summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2018-03-01 10:08:47 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 10:08:47 +0100
commit6a75ec7b86fc3f19b758a0e6525e9df7eb87a9f9 (patch)
tree3063e2862ede5cb869233359d021731e3b156e90
parentf6bab89b5b2345cac08d761e2fd93f7d18da8aea (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response
-rw-r--r--.gitignore10
-rw-r--r--bug73549.patch95
-rw-r--r--bug73868.patch47
-rw-r--r--bug73869.patch45
-rw-r--r--bug74435.patch35
-rw-r--r--bug75571.patch58
-rw-r--r--bug75981.patch68
-rw-r--r--php-5.4.34-systzdata-v11.patch3
-rw-r--r--php54.spec28
9 files changed, 386 insertions, 3 deletions
diff --git a/.gitignore b/.gitignore
index 4ab9ab5..6f69818 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,9 @@
-tembed5*
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.bz2
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/bug73549.patch b/bug73549.patch
new file mode 100644
index 0000000..5c39852
--- /dev/null
+++ b/bug73549.patch
@@ -0,0 +1,95 @@
+From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Nov 2016 13:44:30 +0100
+Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng
+
+If a stream is passed to imagepng() or other image output functions,
+opposed to a filename, we must not close this stream.
+---
+ NEWS | 3 +++
+ ext/gd/gd_ctx.c | 18 +++++++++++++++++-
+ ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+ create mode 100644 ext/gd/tests/bug73549.phpt
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index 34a9a00..acb96e1 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l)
+
+ static void _php_image_stream_ctxfree(struct gdIOCtx *ctx)
+ {
++ if(ctx->data) {
++ ctx->data = NULL;
++ }
++ if(ctx) {
++ efree(ctx);
++ }
++} /* }}} */
++
++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */
++{
+ TSRMLS_FETCH();
+
+ if(ctx->data) {
+@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ gdIOCtx *ctx = NULL;
+ zval *to_zval = NULL;
+ php_stream *stream;
++ int close_stream = 1;
+
+ /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp().
+ * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called
+@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ if (stream == NULL) {
+ RETURN_FALSE;
+ }
++ close_stream = 0;
+ } else if (Z_TYPE_P(to_zval) == IS_STRING) {
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ ctx = emalloc(sizeof(gdIOCtx));
+ ctx->putC = _php_image_stream_putc;
+ ctx->putBuf = _php_image_stream_putbuf;
+- ctx->gd_free = _php_image_stream_ctxfree;
++ if (close_stream) {
++ ctx->gd_free = _php_image_stream_ctxfreeandclose;
++ } else {
++ ctx->gd_free = _php_image_stream_ctxfree;
++ }
+ ctx->data = (void *)stream;
+ }
+
+diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt
+new file mode 100644
+index 0000000..e0cc6cf
+--- /dev/null
++++ b/ext/gd/tests/bug73549.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++Bug #73549 (Use after free when stream is passed to imagepng)
++--SKIPIF--
++<?php
++if (!extension_loaded('gd')) die('skip gd extension not available');
++?>
++--FILE--
++<?php
++$stream = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png', 'w');
++$im = imagecreatetruecolor(8, 8);
++var_dump(imagepng($im, $stream));
++var_dump($stream);
++?>
++===DONE===
++--EXPECTF--
++bool(true)
++resource(%d) of type (stream)
++===DONE===
++--CLEAN--
++<?php
++unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png');
++?>
+--
+2.1.4
+
diff --git a/bug73868.patch b/bug73868.patch
new file mode 100644
index 0000000..6df0a22
--- /dev/null
+++ b/bug73868.patch
@@ -0,0 +1,47 @@
+Fix for CVE-2017-10168
+Backported for 5.4 without test and binary patch
+
+
+From f1b2afc9d9e77edf41804f5dfc4e2069d8a12975 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 16 Aug 2016 18:23:36 +0200
+Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
+
+We must not pretend that there are image data if there are none. Instead
+we fail reading the image file gracefully.
