author | Remi Collet <remi@remirepo.net> | 2018-03-01 11:00:36 +0100 |
committer | Remi Collet <remi@remirepo.net> | 2018-03-01 11:00:36 +0100 |
commit | 0a0c58dff2291870b56cec15fabf27119179c997 (patch) | |
tree | f88a2f98cf3eca3a515f66114341de807337994d | |
parent | b7dc0096c61deb8d3f7fb61d636b874ce1452197 (diff) |
fix #73549: Use after free when stream is passed to imagepng
fix #75981: stack-buffer-overflow while parsing HTTP response
-rw-r--r-- | .gitignore | 11 | ||||
-rw-r--r-- | bug73549.patch | 95 | ||||
-rw-r--r-- | bug75981.patch | 68 | ||||
-rw-r--r-- | php-5.5.25-systzdata-v12.patch | 3 | ||||
-rw-r--r-- | php55.spec | 18 |
5 files changed, 189 insertions, 6 deletions
@@ -1,2 +1,9 @@
-build*log
-tembed*
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.bz2
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/bug73549.patch b/bug73549.patch
new file mode 100644
index 0000000..5c39852
--- /dev/null
+++ b/bug73549.patch
@@ -0,0 +1,95 @@ +From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Thu, 17 Nov 2016 13:44:30 +0100 +Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng + +If a stream is passed to imagepng() or other image output functions, +opposed to a filename, we must not close this stream. +--- + NEWS | 3 +++ + ext/gd/gd_ctx.c | 18 +++++++++++++++++- + ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + create mode 100644 ext/gd/tests/bug73549.phpt + +diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c +index 34a9a00..acb96e1 100644 +--- a/ext/gd/gd_ctx.c ++++ b/ext/gd/gd_ctx.c +@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l) + + static void _php_image_stream_ctxfree(struct gdIOCtx *ctx) + { ++ if(ctx->data) { ++ ctx->data = NULL; ++ } ++ if(ctx) { ++ efree(ctx); ++ } ++} /* }}} */ ++ ++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */ ++{ + TSRMLS_FETCH(); + + if(ctx->data) { +@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + gdIOCtx *ctx = NULL; + zval *to_zval = NULL; + php_stream *stream; ++ int close_stream = 1; + + /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp(). 
+ * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called +@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + if (stream == NULL) { + RETURN_FALSE; + } ++ close_stream = 0; + } else if (Z_TYPE_P(to_zval) == IS_STRING) { + if (CHECK_ZVAL_NULL_PATH(to_zval)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); +@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, + ctx = emalloc(sizeof(gdIOCtx)); + ctx->putC = _php_image_stream_putc; + ctx->putBuf = _php_image_stream_putbuf; +- ctx->gd_free = _php_image_stream_ctxfree; ++ if (close_stream) { ++ ctx->gd_free = _php_image_stream_ctxfreeandclose; ++ } else { ++ ctx->gd_free = _php_image_stream_ctxfree; ++ } + ctx->data = (void *)stream; + } + +diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt +new file mode 100644 +index 0000000..e0cc6cf +--- /dev/null ++++ b/ext/gd/tests/bug73549.phpt +@@ -0,0 +1,22 @@ ++--TEST-- ++Bug #73549 (Use after free when stream is passed to imagepng) ++--SKIPIF-- ++<?php ++if (!extension_loaded('gd')) die('skip gd extension not available'); ++?> ++--FILE-- ++<?php ++$stream = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png', 'w'); ++$im = imagecreatetruecolor(8, 8); ++var_dump(imagepng($im, $stream)); ++var_dump($stream); ++?> ++===DONE=== ++--EXPECTF-- ++bool(true) ++resource(%d) of type (stream) ++===DONE=== ++--CLEAN-- ++<?php ++unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png'); ++?> +-- +2.1.4 + diff --git a/bug75981.patch b/bug75981.patch new file mode 100644 index 0000000..27af03b --- /dev/null +++ b/bug75981.patch 
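Review bot: In the `_php_image_stream_ctxfree` body added inside this patch, `ctx->data` is dereferenced on the first line and only afterwards is `if(ctx)` tested, so the null check can never take effect and reads as dead code; the `if(ctx->data)` wrapper around an unconditional `ctx->data = NULL;` is likewise redundant. The shortest consistent form is `if (ctx) {` / `ctx->data = NULL;` / `efree(ctx);` with the second `if` removed. Since bug73549.patch is a backport of an upstream commit, that cleanup belongs upstream rather than in this packaging repo, but it is worth noting when the patch is next refreshed. The enclosing hunk continues from the previous page line, and the nested indentation cannot be verified here because the rendering collapsed it.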
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+-- 
+2.1.4
+
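Review bot: The second guard added in the nested http_fopen_wrapper.c hunk, `if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {`, is missing the space after `&&`; it should read `if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\r') {` to match the first guard two lines above. Repeating the length check on the inner line is otherwise the right shape: after the first `--tmp_line_len` the length can legitimately reach 0, so the check cannot be hoisted to the outer `if` alone. The body of the surrounding function begins and ends outside the hunk, so whether `tmp_line_len` is signed or unsigned cannot be confirmed here; the `>= 1` form is correct for either.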
diff --git a/php-5.5.25-systzdata-v12.patch b/php-5.5.25-systzdata-v12.patch index c4e56ae..ab1537e 100644 --- a/php-5.5.25-systzdata-v12.patch +++ b/php-5.5.25-systzdata-v12.patch @@ -1,3 +1,6 @@ +# License: MIT +# http://opensource.org/licenses/MIT + Add support for use of the system timezone database, rather than embedding a copy. Discussed upstream but was not desired. @@ -141,7 +141,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.5.38 -Release: 7%{?dist} +Release: 8%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -257,6 +257,8 @@ Patch151: bug73764.patch Patch152: bug73768.patch Patch153: bug73773.patch Patch154: bug69090.patch +Patch155: bug73549.patch +Patch156: bug75981.patch # Security fixes (200+) @@ -1077,6 +1079,8 @@ rm -rf ext/json %patch152 -p1 -b .bug73768 %patch153 -p1 -b .bug73773 %patch154 -p1 -b .bug69090 +%patch155 -p1 -b .bug73549 +%patch156 -p1 -b .bug75981 # Fixes for tests %patch300 -p1 -b .datetests @@ -1940,11 +1944,13 @@ fi %posttrans common cat << EOF +========================================================================== -WARNING : PHP 5.5 have reached its "End of Life" in July 2016. -Even, if this package includes some security fix, backported from 5.6, -The upgrade to a maintained version is very strongly recommended. + WARNING : PHP 5.5 have reached its "End of Life" in July 2016. + Even, if this package includes some security fix, backported from 5.6, + The UPGRADE to a maintained version is very strongly RECOMMENDED. +========================================================================== EOF 
@@ -2099,6 +2105,10 @@ EOF %changelog +* Thu Mar 1 2018 Remi Collet <remi@remirepo.net> - 5.5.38-8 +- fix #73549: Use after free when stream is passed to imagepng +- fix #75981: stack-buffer-overflow while parsing HTTP response + * Sat Feb 18 2017 Remi Collet <remi@remirepo.net> - 5.5.38-7 - fix #73737: FPE when parsing a tag format CVE-2016-10158 |