summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-07-30 11:12:58 +0200
committerRemi Collet <remi@remirepo.net>2019-07-30 11:12:58 +0200
commit671d9816d288c0bda30629fdaa1235c3baf5cc16 (patch)
tree25938cf83b834f3faeb5436bf5bbd45e67f8061e
parente8d44282fed603ea166c157ea7cc7ddc4fe0c9ef (diff)
- exif:
Fix #78256 heap-buffer-overflow on exif_process_user_comment CVE-2019-11042 Fix #78222 heap-buffer-overflow on exif_scan_thumbnail CVE-2019-11041 - phar: Fix #77919 Potential UAF in Phar RSHUTDOWN
-rw-r--r--failed.txt6
-rw-r--r--php-bug77919.patch74
-rw-r--r--php-bug78222.patch32
-rw-r--r--php-bug78256.patch47
-rw-r--r--php56.spec17
5 files changed, 173 insertions, 3 deletions
diff --git a/failed.txt b/failed.txt
index 023e9a8..70bd2b4 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,9 +1,9 @@
-===== 5.6.40-9 (2019-05-28)
+===== 5.6.40-12 (2019-07-30)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
/var/lib/mock/el6i/build.log:Tests failed : 4
-/var/lib/mock/el6x/build.log:Tests failed : 0
+/var/lib/mock/el6x/build.log:Tests failed : 1
/var/lib/mock/el7x/build.log:Tests failed : 0
@@ -12,6 +12,8 @@ el6i:
4 Test getdate() function : usage variation - Passing high positive and negative float values to timestamp. [ext/date/tests/getdate_variation7.phpt]
Peer verification enabled for client streams [ext/openssl/tests/peer_verification.phpt]
Peer verification matches SAN names [ext/openssl/tests/san_peer_matching.phpt]
+el6x:
+ Test disk_free_space and its alias diskfreespace() functions : basic functionality [ext/standard/tests/file/disk_free_space_basic.phpt]
1 proc_open have erratic results... :(
diff --git a/php-bug77919.patch b/php-bug77919.patch
new file mode 100644
index 0000000..4245a5d
--- /dev/null
+++ b/php-bug77919.patch
@@ -0,0 +1,74 @@
+From 245e5011da14098b8158cf5c5400483399729298 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 29 Jul 2019 16:08:03 +0200
+Subject: [PATCH] Fix #77919: Potential UAF in Phar RSHUTDOWN
+
+We have to properly clean up in case phar_flush() is failing.
+
+We also make the expectation of the respective test case less liberal
+to avoid missing such bugs in the future.
+
+(cherry picked from commit cd1101e8c87aa175c2d5e87ddec656e50ef4ab5d)
+---
+ NEWS | 10 ++++++++++
+ ext/phar/phar_object.c | 4 +++-
+ ext/phar/tests/bug71488.phpt | 5 ++++-
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 3f49461732..5039cdf59d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,17 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.1.31
++
++- EXIF:
++ . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment).
