summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--failed.txt12
-rw-r--r--macros.php4
-rw-r--r--php-5.6.13-systzdata-v12.patch2
-rw-r--r--php-5.6.3-oci8conf.patch35
-rw-r--r--php-bug81726.patch33
-rw-r--r--php-bug81740.patch112
-rw-r--r--php-bug81744.patch190
-rw-r--r--php-bug81746.patch100
-rw-r--r--php-cve-2023-0662.patch148
-rw-r--r--php-cve-2023-3247.patch75
-rw-r--r--php-cve-2023-3823.patch96
-rw-r--r--php-cve-2023-3824.patch448
-rw-r--r--php56.spec228
13 files changed, 1363 insertions, 120 deletions
diff --git a/failed.txt b/failed.txt
index f85b219..4fee0b7 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,18 +1,12 @@
-===== 5.6.40-22 (2020-08-04)
+===== 5.6.40-36 (2023-02-15)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
-/var/lib/mock/el6i/build.log:Tests failed : 2
-/var/lib/mock/el6x/build.log:Tests failed : 0
-/var/lib/mock/el7x/build.log:Tests failed : 2
+/var/lib/mock/el7x/build.log:Tests failed : 20
-el6i:
- 4 Test date_sunrise() function : usage variation - Passing high positive and negative float values to time argument. [ext/date/tests/date_sunrise_variation9.phpt]
- 4 Test getdate() function : usage variation - Passing high positive and negative float values to timestamp. [ext/date/tests/getdate_variation7.phpt]
el7x:
- openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt]
- 2 Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt]
+ 2 related to tzdata, expired test cert and openssl policy
1 proc_open have erratic results... :(
diff --git a/macros.php b/macros.php
index 0c750a7..e27985c 100644
--- a/macros.php
+++ b/macros.php
@@ -18,4 +18,8 @@
%__php %{_bindir}/php
%__ztsphp %{_bindir}/zts-php
+%__phpize %{_bindir}/phpize
+%__ztsphpize %{_bindir}/zts-phpize
+%__phpconfig %{_bindir}/php-config
+%__ztsphpconfig %{_bindir}/zts-php-config
diff --git a/php-5.6.13-systzdata-v12.patch b/php-5.6.13-systzdata-v12.patch
index 3ff2b0b..d8c8503 100644
--- a/php-5.6.13-systzdata-v12.patch
+++ b/php-5.6.13-systzdata-v12.patch
@@ -387,7 +387,7 @@ diff -up php-5.6.13/ext/date/lib/parse_tz.c.systzdata php-5.6.13/ext/date/lib/pa
+ size_t n;
+ char *data, *p;
+
-+ data = malloc(3 * sysdb->index_size + 7);
++ data = malloc(3 * sysdb->index_size + sizeof(FAKE_HEADER) - 1);
+
+ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1);
+
diff --git a/php-5.6.3-oci8conf.patch b/php-5.6.3-oci8conf.patch
index f2d8f99..0f923f7 100644
--- a/php-5.6.3-oci8conf.patch
+++ b/php-5.6.3-oci8conf.patch
@@ -10,28 +10,29 @@ diff -up php5.3-201104170830/ext/ldap/php_ldap.h.remi-oci8 php5.3-201104170830/e
extern zend_module_entry ldap_module_entry;
#define ldap_module_ptr &ldap_module_entry
-diff -up php5.3-201104170830/ext/oci8/config.m4.remi-oci8 php5.3-201104170830/ext/oci8/config.m4
---- php5.3-201104170830/ext/oci8/config.m4.remi-oci8 2011-03-30 00:35:22.000000000 +0200
-+++ php5.3-201104170830/ext/oci8/config.m4 2011-04-17 11:55:25.628871315 +0200
-@@ -376,6 +376,7 @@ if test "$PHP_OCI8" != "no"; then
-
- dnl Header directory for Instant Client SDK RPM install
- OCISDKRPMINC=`echo "$PHP_OCI8_INSTANT_CLIENT" | $PHP_OCI8_SED -e 's!^/usr/lib/oracle/\(.*\)/client\('${PHP_OCI8_IC_LIBDIR_SUFFIX}'\)*/lib[/]*$!/usr/include/oracle/\1/client\2!'`
-+ OCISDKRPMINC=`echo "$PHP_OCI8_INSTANT_CLIENT" | $PHP_OCI8_SED -e 's!^/usr/\(lib64\|lib\)/oracle/\(.*\)/\(client64\|client\)/lib[/]*$!/usr/include/oracle/\2/\3!'`
-
- dnl Header directory for Instant Client SDK zip file install
- OCISDKZIPINC=$PHP_OCI8_INSTANT_CLIENT/sdk/include
-diff -up php5.3-201104170830/ext/pdo_oci/config.m4.remi-oci8 php5.3-201104170830/ext/pdo_oci/config.m4
---- php5.3-201104170830/ext/pdo_oci/config.m4.remi-oci8 2011-04-02 04:35:24.000000000 +0200
-+++ php5.3-201104170830/ext/pdo_oci/config.m4 2011-04-17 12:02:42.837194120 +0200
-@@ -104,8 +104,10 @@ You need to tell me where to find your O
+diff -up ./ext/pdo_oci/config.m4.remi-oci8 ./ext/pdo_oci/config.m4
+--- ./ext/pdo_oci/config.m4.remi-oci8 2019-10-22 18:59:47.000000000 +0200
++++ ./ext/pdo_oci/config.m4 2023-09-22 09:49:00.888471382 +0200
+@@ -104,7 +104,10 @@ You need to tell me where to find your O
+ fi
+ fi
+ AC_MSG_CHECKING([for oci.h])
+- if test -f $PDO_OCI_IC_PREFIX/include/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/oci.h ; then
++ if test -f $PDO_OCI_IC_PREFIX/include/oracle/$PDO_OCI_IC_MAJ_VER/$PDO_OCI_CLIENT_DIR/oci.h ; then
++ PHP_ADD_INCLUDE($PDO_OCI_IC_PREFIX/include/oracle/$PDO_OCI_IC_MAJ_VER/$PDO_OCI_CLIENT_DIR)
++ AC_MSG_RESULT($PDO_OCI_IC_PREFIX/include/oracle/$PDO_OCI_IC_MAJ_VER/$PDO_OCI_CLIENT_DIR)
++ elif test -f $PDO_OCI_IC_PREFIX/include/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/oci.h ; then
+ PHP_ADD_INCLUDE($PDO_OCI_IC_PREFIX/include/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR)
+ AC_MSG_RESULT($PDO_OCI_IC_PREFIX/include/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR)
+ elif test -f $PDO_OCI_IC_PREFIX/lib/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/include/oci.h ; then
+@@ -119,8 +122,10 @@ You need to tell me where to find your O
else
AC_MSG_ERROR([I'm too dumb to figure out where the include dir is in your Instant Client install])
fi
