diff --git a/backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch b/backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch
new file mode 100644
index 0000000000000000000000000000000000000000..35ac9c8029b2c6bdce94acad1738dbbe81e2dea8
--- /dev/null
+++ b/backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch
@@ -0,0 +1,65 @@
+From ed6dee9a198c904ad5e03113e58a2d2c200f5184 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Mon, 6 May 2019 10:18:51 +0200
+Subject: [PATCH] Fix #77973: Uninitialized read in gdImageCreateFromXbm
+
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+---
+ ext/gd/libgd/gd_xbm.c | 6 +++++-
+ ext/gd/tests/bug77973.phpt | 26 ++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+ create mode 100644 ext/gd/tests/bug77973.phpt
+
+diff --git a/ext/gd/libgd/gd_xbm.c b/ext/gd/libgd/gd_xbm.c
+index 6ff18cd..bde590d 100644
+--- a/ext/gd/libgd/gd_xbm.c
++++ b/ext/gd/libgd/gd_xbm.c
+@@ -135,7 +135,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
+ }
+ h[3] = ch;
+ }
+- sscanf(h, "%x", &b);
++ if (sscanf(h, "%x", &b) != 1) {
++ php_gd_error("invalid XBM");
++ gdImageDestroy(im);
++ return 0;
++ }
+ for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ if (x == im->sx) {
+diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt
+new file mode 100644
+index 0000000..2545dbe
+--- /dev/null
++++ b/ext/gd/tests/bug77973.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #77973 (Uninitialized read in gdImageCreateFromXbm)
++--SKIPIF--
++
++--FILE--
++
++===DONE===
++--EXPECTF--
++Warning: imagecreatefromxbm(): invalid XBM in %s on line %d
++
++Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d
++bool(false)
++===DONE===
++--CLEAN--
++
+--
+1.8.3.1
+
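Review bot: The regression test bug77973.phpt as it appears here has empty --SKIPIF--, --FILE-- and --CLEAN-- sections (only bare `++` lines between the section headers), so as shown it would neither write the crafted XBM nor call imagecreatefromxbm(); the hunk header declares 65 lines but only 54 are visible, which is consistent with the `<?php … ?>` blocks having been dropped by this rendering rather than by the backport, but the committed file should be checked against upstream ed6dee9a before relying on it. The C change itself is sound: `sscanf()` returns 0 on a matching failure and EOF on input failure, so `!= 1` rejects both, and `gdImageDestroy(im)` before `return 0` keeps the new error path from leaking the image. Because `h` and `b` are declared outside the hunk, whether `h` is NUL-terminated before the `sscanf()` call cannot be confirmed from here. gdImageCreateFromXbm begins and ends outside the hunk.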
diff --git a/backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch b/backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6b4aa98a4edd327dd342059aff664e168ee24f98
--- /dev/null
+++ b/backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch
@@ -0,0 +1,30 @@
+From 7cf7148a8f8f4f55fb04de2a517d740bb6253eac Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 27 May 2019 16:32:42 -0700
+Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in
+ iconv.c:_php_iconv_mime_decode() due to integer overflow
+
+---
+ ext/iconv/iconv.c | 4 +++-
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 ext/iconv/tests/bug78069.data
+ create mode 100644 ext/iconv/tests/bug78069.phpt
+
+diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
+index f86d0ae..b4a2abe 100644
+--- a/ext/iconv/iconv.c
++++ b/ext/iconv/iconv.c
+@@ -1673,7 +1673,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
+ * we can do at this point. */
+ if (*(p1 + 1) == '=') {
+ ++p1;
+- --str_left;
++ if (str_left > 1) {
++ --str_left;
++ }
+ }
+
+ err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
+--
+1.8.3.1
+
diff --git a/backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch b/backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1f8673f27322d908ef2d0a605888f1b72b4fca37
--- /dev/null
+++ b/backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch
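Review bot: The new `if (str_left > 1)` guard stops `str_left` from wrapping below zero, but the byte that triggers the branch, `*(p1 + 1)`, is still read before `str_left` is consulted, so when `str_left == 1` the comparison itself touches the byte after the last counted input byte. That is harmless only if every caller hands in a NUL-terminated buffer, which the hunk cannot show; a form that bounds the read as well as the decrement is `if (str_left > 1 && *(p1 + 1) == '=') { ++p1; --str_left; }`. Separately, the patch trailer still reads `3 files changed` and lists `create mode` for bug78069.data and bug78069.phpt, yet the body carries only the iconv.c hunk, so the regression test was dropped from the backport; either carry the test or trim the diffstat so the patch describes what it actually applies. `_php_iconv_mime_decode` begins and ends outside the hunk.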
@@ -0,0 +1,27 @@
+From 73ff4193be24192c894dc0502d06e2b2db35eefb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 27 May 2019 17:16:29 -0700
+Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
+
+---
+ ext/exif/exif.c | 2 ++
+ 4 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug77988.jpg
+ create mode 100644 ext/exif/tests/bug77988.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index d174def..605b379 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3526,6 +3526,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+ if (c == 0xFF)
+ return FALSE;
+ marker = c;
++ if (pos>=ImageInfo->Thumbnail.size)
++ return FALSE;
+ length = php_jpg_get16(data+pos);
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
+ return FALSE;
+--
+1.8.3.1
+
diff --git a/php.spec b/php.spec
index c24c8989e6cf005bbe6c13522363fa0ce6a79636..a09517ef697eb00869513b1f6c09d8a83a4a010e 100644
--- a/php.spec
+++ b/php.spec
@@ -28,7 +28,7 @@ Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 18
+Release: 19
Summary: PHP scripting language for creating dynamic web sites
License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA LGPL-2.1+ and Apache-2.0 and Artistic-1.0-Perl
URL: http://www.php.net/
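Review bot: The added bound `if (pos>=ImageInfo->Thumbnail.size)` only guarantees that `data[pos]` lies inside the thumbnail, but `php_jpg_get16(data+pos)` is a 16-bit fetch and so also reads `data[pos+1]`; with `pos == Thumbnail.size - 1` the new check passes and one byte past the buffer is still read before the following `length` check runs. The check should cover both bytes: `if (pos + 2 > ImageInfo->Thumbnail.size) return FALSE;` (the `pos + 2` form also avoids underflow of `size - 1` when the size is 0). The body of `php_jpg_get16` is outside this hunk, so confirm it reads two bytes; its name and the `length` it feeds strongly suggest so. As with the other backports, the trailer still says `4 files changed` and lists bug77988.jpg and bug77988.phpt under `create mode` while only the exif.c hunk is carried, so the regression test is not part of this backport. `exif_scan_thumbnail` begins and ends outside the hunk.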
@@ -112,6 +112,9 @@ Patch6038: backport-CVE-2021-21704.patch
Patch6039: backport-CVE-2021-21703.patch
Patch6040: backport-CVE-2021-21707.patch
Patch6041: backport-CVE-2020-7067-Fix-bug-79465-use-unsigneds-as-indexes.patch
+Patch6042: backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch
+Patch6043: backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch
+Patch6044: backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch
BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1173,6 +1176,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog
+* Mon Feb 28 2022 wangchen - 7.2.10-19
+- Fix CVE-2019-11038 CVE-2019-11039 CVE-2019-11040
+
* Wed Feb 23 2022 panxiaohe - 7.2.10-18
- Fix CVE-2020-7067