summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-08-28 15:33:56 +0200
committerRemi Collet <remi@remirepo.net>2019-08-28 15:33:56 +0200
commit725130ba0bb06a3954b3e81c385bea0bca36324e (patch)
tree7369b1862f2594a83a90a5d0ae400c5706e24ba1
parent671d9816d288c0bda30629fdaa1235c3baf5cc16 (diff)
From 7.1.32HEADmaster
- mbstring: Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe - pcre: Fix #75457 heap use-after-free in pcrelib
-rw-r--r--failed.txt16
-rw-r--r--php-bug75457.patch86
-rw-r--r--php-bug78380.patch78
-rw-r--r--php56.spec12
4 files changed, 183 insertions, 9 deletions
diff --git a/failed.txt b/failed.txt
index 70bd2b4..5020e80 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,21 +1,21 @@
-===== 5.6.40-12 (2019-07-30)
+===== 5.6.40-13 (2019-08-28)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
-/var/lib/mock/el6i/build.log:Tests failed : 4
-/var/lib/mock/el6x/build.log:Tests failed : 1
-/var/lib/mock/el7x/build.log:Tests failed : 0
+/var/lib/mock/el6i/build.log:Tests failed : 2
+/var/lib/mock/el6x/build.log:Tests failed : 0
+/var/lib/mock/el7x/build.log:Tests failed : 2
el6i:
4 Test date_sunrise() function : usage variation - Passing high positive and negative float values to time argument. [ext/date/tests/date_sunrise_variation9.phpt]
4 Test getdate() function : usage variation - Passing high positive and negative float values to timestamp. [ext/date/tests/getdate_variation7.phpt]
- Peer verification enabled for client streams [ext/openssl/tests/peer_verification.phpt]
- Peer verification matches SAN names [ext/openssl/tests/san_peer_matching.phpt]
-el6x:
- Test disk_free_space and its alias diskfreespace() functions : basic functionality [ext/standard/tests/file/disk_free_space_basic.phpt]
+el7x:
+ TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_002.phpt]
+ 2 Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt]
1 proc_open have erratic results... :(
+2 test fixed upstream
3 online test
4 tzdata are no more updated upstream in security branch
diff --git a/php-bug75457.patch b/php-bug75457.patch
new file mode 100644
index 0000000..88a1061
--- /dev/null
+++ b/php-bug75457.patch
@@ -0,0 +1,86 @@
+From 582128d6b5acdef94752cc4ea4a049497067bb38 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 16 Aug 2019 14:29:19 +0200
+Subject: [PATCH 1/3] Fix #75457: heap-use-after-free in php7.0.25
+
+Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.
+
+(cherry picked from commit 7bf1f9d561826c4a3ed748e55bb756375cdf28b9)
+---
+ ext/pcre/pcrelib/pcre_compile.c | 11 ++++++++++-
+ ext/pcre/tests/bug75457.phpt | 10 ++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+ create mode 100644 ext/pcre/tests/bug75457.phpt
+
+diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c
+index c9171cbee9..1d37671635 100644
+--- a/ext/pcre/pcrelib/pcre_compile.c
++++ b/ext/pcre/pcrelib/pcre_compile.c
+@@ -485,7 +485,7 @@ static const char error_texts[] =
+ "lookbehind assertion is not fixed length\0"
+ "malformed number or name after (?(\0"
+ "conditional group contains more than two branches\0"
+- "assertion expected after (?(\0"
++ "assertion expected after (?( or (?(?C)\0"
+ "(?R or (?[+-]digits must be followed by )\0"
+ /* 30 */
+ "unknown POSIX class name\0"
+@@ -6734,6 +6734,15 @@ for (;; ptr++)
+ for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break;
+ if (ptr[i] == CHAR_RIGHT_PARENTHESIS)
+ tempptr += i + 1;
++
++ /* tempptr should now be pointing to the opening parenthesis of the
++ assertion condition. */
++
++ if (*tempptr != CHAR_LEFT_PARENTHESIS)
++ {
++ *errorcodeptr = ERR28;
++ goto FAILED;
++ }
+ }
+
+ /* For conditions that are assertions, check the syntax, and then exit
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+new file mode 100644
+index 0000000000..c7ce9ed0f9
+--- /dev/null
