From 0a0c58dff2291870b56cec15fabf27119179c997 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Thu, 1 Mar 2018 11:00:36 +0100
Subject: fix #73549: Use after free when stream is passed to imagepng fix #75981: stack-buffer-overflow while parsing HTTP response
---
 .gitignore | 11 ++++-
 bug73549.patch | 95 ++++++++++++++++++++++++++++++++++++++++++
 bug75981.patch | 68 ++++++++++++++++++++++++++++++
 php-5.5.25-systzdata-v12.patch | 3 ++
 php55.spec | 18 ++++++--
 5 files changed, 189 insertions(+), 6 deletions(-)
 create mode 100644 bug73549.patch
 create mode 100644 bug75981.patch
diff --git a/.gitignore b/.gitignore
index 744ca7b..6f69818 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,9 @@
-build*log
-tembed*
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.bz2
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/bug73549.patch b/bug73549.patch
new file mode 100644
index 0000000..5c39852
--- /dev/null
+++ b/bug73549.patch
@@ -0,0 +1,95 @@
+From 5049ef2f1c496c4964cd147e185c1f765ab0347b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Thu, 17 Nov 2016 13:44:30 +0100
+Subject: [PATCH] Fix #73549: Use after free when stream is passed to imagepng
+
+If a stream is passed to imagepng() or other image output functions,
+opposed to a filename, we must not close this stream.
+---
+ NEWS | 3 +++
+ ext/gd/gd_ctx.c | 18 +++++++++++++++++-
+ ext/gd/tests/bug73549.phpt | 22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+ create mode 100644 ext/gd/tests/bug73549.phpt
+
+diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
+index 34a9a00..acb96e1 100644
+--- a/ext/gd/gd_ctx.c
++++ b/ext/gd/gd_ctx.c
+@@ -62,6 +62,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l)
+ 
+ static void _php_image_stream_ctxfree(struct gdIOCtx *ctx)
+ {
++ if(ctx->data) {
++ ctx->data = NULL;
++ }
++ if(ctx) {
++ efree(ctx);
++ }
++} /* }}} */
++
++static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */
++{
+ TSRMLS_FETCH();
+ 
+ if(ctx->data) {
+@@ -87,6 +97,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ gdIOCtx *ctx = NULL;
+ zval *to_zval = NULL;
+ php_stream *stream;
++ int close_stream = 1;
+ 
+ /* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp(). 
+ * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called
+@@ -123,6 +134,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ if (stream == NULL) {
+ RETURN_FALSE;
+ }
++ close_stream = 0;
+ } else if (Z_TYPE_P(to_zval) == IS_STRING) {
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+@@ -159,7 +171,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
+ ctx = emalloc(sizeof(gdIOCtx));
+ ctx->putC = _php_image_stream_putc;
+ ctx->putBuf = _php_image_stream_putbuf;
+- ctx->gd_free = _php_image_stream_ctxfree;
++ if (close_stream) {
++ ctx->gd_free = _php_image_stream_ctxfreeandclose;
++ } else {
++ ctx->gd_free = _php_image_stream_ctxfree;
++ }
+ ctx->data = (void *)stream;
+ }
+ 
+diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt
+new file mode 100644
+index 0000000..e0cc6cf
+--- /dev/null
++++ b/ext/gd/tests/bug73549.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++Bug #73549 (Use after free when stream is passed to imagepng)
++--SKIPIF--
++
++--FILE--
++
++===DONE===
++--EXPECTF--
++bool(true)
++resource(%d) of type (stream)
++===DONE===
++--CLEAN--
++
+-- 
+2.1.4
+
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
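Review bot: In the new `_php_image_stream_ctxfree` the first statement dereferences `ctx->data` before `if(ctx)` is tested two lines later, so that NULL guard can never take effect; either drop it or test the pointer first, `if (ctx) { ctx->data = NULL; efree(ctx); }`. Splitting the free callback into a closing and a non-closing variant and clearing `close_stream` on the stream branch of the `-123,6` hunk is what stops `_php_image_output_ctx` from closing a resource the caller still owns, which is the use-after-free being fixed. The flag deserves a one-line comment at its declaration, e.g. `/* 0 when the caller passed an open stream: it stays owned by the caller and must not be closed here */`. The body of `_php_image_stream_ctxfreeandclose` (the `TSRMLS_FETCH()` path) and the whole of `_php_image_output_ctx` continue outside the visible hunk.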
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++
++--FILE--
++ [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+-- 
+2.1.4
+
diff --git a/php-5.5.25-systzdata-v12.patch b/php-5.5.25-systzdata-v12.patch
index c4e56ae..ab1537e 100644
--- a/php-5.5.25-systzdata-v12.patch
+++ b/php-5.5.25-systzdata-v12.patch
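Review bot: The second guard in http_fopen_wrapper.c is written `&&tmp_line[tmp_line_len - 1]` with no space after the operator; write it `if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\r') {` so it matches the line added just above it. The two `>= 1` checks do close the read before `tmp_line[0]` on an empty line, and the first guard ensures the intervening `--tmp_line_len` cannot underflow, but the declaration of `tmp_line_len` is outside the hunk, so confirm its type makes `>= 1` the intended comparison. A short comment would record why the guards exist, e.g. `/* bug #75981: the response line may be empty, never index before tmp_line[0] */`. The enclosing function starts and ends outside this hunk; the accompanying phpt test binds a fixed port 12342, which can collide on a shared test host.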
@@ -1,3 +1,6 @@
+# License: MIT
+# http://opensource.org/licenses/MIT
+
 Add support for use of the system timezone database, rather than embedding a copy. Discussed upstream but was not desired.
diff --git a/php55.spec b/php55.spec
index 98b7669..9477b1c 100644
--- a/php55.spec
+++ b/php55.spec
@@ -141,7 +141,7 @@ Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.5.38
-Release: 7%{?dist}
+Release: 8%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -257,6 +257,8 @@ Patch151: bug73764.patch
 Patch152: bug73768.patch
 Patch153: bug73773.patch
 Patch154: bug69090.patch
+Patch155: bug73549.patch
+Patch156: bug75981.patch
 # Security fixes (200+)
@@ -1077,6 +1079,8 @@ rm -rf ext/json
 %patch152 -p1 -b .bug73768
 %patch153 -p1 -b .bug73773
 %patch154 -p1 -b .bug69090
+%patch155 -p1 -b .bug73549
+%patch156 -p1 -b .bug75981
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1940,11 +1944,13 @@ fi
 %posttrans common
 cat << EOF
+==========================================================================
-WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
-Even, if this package includes some security fix, backported from 5.6,
-The upgrade to a maintained version is very strongly recommended.
+ WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
+ Even, if this package includes some security fix, backported from 5.6,
+ The UPGRADE to a maintained version is very strongly RECOMMENDED.
+==========================================================================
 EOF
@@ -2099,6 +2105,10 @@ EOF
 %changelog
+* Thu Mar 1 2018 Remi Collet - 5.5.38-8
+- fix #73549: Use after free when stream is passed to imagepng
+- fix #75981: stack-buffer-overflow while parsing HTTP response
 * Sat Feb 18 2017 Remi Collet - 5.5.38-7
 - fix #73737: FPE when parsing a tag format CVE-2016-10158
-- cgit