authorRemi Collet <remi@remirepo.net>2018-12-10 17:11:36 +0100
committerRemi Collet <remi@remirepo.net>2018-12-10 17:11:36 +0100
commit14af75a3038eff8af244db294486a1561729233c (patch)
tree0d41787556dd1fec29dd12eaffece79a4a31363d
parent421f2276eeeac617c7a5720d7f8de39a1403edb5 (diff)
Fix #77231 Segfault when using convert.quoted-printable-encode filter
Fix #77020 null pointer dereference in imap_mail CVE-2018-19935
Fix #77153 imap_open allows to run arbitrary shell commands via mailbox parameter CVE-2018-19158
-rw-r--r--bug77020.patch51
-rw-r--r--bug77153.patch124
-rw-r--r--bug77231.patch46
-rw-r--r--php54.spec17
4 files changed, 237 insertions, 1 deletions
diff --git a/bug77020.patch b/bug77020.patch
new file mode 100644
index 0000000..eafa38f
--- /dev/null
+++ b/bug77020.patch
@@ -0,0 +1,51 @@
+Backported for 5.4, from 5.6, by Remi
+
+
+From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Nov 2018 10:04:01 -0800
+Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail
+
+If an empty $message is passed to imap_mail(), we must not set message
+to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
+(opposed to pointers to NUL).
+---
+ NEWS | 1 +
+ ext/imap/php_imap.c | 1 -
+ ext/imap/tests/bug77020.phpt | 15 +++++++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/imap/tests/bug77020.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index a23e84c08521..b30440f000f3 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -4088,7 +4088,6 @@ PHP_FUNCTION(imap_mail)
+ if (!message_len) {
+ /* this is not really an error, so it is allowed. */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command");
+- message = NULL;
+ }
+
+ if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) {
+diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
+new file mode 100644
+index 000000000000..8a65232eec6d
+--- /dev/null
++++ b/ext/imap/tests/bug77020.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #77020 (null pointer dereference in imap_mail)
++--SKIPIF--
++<?php
++if (!extension_loaded('imap')) die('skip imap extension not available');
++?>
++--FILE--
++<?php
++imap_mail('1', 1, NULL);
++?>
++===DONE===
++--EXPECTF--
++Warning: imap_mail(): No message string in mail command in %s on line %d
++%s
++===DONE===
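Review bot: With `message = NULL;` removed from the `if (!message_len)` branch in the php_imap.c hunk, nothing in the code records why that assignment must not come back, so a later "tidy-up" could reintroduce the dereference. The branch should carry a comment stating the contract the commit message describes: `/* keep message pointing at the empty string: _php_imap_mail() dereferences it and does not accept NULL */`. The enclosing PHP_FUNCTION(imap_mail) starts and ends outside the hunk.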
diff --git a/bug77153.patch b/bug77153.patch
new file mode 100644
index 0000000..6eeab15
--- /dev/null
+++ b/bug77153.patch
@@ -0,0 +1,124 @@
+Backported for 5.4, from 5.6, by Remi
+
+
+From e5bfea64c81ae34816479bb05d17cdffe45adddb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 18 Nov 2018 17:10:43 -0800
+Subject: [PATCH] Disable rsh/ssh functionality in imap by default (bug #77153)
+
+---
+ NEWS | 4 ++++
+ UPGRADING | 7 +++++++
+ ext/imap/php_imap.c | 17 +++++++++++++++++
+ ext/imap/php_imap.h | 1 +
+ ext/imap/tests/bug77153.phpt | 24 ++++++++++++++++++++++++
+ 5 files changed, 53 insertions(+)
+ create mode 100644 ext/imap/tests/bug77153.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index 00eae89a963b..f6feebe9f769 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = {
+ };
+ /* }}} */
+
++
++/* {{{ PHP_INI
++ */
++PHP_INI_BEGIN()
++STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals)
++PHP_INI_END()
++/* }}} */
++
++
+ /* {{{ imap_module_entry
+ */
+ zend_module_entry imap_module_entry = {
+@@ -835,6 +844,8 @@ PHP_MINIT_FUNCTION(imap)
+ {
+ unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY;
+
++ REGISTER_INI_ENTRIES();
++
+ #ifndef PHP_WIN32
+ mail_link(&unixdriver); /* link in the unix driver */
+ mail_link(&mhdriver); /* link in the mh driver */
+@@ -1052,6 +1063,12 @@ PHP_MINIT_FUNCTION(imap)
+ GC_TEXTS texts
+ */
+
++ if (!IMAPG(enable_rsh)) {
++ /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */
++ mail_parameters (NIL, SET_RSHTIMEOUT, 0);
++ mail_parameters (NIL, SET_SSHTIMEOUT, 0);
++ }
++
+ le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number);
+ return SUCCESS;
+ }
+diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h
+index 3a1d048cd3e2..0c3ce78d4855 100644
+--- a/ext/imap/php_imap.h
++++ b/ext/imap/php_imap.h
+@@ -214,6 +214,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap)
+ #endif
+ /* php_stream for php_mail_gets() */
+ php_stream *gets_stream;
++ zend_bool enable_rsh;
+ ZEND_END_MODULE_GLOBALS(imap)
+
+ #ifdef ZTS
+diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt
+new file mode 100644
+index 000000000000..63590aee1dde
+--- /dev/null
++++ b/ext/imap/tests/bug77153.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
++--SKIPIF--
++<?php
++ if (!extension_loaded("imap")) {
++ die("skip imap extension not available");
++ }
++?>
++--FILE--
++<?php
++$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
++$payloadb64 = base64_encode($payload);
++$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
++@imap_open('{'.$server.':143/imap}INBOX', '', '');
++// clean
++imap_errors();
++var_dump(file_exists(__DIR__ . '/__bug'));
++?>
++--EXPECT--
++bool(false)
++--CLEAN--
++<?php
++if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug');
++?>
+\ No newline at end of file
+From d8765852e0400ee2ce8ae9e2177c42731d4539d8 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 28 Nov 2018 15:45:51 -0800
+Subject: [PATCH] Add DISPLAY_INI_ENTRIES for imap
+
+---
+ ext/imap/php_imap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index f6feebe9f769..a23e84c08521 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -1155,6 +1155,8 @@ PHP_MINFO_FUNCTION(imap)
+ php_info_print_table_row(2, "Kerberos Support", "enabled");
+ #endif
+ php_info_print_table_end();
++
++ DISPLAY_INI_ENTRIES();
+ }
+ /* }}} */
+
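Review bot: The `if (!IMAPG(enable_rsh))` block in PHP_MINIT_FUNCTION(imap) decides the rsh/ssh setting once at module init, and nothing near it says so; because `imap.enable_insecure_rsh` is registered PHP_INI_SYSTEM this is the property the mitigation relies on, and it should be written down: `/* decided once at MINIT: imap.enable_insecure_rsh is PHP_INI_SYSTEM, so a request cannot re-enable rsh/ssh */`. The block also depends on c-client treating a zero SET_RSHTIMEOUT/SET_SSHTIMEOUT as "do not attempt", which the existing comment asserts but does not attribute; naming where that behaviour is documented would let a maintainer re-check it against the bundled c-client version. The backported patch's own diffstat still lists NEWS and UPGRADING although no hunks for them are included, which patch(1) ignores but readers may not. PHP_MINIT_FUNCTION(imap) spans several nested hunks and is not fully visible here.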
diff --git a/bug77231.patch b/bug77231.patch
new file mode 100644
index 0000000..8a2e237
--- /dev/null
+++ b/bug77231.patch
@@ -0,0 +1,46 @@
+Backported for 5.4, from 5.6, by Remi
+
+
+From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 3 Dec 2018 02:12:11 -0800
+Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231)
+
+---
+ NEWS | 4 ++++
+ ext/standard/filters.c | 2 +-
+ ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/filters/bug77231.phpt
+
+diff --git a/ext/standard/filters.c b/ext/standard/filters.c
+index dc7b0d86dcd3..9718a45be25e 100644
+--- a/ext/standard/filters.c
++++ b/ext/standard/filters.c
+@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
+ line_ccnt--;
+ CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
+ } else {
+- if (line_ccnt < 4) {
++ if (line_ccnt < 4 && inst->lbchars != NULL) {
+ if (ocnt < inst->lbchars_len + 1) {
+ err = PHP_CONV_ERR_TOO_BIG;
+ break;
+diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
+new file mode 100644
+index 000000000000..17967ee80fc5
+--- /dev/null
++++ b/ext/standard/tests/filters/bug77231.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
++--FILE--
++<?php
++var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
++?>
++--EXPECT--
++array(1) {
++ [0]=>
++ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
++}
+\ No newline at end of file
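Review bot: The added `inst->lbchars != NULL` condition means a filter configured without line-break characters never takes the soft-line-break branch, so `line_ccnt` presumably keeps decrementing past the point where that branch would have reset it; the new test expects one 74-character line, so this looks intended, but a comment would stop the next reader from "fixing" it: `/* no lbchars configured: never emit soft line breaks, so the line-length limit is not enforced */`. If `line_ccnt` is an unsigned type it will wrap once it passes zero, which is harmless as long as the skipped branch is its only consumer, but that is worth confirming against its declaration, which lies outside the hunk. php_conv_qprint_encode_convert() starts and ends outside the hunk.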
diff --git a/php54.spec b/php54.spec
index 815597f..b0bb171 100644
--- a/php54.spec
+++ b/php54.spec
@@ -27,6 +27,7 @@
%ifarch ppc ppc64
%global oraclever 10.2.0.2
%else
+# See exclude line in mock configuration
%global oraclever 12.1
%endif
@@ -98,7 +99,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.4.45
-Release: 15%{?dist}
+Release: 16%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -229,6 +230,9 @@ Patch268: bug74435.patch
Patch269: bug75571.patch
Patch270: bug75981.patch
Patch271: bug76582.patch
+Patch272: bug77153.patch
+Patch273: bug77020.patch
+Patch274: bug77231.patch
# Fixes for tests
# no_NO issue
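Review bot: The new Patch272–Patch274 lines give no hint that their order is load-bearing: bug77153.patch and bug77020.patch both modify ext/imap/php_imap.c, and the index lines in the two patch files (bug77153's last php_imap.c hunk ends at a23e84c08521, bug77020's starts from it) show that bug77153 must be applied first, which is why the lower bug number carries the higher Patch number. A comment above `Patch272: bug77153.patch` would protect this from a later sort-by-bug-number cleanup: `# bug77153 must be applied before bug77020: both patch ext/imap/php_imap.c`. The same constraint applies to the %patch272–%patch274 lines in the later hunk. The `# See exclude line in mock configuration` comment added in the first hunk is unrelated to the changelog entry and would be easier to trace as a separate change.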
@@ -1008,6 +1012,9 @@ rm -f ext/json/utf8_to_utf16.*
%patch269 -p1 -b .bug75571
%patch270 -p1 -b .bug75981
%patch271 -p1 -b .bug76582
+%patch272 -p1 -b .bug77153
+%patch273 -p1 -b .bug77020
+%patch274 -p1 -b .bug77231
# Fixes for tests
%patch301 -p1 -b .datetests2
@@ -1894,6 +1901,14 @@ fi
%changelog
+* Mon Dec 10 2018 Remi Collet <remi@remirepo.net> - 5.4.45-16
+- Fix #77231 Segfault when using convert.quoted-printable-encode filter
+- Fix #77020 null pointer dereference in imap_mail
+ CVE-2018-19935
+- Fix #77153 imap_open allows to run arbitrary shell commands via
+ mailbox parameter
+ CVE-2018-19158
+
* Fri Sep 14 2018 Remi Collet <remi@remirepo.net> - 5.4.45-15
- fix #76582: XSS due to the header Transfer-Encoding: chunked