- if test -f "$PDO_OCI_IC_PREFIX/lib/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/lib/libclntsh.$SHLIB_SUFFIX_NAME" ; then
- PDO_OCI_LIB_DIR="$PDO_OCI_IC_PREFIX/lib/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/lib"
-+ if test -f "$PDO_OCI_IC_PREFIX/lib64/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/lib/libclntsh.$SHLIB_SUFFIX_NAME" ; then
-+ PDO_OCI_LIB_DIR="$PDO_OCI_IC_PREFIX/lib64/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/lib"
++ if test -f "$PDO_OCI_IC_PREFIX/lib/oracle/$PDO_OCI_IC_MAJ_VER/$PDO_OCI_CLIENT_DIR/lib/libclntsh.$SHLIB_SUFFIX_NAME" ; then
++ PDO_OCI_LIB_DIR="$PDO_OCI_IC_PREFIX/lib/oracle/$PDO_OCI_IC_MAJ_VER/$PDO_OCI_CLIENT_DIR/lib"
+ elif test -f "$PDO_OCI_IC_PREFIX/lib/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/lib/libclntsh.$SHLIB_SUFFIX_NAME" ; then
+ PDO_OCI_LIB_DIR="$PDO_OCI_IC_PREFIX/lib/oracle/$PDO_OCI_IC_VERS/$PDO_OCI_CLIENT_DIR/lib"
elif test -f "$PDO_OCI_IC_PREFIX/$PDO_OCI_CLIENT_DIR/lib/libclntsh.$SHLIB_SUFFIX_NAME" ; then
diff --git a/php-bug81726.patch b/php-bug81726.patch
index c096202..ca4d694 100644
--- a/php-bug81726.patch
+++ b/php-bug81726.patch
@@ -149,3 +149,36 @@ index a7f776efa4..45190e22aa 100644
--
2.37.3
+From 9d32d284b25f5df75780911a47b3c23cbaac1761 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 30 Sep 2022 09:22:14 +0200
+Subject: [PATCH] fix NEWS
+
+---
+ NEWS | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index fe4cb9c484..b7a19aea19 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,14 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
+-Backported from 7.4.31
++Backported from 7.4.32
+
+ - Core:
+- . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
+- (CVE-2022-31628). (cmb)
+ . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
+ that have a specific semantic meaning. (CVE-2022-31629). (Derick)
+
++- Phar:
++ . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
++ (CVE-2022-31628). (cmb)
++
+ Backported from 7.4.30
+
+ - mysqlnd:
diff --git a/php-bug81740.patch b/php-bug81740.patch
new file mode 100644
index 0000000..6ec1588
--- /dev/null
+++ b/php-bug81740.patch
@@ -0,0 +1,112 @@
+From d910f2d8dad3ec3351a6e583b1d157f8f286437c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 31 Oct 2022 17:20:23 +0100
+Subject: [PATCH 1/3] Fix #81740: PDO::quote() may return unquoted string
+
+`sqlite3_snprintf()` expects its first parameter to be `int`; we need
+to avoid overflow.
+
+(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba)
+(cherry picked from commit 7cb160efe19d3dfb8b92629805733ea186b55050)
+---
+ ext/pdo_sqlite/sqlite_driver.c | 3 +++
+ ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++
+ 2 files changed, 20 insertions(+)
+ create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt
+
+diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c
+index 09df8d7996..413c23c3d0 100644
+--- a/ext/pdo_sqlite/sqlite_driver.c
++++ b/ext/pdo_sqlite/sqlite_driver.c
+@@ -232,6 +232,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, unsigne
+ /* NB: doesn't handle binary strings... use prepared stmts for that */
+ static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, int unquotedlen, char **quoted, int *quotedlen, enum pdo_param_type paramtype TSRMLS_DC)
+ {
++ if (unquotedlen > (INT_MAX - 3) / 2) {
++ return 0;
++ }
+ *quoted = safe_emalloc(2, unquotedlen, 3);
+ sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted);
+ *quotedlen = strlen(*quoted);
+diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
+new file mode 100644
+index 0000000000..99fb07c304
+--- /dev/null
++++ b/ext/pdo_sqlite/tests/bug81740.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #81740 (PDO::quote() may return unquoted string)
++--SKIPIF--
++<?php
++if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--INI--
++memory_limit=-1
++--FILE--
++<?php
++$pdo = new PDO("sqlite::memory:");
++$string = str_repeat("a", 0x80000000);
++var_dump($pdo->quote($string));
++?>
++--EXPECT--
++bool(false)
+--
+2.38.1
+
+From f17a7dfa62b6b9aead71433cfe2563a5221e5228 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 20 Dec 2022 08:42:44 +0100
+Subject: [PATCH 2/3] adapt test for 5.x
+
+---
+ ext/pdo_sqlite/tests/bug81740.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
+index 99fb07c304..08947e3512 100644
+--- a/ext/pdo_sqlite/tests/bug81740.phpt
++++ b/ext/pdo_sqlite/tests/bug81740.phpt
+@@ -10,7 +10,7 @@ memory_limit=-1
+ --FILE--
+ <?php
+ $pdo = new PDO("sqlite::memory:");
+-$string = str_repeat("a", 0x80000000);
++$string = str_repeat("a", 0x7fffffff);
+ var_dump($pdo->quote($string));
+ ?>
+ --EXPECT--
+--
+2.38.1
+
+From 67b761ac0516914bf579df77dc548835c2e38e4a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Mon, 19 Dec 2022 09:24:02 +0100
+Subject: [PATCH 3/3] NEWS
+
+(cherry picked from commit 7328f3a0344806b846bd05657bdce96e47810bf0)
+(cherry picked from commit dbfbd99e91701c0a5613133c06305fd70545e9ad)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index eefb5b9b50..3d026cf70c 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.0.27
++
++- PDO/SQLite:
++ . Fixed bug #81740 (PDO::quote() may return unquoted string).
