diff options
author | Remi Collet <remi@remirepo.net> | 2018-12-10 17:11:36 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2018-12-10 17:11:36 +0100 |
commit | 14af75a3038eff8af244db294486a1561729233c (patch) | |
tree | 0d41787556dd1fec29dd12eaffece79a4a31363d | |
parent | 421f2276eeeac617c7a5720d7f8de39a1403edb5 (diff) |
Fix #77231 Segfault when using convert.quoted-printable-encode filter
Fix #77020 null pointer dereference in imap_mail CVE-2018-19935
Fix #77153 imap_open allows to run arbitrary shell commands via mailbox parameter CVE-2018-19158
-rw-r--r-- | bug77020.patch | 51 | ||||
-rw-r--r-- | bug77153.patch | 124 | ||||
-rw-r--r-- | bug77231.patch | 46 | ||||
-rw-r--r-- | php54.spec | 17 |
4 files changed, 237 insertions, 1 deletions
diff --git a/bug77020.patch b/bug77020.patch new file mode 100644 index 0000000..eafa38f --- /dev/null +++ b/bug77020.patch @@ -0,0 +1,51 @@ +Backported for 5.4, from 5.6, by Remi + + +From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 11 Nov 2018 10:04:01 -0800 +Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail + +If an empty $message is passed to imap_mail(), we must not set message +to NULL, since _php_imap_mail() is not supposed to handle NULL pointers +(opposed to pointers to NUL). +--- + NEWS | 1 + + ext/imap/php_imap.c | 1 - + ext/imap/tests/bug77020.phpt | 15 +++++++++++++++ + 3 files changed, 16 insertions(+), 1 deletion(-) + create mode 100644 ext/imap/tests/bug77020.phpt + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index a23e84c08521..b30440f000f3 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -4088,7 +4088,6 @@ PHP_FUNCTION(imap_mail) + if (!message_len) { + /* this is not really an error, so it is allowed. */ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command"); +- message = NULL; + } + + if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) { +diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt +new file mode 100644 +index 000000000000..8a65232eec6d +--- /dev/null ++++ b/ext/imap/tests/bug77020.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #77020 (null pointer dereference in imap_mail) ++--SKIPIF-- ++<?php ++if (!extension_loaded('imap')) die('skip imap extension not available'); ++?> ++--FILE-- ++<?php ++imap_mail('1', 1, NULL); ++?> ++===DONE=== ++--EXPECTF-- ++Warning: imap_mail(): No message string in mail command in %s on line %d ++%s ++===DONE=== diff --git a/bug77153.patch b/bug77153.patch new file mode 100644 index 0000000..6eeab15 --- /dev/null +++ b/bug77153.patch @@ -0,0 +1,124 @@ +Backported for 5.4, from 5.6, by Remi + + +From e5bfea64c81ae34816479bb05d17cdffe45adddb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 18 Nov 2018 17:10:43 -0800 +Subject: [PATCH] Disable rsh/ssh functionality in imap by default (bug #77153) + +--- + NEWS | 4 ++++ + UPGRADING | 7 +++++++ + ext/imap/php_imap.c | 17 +++++++++++++++++ + ext/imap/php_imap.h | 1 + + ext/imap/tests/bug77153.phpt | 24 ++++++++++++++++++++++++ + 5 files changed, 53 insertions(+) + create mode 100644 ext/imap/tests/bug77153.phpt + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index 00eae89a963b..f6feebe9f769 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = { + }; + /* }}} */ + ++ ++/* {{{ PHP_INI ++ */ ++PHP_INI_BEGIN() ++STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals) ++PHP_INI_END() ++/* }}} */ ++ ++ + /* {{{ imap_module_entry + */ + zend_module_entry imap_module_entry = { +@@ -835,6 +844,8 @@ PHP_MINIT_FUNCTION(imap) + { + unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY; + ++ REGISTER_INI_ENTRIES(); ++ + #ifndef PHP_WIN32 + mail_link(&unixdriver); /* link in the unix driver */ + mail_link(&mhdriver); /* link in the mh driver */ +@@ -1052,6 +1063,12 @@ PHP_MINIT_FUNCTION(imap) + GC_TEXTS texts + */ + ++ if (!IMAPG(enable_rsh)) { ++ /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */ ++ mail_parameters (NIL, SET_RSHTIMEOUT, 0); ++ mail_parameters (NIL, SET_SSHTIMEOUT, 0); ++ } ++ + le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number); + return SUCCESS; + } +diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h +index 3a1d048cd3e2..0c3ce78d4855 100644 +--- a/ext/imap/php_imap.h ++++ b/ext/imap/php_imap.h +@@ -214,6 +214,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap) + #endif + /* php_stream for php_mail_gets() */ + php_stream *gets_stream; ++ zend_bool enable_rsh; + ZEND_END_MODULE_GLOBALS(imap) + + #ifdef ZTS +diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt +new file mode 100644 +index 000000000000..63590aee1dde +--- /dev/null ++++ b/ext/imap/tests/bug77153.phpt +@@ -0,0 +1,24 @@ ++--TEST-- ++Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter) ++--SKIPIF-- ++<?php ++ if (!extension_loaded("imap")) { ++ die("skip imap extension not available"); ++ } ++?