++ (CVE-2019-11042) (Stas)
++ . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
++ (CVE-2019-11041) (Stas)
++
++- Phar:
++ . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)
++
+ Backported from 7.1.30
+
+ - EXIF:
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 77e08c52a5..d69837218f 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -2026,7 +2026,7 @@ static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool
+ char *newname = NULL, *newpath = NULL;
+ zval *ret, arg1;
+ zend_class_entry *ce;
+- char *error;
++ char *error = NULL;
+ const char *pcr_error;
+ int ext_len = ext ? strlen(ext) : 0;
+ int oldname_len;
+@@ -2186,6 +2186,8 @@ static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool
+ phar_flush(phar, 0, 0, 1, &error TSRMLS_CC);
+
+ if (error) {
++ zend_hash_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len);
++ *sphar = NULL;
+ zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "%s", error);
+ efree(error);
+ efree(oldpath);
+diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
+index 8468ce212a..b8c0f33250 100644
+--- a/ext/phar/tests/bug71488.phpt
++++ b/ext/phar/tests/bug71488.phpt
+@@ -15,4 +15,7 @@ DONE
+ ?>
+ --EXPECTF--
+ Fatal error: Uncaught exception 'BadMethodCallException' with message 'tar-based phar "%sbug71488.test" cannot be created, link "%s" is too long for format' in %sbug71488.php:%d
+-Stack trace:%A
++Stack trace:
++#0 %s(%d): PharData->decompress('test')
++#1 {main}
++ thrown in %s on line %d
diff --git a/php-bug78222.patch b/php-bug78222.patch
new file mode 100644
index 0000000..13ea1d5
--- /dev/null
+++ b/php-bug78222.patch
@@ -0,0 +1,32 @@
+Without test as binary patch not supported
+
+
+
+
+From 13cbda640120afdaf68f44bb482723d451bc86ec Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:01:01 -0700
+Subject: [PATCH] Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+
+(cherry picked from commit dea2989ab8ba87a6180af497b2efaf0527e985c5)
+---
+ ext/exif/exif.c | 2 +-
+ ext/exif/tests/bug78222.jpg | Bin 0 -> 91 bytes
+ ext/exif/tests/bug78222.phpt | 11 +++++++++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78222.jpg
+ create mode 100644 ext/exif/tests/bug78222.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index b6c31773ab..a5fa0b8fb0 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3508,7 +3508,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC)
+ size_t length=2, pos=0;
+ jpeg_sof_info sof_info;
+
+- if (!data) {
++ if (!data || ImageInfo->Thumbnail.size < 4) {
+ return FALSE; /* nothing to do here */
+ }
+ if (memcmp(data, "\xFF\xD8\xFF", 3)) {
diff --git a/php-bug78256.patch b/php-bug78256.patch
new file mode 100644
index 0000000..553bcac
--- /dev/null
+++ b/php-bug78256.patch
@@ -0,0 +1,47 @@
+Without test as binary patch not supported
+
+
+
+
+From 63c0ed60c2b5580b1542690d52d4a26401342563 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:39:59 -0700
+Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on
+ exif_process_user_comment)
+
+(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)
+---
+ ext/exif/exif.c | 6 +++---
+ ext/exif/tests/bug78256.jpg | Bin 0 -> 69 bytes
+ ext/exif/tests/bug78256.phpt | 11 +++++++++++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+ create mode 100644 ext/exif/tests/bug78256.jpg
+ create mode 100644 ext/exif/tests/bug78256.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a5fa0b8fb0..ec362f7e6d 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2628,7 +2628,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ {
+ int a;
+ char *decode;
+- size_t len;;
++ size_t len;
+
+ *pszEncoding = NULL;
+ /* Copy the comment */
+@@ -2641,11 +2641,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
+ * since we have no encoding support for the BOM yet we skip that.
+ */
+- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
++ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
+ decode = "UCS-2BE";
+ szValuePtr = szValuePtr+2;
+ ByteCount -= 2;
+- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
++ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
+ decode = "UCS-2LE";
+ szValuePtr = szValuePtr+2;
+ ByteCount -= 2;
diff --git a/php56.spec b/php56.spec
index 903a907..e582328 100644
--- a/php56.spec
+++ b/php56.spec
@@ -148,7 +148,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.6.40
-Release: 11%{?dist}
+Release: 12%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -225,6 +225,9 @@ Patch218: php-bug77950.patch
Patch219: php-bug78069.patch
Patch220: php-bug77988.patch
Patch221: php-bug77967.patch
+Patch222: php-bug78222.patch
+Patch223: php-bug78256.patch
+Patch224: php-bug77919.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1005,6 +1008,9 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
%patch219 -p1 -b .bug78069
%patch220 -p1 -b .bug77988
%patch221 -p1 -b .bug77967
+%patch222 -p1 -b .bug78222
+%patch223 -p1 -b .bug78256
+%patch224 -p1 -b .bug77919
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -2057,6 +2063,15 @@ EOF
%changelog
+* Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-12
+- exif:
+ Fix #78256 heap-buffer-overflow on exif_process_user_comment
+ CVE-2019-11042
+ Fix #78222 heap-buffer-overflow on exif_scan_thumbnail
+ CVE-2019-11041
+- phar:
+ Fix #77919 Potential UAF in Phar RSHUTDOWN
+
* Tue Jul 2 2019 Remi Collet <remi@remirepo.net> - 5.6.40-11
- use oracle client library version 19.3