++ (CVE-2022-31631) (cmb)
++
+ Backported from 7.4.32
+
+ - Core:
+--
+2.38.1
+
diff --git a/php-bug81744.patch b/php-bug81744.patch
new file mode 100644
index 0000000..9866e8c
--- /dev/null
+++ b/php-bug81744.patch
@@ -0,0 +1,190 @@
+From ed8df26f0b2834cd35996e6712ac206972cb5324 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
+Date: Mon, 23 Jan 2023 21:15:24 +0100
+Subject: [PATCH 1/8] crypt: Fix validation of malformed BCrypt hashes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PHP’s implementation of crypt_blowfish differs from the upstream Openwall
+version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
+by including a `$` character within the characters that represent the salt.
+
+Hashes that are affected by the “PHP Hack” may erroneously validate any
+password as valid when used with `password_verify` and when comparing the
+return value of `crypt()` against the input.
+
+The PHP Hack exists since the first version of PHP’s own crypt_blowfish
+implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.
+
+No clear reason is given for the PHP Hack’s existence. This commit removes it,
+because BCrypt hashes containing a `$` character in their salt are not valid
+BCrypt hashes.
+
+(cherry picked from commit c840f71524067aa474c00c3eacfb83bd860bfc8a)
+(cherry picked from commit 7437aaae38cf4b3357e7580f9e22fd4a403b6c23)
+---
+ ext/standard/crypt_blowfish.c | 8 --
+ .../tests/crypt/bcrypt_salt_dollar.phpt | 82 +++++++++++++++++++
+ 2 files changed, 82 insertions(+), 8 deletions(-)
+ create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+
+diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
+index 5cf306715f..e923b55ed0 100644
+--- a/ext/standard/crypt_blowfish.c
++++ b/ext/standard/crypt_blowfish.c
+@@ -377,7 +377,6 @@ static unsigned char BF_atoi64[0x60] = {
+ #define BF_safe_atoi64(dst, src) \
+ { \
+ tmp = (unsigned char)(src); \
+- if (tmp == '$') break; /* PHP hack */ \
+ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
+ tmp = BF_atoi64[tmp]; \
+ if (tmp > 63) return -1; \
+@@ -405,13 +404,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
+ *dptr++ = ((c3 & 0x03) << 6) | c4;
+ } while (dptr < end);
+
+- if (end - dptr == size) {
+- return -1;
+- }
+-
+- while (dptr < end) /* PHP hack */
+- *dptr++ = 0;
+-
+ return 0;
+ }
+
+diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+new file mode 100644
+index 0000000000..32e335f4b0
+--- /dev/null
++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+@@ -0,0 +1,82 @@
++--TEST--
++bcrypt correctly rejects salts containing $
++--FILE--
++<?php
++for ($i = 0; $i < 23; $i++) {
++ $salt = '$2y$04$' . str_repeat('0', $i) . '$';
++ $result = crypt("foo", $salt);
++ var_dump($salt);
++ var_dump($result);
++ var_dump($result === $salt);
++}
++?>
++--EXPECT--
++string(8) "$2y$04$$"
++string(2) "*0"
++bool(false)
++string(9) "$2y$04$0$"
++string(2) "*0"
++bool(false)
++string(10) "$2y$04$00$"
++string(2) "*0"
++bool(false)
++string(11) "$2y$04$000$"
++string(2) "*0"
++bool(false)
++string(12) "$2y$04$0000$"
++string(2) "*0"
++bool(false)
++string(13) "$2y$04$00000$"
++string(2) "*0"
++bool(false)
++string(14) "$2y$04$000000$"
++string(2) "*0"
++bool(false)
++string(15) "$2y$04$0000000$"
++string(2) "*0"
++bool(false)
++string(16) "$2y$04$00000000$"
++string(2) "*0"
++bool(false)
++string(17) "$2y$04$000000000$"
++string(2) "*0"
++bool(false)
++string(18) "$2y$04$0000000000$"
++string(2) "*0"
++bool(false)
++string(19) "$2y$04$00000000000$"
++string(2) "*0"
++bool(false)
++string(20) "$2y$04$000000000000$"
++string(2) "*0"
++bool(false)
++string(21) "$2y$04$0000000000000$"
++string(2) "*0"
++bool(false)
++string(22) "$2y$04$00000000000000$"
++string(2) "*0"
++bool(false)
++string(23) "$2y$04$000000000000000$"
++string(2) "*0"
++bool(false)
++string(24) "$2y$04$0000000000000000$"
++string(2) "*0"
++bool(false)
++string(25) "$2y$04$00000000000000000$"
++string(2) "*0"
++bool(false)
++string(26) "$2y$04$000000000000000000$"
++string(2) "*0"
++bool(false)
++string(27) "$2y$04$0000000000000000000$"
++string(2) "*0"
++bool(false)
++string(28) "$2y$04$00000000000000000000$"
++string(2) "*0"
++bool(false)
++string(29) "$2y$04$000000000000000000000$"
++string(2) "*0"
++bool(false)
++string(30) "$2y$04$0000000000000000000000$"
++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
++bool(false)
+--
+2.31.1
+
+From bc633b1095280f6a6b96b82f5241c14d25008e7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
+Date: Mon, 23 Jan 2023 22:13:57 +0100