> ++--FILE-- ++<?php ++$payload = "echo 'BUG'> " . __DIR__ . '/__bug'; ++$payloadb64 = base64_encode($payload); ++$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}"; ++@imap_open('{'.$server.':143/imap}INBOX', '', ''); ++// clean ++imap_errors(); ++var_dump(file_exists(__DIR__ . '/__bug')); ++?> ++--EXPECT-- ++bool(false) ++--CLEAN-- ++<?php ++if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug'); ++?> +\ No newline at end of file +From d8765852e0400ee2ce8ae9e2177c42731d4539d8 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 28 Nov 2018 15:45:51 -0800 +Subject: [PATCH] Add DISPLAY_INI_ENTRIES for imap + +--- + ext/imap/php_imap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index f6feebe9f769..a23e84c08521 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -1155,6 +1155,8 @@ PHP_MINFO_FUNCTION(imap) + php_info_print_table_row(2, "Kerberos Support", "enabled"); + #endif + php_info_print_table_end(); ++ ++ DISPLAY_INI_ENTRIES(); + } + /* }}} */ + diff --git a/bug77231.patch b/bug77231.patch new file mode 100644 index 0000000..8a2e237 --- /dev/null +++ b/bug77231.patch @@ -0,0 +1,46 @@ +Backported for 5.4, from 5.6, by Remi + + +From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 3 Dec 2018 02:12:11 -0800 +Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231) + +--- + NEWS | 4 ++++ + ext/standard/filters.c | 2 +- + ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++ + 3 files changed, 16 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/filters/bug77231.phpt + +diff --git a/ext/standard/filters.c b/ext/standard/filters.c +index dc7b0d86dcd3..9718a45be25e 100644 +--- a/ext/standard/filters.c ++++ b/ext/standard/filters.c +@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins + line_ccnt--; + CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt); + } else { +- if (line_ccnt < 4) { ++ if (line_ccnt < 4 && inst->lbchars != NULL) { + if (ocnt < inst->lbchars_len + 1) { + err = PHP_CONV_ERR_TOO_BIG; + break; +diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt +new file mode 100644 +index 000000000000..17967ee80fc5 +--- /dev/null ++++ b/ext/standard/tests/filters/bug77231.phpt +@@ -0,0 +1,11 @@ ++--TEST-- ++Bug #77231 (Segfault when using convert.quoted-printable-encode filter) ++--FILE-- ++<?php ++var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA'))); ++?> ++--EXPECT-- ++array(1) { ++ [0]=> ++ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA" ++} +\ No newline at end of file @@ -27,6 +27,7 @@ %ifarch ppc ppc64 %global oraclever 10.2.0.2 %else +# See exclude line in mock configuration %global oraclever 12.1 %endif @@ -98,7 +99,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.45 -Release: 15%{?dist} +Release: 16%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -229,6 +230,9 @@ Patch268: bug74435.patch Patch269: bug75571.patch Patch270: bug75981.patch Patch271: bug76582.patch +Patch272: bug77153.patch +Patch273: bug77020.patch +Patch274: bug77231.patch # Fixes for tests # no_NO issue @@ -1008,6 +1012,9 @@ rm -f ext/json/utf8_to_utf16.* %patch269 -p1 -b .bug75571 %patch270 -p1 -b .bug75981 %patch271 -p1 -b .bug76582 +%patch272 -p1 -b .bug77153 +%patch273 -p1 -b .bug77020 +%patch274 -p1 -b .bug77231 # Fixes for tests %patch301 -p1 -b .datetests2 @@ -1894,6 +1901,14 @@ fi %changelog +* Mon Dec 10 2018 Remi Collet <remi@remirepo.net> - 5.4.45-16 +- Fix #77231 Segfault when using convert.quoted-printable-encode filter +- Fix #77020 null pointer dereference in imap_mail + CVE-2018-19935 +- Fix #77153 imap_open allows to run arbitrary shell commands via + mailbox parameter + CVE-2018-19158 + * Fri Sep 14 2018 Remi Collet <remi@remirepo.net> - 5.4.45-15 - fix #76582: XSS due to the header Transfer-Encoding: chunked |