From 1e6e62f7248c974e3a6863f99d4478861d912cbf Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Sat, 16 Oct 2021 14:24:33 +0800
Subject: [PATCH] fix CVE-2021-21704

---
 backport-CVE-2021-21704.patch | 68 +++++++++++++++++++++++++++++++++++
 php.spec | 6 +++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-21704.patch

diff --git a/backport-CVE-2021-21704.patch b/backport-CVE-2021-21704.patch
new file mode 100644
index 0000000..890385b
--- /dev/null
+++ b/backport-CVE-2021-21704.patch
@@ -0,0 +1,68 @@
+From 08da7c73726f7b86b67d6f0ff87c73c585a7834a Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Fri, 30 Apr 2021 13:53:21 +0200
+Subject: [PATCH] Fix #76449: SIGSEGV in firebird_handle_doer
+
+We need to verify that the `result_size` is not larger than our buffer,
+and also should make sure that the `len` which is passed to
+`isc_vax_integer()` has a permissible value; otherwise we bail out.
+---
+ ext/pdo_firebird/firebird_driver.c | 10 ++++++++++
+ ext/pdo_firebird/tests/bug_76449.phpt | 23 +++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+ create mode 100644 ext/pdo_firebird/tests/bug_76449.phpt
+
+diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
+index c27a9e2e..303e0f47 100644
+--- a/ext/pdo_firebird/firebird_driver.c
++++ b/ext/pdo_firebird/firebird_driver.c
+@@ -626,8 +626,18 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq
+ if (result[0] == isc_info_sql_records) {
+ unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
+ 
++ if (result_size > sizeof(result)) {
++ ret = -1;
++ goto free_statement;
++ }
++
+ while (result[i] != isc_info_end && i < result_size) {
+ short len = (short)isc_vax_integer(&result[i+1],2);
++ /* bail out on bad len */
++ if (len != 1 && len != 2 && len != 4) {
++ ret = -1;
++ goto free_statement;
++ }
+ if (result[i] != isc_info_req_select_count) {
+ ret += isc_vax_integer(&result[i+3],len);
+ }
+diff --git a/ext/pdo_firebird/tests/bug_76449.phpt b/ext/pdo_firebird/tests/bug_76449.phpt
+new file mode 100644
+index 00000000..48a09c1d
+--- /dev/null
++++ b/ext/pdo_firebird/tests/bug_76449.phpt
+@@ -0,0 +1,23 @@
++--TEST--
++Bug #76449 (SIGSEGV in firebird_handle_doer)
++--SKIPIF--
++
++--FILE--
++ PDO::ERRMODE_EXCEPTION]);
++var_dump($dbh->exec("INSERT INTO test VALUES ('hihi2', 'xxxxx')"));
++?>
++--EXPECT--
++bool(false)
+-- 
+2.27.0
\ No newline at end of file
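Review bot: The added `i < result_size` guard in the `while` loop still leaves the per-entry reads unbounded: `result[i+1]`, `result[i+2]` and the `len` bytes read from `&result[i+3]` are never checked against `result_size`, so a clump whose last entry is truncated can still read up to 3+len bytes past the declared length, and `result[i]` is evaluated before `i < result_size`, which reads one past the end of `result` when `result_size == sizeof(result)`. After the new `len` check I would add `if (i + 3 + (unsigned)len > result_size) { ret = -1; goto free_statement; }` and reorder the loop condition to `while (i < result_size && result[i] != isc_info_end)`. The `result_size > sizeof(result)` check only bounds the value if `result` is declared as a fixed-size array rather than a pointer, which this hunk does not show; note also that `result_size` is the clump's length field while `i` is an offset from the start of `result`, so whether the two are directly comparable depends on how `i` is advanced further down, outside the hunk. firebird_handle_doer starts and ends outside the hunk.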
diff --git a/php.spec b/php.spec
index 236b7dd..7ecd2c4 100644
--- a/php.spec
+++ b/php.spec
@@ -27,7 +27,7 @@ Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 4
+Release: 5
 Summary: PHP scripting language for creating dynamic web sites
 License: PHP and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA
 URL: http://www.php.net/
@@ -63,6 +63,7 @@ Patch11: backport-0001-CVE-2020-7071.patch
 Patch12: backport-0002-CVE-2020-7071.patch
 Patch13: backport-0001-CVE-2021-21705.patch
 Patch14: backport-0002-CVE-2021-21705.patch
+Patch15: backport-CVE-2021-21704.patch
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1101,6 +1102,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 %changelog
+* Sat Oct 16 2021 wangjie - 8.0.0-5
+- fix CVE-2021-21704
+
 * Wed Sep 29 2021 fuanan - 8.0.0-4
 - refix CVE-2020-7071 and fix CVE-2021-21705
-- Gitee