+Subject: [PATCH 2/8] crypt: Fix possible buffer overread in php_crypt()
+
+(cherry picked from commit a92acbad873a05470af1a47cb785a18eadd827b5)
+(cherry picked from commit ed0281b588a6840cb95f3134a4e68847a3be5bb7)
+---
+ ext/standard/crypt.c | 1 +
+ ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+ create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt
+
+diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
+index 1b83d6e127..56e1396fdb 100644
+--- a/ext/standard/crypt.c
++++ b/ext/standard/crypt.c
+@@ -196,6 +196,7 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,
+ } else if (
+ salt[0] == '$' &&
+ salt[1] == '2' &&
++ salt[2] != 0 &&
+ salt[3] == '$' &&
+ salt[4] >= '0' && salt[4] <= '3' &&
+ salt[5] >= '0' && salt[5] <= '9' &&
+diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt b/ext/standard/tests/password/password_bcrypt_short.phpt
+new file mode 100644
+index 0000000000..085bc8a239
+--- /dev/null
++++ b/ext/standard/tests/password/password_bcrypt_short.phpt
+@@ -0,0 +1,8 @@
++--TEST--
++Test that password_hash() does not overread buffers when a short hash is passed
++--FILE--
++<?php
++var_dump(password_verify("foo", '$2'));
++?>
++--EXPECT--
++bool(false)
+--
+2.31.1
+
diff --git a/php-bug81746.patch b/php-bug81746.patch
new file mode 100644
index 0000000..579e9d2
--- /dev/null
+++ b/php-bug81746.patch
@@ -0,0 +1,100 @@
+From d43aca084651d395d1191a9751e2ea90036df09e Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Fri, 27 Jan 2023 19:28:27 +0100
+Subject: [PATCH 3/8] Fix array overrun when appending slash to paths
+
+Fix it by extending the array sizes by one character. As the input is
+limited to the maximum path length, there will always be place to append
+the slash. As the php_check_specific_open_basedir() simply uses the
+strings to compare against each other, no new failures related to too
+long paths are introduced.
+We'll let the DOM and XML case handle a potentially too long path in the
+library code.
+
+(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953)
+(cherry picked from commit 887cd0710ad856a0d22c329b6ea6c71ebd8621ae)
+---
+ ext/dom/document.c | 2 +-
+ ext/xmlreader/php_xmlreader.c | 2 +-
+ main/fopen_wrappers.c | 6 +++---
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index 1970c38574..7cf4464cec 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1498,7 +1498,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc
+ int validate, recover, resolve_externals, keep_blanks, substitute_ent;
+ int resolved_path_len;
+ int old_error_reporting = 0;
+- char *directory=NULL, resolved_path[MAXPATHLEN];
++ char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+
+ if (id != NULL) {
+ intern = (dom_object *)zend_object_store_get_object(id TSRMLS_CC);
+diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
+index 31208d8667..7948b4ca89 100644
+--- a/ext/xmlreader/php_xmlreader.c
++++ b/ext/xmlreader/php_xmlreader.c
+@@ -1044,7 +1044,7 @@ PHP_METHOD(xmlreader, XML)
+ xmlreader_object *intern = NULL;
+ char *source, *uri = NULL, *encoding = NULL;
+ int resolved_path_len, ret = 0;
+- char *directory=NULL, resolved_path[MAXPATHLEN];
++ char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+ xmlParserInputBufferPtr inputbfr;
+ xmlTextReaderPtr reader;
+
+diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
+index af9c558b04..1554aaa1e6 100644
+--- a/main/fopen_wrappers.c
++++ b/main/fopen_wrappers.c
+@@ -141,10 +141,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
+ */
+ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path TSRMLS_DC)
+ {
+- char resolved_name[MAXPATHLEN];
+- char resolved_basedir[MAXPATHLEN];
++ char resolved_name[MAXPATHLEN + 1];
++ char resolved_basedir[MAXPATHLEN + 1];
+ char local_open_basedir[MAXPATHLEN];
+- char path_tmp[MAXPATHLEN];
++ char path_tmp[MAXPATHLEN + 1];
+ char *path_file;
+ int resolved_basedir_len;
+ int resolved_name_len;
+--
+2.31.1
+
+From d0db454c4ab17e2a64f9c06b5bc5b1001ddb9110 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Mon, 13 Feb 2023 11:46:47 +0100
+Subject: [PATCH 4/8] NEWS
+
+(cherry picked from commit 614468ce4056c0ef93aae09532dcffdf65b594b5)
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 3d026cf70c..5e74b7547a 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.0.28
++
++- Core:
++ . Fixed bug #81744 (Password_verify() always return true with some hash).
++ (CVE-2023-0567). (Tim Düsterhus)
++ . Fixed bug #81746 (1-byte array overrun in common path resolve code).
