From 1fda5dd66392735d945bce762f060a9540d83e20 Mon Sep 17 00:00:00 2001 From: Hugel <2712504175@qq.com> Date: Tue, 12 Jul 2022 11:38:53 +0800 Subject: [PATCH] Fix CVE-2022-31627 --- backport-CVE-2022-31627.patch | 356 ++++++++++++++++++++++++++++++++++ php.spec | 6 +- 2 files changed, 361 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-31627.patch diff --git a/backport-CVE-2022-31627.patch b/backport-CVE-2022-31627.patch new file mode 100644 index 0000000..00cb0a3 --- /dev/null +++ b/backport-CVE-2022-31627.patch @@ -0,0 +1,356 @@ +From ca6d511fa54b34d5b75bf120a86482a1b9e1e686 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Thu, 30 Jun 2022 17:15:22 +0200 +Subject: [PATCH] Fix #81723: Memory corruption in finfo_buffer() + +We need to use the same memory allocator throughout. +--- + ext/fileinfo/libmagic.patch | 112 +++++++++++++++++------------- + ext/fileinfo/libmagic/softmagic.c | 8 +-- + ext/fileinfo/tests/bug81723.phpt | 12 ++++ + 3 files changed, 79 insertions(+), 53 deletions(-) + create mode 100644 ext/fileinfo/tests/bug81723.phpt + +diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch +index 27124692a0..3373ae4519 100644 +--- a/ext/fileinfo/libmagic.patch ++++ b/ext/fileinfo/libmagic.patch +@@ -1,6 +1,6 @@ +-diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c ++diff -u libmagic.orig/apprentice.c libmagic/apprentice.c + --- libmagic.orig/apprentice.c 2021-02-23 01:51:11.000000000 +0100 +-+++ libmagic/apprentice.c 2021-04-06 21:34:57.332978922 +0200 +++++ libmagic/apprentice.c 2022-06-16 13:39:41.570984700 +0200 + 
@@ -29,6 +29,8 @@ + * apprentice - make one pass through /etc/magic, learning its secrets. + */ +@@ -925,9 +925,9 @@ diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c + m->str_range = swap4(m->str_range); + m->str_flags = swap4(m->str_flags); + } +-diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c ++diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c + --- libmagic.orig/ascmagic.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/ascmagic.c 2021-04-06 21:34:57.332978922 +0200 +++++ libmagic/ascmagic.c 2022-06-16 13:39:41.570984700 +0200 + @@ -96,7 +96,7 @@ + rv = file_ascmagic_with_encoding(ms, &bb, + ubuf, ulen, code, type, text); +@@ -956,9 +956,9 @@ diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c + + return rv; + } +-diff -ur libmagic.orig/buffer.c libmagic/buffer.c ++diff -u libmagic.orig/buffer.c libmagic/buffer.c + --- libmagic.orig/buffer.c 2021-02-23 01:49:26.000000000 +0100 +-+++ libmagic/buffer.c 2021-04-06 21:34:57.332978922 +0200 +++++ libmagic/buffer.c 2021-09-21 13:27:27.982716100 +0200 + @@ -31,19 +31,23 @@ + #endif /* lint */ + +@@ -1012,9 +1012,9 @@ diff -ur libmagic.orig/buffer.c libmagic/buffer.c + b->ebuf = NULL; + goto out; + } +-diff -ur libmagic.orig/cdf.c libmagic/cdf.c ++diff -u libmagic.orig/cdf.c libmagic/cdf.c + --- libmagic.orig/cdf.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/cdf.c 2021-04-06 21:34:57.332978922 +0200 +++++ libmagic/cdf.c 2021-09-21 13:27:27.983695600 +0200 + @@ -43,7 +43,17 @@ + #include + #endif +@@ -1247,9 +1247,9 @@ diff -ur libmagic.orig/cdf.c libmagic/cdf.c + } + + #endif +-diff -ur libmagic.orig/cdf.h libmagic/cdf.h ++diff -u libmagic.orig/cdf.h libmagic/cdf.h + --- libmagic.orig/cdf.h 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/cdf.h 2021-04-06 21:34:57.332978922 +0200 +++++ libmagic/cdf.h 2021-09-21 13:27:27.984674900 +0200 + 
@@ -35,10 +35,10 @@ + #ifndef _H_CDF_ + #define _H_CDF_ +@@ -1264,9 +1264,9 @@ diff -ur libmagic.orig/cdf.h libmagic/cdf.h + #endif + #ifdef __DJGPP__ + #define timespec timeval +-diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c ++diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c + --- libmagic.orig/cdf_time.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/cdf_time.c 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/cdf_time.c 2021-09-21 13:27:27.985654400 +0200 + @@ -23,6 +23,7 @@ + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. +@@ -1293,9 +1293,9 @@ diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c + if (ptr != NULL) + return buf; + (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", +-diff -ur libmagic.orig/compress.c libmagic/compress.c ++diff -u libmagic.orig/compress.c libmagic/compress.c + --- libmagic.orig/compress.c 2021-02-23 01:49:07.000000000 +0100 +-+++ libmagic/compress.c 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/compress.c 2022-06-16 13:39:41.586609800 +0200 + @@ -51,7 +51,7 @@ + #ifndef HAVE_SIG_T + typedef void (*sig_t)(int); +@@ -1430,9 +1430,9 @@ diff -ur libmagic.orig/compress.c libmagic/compress.c + } + #endif + +#endif +-diff -ur libmagic.orig/der.c libmagic/der.c ++diff -u libmagic.orig/der.c libmagic/der.c + --- libmagic.orig/der.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/der.c 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/der.c 2022-06-16 13:39:41.586609800 +0200 + @@ -54,7 +54,9 @@ + #include "magic.h" + #include "der.h" +@@ -1443,9 +1443,9 @@ diff -ur libmagic.orig/der.c libmagic/der.c + #include + #include + #endif +-diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h ++diff -u libmagic.orig/elfclass.h libmagic/elfclass.h + --- libmagic.orig/elfclass.h 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/elfclass.h 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/elfclass.h 2021-09-21 13:27:27.989571700 +0200 + 
@@ -41,7 +41,7 @@ + return toomany(ms, "program headers", phnum); + flags |= FLAGS_IS_CORE; +@@ -1473,9 +1473,9 @@ diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h + CAST(size_t, elf_getu16(swap, elfhdr.e_shentsize)), + fsize, elf_getu16(swap, elfhdr.e_machine), + CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), +-diff -ur libmagic.orig/encoding.c libmagic/encoding.c ++diff -u libmagic.orig/encoding.c libmagic/encoding.c + --- libmagic.orig/encoding.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/encoding.c 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/encoding.c 2022-06-16 13:39:41.586609800 +0200 + @@ -98,14 +98,14 @@ + nbytes = ms->encoding_max; + +@@ -1514,9 +1514,9 @@ diff -ur libmagic.orig/encoding.c libmagic/encoding.c + } \ + if (u < 3) \ + return 0; \ +-diff -ur libmagic.orig/file.h libmagic/file.h ++diff -u libmagic.orig/file.h libmagic/file.h + --- libmagic.orig/file.h 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/file.h 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/file.h 2022-06-16 13:39:41.586609800 +0200 + @@ -33,17 +33,14 @@ + #ifndef __file_h__ + #define __file_h__ +@@ -1775,9 +1775,9 @@ diff -ur libmagic.orig/file.h libmagic/file.h + +#endif + + + #endif /* __file_h__ */ +-diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c ++diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c + --- libmagic.orig/fsmagic.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/fsmagic.c 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/fsmagic.c 2021-09-21 13:27:27.992511000 +0200 + 
@@ -66,26 +66,10 @@ + # define minor(dev) ((dev) & 0xff) + #endif +@@ -2068,9 +2068,9 @@ diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c + #ifdef S_IFSOCK + #ifndef __COHERENT__ + case S_IFSOCK: +-diff -ur libmagic.orig/funcs.c libmagic/funcs.c ++diff -u libmagic.orig/funcs.c libmagic/funcs.c + --- libmagic.orig/funcs.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/funcs.c 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/funcs.c 2022-06-16 13:39:41.586609800 +0200 + @@ -51,6 +51,13 @@ + #define SIZE_MAX ((size_t)~0) + #endif +@@ -2388,9 +2388,9 @@ diff -ur libmagic.orig/funcs.c libmagic/funcs.c + + protected char * + file_strtrim(char *str) +-diff -ur libmagic.orig/magic.c libmagic/magic.c ++diff -u libmagic.orig/magic.c libmagic/magic.c + --- libmagic.orig/magic.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/magic.c 2021-04-06 21:34:57.336978894 +0200 +++++ libmagic/magic.c 2022-06-16 13:39:41.586609800 +0200 + @@ -25,11 +25,6 @@ + * SUCH DAMAGE. + */ +@@ -2867,9 +2867,9 @@ diff -ur libmagic.orig/magic.c libmagic/magic.c + return NULL; + } + return file_getbuffer(ms); +-diff -ur libmagic.orig/magic.h libmagic/magic.h +---- libmagic.orig/magic.h 2021-04-06 22:37:37.647426536 +0200 +-+++ libmagic/magic.h 2021-04-06 21:34:57.336978894 +0200 ++diff -u libmagic.orig/magic.h libmagic/magic.h ++--- libmagic.orig/magic.h 2022-06-30 17:16:06.144009900 +0200 +++++ libmagic/magic.h 2022-06-16 13:39:41.586609800 +0200 + @@ -126,6 +126,7 @@ + + const char *magic_getpath(const char *, int); +@@ -2878,9 +2878,9 @@ diff -ur libmagic.orig/magic.h libmagic/magic.h + const char *magic_descriptor(magic_t, int); + const char *magic_buffer(magic_t, const void *, size_t); + +-diff -ur libmagic.orig/print.c libmagic/print.c ++diff -u libmagic.orig/print.c libmagic/print.c + --- libmagic.orig/print.c 2021-02-23 01:49:07.000000000 +0100 +-+++ libmagic/print.c 2021-04-06 21:34:57.340978869 +0200 +++++ libmagic/print.c 2021-09-21 13:27:27.998388700 +0200 + 
@@ -28,6 +28,7 @@ + /* + * print.c - debugging printout routines +@@ -2943,9 +2943,9 @@ diff -ur libmagic.orig/print.c libmagic/print.c + + if (pp == NULL) + goto out; +-diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c ++diff -u libmagic.orig/readcdf.c libmagic/readcdf.c + --- libmagic.orig/readcdf.c 2021-02-23 01:49:08.000000000 +0100 +-+++ libmagic/readcdf.c 2021-04-06 21:34:57.340978869 +0200 +++++ libmagic/readcdf.c 2021-09-21 13:27:27.999369100 +0200 + @@ -31,7 +31,11 @@ + + #include +@@ -3067,9 +3067,9 @@ diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c + out0: + /* If we handled it already, return */ + if (i != -1) +-diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c ++diff -u libmagic.orig/softmagic.c libmagic/softmagic.c + --- libmagic.orig/softmagic.c 2021-02-23 01:49:06.000000000 +0100 +-+++ libmagic/softmagic.c 2021-04-06 21:34:57.340978869 +0200 +++++ libmagic/softmagic.c 2022-06-30 16:58:15.521661800 +0200 + 
@@ -43,6 +43,10 @@ + #include + #include "der.h" +@@ -3247,7 +3247,29 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c + return rv; + } + +-@@ -1845,15 +1847,15 @@ ++@@ -1531,11 +1533,7 @@ ++ size_t len; ++ *c = ms->c; ++ len = c->len * sizeof(*c->li); ++- ms->c.li = CAST(struct level_info *, malloc(len)); ++- if (ms->c.li == NULL) { ++- ms->c = *c; ++- return -1; ++- } +++ ms->c.li = CAST(struct level_info *, emalloc(len)); ++ memcpy(ms->c.li, c->li, len); ++ return 0; ++ } ++@@ -1543,7 +1541,7 @@ ++ private void ++ restore_cont(struct magic_set *ms, struct cont *c) ++ { ++- free(ms->c.li); +++ efree(ms->c.li); ++ ms->c = *c; ++ } ++ ++@@ -1845,15 +1843,15 @@ + if ((ms->flags & MAGIC_NODESC) == 0 && + file_printf(ms, F(ms, m->desc, "%u"), offset) == -1) + { +@@ -3266,7 +3288,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c + return rv; + + case FILE_USE: +-@@ -1958,10 +1960,13 @@ ++@@ -1958,10 +1956,13 @@ + } + else if ((flags & STRING_COMPACT_WHITESPACE) && + isspace(*a)) { +@@ -3281,7 +3303,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c + b++; + } + else { +-@@ -1997,6 +2002,60 @@ ++@@ -1997,6 +1998,60 @@ + return file_strncmp(a, b, len, maxlen, flags); + } + +@@ -3342,7 +3364,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c + private int + magiccheck(struct magic_set *ms, struct magic *m) + { +-@@ -2176,65 +2235,77 @@ ++@@ -2176,65 +2231,77 @@ + break; + } + case FILE_REGEX: { +@@ -3471,9 +3493,9 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c + break; + } + case FILE_USE: +-diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c ++diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c + --- libmagic.orig/strcasestr.c 2021-02-23 01:49:12.000000000 +0100 +-+++ libmagic/strcasestr.c 2021-04-06 21:34:57.340978869 +0200 +++++ libmagic/strcasestr.c 2021-09-21 13:27:28.002306200 +0200 + 
@@ -39,6 +39,8 @@ + + #include "file.h" +@@ -3483,7 +3505,3 @@ diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c + #include + #include + #include +---- libmagic/config.h 2021-04-06 22:19:57.552120067 +0200 +-+++ /dev/null 2021-03-31 20:37:24.776503884 +0200 +-@@ -1 +0,0 @@ +--#include "php.h" +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index c86524e31e..5132b4ddea 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -1533,11 +1533,7 @@ save_cont(struct magic_set *ms, struct cont *c) + size_t len; + *c = ms->c; + len = c->len * sizeof(*c->li); +- ms->c.li = CAST(struct level_info *, malloc(len)); +- if (ms->c.li == NULL) { +- ms->c = *c; +- return -1; +- } ++ ms->c.li = CAST(struct level_info *, emalloc(len)); + memcpy(ms->c.li, c->li, len); + return 0; + } +@@ -1545,7 +1541,7 @@ save_cont(struct magic_set *ms, struct cont *c) + private void + restore_cont(struct magic_set *ms, struct cont *c) + { +- free(ms->c.li); ++ efree(ms->c.li); + ms->c = *c; + } + +diff --git a/ext/fileinfo/tests/bug81723.phpt b/ext/fileinfo/tests/bug81723.phpt +new file mode 100644 +index 0000000000..16bfb81f10 +--- /dev/null ++++ b/ext/fileinfo/tests/bug81723.phpt +@@ -0,0 +1,12 @@ ++--TEST-- ++Bug #81723 (Memory corruption in finfo_buffer()) ++--EXTENSIONS-- ++fileinfo ++--FILE-- ++ ++--EXPECT-- +-- +2.27.0 + diff --git a/php.spec b/php.spec index 7849462..a31a0d3 100644 --- a/php.spec +++ b/php.spec @@ -26,7 +26,7 @@ Name: php Version: %{upver} -Release: 4 +Release: 5 Summary: PHP scripting language for creating dynamic web sites License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and Boost URL: http://www.php.net/ 
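Review bot: The new `emalloc()`/`efree()` pair in save_cont()/restore_cont() only removes the allocator mismatch if every other site that touches `ms->c.li` — the initial allocation, the growth path (upstream this is file_check_mem(), which PHP's libmagic.patch switches to erealloc()) and the final release — is also on the PHP allocator, and none of those sites is in this hunk, so the backport should be checked against this tree's libmagic.patch rather than assumed from the upstream 8.1 commit. Dropping the NULL check is only correct because emalloc() bails out on OOM instead of returning NULL, which leaves save_cont() with an int return that can no longer signal failure; I would record that above the allocation: `/* emalloc() bails out on OOM (never returns NULL); must match the erealloc()/efree() used elsewhere for ms->c.li, see bug #81723 */`. The `--FILE--` section of bug81723.phpt appears empty in this rendering, so the reproducer cannot be checked from the page — presumably the PHP source was lost in extraction. save_cont()'s opening lines are outside the hunk; restore_cont() is shown in full.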
@@ -59,6 +59,7 @@ Patch8: php-7.4.0-datetests.patch Patch9: backport-CVE-2021-21708-Fix-81708.patch Patch10: backport-CVE-2022-31625.patch Patch11: backport-CVE-2022-31626.patch +Patch12: backport-CVE-2022-31627.patch BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel @@ -1092,6 +1093,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Tue Jul 12 2022 Hugel - 8.1.1-5 +- Fix CVE-2022-31627 + * Sat Jun 18 2022 Hugel - 8.1.1-4 - Fix CVE-2022-31625 CVE-2022-31626 -- Gitee