+
+(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
+---
+ ext/gd/libgd/gd_gd2.c | 8 ++++++--
+ ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes
+ ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+ create mode 100644 ext/gd/tests/bug73868.gd2
+ create mode 100644 ext/gd/tests/bug73868.phpt
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index d06f328..196b785 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -334,12 +334,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
+ for (x = xlo; x < xhi; x++) {
+ if (im->trueColor) {
+ if (!gdGetInt(&im->tpixels[y][x], in)) {
+- im->tpixels[y][x] = 0;
++ php_gd_error("gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ } else {
+ int ch;
+ if (!gdGetByte(&ch, in)) {
+- ch = 0;
++ php_gd_error("gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
+--
+2.1.4
+
diff --git a/bug73869.patch b/bug73869.patch
new file mode 100644
index 0000000..6e5b08e
--- /dev/null
+++ b/bug73869.patch
@@ -0,0 +1,45 @@
+Fix for CVE-2017-10168
+Backported for 5.4 without test and binary patch
+
+
+From d2274b01cbbadf5516b3ea87ad76fbae18834007 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 17 Dec 2016 17:06:58 +0100
+Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c
+
+GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
+byte unsigned). These values are multiplied and assigned to an int when
+reading the image, what can cause integer overflows. We have to avoid
+that, and also make sure that either chunk count is actually greater
+than zero. If illegal chunk counts are detected, we bail out from
+reading the image.
+
+(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
+---
+ ext/gd/libgd/gd_gd2.c | 4 ++++
+ ext/gd/tests/bug73869.phpt | 19 +++++++++++++++++++
+ ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes
+ ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes
+ 4 files changed, 23 insertions(+)
+ create mode 100644 ext/gd/tests/bug73869.phpt
+ create mode 100644 ext/gd/tests/bug73869a.gd2
+ create mode 100644 ext/gd/tests/bug73869b.gd2
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 196b785..3eba6b3 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
+
+ if (gd2_compressed(*fmt)) {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++ goto fail1;
++ }
+ nc = (*ncx) * (*ncy);
+ GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+ if (overflow2(sizeof(t_chunk_info), nc)) {
+--
+2.1.4
+
diff --git a/bug74435.patch b/bug74435.patch
new file mode 100644
index 0000000..968078c
--- /dev/null
+++ b/bug74435.patch
@@ -0,0 +1,35 @@
+Adapted for 5.4.13
+With test removed (binary patch not handled)
+
+From 018092125538782b25d3ab6b036f0c8d5968f757 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 20 Jun 2017 16:45:42 +0200
+Subject: [PATCH] Fix #74435: Buffer over-read into uninitialized memory
+
+The stack allocated color map buffers were not zeroed before usage, and
+so undefined palette indexes could cause information leakage.