++ (CVE-2023-0568). (Niels Dossche)
++
+ Backported from 8.0.27
+
+ - PDO/SQLite:
+--
+2.31.1
+
diff --git a/php-cve-2023-0662.patch b/php-cve-2023-0662.patch
new file mode 100644
index 0000000..ac405ec
--- /dev/null
+++ b/php-cve-2023-0662.patch
@@ -0,0 +1,148 @@
+From 951b823876274823f4f6d78004d0e4664fd24504 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 19 Jan 2023 14:11:18 +0000
+Subject: [PATCH 5/8] Fix repeated warning for file uploads limit exceeding
+
+(cherry picked from commit 3a2fdef1ae38881110006616ee1f0534b082ca45)
+---
+ main/rfc1867.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index fb3035072a..323370fc58 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -925,7 +925,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ skip_upload = 1;
+ } else if (upload_cnt <= 0) {
+ skip_upload = 1;
+- sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
++ if (upload_cnt == 0) {
++ --upload_cnt;
++ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
++ }
+ }
+
+ /* Return with an error if the posted data is garbled */
+--
+2.31.1
+
+From 21a325252a52d663533715900f091b0f025a77ab Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Thu, 19 Jan 2023 14:31:25 +0000
+Subject: [PATCH 6/8] Introduce max_multipart_body_parts INI
+
+This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
+parsed multipart body parts as currently all parts were always parsed.
+
+(cherry picked from commit 8ec78d28d20c82c75c4747f44c52601cfdb22516)
+---
+ main/main.c | 1 +
+ main/rfc1867.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/main/main.c b/main/main.c
+index ab55b5b831..66da1881d4 100644
+--- a/main/main.c
++++ b/main/main.c
+@@ -628,6 +628,7 @@ PHP_INI_BEGIN()
+ PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
++ PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
+
+ STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
+ STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 323370fc58..ce8f557f23 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -697,6 +697,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ void *event_extra_data = NULL;
+ unsigned int llen = 0;
+ int upload_cnt = INI_INT("max_file_uploads");
++ int body_parts_cnt = INI_INT("max_multipart_body_parts");
+ const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C);
+ php_rfc1867_getword_t getword;
+ php_rfc1867_getword_conf_t getword_conf;
+@@ -718,6 +719,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ return;
+ }
+
++ if (body_parts_cnt < 0) {
++ body_parts_cnt = PG(max_input_vars) + upload_cnt;
++ }
++ int body_parts_limit = body_parts_cnt;
++
+ /* Get the boundary */
+ boundary = strstr(content_type_dup, "boundary");
+ if (!boundary) {
+@@ -802,6 +808,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ char *pair = NULL;
+ int end = 0;
+
++ if (--body_parts_cnt < 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
++ goto fileupload_done;
++ }
++
+ while (isspace(*cd)) {
+ ++cd;
+ }
+--
+2.31.1
+
+From 734b43c5938037a03b6af7212a95813c1c9e729c Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Feb 2023 09:14:47 +0100
+Subject: [PATCH 7/8] NEWS
+
+(cherry picked from commit 472db3ee3a00ac00d36019eee0b3b7362334481c)
+---
+ NEWS | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5e74b7547a..bcb62b8325 100644
+--- a/NEWS
++++ b/NEWS
+@@ -9,6 +9,10 @@ Backported from 8.0.28
+ . Fixed bug #81746 (1-byte array overrun in common path resolve code).
+ (CVE-2023-0568). (Niels Dossche)
+
++- FPM:
++ . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
++ request body). (CVE-2023-0662) (Jakub Zelenka)
++
+ Backported from 8.0.27
+
+ - PDO/SQLite:
+--
+2.31.1
+
+From 72c4e7e7d9039d5b68fb52794acccf740167602a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Feb 2023 11:47:22 +0100
+Subject: [PATCH 8/8] fix NEWS, not FPM specific
+
+(cherry picked from commit c04f310440a906fc4ca885f4ecf6e3e4cd36edc7)
+---
+ NEWS | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index bcb62b8325..c9e6f7d328 100644
+--- a/NEWS
++++ b/NEWS
+@@ -8,8 +8,6 @@ Backported from 8.0.28
+ (CVE-2023-0567). (Tim Düsterhus)
+ . Fixed bug #81746 (1-byte array overrun in common path resolve code).
+ (CVE-2023-0568). (Niels Dossche)
+-
+-- FPM:
+ . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
+ request body). (CVE-2023-0662) (Jakub Zelenka)
+
+--
+2.31.1
+
diff --git a/php-cve-2023-3247.patch b/php-cve-2023-3247.patch
new file mode 100644
index 0000000..19c398d
--- /dev/null
+++ b/php-cve-2023-3247.patch
@@ -0,0 +1,75 @@
+From 66e67c73b83b42234530b6681dc16aac5efaf0f7 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 7 Jun 2023 10:11:02 +0200
+Subject: [PATCH] Increase random bytes in HTTP Digest authentication for SOAP
+ Minimal fix for GHSA-76gg-c692-v2mw
+
+---
+ NEWS | 6 ++++++
+ ext/soap/php_http.c | 7 +++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index c9e6f7d3285..d32f3d7a874 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.0.29
++
++- Soap:
++ . Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random
++ bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla)
++
+ Backported from 8.0.28
+
+ - Core:
+diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
+index 324609197ad..f3935cb1b79 100644
+--- a/ext/soap/php_http.c
++++ b/ext/soap/php_http.c
+@@ -639,10 +639,13 @@ int make_http_soap_request(zval *this_ptr,
+ char HA1[33], HA2[33], response[33], cnonce[33], nc[9];
+ PHP_MD5_CTX md5ctx;
+ unsigned char hash[16];
++ int i;
+
+ PHP_MD5Init(&md5ctx);
+- snprintf(cnonce, sizeof(cnonce), "%ld", php_rand(TSRMLS_C));
+- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce));
++ for (i = 0; i < 4; i++) { /* 16 bytes of randomness*/
++ snprintf(cnonce, sizeof(cnonce), "%ld", php_rand(TSRMLS_C));
++ PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce));
++ }
+ PHP_MD5Final(hash, &md5ctx);
+ make_digest(cnonce, hash);
+
+From 486045f99833aa889be7a434a663fdf108a22992 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 15 Jun 2023 08:47:55 +0200
+Subject: [PATCH] add cve
+
+(cherry picked from commit f3021d66d7bb42d2578530cc94f9bde47e58eb10)
+---
+ NEWS | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index d32f3d7a87..a658151942 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,7 +5,8 @@ Backported from 8.0.29
+
+ - Soap:
+ . Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random
+- bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla)
++ bytes in HTTP Digest authentication for SOAP).
