authorRemi Collet <remi@remirepo.net>2018-03-01 11:00:36 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 11:00:36 +0100
commit0a0c58dff2291870b56cec15fabf27119179c997 (patch)
treef88a2f98cf3eca3a515f66114341de807337994d
parentb7dc0096c61deb8d3f7fb61d636b874ce1452197 (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #75981: stack-buffer-overflow while parsing HTTP response
-rw-r--r--.gitignore11
-rw-r--r--bug73549.patch95
-rw-r--r--bug75981.patch68
-rw-r--r--php-5.5.25-systzdata-v12.patch3
-rw-r--r--php55.spec18
5 files changed, 189 insertions, 6 deletions
diff --git a/.gitignore b/.gitignore
index 744ca7b..6f69818 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,9 @@
-build*log
-tembed*
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.bz2
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/bug73549.patch b/bug73549.patch
new file mode 100644
index 0000000..5c39852
--- /dev/null
+++ b/bug73549.patch
@@ -0,0 +1,95 @@
+From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Nov 2016 13:44:30 +0100
+Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng
+
+If a stream is passed to imagepng() or other image output functions,
+opposed to a filename, we must not close this stream.
+---
+ NEWS | 3 +++
+ ext/gd/gd_ctx.c | 18 +++++++++++++++++-
+ ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+ create mode 100644 ext/gd/tests/bug73549.phpt
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index 34a9a00..acb96e1 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l)
+
+ static void _php_image_stream_ctxfree(struct gdIOCtx *ctx)
+ {
++ if(ctx->data) {
++ ctx->data = NULL;
++ }
++ if(ctx) {
++ efree(ctx);
++ }
++} /* }}} */
++
++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */
++{
+ TSRMLS_FETCH();
+
+ if(ctx->data) {
+@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ gdIOCtx *ctx = NULL;
+ zval *to_zval = NULL;
+ php_stream *stream;
++ int close_stream = 1;
+
+ /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp().
+ * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called
+@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ if (stream == NULL) {
+ RETURN_FALSE;
+ }
++ close_stream = 0;
+ } else if (Z_TYPE_P(to_zval) == IS_STRING) {
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ ctx = emalloc(sizeof(gdIOCtx));
+ ctx->putC = _php_image_stream_putc;
+ ctx->putBuf = _php_image_stream_putbuf;
+- ctx->gd_free = _php_image_stream_ctxfree;
++ if (close_stream) {
++ ctx->gd_free = _php_image_stream_ctxfreeandclose;
++ } else {
++ ctx->gd_free = _php_image_stream_ctxfree;
++ }
+ ctx->data = (void *)stream;
+ }
+
+diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt
+new file mode 100644
+index 0000000..e0cc6cf
+--- /dev/null
++++ b/ext/gd/tests/bug73549.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++Bug #73549 (Use after free when stream is passed to imagepng)
++--SKIPIF--
++<?php
++if (!extension_loaded('gd')) die('skip gd extension not available');
++?>
++--FILE--
++<?php
++$stream = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png', 'w');
++$im = imagecreatetruecolor(8, 8);
++var_dump(imagepng($im, $stream));
++var_dump($stream);
++?>
++===DONE===
++--EXPECTF--
++bool(true)
++resource(%d) of type (stream)
++===DONE===
++--CLEAN--
++<?php
++unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png');
++?>
+--
+2.1.4
+
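Review bot: In the new `_php_image_stream_ctxfree` body carried by this patch, `if(ctx->data)` dereferences `ctx` before the following `if(ctx)` tests it for NULL, so that guard can never fire; either test `ctx` first or drop the check and write the body as `ctx->data = NULL; efree(ctx);`. Since gd invokes `gd_free` with the ctx this code allocated via `emalloc`, the NULL test is presumably redundant, but as written it reads as if NULL were handled when it is not. The split into a close and a no-close variant keyed on `close_stream` is the actual fix and looks right: a caller-supplied stream must not be closed behind the caller's back. This file is a verbatim backport of the upstream commit, so the remark concerns the carried code rather than the packaging change itself; the body of `_php_image_stream_ctxfreeandclose` continues outside the hunk.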
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+--
+2.1.4
+
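Review bot: The second added guard in the carried hunk, `if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {`, is missing the space after `&&`; the surrounding code writes binary operators with spaces on both sides, so it should read `if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\r') {`. The logic itself is correct: the first `--tmp_line_len` can bring the length to 0, so the length test has to be repeated before the `'\r'` lookup rather than assumed from the first check. The enclosing function (the `finish:` label) starts and ends outside the hunk and the type of `tmp_line_len` is not visible here, so this page alone does not show whether the original read-before-buffer was an unsigned wrap or a negative index. As this is a backport of the upstream commit, the whitespace fix belongs upstream rather than in the carried patch.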
diff --git a/php-5.5.25-systzdata-v12.patch b/php-5.5.25-systzdata-v12.patch
index c4e56ae..ab1537e 100644
--- a/php-5.5.25-systzdata-v12.patch
+++ b/php-5.5.25-systzdata-v12.patch
@@ -1,3 +1,6 @@
+# License: MIT
+# http://opensource.org/licenses/MIT
+
Add support for use of the system timezone database, rather
than embedding a copy. Discussed upstream but was not desired.
diff --git a/php55.spec b/php55.spec
index 98b7669..9477b1c 100644
--- a/php55.spec
+++ b/php55.spec
@@ -141,7 +141,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.5.38
-Release: 7%{?dist}
+Release: 8%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -257,6 +257,8 @@ Patch151: bug73764.patch
Patch152: bug73768.patch
Patch153: bug73773.patch
Patch154: bug69090.patch
+Patch155: bug73549.patch
+Patch156: bug75981.patch
# Security fixes (200+)
@@ -1077,6 +1079,8 @@ rm -rf ext/json
%patch152 -p1 -b .bug73768
%patch153 -p1 -b .bug73773
%patch154 -p1 -b .bug69090
+%patch155 -p1 -b .bug73549
+%patch156 -p1 -b .bug75981
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1940,11 +1944,13 @@ fi
%posttrans common
cat << EOF
+==========================================================================
-WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
-Even, if this package includes some security fix, backported from 5.6,
-The upgrade to a maintained version is very strongly recommended.
+ WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
+ Even, if this package includes some security fix, backported from 5.6,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
+==========================================================================
EOF
@@ -2099,6 +2105,10 @@ EOF
%changelog
+* Thu Mar 1 2018 Remi Collet <remi@remirepo.net> - 5.5.38-8
+- fix #73549: Use after free when stream is passed to imagepng
+- fix #75981: stack-buffer-overflow while parsing HTTP response
+
* Sat Feb 18 2017 Remi Collet <remi@remirepo.net> - 5.5.38-7
- fix #73737: FPE when parsing a tag format
CVE-2016-10158
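Review bot: The rewritten `%posttrans` banner keeps the grammar of the old text while reindenting it, so this is the moment to fix it: `WARNING : PHP 5.5 has reached its "End of Life" in July 2016.` and `Even if this package includes some security fixes, backported from 5.6,`. The two new `%changelog` lines list bug numbers only, whereas the preceding 5.5.38-7 entry also records the CVE identifier; if either of these fixes has an assigned CVE it should be listed the same way, otherwise the entries are fine as written. The `Patch155`/`Patch156` declarations and the matching `%patch` applications are consistent with the existing numbering.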