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #75457 (heap-use-after-free in php7.0.25)
++--FILE--
++<?php
++$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
++var_dump(preg_match($pattern, "hello"));
++?>
++--EXPECTF--
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++bool(false)
+--
+2.20.1
+
+From b781eb2900cc0d74e385e704711a0002a9ecc8cb Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 28 Aug 2019 14:34:48 +0200
+Subject: [PATCH] relax test, offset may be different on various system lib
+ versions
+
+---
+ ext/pcre/tests/bug75457.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+index c7ce9ed0f9..571a4bde77 100644
+--- a/ext/pcre/tests/bug75457.phpt
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -6,5 +6,5 @@ $pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
+ var_dump(preg_match($pattern, "hello"));
+ ?>
+ --EXPECTF--
+-Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset %d in %sbug75457.php on line %d
+ bool(false)
+--
+2.20.1
+
diff --git a/php-bug78380.patch b/php-bug78380.patch
new file mode 100644
index 0000000..4d7db35
--- /dev/null
+++ b/php-bug78380.patch
@@ -0,0 +1,78 @@
+From 8cc1b123b05c51442b9a4fc4ea61d7719ee96e0e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 24 Aug 2019 23:11:45 -0700
+Subject: [PATCH 2/3] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+Backport from https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
+
+(cherry picked from commit 1258303e66d8dede4f02347334b9f6576e98a21b)
+---
+ ext/mbstring/oniguruma/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/mbstring/oniguruma/regext.c b/ext/mbstring/oniguruma/regext.c
+index b1b957b40c..b108e638c6 100644
+--- a/ext/mbstring/oniguruma/regext.c
++++ b/ext/mbstring/oniguruma/regext.c
+@@ -29,6 +29,7 @@
+
+ #include "regint.h"
+
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+
+ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+ if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+
+ if (ci->pattern_enc != ci->target_enc) {
+- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+- &cpat, &cpat_end);
+- if (r) return r;
++ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
+ else {
+ cpat = (UChar* )pattern;
+--
+2.20.1
+
+From b0aa68eade0d15274465136a6d6b84edd8ab6e4b Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 28 Aug 2019 14:06:50 +0200
+Subject: [PATCH 3/3] NEWS
+
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5039cdf59d..cb7919bafc 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.1.32
++
++- mbstring:
++ . Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe) (stas)
++
++- pcre:
++ . Fixed bug #75457 (heap use-after-free in pcrelib) (cmb)
++
+ Backported from 7.1.31
+
+ - EXIF:
+--
+2.20.1
+
diff --git a/php56.spec b/php56.spec
index e582328..4a50987 100644
--- a/php56.spec
+++ b/php56.spec
@@ -148,7 +148,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.6.40
-Release: 12%{?dist}
+Release: 13%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -228,6 +228,8 @@ Patch221: php-bug77967.patch
Patch222: php-bug78222.patch
Patch223: php-bug78256.patch
Patch224: php-bug77919.patch
+Patch225: php-bug75457.patch
+Patch226: php-bug78380.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1011,6 +1013,8 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
%patch222 -p1 -b .bug78222
%patch223 -p1 -b .bug78256
%patch224 -p1 -b .bug77919
+%patch225 -p1 -b .bug75457
+%patch226 -p1 -b .bug78380
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -2063,6 +2067,12 @@ EOF
%changelog
+* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 5.6.40-13
+- mbstring:
+ Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe
+- pcre:
+ Fix #75457 heap use-after-free in pcrelib
+
* Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-12
- exif:
Fix #78256 heap-buffer-overflow on exif_process_user_comment