++ (CVE-2023-3247) (nielsdos, timwolla)
+
+ Backported from 8.0.28
+
+--
+2.40.1
+
diff --git a/php-cve-2023-3823.patch b/php-cve-2023-3823.patch
new file mode 100644
index 0000000..4f0af64
--- /dev/null
+++ b/php-cve-2023-3823.patch
@@ -0,0 +1,96 @@
+From 738946df315c53b963c8ffce3a3a3828256349fc Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Mon, 10 Jul 2023 13:25:34 +0200
+Subject: [PATCH 1/4] Fix buffer mismanagement in phar_dir_read()
+
+Fixes GHSA-jqcx-ccgc-xwhv.
+
+(cherry picked from commit 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef)
+(cherry picked from commit c398fe98c044c8e7c23135acdc38d4ef7bedc983)
+(cherry picked from commit 3f14261065e4c0552afa9cb16411475050a41c2c)
+(cherry picked from commit f8f433d0d8eaac21af4f4532496d33f9c2b381d6)
+(cherry picked from commit f41261182dad0f831d8727967c127da1f08c8ce5)
+(cherry picked from commit 47388f7e4e1369feeffdb6976b469e7dfa72d9cb)
+---
+ ext/phar/dirstream.c | 16 +++++++++------
+ ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
+ 2 files changed, 37 insertions(+), 6 deletions(-)
+ create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+
+diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
+index f843501b58..411a2b0692 100644
+--- a/ext/phar/dirstream.c
++++ b/ext/phar/dirstream.c
+@@ -92,26 +92,30 @@ static int phar_dir_seek(php_stream *stream, off_t offset, int whence, off_t *ne
+ */
+ static size_t phar_dir_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) /* {{{ */
+ {
+- size_t to_read;
+ HashTable *data = (HashTable *)stream->abstract;
+ char *str_key;
+ uint keylen;
+ ulong unused;
+
++ if (count != sizeof(php_stream_dirent)) {
++ return -1;
++ }
++
+ if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(data, &str_key, &keylen, &unused, 0, NULL)) {
+ return 0;
+ }
+
+ zend_hash_move_forward(data);
+- to_read = MIN(keylen, count);
+
+- if (to_read == 0 || count < keylen) {
++ php_stream_dirent *dirent = (php_stream_dirent *) buf;
++
++ if (sizeof(dirent->d_name) <= keylen) {
+ return 0;
+ }
+
+- memset(buf, 0, sizeof(php_stream_dirent));
+- memcpy(((php_stream_dirent *) buf)->d_name, str_key, to_read);
+- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
++ memset(dirent, 0, sizeof(php_stream_dirent));
++ memcpy(dirent->d_name, str_key, keylen);
++ dirent->d_name[keylen] = '\0';
+
+ return sizeof(php_stream_dirent);
+ }
+diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+new file mode 100644
+index 0000000000..4e12f05fb6
+--- /dev/null
++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--INI--
++phar.readonly=0
++--FILE--
++<?php
++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++$phar->startBuffering();
++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
++$phar->stopBuffering();
++
++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
++var_dump(strlen(readdir($handle)));
++// Must not be a string of length PHP_MAXPATHLEN+1
++var_dump(readdir($handle));
++closedir($handle);
++?>
++--CLEAN--
++<?php
++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++?>
++--EXPECTF--
++int(%d)
++bool(false)
+--
+2.41.0
+
diff --git a/php-cve-2023-3824.patch b/php-cve-2023-3824.patch
new file mode 100644
index 0000000..43d8813
--- /dev/null
+++ b/php-cve-2023-3824.patch
@@ -0,0 +1,448 @@
+From f477a112a95bdf38ca4e93dc77dc6b49067c1030 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 15 Jul 2023 17:33:52 +0200
+Subject: [PATCH 2/4] Sanitize libxml2 globals before parsing
+
+Fixes GHSA-3qrf-m4j2-pcrr.
+
+To parse a document with libxml2, you first need to create a parsing context.
+The parsing context contains parsing options (e.g. XML_NOENT to substitute
+entities) that the application (in this case PHP) can set.
+Unfortunately, libxml2 also supports providing default set options.
+For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
+option will be added to the parsing options every time you create a parsing
+context **even if the application never requested XML_NOENT**.
+
+Third party extensions can override these globals, in particular the
+substitute entity global. This causes entity substitution to be
+unexpectedly active.
+
+Fix it by setting the parsing options to a sane known value.
+For API calls that depend on global state we introduce
+PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
+For other APIs that work directly with a context we introduce
+php_libxml_sanitize_parse_ctxt_options().
