diff --git a/CVE-2018-19935.patch b/CVE-2018-19935.patch new file mode 100644 index 0000000000000000000000000000000000000000..14d72fcbfa4c62a075eeda25467ab5347a40f323 --- /dev/null +++ b/CVE-2018-19935.patch @@ -0,0 +1,50 @@ +From 3329e30a0c631753980757045ddfcc7b356a34a2 Mon Sep 17 00:00:00 2001 +Date: Wed, 4 Dec 2019 17:50:56 +0800 +Subject: Fix #77020: null pointer dereference in imap_mail + +If an empty $message is passed to imap_mail(), we must not set message +to NULL, since _php_imap_mail() is not supposed to handle NULL pointers +(opposed to pointers to NUL). + +--- + ext/imap/php_imap.c | 1 - + ext/imap/tests/bug77020.phpt | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 php-7.2.10/ext/imap/tests/bug77020.phpt + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index e1adcf22..56126a0c 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -4106,7 +4106,6 @@ PHP_FUNCTION(imap_mail) + if (!ZSTR_LEN(message)) { + /* this is not really an error, so it is allowed. */ + php_error_docref(NULL, E_WARNING, "No message string in mail command"); +- message = NULL; + } + + if (_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), headers?ZSTR_VAL(headers):NULL, cc?ZSTR_VAL(cc):NULL, +diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt +new file mode 100644 +index 00000000..76386a09 +--- /dev/null ++++ b/ext/imap/tests/bug77020.phpt +@@ -0,0 +1,15 @@ ++ --TEST-- ++Bug #77020 (null pointer dereference in imap_mail) ++--SKIPIF-- ++ ++--FILE-- ++ ++===DONE=== ++--EXPECTF-- ++Warning: imap_mail(): No message string in mail command in %s on line %d ++%s ++===DONE=== +-- +2.19.1 + diff --git a/CVE-2019-11034.patch b/CVE-2019-11034.patch new file mode 100644 index 0000000000000000000000000000000000000000..8bf5c9dea0bb647e8c36074e1ab1167911fc0852 --- /dev/null +++ b/CVE-2019-11034.patch 
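Review bot: The diffstat line `create mode 100644 php-7.2.10/ext/imap/tests/bug77020.phpt` carries a `php-7.2.10/` prefix that the `+++ b/ext/imap/tests/bug77020.phpt` header does not, and the preamble has a `Date:` but no `From:` line, which suggests the patch was re-rolled by hand rather than produced by `git format-patch`. `git am`/`patch -p1` only read the file headers, so it still applies, but for audit purposes I would regenerate it from the upstream commit named in the `From 3329e30a…` line and keep the author trailer so the backport's provenance is checkable. The `--SKIPIF--` and `--FILE--` sections of bug77020.phpt are empty as rendered here, presumably because the `<?php` blocks were stripped; confirm the repository copy carries the test body, otherwise the EXPECTF output can never be produced. The code change itself (dropping `message = NULL;`) is the minimal correct fix, since `ZSTR_VAL()` of an empty zend_string is still a valid NUL-terminated pointer.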
@@ -0,0 +1,55 @@ +From f3aefc6d071b807ddacae0a0bc49f09c38e18490 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 17 Mar 2019 22:54:46 -0700 +Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s + +--- + ext/exif/exif.c | 4 ++++ + ext/exif/tests/bug77753.phpt | 16 ++++++++++++++++ + ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes + 3 files changed, 20 insertions(+) + create mode 100644 ext/exif/tests/bug77753.phpt + create mode 100644 ext/exif/tests/bug77753.tiff + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index fe89b85..0b5bb5a 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2802,6 +2802,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len); + return FALSE; + } ++ if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len); ++ return FALSE; ++ } + + for (de=0;de ++--FILE-- ++ ++DONE ++--EXPECTF-- ++%A ++Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d ++ ++Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d ++bool(false) ++DONE +\ No newline at end of file + +-- +2.1.4 + diff --git a/CVE-2019-11035.patch b/CVE-2019-11035.patch new file mode 100644 index 0000000000000000000000000000000000000000..cdd334f0f67ba414239f4fc901d2d9125967019f --- /dev/null +++ b/CVE-2019-11035.patch 
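Review bot: The new `exif_error_docref` call passes `(dir_start - value_ptr) + (2+NumDirEntries*12)` and `value_len` to `%04X`, which expects `unsigned int`; `dir_start - value_ptr` is a `ptrdiff_t` and `value_len` is presumably a `size_t`, so on LP64 these are 8-byte arguments read through a 4-byte conversion, which is undefined even though it happens to print the expected `0x006A > 0x0065` in the test. The warning two lines above has the same pattern, so this is not new, but since the hunk is touching that code I would cast explicitly: `(unsigned)((dir_start - value_ptr) + (2+NumDirEntries*12)), (unsigned)value_len`. The comparison itself mixes a signed `ptrdiff_t` with an unsigned right-hand side and is only safe because the check just above guarantees `value_len >= 2+NumDirEntries*12`; a one-line comment saying so would spare the next reader the derivation. No binary hunk for `ext/exif/tests/bug77753.tiff` is visible although the diffstat announces it, so confirm the fixture ships with the patch or the test cannot run.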
@@ -0,0 +1,185 @@ +From 887a7b571407f7a49a5e7cf1e612d21ef83fedb4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 2 Apr 2019 00:12:26 -0700 +Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value + in EXIF + +--- + NEWS | 1 + + ext/exif/exif.c | 43 ++++++++++++++++++++++++++++--------------- + ext/exif/tests/bug77831.phpt | 13 +++++++++++++ + ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes + 4 files changed, 42 insertions(+), 15 deletions(-) + create mode 100644 ext/exif/tests/bug77831.phpt + create mode 100644 ext/exif/tests/bug77831.tiff + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 0b5bb5a..408bf03 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1654,10 +1654,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo) + /* {{{ exif_iif_add_value + Add a value to image_info + */ +-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel) ++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel) + { + size_t idex; +- void *vptr; ++ void *vptr, *vptr_end; + image_info_value *info_value; + image_info_data *info_data; + image_info_data *list; +@@ -1679,8 +1679,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + + switch (format) { + case TAG_FMT_STRING: ++ if (length > value_len) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); ++ value = NULL; ++ } + if (value) { +- length = php_strnlen(value, length); ++ length = (int)php_strnlen(value, length); + info_value->s = estrndup(value, length); + info_data->length = length; + } else { +@@ -1702,6 +1706,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + if (!length) + break; + case 
TAG_FMT_UNDEFINED: ++ if (length > value_len) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); ++ value = NULL; ++ } + if (value) { + if (tag == TAG_MAKER_NOTE) { + length = (int) php_strnlen(value, length); +@@ -1732,7 +1740,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + } else { + info_value = &info_data->value; + } ++ vptr_end = value+value_len; + for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) { ++ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short"); ++ break; ++ } + if (length>1) { + info_value = &info_data->value.list[idex]; + } +@@ -1768,7 +1781,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + php_error_docref(NULL, E_WARNING, "Found value of type single"); + #endif + info_value->f = *(float *)value; +- ++ break; + case TAG_FMT_DOUBLE: + #ifdef EXIF_DEBUG + php_error_docref(NULL, E_WARNING, "Found value of type double"); +@@ -1786,9 +1799,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + /* {{{ exif_iif_add_tag + Add a tag from IFD to image_info + */ +-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value) ++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len) + { +- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel); ++ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel); + } + /* }}} */ + +@@ -2209,7 +2222,7 @@ static void add_assoc_image_info(zval *value, int sub_array, 
image_info_type *im + */ + static void exif_process_COM (image_info_type *image_info, char *value, size_t length) + { +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2); + } + /* }}} */ + +@@ -2224,17 +2237,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l + if (length>3) { + switch(value[2]) { + case 0: +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length; + break; + case 1: +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length); + break; + default: + php_error_docref(NULL, E_NOTICE, "Undefined JPEG2000 comment encoding"); + break; + } + } else { +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0); + php_error_docref(NULL, E_NOTICE, "JPEG2000 comment section too small"); + } + } +@@ -2827,7 +2840,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table) + { + size_t length; +- int tag, format, components; ++ unsigned int tag, format, components; + char *value_ptr, tagname[64], cbuf[32], *outside=NULL; + size_t byte_count, offset_val, fpos, fgot; + int64_t byte_count_signed; +@@ -3138,7 +3151,7 @@ 
static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha + } + } + } +- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr); ++ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count); + EFREE_IF(outside); + return TRUE; + } +@@ -3296,10 +3309,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t + size_t l1, l2=0; + + if ((l1 = php_strnlen(buffer+2, length-2)) > 0) { +- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2); ++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1); + if (length > 2+l1+1) { + l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1); +- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1); ++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2); + } + } + #ifdef EXIF_DEBUG +@@ -4100,7 +4113,7 @@ PHP_FUNCTION(exif_read_data) + if (ImageInfo.Thumbnail.size) { + if (read_thumbnail) { + /* not exif_iif_add_str : this is a buffer */ +- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data); ++ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); + } + if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { + /* try to evaluate if thumbnail data is present */ +diff --git a/ext/exif/tests/bug77831.phpt b/ext/exif/tests/bug77831.phpt +new file mode 100644 +index 0000000..d868d47 +--- /dev/null ++++ b/ext/exif/tests/bug77831.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #77831 (Heap-buffer-overflow in exif_iif_add_value in EXIF) ++--SKIPIF-- ++ 
++--FILE-- ++ ++DONE ++--EXPECTF-- ++%A ++bool(false) ++DONE +\ No newline at end of file + +-- +2.1.4 + diff --git a/CVE-2019-11036.patch b/CVE-2019-11036.patch new file mode 100644 index 0000000000000000000000000000000000000000..34861d738e688ce6957d1d62cea673e90a810740 --- /dev/null +++ b/CVE-2019-11036.patch @@ -0,0 +1,27 @@ +From f80ad18afae2230c2c1802c7d829100af646874e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 29 Apr 2019 23:38:12 -0700 +Subject: [PATCH] Fix bug #77950 - Heap-buffer-overflow in _estrndup via + exif_process_IFD_TAG + +I do not completely understand what is going on there, but I am pretty +sure dir_entry <= offset_base if not a normal situation, so we better not +to rely on such dir_entry. +--- + ext/exif/exif.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index a763f6c..d174def 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2891,7 +2891,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha + offset_base is ImageInfo->file.list[sn].data-dir_offset + dir_entry - offset_base is dir_offset+2+i*12 + */ +- if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) { ++ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) { + /* It is important to check for IMAGE_FILETYPE_TIFF + * JPEG does not use absolute pointers instead its pointers are + * relative to the start of the TIFF header in APP1 section. */ + diff --git a/CVE-2019-11041.patch b/CVE-2019-11041.patch new file mode 100644 index 0000000000000000000000000000000000000000..4158d7b5d970c2d3ae22a859297df8a74a965c32 --- /dev/null +++ b/CVE-2019-11041.patch 
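Review bot: In the `exif_process_CME` hunk the first updated call reads `exif_iif_add_tag(..., TAG_FMT_UNDEFINED, length, value), length;` — the closing parenthesis comes before the new argument, so the call passes seven arguments to a function that now takes eight and the trailing `, length` is a dead comma expression; this cannot compile against the new prototype. It should be `exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length);`, matching the `case 1:` line directly below. Separately, `vptr_end = value+value_len;` and `vptr_end - vptr` do arithmetic on `void *`, a GNU extension rather than standard C; `vptr_end = (char *)value + value_len;` and `(char *)vptr_end - (char *)vptr` keep the new bounds check portable. As with the other exif patches, the `bug77831.tiff` binary hunk is not visible here, so verify the fixture is carried with the patch.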
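Review bot: The new `dir_entry <= offset_base` term is appended last in the `||` chain, so `(size_t)(dir_entry-offset_base)` is still evaluated first and converts a zero or negative pointer difference to `0` or a huge `size_t` before the new guard can short-circuit; moving `dir_entry <= offset_base` to the front of the condition states the intent directly and avoids depending on that conversion. The commit message says the author is unsure why this situation arises, so a comment on the line such as `/* dir_entry must lie strictly after offset_base; anything else is a corrupt IFD offset */` would record the invariant being enforced. exif_process_IFD_TAG begins and ends outside this hunk; the quoted comment says `dir_entry - offset_base is dir_offset+2+i*12`, which is positive for a sane dir_offset, so `<=` looks right, but I cannot confirm it from here.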
@@ -0,0 +1,45 @@ +From dea2989ab8ba87a6180af497b2efaf0527e985c5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 7 Jul 2019 17:01:01 -0700 +Subject: [PATCH] Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail) + +--- + ext/exif/exif.c | 2 +- + ext/exif/tests/bug78222.phpt | 11 +++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug78222.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 605b37923f..cd7975a9f5 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3498,7 +3498,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + size_t length=2, pos=0; + jpeg_sof_info sof_info; + +- if (!data) { ++ if (!data || ImageInfo->Thumbnail.size < 4) { + return FALSE; /* nothing to do here */ + } + if (memcmp(data, "\xFF\xD8\xFF", 3)) { +diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt +new file mode 100644 +index 0000000000..0e4ead33e4 +--- /dev/null ++++ b/ext/exif/tests/bug78222.phpt +@@ -0,0 +1,11 @@ ++--TEST-- ++Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail) ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECTF-- ++DONE +\ No newline at end of file +-- +2.21.0 + diff --git a/CVE-2019-11042.patch b/CVE-2019-11042.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d217e535ce589e2c77d3109e7032bdb1deaa5ac --- /dev/null +++ b/CVE-2019-11042.patch 
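Review bot: The new `ImageInfo->Thumbnail.size < 4` guard uses a bare constant while the only read visible in the hunk is the 3-byte `memcmp(data, "\xFF\xD8\xFF", 3)`; the fourth byte is presumably for the marker scan that starts from `pos` further down, but that reasoning is not in the code. A comment on the guard, e.g. `/* need SOI (3 bytes) plus at least one marker byte before scanning */`, would tie the number to what follows; if the loop below also reads a two-byte segment length after the marker, 4 may still be short and should be checked against that loop, which lies outside this hunk. The `--SKIPIF--`/`--FILE--` sections of bug78222.phpt are empty as rendered here, so confirm the repository copy contains the PHP body.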
@@ -0,0 +1,51 @@ +From 99b7ef940e04cd273d03c5fa93bf182db2d7ce8d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 7 Jul 2019 17:39:59 -0700 +Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on + exif_process_user_comment) + +--- + ext/exif/exif.c | 4 ++-- + ext/exif/tests/bug78256.phpt | 11 +++++++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug78256.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 77a11300..a80f2c2a 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3040,11 +3040,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP + /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) + * since we have no encoding support for the BOM yet we skip that. + */ +- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { ++ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) { + decode = "UCS-2BE"; + szValuePtr = szValuePtr+2; + ByteCount -= 2; +- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) { ++ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) { + decode = "UCS-2LE"; + szValuePtr = szValuePtr+2; + ByteCount -= 2; +diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt +new file mode 100644 +index 00000000..37a3f1d8 +--- /dev/null ++++ b/ext/exif/tests/bug78256.phpt +@@ -0,0 +1,11 @@ ++--TEST-- ++Bug #78256 (heap-buffer-overflow on exif_process_user_comment) ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECTF-- ++DONE +\ No newline at end of file +-- +2.21.0 + diff --git a/CVE-2019-11043.patch b/CVE-2019-11043.patch new file mode 100644 index 0000000000000000000000000000000000000000..89e3b10b27c6f7d1f80bc106c7228dc958928697 --- /dev/null +++ b/CVE-2019-11043.patch 
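Review bot: The two BOM branches now repeat `ByteCount >=2 &&` with spacing that differs from the surrounding code, and since the same precondition guards both, hoisting it once reads better: wrap the existing `if (!memcmp(szValuePtr, "\xFE\xFF", 2)) … else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) …` chain in a single `if (ByteCount >= 2) {` instead of repeating the test. The fix is correct as far as the hunk shows; the remainder of exif_process_user_comment, which decides what happens to a 0- or 1-byte value once no BOM matches, is outside this hunk and should be checked for the same short-read pattern. The bug78256.phpt body is empty as rendered here, so verify the repository copy has it.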
@@ -0,0 +1,131 @@ +From ab061f95ca966731b1c84cf5b7b20155c0a1c06a Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka +Date: Sat, 12 Oct 2019 15:56:16 +0100 +Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE) + (CVE-2019-11043) + +--- + sapi/fpm/fpm/fpm_main.c | 4 +- + .../tests/bug78599-path-info-underflow.phpt | 61 +++++++++++++++++++ + sapi/fpm/tests/tester.inc | 11 +++- + 3 files changed, 72 insertions(+), 4 deletions(-) + create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt + +diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c +index 24a7e5d56ac6..50f92981f1fb 100644 +--- a/sapi/fpm/fpm/fpm_main.c ++++ b/sapi/fpm/fpm/fpm_main.c +@@ -1209,8 +1209,8 @@ static void init_request_info(void) + path_info = script_path_translated + ptlen; + tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0)); + } else { +- path_info = env_path_info ? env_path_info + pilen - slen : NULL; +- tflag = (orig_path_info != path_info); ++ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL; ++ tflag = path_info && (orig_path_info != path_info); + } + + if (tflag) { +diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt +new file mode 100644 +index 000000000000..edd4e0d49699 +--- /dev/null ++++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt +@@ -0,0 +1,61 @@ ++--TEST-- ++FPM: bug78599 - env_path_info underflow - CVE-2019-11043 ++--SKIPIF-- ++ ++--FILE-- ++start(); ++$tester->expectLogStartNotices(); ++$uri = $tester->makeSourceFile(); ++$tester ++ ->request( ++ '', ++ [ ++ 'SCRIPT_FILENAME' => $uri . "/" . 
str_repeat('A', 35), ++ 'PATH_INFO' => '', ++ 'HTTP_HUI' => str_repeat('PTEST', 1000), ++ ], ++ $uri ++ ) ++ ->expectBody( ++ [ ++ 'Test Start', ++ 'string(0) ""', ++ 'Test End' ++ ] ++ ); ++$tester->terminate(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++Done ++--CLEAN-- ++ +diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc +index 70c03ad70f1c..3b6702866cc1 100644 +--- a/sapi/fpm/tests/tester.inc ++++ b/sapi/fpm/tests/tester.inc +@@ -513,7 +513,7 @@ class Tester + return new Response(null, true); + } + if (is_null($uri)) { +- $uri = $this->makeFile('src.php', $this->code); ++ $uri = $this->makeSourceFile(); + } + + $params = array_merge( +@@ -538,7 +538,6 @@ class Tester + ], + $headers + ); +- + try { + $this->response = new Response( + $this->getClient($address, $connKeepAlive)->request_data($params, false) +@@ -944,6 +943,14 @@ class Tester + return $filePath; + } + ++ /** ++ * @return string ++ */ ++ public function makeSourceFile() ++ { ++ return $this->makeFile('src.php', $this->code); ++ } ++ + /** + * @param string|null $msg + */ diff --git a/CVE-2019-11045.patch b/CVE-2019-11045.patch new file mode 100644 index 0000000000000000000000000000000000000000..f86e68c63ca8d2aa90e7a52df239b499d2d35236 --- /dev/null +++ b/CVE-2019-11045.patch 
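Review bot: The rewritten `path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;` changes the `pilen == slen` case from pointing at `env_path_info` to `NULL`, and `tflag = path_info && (orig_path_info != path_info);` then forces `tflag` false for it, so an exact-length PATH_INFO is now treated as absent rather than compared; that is the intended consequence of closing the underflow, but nothing in the hunk says so. A comment on the assignment such as `/* PATH_INFO no longer than the script part cannot contain it; treat as absent instead of forming a pointer at or before the string start (bug #78599) */` would make the boundary explicit. I cannot see the declarations of `pilen` and `slen` in this hunk; if either is signed the comparison is mixed-sign and deserves a look. The test's `--SKIPIF--` and `--CLEAN--` bodies appear stripped in this rendering, so verify they survive in the repository copy.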
@@ -0,0 +1,72 @@ +From a5a15965da23c8e97657278fc8dfbf1dfb20c016 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 25 Nov 2019 16:56:34 +0100 +Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after + a null byte + +Since the constructor of DirectoryIterator and friends is supposed to +accepts paths (i.e. strings without NUL bytes), we must not accept +arbitrary strings. +--- + ext/spl/spl_directory.c | 4 ++-- + ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++ + 2 files changed, 33 insertions(+), 2 deletions(-) + create mode 100644 ext/spl/tests/bug78863.phpt + +diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c +index 91ea2e0265..56e809b1c7 100644 +--- a/ext/spl/spl_directory.c ++++ b/ext/spl/spl_directory.c +@@ -701,10 +701,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto + + if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { + flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; +- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags); ++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags); + } else { + flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; +- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len); ++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len); + } + if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) { + flags |= SPL_FILE_DIR_SKIPDOTS; +diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt +new file mode 100644 +index 0000000000..dc88d98dee +--- /dev/null ++++ b/ext/spl/tests/bug78863.phpt +@@ -0,0 +1,31 @@ ++--TEST-- ++Bug #78863 (DirectoryIterator class silently truncates after a null byte) ++--FILE-- ++isDot()) { ++ var_dump($fileinfo->getFilename()); ++ } ++} ++?> ++--EXPECTF-- ++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in 
%s:%d ++Stack trace: ++#0 %s(%d): DirectoryIterator->__construct('%s') ++#1 {main} ++ thrown in %s on line %d ++--CLEAN-- ++ +-- +2.19.1 + diff --git a/CVE-2019-11046.patch b/CVE-2019-11046.patch new file mode 100644 index 0000000000000000000000000000000000000000..b7963df7117c88bd7a5cb17c5609750bae4ab9af --- /dev/null +++ b/CVE-2019-11046.patch 
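Review bot: The `"s"`→`"p"` change is the right fix, but the EXPECTF block in bug78863.phpt pins the exact zpp wording `expects parameter 1 to be a valid path, string given` and the `UnexpectedValueException` wrapper; that text is tied to the PHP 7.x minor the backport targets, so if this package tracks a different minor than the tree the test was written against (the imap patch in this set mentions `php-7.2.10`), the test can fail on wording alone and the EXPECTF should be re-validated against the target tree. spl_filesystem_object_construct continues outside the hunk, so I cannot confirm that no other branch of it still parses the path with `s`; worth a grep before merging.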
@@ -0,0 +1,51 @@ +From eb23c6008753b1cdc5359dead3a096dce46c9018 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Sat, 30 Nov 2019 12:26:37 +0100 +Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub + +We must not rely on `isdigit()` to detect digits, since we only support +decimal ASCII digits in the following processing. +--- + ext/bcmath/libbcmath/src/str2num.c | 4 ++-- + ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + create mode 100644 ext/bcmath/tests/bug78878.phpt + +diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c +index f38d341570..03aec15930 100644 +--- a/ext/bcmath/libbcmath/src/str2num.c ++++ b/ext/bcmath/libbcmath/src/str2num.c +@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale) + zero_int = FALSE; + if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ + while (*ptr == '0') ptr++; /* Skip leading zeros. */ +- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ ++ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ + if (*ptr == '.') ptr++; /* decimal point */ +- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ ++ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ + if ((*ptr != '\0') || (digits+strscale == 0)) + { + *num = bc_copy_num (BCG(_zero_)); +diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt +new file mode 100644 +index 0000000000..2c9d72b946 +--- /dev/null ++++ b/ext/bcmath/tests/bug78878.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #78878 (Buffer underflow in bc_shift_addsub) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++bc math warning: non-zero scale in modulus ++0 +-- +2.19.1 + diff --git a/CVE-2019-11047.patch b/CVE-2019-11047.patch new file mode 100644 index 0000000000000000000000000000000000000000..3c52d1bf11b08e215852c6f70028c3e03af55684 --- /dev/null +++ b/CVE-2019-11047.patch 
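Review bot: Replacing `isdigit((int)*ptr)` with `*ptr >= '0' && *ptr <= '9'` fixes two things at once — the old call passed a possibly negative `char` to `isdigit`, which is undefined without an `unsigned char` cast, and it was locale-dependent while, per the commit message, the following code only handles ASCII digits — but the same range expression is now duplicated on consecutive lines. A small helper, `static inline int bc_isdigit(char c) { return c >= '0' && c <= '9'; }`, used in both loops would keep the ASCII-only intent in one place, and a comment at the first loop, `/* ASCII digits only; see bug #78878 */`, would carry the rationale from the commit message into the code. The bug78878.phpt `--FILE--` body is empty as rendered here, so confirm the repository copy has it.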
@@ -0,0 +1,50 @@ +From d348cfb96f2543565691010ade5e0346338be5a7 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 16 Dec 2019 00:10:39 -0800 +Subject: [PATCH] Fixed bug #78910 + +--- + ext/exif/exif.c | 3 ++- + ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug78910.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index f961f44a46c..c0be05922fb 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3154,7 +3154,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + continue; + if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) + continue; +- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) ++ if (maker_note->id_string && value_len >= maker_note->id_string_len ++ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) + continue; + break; + } +diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt +new file mode 100644 +index 00000000000..f5b1c32c1bd +--- /dev/null ++++ b/ext/exif/tests/bug78910.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044) ++--FILE-- ++ ++--EXPECTF-- ++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d ++ ++Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d ++ ++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d ++ ++Warning: exif_read_data(): Invalid TIFF file in %s on line %d ++bool(false) +-- +2.11.0 diff --git a/CVE-2019-11050.patch b/CVE-2019-11050.patch new file mode 100644 index 0000000000000000000000000000000000000000..9122d878dccb2b9b1c80fe7500fa215568fa4603 --- /dev/null +++ b/CVE-2019-11050.patch 
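Review bot: The reworked condition `maker_note->id_string && value_len >= maker_note->id_string_len && strncmp(...)` skips the `continue` when `value_len` is shorter than the id string, so a maker note too short to carry its identifier is accepted as a table match instead of rejected; the over-read is gone, but the entry is selected on a value that never matched. Reversing the logic keeps the bound and rejects the short value: `if (maker_note->id_string && (value_len < maker_note->id_string_len || strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))) continue;`. The test's EXPECTF shows the short case currently falls through to the `IFD data too short` warning further down, so a later check catches it today, but that expected output would need updating if the condition is tightened. The loop this sits in starts and ends outside the hunk.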
@@ -0,0 +1,48 @@ +From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 16 Dec 2019 01:14:38 -0800 +Subject: [PATCH] Fix bug #78793 + +--- + ext/exif/exif.c | 5 +++-- + ext/exif/tests/bug78793.phpt | 12 ++++++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug78793.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index c0be05922f..7fe055f381 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3235,8 +3235,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + } + + for (de=0;detag_table)) { ++ size_t offset = 2 + 12 * de; ++ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset, ++ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) { + return FALSE; + } + } +diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt +new file mode 100644 +index 0000000000..033f255ace +--- /dev/null ++++ b/ext/exif/tests/bug78793.phpt +@@ -0,0 +1,12 @@ ++--TEST-- ++Bug #78793: Use-after-free in exif parsing under memory sanitizer ++--FILE-- ++ ++===DONE=== ++--EXPECT-- ++===DONE=== +-- +2.19.1 + diff --git a/CVE-2019-9021.patch b/CVE-2019-9021.patch new file mode 100644 index 0000000000000000000000000000000000000000..33b39a96732f70299707715dc3d0f22a47da87a4 --- /dev/null +++ b/CVE-2019-9021.patch @@ -0,0 +1,14 @@ +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 4d5988eaa9..812720a011 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -2026,7 +2026,7 @@ next_extension: + } + + while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) { +- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1); ++ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1); + if (!pos) { + return FAILURE; + } + 
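Review bot: `data_len - offset` in the new call is a `size_t` subtraction with no local guarantee that `offset <= data_len`; if the only protection is the `Illegal IFD size` checks earlier in exif_process_IFD_in_MAKERNOTE (visible in the CVE-2019-11034 patch, but expressed against `value_len` rather than `data_len`), any divergence between those two lengths turns the bound into a huge value that exif_process_IFD_TAG would trust. An explicit `if (offset > data_len) return FALSE;` before the call (or `offset + 12 > data_len`, since each entry is 12 bytes per the `2+NumDirEntries*12` arithmetic elsewhere in this file) makes the invariant local and costs nothing. The `for (de=0;de…` loop header is truncated in this rendering, so the rest of the loop cannot be checked here, and the bug78793.phpt body is likewise empty.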
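Review bot: This patch has no preamble — no upstream commit id, author, subject or test — so unlike the other patches in this set its origin cannot be checked; adding at least the upstream commit reference in a `From:`/`Subject:` header would make the backport auditable. The arithmetic itself is right: the bytes remaining after `pos + 1` are `filename_len - (pos + 1 - filename)`, and writing it that way, `pos = memchr(pos + 1, '.', filename_len - (pos + 1 - filename));`, makes the corrected length self-explanatory instead of leaving a bare `- 1` a reader must re-derive. The enclosing loop and function continue outside the hunk.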
diff --git a/CVE-2019-9022.patch b/CVE-2019-9022.patch new file mode 100644 index 0000000000000000000000000000000000000000..0b3e03a3ba944bebf3fc8ac0acefda9a01679dca --- /dev/null +++ b/CVE-2019-9022.patch @@ -0,0 +1,37 @@ +From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 29 Dec 2018 20:39:08 -0800 +Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS + response + +--- + ext/standard/dns.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index 8e102f8..b5fbcb9 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t + GETLONG(ttl, cp); + GETSHORT(dlen, cp); + CHECKCP(dlen); ++ if (dlen == 0) { ++ /* No data in the response - nothing to do */ ++ return NULL; ++ } + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -549,6 +553,9 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t + CHECKCP(n); + add_assoc_stringl(subarray, "tag", (char*)cp, n); + cp += n; ++ if ( (size_t) dlen < ((size_t)n) + 2 ) { ++ return NULL; ++ } + n = dlen - n - 2; + CHECKCP(n); + add_assoc_stringl(subarray, "value", (char*)cp, n); +-- +2.1.4 diff --git a/CVE-2019-9023.patch b/CVE-2019-9023.patch new file mode 100644 index 0000000000000000000000000000000000000000..a6716ffb32ba5b8c601ae003b20214e11a1b82e6 --- /dev/null +++ b/CVE-2019-9023.patch 
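Review bot: The new `if (dlen == 0) return NULL;` sits before the `type != type_to_fetch` skip, so a zero-length RDATA on a record the caller did not ask for now terminates parsing of the whole answer, where the old code stepped over it with `cp += dlen`. If NULL is the caller's error signal (php_parserr continues outside this hunk, so I cannot confirm), placing the check after the skip branch keeps tolerance for unrelated records while still protecting the per-type parsing below. The CAA guard `if ((size_t) dlen < ((size_t)n) + 2) return NULL;` is correct; a short comment on the `2` — presumably the two bytes consumed before the tag — would help, and the other record types in this function that use `dlen - …` arithmetic should be audited for the same underflow since the hunk does not show them.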
@@ -0,0 +1,91 @@ +From 9a96e864885ccc3b19d360ba410a562eb7c5dc45 Mon Sep 17 00:00:00 2001 +From: gwx620998 +Date: Sat, 23 Mar 2019 03:34:11 -0400 +Subject: [PATCH] CVE-2019-9023 + +Signed-off-by: gwx620998 +--- + ext/mbstring/oniguruma/src/regcomp.c | 3 +++ + ext/mbstring/oniguruma/src/regparse.c | 2 ++ + ext/mbstring/oniguruma/src/unicode.c | 1 + + ext/mbstring/oniguruma/src/utf32_be.c | 3 ++- + 4 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c +index 0e9a9ab..cf914cc 100644 +--- a/ext/mbstring/oniguruma/src/regcomp.c ++++ b/ext/mbstring/oniguruma/src/regcomp.c +@@ -476,6 +476,7 @@ compile_length_string_node(Node* node, regex_t* reg) + + for (; p < sn->end; ) { + len = enclen(enc, p); ++ if (p + len > sn->end) len = sn->end - p; + if (len == prev_len) { + slen++; + } +@@ -524,6 +525,7 @@ compile_string_node(Node* node, regex_t* reg) + + for (; p < end; ) { + len = enclen(enc, p); ++ if (p + len > end) len = end - p; + if (len == prev_len) { + slen++; + } +@@ -3436,6 +3438,7 @@ expand_case_fold_string(Node* node, regex_t* reg) + } + + len = enclen(reg->enc, p); ++ if (p + len > end) len = end - p; + + if (n == 0) { + if (IS_NULL(snode)) { +diff --git a/ext/mbstring/oniguruma/src/regparse.c b/ext/mbstring/oniguruma/src/regparse.c +index 8153513..9393b9d 100644 +--- a/ext/mbstring/oniguruma/src/regparse.c ++++ b/ext/mbstring/oniguruma/src/regparse.c +@@ -3594,6 +3594,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) + } + else { /* string */ + p = tok->backp + enclen(enc, tok->backp); ++ if (p > end) p = end; + } + } + break; +@@ -3763,6 +3764,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) + out: + #endif + *src = p; ++ if (*src > end) *src = end; + return tok->type; + } + +diff --git a/ext/mbstring/oniguruma/src/unicode.c b/ext/mbstring/oniguruma/src/unicode.c +index 8812ca2..cbdc42f 100644 +--- 
a/ext/mbstring/oniguruma/src/unicode.c ++++ b/ext/mbstring/oniguruma/src/unicode.c +@@ -255,6 +255,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc, + + code = ONIGENC_MBC_TO_CODE(enc, p, end); + len = enclen(enc, p); ++ if (*pp + len > end) len = end - *pp; + *pp += len; + + #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI +diff --git a/ext/mbstring/oniguruma/src/utf32_be.c b/ext/mbstring/oniguruma/src/utf32_be.c +index d0c7f39..4cf6fed 100644 +--- a/ext/mbstring/oniguruma/src/utf32_be.c ++++ b/ext/mbstring/oniguruma/src/utf32_be.c +@@ -65,8 +65,9 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++utf32be_mbc_to_code(const UChar* p, const UChar* end) + { ++ if (p + 4 > end) return (OnigCodePoint ) NULL; + return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]); + } + +-- +1.8.3.1 + diff --git a/CVE-2019-9024.patch b/CVE-2019-9024.patch new file mode 100644 index 0000000000000000000000000000000000000000..5ac3f3ceb1c7fac4829ede497cd67e6385748e83 --- /dev/null +++ b/CVE-2019-9024.patch @@ -0,0 +1,23 @@ +From 1cc2182bcc81e185c14837e659d12b268cb99d63 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 1 Jan 2019 17:15:20 -0800 +Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64 + code) + +--- +diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c +index 5ebdf31..a4fa193 100644 +--- a/ext/xmlrpc/libxmlrpc/base64.c ++++ b/ext/xmlrpc/libxmlrpc/base64.c +@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) + return; + } + +- if (dtable[c] & 0x80) { ++ if (dtable[(unsigned char)c] & 0x80) { + /* + fprintf(stderr, "Offset %i length %i\n", offset, length); + fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); +-- +2.1.4 + 
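Review bot: `utf32be_mbc_to_code` now returns `(OnigCodePoint ) NULL` on a short buffer, which casts a null pointer constant to an integer type; `return 0;` says the same without the pointer-to-integer conversion, and the guard `p + 4 > end` forms a pointer past the buffer before comparing, so `end - p < 4` is the form that stays within defined behaviour (the same applies to the `p + len > end` clamps added in regcomp.c, regparse.c and unicode.c). Those clamps silently shorten a truncated multibyte sequence to whatever bytes remain rather than reporting it, which is acceptable for a hardening backport but deserves a one-line comment at each site so the next reader does not mistake it for a bug. Only `utf32_be.c` is patched; if the LE and UTF-16 encoders in the same directory have the same unchecked multi-byte read they need the same guard, which I cannot verify from here. The patch cites no upstream commit, so its provenance should be recorded.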
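Review bot: The `(unsigned char)` cast on the live `dtable[c]` index fixes the negative-index read, but the commented-out `fprintf` directly below still spells `dtable[c]`, and any other `dtable[c]` use in base64_decode_xmlrpc outside this hunk keeps the same out-of-bounds behaviour; if `c` is a plain `char`, declaring it `unsigned char` (or converting once where it is read) would fix every site rather than one. The patch also carries no diffstat and no test; a `.phpt` decoding a string containing a byte ≥ 0x80 would pin the fix. The function continues beyond the hunk.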
diff --git a/CVE-2019-9637.patch b/CVE-2019-9637.patch new file mode 100644 index 0000000000000000000000000000000000000000..ccc4f21328289cf75c902e7a57998c571f16eb77 --- /dev/null +++ b/CVE-2019-9637.patch 
@@ -0,0 +1,85 @@ +From 40f6425978917209cb0c2c3be05a25c65c9a900e Mon Sep 17 00:00:00 2001 +From: gwx620998 +Date: Sat, 23 Mar 2019 07:14:35 -0400 +Subject: [PATCH] CVE-2019-9637 + +Signed-off-by: gwx620998 +--- + main/streams/plain_wrapper.c | 50 +++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 17 deletions(-) + +diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c +index 9b36d00..cb9e642 100644 +--- a/main/streams/plain_wrapper.c ++++ b/main/streams/plain_wrapper.c +@@ -1168,34 +1168,50 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, const char *url_f + # ifdef EXDEV + if (errno == EXDEV) { + zend_stat_t sb; ++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE) ++ /* not sure what to do in ZTS case, umask is not thread-safe */ ++ int oldmask = umask(077); ++# endif ++ int success = 0; + if (php_copy_file(url_from, url_to) == SUCCESS) { + if (VCWD_STAT(url_from, &sb) == 0) { ++ success = 1; + # ifndef TSRM_WIN32 +- if (VCWD_CHMOD(url_to, sb.st_mode)) { +- if (errno == EPERM) { +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- VCWD_UNLINK(url_from); +- return 1; +- } ++ /* ++ * Try to set user and permission info on the target. ++ * If we're not root, then some of these may fail. ++ * We try chown first, to set proper group info, relying ++ * on the system environment to have proper umask to not allow ++ * access to the file in the meantime. 
++ */ ++ if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { + php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; ++ if (errno != EPERM) { ++ success = 0; ++ } + } +- if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { +- if (errno == EPERM) { ++ if (success) { ++ if (VCWD_CHMOD(url_to, sb.st_mode)) { + php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- VCWD_UNLINK(url_from); +- return 1; ++ if (errno != EPERM) { ++ success = 0; ++ } + } +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; + } + # endif +- VCWD_UNLINK(url_from); +- return 1; ++ if (success) { ++ VCWD_UNLINK(url_from); ++ } ++ } else { ++ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); + } ++ } else { ++ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); + } +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; ++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE) ++ umask(oldmask); ++# endif ++ return success; + } + # endif + #endif +-- +1.8.3.1 + diff --git a/CVE-2019-9638-CVE-2019-9639.patch b/CVE-2019-9638-CVE-2019-9639.patch new file mode 100644 index 0000000000000000000000000000000000000000..ddc1dae033259ec6c54014cd78ad2b50de43976a --- /dev/null +++ b/CVE-2019-9638-CVE-2019-9639.patch 
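Review bot: When `php_copy_file` has already succeeded but `VCWD_STAT`, `VCWD_CHOWN` or `VCWD_CHMOD` then fails with something other than EPERM, the function now returns `success == 0` yet leaves the freshly written copy at `url_to` in place with whatever ownership and mode it had before the failing call; change the inner `if (success) { VCWD_UNLINK(url_from); }` to `if (success) { VCWD_UNLINK(url_from); } else { VCWD_UNLINK(url_to); }` and add the same `VCWD_UNLINK(url_to);` to the stat-failure branch, so a failed cross-device rename does not leave a half-configured file behind (the unlink belongs inside the copy-succeeded block only, so a pre-existing target is never removed when the copy itself failed). As the comment admits, the `umask(077)` window is only applied on non-ZTS builds, so on ZTS the copy is briefly readable under the process umask until `VCWD_CHMOD` runs; a sentence in that comment saying the path is best-effort there would help the next reader. The final `php_error_docref2(... strerror(errno))` after a failed `php_copy_file` may report a stale errno if that helper already emitted its own warning; this cannot be confirmed from the hunk. `php_plain_files_rename` continues outside the hunk.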
@@ -0,0 +1,60 @@ +From 7168d3dc576344f7e55fac81d86304d2421ffe93 Mon Sep 17 00:00:00 2001 +From: gwx620998 +Date: Sat, 23 Mar 2019 07:42:34 -0400 +Subject: [PATCH] CVE-2019-9638 + +Signed-off-by: gwx620998 +--- + ext/exif/exif.c | 5 +++-- + ext/exif/tests/bug77563.phpt | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug77563.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 3a76d8f..d82b5ae 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3151,8 +3151,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + continue; + break; + } +- +- if (maker_note->offset >= value_len) { ++ ++ if (value_len < 2 || maker_note->offset >= value_len - 1) { + /* Do not go past the value end */ + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset); + return FALSE; +@@ -3207,6 +3207,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + #endif + default: + case MN_OFFSET_NORMAL: ++ data_len = value_len; + break; + } + +diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt +new file mode 100644 +index 0000000..d1c5b9f +--- /dev/null ++++ b/ext/exif/tests/bug77563.phpt +@@ -0,0 +1,16 @@ +++--TEST-- +++Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE) +++--SKIPIF-- +++ +++--FILE-- +++ +++DONE +++--EXPECTF-- +++Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d +++ +++Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d +++ +++Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d +++DONE +-- +1.8.3.1 + diff --git a/CVE-2019-9640.patch b/CVE-2019-9640.patch new file mode 100644 index 0000000000000000000000000000000000000000..4cda3bcb52ccacad2259cd9619db6720e44dad58 --- /dev/null +++ b/CVE-2019-9640.patch 
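Review bot: The new `bug77563.phpt` expects three warnings naming `bug77563.jpg`, but neither the diffstat (`exif.c` and the `.phpt` only) nor the patch body carries `ext/exif/tests/bug77563.jpg`, so as backported the test cannot exercise the fix and will fail on a missing file; either regenerate the patch with `git format-patch --binary` so the fixture is included, or drop the test from this patch and say so in its description. The `--FILE--` section also appears empty in this listing, which is more likely an artefact of how the patch text was extracted than of the patch itself, but it is worth checking the stored file before building.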
@@ -0,0 +1,74 @@ +From 30d2b94a2e88021b77b07149e1f4438662ca8e5e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 2 Mar 2019 13:38:00 -0800 +Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn + +--- + ext/exif/exif.c | 10 ++++++++-- + ext/exif/tests/bug77540.jpg | Bin 0 -> 91 bytes + ext/exif/tests/bug77540.phpt | 16 ++++++++++++++++ + 3 files changed, 24 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug77540.jpg + create mode 100644 ext/exif/tests/bug77540.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 4f2f660..8ed9c85 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3902,7 +3902,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + return FALSE; + marker = c; + length = php_jpg_get16(data+pos); +- if (pos+length>=ImageInfo->Thumbnail.size) { ++ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { + return FALSE; + } + #ifdef EXIF_DEBUG +@@ -3923,6 +3923,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + case M_SOF14: + case M_SOF15: + /* handle SOFn block */ ++ if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) { ++ /* exif_process_SOFn needs 8 bytes */ ++ return FALSE; ++ } + exif_process_SOFn(data+pos, marker, &sof_info); + ImageInfo->Thumbnail.height = sof_info.height; + ImageInfo->Thumbnail.width = sof_info.width; +@@ -4654,7 +4658,9 @@ PHP_FUNCTION(exif_thumbnail) + ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); + if (arg_c >= 3) { + if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { +- exif_scan_thumbnail(&ImageInfo); ++ if (!exif_scan_thumbnail(&ImageInfo)) { ++ ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0; ++ } + } + zval_dtor(z_width); + zval_dtor(z_height); +-- +diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt +new file mode 100644 +index 0000000..8702e0c +--- /dev/null ++++ b/ext/exif/tests/bug77540.phpt +@@ -0,0 +1,16 @@ 
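Review bot: The new SOFn guard `if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos)` only avoids wrapping `Thumbnail.size - 8` because the earlier check in this function (`length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length`) has already established `size >= length`, and `length < 8` short-circuits first; that dependency is easy to break when either check is edited later, so spell it out next to the existing comment, e.g. `/* size >= length >= 8 here (checked after php_jpg_get16), so size - 8 cannot wrap */`. This assumes the `switch` runs in the same iteration as that length check, which the hunk suggests but does not show; `exif_scan_thumbnail` continues outside the hunk.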
++--TEST-- ++Bug 77540 (Invalid Read on exif_process_SOFn) ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECTF-- ++Width 0 ++Height 0 ++DONE +-- +2.1.4 + diff --git a/php-CVE-2018-20783.patch b/php-CVE-2018-20783.patch new file mode 100644 index 0000000000000000000000000000000000000000..7511507b9ad19331f6d194cba37b10460bc6362d --- /dev/null +++ b/php-CVE-2018-20783.patch 
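Review bot: `bug77540.phpt` expects `Width 0` / `Height 0` from `exif_thumbnail("bug77540.jpg", ...)`, but the patch only lists `ext/exif/tests/bug77540.jpg | Bin 0 -> 91 bytes` in its diffstat and carries no binary section for it, so a plain `patch`/`git apply` of this file will not create the fixture and the test will emit a missing-file warning instead of the expected output; regenerate the patch with `git format-patch --binary` or drop the test from the backport. The empty `--FILE--` section in this listing looks like an extraction artefact rather than a patch defect, but the stored file should be checked before relying on the test.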
@@ -0,0 +1,146 @@ +From e7c8e6cde021afd637ea535b0641a1851e57fb2a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 12 Nov 2018 14:02:26 -0800 +Subject: [PATCH] Fix bug #77143 - add more checks to buffer reads + +--- + NEWS | 4 ++++ + ext/phar/phar.c | 30 +++++++++++++++++++++--------- + ext/phar/tests/bug73768.phpt | 2 +- + ext/phar/tests/bug77143.phar | Bin 0 -> 50 bytes + ext/phar/tests/bug77143.phpt | 18 ++++++++++++++++++ + 5 files changed, 44 insertions(+), 10 deletions(-) + create mode 100644 ext/phar/tests/bug77143.phar + create mode 100644 ext/phar/tests/bug77143.phpt + +diff -Nur php-7.2.10/NEWS php-7.2.10_bak/NEWS +--- php-7.2.10/NEWS 2018-09-11 15:06:00.000000000 +0800 ++++ php-7.2.10_bak/NEWS 2019-04-04 17:41:54.869000000 +0800 +@@ -136,6 +136,10 @@ + . Fixed bug #76477 (Opcache causes empty return value). + (Nikita, Laruence) + ++- Phar: ++ . Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile). ++ (Stas) ++ + - PGSQL: + . Fixed bug #76548 (pg_fetch_result did not fetch the next row). (Anatol) + +diff -Nur php-7.2.10/ext/phar/phar.c php-7.2.10_bak/ext/phar/phar.c +--- php-7.2.10/ext/phar/phar.c 2019-04-04 17:39:04.158000000 +0800 ++++ php-7.2.10_bak/ext/phar/phar.c 2019-04-04 17:49:51.807000000 +0800 +@@ -643,6 +643,18 @@ + /* }}}*/ + + /** ++ * Size of fixed fields in the manifest. ++ * See: http://php.net/manual/en/phar.fileformat.phar.php ++ */ ++#define MANIFEST_FIXED_LEN 18 ++ ++#define SAFE_PHAR_GET_32(buffer, endbuffer, var) \ ++ if (UNEXPECTED(buffer + 4 > endbuffer)) { \ ++ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)"); \ ++ } \ ++ PHAR_GET_32(buffer, var); ++ ++/** + * Does not check for a previously opened phar in the cache. 
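Review bot: `SAFE_PHAR_GET_32` expands to an `if` statement followed by a second statement, so it is only safe inside braces; an unbraced `if (!len) SAFE_PHAR_GET_32(buffer, endbuffer, len);` would guard the bounds check but always perform the read. Wrap the expansion in `do { ... } while (0)` and let the call site supply the trailing semicolon, as the usual multi-statement macro idiom does. The test `buffer + 4 > endbuffer` also forms a pointer beyond the manifest before comparing; `endbuffer - buffer < 4` avoids that and matches the `len > (size_t)(endbuffer - buffer)` form used later in `phar_parse_pharfile`.
```c
#define SAFE_PHAR_GET_32(buffer, endbuffer, var) \
	do { \
		if (UNEXPECTED((endbuffer) - (buffer) < 4)) { \
			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)"); \
		} \
		PHAR_GET_32(buffer, var); \
	} while (0)
```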
+ * + * Parse a new one and add it to the cache, returning either SUCCESS or +@@ -725,7 +737,7 @@ + savebuf = buffer; + endbuffer = buffer + manifest_len; + +- if (manifest_len < 10 || manifest_len != php_stream_read(fp, buffer, manifest_len)) { ++ if (manifest_len < MANIFEST_FIXED_LEN || manifest_len != php_stream_read(fp, buffer, manifest_len)) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)") + } + +@@ -750,7 +762,7 @@ + return FAILURE; + } + +- PHAR_GET_32(buffer, manifest_flags); ++ SAFE_PHAR_GET_32(buffer, endbuffer, manifest_flags); + + manifest_flags &= ~PHAR_HDR_COMPRESSION_MASK; + manifest_flags &= ~PHAR_FILE_COMPRESSION_MASK; +@@ -970,13 +982,13 @@ + } + + /* extract alias */ +- PHAR_GET_32(buffer, tmp_len); ++ SAFE_PHAR_GET_32(buffer, endbuffer, tmp_len); + + if (buffer + tmp_len > endbuffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)"); + } + +- if (manifest_len < 10 + tmp_len) { ++ if (manifest_len < MANIFEST_FIXED_LEN + tmp_len) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)") + } + +@@ -1014,7 +1026,7 @@ + } + + /* we have 5 32-bit items plus 1 byte at least */ +- if (manifest_count > ((manifest_len - 10 - tmp_len) / (5 * 4 + 1))) { ++ if (manifest_count > ((manifest_len - MANIFEST_FIXED_LEN - tmp_len) / (5 * 4 + 1))) { + /* prevent serious memory issues */ + MAPPHAR_FAIL("internal corruption of phar \"%s\" (too many manifest entries for size of manifest)") + } +@@ -1023,12 +1035,12 @@ + mydata->is_persistent = PHAR_G(persist); + + /* check whether we have meta data, zero check works regardless of byte order */ +- PHAR_GET_32(buffer, len); ++ SAFE_PHAR_GET_32(buffer, endbuffer, len); + if (mydata->is_persistent) { + mydata->metadata_len = len; +- if(!len) { ++ if (!len) { + /* FIXME: not sure why this is needed but removing it breaks tests */ +- PHAR_GET_32(buffer, len); ++ SAFE_PHAR_GET_32(buffer, endbuffer, len); + } + } + if(len > (size_t)(endbuffer - 
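Review bot: Immediately after the new `SAFE_PHAR_GET_32(buffer, endbuffer, tmp_len)` the existing check `if (buffer + tmp_len > endbuffer)` still builds a pointer that can lie arbitrarily far past the manifest before comparing, which is undefined behaviour and, with a 32-bit `tmp_len` near its maximum on a 32-bit build, can wrap back inside the buffer; write it as `if (tmp_len > (size_t)(endbuffer - buffer)) {` like the `len > (size_t)(endbuffer - buffer)` test later in the same function. The following `manifest_len < MANIFEST_FIXED_LEN + tmp_len` has the same shape and is safer as `manifest_len - MANIFEST_FIXED_LEN < tmp_len`, since `manifest_len >= MANIFEST_FIXED_LEN` is already enforced by the earlier hunk. `phar_parse_pharfile` continues outside the hunk.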
buffer)) { +diff -Nur php-7.2.10/ext/phar/tests/bug73768.phpt php-7.2.10_bak/ext/phar/tests/bug73768.phpt +--- php-7.2.10/ext/phar/tests/bug73768.phpt 2018-09-11 15:06:03.000000000 +0800 ++++ php-7.2.10_bak/ext/phar/tests/bug73768.phpt 2019-04-04 17:50:51.796000000 +0800 +@@ -13,4 +13,4 @@ + } + ?> + --EXPECTF-- +-cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar" ++internal corruption of phar "%sbug73768.phar" (truncated manifest header) +diff --git a/ext/phar/tests/bug77143.phpt b/ext/phar/tests/bug77143.phpt +new file mode 100644 +index 0000000..f9f80fc +--- /dev/null ++++ b/ext/phar/tests/bug77143.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++PHP bug #77143: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile ++--INI-- ++phar.readonly=0 ++--SKIPIF-- ++ ++--FILE-- ++getMessage(); ++} ++?> ++--EXPECTF-- ++internal corruption of phar "%sbug77143.phar" (truncated manifest header) +-- +2.1.4 + diff --git a/php-CVE-2019-9641.patch b/php-CVE-2019-9641.patch new file mode 100644 index 0000000000000000000000000000000000000000..e49b455e44ebc11de19a5e56afb17a4b5695851a --- /dev/null +++ b/php-CVE-2019-9641.patch 
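Review bot: Changing `bug73768.phpt` to expect `internal corruption of phar "%sbug73768.phar" (truncated manifest header)` means the existing `bug73768.phar` fixture, which the old parser accepted far enough to report an alias mismatch, is now rejected by the `manifest_len < MANIFEST_FIXED_LEN` check; that is a behaviour change for any real-world phar with a manifest shorter than 18 bytes, and the patch should say whether such files were ever valid per the documented format rather than silently relying on the test update. A one-line note in the test, e.g. `// manifest shorter than MANIFEST_FIXED_LEN (18) is now rejected up front`, would record why the expectation moved.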
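Review bot: `bug77143.phpt` opens `bug77143.phar` and expects the truncated-manifest error, but the patch only lists `ext/phar/tests/bug77143.phar | Bin 0 -> 50 bytes` in the diffstat and contains no binary section for it, so applying this file will not create the fixture and the test will fail for the wrong reason; regenerate the patch with `git format-patch --binary` or drop the test from the backport and note the omission. The `--FILE--` body shown here is truncated to `getMessage();`, which looks like an extraction artefact of this listing rather than the stored patch, but it should be verified before the package build.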
@@ -0,0 +1,47 @@ +commit 25aa5f434dfb3337a6617b46224f1b505053d8e9 +Author: Stanislav Malyshev +Date: Fri Mar 1 23:25:45 2019 -0800 + + Fix integer overflows on 32-bits + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index cbde3effed..b4563927a5 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3567,10 +3567,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + tag_table_type tag_table = exif_get_tag_table(section_index); + + if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { +- return FALSE; +- } ++ return FALSE; ++ } + +- if (ImageInfo->FileSize >= dir_offset+2) { ++ if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) { + sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2); +@@ -3578,8 +3578,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */ + php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2); + num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel); +- dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; +- if (ImageInfo->FileSize >= dir_offset+dir_size) { ++ dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; ++ if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) { + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries); + #endif +@@ -3662,9 +3662,9 @@ static int 
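Review bot: The first two `-`/`+` pairs in the `@@ -3567` hunk (`return FALSE;` and its closing `}`) differ only in indentation, so this security backport carries an unrelated whitespace change that makes `git blame` and future rebases noisier; drop those four lines and keep only the `ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset` rewrite. The rewritten condition itself is sound, since testing `FileSize >= 2` first guarantees `FileSize - 2` cannot wrap; a short comment such as `/* overflow-safe form of FileSize >= dir_offset + 2 */` would explain the unusual shape to readers who see only the new code.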
exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + } + } + } +- if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) { ++ if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) { + if (ifd_size > dir_size) { +- if (dir_offset + ifd_size > ImageInfo->FileSize) { ++ if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size); + return FALSE; + } diff --git a/php.spec b/php.spec index a1c67c561ed2b7c62d4bea289bb80668b0f09545..803f2688afb9183df3466ba4512a26408995fedf 100644 --- a/php.spec +++ b/php.spec @@ -28,7 +28,7 @@ Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1 +Release: 2 Summary: PHP scripting language for creating dynamic web sites License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA URL: http://www.php.net/ 
@@ -65,6 +65,27 @@ Patch0014: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece66 Patch0015: https://github.com/php/php-src/commit/c1729272b17a1fe893d1a54e423d3b71470f3ee8.patch Patch0016: php-5.6.3-datetests.patch +Patch6000: CVE-2019-9021.patch +Patch6001: CVE-2019-9022.patch +Patch6002: CVE-2019-9023.patch +Patch6003: CVE-2019-9024.patch +Patch6004: CVE-2019-9637.patch +Patch6005: CVE-2019-9638-CVE-2019-9639.patch +Patch6006: CVE-2019-9640.patch +Patch6007: php-CVE-2018-20783.patch +Patch6008: php-CVE-2019-9641.patch +Patch6009: CVE-2019-11034.patch +Patch6010: CVE-2019-11035.patch +Patch6011: CVE-2019-11036.patch +Patch6012: CVE-2019-11041.patch +Patch6013: CVE-2019-11042.patch +Patch6014: CVE-2019-11043.patch +Patch6015: CVE-2018-19935.patch +Patch6016: CVE-2019-11045.patch +Patch6017: CVE-2019-11046.patch +Patch6018: CVE-2019-11050.patch +Patch6019: CVE-2019-11047.patch + BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel BuildRequires: pcre-devel >= 6.6, bzip2, perl-interpreter, autoconf, automake, gcc, gcc-c++, libtool, libtool-ltdl-devel @@ -1120,5 +1141,8 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Thu Mar 12 2020 openEuler Buildteam - 7.2.10-2 +- Add CVE patches + * Fri Feb 14 2020 openEuler Buildteam - 7.2.10-1 - Package init
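Review bot: The new `Patch6000`–`Patch6019` lines mix two naming schemes (`CVE-2019-9640.patch` beside `php-CVE-2018-20783.patch` and `php-CVE-2019-9641.patch`) and are not in CVE order (`CVE-2018-19935` sits at 6015, `CVE-2019-11047` after `CVE-2019-11050`); normalize the file names to one prefix and list them ascending by CVE so a later audit can check coverage at a glance. Nothing in this hunk applies the patches: unless the spec's `%prep` already uses `%autosetup -p1` (not visible here), each entry also needs a matching `%patch60NN -p1` line, and a build that silently skips them would look identical from the outside. The changelog line `- Add CVE patches` in the following hunk would be more useful if it listed the CVE IDs.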