+---
+ ext/gd/libgd/gd_gif_in.c | 3 +++
+ ext/gd/tests/bug74435.gif | Bin 0 -> 11464 bytes
+ ext/gd/tests/bug74435.phpt | 27 +++++++++++++++++++++++++++
+ 3 files changed, 30 insertions(+)
+ create mode 100644 ext/gd/tests/bug74435.gif
+ create mode 100644 ext/gd/tests/bug74435.phpt
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index 74b7493..76ba152 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
+ int haveGlobalColormap;
+ gdImagePtr im = 0;
+
++ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
++ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
++
+ /*1.4//imageNumber = 1; */
+ if (! ReadOK(fd,buf,6)) {
+ return 0;
+--
+2.1.4
+
diff --git a/bug75571.patch b/bug75571.patch
new file mode 100644
index 0000000..d35ca3a
--- /dev/null
+++ b/bug75571.patch
@@ -0,0 +1,58 @@
+Backported for 5.4 without test and binary patch
+
+From 8d6e9588671136837533fe3785657c31c5b52767 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 29 Nov 2017 18:52:33 +0100
+Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
+ gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+---
+ ext/gd/libgd/gd_gif_in.c | 10 +++++-----
+ ext/gd/tests/bug75571.gif | Bin 0 -> 1731 bytes
+ ext/gd/tests/bug75571.phpt | 15 +++++++++++++++
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+ create mode 100644 ext/gd/tests/bug75571.gif
+ create mode 100644 ext/gd/tests/bug75571.phpt
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index e0f0fe3..16776d3 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -261,10 +261,6 @@ terminated:
+ if (!im) {
+ return 0;
+ }
+- if (!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+ /* Check for open colors at the end, so
+ we can reduce colorsTotal and ultimately
+ BitsPerPixel */
+@@ -275,6 +271,10 @@ terminated:
+ break;
+ }
+ }
++ if (!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
+ return im;
+ }
+ /* }}} */
+@@ -375,7 +375,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if (flag) {
+ scd->curbit = 0;
+--
+2.1.4
+
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+--
+2.1.4
+
diff --git a/php-5.4.34-systzdata-v11.patch b/php-5.4.34-systzdata-v11.patch
index bfca49b..a12320c 100644
--- a/php-5.4.34-systzdata-v11.patch
+++ b/php-5.4.34-systzdata-v11.patch
@@ -1,3 +1,6 @@
+# License: MIT
+# http://opensource.org/licenses/MIT
+
Add support for use of the system timezone database, rather
than embedding a copy. Discussed upstream but was not desired.
diff --git a/php54.spec b/php54.spec
index 4f653e0..f85cacf 100644
--- a/php54.spec
+++ b/php54.spec
@@ -98,7 +98,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.4.45
-Release: 13%{?dist}
+Release: 14%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -222,6 +222,12 @@ Patch261: bug73737.patch
Patch262: bug73764.patch
Patch263: bug73768.patch
Patch264: bug73773.patch
+Patch265: bug73549.patch
+Patch266: bug73868.patch
+Patch267: bug73869.patch
+Patch268: bug74435.patch
+Patch269: bug75571.patch
+Patch270: bug75981.patch
# Fixes for tests
# no_NO issue
@@ -994,6 +1000,12 @@ rm -f ext/json/utf8_to_utf16.*
%patch262 -p1 -b .bug73764
%patch263 -p1 -b .bug73768
%patch264 -p1 -b .bug73773
+%patch265 -p1 -b .bug73549
+%patch266 -p1 -b .bug73868
+%patch267 -p1 -b .bug73869
+%patch268 -p1 -b .bug74435
+%patch269 -p1 -b .bug75571
+%patch270 -p1 -b .bug75981
# Fixes for tests
%patch301 -p1 -b .datetests2
@@ -1659,7 +1671,7 @@ cat << EOF
backported from 5.5 or 5.6,
The UPGRADE to a maintained version is very strongly RECOMMENDED.
-%if %{?fedora}%{!?fedora:99} < 24
+%if %{?fedora}%{!?fedora:99} < 26
WARNING : Fedora %{fedora} is now EOL :
You should consider upgrading to a supported release
%endif
@@ -1880,6 +1892,18 @@ fi
%changelog
+* Thu Mar 1 2018 Remi Collet <remi@remirepo.net> - 5.4.45-14
+- fix #73549: Use after free when stream is passed to imagepng
+- fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
+ CVE-2016-10167
+- fix #73869: Signed Integer Overflow gd_io.c
+ CVE-2016-10168
+- fix #74435: Buffer over-read into uninitialized memory
+ CVE-2017-7890
+- fix #75571: Potential infinite loop in gdImageCreateFromGifCtx
+ CVE-2018-5711
+- fix #75981: stack-buffer-overflow while parsing HTTP response
+
* Sat Feb 18 2017 Remi Collet <remi@remirepo.net> - 5.4.45-13
- fix #73737: FPE when parsing a tag format
CVE-2016-10158