+
+(cherry picked from commit c283c3ab0ba45d21b2b8745c1f9c7cbfe771c975)
+(cherry picked from commit b3758bd21223b97c042cae7bd26a66cde081ea98)
+(cherry picked from commit 4fb61f06b1aff89a4d7e548c37ffa5bf573270c3)
+(cherry picked from commit d7de6908dfc8774e86a54100ad4e2ee810426001)
+(cherry picked from commit 66a1fcc69765bb704146fe7d084848302dd3c89e)
+(cherry picked from commit 3824593952c6ce4c37cd43137b0877202f5c304e)
+---
+ ext/dom/document.c | 18 ++++++++++++++++++
+ ext/dom/documentfragment.c | 2 ++
+ ext/libxml/php_libxml.h | 36 +++++++++++++++++++++++++++++++++++
+ ext/simplexml/simplexml.c | 6 ++++++
+ ext/soap/php_xml.c | 2 ++
+ ext/xml/compat.c | 2 ++
+ ext/xmlreader/php_xmlreader.c | 9 +++++++++
+ ext/xsl/xsltprocessor.c | 9 ++++-----
+ 8 files changed, 79 insertions(+), 5 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index 7cf4464cec..d6d0d995d3 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1577,6 +1577,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc
+ options |= XML_PARSE_NOBLANKS;
+ }
+
++ php_libxml_sanitize_parse_ctxt_options(ctxt);
+ xmlCtxtUseOptions(ctxt, options);
+
+ ctxt->recovery = recover;
+@@ -1859,7 +1860,9 @@ PHP_FUNCTION(dom_document_xinclude)
+
+ DOM_GET_OBJ(docp, id, xmlDocPtr, intern);
+
++ PHP_LIBXML_SANITIZE_GLOBALS(xinclude);
+ err = xmlXIncludeProcessFlags(docp, flags);
++ PHP_LIBXML_RESTORE_GLOBALS(xinclude);
+
+ /* XML_XINCLUDE_START and XML_XINCLUDE_END nodes need to be removed as these
+ are added via xmlXIncludeProcess to mark beginning and ending of xincluded document
+@@ -1898,6 +1901,7 @@ PHP_FUNCTION(dom_document_validate)
+
+ DOM_GET_OBJ(docp, id, xmlDocPtr, intern);
+
++ PHP_LIBXML_SANITIZE_GLOBALS(validate);
+ cvp = xmlNewValidCtxt();
+
+ cvp->userData = NULL;
+@@ -1909,6 +1913,7 @@ PHP_FUNCTION(dom_document_validate)
+ } else {
+ RETVAL_FALSE;
+ }
++ PHP_LIBXML_RESTORE_GLOBALS(validate);
+
+ xmlFreeValidCtxt(cvp);
+
+@@ -1941,14 +1946,18 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
+
+ DOM_GET_OBJ(docp, id, xmlDocPtr, intern);
+
++ PHP_LIBXML_SANITIZE_GLOBALS(new_parser_ctxt);
++
+ switch (type) {
+ case DOM_LOAD_FILE:
+ if (CHECK_NULL_PATH(source, source_len)) {
++ PHP_LIBXML_RESTORE_GLOBALS(new_parser_ctxt);
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
+ RETURN_FALSE;
+ }
+ valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
+ if (!valid_file) {
++ PHP_LIBXML_RESTORE_GLOBALS(new_parser_ctxt);
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
+ RETURN_FALSE;
+ }
+@@ -1969,6 +1978,7 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
+ parser);
+ sptr = xmlSchemaParse(parser);
+ xmlSchemaFreeParserCtxt(parser);
++ PHP_LIBXML_RESTORE_GLOBALS(new_parser_ctxt);
+ if (!sptr) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema");
+ RETURN_FALSE;
+@@ -1989,11 +1999,13 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
+ }
+ #endif
+
++ PHP_LIBXML_SANITIZE_GLOBALS(validate);
+ xmlSchemaSetValidOptions(vptr, valid_opts);
+ xmlSchemaSetValidErrors(vptr, php_libxml_error_handler, php_libxml_error_handler, vptr);
+ is_valid = xmlSchemaValidateDoc(vptr, docp);
+ xmlSchemaFree(sptr);
+ xmlSchemaFreeValidCtxt(vptr);
++ PHP_LIBXML_RESTORE_GLOBALS(validate);
+
+ if (is_valid == 0) {
+ RETURN_TRUE;
+@@ -2063,12 +2075,14 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
+ return;
+ }
+
++ PHP_LIBXML_SANITIZE_GLOBALS(parse);
+ xmlRelaxNGSetParserErrors(parser,
+ (xmlRelaxNGValidityErrorFunc) php_libxml_error_handler,
+ (xmlRelaxNGValidityWarningFunc) php_libxml_error_handler,
+ parser);
+ sptr = xmlRelaxNGParse(parser);
+ xmlRelaxNGFreeParserCtxt(parser);
++ PHP_LIBXML_RESTORE_GLOBALS(parse);
+ if (!sptr) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG");
+ RETURN_FALSE;
+@@ -2161,6 +2175,10 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
+ ctxt->sax->error = php_libxml_ctx_error;
+ ctxt->sax->warning = php_libxml_ctx_warning;
+ }
++ php_libxml_sanitize_parse_ctxt_options(ctxt);
++ if (options) {
++ htmlCtxtUseOptions(ctxt, (int)options);
++ }
+ htmlParseDocument(ctxt);
+ newdoc = ctxt->myDoc;
+ htmlFreeParserCtxt(ctxt);
+diff --git a/ext/dom/documentfragment.c b/ext/dom/documentfragment.c
+index 5ce1e3994c..3ecc71d42f 100644
+--- a/ext/dom/documentfragment.c
++++ b/ext/dom/documentfragment.c
+@@ -140,7 +140,9 @@ PHP_METHOD(domdocumentfragment, appendXML) {
+ }
+
+ if (data) {
++ PHP_LIBXML_SANITIZE_GLOBALS(parse);
+ err = xmlParseBalancedChunkMemory(nodep->doc, NULL, NULL, 0, data, &lst);
++ PHP_LIBXML_RESTORE_GLOBALS(parse);
+ if (err != 0) {
+ RETURN_FALSE;
+ }
+diff --git a/ext/libxml/php_libxml.h b/ext/libxml/php_libxml.h
+index 98cf726a3d..0c8ab3849d 100644
+--- a/ext/libxml/php_libxml.h
++++ b/ext/libxml/php_libxml.h
+@@ -110,6 +110,42 @@ PHP_LIBXML_API void php_libxml_shutdown(void);
+ #define LIBXML(v) (libxml_globals.v)
+ #endif
+
++/* Other extension may override the global state options, these global options
++ * are copied initially to ctxt->options. Set the options to a known good value.
