summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2018-09-14 14:41:14 +0200
committerRemi Collet <remi@remirepo.net>2018-09-14 14:41:14 +0200
commit421f2276eeeac617c7a5720d7f8de39a1403edb5 (patch)
tree8134e625ea9ba6b90a01469e7b2262fcd028189b
parent6a75ec7b86fc3f19b758a0e6525e9df7eb87a9f9 (diff)
fix #76582: XSS due to the header Transfer-Encoding: chunked
-rw-r--r--bug76582.patch23
-rw-r--r--php54.spec7
2 files changed, 29 insertions, 1 deletions
diff --git a/bug76582.patch b/bug76582.patch
new file mode 100644
index 0000000..fd35f43
--- /dev/null
+++ b/bug76582.patch
@@ -0,0 +1,23 @@
+From 23b057742e3cf199612fa8050ae86cae675e214e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 28 Jul 2018 22:16:29 -0700
+Subject: [PATCH] Fix for bug #76582
+
+The brigade seems to end up in a messed up state if something fails
+in shutdown, so we clean it up.
+---
+ sapi/apache2handler/sapi_apache2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c
+index 6fa2521c3847..0ebca9bca863 100644
+--- a/sapi/apache2handler/sapi_apache2.c
++++ b/sapi/apache2handler/sapi_apache2.c
+@@ -678,6 +678,7 @@ zend_first_try {
+ if (!parent_req) {
+ php_apache_request_dtor(r TSRMLS_CC);
+ ctx->request_processed = 1;
++ apr_brigade_cleanup(brigade);
+ bucket = apr_bucket_eos_create(r->connection->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(brigade, bucket);
+
diff --git a/php54.spec b/php54.spec
index f85cacf..815597f 100644
--- a/php54.spec
+++ b/php54.spec
@@ -98,7 +98,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.4.45
-Release: 14%{?dist}
+Release: 15%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -228,6 +228,7 @@ Patch267: bug73869.patch
Patch268: bug74435.patch
Patch269: bug75571.patch
Patch270: bug75981.patch
+Patch271: bug76582.patch
# Fixes for tests
# no_NO issue
@@ -1006,6 +1007,7 @@ rm -f ext/json/utf8_to_utf16.*
%patch268 -p1 -b .bug74435
%patch269 -p1 -b .bug75571
%patch270 -p1 -b .bug75981
+%patch271 -p1 -b .bug76582
# Fixes for tests
%patch301 -p1 -b .datetests2
@@ -1892,6 +1894,9 @@ fi
%changelog
+* Fri Sep 14 2018 Remi Collet <remi@remirepo.net> - 5.4.45-15
+- fix #76582: XSS due to the header Transfer-Encoding: chunked
+
* Thu Mar 1 2018 Remi Collet <remi@remirepo.net> - 5.4.45-14
- fix #73549: Use after free when stream is passed to imagepng
- fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()