --- a/CVE-2019-11045.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From a5a15965da23c8e97657278fc8dfbf1dfb20c016 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Mon, 25 Nov 2019 16:56:34 +0100 -Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after - a null byte - -Since the constructor of DirectoryIterator and friends is supposed to -accepts paths (i.e. strings without NUL bytes), we must not accept -arbitrary strings. ---- - ext/spl/spl_directory.c | 4 ++-- - ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++ - 2 files changed, 33 insertions(+), 2 deletions(-) - create mode 100644 ext/spl/tests/bug78863.phpt - -diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c -index 91ea2e0265..56e809b1c7 100644 ---- a/ext/spl/spl_directory.c -+++ b/ext/spl/spl_directory.c -@@ -701,10 +701,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto - - if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { - flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; -- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags); -+ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags); - } else { - flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; -- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len); -+ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len); - } - if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) { - flags |= SPL_FILE_DIR_SKIPDOTS; -diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt -new file mode 100644 -index 0000000000..dc88d98dee ---- /dev/null -+++ b/ext/spl/tests/bug78863.phpt -@@ -0,0 +1,31 @@ -+--TEST-- -+Bug #78863 (DirectoryIterator class silently truncates after a null byte) -+--FILE-- -+isDot()) { -+ var_dump($fileinfo->getFilename()); -+ } -+} -+?> -+--EXPECTF-- -+Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in 
%s:%d -+Stack trace: -+#0 %s(%d): DirectoryIterator->__construct('%s') -+#1 {main} -+ thrown in %s on line %d -+--CLEAN-- -+ --- -2.19.1 - diff --git a/CVE-2019-11046.patch b/CVE-2019-11046.patch deleted file mode 100644 index b7963df7117c88bd7a5cb17c5609750bae4ab9af..0000000000000000000000000000000000000000 --- a/CVE-2019-11046.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From eb23c6008753b1cdc5359dead3a096dce46c9018 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Sat, 30 Nov 2019 12:26:37 +0100 -Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub - -We must not rely on `isdigit()` to detect digits, since we only support -decimal ASCII digits in the following processing. ---- - ext/bcmath/libbcmath/src/str2num.c | 4 ++-- - ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++ - 2 files changed, 15 insertions(+), 2 deletions(-) - create mode 100644 ext/bcmath/tests/bug78878.phpt - -diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c -index f38d341570..03aec15930 100644 ---- a/ext/bcmath/libbcmath/src/str2num.c -+++ b/ext/bcmath/libbcmath/src/str2num.c -@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale) - zero_int = FALSE; - if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ - while (*ptr == '0') ptr++; /* Skip leading zeros. */ -- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ -+ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ - if (*ptr == '.') ptr++; /* decimal point */ -- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ -+ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ - if ((*ptr != '\0') || (digits+strscale == 0)) - { - *num = bc_copy_num (BCG(_zero_)); -diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt -new file mode 100644 -index 0000000000..2c9d72b946 ---- /dev/null -+++ b/ext/bcmath/tests/bug78878.phpt -@@ -0,0 +1,13 @@ -+--TEST-- -+Bug #78878 (Buffer underflow in bc_shift_addsub) -+--SKIPIF-- -+ -+--FILE-- -+ -+--EXPECT-- -+bc math warning: non-zero scale in modulus -+0 --- -2.19.1 - diff --git a/CVE-2019-11047.patch b/CVE-2019-11047.patch deleted file mode 100644 index 3c52d1bf11b08e215852c6f70028c3e03af55684..0000000000000000000000000000000000000000 --- a/CVE-2019-11047.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From d348cfb96f2543565691010ade5e0346338be5a7 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 16 Dec 2019 00:10:39 -0800 -Subject: [PATCH] Fixed bug #78910 - ---- - ext/exif/exif.c | 3 ++- - ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++ - 2 files changed, 19 insertions(+), 1 deletion(-) - create mode 100644 ext/exif/tests/bug78910.phpt - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index f961f44a46c..c0be05922fb 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3154,7 +3154,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu - continue; - if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) - continue; -- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) -+ if (maker_note->id_string && value_len >= maker_note->id_string_len -+ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) - continue; - break; - } -diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt -new file mode 100644 -index 00000000000..f5b1c32c1bd ---- /dev/null -+++ b/ext/exif/tests/bug78910.phpt -@@ -0,0 +1,17 @@ -+--TEST-- -+Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044) -+--FILE-- -+ -+--EXPECTF-- -+Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d -+ -+Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d -+ -+Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d -+ -+Warning: exif_read_data(): Invalid TIFF file in %s on line %d -+bool(false) --- -2.11.0 diff --git a/CVE-2019-11048.patch b/CVE-2019-11048.patch deleted file mode 100644 index d5849a59b51857fe90cdea6dc0e3d1b909557c97..0000000000000000000000000000000000000000 --- a/CVE-2019-11048.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Wed, 18 Mar 2020 10:26:53 +0100 -Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not - cleaned - -We must not cast `size_t` to `int` (unless the `size_t` value is -guaranteed to be less than or equal to `INT_MAX`). In this case we can -declare `array_len` as `size_t` in the first place. ---- - main/rfc1867.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/main/rfc1867.c b/main/rfc1867.c -index bd01b34cf070..783eab4175d5 100644 ---- a/main/rfc1867.c -+++ b/main/rfc1867.c -@@ -692,7 +692,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ - char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; - char *lbuf = NULL, *abuf = NULL; - zend_string *temp_filename = NULL; -- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; -+ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0; -+ size_t array_len = 0; - int64_t total_bytes = 0, max_file_size = 0; - int skip_upload = 0, anonindex = 0, is_anonymous; - HashTable *uploaded_files = NULL; -@@ -1126,7 +1127,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ - is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']'); - - if (is_arr_upload) { -- array_len = (int)strlen(start_arr); -+ array_len = strlen(start_arr); - if (array_index) { - efree(array_index); - } diff --git a/CVE-2019-11050.patch b/CVE-2019-11050.patch deleted file mode 100644 index 9122d878dccb2b9b1c80fe7500fa215568fa4603..0000000000000000000000000000000000000000 --- a/CVE-2019-11050.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 16 Dec 2019 01:14:38 -0800 -Subject: [PATCH] Fix bug #78793 - ---- - ext/exif/exif.c | 5 +++-- - ext/exif/tests/bug78793.phpt | 12 ++++++++++++ - 2 files changed, 15 insertions(+), 2 deletions(-) - create mode 100644 ext/exif/tests/bug78793.phpt - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index c0be05922f..7fe055f381 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3235,8 +3235,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu - } - - for (de=0;detag_table)) { -+ size_t offset = 2 + 12 * de; -+ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset, -+ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) { - return FALSE; - } - } -diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt -new file mode 100644 -index 0000000000..033f255ace ---- /dev/null -+++ b/ext/exif/tests/bug78793.phpt -@@ -0,0 +1,12 @@ -+--TEST-- -+Bug #78793: Use-after-free in exif parsing under memory sanitizer -+--FILE-- -+ -+===DONE=== -+--EXPECT-- -+===DONE=== --- -2.19.1 - diff --git a/CVE-2019-6977.patch b/CVE-2019-6977.patch deleted file mode 100644 index a72f65ee5294a0b36dd29f54066a0dfef0ba7b17..0000000000000000000000000000000000000000 --- a/CVE-2019-6977.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From a15af81b5f0058e020eda0f109f51a3c863f5212 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Sun, 30 Dec 2018 13:59:26 +0100 -Subject: [PATCH] Fix #77270: imagecolormatch Out Of Bounds Write on Heap - -At least some of the image reading functions may return images which -use color indexes greater than or equal to im->colorsTotal. We cater -to this by always using a buffer size which is sufficient for -`gdMaxColors` in `gdImageColorMatch()`. - -(cherry picked from commit 7a12dad4dd6c370835b13afae214b240082c7538) ---- - NEWS | 1 + - ext/gd/libgd/gd_color_match.c | 4 ++-- - ext/gd/tests/bug77270.phpt | 18 ++++++++++++++++++ - 3 files changed, 21 insertions(+), 2 deletions(-) - create mode 100644 ext/gd/tests/bug77270.phpt - -diff --git a/ext/gd/libgd/gd_color_match.c b/ext/gd/libgd/gd_color_match.c -index a4e56b1c40..e6f539bc75 100644 ---- a/ext/gd/libgd/gd_color_match.c -+++ b/ext/gd/libgd/gd_color_match.c -@@ -33,8 +33,8 @@ int gdImageColorMatch (gdImagePtr im1, gdImagePtr im2) - return -4; /* At least 1 color must be allocated */ - } - -- buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0); -- memset( buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); -+ buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * gdMaxColors, 0); -+ memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); - - for (x=0; xsx; x++) { - for( y=0; ysy; y++ ) { -diff --git a/ext/gd/tests/bug77270.phpt b/ext/gd/tests/bug77270.phpt -new file mode 100644 -index 0000000000..1c4555a64d ---- /dev/null -+++ b/ext/gd/tests/bug77270.phpt -@@ -0,0 +1,18 @@ -+--TEST-- -+Bug #77270 (imagecolormatch Out Of Bounds Write on Heap) -+--SKIPIF-- -+ -+--FILE-- -+ -+===DONE=== -+--EXPECT-- -+===DONE=== --- -2.11.0 diff --git a/CVE-2019-9021.patch b/CVE-2019-9021.patch deleted file mode 100644 index 33b39a96732f70299707715dc3d0f22a47da87a4..0000000000000000000000000000000000000000 --- a/CVE-2019-9021.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -diff --git a/ext/phar/phar.c b/ext/phar/phar.c -index 4d5988eaa9..812720a011 100644 ---- a/ext/phar/phar.c -+++ b/ext/phar/phar.c -@@ -2026,7 +2026,7 @@ next_extension: - } - - while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) { -- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1); -+ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1); - if (!pos) { - return FAILURE; - } - diff --git a/CVE-2019-9022.patch b/CVE-2019-9022.patch deleted file mode 100644 index 0b3e03a3ba944bebf3fc8ac0acefda9a01679dca..0000000000000000000000000000000000000000 --- a/CVE-2019-9022.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 29 Dec 2018 20:39:08 -0800 -Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS - response - ---- - ext/standard/dns.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/ext/standard/dns.c b/ext/standard/dns.c -index 8e102f8..b5fbcb9 100644 ---- a/ext/standard/dns.c -+++ b/ext/standard/dns.c -@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t - GETLONG(ttl, cp); - GETSHORT(dlen, cp); - CHECKCP(dlen); -+ if (dlen == 0) { -+ /* No data in the response - nothing to do */ -+ return NULL; -+ } - if (type_to_fetch != T_ANY && type != type_to_fetch) { - cp += dlen; - return cp; -@@ -549,6 +553,9 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t - CHECKCP(n); - add_assoc_stringl(subarray, "tag", (char*)cp, n); - cp += n; -+ if ( (size_t) dlen < ((size_t)n) + 2 ) { -+ return NULL; -+ } - n = dlen - n - 2; - CHECKCP(n); - add_assoc_stringl(subarray, "value", (char*)cp, n); --- -2.1.4 diff --git a/CVE-2019-9023.patch b/CVE-2019-9023.patch deleted file mode 100644 index a6716ffb32ba5b8c601ae003b20214e11a1b82e6..0000000000000000000000000000000000000000 --- a/CVE-2019-9023.patch +++ /dev/null 
@@ -1,91 +0,0 @@
-From 9a96e864885ccc3b19d360ba410a562eb7c5dc45 Mon Sep 17 00:00:00 2001
-From: gwx620998
-Date: Sat, 23 Mar 2019 03:34:11 -0400
-Subject: [PATCH] CVE-2019-9023
-
-Signed-off-by: gwx620998
----
- ext/mbstring/oniguruma/src/regcomp.c | 3 +++
- ext/mbstring/oniguruma/src/regparse.c | 2 ++
- ext/mbstring/oniguruma/src/unicode.c | 1 +
- ext/mbstring/oniguruma/src/utf32_be.c | 3 ++-
- 4 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
-index 0e9a9ab..cf914cc 100644
---- a/ext/mbstring/oniguruma/src/regcomp.c
-+++ b/ext/mbstring/oniguruma/src/regcomp.c
-@@ -476,6 +476,7 @@ compile_length_string_node(Node* node, regex_t* reg)
-
- for (; p < sn->end; ) {
- len = enclen(enc, p);
-+ if (p + len > sn->end) len = sn->end - p;
- if (len == prev_len) {
- slen++;
- }
-@@ -524,6 +525,7 @@ compile_string_node(Node* node, regex_t* reg)
-
- for (; p < end; ) {
- len = enclen(enc, p);
-+ if (p + len > end) len = end - p;
- if (len == prev_len) {
- slen++;
- }
-@@ -3436,6 +3438,7 @@ expand_case_fold_string(Node* node, regex_t* reg)
- }
-
- len = enclen(reg->enc, p);
-+ if (p + len > end) len = end - p;
-
- if (n == 0) {
- if (IS_NULL(snode)) {
-diff --git a/ext/mbstring/oniguruma/src/regparse.c b/ext/mbstring/oniguruma/src/regparse.c
-index 8153513..9393b9d 100644
---- a/ext/mbstring/oniguruma/src/regparse.c
-+++ b/ext/mbstring/oniguruma/src/regparse.c
-@@ -3594,6 +3594,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
- }
- else { /* string */
- p = tok->backp + enclen(enc, tok->backp);
-+ if (p > end) p = end;
- }
- }
- break;
-@@ -3763,6 +3764,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
- out:
- #endif
- *src = p;
-+ if (*src > end) *src = end;
- return tok->type;
- }
-
-diff --git a/ext/mbstring/oniguruma/src/unicode.c b/ext/mbstring/oniguruma/src/unicode.c
-index 8812ca2..cbdc42f 100644
---- 
a/ext/mbstring/oniguruma/src/unicode.c
-+++ b/ext/mbstring/oniguruma/src/unicode.c
-@@ -255,6 +255,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc,
-
- code = ONIGENC_MBC_TO_CODE(enc, p, end);
- len = enclen(enc, p);
-+ if (*pp + len > end) len = end - *pp;
- *pp += len;
-
- #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
-diff --git a/ext/mbstring/oniguruma/src/utf32_be.c b/ext/mbstring/oniguruma/src/utf32_be.c
-index d0c7f39..4cf6fed 100644
---- a/ext/mbstring/oniguruma/src/utf32_be.c
-+++ b/ext/mbstring/oniguruma/src/utf32_be.c
-@@ -65,8 +65,9 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
- }
-
- static OnigCodePoint
--utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
-+utf32be_mbc_to_code(const UChar* p, const UChar* end)
- {
-+ if (p + 4 > end) return (OnigCodePoint ) NULL;
- return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
- }
-
---
-1.8.3.1
-
diff --git a/CVE-2019-9024.patch b/CVE-2019-9024.patch
deleted file mode 100644
index 5ac3f3ceb1c7fac4829ede497cd67e6385748e83..0000000000000000000000000000000000000000
--- a/CVE-2019-9024.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 1cc2182bcc81e185c14837e659d12b268cb99d63 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Tue, 1 Jan 2019 17:15:20 -0800
-Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64
- code)
-
----
-diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
-index 5ebdf31..a4fa193 100644
---- a/ext/xmlrpc/libxmlrpc/base64.c
-+++ b/ext/xmlrpc/libxmlrpc/base64.c
-@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
- return;
- }
-
-- if (dtable[c] & 0x80) {
-+ if (dtable[(unsigned char)c] & 0x80) {
- /*
- fprintf(stderr, "Offset %i length %i\n", offset, length);
- fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
---
-2.1.4
-
diff --git a/CVE-2019-9637.patch b/CVE-2019-9637.patch
deleted file mode 100644
index ccc4f21328289cf75c902e7a57998c571f16eb77..0000000000000000000000000000000000000000
--- a/CVE-2019-9637.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 40f6425978917209cb0c2c3be05a25c65c9a900e Mon Sep 17 00:00:00 2001
-From: gwx620998
-Date: Sat, 23 Mar 2019 07:14:35 -0400
-Subject: [PATCH] CVE-2019-9637
-
-Signed-off-by: gwx620998
----
- main/streams/plain_wrapper.c | 50 +++++++++++++++++++++++++++++---------------
- 1 file changed, 33 insertions(+), 17 deletions(-)
-
-diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
-index 9b36d00..cb9e642 100644
---- a/main/streams/plain_wrapper.c
-+++ b/main/streams/plain_wrapper.c
-@@ -1168,34 +1168,50 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, const char *url_f
- # ifdef EXDEV
- if (errno == EXDEV) {
- zend_stat_t sb;
-+# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
-+ /* not sure what to do in ZTS case, umask is not thread-safe */
-+ int oldmask = umask(077);
-+# endif
-+ int success = 0;
- if (php_copy_file(url_from, url_to) == SUCCESS) {
- if (VCWD_STAT(url_from, &sb) == 0) {
-+ success = 1;
- # ifndef TSRM_WIN32
-- if (VCWD_CHMOD(url_to, sb.st_mode)) {
-- if (errno == EPERM) {
-- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
-- VCWD_UNLINK(url_from);
-- return 1;
-- }
-+ /*
-+ * Try to set user and permission info on the target.
-+ * If we're not root, then some of these may fail.
-+ * We try chown first, to set proper group info, relying
-+ * on the system environment to have proper umask to not allow
-+ * access to the file in the meantime. 
-+ */
-+ if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
-- return 0;
-+ if (errno != EPERM) {
-+ success = 0;
-+ }
- }
-- if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
-- if (errno == EPERM) {
-+ if (success) {
-+ if (VCWD_CHMOD(url_to, sb.st_mode)) {
- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
-- VCWD_UNLINK(url_from);
-- return 1;
-+ if (errno != EPERM) {
-+ success = 0;
-+ }
- }
-- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
-- return 0;
- }
- # endif
-- VCWD_UNLINK(url_from);
-- return 1;
-+ if (success) {
-+ VCWD_UNLINK(url_from);
-+ }
-+ } else {
-+ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
- }
-+ } else {
-+ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
- }
-- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
-- return 0;
-+# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
-+ umask(oldmask);
-+# endif
-+ return success;
- }
- # endif
- #endif
---
-1.8.3.1
-
diff --git a/CVE-2019-9638-CVE-2019-9639.patch b/CVE-2019-9638-CVE-2019-9639.patch
deleted file mode 100644
index ddc1dae033259ec6c54014cd78ad2b50de43976a..0000000000000000000000000000000000000000
--- a/CVE-2019-9638-CVE-2019-9639.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From 7168d3dc576344f7e55fac81d86304d2421ffe93 Mon Sep 17 00:00:00 2001 -From: gwx620998 -Date: Sat, 23 Mar 2019 07:42:34 -0400 -Subject: [PATCH] CVE-2019-9638 - -Signed-off-by: gwx620998 ---- - ext/exif/exif.c | 5 +++-- - ext/exif/tests/bug77563.phpt | 16 ++++++++++++++++ - 2 files changed, 19 insertions(+), 2 deletions(-) - create mode 100644 ext/exif/tests/bug77563.phpt - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index 3a76d8f..d82b5ae 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3151,8 +3151,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu - continue; - break; - } -- -- if (maker_note->offset >= value_len) { -+ -+ if (value_len < 2 || maker_note->offset >= value_len - 1) { - /* Do not go past the value end */ - exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset); - return FALSE; -@@ -3207,6 +3207,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu - #endif - default: - case MN_OFFSET_NORMAL: -+ data_len = value_len; - break; - } - -diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt -new file mode 100644 -index 0000000..d1c5b9f ---- /dev/null -+++ b/ext/exif/tests/bug77563.phpt -@@ -0,0 +1,16 @@ -++--TEST-- -++Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE) -++--SKIPIF-- -++ -++--FILE-- -++ -++DONE -++--EXPECTF-- -++Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d -++ -++Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d -++ -++Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d -++DONE --- -1.8.3.1 - diff --git a/CVE-2019-9640.patch b/CVE-2019-9640.patch deleted file mode 100644 index 4cda3bcb52ccacad2259cd9619db6720e44dad58..0000000000000000000000000000000000000000 
--- a/CVE-2019-9640.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 30d2b94a2e88021b77b07149e1f4438662ca8e5e Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 2 Mar 2019 13:38:00 -0800 -Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn - ---- - ext/exif/exif.c | 10 ++++++++-- - ext/exif/tests/bug77540.jpg | Bin 0 -> 91 bytes - ext/exif/tests/bug77540.phpt | 16 ++++++++++++++++ - 3 files changed, 24 insertions(+), 2 deletions(-) - create mode 100644 ext/exif/tests/bug77540.jpg - create mode 100644 ext/exif/tests/bug77540.phpt - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index 4f2f660..8ed9c85 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3902,7 +3902,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) - return FALSE; - marker = c; - length = php_jpg_get16(data+pos); -- if (pos+length>=ImageInfo->Thumbnail.size) { -+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { - return FALSE; - } - #ifdef EXIF_DEBUG -@@ -3923,6 +3923,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) - case M_SOF14: - case M_SOF15: - /* handle SOFn block */ -+ if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) { -+ /* exif_process_SOFn needs 8 bytes */ -+ return FALSE; -+ } - exif_process_SOFn(data+pos, marker, &sof_info); - ImageInfo->Thumbnail.height = sof_info.height; - ImageInfo->Thumbnail.width = sof_info.width; -@@ -4654,7 +4658,9 @@ PHP_FUNCTION(exif_thumbnail) - ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); - if (arg_c >= 3) { - if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { -- exif_scan_thumbnail(&ImageInfo); -+ if (!exif_scan_thumbnail(&ImageInfo)) { -+ ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0; -+ } - } - zval_dtor(z_width); - zval_dtor(z_height); --- -diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt -new file mode 100644 -index 0000000..8702e0c ---- /dev/null -+++ b/ext/exif/tests/bug77540.phpt -@@ -0,0 +1,16 @@ 
-+--TEST-- -+Bug 77540 (Invalid Read on exif_process_SOFn) -+--SKIPIF-- -+ -+--FILE-- -+ -+DONE -+--EXPECTF-- -+Width 0 -+Height 0 -+DONE --- -2.1.4 - diff --git a/CVE-2020-7063.patch b/CVE-2020-7063.patch deleted file mode 100644 index 9eb6c50dc895cd1ff780aeb2abb3226ec331ff69..0000000000000000000000000000000000000000 --- a/CVE-2020-7063.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From ead40a66785aedaa393f953a0ed9224adaf040cd Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 15 Feb 2020 22:17:14 -0800 -Subject: [PATCH] Fix bug #79082 - Files added to tar with - Phar::buildFromIterator have all-access permissions - ---- - ext/phar/phar_object.c | 11 ++++++ - ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++++++++++ - ext/phar/tests/test79082/test79082-testfile | 1 + - ext/phar/tests/test79082/test79082-testfile2 | 1 + - 4 files changed, 65 insertions(+) - create mode 100644 ext/phar/tests/bug79082.phpt - create mode 100644 ext/phar/tests/test79082/test79082-testfile - create mode 100644 ext/phar/tests/test79082/test79082-testfile2 - -diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c -index 6cf097e36fe..89b553c2b91 100644 ---- a/ext/phar/phar_object.c -+++ b/ext/phar/phar_object.c -@@ -1419,6 +1419,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */ - char *str_key; - zend_class_entry *ce = p_obj->c; - phar_archive_object *phar_obj = p_obj->p; -+ php_stream_statbuf ssb; - - value = iter->funcs->get_current_data(iter); - -@@ -1686,6 +1687,16 @@ after_open_fp: - php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len); - data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize = - php_stream_tell(p_obj->fp) - data->internal_file->offset; -+ if (php_stream_stat(fp, &ssb) != -1) { -+ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ; -+ } else { -+#ifndef _WIN32 -+ mode_t mask; -+ mask = umask(0); -+ umask(mask); -+ data->internal_file->flags &= ~mask; -+#endif -+ } - } - - if (close_fp) { -diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt -new file mode 100644 -index 00000000000..ca453d1b57b ---- /dev/null -+++ b/ext/phar/tests/bug79082.phpt -@@ -0,0 +1,52 @@ -+--TEST-- -+Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions -+--SKIPIF-- -+ 
-+--FILE-- -+ 'tar', Phar::ZIP => 'zip'] as $mode => $ext) { -+ clearstatcache(); -+ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode); -+ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082'); -+ $phar->extractTo(__DIR__); -+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode'])); -+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode'])); -+ unlink(__DIR__ . '/test79082-testfile'); -+ unlink(__DIR__ . '/test79082-testfile2'); -+} -+foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) { -+ clearstatcache(); -+ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode); -+ $phar->buildFromDirectory(__DIR__ . '/test79082'); -+ $phar->extractTo(__DIR__); -+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode'])); -+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode'])); -+ unlink(__DIR__ . '/test79082-testfile'); -+ unlink(__DIR__ . '/test79082-testfile2'); -+} -+?> -+--CLEAN-- -+ -+--EXPECT-- -+string(2) "22" -+string(6) "100644" -+string(6) "100400" -+string(6) "100644" -+string(6) "100400" -+string(6) "100644" -+string(6) "100400" -+string(6) "100644" -+string(6) "100400" -diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile -new file mode 100644 -index 00000000000..9daeafb9864 ---- /dev/null -+++ b/ext/phar/tests/test79082/test79082-testfile -@@ -0,0 +1 @@ -+test -diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2 -new file mode 100644 -index 00000000000..9daeafb9864 ---- /dev/null -+++ b/ext/phar/tests/test79082/test79082-testfile2 -@@ -0,0 +1 @@ -+test --- -2.11.0 - - diff --git a/CVE-2020-7064.patch b/CVE-2020-7064.patch deleted file mode 100644 index 3cce2dcb164482871902fc562447b5b2769cdd4d..0000000000000000000000000000000000000000 --- a/CVE-2020-7064.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 0c77b4307df73217283a4aaf9313e1a33a0967ff Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 15 Mar 2020 17:26:00 -0700 -Subject: [PATCH] Fixed bug #79282 - ---- - ext/exif/exif.c | 7 ++++++- - ext/exif/tests/bug79282.phpt | 15 +++++++++++++++ - 2 files changed, 21 insertions(+), 1 deletion(-) - create mode 100644 ext/exif/tests/bug79282.phpt - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index a63e0c1..b85ac19 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3660,6 +3660,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, - { - unsigned exif_value_2a, offset_of_ifd; - -+ if (length < 2) { -+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); -+ return; -+ } -+ - /* set the thumbnail stuff to nothing so we can test to see if they get set up */ - if (memcmp(CharBuf, "II", 2) == 0) { - ImageInfo->motorola_intel = 0; -@@ -3812,7 +3817,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) - return FALSE; - } - -- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); -+ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); - Data = ImageInfo->file.list[sn].data; - - /* Store first two pre-read bytes. */ -diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt -new file mode 100644 -index 0000000..7b7e365 ---- /dev/null -+++ b/ext/exif/tests/bug79282.phpt -@@ -0,0 +1,15 @@ -+--TEST-- -+Bug #79282: Use-of-uninitialized-value in exif -+--FILE-- -+ -+--EXPECTF-- -+Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d -+ -+Warning: exif_read_data(): File structure corrupted in %s on line %d -+ -+Warning: exif_read_data(): Invalid JPEG file in %s on line %d -+bool(false) --- -1.8.3.1 - diff --git a/CVE-2020-7066.patch b/CVE-2020-7066.patch deleted file mode 100644 index 63200d170b36d4b4b306d8e7da34eb0ffa071d49..0000000000000000000000000000000000000000 
--- a/CVE-2020-7066.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0181cb204b54ee08710147338b76dc0845aba4f9 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Sun, 15 Mar 2020 17:30:44 -0700
-Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0
-
----
- ext/standard/url.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ext/standard/url.c b/ext/standard/url.c
-index 57fd80c..fe6d7f9 100644
---- a/ext/standard/url.c
-+++ b/ext/standard/url.c
-@@ -680,7 +680,7 @@ PHP_FUNCTION(get_headers)
- php_stream_context *context;
-
- ZEND_PARSE_PARAMETERS_START(1, 3)
-- Z_PARAM_STRING(url, url_len)
-+ Z_PARAM_PATH(url, url_len)
- Z_PARAM_OPTIONAL
- Z_PARAM_LONG(format)
- Z_PARAM_RESOURCE_EX(zcontext, 1, 0)
---
-1.8.3.1
-
diff --git a/CVE-2020-7068.patch b/CVE-2020-7068.patch
deleted file mode 100644
index 3726e1e1dce479fb189dfb26b01f79c08224c702..0000000000000000000000000000000000000000
--- a/CVE-2020-7068.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 7355ab81763a3d6a04ac11660e6a16d58838d187 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker"
-Date: Tue, 14 Jul 2020 17:04:24 +0200
-Subject: [PATCH] Fix #79797: Use of freed hash key in the
-phar_parse_zipfile funtion
-
----
- ext/phar/zip.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ext/phar/zip.c b/ext/phar/zip.c
-index d615e8ad..50c5d69e 100644
---- a/ext/phar/zip.c
-+++ b/ext/phar/zip.c
-@@ -703,7 +703,7 @@ foundit:
- efree(actual_alias);
- }
-
-- zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata);
-+ zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), mydata->alias, mydata->alias_len, mydata);
- } else {
- phar_archive_data *fd_ptr;
-
---
-2.23.0
-
diff --git a/backport-0001-CVE-2020-7071.patch b/backport-0001-CVE-2020-7071.patch
deleted file mode 100644
index f7d41901cd0c564baab2666a744fb81ea3ebd17d..0000000000000000000000000000000000000000
--- a/backport-0001-CVE-2020-7071.patch
+++ /dev/null
@@ -1,211 +0,0 @@
-From 4a89e726bd4d0571991dc22a9a1ad4509e8fe347 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker"
-Date: Tue, 19 Jan 2021 11:23:25 +0100
-Subject: [PATCH] Alternative fix for bug 77423
-
-That bug report originally was about `parse_url()` misbehaving, but the
-security aspect was actually only regarding `FILTER_VALIDATE_URL`.
-Since the changes to `parse_url_ex()` apparently affect userland code
-which is relying on the sloppy URL parsing[1], this alternative
-restores the old parsing behavior, but ensures that the userinfo is
-checked for correctness for `FILTER_VALIDATE_URL`.
-
-[1] 
----
- ext/filter/logical_filters.c | 23 +++++++++++++++++++
- .../tests/url => filter/tests}/bug77423.phpt | 15 ------------
- ext/standard/tests/strings/url_t.phpt | 6 +++--
- .../tests/url/parse_url_basic_001.phpt | 6 +++--
- .../tests/url/parse_url_basic_003.phpt | 2 +-
- .../tests/url/parse_url_basic_005.phpt | 2 +-
- .../tests/url/parse_url_unterminated.phpt | 6 +++--
- ext/standard/url.c | 6 +----
- 8 files changed, 38 insertions(+), 28 deletions(-)
- rename ext/{standard/tests/url => filter/tests}/bug77423.phpt (53%)
-
-diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
-index 076d2479461f..1cf345dbb58a 100644
---- a/ext/filter/logical_filters.c
-+++ b/ext/filter/logical_filters.c
-@@ -532,6 +532,22 @@ void php_filter_validate_domain(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
- }
- /* }}} */
-
-+static int is_userinfo_valid(zend_string *str)
-+{
-+ const char *valid = "-._~!$&'()*+,;=:";
-+ const char *p = ZSTR_VAL(str);
-+ while (p - ZSTR_VAL(str) < ZSTR_LEN(str)) {
-+ if (isalpha(*p) || isdigit(*p) || strchr(valid, *p)) {
-+ p++;
-+ } else if (*p == '%' && p - ZSTR_VAL(str) <= ZSTR_LEN(str) - 3 && isdigit(*(p+1)) && isxdigit(*(p+2))) {
-+ p += 3;
-+ } else {
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
- void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
- {
- php_url *url;
-@@ -592,6 +608,13 @@ void 
php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
- php_url_free(url);
- RETURN_VALIDATION_FAILED
- }
-+
-+ if (url->user != NULL && !is_userinfo_valid(url->user)) {
-+ php_url_free(url);
-+ RETURN_VALIDATION_FAILED
-+
-+ }
-+
- php_url_free(url);
- }
- /* }}} */
-diff --git a/ext/standard/tests/url/bug77423.phpt b/ext/filter/tests/bug77423.phpt
-similarity index 53%
-rename from ext/standard/tests/url/bug77423.phpt
-rename to ext/filter/tests/bug77423.phpt
-index be03fe95e24e..761c7c359a92 100644
---- a/ext/standard/tests/url/bug77423.phpt
-+++ b/ext/filter/tests/bug77423.phpt
-@@ -8,23 +8,8 @@ $urls = array(
- );
- foreach ($urls as $url) {
- var_dump(filter_var($url, FILTER_VALIDATE_URL));
-- var_dump(parse_url($url));
- }
- ?>
- --EXPECT--
- bool(false)
--array(3) {
-- ["scheme"]=>
-- string(4) "http"
-- ["host"]=>
-- string(19) "php.net\@aliyun.com"
-- ["path"]=>
-- string(7) "/aaa.do"
--}
- bool(false)
--array(2) {
-- ["scheme"]=>
-- string(5) "https"
-- ["host"]=>
-- string(26) "example.com\uFF03@bing.com"
--}
-diff --git a/ext/standard/tests/strings/url_t.phpt b/ext/standard/tests/strings/url_t.phpt
-index f564f59f0632..79ff3bc4a8e3 100644
---- a/ext/standard/tests/strings/url_t.phpt
-+++ b/ext/standard/tests/strings/url_t.phpt
-@@ -575,13 +575,15 @@ $sample_urls = array (
- string(16) "some_page_ref123"
- }
-
----> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(6) {
-+--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(7) {
- ["scheme"]=>
- string(4) "http"
- ["host"]=>
-- string(26) "secret@hideout@www.php.net"
-+ string(11) "www.php.net"
- ["port"]=>
- int(80)
-+ ["user"]=>
-+ string(14) "secret@hideout"
- ["path"]=>
- string(10) "/index.php"
- ["query"]=>
-diff --git a/ext/standard/tests/url/parse_url_basic_001.phpt b/ext/standard/tests/url/parse_url_basic_001.phpt
-index 57014f08391a..7ffd001856c8 100644
---- 
a/ext/standard/tests/url/parse_url_basic_001.phpt
-+++ b/ext/standard/tests/url/parse_url_basic_001.phpt
-@@ -506,13 +506,15 @@ echo "Done";
- string(16) "some_page_ref123"
- }
-
----> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(6) {
-+--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(7) {
- ["scheme"]=>
- string(4) "http"
- ["host"]=>
-- string(26) "secret@hideout@www.php.net"
-+ string(11) "www.php.net"
- ["port"]=>
- int(80)
-+ ["user"]=>
-+ string(14) "secret@hideout"
- ["path"]=>
- string(10) "/index.php"
- ["query"]=>
-diff --git a/ext/standard/tests/url/parse_url_basic_003.phpt b/ext/standard/tests/url/parse_url_basic_003.phpt
-index e7cd24c9698c..8b0e7eb87500 100644
---- a/ext/standard/tests/url/parse_url_basic_003.phpt
-+++ b/ext/standard/tests/url/parse_url_basic_003.phpt
-@@ -68,7 +68,7 @@ echo "Done";
- --> http://secret:@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net"
- --> http://:hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net"
- --> http://secret:hideout@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net"
----> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(26) "secret@hideout@www.php.net"
-+--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net"
- --> http://secret:hid:out@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net"
- --> nntp://news.php.net : string(12) "news.php.net"
- --> ftp://ftp.gnu.org/gnu/glic/glibc.tar.gz : string(11) "ftp.gnu.org"
-diff --git a/ext/standard/tests/url/parse_url_basic_005.phpt b/ext/standard/tests/url/parse_url_basic_005.phpt
-index 8617d37059ec..a5ca381a691f 100644
---- 
a/ext/standard/tests/url/parse_url_basic_005.phpt
-+++ b/ext/standard/tests/url/parse_url_basic_005.phpt
-@@ -68,7 +68,7 @@ echo "Done";
- --> http://secret:@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(6) "secret"
- --> http://:hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(0) ""
- --> http://secret:hideout@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(6) "secret"
----> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : NULL
-+--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(14) "secret@hideout"
- --> http://secret:hid:out@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(6) "secret"
- --> nntp://news.php.net : NULL
- --> ftp://ftp.gnu.org/gnu/glic/glibc.tar.gz : NULL
-diff --git a/ext/standard/tests/url/parse_url_unterminated.phpt b/ext/standard/tests/url/parse_url_unterminated.phpt
-index 1377cb7735f0..8f46eb3dbedf 100644
---- a/ext/standard/tests/url/parse_url_unterminated.phpt
-+++ b/ext/standard/tests/url/parse_url_unterminated.phpt
-@@ -508,13 +508,15 @@ echo "Done";
- string(16) "some_page_ref123"
- }
-
----> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(6) {
-+--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(7) {
- ["scheme"]=>
- string(4) "http"
- ["host"]=>
-- string(26) "secret@hideout@www.php.net"
-+ string(11) "www.php.net"
- ["port"]=>
- int(80)
-+ ["user"]=>
-+ string(14) "secret@hideout"
- ["path"]=>
- string(10) "/index.php"
- ["query"]=>
-diff --git a/ext/standard/url.c b/ext/standard/url.c
-index 157d61466e69..9743a00166b1 100644
---- a/ext/standard/url.c
-+++ b/ext/standard/url.c
-@@ -260,9 +260,6 @@ PHPAPI php_url *php_url_parse_ex(char const *str, size_t length)
- ret->pass = 
estrndup(pp, (p-pp));
- php_replace_controlchars_ex(ret->pass, (p-pp));
- } else {
-- if (!is_userinfo_valid(s, p-s)) {
-- goto check_port;
-- }
- ret->user = estrndup(s, (p-s));
- php_replace_controlchars_ex(ret->user, (p-s));
-
-@@ -271,7 +268,6 @@ PHPAPI php_url *php_url_parse_ex(char const *str, size_t length)
- s = p + 1;
- }
-
--check_port:
- /* check for port */
- if (s < ue && *s == '[' && *(e-1) == ']') {
- /* Short circuit portscan,
diff --git a/backport-0002-CVE-2020-7071.patch b/backport-0002-CVE-2020-7071.patch
deleted file mode 100644
index aedffc09ef7558ea711870a1fbf5f24eeacabc8d..0000000000000000000000000000000000000000
--- a/backport-0002-CVE-2020-7071.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 9c673083cd46ee2a954a62156acbe4b6e657c048 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Wed, 27 Jan 2021 00:13:43 -0800
-Subject: [PATCH] Rm unneeded function
-
----
- ext/standard/url.c | 16 ----------------
- 1 file changed, 16 deletions(-)
-
-diff --git a/ext/standard/url.c b/ext/standard/url.c
-index 9743a00166b1..0b3d97a76691 100644
---- a/ext/standard/url.c
-+++ b/ext/standard/url.c
-@@ -102,22 +102,6 @@ PHPAPI php_url *php_url_parse(char const *str)
- return php_url_parse_ex(str, strlen(str));
- }
-
--static int is_userinfo_valid(const char *str, size_t len)
--{
-- char *valid = "-._~!$&'()*+,;=:";
-- char *p = str;
-- while (p - str < len) {
-- if (isalpha(*p) || isdigit(*p) || strchr(valid, *p)) {
-- p++;
-- } else if (*p == '%' && p - str <= len - 3 && isdigit(*(p+1)) && isxdigit(*(p+2))) {
-- p += 3;
-- } else {
-- return 0;
-- }
-- }
-- return 1;
--}
--
- /* {{{ php_url_parse
- */
- PHPAPI php_url *php_url_parse_ex(char const *str, size_t length)
diff --git a/backport-0002-CVE-2021-21705.patch b/backport-0002-CVE-2021-21705.patch
deleted file mode 100644
index 1f98d1ee8fa95e6ef60cd7375ae2d4c39272438c..0000000000000000000000000000000000000000
--- a/backport-0002-CVE-2021-21705.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 7bab67c2d0d3c30b1176d5bcf6f20b0e1c50c589 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Sun, 27 Jun 2021 21:57:58 -0700
-Subject: [PATCH] Fix warning
-
-(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef)
----
- ext/filter/logical_filters.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
-index 721da45d532d..1ffc467b43c1 100644
---- a/ext/filter/logical_filters.c
-+++ b/ext/filter/logical_filters.c
-@@ -632,8 +632,8 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
- RETURN_VALIDATION_FAILED
- }
-
-- if (url->user != NULL && !is_userinfo_valid(url->user)
-- || url->pass != NULL && !is_userinfo_valid(url->pass)
-+ if ((url->user != NULL && !is_userinfo_valid(url->user))
-+ || (url->pass != NULL && !is_userinfo_valid(url->pass))
- ) {
- php_url_free(url);
- RETURN_VALIDATION_FAILED
---
-2.27.0
-
diff --git a/backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch b/backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch
deleted file mode 100644
index 35ac9c8029b2c6bdce94acad1738dbbe81e2dea8..0000000000000000000000000000000000000000
--- a/backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From ed6dee9a198c904ad5e03113e58a2d2c200f5184 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Mon, 6 May 2019 10:18:51 +0200 -Subject: [PATCH] Fix #77973: Uninitialized read in gdImageCreateFromXbm - -We have to ensure that `sscanf()` does indeed read a hex value here, -and bail out otherwise. ---- - ext/gd/libgd/gd_xbm.c | 6 +++++- - ext/gd/tests/bug77973.phpt | 26 ++++++++++++++++++++++++++ - 2 files changed, 31 insertions(+), 1 deletion(-) - create mode 100644 ext/gd/tests/bug77973.phpt - -diff --git a/ext/gd/libgd/gd_xbm.c b/ext/gd/libgd/gd_xbm.c -index 6ff18cd..bde590d 100644 ---- a/ext/gd/libgd/gd_xbm.c -+++ b/ext/gd/libgd/gd_xbm.c -@@ -135,7 +135,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd) - } - h[3] = ch; - } -- sscanf(h, "%x", &b); -+ if (sscanf(h, "%x", &b) != 1) { -+ php_gd_error("invalid XBM"); -+ gdImageDestroy(im); -+ return 0; -+ } - for (bit = 1; bit <= max_bit; bit = bit << 1) { - gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); - if (x == im->sx) { -diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt -new file mode 100644 -index 0000000..2545dbe ---- /dev/null -+++ b/ext/gd/tests/bug77973.phpt -@@ -0,0 +1,26 @@ -+--TEST-- -+Bug #77973 (Uninitialized read in gdImageCreateFromXbm) -+--SKIPIF-- -+ -+--FILE-- -+ -+===DONE=== -+--EXPECTF-- -+Warning: imagecreatefromxbm(): invalid XBM in %s on line %d -+ -+Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d -+bool(false) -+===DONE=== -+--CLEAN-- -+ --- -1.8.3.1 - diff --git a/backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch b/backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch deleted file mode 100644 index 6b4aa98a4edd327dd342059aff664e168ee24f98..0000000000000000000000000000000000000000 --- a/backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-From 7cf7148a8f8f4f55fb04de2a517d740bb6253eac Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Mon, 27 May 2019 16:32:42 -0700
-Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in
- iconv.c:_php_iconv_mime_decode() due to integer overflow
-
----
- ext/iconv/iconv.c | 4 +++-
- 3 files changed, 18 insertions(+), 1 deletion(-)
- create mode 100644 ext/iconv/tests/bug78069.data
- create mode 100644 ext/iconv/tests/bug78069.phpt
-
-diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
-index f86d0ae..b4a2abe 100644
---- a/ext/iconv/iconv.c
-+++ b/ext/iconv/iconv.c
-@@ -1673,7 +1673,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
- * we can do at this point. */
- if (*(p1 + 1) == '=') {
- ++p1;
-- --str_left;
-+ if (str_left > 1) {
-+ --str_left;
-+ }
- }
-
- err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
---
-1.8.3.1
-
diff --git a/backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch b/backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch
deleted file mode 100644
index 6b4aa98a4edd327dd342059aff664e168ee24f98..0000000000000000000000000000000000000000
--- a/backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 73ff4193be24192c894dc0502d06e2b2db35eefb Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Mon, 27 May 2019 17:16:29 -0700
-Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
-
----
- ext/exif/exif.c | 2 ++
- 4 files changed, 19 insertions(+), 2 deletions(-)
- create mode 100644 ext/exif/tests/bug77988.jpg
- create mode 100644 ext/exif/tests/bug77988.phpt
-
-diff --git a/ext/exif/exif.c b/ext/exif/exif.c
-index d174def..605b379 100644
---- a/ext/exif/exif.c
-+++ b/ext/exif/exif.c
-@@ -3526,6 +3526,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
- if (c == 0xFF)
- return FALSE;
- marker = c;
-+ if (pos>=ImageInfo->Thumbnail.size)
-+ return FALSE;
- length = php_jpg_get16(data+pos);
- if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
- return FALSE;
---
-1.8.3.1
-
diff --git a/backport-CVE-2020-7059-Fix-79099-OOB-read.patch b/backport-CVE-2020-7059-Fix-79099-OOB-read.patch
deleted file mode 100644
index 38fcfa2be43d77a18ec8d5e34530c6e0917ab6de..0000000000000000000000000000000000000000
--- a/backport-CVE-2020-7059-Fix-79099-OOB-read.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -From 0f79b1bf301f455967676b5129240140c5c45b09 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 20 Jan 2020 21:33:17 -0800 -Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex - ---- - ext/standard/string.c | 6 ++--- - ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ - 2 files changed, 35 insertions(+), 3 deletions(-) - create mode 100644 ext/standard/tests/file/bug79099.phpt - -diff --git a/ext/standard/string.c b/ext/standard/string.c -index da51cd0966fc..fb44cc505d9d 100644 ---- a/ext/standard/string.c -+++ b/ext/standard/string.c -@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const - if (state == 4) { - /* Inside */ - break; -- } else if (state == 2 && *(p-1) != '\\') { -+ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { - if (lc == c) { - lc = '\0'; - } else if (lc != '\\') { -@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const - - case '!': - /* JavaScript & Other HTML scripting languages */ -- if (state == 1 && *(p-1) == '<') { -+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { - state = 3; - lc = c; - } else { -@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const - - case '?': - -- if (state == 1 && *(p-1) == '<') { -+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { - br=0; - state=2; - break; -diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt -new file mode 100644 -index 000000000000..7c842f4654f0 ---- /dev/null -+++ b/ext/standard/tests/file/bug79099.phpt -@@ -0,0 +1,32 @@ -+--TEST-- -+Bug #79099 (OOB read in php_strip_tags_ex) -+--FILE-- -+ -+--EXPECT-- -+string(0) "" -+string(0) "" -+string(0) "" -+string(0) "" -+string(0) "" -+string(0) "" 
diff --git a/backport-CVE-2020-7060-Fix-bug-79037-global-buffer-overflow-in-mbfl_filt_co.patch b/backport-CVE-2020-7060-Fix-bug-79037-global-buffer-overflow-in-mbfl_filt_co.patch
deleted file mode 100644
index b103d510fb61771aa5e8f0ade37e8d98c3a3d864..0000000000000000000000000000000000000000
--- a/backport-CVE-2020-7060-Fix-bug-79037-global-buffer-overflow-in-mbfl_filt_co.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 2bcbc95f033c31b00595ed39f79c3a99b4ed0501 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 20 Jan 2020 21:42:44 -0800 -Subject: [PATCH] Fix bug #79037 (global buffer-overflow in - `mbfl_filt_conv_big5_wchar`) - ---- - ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++----- - ext/mbstring/tests/bug79037.phpt | 10 ++++++++++ - 2 files changed, 22 insertions(+), 5 deletions(-) - create mode 100644 ext/mbstring/tests/bug79037.phpt - -diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c -index f5ab8809ce8a..5e1ca815da31 100644 ---- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c -+++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c -@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = { - {0xf70f,0xf848,0xc740,0xc8fe}, - }; - -+static inline int is_in_cp950_pua(int c1, int c) { -+ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || -+ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) { -+ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe); -+ } -+ if (c1 == 0xc6) { -+ return c >= 0xa1 && c <= 0xfe; -+ } -+ return 0; -+} -+ - /* - * Big5 => wchar - */ -@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter) - - if (filter->from->no_encoding == mbfl_no_encoding_cp950) { - /* PUA for CP950 */ -- if (w <= 0 && -- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || -- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8)) -- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) || -- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) { -+ if (w <= 0 && is_in_cp950_pua(c1, c)) { - c2 = c1 << 8 | c; - for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) { - if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) { -diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt -new file mode 100644 -index 000000000000..94ff01a4a1da ---- /dev/null -+++ 
b/ext/mbstring/tests/bug79037.phpt -@@ -0,0 +1,10 @@ -+--TEST-- -+Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` -+--FILE-- -+ -+--EXPECT-- -+string(1) "?" diff --git a/backport-CVE-2020-7062-Fix-bug-79221.patch b/backport-CVE-2020-7062-Fix-bug-79221.patch deleted file mode 100644 index 58805deef5ffc366f62e38062616d49b8ff4afd7..0000000000000000000000000000000000000000 --- a/backport-CVE-2020-7062-Fix-bug-79221.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 90ae1818d54b3017ed114d45e83924eebafdb7d7 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 15 Feb 2020 20:52:19 -0800 -Subject: [PATCH] Fix bug #79221 - Null Pointer Dereference in PHP Session - Upload Progress - ---- - ext/session/session.c | 10 +++++--- - ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++ - 2 files changed, 51 insertions(+), 4 deletions(-) - create mode 100644 ext/session/tests/bug79221.phpt - -diff --git a/ext/session/session.c b/ext/session/session.c -index 0470ba1fc645..ad299209b6a4 100644 ---- a/ext/session/session.c -+++ b/ext/session/session.c -@@ -3217,10 +3217,12 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo - if (PS(rfc1867_cleanup)) { - php_session_rfc1867_cleanup(progress); - } else { -- SEPARATE_ARRAY(&progress->data); -- add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1); -- Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; -- php_session_rfc1867_update(progress, 1); -+ if (!Z_ISUNDEF(progress->data)) { -+ SEPARATE_ARRAY(&progress->data); -+ add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1); -+ Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; -+ php_session_rfc1867_update(progress, 1); -+ } - } - php_rshutdown_session_globals(); - } -diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt -new file mode 100644 -index 000000000000..b0972c469705 ---- /dev/null -+++ b/ext/session/tests/bug79221.phpt -@@ -0,0 +1,45 @@ -+--TEST-- -+Null Pointer Dereference in PHP Session Upload Progress -+--INI-- -+error_reporting=0 -+file_uploads=1 -+upload_max_filesize=1024 -+session.save_path= -+session.name=PHPSESSID -+session.serialize_handler=php -+session.use_strict_mode=0 -+session.use_cookies=1 -+session.use_only_cookies=0 -+session.upload_progress.enabled=1 -+session.upload_progress.cleanup=0 -+session.upload_progress.prefix=upload_progress_ 
-+session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS -+session.upload_progress.freq=1% -+session.upload_progress.min_freq=0.000000001 -+--COOKIE-- -+PHPSESSID=session-upload -+--POST_RAW-- -+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 -+-----------------------------20896060251896012921717172737 -+Content-Disposition: form-data; name="PHPSESSID" -+ -+session-upload -+-----------------------------20896060251896012921717172737 -+Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS" -+ -+ryat -+-----------------------------20896060251896012921717172737 -+Content-Disposition: form-data; file="file"; ryat="filename" -+ -+1 -+-----------------------------20896060251896012921717172737-- -+--FILE-- -+ -Date: Mon, 13 Apr 2020 21:07:04 -0700 -Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes. - ---- - ext/standard/url.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ext/standard/url.c b/ext/standard/url.c -index fe6d7f9de1d6..1dd073e2bb42 100644 ---- a/ext/standard/url.c -+++ b/ext/standard/url.c -@@ -559,7 +559,7 @@ PHPAPI size_t php_url_decode(char *str, size_t len) - #ifndef CHARSET_EBCDIC - *dest = (char) php_htoi(data + 1); - #else -- *dest = os_toebcdic[(char) php_htoi(data + 1)]; -+ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; - #endif - data += 2; - len -= 2; -@@ -651,7 +651,7 @@ PHPAPI size_t php_raw_url_decode(char *str, size_t len) - #ifndef CHARSET_EBCDIC - *dest = (char) php_htoi(data + 1); - #else -- *dest = os_toebcdic[(char) php_htoi(data + 1)]; -+ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; - #endif - data += 2; - len -= 2; diff --git a/backport-CVE-2020-7069-Fix-bug-79601-Wrong-ciphertext-tag-in-AES-CCM-encryp.patch b/backport-CVE-2020-7069-Fix-bug-79601-Wrong-ciphertext-tag-in-AES-CCM-encryp.patch deleted file mode 100644 index 6818eddc404102acdfa805d2612c57ab3af78bf4..0000000000000000000000000000000000000000 
--- a/backport-CVE-2020-7069-Fix-bug-79601-Wrong-ciphertext-tag-in-AES-CCM-encryp.patch
+++ /dev/null
@@ -1,158 +0,0 @@ -From 0216630ea2815a5789a24279a1211ac398d4de79 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 26 Sep 2020 22:08:52 -0700 -Subject: [PATCH] Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption - for a 12 bytes IV) - ---- - ext/openssl/openssl.c | 10 ++++----- - ext/openssl/tests/cipher_tests.inc | 21 +++++++++++++++++ - ext/openssl/tests/openssl_decrypt_ccm.phpt | 22 +++++++++++------- - ext/openssl/tests/openssl_encrypt_ccm.phpt | 26 ++++++++++++++-------- - 4 files changed, 57 insertions(+), 22 deletions(-) - -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index 6c1dd9d3435d..3eea08c64901 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -6391,11 +6391,6 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir - { - char *iv_new; - -- /* Best case scenario, user behaved */ -- if (*piv_len == iv_required_len) { -- return SUCCESS; -- } -- - if (mode->is_aead) { - if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) { - php_error_docref(NULL, E_WARNING, "Setting of IV length for AEAD mode failed"); -@@ -6404,6 +6399,11 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir - return SUCCESS; - } - -+ /* Best case scenario, user behaved */ -+ if (*piv_len == iv_required_len) { -+ return SUCCESS; -+ } -+ - iv_new = ecalloc(1, iv_required_len + 1); - - if (*piv_len == 0) { -diff --git a/ext/openssl/tests/cipher_tests.inc b/ext/openssl/tests/cipher_tests.inc -index b1e46b411e54..779bfa8515cb 100644 ---- a/ext/openssl/tests/cipher_tests.inc -+++ b/ext/openssl/tests/cipher_tests.inc -@@ -1,5 +1,26 @@ - array( -+ array( -+ 'key' => '404142434445464748494a4b4c4d4e4f', -+ 'iv' => '1011121314151617', -+ 'aad' => '000102030405060708090a0b0c0d0e0f', -+ 'tag' => '1fc64fbfaccd', -+ 'pt' => '202122232425262728292a2b2c2d2e2f', -+ 'ct' => 'd2a1f0e051ea5f62081a7792073d593d', -+ ), -+ array( -+ 'key' => 
'404142434445464748494a4b4c4d4e4f', -+ 'iv' => '101112131415161718191a1b', -+ 'aad' => '000102030405060708090a0b0c0d0e0f' . -+ '10111213', -+ 'tag' => '484392fbc1b09951', -+ 'pt' => '202122232425262728292a2b2c2d2e2f' . -+ '3031323334353637', -+ 'ct' => 'e3b201a9f5b71a7a9b1ceaeccd97e70b' . -+ '6176aad9a4428aa5', -+ ), -+ ), - 'aes-256-ccm' => array( - array( - 'key' => '1bde3251d41a8b5ea013c195ae128b21' . -diff --git a/ext/openssl/tests/openssl_decrypt_ccm.phpt b/ext/openssl/tests/openssl_decrypt_ccm.phpt -index a5f01b87cea8..08ef5bb7b7c4 100644 ---- a/ext/openssl/tests/openssl_decrypt_ccm.phpt -+++ b/ext/openssl/tests/openssl_decrypt_ccm.phpt -@@ -10,14 +10,16 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods())) - --FILE-- - $test) { -- echo "TEST $idx\n"; -- $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA, -- $test['iv'], $test['tag'], $test['aad']); -- var_dump($test['pt'] === $pt); -+foreach ($methods as $method) { -+ $tests = openssl_get_cipher_tests($method); -+ foreach ($tests as $idx => $test) { -+ echo "$method - TEST $idx\n"; -+ $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA, -+ $test['iv'], $test['tag'], $test['aad']); -+ var_dump($test['pt'] === $pt); -+ } - } - - // no IV -@@ -32,7 +34,11 @@ var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA, - - ?> - --EXPECTF-- --TEST 0 -+aes-128-ccm - TEST 0 -+bool(true) -+aes-128-ccm - TEST 1 -+bool(true) -+aes-256-ccm - TEST 0 - bool(true) - - Warning: openssl_decrypt(): Setting of IV length for AEAD mode failed in %s on line %d -diff --git a/ext/openssl/tests/openssl_encrypt_ccm.phpt b/ext/openssl/tests/openssl_encrypt_ccm.phpt -index fb5dbbc849d0..8c4c41f81870 100644 ---- a/ext/openssl/tests/openssl_encrypt_ccm.phpt -+++ b/ext/openssl/tests/openssl_encrypt_ccm.phpt -@@ -10,15 +10,17 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods())) - --FILE-- - $test) { -- echo "TEST $idx\n"; -- $ct = 
openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA, -- $test['iv'], $tag, $test['aad'], strlen($test['tag'])); -- var_dump($test['ct'] === $ct); -- var_dump($test['tag'] === $tag); -+foreach ($methods as $method) { -+ $tests = openssl_get_cipher_tests($method); -+ foreach ($tests as $idx => $test) { -+ echo "$method - TEST $idx\n"; -+ $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA, -+ $test['iv'], $tag, $test['aad'], strlen($test['tag'])); -+ var_dump($test['ct'] === $ct); -+ var_dump($test['tag'] === $tag); -+ } - } - - // Empty IV error -@@ -32,7 +34,13 @@ var_dump(strlen($tag)); - var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 16), $tag, '', 1024)); - ?> - --EXPECTF-- --TEST 0 -+aes-128-ccm - TEST 0 -+bool(true) -+bool(true) -+aes-128-ccm - TEST 1 -+bool(true) -+bool(true) -+aes-256-ccm - TEST 0 - bool(true) - bool(true) - diff --git a/backport-CVE-2020-7070-Do-not-decode-cookie-names-anymore.patch b/backport-CVE-2020-7070-Do-not-decode-cookie-names-anymore.patch deleted file mode 100644 index c508d5e803124591a6c66a116bdb3a9e5639893e..0000000000000000000000000000000000000000 --- a/backport-CVE-2020-7070-Do-not-decode-cookie-names-anymore.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 6559fe912661ca5ce5f0eeeb591d928451428ed0 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 20 Sep 2020 18:08:55 -0700 -Subject: [PATCH] Do not decode cookie names anymore - ---- - main/php_variables.c | 8 ++++++-- - tests/basic/022.phpt | 10 +++++++--- - tests/basic/023.phpt | 4 +++- - tests/basic/bug79699.phpt | 22 ++++++++++++++++++++++ - 4 files changed, 38 insertions(+), 6 deletions(-) - create mode 100644 tests/basic/bug79699.phpt - -diff --git a/main/php_variables.c b/main/php_variables.c -index 916fc1295b4c..097c17d32afe 100644 ---- a/main/php_variables.c -+++ b/main/php_variables.c -@@ -492,7 +492,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data) - size_t new_val_len; - - *val++ = '\0'; -- php_url_decode(var, strlen(var)); -+ if (arg != PARSE_COOKIE) { -+ php_url_decode(var, strlen(var)); -+ } - val_len = php_url_decode(val, strlen(val)); - val = estrndup(val, val_len); - if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) { -@@ -503,7 +505,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data) - size_t val_len; - size_t new_val_len; - -- php_url_decode(var, strlen(var)); -+ if (arg != PARSE_COOKIE) { -+ php_url_decode(var, strlen(var)); -+ } - val_len = 0; - val = estrndup("", val_len); - if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) { -diff --git a/tests/basic/022.phpt b/tests/basic/022.phpt -index 0ab70d4be764..bd1db1370182 100644 ---- a/tests/basic/022.phpt -+++ b/tests/basic/022.phpt -@@ -10,7 +10,7 @@ cookie1=val1 ; cookie2=val2%20; cookie3=val 3.; cookie 4= value 4 %3B; cookie1= - var_dump($_COOKIE); - ?> - --EXPECT-- --array(10) { -+array(12) { - ["cookie1"]=> - string(6) "val1 " - ["cookie2"]=> -@@ -19,11 +19,15 @@ array(10) { - string(6) "val 3." 
- ["cookie_4"]=> - string(10) " value 4 ;" -+ ["%20cookie1"]=> -+ string(6) "ignore" -+ ["+cookie1"]=> -+ string(6) "ignore" - ["cookie__5"]=> - string(7) " value" -- ["cookie_6"]=> -+ ["cookie%206"]=> - string(3) "þæö" -- ["cookie_7"]=> -+ ["cookie+7"]=> - string(0) "" - ["$cookie_8"]=> - string(0) "" -diff --git a/tests/basic/023.phpt b/tests/basic/023.phpt -index ca5f1dcfbb1a..0e2e0ac66945 100644 ---- a/tests/basic/023.phpt -+++ b/tests/basic/023.phpt -@@ -10,9 +10,11 @@ c o o k i e=value; c o o k i e= v a l u e ;;c%20o+o k+i%20e=v;name="value","valu - var_dump($_COOKIE); - ?> - --EXPECT-- --array(3) { -+array(4) { - ["c_o_o_k_i_e"]=> - string(5) "value" -+ ["c%20o+o_k+i%20e"]=> -+ string(1) "v" - ["name"]=> - string(24) ""value","value",UEhQIQ==" - ["UEhQIQ"]=> -diff --git a/tests/basic/bug79699.phpt b/tests/basic/bug79699.phpt -new file mode 100644 -index 000000000000..fc3d3fedb08f ---- /dev/null -+++ b/tests/basic/bug79699.phpt -@@ -0,0 +1,22 @@ -+--TEST-- -+Cookies Security Bug -+--INI-- -+max_input_vars=1000 -+filter.default=unsafe_raw -+--COOKIE-- -+__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar -+--FILE-- -+ -+--EXPECT-- -+array(4) { -+ ["__%48ost-evil"]=> -+ string(4) "evil" -+ ["__Host-evil"]=> -+ string(4) "good" -+ ["%66oo"]=> -+ string(3) "baz" -+ ["foo"]=> -+ string(3) "bar" -+} diff --git a/backport-CVE-2021-21704.patch b/backport-CVE-2021-21704.patch deleted file mode 100644 index ab215456dd676ec2f1e67f0571afda014dc13503..0000000000000000000000000000000000000000 --- a/backport-CVE-2021-21704.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 08da7c73726f7b86b67d6f0ff87c73c585a7834a Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Fri, 30 Apr 2021 13:53:21 +0200 -Subject: [PATCH] Fix #76449: SIGSEGV in firebird_handle_doer - -We need to verify that the `result_size` is not larger than our buffer, -and also should make sure that the `len` which is passed to -`isc_vax_integer()` has a permissible value; otherwise we bail out. ---- - ext/pdo_firebird/firebird_driver.c | 9 +++++++++ - ext/pdo_firebird/tests/bug_76449.phpt | 23 +++++++++++++++++++++++ - 2 files changed, 32 insertions(+) - create mode 100644 ext/pdo_firebird/tests/bug_76449.phpt - -diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c -index 6b77e31372d2..b4b2861f9779 100644 ---- a/ext/pdo_firebird/firebird_driver.c -+++ b/ext/pdo_firebird/firebird_driver.c -@@ -206,8 +206,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq - if (result[0] == isc_info_sql_records) { - unsigned i = 3, result_size = isc_vax_integer(&result[1],2); - -+ if (result_size > sizeof(result)) { -+ ret = -1; -+ goto free_statement; -+ } - while (result[i] != isc_info_end && i < result_size) { - short len = (short)isc_vax_integer(&result[i+1],2); -+ /* bail out on bad len */ -+ if (len != 1 && len != 2 && len != 4) { -+ ret = -1; -+ goto free_statement; -+ } - if (result[i] != isc_info_req_select_count) { - ret += isc_vax_integer(&result[i+3],len); - } -diff --git a/ext/pdo_firebird/tests/bug_76449.phpt b/ext/pdo_firebird/tests/bug_76449.phpt -new file mode 100644 -index 000000000000..48a09c1d4ee3 ---- /dev/null -+++ b/ext/pdo_firebird/tests/bug_76449.phpt -@@ -0,0 +1,23 @@ -+--TEST-- -+Bug #76449 (SIGSEGV in firebird_handle_doer) -+--SKIPIF-- -+ -+--FILE-- -+ PDO::ERRMODE_EXCEPTION]); -+var_dump($dbh->exec("INSERT INTO test VALUES ('hihi2', 'xxxxx')")); -+?> -+--EXPECT-- -+bool(false) 
diff --git a/backport-Fix-bug-78079-openssl_encrypt_ccm.phpt-fails-with-op.patch b/backport-Fix-bug-78079-openssl_encrypt_ccm.phpt-fails-with-op.patch
deleted file mode 100644
index 2e80ed3465974c0d4585fe20bcd4dc7937c4dfa9..0000000000000000000000000000000000000000
--- a/backport-Fix-bug-78079-openssl_encrypt_ccm.phpt-fails-with-op.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 2e025794745e09f7d0c72822ad0238bf6d67b2e8 Mon Sep 17 00:00:00 2001
-From: Jakub Zelenka
-Date: Sun, 2 Jun 2019 19:10:56 +0100
-Subject: [PATCH] Fix bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL
- 1.1.1c)
-
-It also fixes invalid setting of tag length
----
- ext/openssl/openssl.c | 5 ++++-
- ext/openssl/tests/openssl_encrypt_ccm.phpt | 12 +++++++++---
- 3 files changed, 17 insertions(+), 4 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 7df50720eb12..91df229c3d45 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -6444,7 +6444,10 @@ static int php_openssl_cipher_init(const EVP_CIPHER *cipher_type,
- return FAILURE;
- }
- if (mode->is_single_run_aead && enc) {
-- EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, NULL);
-+ if (!EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, NULL)) {
-+ php_error_docref(NULL, E_WARNING, "Setting tag length for AEAD cipher failed");
-+ return FAILURE;
-+ }
- } else if (!enc && tag && tag_len > 0) {
- if (!mode->is_aead) {
- php_error_docref(NULL, E_WARNING, "The tag cannot be used because the cipher method does not support AEAD");
-diff --git a/ext/openssl/tests/openssl_encrypt_ccm.phpt b/ext/openssl/tests/openssl_encrypt_ccm.phpt
-index c8610bc96bc4..fb5dbbc849d0 100644
---- a/ext/openssl/tests/openssl_encrypt_ccm.phpt
-+++ b/ext/openssl/tests/openssl_encrypt_ccm.phpt
-@@ -24,9 +24,12 @@ foreach ($tests as $idx => $test) {
- // Empty IV error
- var_dump(openssl_encrypt('data', $method, 'password', 0, NULL, $tag, ''));
-
--// Test setting different IV length and unlimeted tag
--var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 10), $tag, '', 1024));
-+// Test setting different IV length and tag length
-+var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 10), $tag, '', 14));
- var_dump(strlen($tag));
-+
-+// Test setting invalid tag length
-+var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 16), $tag, '', 1024));
- ?>
- --EXPECTF--
- TEST 0
-@@ -36,4 +39,7 @@ bool(true)
- Warning: openssl_encrypt(): Setting of IV length for AEAD mode failed in %s on line %d
- bool(false)
- string(8) "p/lvgA=="
--int(1024)
-+int(14)
-+
-+Warning: openssl_encrypt(): Setting of IV length for AEAD mode failed in %s on line %d
-+bool(false)
diff --git a/be50a72715c141befe6f34ece660745da894aaf3.patch b/be50a72715c141befe6f34ece660745da894aaf3.patch
deleted file mode 100644
index 2bcf82df4cad8095e39fc216713174403af3dec2..0000000000000000000000000000000000000000
--- a/be50a72715c141befe6f34ece660745da894aaf3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From be50a72715c141befe6f34ece660745da894aaf3 Mon Sep 17 00:00:00 2001
-From: Jakub Zelenka
-Date: Sun, 9 Sep 2018 18:53:37 +0100
-Subject: [PATCH] Fix ssl stream reneg limit test to print only after first
- renegotiation
-
-It has been reported that in some setup the test does multiple
-renegotiations which is allowed.
----
- ext/openssl/tests/stream_server_reneg_limit.phpt | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/ext/openssl/tests/stream_server_reneg_limit.phpt b/ext/openssl/tests/stream_server_reneg_limit.phpt
-index f0353351a23a..f033cbabe343 100644
---- a/ext/openssl/tests/stream_server_reneg_limit.phpt
-+++ b/ext/openssl/tests/stream_server_reneg_limit.phpt
-@@ -22,14 +22,18 @@ if(substr(PHP_OS, 0, 3) == 'WIN') {
- */
-
- $serverCode = <<<'CODE'
-+ $printed = false;
- $serverUri = "ssl://127.0.0.1:64321";
- $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
- $serverCtx = stream_context_create(['ssl' => [
- 'local_cert' => __DIR__ . '/bug54992.pem',
- 'reneg_limit' => 0,
- 'reneg_window' => 30,
-- 'reneg_limit_callback' => function($stream) {
-- var_dump($stream);
-+ 'reneg_limit_callback' => function($stream) use (&$printed) {
-+ if (!$printed) {
-+ $printed = true;
-+ var_dump($stream);
-+ }
- }
- ]]);
-
diff --git a/c1729272b17a1fe893d1a54e423d3b71470f3ee8.patch b/c1729272b17a1fe893d1a54e423d3b71470f3ee8.patch
deleted file mode 100644
index d9451923904982c815027a6029126c3e00f08628..0000000000000000000000000000000000000000
--- a/c1729272b17a1fe893d1a54e423d3b71470f3ee8.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From c1729272b17a1fe893d1a54e423d3b71470f3ee8 Mon Sep 17 00:00:00 2001
-From: Remi Collet
-Date: Wed, 29 Aug 2018 09:10:59 +0200
-Subject: [PATCH] fix double cast to int on 32-bit
-
----
- Zend/zend_operators.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
-index cafb14d4cc25..9a8a40142433 100644
---- a/Zend/zend_operators.c
-+++ b/Zend/zend_operators.c
-@@ -3101,7 +3101,7 @@ ZEND_API zend_long ZEND_FASTCALL zend_dval_to_lval_slow(double d)
- if (dmod < 0) {
- /* we're going to make this number positive; call ceil()
- * to simulate rounding towards 0 of the negative number */
-- dmod = ceil(dmod);// + two_pow_32;
-+ dmod = ceil(dmod) + two_pow_32;
- }
- return (zend_long)(zend_ulong)dmod;
- }
diff --git a/cd0a37994e3cbf1f0aa1174155d3d662cefe2e7a.patch b/cd0a37994e3cbf1f0aa1174155d3d662cefe2e7a.patch
deleted file mode 100644
index 0cb89c82dcc057e7aef48f6543658df8dff556af..0000000000000000000000000000000000000000
--- a/cd0a37994e3cbf1f0aa1174155d3d662cefe2e7a.patch
+++ /dev/null
@@ -1,38 +0,0 @@ -From cd0a37994e3cbf1f0aa1174155d3d662cefe2e7a Mon Sep 17 00:00:00 2001 -From: Jakub Zelenka -Date: Sun, 2 Sep 2018 20:00:08 +0100 -Subject: [PATCH] Fix stream_security_level.phpt with OpenSSL 1.1.1 - ---- - ext/openssl/tests/stream_security_level.phpt | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/ext/openssl/tests/stream_security_level.phpt b/ext/openssl/tests/stream_security_level.phpt -index fb1d36a58624..26fedcf670e9 100644 ---- a/ext/openssl/tests/stream_security_level.phpt -+++ b/ext/openssl/tests/stream_security_level.phpt -@@ -5,6 +5,7 @@ security_level setting to prohibit cert - if (!extension_loaded("openssl")) die("skip openssl not loaded"); - if (OPENSSL_VERSION_NUMBER < 0x10100000) die("skip OpenSSL >= v1.1.0 required"); - if (!function_exists("proc_open")) die("skip no proc_open"); -+?> - --FILE-- - [ -- 'security_level' => 3, -+ 'security_level' => 2, - 'verify_peer' => true, - 'cafile' => __DIR__ . '/bug54992-ca.pem', - 'verify_peer_name' => false -@@ -38,6 +39,7 @@ CODE; - - include 'ServerClientTestCase.inc'; - ServerClientTestCase::getInstance()->run($clientCode, $serverCode); -+?> - --EXPECTF-- - Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d diff --git a/php-5.4.0-phpize.patch b/php-7.2.12-phpize.patch similarity index 60% rename from php-5.4.0-phpize.patch rename to php-7.2.12-phpize.patch index e666e45b64ffcdab87f00e77091dbb441fc5f5fc..77913a587a4dc1b6c7ac177b4c80539d543b6cb6 100644 --- a/php-5.4.0-phpize.patch +++ b/php-7.2.12-phpize.patch 
@@ -1,6 +1,7 @@ ---- php-5.4.0RC5/scripts/phpize.in.orig 2012-01-18 17:13:54.018022983 +0100 -+++ php-5.4.0RC5/scripts/phpize.in 2012-01-18 17:14:40.614024941 +0100 -@@ -162,6 +162,15 @@ +diff -up php-7.2.12RC1/scripts/phpize.in.headers php-7.2.12RC1/scripts/phpize.in +--- php-7.2.12RC1/scripts/phpize.in.headers 2018-10-23 11:47:43.000000000 +0200 ++++ php-7.2.12RC1/scripts/phpize.in 2018-10-23 11:49:51.651818777 +0200 +@@ -162,6 +162,15 @@ phpize_autotools() $PHP_AUTOHEADER || exit 1 } @@ -15,8 +16,8 @@ + # Main script - case "$1" in -@@ -180,12 +189,15 @@ + case "$1" in +@@ -180,12 +189,15 @@ case "$1" in # Version --version|-v) diff --git a/php-7.2.3-systzdata-v16.patch b/php-7.2.16-systzdata-v17.patch similarity index 95% rename from php-7.2.3-systzdata-v16.patch rename to php-7.2.16-systzdata-v17.patch index e488beb9c503de63308e32743ea5a522b4b3498f..640bff20eb81807ba549fd09bb9bb55d78b73563 100644 --- a/php-7.2.3-systzdata-v16.patch +++ b/php-7.2.16-systzdata-v17.patch @@ -5,6 +5,7 @@ Add support for use of the system timezone database, rather than embedding a copy. Discussed upstream but was not desired. History: +r17: adapt for autotool change in 7.2.16RC1 r16: adapt for timelib 2017.06 (in 7.2.3RC1) r15: adapt for timelib 2017.05beta7 (in 7.2.0RC1) r14: improve check for valid tz file 
@@ -27,9 +28,32 @@ r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) r2: add filesystem trawl to set up name alias index r1: initial revision -diff -up php-7.2.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.2.3RC1/ext/date/lib/parse_tz.c ---- php-7.2.3RC1/ext/date/lib/parse_tz.c.systzdata 2018-02-13 20:18:34.000000000 +0100 -+++ php-7.2.3RC1/ext/date/lib/parse_tz.c 2018-02-14 06:14:23.484804852 +0100 +diff -up php-7.2.16RC1/ext/date/config0.m4.systzdata php-7.2.16RC1/ext/date/config0.m4 +--- php-7.2.16RC1/ext/date/config0.m4.systzdata 2019-02-19 11:22:22.223741585 +0100 ++++ php-7.2.16RC1/ext/date/config0.m4 2019-02-19 11:23:05.089111556 +0100 +@@ -10,6 +10,19 @@ io.h + dnl Check for strtoll, atoll + AC_CHECK_FUNCS(strtoll atoll) + ++PHP_ARG_WITH(system-tzdata, for use of system timezone data, ++[ --with-system-tzdata[=DIR] to specify use of system timezone data], ++no, no) ++ ++if test "$PHP_SYSTEM_TZDATA" != "no"; then ++ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) ++ ++ if test "$PHP_SYSTEM_TZDATA" != "yes"; then ++ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", ++ [Define for location of system timezone data]) ++ fi ++fi ++ + PHP_DATE_CFLAGS="-I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1" + timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c + lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c" +diff -up php-7.2.16RC1/ext/date/lib/parse_tz.c.systzdata php-7.2.16RC1/ext/date/lib/parse_tz.c +--- php-7.2.16RC1/ext/date/lib/parse_tz.c.systzdata 2019-02-19 11:13:22.000000000 +0100 ++++ php-7.2.16RC1/ext/date/lib/parse_tz.c 2019-02-19 11:19:40.245313535 +0100 @@ -25,8 +25,21 @@ #include "timelib.h" #include "timelib_private.h" 
@@ -632,23 +656,3 @@ diff -up php-7.2.3RC1/ext/date/lib/parse_tz.c.systzdata php-7.2.3RC1/ext/date/li } else { *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE; tmp = NULL; -diff -up php-7.2.3RC1/ext/date/lib/timelib.m4.systzdata php-7.2.3RC1/ext/date/lib/timelib.m4 ---- php-7.2.3RC1/ext/date/lib/timelib.m4.systzdata 2018-02-13 20:18:34.000000000 +0100 -+++ php-7.2.3RC1/ext/date/lib/timelib.m4 2018-02-14 06:11:54.273089963 +0100 -@@ -81,3 +81,16 @@ io.h - - dnl Check for strtoll, atoll - AC_CHECK_FUNCS(strtoll atoll strftime gettimeofday) -+ -+PHP_ARG_WITH(system-tzdata, for use of system timezone data, -+[ --with-system-tzdata[=DIR] to specify use of system timezone data], -+no, no) -+ -+if test "$PHP_SYSTEM_TZDATA" != "no"; then -+ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) -+ -+ if test "$PHP_SYSTEM_TZDATA" != "yes"; then -+ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", -+ [Define for location of system timezone data]) -+ fi -+fi diff --git a/php-7.2.10.tar.xz b/php-7.2.34.tar.xz similarity index 59% rename from php-7.2.10.tar.xz rename to php-7.2.34.tar.xz index f1cae0ba6eb3bd3fa124ad1e2025cbeeb3a628d4..eec59190fa506c85918fee16b570babbed1c5a0f 100644 Binary files a/php-7.2.10.tar.xz and b/php-7.2.34.tar.xz differ diff --git a/php-CVE-2018-20783.patch b/php-CVE-2018-20783.patch deleted file mode 100644 index 7511507b9ad19331f6d194cba37b10460bc6362d..0000000000000000000000000000000000000000 --- a/php-CVE-2018-20783.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -From e7c8e6cde021afd637ea535b0641a1851e57fb2a Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 12 Nov 2018 14:02:26 -0800 -Subject: [PATCH] Fix bug #77143 - add more checks to buffer reads - ---- - NEWS | 4 ++++ - ext/phar/phar.c | 30 +++++++++++++++++++++--------- - ext/phar/tests/bug73768.phpt | 2 +- - ext/phar/tests/bug77143.phar | Bin 0 -> 50 bytes - ext/phar/tests/bug77143.phpt | 18 ++++++++++++++++++ - 5 files changed, 44 insertions(+), 10 deletions(-) - create mode 100644 ext/phar/tests/bug77143.phar - create mode 100644 ext/phar/tests/bug77143.phpt - -diff -Nur php-7.2.10/NEWS php-7.2.10_bak/NEWS ---- php-7.2.10/NEWS 2018-09-11 15:06:00.000000000 +0800 -+++ php-7.2.10_bak/NEWS 2019-04-04 17:41:54.869000000 +0800 -@@ -136,6 +136,10 @@ - . Fixed bug #76477 (Opcache causes empty return value). - (Nikita, Laruence) - -+- Phar: -+ . Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile). -+ (Stas) -+ - - PGSQL: - . Fixed bug #76548 (pg_fetch_result did not fetch the next row). (Anatol) - -diff -Nur php-7.2.10/ext/phar/phar.c php-7.2.10_bak/ext/phar/phar.c ---- php-7.2.10/ext/phar/phar.c 2019-04-04 17:39:04.158000000 +0800 -+++ php-7.2.10_bak/ext/phar/phar.c 2019-04-04 17:49:51.807000000 +0800 -@@ -643,6 +643,18 @@ - /* }}}*/ - - /** -+ * Size of fixed fields in the manifest. -+ * See: http://php.net/manual/en/phar.fileformat.phar.php -+ */ -+#define MANIFEST_FIXED_LEN 18 -+ -+#define SAFE_PHAR_GET_32(buffer, endbuffer, var) \ -+ if (UNEXPECTED(buffer + 4 > endbuffer)) { \ -+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)"); \ -+ } \ -+ PHAR_GET_32(buffer, var); -+ -+/** - * Does not check for a previously opened phar in the cache. 
- * - * Parse a new one and add it to the cache, returning either SUCCESS or -@@ -725,7 +737,7 @@ - savebuf = buffer; - endbuffer = buffer + manifest_len; - -- if (manifest_len < 10 || manifest_len != php_stream_read(fp, buffer, manifest_len)) { -+ if (manifest_len < MANIFEST_FIXED_LEN || manifest_len != php_stream_read(fp, buffer, manifest_len)) { - MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)") - } - -@@ -750,7 +762,7 @@ - return FAILURE; - } - -- PHAR_GET_32(buffer, manifest_flags); -+ SAFE_PHAR_GET_32(buffer, endbuffer, manifest_flags); - - manifest_flags &= ~PHAR_HDR_COMPRESSION_MASK; - manifest_flags &= ~PHAR_FILE_COMPRESSION_MASK; -@@ -970,13 +982,13 @@ - } - - /* extract alias */ -- PHAR_GET_32(buffer, tmp_len); -+ SAFE_PHAR_GET_32(buffer, endbuffer, tmp_len); - - if (buffer + tmp_len > endbuffer) { - MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)"); - } - -- if (manifest_len < 10 + tmp_len) { -+ if (manifest_len < MANIFEST_FIXED_LEN + tmp_len) { - MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)") - } - -@@ -1014,7 +1026,7 @@ - } - - /* we have 5 32-bit items plus 1 byte at least */ -- if (manifest_count > ((manifest_len - 10 - tmp_len) / (5 * 4 + 1))) { -+ if (manifest_count > ((manifest_len - MANIFEST_FIXED_LEN - tmp_len) / (5 * 4 + 1))) { - /* prevent serious memory issues */ - MAPPHAR_FAIL("internal corruption of phar \"%s\" (too many manifest entries for size of manifest)") - } -@@ -1023,12 +1035,12 @@ - mydata->is_persistent = PHAR_G(persist); - - /* check whether we have meta data, zero check works regardless of byte order */ -- PHAR_GET_32(buffer, len); -+ SAFE_PHAR_GET_32(buffer, endbuffer, len); - if (mydata->is_persistent) { - mydata->metadata_len = len; -- if(!len) { -+ if (!len) { - /* FIXME: not sure why this is needed but removing it breaks tests */ -- PHAR_GET_32(buffer, len); -+ SAFE_PHAR_GET_32(buffer, endbuffer, len); - } - } - if(len > (size_t)(endbuffer - 
buffer)) { -diff -Nur php-7.2.10/ext/phar/tests/bug73768.phpt php-7.2.10_bak/ext/phar/tests/bug73768.phpt ---- php-7.2.10/ext/phar/tests/bug73768.phpt 2018-09-11 15:06:03.000000000 +0800 -+++ php-7.2.10_bak/ext/phar/tests/bug73768.phpt 2019-04-04 17:50:51.796000000 +0800 -@@ -13,4 +13,4 @@ - } - ?> - --EXPECTF-- --cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar" -+internal corruption of phar "%sbug73768.phar" (truncated manifest header) -diff --git a/ext/phar/tests/bug77143.phpt b/ext/phar/tests/bug77143.phpt -new file mode 100644 -index 0000000..f9f80fc ---- /dev/null -+++ b/ext/phar/tests/bug77143.phpt -@@ -0,0 +1,18 @@ -+--TEST-- -+PHP bug #77143: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile -+--INI-- -+phar.readonly=0 -+--SKIPIF-- -+ -+--FILE-- -+getMessage(); -+} -+?> -+--EXPECTF-- -+internal corruption of phar "%sbug77143.phar" (truncated manifest header) --- -2.1.4 - diff --git a/php-CVE-2019-9641.patch b/php-CVE-2019-9641.patch deleted file mode 100644 index e49b455e44ebc11de19a5e56afb17a4b5695851a..0000000000000000000000000000000000000000 --- a/php-CVE-2019-9641.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -commit 25aa5f434dfb3337a6617b46224f1b505053d8e9 -Author: Stanislav Malyshev -Date: Fri Mar 1 23:25:45 2019 -0800 - - Fix integer overflows on 32-bits - -diff --git a/ext/exif/exif.c b/ext/exif/exif.c -index cbde3effed..b4563927a5 100644 ---- a/ext/exif/exif.c -+++ b/ext/exif/exif.c -@@ -3567,10 +3567,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse - tag_table_type tag_table = exif_get_tag_table(section_index); - - if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { -- return FALSE; -- } -+ return FALSE; -+ } - -- if (ImageInfo->FileSize >= dir_offset+2) { -+ if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) { - sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); - #ifdef EXIF_DEBUG - exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2); -@@ -3578,8 +3578,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse - php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */ - php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2); - num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel); -- dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; -- if (ImageInfo->FileSize >= dir_offset+dir_size) { -+ dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; -+ if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) { - #ifdef EXIF_DEBUG - exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries); - #endif -@@ -3662,9 +3662,9 @@ static int 
exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse - } - } - } -- if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) { -+ if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) { - if (ifd_size > dir_size) { -- if (dir_offset + ifd_size > ImageInfo->FileSize) { -+ if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) { - exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size); - return FALSE; - } diff --git a/php-bug76450.patch b/php-bug76450.patch new file mode 100644 index 0000000000000000000000000000000000000000..e1cffa629f46922e4898d2d449740c9c5c8a7a48 --- /dev/null +++ b/php-bug76450.patch 
@@ -0,0 +1,208 @@ +From 18aadb2d10b70f40f67b3fa233f67f366d7d2572 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 5 May 2021 12:42:17 +0200 +Subject: [PATCH 3/7] Fix #76452: Crash while parsing blob data in + firebird_fetch_blob + +We need to prevent integer overflow when calling `erealloc()` with +`len+1`. + +(cherry picked from commit 286162e9b03071c4308e7e92597bca4239f49d89) +--- + ext/pdo_firebird/firebird_statement.c | 5 +++++ + ext/pdo_firebird/tests/bug_76452.data | Bin 0 -> 856 bytes + ext/pdo_firebird/tests/bug_76452.phpt | 31 ++++++++++++++++++++++++++ + 3 files changed, 36 insertions(+) + create mode 100644 ext/pdo_firebird/tests/bug_76452.data + create mode 100644 ext/pdo_firebird/tests/bug_76452.phpt + +diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c +index 1c0f5b6071..c5e6b684c3 100644 +--- a/ext/pdo_firebird/firebird_statement.c ++++ b/ext/pdo_firebird/firebird_statement.c +@@ -294,6 +294,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ * + unsigned short seg_len; + ISC_STATUS stat; + ++ /* prevent overflow */ ++ if (*len == ZEND_ULONG_MAX) { ++ result = 0; ++ goto fetch_blob_end; ++ } + *ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1); + + for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) { + +From e968635df5b42b9358c08f3c57bf15f24e4de62e Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Fri, 30 Apr 2021 14:10:50 +0200 +Subject: [PATCH 4/7] Fix #76450: SIGSEGV in firebird_stmt_execute + +We need to verify that the `result_size` is not larger than our buffer, +and also should make sure that the `len` which is passed to +`isc_vax_integer()` has a permissible value; otherwise we bail out. 
+ +(cherry picked from commit bcbf8aa0c96d8d9e81ec3428232485555fae0b37) +--- + ext/pdo_firebird/firebird_statement.c | 7 +++++++ + ext/pdo_firebird/tests/bug_76450.data | Bin 0 -> 464 bytes + ext/pdo_firebird/tests/bug_76450.phpt | 29 ++++++++++++++++++++++++++ + 3 files changed, 36 insertions(+) + create mode 100644 ext/pdo_firebird/tests/bug_76450.data + create mode 100644 ext/pdo_firebird/tests/bug_76450.phpt + +diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c +index c5e6b684c3..bdde6c7cf2 100644 +--- a/ext/pdo_firebird/firebird_statement.c ++++ b/ext/pdo_firebird/firebird_statement.c +@@ -133,8 +133,14 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */ + } + if (result[0] == isc_info_sql_records) { + unsigned i = 3, result_size = isc_vax_integer(&result[1], 2); ++ if (result_size > sizeof(result)) { ++ goto error; ++ } + while (result[i] != isc_info_end && i < result_size) { + short len = (short) isc_vax_integer(&result[i + 1], 2); ++ if (len != 1 && len != 2 && len != 4) { ++ goto error; ++ } + if (result[i] != isc_info_req_select_count) { + affected_rows += isc_vax_integer(&result[i + 3], len); + } +@@ -158,6 +164,7 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */ + return 1; + } while (0); + ++error: + RECORD_ERROR(stmt); + + return 0; + +From 6c114f1907051632e02cdc45de8b4b249d84e7df Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Fri, 30 Apr 2021 13:53:21 +0200 +Subject: [PATCH 5/7] Fix #76449: SIGSEGV in firebird_handle_doer + +We need to verify that the `result_size` is not larger than our buffer, +and also should make sure that the `len` which is passed to +`isc_vax_integer()` has a permissible value; otherwise we bail out. 
+ +(cherry picked from commit 08da7c73726f7b86b67d6f0ff87c73c585a7834a) +--- + ext/pdo_firebird/firebird_driver.c | 9 +++++++++ + ext/pdo_firebird/tests/bug_76449.data | Bin 0 -> 464 bytes + ext/pdo_firebird/tests/bug_76449.phpt | 23 +++++++++++++++++++++++ + 3 files changed, 32 insertions(+) + create mode 100644 ext/pdo_firebird/tests/bug_76449.data + create mode 100644 ext/pdo_firebird/tests/bug_76449.phpt + +diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c +index 3060615e8d..c9f90fdef1 100644 +--- a/ext/pdo_firebird/firebird_driver.c ++++ b/ext/pdo_firebird/firebird_driver.c +@@ -206,8 +206,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq + if (result[0] == isc_info_sql_records) { + unsigned i = 3, result_size = isc_vax_integer(&result[1],2); + ++ if (result_size > sizeof(result)) { ++ ret = -1; ++ goto free_statement; ++ } + while (result[i] != isc_info_end && i < result_size) { + short len = (short)isc_vax_integer(&result[i+1],2); ++ /* bail out on bad len */ ++ if (len != 1 && len != 2 && len != 4) { ++ ret = -1; ++ goto free_statement; ++ } + if (result[i] != isc_info_req_select_count) { + ret += isc_vax_integer(&result[i+3],len); + } + +From c9bdb0c993a079102ce854ef7859087170e7b9a1 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Thu, 29 Apr 2021 15:26:22 +0200 +Subject: [PATCH 6/7] Fix #76448: Stack buffer overflow in firebird_info_cb + +We ensure not to overflow the stack allocated buffer by using `strlcat`. 
+ +(cherry picked from commit 67afa32541ebc4abbf633cb1e7e879b2fbb616ad) +--- + ext/pdo_firebird/firebird_driver.c | 8 +++++--- + ext/pdo_firebird/tests/bug_76448.data | Bin 0 -> 749 bytes + ext/pdo_firebird/tests/bug_76448.phpt | 23 +++++++++++++++++++++++ + 3 files changed, 28 insertions(+), 3 deletions(-) + create mode 100644 ext/pdo_firebird/tests/bug_76448.data + create mode 100644 ext/pdo_firebird/tests/bug_76448.phpt + +diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c +index c9f90fdef1..1e2e7746fa 100644 +--- a/ext/pdo_firebird/firebird_driver.c ++++ b/ext/pdo_firebird/firebird_driver.c +@@ -509,14 +509,16 @@ static int firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v + } + /* }}} */ + ++#define INFO_BUF_LEN 512 ++ + /* callback to used to report database server info */ + static void firebird_info_cb(void *arg, char const *s) /* {{{ */ + { + if (arg) { + if (*(char*)arg) { /* second call */ +- strcat(arg, " "); ++ strlcat(arg, " ", INFO_BUF_LEN); + } +- strcat(arg, s); ++ strlcat(arg, s, INFO_BUF_LEN); + } + } + /* }}} */ +@@ -527,7 +529,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v + pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data; + + switch (attr) { +- char tmp[512]; ++ char tmp[INFO_BUF_LEN]; + + case PDO_ATTR_AUTOCOMMIT: + ZVAL_LONG(val,dbh->auto_commit); + +From 7598733c51af30611aa64e456c9a777069d2efb9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 20 Jun 2021 22:20:38 -0700 +Subject: [PATCH 7/7] Update NEWS + +(cherry picked from commit c68a687566591e2268f35d124a90c7d556ce968b) +--- + NEWS | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/NEWS b/NEWS +index e331598176..f083e44dcc 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,19 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.3.29 ++ ++- Core: ++ . 
Fixed #81122: SSRF bypass in FILTER_VALIDATE_URL. (CVE-2021-21705) (cmb) ++ ++- PDO_Firebird: ++ . Fixed #76448: Stack buffer overflow in firebird_info_cb. (CVE-2021-21704) ++ (cmb) ++ . Fixed #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704) (cmb) ++ . Fixed #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704) (cmb) ++ . Fixed #76452: Crash while parsing blob data in firebird_fetch_blob. ++ (CVE-2021-21704) (cmb) ++ + Backported from 7.3.28 + + - Imap: +-- +2.31.1 + diff --git a/backport-CVE-2020-7071-Fix-bug-77423.patch b/php-bug77423.patch similarity index 44% rename from backport-CVE-2020-7071-Fix-bug-77423.patch rename to php-bug77423.patch index ced3680444c50acbd5287e54eeeff2e69268cbe9..5d61bc1f7a3e98ceea8e06ef3987221d17e39c89 100644 --- a/backport-CVE-2020-7071-Fix-bug-77423.patch +++ b/php-bug77423.patch 
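Review bot: The added `result_size > sizeof(result)` and `len` checks in firebird_stmt_execute do not cover the reads that follow them: the loop condition still evaluates `result[i]` before testing `i < result_size`, and `isc_vax_integer(&result[i + 1], 2)` / `isc_vax_integer(&result[i + 3], len)` read up to `len + 3` bytes past `i` with no comparison against `result_size`, so an info block whose last item sits near the end of the declared data can still read beyond it (and beyond the buffer when `result_size == sizeof(result)`; the declaration of `result` and the loop increment are outside the hunk). I would reorder the condition to `while (i < result_size && result[i] != isc_info_end) {` and widen the length check to `if ((len != 1 && len != 2 && len != 4) || i + 3 + (unsigned)len > result_size) { goto error; }`, then mirror both in firebird_handle_doer, which repeats the same loop. Separately, the NEWS hunk adds an entry for #81122 (CVE-2021-21705, FILTER_VALIDATE_URL), but this patch file carries only the PDO_Firebird commits ([PATCH 3/7] through [PATCH 7/7]); unless that fix lands in another patch of the series, the entry claims a fix this build does not contain.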
@@ -194,3 +194,272 @@ index 1dd073e2bb42..8d155bb9846c 100644 /* check for port */ if (s < ue && *s == '[' && *(e-1) == ']') { /* Short circuit portscan, +From 22756113c67b9fc7dce542c80722f24351e85a45 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 7 Jan 2021 11:42:58 +0100 +Subject: [PATCH] NEWS + +--- + NEWS | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/NEWS b/NEWS +index 1f037cb301..7f2d588c4d 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ++ ++Backported from 7.3.26 ++ ++- Standard: ++ . Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). ++ (CVE-2020-7071) (cmb) ++ + 01 Oct 2020, PHP 7.2.34 + + - Core: +From 356f7008f36da60ec9794d48c55d117f1dd31903 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 19 Jan 2021 11:23:25 +0100 +Subject: [PATCH] Alternative fix for bug 77423 + +That bug report originally was about `parse_url()` misbehaving, but the +security aspect was actually only regarding `FILTER_VALIDATE_URL`. +Since the changes to `parse_url_ex()` apparently affect userland code +which is relying on the sloppy URL parsing[1], this alternative +restores the old parsing behavior, but ensures that the userinfo is +checked for correctness for `FILTER_VALIDATE_URL`. 
+ +[1] + +(cherry picked from commit 4a89e726bd4d0571991dc22a9a1ad4509e8fe347) +(cherry picked from commit 9c673083cd46ee2a954a62156acbe4b6e657c048) +--- + ext/filter/logical_filters.c | 25 +++++++++++++++++++ + .../tests/url => filter/tests}/bug77423.phpt | 15 ----------- + ext/standard/tests/strings/url_t.phpt | 6 +++-- + .../tests/url/parse_url_basic_001.phpt | 6 +++-- + .../tests/url/parse_url_basic_003.phpt | 2 +- + .../tests/url/parse_url_basic_005.phpt | 2 +- + .../tests/url/parse_url_unterminated.phpt | 6 +++-- + ext/standard/url.c | 21 ---------------- + 8 files changed, 39 insertions(+), 44 deletions(-) + rename ext/{standard/tests/url => filter/tests}/bug77423.phpt (53%) + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index b2d0264b76..ad0956a505 100644 +--- a/ext/filter/logical_filters.c ++++ b/ext/filter/logical_filters.c +@@ -514,6 +514,24 @@ void php_filter_validate_domain(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + } + /* }}} */ + ++static int is_userinfo_valid(char *str) ++{ ++ const char *valid = "-._~!$&'()*+,;=:"; ++ const char *p = str; ++ size_t len = strlen(str); ++ ++ while (p - str < len) { ++ if (isalpha(*p) || isdigit(*p) || strchr(valid, *p)) { ++ p++; ++ } else if (*p == '%' && p - str <= len - 3 && isdigit(*(p+1)) && isxdigit(*(p+2))) { ++ p += 3; ++ } else { ++ return 0; ++ } ++ } ++ return 1; ++} ++ + void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ + { + php_url *url; +@@ -568,6 +586,13 @@ bad_url: + php_url_free(url); + RETURN_VALIDATION_FAILED + } ++ ++ if (url->user != NULL && !is_userinfo_valid(url->user)) { ++ php_url_free(url); ++ RETURN_VALIDATION_FAILED ++ ++ } ++ + php_url_free(url); + } + /* }}} */ +diff --git a/ext/standard/tests/url/bug77423.phpt b/ext/filter/tests/bug77423.phpt +similarity index 53% +rename from ext/standard/tests/url/bug77423.phpt +rename to ext/filter/tests/bug77423.phpt +index be03fe95e2..761c7c359a 100644 +--- a/ext/standard/tests/url/bug77423.phpt ++++ 
b/ext/filter/tests/bug77423.phpt +@@ -8,23 +8,8 @@ $urls = array( + ); + foreach ($urls as $url) { + var_dump(filter_var($url, FILTER_VALIDATE_URL)); +- var_dump(parse_url($url)); + } + ?> + --EXPECT-- + bool(false) +-array(3) { +- ["scheme"]=> +- string(4) "http" +- ["host"]=> +- string(19) "php.net\@aliyun.com" +- ["path"]=> +- string(7) "/aaa.do" +-} + bool(false) +-array(2) { +- ["scheme"]=> +- string(5) "https" +- ["host"]=> +- string(26) "example.com\uFF03@bing.com" +-} +diff --git a/ext/standard/tests/strings/url_t.phpt b/ext/standard/tests/strings/url_t.phpt +index f564f59f06..79ff3bc4a8 100644 +--- a/ext/standard/tests/strings/url_t.phpt ++++ b/ext/standard/tests/strings/url_t.phpt +@@ -575,13 +575,15 @@ $sample_urls = array ( + string(16) "some_page_ref123" + } + +---> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(6) { ++--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(7) { + ["scheme"]=> + string(4) "http" + ["host"]=> +- string(26) "secret@hideout@www.php.net" ++ string(11) "www.php.net" + ["port"]=> + int(80) ++ ["user"]=> ++ string(14) "secret@hideout" + ["path"]=> + string(10) "/index.php" + ["query"]=> +diff --git a/ext/standard/tests/url/parse_url_basic_001.phpt b/ext/standard/tests/url/parse_url_basic_001.phpt +index 5101099132..4606849c57 100644 +--- a/ext/standard/tests/url/parse_url_basic_001.phpt ++++ b/ext/standard/tests/url/parse_url_basic_001.phpt +@@ -506,13 +506,15 @@ echo "Done"; + string(16) "some_page_ref123" + } + +---> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(6) { ++--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(7) { + ["scheme"]=> + string(4) "http" + ["host"]=> +- string(26) "secret@hideout@www.php.net" ++ string(11) "www.php.net" + ["port"]=> + int(80) ++ ["user"]=> ++ string(14) "secret@hideout" + 
["path"]=> + string(10) "/index.php" + ["query"]=> +diff --git a/ext/standard/tests/url/parse_url_basic_003.phpt b/ext/standard/tests/url/parse_url_basic_003.phpt +index 7968fd3f09..3d5a4a344a 100644 +--- a/ext/standard/tests/url/parse_url_basic_003.phpt ++++ b/ext/standard/tests/url/parse_url_basic_003.phpt +@@ -68,7 +68,7 @@ echo "Done"; + --> http://secret:@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net" + --> http://:hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net" + --> http://secret:hideout@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net" +---> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(26) "secret@hideout@www.php.net" ++--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net" + --> http://secret:hid:out@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(11) "www.php.net" + --> nntp://news.php.net : string(12) "news.php.net" + --> ftp://ftp.gnu.org/gnu/glic/glibc.tar.gz : string(11) "ftp.gnu.org" +diff --git a/ext/standard/tests/url/parse_url_basic_005.phpt b/ext/standard/tests/url/parse_url_basic_005.phpt +index ba778bf903..aefb33964b 100644 +--- a/ext/standard/tests/url/parse_url_basic_005.phpt ++++ b/ext/standard/tests/url/parse_url_basic_005.phpt +@@ -68,7 +68,7 @@ echo "Done"; + --> http://secret:@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(6) "secret" + --> http://:hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(0) "" + --> http://secret:hideout@www.php.net/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(6) "secret" +---> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : NULL ++--> 
http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(14) "secret@hideout" + --> http://secret:hid:out@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123 : string(6) "secret" + --> nntp://news.php.net : NULL + --> ftp://ftp.gnu.org/gnu/glic/glibc.tar.gz : NULL +diff --git a/ext/standard/tests/url/parse_url_unterminated.phpt b/ext/standard/tests/url/parse_url_unterminated.phpt +index 875d93a109..912b6a5641 100644 +--- a/ext/standard/tests/url/parse_url_unterminated.phpt ++++ b/ext/standard/tests/url/parse_url_unterminated.phpt +@@ -508,13 +508,15 @@ echo "Done"; + string(16) "some_page_ref123" + } + +---> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(6) { ++--> http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123: array(7) { + ["scheme"]=> + string(4) "http" + ["host"]=> +- string(26) "secret@hideout@www.php.net" ++ string(11) "www.php.net" + ["port"]=> + int(80) ++ ["user"]=> ++ string(14) "secret@hideout" + ["path"]=> + string(10) "/index.php" + ["query"]=> +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 8d155bb984..1dd073e2bb 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -92,22 +92,6 @@ PHPAPI php_url *php_url_parse(char const *str) + return php_url_parse_ex(str, strlen(str)); + } + +-static int is_userinfo_valid(const char *str, size_t len) +-{ +- char *valid = "-._~!$&'()*+,;=:"; +- char *p = str; +- while (p - str < len) { +- if (isalpha(*p) || isdigit(*p) || strchr(valid, *p)) { +- p++; +- } else if (*p == '%' && p - str <= len - 3 && isdigit(*(p+1)) && isxdigit(*(p+2))) { +- p += 3; +- } else { +- return 0; +- } +- } +- return 1; +-} +- + /* {{{ php_url_parse + */ + PHPAPI php_url *php_url_parse_ex(char const *str, size_t length) +@@ -251,18 +235,13 @@ PHPAPI php_url *php_url_parse_ex(char const *str, size_t length) + ret->pass = estrndup(pp, (p-pp)); + 
php_replace_controlchars_ex(ret->pass, (p-pp)); + } else { +- if (!is_userinfo_valid(s, p-s)) { +- goto check_port; +- } + ret->user = estrndup(s, (p-s)); + php_replace_controlchars_ex(ret->user, (p-s)); +- + } + + s = p + 1; + } + +-check_port: + /* check for port */ + if (s < ue && *s == '[' && *(e-1) == ']') { + /* Short circuit portscan, +-- +2.29.2 + diff --git a/backport-CVE-2021-21707.patch b/php-bug79971.patch similarity index 74% rename from backport-CVE-2021-21707.patch rename to php-bug79971.patch index a0a0a80075fc8d93743675d84d8f018d5750f0e8..9f31d286ce17b9c3a38f701516975c0cd230ca3c 100644 --- a/backport-CVE-2021-21707.patch +++ b/php-bug79971.patch @@ -1,13 +1,15 @@ -From f15f8fc573eb38c3c73e23e0930063a6f6409ed4 Mon Sep 17 00:00:00 2001 +From 2936b97fe42fb5713595a1559b91d568ccddb04a Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 1 Sep 2020 10:04:28 +0200 -Subject: [PATCH] Fix #79971: special character is breaking the path in xml +Subject: [PATCH 1/2] Fix #79971: special character is breaking the path in xml function The libxml based XML functions accepting a filename actually accept URIs with possibly percent-encoded characters. Percent-encoded NUL bytes lead to truncation, like non-encoded NUL bytes would. We catch those, and let the functions fail with a respective warning. + +(cherry picked from commit f15f8fc573eb38c3c73e23e0930063a6f6409ed4) --- ext/dom/domimplementation.c | 5 +++++ ext/dom/tests/bug79971_2.phpt | 20 ++++++++++++++++++++ @@ -20,10 +22,10 @@ those, and let the functions fail with a respective warning. create mode 100644 ext/simplexml/tests/bug79971_1.xml diff --git a/ext/dom/domimplementation.c b/ext/dom/domimplementation.c -index c6629c85e965..6f59f9c7c89f 100644 +index 28e35eb785..f4d1358b8e 100644 --- a/ext/dom/domimplementation.c 
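Review bot: `is_userinfo_valid` in logical_filters.c passes `*p`, a plain `char`, to `isalpha`/`isdigit`/`isxdigit`; for a non-ASCII byte in the userinfo that value is negative, which is undefined behaviour for the ctype functions, so the tests should read `isalpha((unsigned char)*p)` and likewise for the other calls. The percent-encoding branch also accepts only `isdigit(*(p+1))` for the first hex digit, so a well-formed escape such as `%C3%A9` makes FILTER_VALIDATE_URL reject the URL while `%41` passes; if that is not intended, `isxdigit` belongs in both positions. `p - str <= len - 3` mixes a `ptrdiff_t` with a `size_t` and wraps when `len < 3`; the NUL terminator keeps the following reads in bounds for a trailing `%`, but `p - str + 3 <= len` states the intent without relying on that. The loop header's `p - str < len` has the same signed/unsigned mix and would be cleaner as `(size_t)(p - str) < len`.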
+++ b/ext/dom/domimplementation.c -@@ -112,6 +112,11 @@ PHP_METHOD(domimplementation, createDocumentType) +@@ -114,6 +114,11 @@ PHP_METHOD(domimplementation, createDocumentType) pch2 = (xmlChar *) systemid; } @@ -37,7 +39,7 @@ index c6629c85e965..6f59f9c7c89f 100644 localname = xmlStrdup((xmlChar *) uri->opaque); diff --git a/ext/dom/tests/bug79971_2.phpt b/ext/dom/tests/bug79971_2.phpt new file mode 100644 -index 000000000000..c4e6b1e4e093 +index 0000000000..c4e6b1e4e0 --- /dev/null +++ b/ext/dom/tests/bug79971_2.phpt @@ -0,0 +1,20 @@ @@ -62,10 +64,10 @@ index 000000000000..c4e6b1e4e093 +Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d +bool(false) diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c -index 2be6a5b47a06..72ceea63274c 100644 +index c871cb89bd..da553d64ee 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c -@@ -306,6 +306,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char +@@ -308,6 +308,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char int isescaped=0; xmlURI *uri; @@ -76,7 +78,7 @@ index 2be6a5b47a06..72ceea63274c 100644 uri = xmlParseURI(filename); if (uri && (uri->scheme == NULL || -@@ -437,6 +441,11 @@ php_libxml_output_buffer_create_filename(const char *URI, +@@ -438,6 +442,11 @@ php_libxml_output_buffer_create_filename(const char *URI, if (URI == NULL) return(NULL); @@ -90,7 +92,7 @@ index 2be6a5b47a06..72ceea63274c 100644 if (puri->scheme != NULL) diff --git a/ext/simplexml/tests/bug79971_1.phpt b/ext/simplexml/tests/bug79971_1.phpt new file mode 100644 -index 000000000000..197776d82d38 +index 0000000000..197776d82d --- /dev/null +++ b/ext/simplexml/tests/bug79971_1.phpt @@ -0,0 +1,27 @@ @@ -123,9 +125,43 @@ index 000000000000..197776d82d38 +bool(false) 
diff --git a/ext/simplexml/tests/bug79971_1.xml b/ext/simplexml/tests/bug79971_1.xml new file mode 100644 -index 000000000000..912bb76d9d7e +index 0000000000..912bb76d9d --- /dev/null +++ b/ext/simplexml/tests/bug79971_1.xml @@ -0,0 +1,2 @@ + + +-- +2.31.1 + +From c032381da0bfb6457aa9cfa7a430790f6eab8178 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 15 Nov 2021 09:05:33 +0100 +Subject: [PATCH 2/2] NEWS + +--- + NEWS | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index e5ecd3865a..2177c64aef 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,7 +1,13 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + +-Backported from 7.4.25 ++Backported from 7.3.33 ++ ++- XML: ++ . Fix #79971: special character is breaking the path in xml function. ++ (CVE-2021-21707) (cmb) ++ ++Backported from 7.3.32 + + - FPM: + . Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege +-- +2.31.1 + diff --git a/php-bug80672.patch b/php-bug80672.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f63aab0d00f182069048ba40c91e16da9800aa1 --- /dev/null +++ b/php-bug80672.patch 
@@ -0,0 +1,237 @@ +From f1e2cfa008d1596251968d13eb9a8539dba6879f Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 31 Jan 2021 21:15:23 -0800 +Subject: [PATCH 1/2] Fix bug #80672 - Null Dereference in SoapClient + +(cherry picked from commit 3c939e3f69955d087e0bb671868f7267dfb2a502) +--- + NEWS | 5 +++++ + ext/soap/php_sdl.c | 26 ++++++++++++++------------ + ext/soap/php_xml.c | 4 ++-- + ext/soap/tests/bug80672.phpt | 15 +++++++++++++++ + ext/soap/tests/bug80672.xml | 6 ++++++ + 5 files changed, 42 insertions(+), 14 deletions(-) + create mode 100644 ext/soap/tests/bug80672.phpt + create mode 100644 ext/soap/tests/bug80672.xml + +diff --git a/NEWS b/NEWS +index 7f2d588c4d..884285f05f 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,11 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.3.27 ++ ++- SOAP: ++ . Fixed bug #80672 (Null Dereference in SoapClient). (CVE-2021-21702) (cmb, Stas) ++ + Backported from 7.3.26 + + - Standard: +diff --git a/ext/soap/php_sdl.c b/ext/soap/php_sdl.c +index d16056e4a3..b8d40f0cfe 100644 +--- a/ext/soap/php_sdl.c ++++ b/ext/soap/php_sdl.c +@@ -314,6 +314,8 @@ void sdl_restore_uri_credentials(sdlCtx *ctx) + ctx->context = NULL; + } + ++#define SAFE_STR(a) ((a)?a:"") ++ + static void load_wsdl_ex(zval *this_ptr, char *struri, sdlCtx *ctx, int include) + { + sdlPtr tmpsdl = ctx->sdl; +@@ -375,7 +377,7 @@ static void load_wsdl_ex(zval *this_ptr, char *struri, sdlCtx *ctx, int include) + if (node_is_equal_ex(trav2, "schema", XSD_NAMESPACE)) { + load_schema(ctx, trav2); + } else if (is_wsdl_element(trav2) && !node_is_equal(trav2,"documentation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav2->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav2->name)); + } + trav2 = trav2->next; + } +@@ -436,7 +438,7 @@ static void load_wsdl_ex(zval *this_ptr, char *struri, sdlCtx *ctx, int include) + 
soap_error0(E_ERROR, "Parsing WSDL: has no name attribute"); + } + } else if (!node_is_equal(trav,"documentation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav->name)); + } + trav = trav->next; + } +@@ -546,7 +548,7 @@ static sdlSoapBindingFunctionHeaderPtr wsdl_soap_binding_header(sdlCtx* ctx, xml + } + smart_str_free(&key); + } else if (is_wsdl_element(trav) && !node_is_equal(trav,"documentation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav->name)); + } + trav = trav->next; + } +@@ -648,7 +650,7 @@ static void wsdl_soap_binding_body(sdlCtx* ctx, xmlNodePtr node, char* wsdl_soap + } + smart_str_free(&key); + } else if (is_wsdl_element(trav) && !node_is_equal(trav,"documentation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav->name)); + } + trav = trav->next; + } +@@ -680,14 +682,14 @@ static HashTable* wsdl_message(sdlCtx *ctx, xmlChar* message_name) + sdlParamPtr param; + + if (trav->ns != NULL && strcmp((char*)trav->ns->href, WSDL_NAMESPACE) != 0) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected extensibility element <%s>", trav->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected extensibility element <%s>", SAFE_STR(trav->name)); + } + if (node_is_equal(trav,"documentation")) { + trav = trav->next; + continue; + } + if (!node_is_equal(trav,"part")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav->name)); + } + part = trav; + param = emalloc(sizeof(sdlParam)); +@@ -696,7 +698,7 @@ static HashTable* wsdl_message(sdlCtx *ctx, xmlChar* message_name) + + name = 
get_attribute(part->properties, "name"); + if (name == NULL) { +- soap_error1(E_ERROR, "Parsing WSDL: No name associated with '%s'", message->name); ++ soap_error1(E_ERROR, "Parsing WSDL: No name associated with '%s'", SAFE_STR(message->name)); + } + + param->paramName = estrdup((char*)name->children->content); +@@ -765,7 +767,7 @@ static sdlPtr load_wsdl(zval *this_ptr, char *struri) + continue; + } + if (!node_is_equal(trav,"port")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav->name)); + } + + port = trav; +@@ -804,7 +806,7 @@ static sdlPtr load_wsdl(zval *this_ptr, char *struri) + } + } + if (trav2 != address && is_wsdl_element(trav2) && !node_is_equal(trav2,"documentation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav2->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav2->name)); + } + trav2 = trav2->next; + } +@@ -906,7 +908,7 @@ static sdlPtr load_wsdl(zval *this_ptr, char *struri) + continue; + } + if (!node_is_equal(trav2,"operation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav2->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav2->name)); + } + + operation = trav2; +@@ -925,7 +927,7 @@ static sdlPtr load_wsdl(zval *this_ptr, char *struri) + !node_is_equal(trav3,"output") && + !node_is_equal(trav3,"fault") && + !node_is_equal(trav3,"documentation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", trav3->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav3->name)); + } + trav3 = trav3->next; + } +@@ -1103,7 +1105,7 @@ static sdlPtr load_wsdl(zval *this_ptr, char *struri) + } + } + } else if (is_wsdl_element(trav) && !node_is_equal(trav,"documentation")) { +- soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", 
trav->name); ++ soap_error1(E_ERROR, "Parsing WSDL: Unexpected WSDL element <%s>", SAFE_STR(trav->name)); + } + trav = trav->next; + } +diff --git a/ext/soap/php_xml.c b/ext/soap/php_xml.c +index bf76e237a9..1ac684eb81 100644 +--- a/ext/soap/php_xml.c ++++ b/ext/soap/php_xml.c +@@ -204,7 +204,7 @@ xmlNsPtr node_find_ns(xmlNodePtr node) + + int attr_is_equal_ex(xmlAttrPtr node, char *name, char *ns) + { +- if (name == NULL || strcmp((char*)node->name, name) == 0) { ++ if (name == NULL || ((node->name) && strcmp((char*)node->name, name) == 0)) { + if (ns) { + xmlNsPtr nsPtr = attr_find_ns(node); + if (nsPtr) { +@@ -220,7 +220,7 @@ int attr_is_equal_ex(xmlAttrPtr node, char *name, char *ns) + + int node_is_equal_ex(xmlNodePtr node, char *name, char *ns) + { +- if (name == NULL || strcmp((char*)node->name, name) == 0) { ++ if (name == NULL || ((node->name) && strcmp((char*)node->name, name) == 0)) { + if (ns) { + xmlNsPtr nsPtr = node_find_ns(node); + if (nsPtr) { +diff --git a/ext/soap/tests/bug80672.phpt b/ext/soap/tests/bug80672.phpt +new file mode 100644 +index 0000000000..71e2b1d841 +--- /dev/null ++++ b/ext/soap/tests/bug80672.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #80672 Null Dereference in SoapClient ++--SKIPIF-- ++ ++--FILE-- ++query(array('sXML' => 'something')); ++} catch(SoapFault $e) { ++ print $e->getMessage(); ++} ++?> ++--EXPECTF-- ++SOAP-ERROR: Parsing WSDL: Unexpected WSDL element <> +\ No newline at end of file +diff --git a/ext/soap/tests/bug80672.xml b/ext/soap/tests/bug80672.xml +new file mode 100644 +index 0000000000..0fa185bf1e +--- /dev/null ++++ b/ext/soap/tests/bug80672.xml +@@ -0,0 +1,6 @@ ++ ++ ++ ++ +-- +2.29.2 + +From 02352d5acc1896756dcb4645f54689ffdcc4ca52 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 1 Feb 2021 09:46:17 +0100 +Subject: [PATCH 2/2] Fix build + +(cherry picked from commit e5d767d27f94895e09f0321562fd3774d4656164) +--- + ext/soap/php_sdl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git 
a/ext/soap/php_sdl.c b/ext/soap/php_sdl.c
+index b8d40f0cfe..522db1c979 100644
+--- a/ext/soap/php_sdl.c
++++ b/ext/soap/php_sdl.c
+@@ -314,7 +314,7 @@ void sdl_restore_uri_credentials(sdlCtx *ctx)
+ ctx->context = NULL;
+ }
+
+-#define SAFE_STR(a) ((a)?a:"")
++#define SAFE_STR(a) ((a)?((const char *)a):"")
+
+ static void load_wsdl_ex(zval *this_ptr, char *struri, sdlCtx *ctx, int include)
+ {
+--
+2.29.2
+
diff --git a/php-bug80710.patch b/php-bug80710.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2dd68f07049f6c766a1c749bce8f7c612c31b3d1
--- /dev/null
+++ b/php-bug80710.patch
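Review bot: `wsdl_message()` still dereferences `name->children->content` unconditionally in the `param->paramName = estrdup(...)` line of the `-696,7 +698,7` hunk, right after the `name == NULL` check whose error message this backport hardens; if libxml2 leaves `children` NULL for a zero-length attribute value (a `<part name="">` in an attacker-supplied WSDL — presumably, this needs confirming against the libxml2 version in use), that is another NULL dereference on the same untrusted-input path that CVE-2021-21702 is about. Widening the guard to `if (name == NULL || name->children == NULL || name->children->content == NULL)` keeps the failure on the existing `soap_error1` reporting. The follow-up `SAFE_STR` definition also leaves its second `a` unparenthesized; `((a) ? (const char *)(a) : "")` is the conventional, argument-safe form. `load_wsdl_ex()`, `wsdl_message()` and `load_wsdl()` all begin and end outside the visible inner hunks.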
@@ -0,0 +1,371 @@ +From 9017896cccefe000938f80b49361b1c183849922 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Fri, 5 Feb 2021 22:51:41 +0100 +Subject: [PATCH 1/2] Fix #80710: imap_mail_compose() header injection + +Like `mail()` and `mb_send_mail()`, `imap_mail_compose()` must prevent +header injection. For maximum backward compatibility, we still allow +header folding for general headers, and still accept trailing line +breaks for address lists. + +(cherry picked from commit 37962c61d29794645ec45d45d78123382d82c2e5) +--- + ext/imap/php_imap.c | 56 ++++++++++++++++++++++++++++++++++ + ext/imap/tests/bug80710_1.phpt | 37 ++++++++++++++++++++++ + ext/imap/tests/bug80710_2.phpt | 37 ++++++++++++++++++++++ + 3 files changed, 130 insertions(+) + create mode 100644 ext/imap/tests/bug80710_1.phpt + create mode 100644 ext/imap/tests/bug80710_2.phpt + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index 37eb5e1296..9cac2264fb 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -3528,6 +3528,23 @@ PHP_FUNCTION(imap_fetch_overview) + } + /* }}} */ + ++static zend_bool header_injection(zend_string *str, zend_bool adrlist) ++{ ++ char *p = ZSTR_VAL(str); ++ ++ while ((p = strpbrk(p, "\r\n")) != NULL) { ++ if (!(p[0] == '\r' && p[1] == '\n') ++ /* adrlists do not support folding, but swallow trailing line breaks */ ++ && !((adrlist && p[1] == '\0') ++ /* other headers support folding */ ++ || !adrlist && (p[1] == ' ' || p[1] == '\t'))) { ++ return 1; ++ } ++ p++; ++ } ++ return 0; ++} ++ + /* {{{ proto string imap_mail_compose(array envelope, array body) + Create a MIME message based on given envelope and body sections */ + PHP_FUNCTION(imap_mail_compose) +@@ -3548,6 +3565,13 @@ PHP_FUNCTION(imap_mail_compose) + return; + } + ++#define CHECK_HEADER_INJECTION(zstr, adrlist, header) \ ++ if (header_injection(zstr, adrlist)) { \ ++ php_error_docref(NULL, E_WARNING, "header injection attempt in " header); \ ++ RETVAL_FALSE; \ ++ goto done; \ ++ 
} ++ + #define PHP_RFC822_PARSE_ADRLIST(target, value) \ + str_copy = estrndup(Z_STRVAL_P(value), Z_STRLEN_P(value)); \ + rfc822_parse_adrlist(target, str_copy, "NO HOST"); \ +@@ -3556,46 +3580,57 @@ PHP_FUNCTION(imap_mail_compose) + env = mail_newenvelope(); + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "remail", sizeof("remail") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "remail"); + env->remail = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "return_path", sizeof("return_path") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 1, "return_path"); + PHP_RFC822_PARSE_ADRLIST(&env->return_path, pvalue); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "date", sizeof("date") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "date"); + env->date = (unsigned char*)cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "from", sizeof("from") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 1, "from"); + PHP_RFC822_PARSE_ADRLIST(&env->from, pvalue); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "reply_to", sizeof("reply_to") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 1, "reply_to"); + PHP_RFC822_PARSE_ADRLIST(&env->reply_to, pvalue); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "in_reply_to", sizeof("in_reply_to") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "in_reply_to"); + env->in_reply_to = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "subject", sizeof("subject") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "subject"); + env->subject = cpystr(Z_STRVAL_P(pvalue)); + } + 
if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "to", sizeof("to") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 1, "to"); + PHP_RFC822_PARSE_ADRLIST(&env->to, pvalue); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "cc", sizeof("cc") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 1, "cc"); + PHP_RFC822_PARSE_ADRLIST(&env->cc, pvalue); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "bcc", sizeof("bcc") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 1, "bcc"); + PHP_RFC822_PARSE_ADRLIST(&env->bcc, pvalue); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "message_id", sizeof("message_id") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "message_id"); + env->message_id=cpystr(Z_STRVAL_P(pvalue)); + } + +@@ -3605,6 +3640,7 @@ PHP_FUNCTION(imap_mail_compose) + ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(pvalue), env_data) { + custom_headers_param = mail_newbody_parameter(); + convert_to_string_ex(env_data); ++ CHECK_HEADER_INJECTION(Z_STR_P(env_data), 0, "custom_headers"); + custom_headers_param->value = (char *) fs_get(Z_STRLEN_P(env_data) + 1); + custom_headers_param->attribute = NULL; + memcpy(custom_headers_param->value, Z_STRVAL_P(env_data), Z_STRLEN_P(env_data) + 1); +@@ -3637,6 +3673,7 @@ PHP_FUNCTION(imap_mail_compose) + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "charset", sizeof("charset") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body charset"); + tmp_param = mail_newbody_parameter(); + tmp_param->value = cpystr(Z_STRVAL_P(pvalue)); + tmp_param->attribute = cpystr("CHARSET"); +@@ -3647,9 +3684,11 @@ PHP_FUNCTION(imap_mail_compose) + if(Z_TYPE_P(pvalue) == IS_ARRAY) { + disp_param = tmp_param = NULL; + ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { ++ 
CHECK_HEADER_INJECTION(key, 0, "body disposition key"); + disp_param = mail_newbody_parameter(); + disp_param->attribute = cpystr(ZSTR_VAL(key)); + convert_to_string_ex(disp_data); ++ CHECK_HEADER_INJECTION(Z_STR_P(disp_data), 0, "body disposition value"); + disp_param->value = (char *) fs_get(Z_STRLEN_P(disp_data) + 1); + memcpy(disp_param->value, Z_STRVAL_P(disp_data), Z_STRLEN_P(disp_data) + 1); + disp_param->next = tmp_param; +@@ -3660,18 +3699,22 @@ PHP_FUNCTION(imap_mail_compose) + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "subtype", sizeof("subtype") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body subtype"); + bod->subtype = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "id", sizeof("id") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body id"); + bod->id = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "description", sizeof("description") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body description"); + bod->description = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "disposition.type", sizeof("disposition.type") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body disposition.type"); + bod->disposition.type = (char *) fs_get(Z_STRLEN_P(pvalue) + 1); + memcpy(bod->disposition.type, Z_STRVAL_P(pvalue), Z_STRLEN_P(pvalue)+1); + } +@@ -3679,9 +3722,11 @@ PHP_FUNCTION(imap_mail_compose) + if (Z_TYPE_P(pvalue) == IS_ARRAY) { + disp_param = tmp_param = NULL; + ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { ++ CHECK_HEADER_INJECTION(key, 0, "body type.parameters key"); + disp_param = mail_newbody_parameter(); + disp_param->attribute = cpystr(ZSTR_VAL(key)); + convert_to_string_ex(disp_data); ++ 
CHECK_HEADER_INJECTION(Z_STR_P(disp_data), 0, "body type.parameters value"); + disp_param->value = (char *) fs_get(Z_STRLEN_P(disp_data) + 1); + memcpy(disp_param->value, Z_STRVAL_P(disp_data), Z_STRLEN_P(disp_data) + 1); + disp_param->next = tmp_param; +@@ -3710,6 +3755,7 @@ PHP_FUNCTION(imap_mail_compose) + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "md5", sizeof("md5") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body md5"); + bod->md5 = cpystr(Z_STRVAL_P(pvalue)); + } + } else if (Z_TYPE_P(data) == IS_ARRAY) { +@@ -3740,6 +3786,7 @@ PHP_FUNCTION(imap_mail_compose) + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "charset", sizeof("charset") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body charset"); + tmp_param = mail_newbody_parameter(); + tmp_param->value = (char *) fs_get(Z_STRLEN_P(pvalue) + 1); + memcpy(tmp_param->value, Z_STRVAL_P(pvalue), Z_STRLEN_P(pvalue) + 1); +@@ -3751,9 +3798,11 @@ PHP_FUNCTION(imap_mail_compose) + if (Z_TYPE_P(pvalue) == IS_ARRAY) { + disp_param = tmp_param = NULL; + ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { ++ CHECK_HEADER_INJECTION(key, 0, "body type.parameters key"); + disp_param = mail_newbody_parameter(); + disp_param->attribute = cpystr(ZSTR_VAL(key)); + convert_to_string_ex(disp_data); ++ CHECK_HEADER_INJECTION(Z_STR_P(disp_data), 0, "body type.parameters value"); + disp_param->value = (char *)fs_get(Z_STRLEN_P(disp_data) + 1); + memcpy(disp_param->value, Z_STRVAL_P(disp_data), Z_STRLEN_P(disp_data) + 1); + disp_param->next = tmp_param; +@@ -3764,18 +3813,22 @@ PHP_FUNCTION(imap_mail_compose) + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "subtype", sizeof("subtype") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body subtype"); + bod->subtype = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = 
zend_hash_str_find(Z_ARRVAL_P(data), "id", sizeof("id") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body id"); + bod->id = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "description", sizeof("description") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body description"); + bod->description = cpystr(Z_STRVAL_P(pvalue)); + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "disposition.type", sizeof("disposition.type") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body disposition.type"); + bod->disposition.type = (char *) fs_get(Z_STRLEN_P(pvalue) + 1); + memcpy(bod->disposition.type, Z_STRVAL_P(pvalue), Z_STRLEN_P(pvalue)+1); + } +@@ -3783,9 +3836,11 @@ PHP_FUNCTION(imap_mail_compose) + if (Z_TYPE_P(pvalue) == IS_ARRAY) { + disp_param = tmp_param = NULL; + ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { ++ CHECK_HEADER_INJECTION(key, 0, "body disposition key"); + disp_param = mail_newbody_parameter(); + disp_param->attribute = cpystr(ZSTR_VAL(key)); + convert_to_string_ex(disp_data); ++ CHECK_HEADER_INJECTION(Z_STR_P(disp_data), 0, "body disposition value"); + disp_param->value = (char *) fs_get(Z_STRLEN_P(disp_data) + 1); + memcpy(disp_param->value, Z_STRVAL_P(disp_data), Z_STRLEN_P(disp_data) + 1); + disp_param->next = tmp_param; +@@ -3814,6 +3869,7 @@ PHP_FUNCTION(imap_mail_compose) + } + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "md5", sizeof("md5") - 1)) != NULL) { + convert_to_string_ex(pvalue); ++ CHECK_HEADER_INJECTION(Z_STR_P(pvalue), 0, "body md5"); + bod->md5 = cpystr(Z_STRVAL_P(pvalue)); + } + } +diff --git a/ext/imap/tests/bug80710_1.phpt b/ext/imap/tests/bug80710_1.phpt +new file mode 100644 +index 0000000000..5cdee03401 +--- /dev/null ++++ b/ext/imap/tests/bug80710_1.phpt +@@ -0,0 +1,37 @@ ++--TEST-- ++Bug #80710 
(imap_mail_compose() header injection) - MIME Splitting Attack ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++Warning: imap_mail_compose(): header injection attempt in from in %s on line %d +diff --git a/ext/imap/tests/bug80710_2.phpt b/ext/imap/tests/bug80710_2.phpt +new file mode 100644 +index 0000000000..b9f2fa8544 +--- /dev/null ++++ b/ext/imap/tests/bug80710_2.phpt +@@ -0,0 +1,37 @@ ++--TEST-- ++Bug #80710 (imap_mail_compose() header injection) - Remail ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++Warning: imap_mail_compose(): header injection attempt in remail in %s on line %d +-- +2.30.2 + +From f16c623ec8ae3f3cdc73ab3fa05ae6bb0a77d1f3 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 27 Apr 2021 13:38:39 +0200 +Subject: [PATCH 2/2] Add missing NEWS entry for #80710 + +(cherry picked from commit 60a68a45c3e9f63585151221e7fe9ddff78bd71f) +--- + NEWS | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/NEWS b/NEWS +index 884285f05f..e331598176 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,11 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.3.28 ++ ++- Imap: ++ . Fixed bug #80710 (imap_mail_compose() header injection). (cmb, Stas) ++ + Backported from 7.3.27 + + - SOAP: +-- +2.30.2 + diff --git a/backport-CVE-2021-21703.patch b/php-bug81026.patch similarity index 85% rename from backport-CVE-2021-21703.patch rename to php-bug81026.patch index 4f6ab66e6ad07a16f8d380eaa42d479cdf778d3f..3bb8cc76a841ffa94d29f69821e058976a8d2f41 100644 --- a/backport-CVE-2021-21703.patch +++ b/php-bug81026.patch @@ -1,13 +1,14 @@ -From cb2021e5f69da5e2868130a05bb53db0f9f89e4b Mon Sep 17 00:00:00 2001 +From 7e7f808fbc9a6a5d2eabdd9e7cb058a61f439aee Mon Sep 17 00:00:00 2001 
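Review bot: `header_injection()` mixes `&&` and `||` without parentheses in its accept condition (the `!((adrlist && p[1] == '\0') || !adrlist && (p[1] == ' ' || p[1] == '\t'))` line), which reads ambiguously for a security check and trips `-Wparentheses`; writing it as `|| (!adrlist && (p[1] == ' ' || p[1] == '\t'))` states the intended grouping without changing it. The new `CHECK_HEADER_INJECTION(key, 0, "body disposition key")` and `"body type.parameters key"` calls pass the foreach key straight into `ZSTR_VAL()`; as far as I recall `ZEND_HASH_FOREACH_STR_KEY_VAL` yields a NULL `key` for integer-indexed entries, so an array such as `[0 => 'x']` would now crash inside the check rather than at the pre-existing `cpystr(ZSTR_VAL(key))` — an explicit `if (key == NULL) { ... goto done; }` with a warning before the check would close that. Because the macro expands to a bare `if` containing a `goto done`, the usual `do { ... } while (0)` wrapper would also make it safe to use in an unbraced `if`/`else`. The body of `imap_mail_compose()` and its `done:` cleanup label lie outside the visible lines, so I could not confirm what the early exit releases.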
From: Jakub Zelenka Date: Sat, 2 Oct 2021 22:53:41 +0100 -Subject: [PATCH] Fix bug #81026 (PHP-FPM oob R/W in root process leading to - priv escalation) +Subject: [PATCH 1/2] Fix bug #81026 (PHP-FPM oob R/W in root process leading + to priv escalation) The main change is to store scoreboard procs directly to the variable sized array rather than indirectly through the pointer. Signed-off-by: Stanislav Malyshev +(cherry picked from commit cb2021e5f69da5e2868130a05bb53db0f9f89e4b) --- sapi/fpm/fpm/fpm_children.c | 14 ++--- sapi/fpm/fpm/fpm_request.c | 4 +- @@ -18,10 +19,10 @@ Signed-off-by: Stanislav Malyshev 6 files changed, 81 insertions(+), 60 deletions(-) diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c -index fd121372f37c..912f77c11aa7 100644 +index eed0c6757a..05513f0084 100644 --- a/sapi/fpm/fpm/fpm_children.c +++ b/sapi/fpm/fpm/fpm_children.c -@@ -246,7 +246,7 @@ void fpm_children_bury() /* {{{ */ +@@ -243,7 +243,7 @@ void fpm_children_bury() /* {{{ */ fpm_child_unlink(child); @@ -30,7 +31,7 @@ index fd121372f37c..912f77c11aa7 100644 fpm_clock_get(&tv1); -@@ -256,9 +256,9 @@ void fpm_children_bury() /* {{{ */ +@@ -253,9 +253,9 @@ void fpm_children_bury() /* {{{ */ if (!fpm_pctl_can_spawn_children()) { severity = ZLOG_DEBUG; } @@ -42,7 +43,7 @@ index fd121372f37c..912f77c11aa7 100644 } fpm_child_close(child, 1 /* in event_loop */); -@@ -324,7 +324,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / +@@ -321,7 +321,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / return 0; } @@ -51,7 +52,7 @@ index fd121372f37c..912f77c11aa7 100644 fpm_stdio_discard_pipes(c); fpm_child_free(c); return 0; -@@ -336,7 +336,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / +@@ -333,7 +333,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / static void fpm_resources_discard(struct fpm_child_s *child) /* {{{ */ { 
@@ -60,7 +61,7 @@ index fd121372f37c..912f77c11aa7 100644 fpm_stdio_discard_pipes(child); fpm_child_free(child); } -@@ -349,10 +349,10 @@ static void fpm_child_resources_use(struct fpm_child_s *child) /* {{{ */ +@@ -346,10 +346,10 @@ static void fpm_child_resources_use(struct fpm_child_s *child) /* {{{ */ if (wp == child->wp) { continue; } @@ -74,10 +75,10 @@ index fd121372f37c..912f77c11aa7 100644 fpm_child_free(child); } diff --git a/sapi/fpm/fpm/fpm_request.c b/sapi/fpm/fpm/fpm_request.c -index c80aa144628f..0a6f6a7cfbf0 100644 +index a4ace85310..deaccf432a 100644 --- a/sapi/fpm/fpm/fpm_request.c +++ b/sapi/fpm/fpm/fpm_request.c -@@ -285,7 +285,7 @@ int fpm_request_is_idle(struct fpm_child_s *child) /* {{{ */ +@@ -286,7 +286,7 @@ int fpm_request_is_idle(struct fpm_child_s *child) /* {{{ */ struct fpm_scoreboard_proc_s *proc; /* no need in atomicity here */ @@ -86,7 +87,7 @@ index c80aa144628f..0a6f6a7cfbf0 100644 if (!proc) { return 0; } -@@ -300,7 +300,7 @@ int fpm_request_last_activity(struct fpm_child_s *child, struct timeval *tv) /* +@@ -301,7 +301,7 @@ int fpm_request_last_activity(struct fpm_child_s *child, struct timeval *tv) /* if (!tv) return -1; @@ -96,10 +97,10 @@ index c80aa144628f..0a6f6a7cfbf0 100644 return -1; } diff --git a/sapi/fpm/fpm/fpm_scoreboard.c b/sapi/fpm/fpm/fpm_scoreboard.c -index 328f999f0c9b..7e9da4d6848a 100644 +index 7a65fcbeb7..091efdc574 100644 --- a/sapi/fpm/fpm/fpm_scoreboard.c +++ b/sapi/fpm/fpm/fpm_scoreboard.c -@@ -6,6 +6,7 @@ +@@ -7,6 +7,7 @@ #include #include "fpm_config.h" @@ -107,7 +108,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 #include "fpm_scoreboard.h" #include "fpm_shm.h" #include "fpm_sockets.h" -@@ -23,7 +24,6 @@ static float fpm_scoreboard_tick; +@@ -24,7 +25,6 @@ static float fpm_scoreboard_tick; int fpm_scoreboard_init_main() /* {{{ */ { struct fpm_worker_pool_s *wp; 
@@ -115,7 +116,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 #ifdef HAVE_TIMES #if (defined(HAVE_SYSCONF) && defined(_SC_CLK_TCK)) -@@ -40,7 +40,7 @@ int fpm_scoreboard_init_main() /* {{{ */ +@@ -41,7 +41,7 @@ int fpm_scoreboard_init_main() /* {{{ */ for (wp = fpm_worker_all_pools; wp; wp = wp->next) { @@ -124,7 +125,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 void *shm_mem; if (wp->config->pm_max_children < 1) { -@@ -53,22 +53,15 @@ int fpm_scoreboard_init_main() /* {{{ */ +@@ -54,22 +54,15 @@ int fpm_scoreboard_init_main() /* {{{ */ return -1; } @@ -151,7 +152,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 wp->scoreboard->start_epoch = time(NULL); strlcpy(wp->scoreboard->pool, wp->config->name, sizeof(wp->scoreboard->pool)); } -@@ -162,28 +155,48 @@ struct fpm_scoreboard_s *fpm_scoreboard_get() /* {{{*/ +@@ -163,28 +156,48 @@ struct fpm_scoreboard_s *fpm_scoreboard_get() /* {{{*/ } /* }}} */ @@ -207,7 +208,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 struct fpm_scoreboard_s *fpm_scoreboard_acquire(struct fpm_scoreboard_s *scoreboard, int nohang) /* {{{ */ { struct fpm_scoreboard_s *s; -@@ -234,28 +247,28 @@ void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc) /* {{{ */ +@@ -235,28 +248,28 @@ void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc) /* {{{ */ proc->lock = 0; } @@ -226,7 +227,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 - scoreboard_size = sizeof(struct fpm_scoreboard_s) + (scoreboard->nprocs) * sizeof(struct fpm_scoreboard_proc_s *); - scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * scoreboard->nprocs; + scoreboard_procs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children; - + - fpm_shm_free(scoreboard, scoreboard_size + scoreboard_nprocs_size); + fpm_shm_free(scoreboard, sizeof(struct fpm_scoreboard_s) + scoreboard_procs_size); } 
@@ -245,7 +246,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 if (!proc) { return; } -@@ -264,18 +277,22 @@ void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_ind +@@ -265,18 +278,22 @@ void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_ind } /* }}} */ @@ -272,7 +273,7 @@ index 328f999f0c9b..7e9da4d6848a 100644 } /* set this slot as free to avoid search on next alloc */ -@@ -283,41 +300,44 @@ void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_ind +@@ -284,41 +301,44 @@ void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_ind } /* }}} */ @@ -328,10 +329,10 @@ index 328f999f0c9b..7e9da4d6848a 100644 } else { scoreboard->free_proc = i + 1; diff --git a/sapi/fpm/fpm/fpm_scoreboard.h b/sapi/fpm/fpm/fpm_scoreboard.h -index 1fecde1d0feb..9d5981e1c739 100644 +index abce616d76..6405abb7cf 100644 --- a/sapi/fpm/fpm/fpm_scoreboard.h +++ b/sapi/fpm/fpm/fpm_scoreboard.h -@@ -63,7 +63,7 @@ struct fpm_scoreboard_s { +@@ -64,7 +64,7 @@ struct fpm_scoreboard_s { unsigned int nprocs; int free_proc; unsigned long int slow_rq; @@ -340,7 +341,7 @@ index 1fecde1d0feb..9d5981e1c739 100644 }; int fpm_scoreboard_init_main(); -@@ -72,18 +72,19 @@ int fpm_scoreboard_init_child(struct fpm_worker_pool_s *wp); +@@ -73,18 +73,19 @@ int fpm_scoreboard_init_child(struct fpm_worker_pool_s *wp); void fpm_scoreboard_update(int idle, int active, int lq, int lq_len, int requests, int max_children_reached, int slow_rq, int action, struct fpm_scoreboard_s *scoreboard); struct fpm_scoreboard_s *fpm_scoreboard_get(); struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s *scoreboard, int child_index); @@ -365,10 +366,10 @@ index 1fecde1d0feb..9d5981e1c739 100644 #ifdef HAVE_TIMES float fpm_scoreboard_get_tick(); diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c -index 36d224063583..de8db9d61a25 100644 +index 1d78ebf849..45852a5b39 100644 --- a/sapi/fpm/fpm/fpm_status.c 
+++ b/sapi/fpm/fpm/fpm_status.c -@@ -498,10 +498,10 @@ int fpm_status_handle_request(void) /* {{{ */ +@@ -402,10 +402,10 @@ int fpm_status_handle_request(void) /* {{{ */ first = 1; for (i=0; inprocs; i++) { @@ -382,10 +383,10 @@ index 36d224063583..de8db9d61a25 100644 if (first) { first = 0; diff --git a/sapi/fpm/fpm/fpm_worker_pool.c b/sapi/fpm/fpm/fpm_worker_pool.c -index d04528f4e0d0..65a9b226b1ae 100644 +index 90e155975e..96b7ca50fc 100644 --- a/sapi/fpm/fpm/fpm_worker_pool.c +++ b/sapi/fpm/fpm/fpm_worker_pool.c -@@ -54,7 +54,7 @@ static void fpm_worker_pool_cleanup(int which, void *arg) /* {{{ */ +@@ -43,7 +43,7 @@ static void fpm_worker_pool_cleanup(int which, void *arg) /* {{{ */ fpm_worker_pool_config_free(wp->config); fpm_children_free(wp->children); if ((which & FPM_CLEANUP_CHILD) == 0 && fpm_globals.parent_pid == getpid()) { @@ -394,3 +395,35 @@ index d04528f4e0d0..65a9b226b1ae 100644 } fpm_worker_pool_free(wp); } +-- +2.31.1 + +From b84a7a8c2db91714bfb2894894e61758189983df Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 20 Oct 2021 14:06:59 +0200 +Subject: [PATCH 2/2] NEWS + +--- + NEWS | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/NEWS b/NEWS +index 1e8a7c7903..b8b1849134 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.4.25 ++ ++- FPM: ++ . Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege ++ escalation) (CVE-2021-21703). (Jakub Zelenka) ++ + Backported from 7.3.30 + + - Phar: +-- +2.31.1 + diff --git a/backport-0001-CVE-2021-21705.patch b/php-bug81122.patch similarity index 55% rename from backport-0001-CVE-2021-21705.patch rename to php-bug81122.patch index acf35bafd45d6edb876ec4630cd0cb937246f667..a5341393dbc60a74dcdebdcf4e774d11f909affd 100644 --- a/backport-0001-CVE-2021-21705.patch +++ b/php-bug81122.patch 
@@ -1,10 +1,12 @@ -From a5538c62293fa782fcc382d0635cfc0c8b9190e3 Mon Sep 17 00:00:00 2001 +From 34e7f97cf67a8e2e0dd6675e4d82c0f8be7ad77f Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 14 Jun 2021 13:22:27 +0200 -Subject: [PATCH] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL +Subject: [PATCH 1/7] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL We need to ensure that the password detected by parse_url() is actually a valid password; we can re-use is_userinfo_valid() for that. + +(cherry picked from commit a5538c62293fa782fcc382d0635cfc0c8b9190e3) --- ext/filter/logical_filters.c | 4 +++- ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++ @@ -12,10 +14,10 @@ a valid password; we can re-use is_userinfo_valid() for that. create mode 100644 ext/filter/tests/bug81122.phpt diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c -index 1cf345dbb58a..3f314fefa0e1 100644 +index ad0956a505..7ddf44cff0 100644 --- a/ext/filter/logical_filters.c +++ b/ext/filter/logical_filters.c -@@ -609,7 +609,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ +@@ -587,7 +587,9 @@ bad_url: RETURN_VALIDATION_FAILED } @@ -28,7 +30,7 @@ index 1cf345dbb58a..3f314fefa0e1 100644 diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt new file mode 100644 -index 000000000000..d89d4114a547 +index 0000000000..d89d4114a5 --- /dev/null +++ b/ext/filter/tests/bug81122.phpt @@ -0,0 +1,21 @@ 
@@ -54,5 +56,33 @@ index 000000000000..d89d4114a547 +bool(false) +bool(false) -- -2.27.0 +2.31.1 + +From 84d1d39e26520ae131a6ac14891c836adc969ad5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 27 Jun 2021 21:57:58 -0700 +Subject: [PATCH 2/7] Fix warning + +(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef) +--- + ext/filter/logical_filters.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index 7ddf44cff0..6894fa2551 100644 +--- a/ext/filter/logical_filters.c ++++ b/ext/filter/logical_filters.c +@@ -587,8 +587,8 @@ bad_url: + RETURN_VALIDATION_FAILED + } + +- if (url->user != NULL && !is_userinfo_valid(url->user) +- || url->pass != NULL && !is_userinfo_valid(url->pass) ++ if ((url->user != NULL && !is_userinfo_valid(url->user)) ++ || (url->pass != NULL && !is_userinfo_valid(url->pass)) + ) { + php_url_free(url); + RETURN_VALIDATION_FAILED +-- +2.31.1 diff --git a/php-bug81211.patch b/php-bug81211.patch new file mode 100644 index 0000000000000000000000000000000000000000..1e09d65fccc7448cd970e0289e2541a9c72e63e1 --- /dev/null +++ b/php-bug81211.patch 
@@ -0,0 +1,163 @@ +From 92a270e564ffda7fe825d1472fe567323f137fba Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 23 Aug 2021 13:42:17 +0200 +Subject: [PATCH 1/3] Fix #81211: Symlinks are followed when creating PHAR + archive + +It is insufficient to check whether the `base` is contained in `fname`; +we also need to ensure that `fname` is properly separated. And of +course, `fname` has to start with `base`. + +(cherry picked from commit 2ff853aa113e52637c85e28d1a03df1aa2d747b5) +--- + ext/phar/phar_object.c | 3 +- + ext/phar/tests/bug81211.phpt | 45 +++++++++++++++++++ + .../tests/file/windows_links/common.inc | 9 +++- + 3 files changed, 55 insertions(+), 2 deletions(-) + create mode 100644 ext/phar/tests/bug81211.phpt + +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index 2987b64012..01bdc0596b 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -1440,6 +1440,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */ + zend_class_entry *ce = p_obj->c; + phar_archive_object *phar_obj = p_obj->p; + php_stream_statbuf ssb; ++ char ch; + + value = iter->funcs->get_current_data(iter); + +@@ -1569,7 +1570,7 @@ phar_spl_fileinfo: + base = temp; + base_len = (int)strlen(base); + +- if (strstr(fname, base)) { ++ if (fname_len >= base_len && strncmp(fname, base, base_len) == 0 && ((ch = fname[base_len - IS_SLASH(base[base_len - 1])]) == '\0' || IS_SLASH(ch))) { + str_key_len = fname_len - base_len; + + if (str_key_len <= 0) { +diff --git a/ext/phar/tests/bug81211.phpt b/ext/phar/tests/bug81211.phpt +new file mode 100644 +index 0000000000..43d82143f2 +--- /dev/null ++++ b/ext/phar/tests/bug81211.phpt +@@ -0,0 +1,45 @@ ++--TEST-- ++Bug #81211 (Symlinks are followed when creating PHAR archive) ++--SKIPIF-- ++ ++--FILE-- ++buildFromDirectory(__DIR__ . 
'/bug81211/foo'); ++} catch (UnexpectedValueException $ex) { ++ echo $ex->getMessage(), PHP_EOL; ++} ++try { ++ $archive->buildFromIterator(new RecursiveDirectoryIterator(__DIR__ . '/bug81211/foo', FilesystemIterator::SKIP_DOTS), __DIR__ . '/bug81211/foo'); ++} catch (UnexpectedValueException $ex) { ++ echo $ex->getMessage(), PHP_EOL; ++} ++?> ++--CLEAN-- ++ ++--EXPECTF-- ++Iterator RecursiveIteratorIterator returned a path "%s%ebug81211\foobar\file" that is not in the base directory "%s%ebug81211\foo" ++Iterator RecursiveDirectoryIterator returned a path "%s%ebug81211\foobar\file" that is not in the base directory "%s%ebug81211\foo" +diff --git a/ext/standard/tests/file/windows_links/common.inc b/ext/standard/tests/file/windows_links/common.inc +index 505368b8b0..caa3758d44 100644 +--- a/ext/standard/tests/file/windows_links/common.inc ++++ b/ext/standard/tests/file/windows_links/common.inc +@@ -20,4 +20,11 @@ function get_mountvol() { + return "$sysroot\\System32\\mountvol.exe"; + } + +-?> ++function skipIfSeCreateSymbolicLinkPrivilegeIsDisabled(string $filename) { ++ $ln = "$filename.lnk"; ++ $ret = exec("mklink $ln " . __FILE__ .' 2>&1', $out); ++ @unlink($ln); ++ if (strpos($ret, 'privilege') !== false) { ++ die('skip SeCreateSymbolicLinkPrivilege not enabled'); ++ } ++} +-- +2.31.1 + +From cb376010c6a48c5454c47140dfbdee6f0e48bb12 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 23 Aug 2021 23:43:32 -0700 +Subject: [PATCH 2/3] Fix test + +(cherry picked from commit b815645aac76b494dc119fa6b88de32fa9bcccf1) +--- + ext/phar/tests/bug81211.phpt | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/phar/tests/bug81211.phpt b/ext/phar/tests/bug81211.phpt +index 43d82143f2..96b1401b40 100644 +--- a/ext/phar/tests/bug81211.phpt ++++ b/ext/phar/tests/bug81211.phpt +@@ -41,5 +41,5 @@ try { + @rmdir(__DIR__ . 
'/bug81211'); + ?> + --EXPECTF-- +-Iterator RecursiveIteratorIterator returned a path "%s%ebug81211\foobar\file" that is not in the base directory "%s%ebug81211\foo" +-Iterator RecursiveDirectoryIterator returned a path "%s%ebug81211\foobar\file" that is not in the base directory "%s%ebug81211\foo" ++Iterator RecursiveIteratorIterator returned a path "%s%ebug81211%efoobar%efile" that is not in the base directory "%s%ebug81211%efoo" ++Iterator RecursiveDirectoryIterator returned a path "%s%ebug81211%efoobar%efile" that is not in the base directory "%s%ebug81211%efoo" +-- +2.31.1 + +From 5539cefcda6aca7af220e7be7760a682abb88200 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 25 Aug 2021 15:23:50 +0200 +Subject: [PATCH 3/3] NEWS + +--- + NEWS | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/NEWS b/NEWS +index f083e44dcc..1e8a7c7903 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,11 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.3.30 ++ ++- Phar: ++ . Fixed bug #81211: Symlinks are followed when creating PHAR archive (cmb) ++ + Backported from 7.3.29 + + - Core: +-- +2.31.1 + diff --git a/backport-CVE-2022-31626.patch b/php-bug81719.patch similarity index 34% rename from backport-CVE-2022-31626.patch rename to php-bug81719.patch index 8a0a90e367996475309b19b4208c4c1ed892eb1d..5aa8ab5c87494c7b70c1460d7e7704d834c1e463 100644 --- a/backport-CVE-2022-31626.patch +++ b/php-bug81719.patch @@ -1,21 +1,62 @@ -From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001 +From 1560224d3a26574f0195af3853e4d7e050b0b06f Mon Sep 17 00:00:00 2001 
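Review bot: The new base-directory condition in phar_build() reads `base[base_len - 1]` without guarding `base_len == 0`; `base = temp` and `base_len = (int)strlen(base)` are assigned just above, but nothing in the hunk shows that `base` cannot be empty, so either confirm that invariant or prepend `base_len > 0 &&` to the test. The logic itself is sound — an exact prefix match plus a separator or terminator at `fname[base_len - IS_SLASH(base[base_len - 1])]` is what stops `/foo` from accepting `/foobar/file` — but packed into one line it needs a comment, e.g. `/* fname must start with base and be followed by a separator (or end of string), so "/foo" does not match "/foobar/file" (bug #81211) */`. The `char ch;` declared at the top of the function is only used inside this expression, which is another reason to name the pieces rather than assign inside the condition. phar_build() and the surrounding if/else continue outside the hunk.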
From: Stanislav Malyshev Date: Mon, 6 Jun 2022 00:56:51 -0600 -Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow +Subject: [PATCH 2/3] Fix bug #81719: mysqlnd/pdo password buffer overflow +(cherry picked from commit 58006537fc5f133ae8549efe5118cde418b3ace9) +(cherry picked from commit 9433de72e291db518357fe55531cc15432d43ec4) --- ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) +diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c +index 759b131b63..eb7af323a4 100644 --- a/ext/mysqlnd/mysqlnd_wireprotocol.c 
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c -@@ -794,7 +794,8 @@ php_mysqlnd_change_auth_response_write(v +@@ -794,7 +794,8 @@ php_mysqlnd_change_auth_response_write(void * _packet) MYSQLND_VIO * vio = packet->header.vio; MYSQLND_STATS * stats = packet->header.stats; MYSQLND_CONNECTION_STATE * connection_state = packet->header.connection_state; - zend_uchar * buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len); + size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE; -+ zend_uchar * buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); ++ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size); zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */ DBG_ENTER("php_mysqlnd_change_auth_response_write"); +-- +2.35.3 + +From 87247fb08e905e629836350ac4e639edd1b40ed8 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 7 Jun 2022 09:57:15 +0200 +Subject: [PATCH 3/3] NEWS + +(cherry picked from commit f451082baf14ee9ea86cdd19870e906adb368f02) +--- + NEWS | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/NEWS b/NEWS +index 2177c64aef..8f09ddfee0 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.4.30 ++ ++- mysqlnd: ++ . Fixed bug #81719: mysqlnd/pdo password buffer overflow. ++ (CVE-2022-31626) (c dot fol at ambionics dot io) ++ ++- pgsql ++ . Fixed bug #81720: Uninitialized array in pg_query_params(). ++ (CVE-2022-31625) (cmb) ++ + Backported from 7.3.33 + + - XML: +-- +2.35.3 + 
diff --git a/backport-CVE-2022-31625.patch b/php-bug81720.patch similarity index 61% rename from backport-CVE-2022-31625.patch rename to php-bug81720.patch index 3eafb5a9894924f1877c9e9bde6e50d7fc61a524..3e47b6c23e8b06fca82fb4f9fbe8e85c2d907166 100644 --- a/backport-CVE-2022-31625.patch +++ b/php-bug81720.patch @@ -1,19 +1,24 @@ -From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001 +From 310b17f5c8938389b1dbd7d8ff5a8144bfb9a351 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 17 May 2022 12:59:23 +0200 -Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading - to RCE +Subject: [PATCH 1/3] Fix #81720: Uninitialized array in pg_query_params() + leading to RCE We must not free parameters which we haven't initialized yet. We also fix the not directly related issue, that we checked for the wrong value being `NULL`, potentially causing a segfault. + +(cherry picked from commit 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab) +(cherry picked from commit 6f979c832c861fb32e2dbad5e0cc29edcee7c500) --- - ext/pgsql/pgsql.c | 6 +++--- + ext/pgsql/pgsql.c | 4 ++-- ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++ - 2 files changed, 30 insertions(+), 3 deletions(-) + 2 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 ext/pgsql/tests/bug81720.phpt +diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c +index c97c600b66..8bc7568056 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -1988,7 +1988,7 @@ PHP_FUNCTION(pg_query_params) 
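Review bot: The commit message kept in the renamed patch still says it "also fix[es] the not directly related issue, that we checked for the wrong value being `NULL`", but the backported diffstat shrinks ext/pgsql/pgsql.c from 6 changed lines to 4 (29 insertions, 2 deletions), and the only code changes left are the two `_php_pgsql_free_params(params, num_params)` → `_php_pgsql_free_params(params, i)` hunks in pg_query_params and pg_send_execute (the latter is in the next outer hunk). Either the 7.2 tree does not contain that NULL-check bug, in which case the message should say the hunk was dropped, or the backport is incomplete and the segfault fix the message describes is missing. A one-line trailer such as `(7.2 backport: NULL-check hunk not applicable)` would make that decision auditable later.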
@@ -25,6 +30,18 @@ wrong value being `NULL`, potentially causing a segfault. RETURN_FALSE; } params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val)); +@@ -5188,7 +5188,7 @@ PHP_FUNCTION(pg_send_execute) + if (Z_TYPE(tmp_val) != IS_STRING) { + php_error_docref(NULL, E_WARNING,"Error converting parameter"); + zval_ptr_dtor(&tmp_val); +- _php_pgsql_free_params(params, num_params); ++ _php_pgsql_free_params(params, i); + RETURN_FALSE; + } + params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val)); +diff --git a/ext/pgsql/tests/bug81720.phpt b/ext/pgsql/tests/bug81720.phpt +new file mode 100644 +index 0000000000..d79f1fcdd6 --- /dev/null +++ b/ext/pgsql/tests/bug81720.phpt @@ -0,0 +1,27 @@ @@ -55,3 +72,6 @@ wrong value being `NULL`, potentially causing a segfault. +--EXPECT-- +Object of class stdClass could not be converted to string +Object of class stdClass could not be converted to string +-- +2.35.3 + diff --git a/php-bug81726.patch b/php-bug81726.patch new file mode 100644 index 0000000000000000000000000000000000000000..847ebffdbb79d410f4219a661fc777bde3dfae98 --- /dev/null +++ b/php-bug81726.patch 
@@ -0,0 +1,180 @@ +From 2bdc26af43cdd4376bf8e0fdf532bb12dd35d3dd Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 25 Jul 2022 15:58:59 +0200 +Subject: [PATCH 2/2] Fix #81726: phar wrapper: DOS when using quine gzip file + +The phar wrapper needs to uncompress the file; the uncompressed file +might be compressed, so the wrapper implementation loops. This raises +potential DOS issues regarding too deep or even infinite recursion (the +latter are called compressed file quines[1]). We avoid that by +introducing a recursion limit; we choose the somewhat arbitrary limit +`3`. + +This issue has been reported by real_as3617 and gPayl0ad. + +[1] + +(cherry picked from commit 404e8bdb68350931176a5bdc86fc417b34fb583d) +(cherry picked from commit 96fda78bcddd1d793cf2d0ee463dbb49621b577f) +--- + NEWS | 2 ++ + ext/phar/phar.c | 16 +++++++++++----- + ext/phar/tests/bug81726.gz | Bin 0 -> 204 bytes + ext/phar/tests/bug81726.phpt | 14 ++++++++++++++ + 4 files changed, 27 insertions(+), 5 deletions(-) + create mode 100644 ext/phar/tests/bug81726.gz + create mode 100644 ext/phar/tests/bug81726.phpt + +diff --git a/NEWS b/NEWS +index 90ac6b751b..be8bfd2f98 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,6 +4,8 @@ PHP NEWS + Backported from 7.4.31 + + - Core: ++ . Fixed bug #81726: phar wrapper: DOS when using quine gzip file. ++ (CVE-2022-31628). (cmb) + . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones + that have a specific semantic meaning. (CVE-2022-31629). 
(Derick) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index ba76a9b0e0..52c973d7c4 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1575,7 +1575,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + const char zip_magic[] = "PK\x03\x04"; + const char gz_magic[] = "\x1f\x8b\x08"; + const char bz_magic[] = "BZh"; +- char *pos, test = '\0'; ++ char *pos; ++ int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion + const int window_size = 1024; + char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ + const zend_long readsize = sizeof(buffer) - sizeof(token); +@@ -1603,8 +1604,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)") + } + +- if (!test) { +- test = '\1'; ++ if (recursion_count) { + pos = buffer+tokenlen; + if (!memcmp(pos, gz_magic, 3)) { + char err = 0; +@@ -1664,7 +1664,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + compression = PHAR_FILE_COMPRESSED_GZ; + + /* now, start over */ +- test = '\0'; ++ if (!--recursion_count) { ++ MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\""); ++ break; ++ } + continue; + } else if (!memcmp(pos, bz_magic, 3)) { + php_stream_filter *filter; +@@ -1702,7 +1705,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + compression = PHAR_FILE_COMPRESSED_BZ2; + + /* now, start over */ +- test = '\0'; ++ if (!--recursion_count) { ++ MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\""); ++ break; ++ } + continue; + } + +From 8fad7bf40e1b5bf74f308eb882b1d72987ef539c Mon Sep 17 00:00:00 2001 +From: "Christoph M. 
Becker" +Date: Tue, 27 Sep 2022 17:43:40 +0200 +Subject: [PATCH] Fix regression introduced by fixing bug 81726 + +When a tar phar is created, `phar_open_from_fp()` is also called, but +since the file has just been created, none of the format checks can +succeed, so we continue to loop, but must not check again for the +format. Therefore, we bring back the old `test` variable. + +Closes GH-9620. + +(cherry picked from commit 432bf196d59bcb661fcf9cb7029cea9b43f490af) +--- + ext/phar/phar.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 52c973d7c4..534af318f4 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1575,7 +1575,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + const char zip_magic[] = "PK\x03\x04"; + const char gz_magic[] = "\x1f\x8b\x08"; + const char bz_magic[] = "BZh"; +- char *pos; ++ char *pos, test = '\0'; + int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion + const int window_size = 1024; + char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ +@@ -1604,7 +1604,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)") + } + +- if (recursion_count) { ++ if (!test && recursion_count) { ++ test = '\1'; + pos = buffer+tokenlen; + if (!memcmp(pos, gz_magic, 3)) { + char err = 0; +@@ -1664,6 +1665,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + compression = PHAR_FILE_COMPRESSED_GZ; + + /* now, start over */ ++ test = '\0'; + if (!--recursion_count) { + MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\""); + break; +@@ -1705,6 +1707,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a + compression = PHAR_FILE_COMPRESSED_BZ2; + + /* now, start over */ 
++ test = '\0'; + if (!--recursion_count) { + MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\""); + break; +-- +2.37.3 + +From 9d32d284b25f5df75780911a47b3c23cbaac1761 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Fri, 30 Sep 2022 09:22:14 +0200 +Subject: [PATCH] fix NEWS + +--- + NEWS | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/NEWS b/NEWS +index fe4cb9c484..b7a19aea19 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,14 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + +-Backported from 7.4.31 ++Backported from 7.4.32 + + - Core: +- . Fixed bug #81726: phar wrapper: DOS when using quine gzip file. +- (CVE-2022-31628). (cmb) + . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones + that have a specific semantic meaning. (CVE-2022-31629). (Derick) + ++- Phar: ++ . Fixed bug #81726: phar wrapper: DOS when using quine gzip file. ++ (CVE-2022-31628). (cmb) ++ + Backported from 7.4.30 + + - mysqlnd: diff --git a/php-bug81727.patch b/php-bug81727.patch new file mode 100644 index 0000000000000000000000000000000000000000..74a25eb850e10a46fe121813767837eccc2fab5e --- /dev/null +++ b/php-bug81727.patch 
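Review bot: `int recursion_count = 3` combined with `if (!--recursion_count)` on every decompression rejects the third nested layer, so phar_open_from_fp() accepts at most two gzip/bzip2 layers rather than the "limit 3" the comment and commit message suggest; the comment should state the effective behaviour and use the `/* */` form the rest of the function uses, e.g. `int recursion_count = 3; /* at most two nested gzip/bzip2 layers are unpacked; the third fails (bug #81726) */`. Hitting the limit is reported with the generic "unable to decompress gzipped phar archive" text, which hides the real cause from whoever triages the log; a message naming the nesting limit would be more useful. If MAPPHAR_ALLOC_FAIL() returns from the function, as its unterminated use for the truncated-entry case above suggests, the `break;` after each new call is unreachable — worth confirming. phar_open_from_fp() continues outside the hunk.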
@@ -0,0 +1,81 @@ +From e92c3b23aa13860777dd09106ce309dac49edd13 Mon Sep 17 00:00:00 2001 +From: Derick Rethans +Date: Fri, 9 Sep 2022 16:54:03 +0100 +Subject: [PATCH 1/2] Fix #81727: Don't mangle HTTP variable names that clash + with ones that have a specific semantic meaning. + +(cherry picked from commit 0611be4e82887cee0de6c4cbae320d34eec946ca) +(cherry picked from commit 8b300e157e92b0e945ad813d608f076b5323d721) +--- + NEWS | 6 ++++++ + ext/standard/tests/bug81727.phpt | 15 +++++++++++++++ + main/php_variables.c | 14 ++++++++++++++ + 3 files changed, 35 insertions(+) + create mode 100644 ext/standard/tests/bug81727.phpt + +diff --git a/NEWS b/NEWS +index 8f09ddfee0..90ac6b751b 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.4.31 ++ ++- Core: ++ . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones ++ that have a specific semantic meaning. (CVE-2022-31629). (Derick) ++ + Backported from 7.4.30 + + - mysqlnd: +diff --git a/ext/standard/tests/bug81727.phpt b/ext/standard/tests/bug81727.phpt +new file mode 100644 +index 0000000000..71a9cb46c8 +--- /dev/null ++++ b/ext/standard/tests/bug81727.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #81727: $_COOKIE name starting with ..Host/..Secure should be discarded ++--COOKIE-- ++..Host-test=ignore; __Host-test=correct; . Secure-test=ignore; . 
Elephpant=Awesome; ++--FILE-- ++ ++--EXPECT-- ++array(2) { ++ ["__Host-test"]=> ++ string(7) "correct" ++ ["__Elephpant"]=> ++ string(7) "Awesome" ++} +diff --git a/main/php_variables.c b/main/php_variables.c +index 097c17d32a..bd59134fc9 100644 +--- a/main/php_variables.c ++++ b/main/php_variables.c +@@ -109,6 +109,20 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars + } + var_len = p - var; + ++ /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */ ++ if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) { ++ zval_ptr_dtor_nogc(val); ++ free_alloca(var_orig, use_heap); ++ return; ++ } ++ ++ /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */ ++ if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) { ++ zval_ptr_dtor_nogc(val); ++ free_alloca(var_orig, use_heap); ++ return; ++ } ++ + if (var_len==0) { /* empty variable name, or variable name with a space in it */ + zval_dtor(val); + free_alloca(var_orig, use_heap); +-- +2.37.3 + diff --git a/php.spec b/php.spec index 716a097df99c1780682796a152a820ca34dca14a..ff8ba32458f9ae787b32b613cb0bff34016ef406 100644 --- a/php.spec +++ b/php.spec @@ -21,14 +21,14 @@ %global with_firebird 0 %global with_imap 0 %global with_freetds 0 -%global with_sodium 0 +%global with_sodium 1 %global with_pspell 0 %global with_lmdb 0 -%global upver 7.2.10 +%global upver 7.2.34 Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 20 +Release: 1 Summary: PHP scripting language for creating dynamic web sites License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA LGPL-2.1+ and Apache-2.0 and Artistic-1.0-Perl URL: http://www.php.net/ 
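Review bot: The two new guards in php_register_variable_ex() are identical except for the prefix string, and they release `val` with `zval_ptr_dtor_nogc(val)` while the `var_len==0` path directly below uses `zval_dtor(val)`; whichever is correct for a `val` the function owns should be used in all three places (the upstream cherry-pick chose the former), so the mismatch is worth confirming before this ships. A small helper that loops over the prefixes keeps the check in one place and makes adding a further prefix a one-token change. The test in the same patch documents the mangling (`. Elephpant` arrives as `__Elephpant`), so the helper's comment can state that dots and spaces are rewritten to underscores. php_register_variable_ex() begins and ends outside the hunk.
```c
/* True when `mangled` starts with a cookie prefix (__Host-, __Secure-) that
 * `raw` did not start with, i.e. the prefix was manufactured by rewriting
 * '.' and ' ' in the name to '_'. Such names must be discarded, otherwise a
 * cookie named "..Host-x" would be reported as the trusted "__Host-x". */
static int php_mangled_cookie_prefix(const char *mangled, const char *raw)
{
	static const char *const prefixes[] = { "__Host-", "__Secure-" };
	size_t k;

	for (k = 0; k < sizeof(prefixes) / sizeof(prefixes[0]); k++) {
		size_t plen = strlen(prefixes[k]);
		if (strncmp(mangled, prefixes[k], plen) == 0 && strncmp(raw, prefixes[k], plen) != 0) {
			return 1;
		}
	}
	return 0;
}

/* … unchanged: php_register_variable_ex() up to `var_len = p - var;` … */
	if (php_mangled_cookie_prefix(var, var_name)) {
		zval_ptr_dtor_nogc(val);
		free_alloca(var_orig, use_heap);
		return;
	}
/* … unchanged: the `var_len==0` check and the rest of the function … */
```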
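Review bot: `%global with_sodium` flips from 0 to 1 in this hunk, but the %changelog entry at the end of the spec only records the 7.2.34 rebase and the patch sync, so a build-feature change — and, if the gate does what its name suggests, a new libsodium build dependency and sub-package — goes unrecorded. Add a changelog line such as `- Enable sodium extension (with_sodium 1)`, or keep the flip for a separate change. Resetting Release to 1 with the new upver is fine.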
@@ -54,69 +54,27 @@ Patch0003: php-5.6.3-embed.patch Patch0004: php-5.3.0-recode.patch Patch0005: php-7.2.0-libdb.patch Patch0006: php-7.2.4-dlopen.patch -Patch0007: php-7.2.3-systzdata-v16.patch -Patch0008: php-5.4.0-phpize.patch +Patch0007: php-7.2.16-systzdata-v17.patch +Patch0008: php-7.2.12-phpize.patch Patch0009: php-7.2.3-ldap_r.patch Patch0010: php-7.2.4-fixheader.patch Patch0011: php-5.6.3-phpinfo.patch Patch0012: php-7.2.8-getallheaders.patch -#https://github.com/php/php-src/commit/cd0a37994e3cbf1f0aa1174155d3d662cefe2e7a.patch -Patch0013: cd0a37994e3cbf1f0aa1174155d3d662cefe2e7a.patch -#https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch -Patch0014: be50a72715c141befe6f34ece660745da894aaf3.patch -#https://github.com/php/php-src/commit/c1729272b17a1fe893d1a54e423d3b71470f3ee8.patch -Patch0015: c1729272b17a1fe893d1a54e423d3b71470f3ee8.patch Patch0016: php-5.6.3-datetests.patch -Patch6000: CVE-2019-9021.patch -Patch6001: CVE-2019-9022.patch -Patch6002: CVE-2019-9023.patch -Patch6003: CVE-2019-9024.patch -Patch6004: CVE-2019-9637.patch -Patch6005: CVE-2019-9638-CVE-2019-9639.patch -Patch6006: CVE-2019-9640.patch -Patch6007: php-CVE-2018-20783.patch -Patch6008: php-CVE-2019-9641.patch -Patch6009: CVE-2019-11034.patch -Patch6010: CVE-2019-11035.patch -Patch6011: CVE-2019-11036.patch -Patch6012: CVE-2019-11041.patch -Patch6013: CVE-2019-11042.patch -Patch6014: CVE-2019-11043.patch -Patch6015: CVE-2018-19935.patch -Patch6016: CVE-2019-11045.patch -Patch6017: CVE-2019-11046.patch -Patch6018: CVE-2019-11050.patch -Patch6019: CVE-2019-11047.patch -#git.php.net/?p=php-src.git;a=patch;h=336d2086a9189006909ae06c7e95902d7d5ff77e -Patch6020: CVE-2018-19518.patch -#git.php.net/?p=php-src.git;a=patch;h=a15af81b5f0058e020eda0f109f51a3c863f5212 -Patch6021: CVE-2019-6977.patch -Patch6022: CVE-2020-7064.patch -Patch6023: CVE-2020-7066.patch -Patch6024: CVE-2019-11048.patch -Patch6025: CVE-2020-7068.patch -Patch6026: CVE-2020-7063.patch 
-Patch6027: backport-CVE-2020-7059-Fix-79099-OOB-read.patch -Patch6028: backport-CVE-2020-7062-Fix-bug-79221.patch -Patch6029: backport-CVE-2020-7071-Fix-bug-77423.patch -Patch6030: backport-CVE-2020-7060-Fix-bug-79037-global-buffer-overflow-in-mbfl_filt_co.patch -Patch6031: backport-Fix-bug-78079-openssl_encrypt_ccm.phpt-fails-with-op.patch -Patch6032: backport-CVE-2020-7069-Fix-bug-79601-Wrong-ciphertext-tag-in-AES-CCM-encryp.patch -Patch6033: backport-CVE-2020-7070-Do-not-decode-cookie-names-anymore.patch -Patch6034: backport-0001-CVE-2020-7071.patch -Patch6035: backport-0002-CVE-2020-7071.patch -Patch6036: backport-0001-CVE-2021-21705.patch -Patch6037: backport-0002-CVE-2021-21705.patch -Patch6038: backport-CVE-2021-21704.patch -Patch6039: backport-CVE-2021-21703.patch -Patch6040: backport-CVE-2021-21707.patch -Patch6041: backport-CVE-2020-7067-Fix-bug-79465-use-unsigneds-as-indexes.patch -Patch6042: backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch -Patch6043: backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch -Patch6044: backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch -Patch6045: backport-CVE-2022-31625.patch -Patch6046: backport-CVE-2022-31626.patch +# Remi Security fixes (200+) +Patch6000: php-bug77423.patch +Patch6001: php-bug80672.patch +Patch6002: php-bug80710.patch +Patch6003: php-bug81122.patch +Patch6004: php-bug76450.patch +Patch6005: php-bug81211.patch +Patch6006: php-bug81026.patch +Patch6007: php-bug79971.patch +Patch6008: php-bug81719.patch +Patch6009: php-bug81720.patch +Patch6010: php-bug81727.patch +Patch6011: php-bug81726.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel 
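Review bot: The replacement patch list loses the provenance the old list carried — the removed entries named their CVE in the file name and several had the upstream commit URL as a comment — while `# Remi Security fixes (200+)` says nothing useful about a list of twelve `php-bug*.patch` files. The renames on this page already establish the mapping (php-bug81122 replaces the CVE-2021-21705 patches, php-bug81720 replaces backport-CVE-2022-31625, php-bug81719 replaces backport-CVE-2022-31626, php-bug77423 corresponds to the old backport-CVE-2020-7071-Fix-bug-77423 patch), so one comment per entry such as `# CVE-2021-21705 - bug #81122` would let a reader audit coverage without opening each file. The dropped Patch6000–Patch6046 entries span CVEs from 2018 to 2022; the assumption that the pre-2021 ones are contained in 7.2.34 upstream belongs in the changelog as a sentence rather than being left implicit.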
@@ -136,8 +94,6 @@ Provides: php-zts = %{version}-%{release}, php-zts%{?_isa} = %{version}-%{releas Requires: httpd-mmn = %{_httpd_mmn}, php-common%{?_isa} = %{version}-%{release}, php-cli%{?_isa} = %{version}-%{release} Provides: mod_php = %{version}-%{release}, php(httpd) -#Recommends: php-fpm%{?_isa} = %{version}-%{release} -Requires(pre): httpd-filesystem Recommends: %{name}-help = %{version}-%{release} %description @@ -172,7 +128,6 @@ The php-dbg package contains the interactive PHP debugger. Summary: PHP FastCGI Process Manager BuildRequires: libacl-devel Requires: php-common%{?_isa} = %{version}-%{release} -Requires(pre): /usr/sbin/useradd BuildRequires: systemd-devel %{?systemd_requires} Requires(pre): httpd-filesystem @@ -668,7 +623,7 @@ ln -sf ../configure %configure \ --cache-file=../config.cache --with-libdir=%{_lib} --with-config-file-path=%{_sysconfdir} \ --with-config-file-scan-dir=%{_sysconfdir}/php.d --disable-debug --with-pic --disable-rpath \ - --without-pear --with-exec-dir=%{_bindir} --with-freetype-dir=%{_prefix} --with-png-dir=%{_prefix} \ + --without-pear --with-freetype-dir=%{_prefix} --with-png-dir=%{_prefix} \ --with-xpm-dir=%{_prefix} --without-gdbm --with-jpeg-dir=%{_prefix} --with-openssl --with-system-ciphers \ --with-pcre-regex=%{_prefix} --with-zlib --with-layout=GNU --with-kerberos --with-libxml-dir=%{_prefix} \ --with-system-tzdata --with-mhash \ @@ -1178,6 +1133,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Thu Oct 6 2022 Funda Wang - 7.2.34-1 +- New version 7.2.34 +- Sync with remi's patches + * Sat Jun 18 2022 Hugel - 7.2.10-20 - Fix CVE-2022-31625 CVE-2022-31626