++ * See libxml2 globals.c and parserInternals.c.
++ * The unique_name argument allows multiple sanitizes and restores within the
++ * same function, even nested is necessary. */
++#define PHP_LIBXML_SANITIZE_GLOBALS(unique_name) \
++ int xml_old_loadsubset_##unique_name = xmlLoadExtDtdDefaultValue; \
++ xmlLoadExtDtdDefaultValue = 0; \
++ int xml_old_validate_##unique_name = xmlDoValidityCheckingDefaultValue; \
++ xmlDoValidityCheckingDefaultValue = 0; \
++ int xml_old_pedantic_##unique_name = xmlPedanticParserDefault(0); \
++ int xml_old_substitute_##unique_name = xmlSubstituteEntitiesDefault(0); \
++ int xml_old_linenrs_##unique_name = xmlLineNumbersDefault(0); \
++ int xml_old_blanks_##unique_name = xmlKeepBlanksDefault(1);
++
++#define PHP_LIBXML_RESTORE_GLOBALS(unique_name) \
++ xmlLoadExtDtdDefaultValue = xml_old_loadsubset_##unique_name; \
++ xmlDoValidityCheckingDefaultValue = xml_old_validate_##unique_name; \
++ (void) xmlPedanticParserDefault(xml_old_pedantic_##unique_name); \
++ (void) xmlSubstituteEntitiesDefault(xml_old_substitute_##unique_name); \
++ (void) xmlLineNumbersDefault(xml_old_linenrs_##unique_name); \
++ (void) xmlKeepBlanksDefault(xml_old_blanks_##unique_name);
++
++/* Alternative for above, working directly on the context and not setting globals.
++ * Generally faster because no locking is involved, and this has the advantage that it sets the options to a known good value. */
++static zend_always_inline void php_libxml_sanitize_parse_ctxt_options(xmlParserCtxtPtr ctxt)
++{
++ ctxt->loadsubset = 0;
++ ctxt->validate = 0;
++ ctxt->pedantic = 0;
++ ctxt->replaceEntities = 0;
++ ctxt->linenumbers = 0;
++ ctxt->keepBlanks = 1;
++ ctxt->options = 0;
++}
++
+ #else /* HAVE_LIBXML */
+ #define libxml_module_ptr NULL
+ #endif
+diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
+index d7077fc935..78ad43a35b 100644
+--- a/ext/simplexml/simplexml.c
++++ b/ext/simplexml/simplexml.c
+@@ -2187,7 +2187,9 @@ PHP_FUNCTION(simplexml_load_file)
+ return;
+ }
+
++ PHP_LIBXML_SANITIZE_GLOBALS(read_file);
+ docp = xmlReadFile(filename, NULL, options);
++ PHP_LIBXML_RESTORE_GLOBALS(read_file);
+
+ if (! docp) {
+ RETURN_FALSE;
+@@ -2225,7 +2227,9 @@ PHP_FUNCTION(simplexml_load_string)
+ return;
+ }
+
++ PHP_LIBXML_SANITIZE_GLOBALS(read_memory);
+ docp = xmlReadMemory(data, data_len, NULL, NULL, options);
++ PHP_LIBXML_RESTORE_GLOBALS(read_memory);
+
+ if (! docp) {
+ RETURN_FALSE;
+@@ -2265,7 +2269,9 @@ SXE_METHOD(__construct)
+
+ zend_restore_error_handling(&error_handling TSRMLS_CC);
+
++ PHP_LIBXML_SANITIZE_GLOBALS(read_file_or_memory);
+ docp = is_url ? xmlReadFile(data, NULL, options) : xmlReadMemory(data, data_len, NULL, NULL, options);
++ PHP_LIBXML_RESTORE_GLOBALS(read_file_or_memory);
+
+ if (!docp) {
+ ((php_libxml_node_object *)sxe)->document = NULL;
+diff --git a/ext/soap/php_xml.c b/ext/soap/php_xml.c
+index 4694b4e05d..36d303c8b7 100644
+--- a/ext/soap/php_xml.c
++++ b/ext/soap/php_xml.c
+@@ -94,6 +94,7 @@ xmlDocPtr soap_xmlParseFile(const char *filename TSRMLS_DC)
+ if (ctxt) {
+ zend_bool old;
+
++ php_libxml_sanitize_parse_ctxt_options(ctxt);
+ ctxt->keepBlanks = 0;
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+@@ -145,6 +146,7 @@ xmlDocPtr soap_xmlParseMemory(const void *buf, size_t buf_size)
+ if (ctxt) {
+ zend_bool old;
+
++ php_libxml_sanitize_parse_ctxt_options(ctxt);
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+ ctxt->sax->warning = NULL;
+diff --git a/ext/xml/compat.c b/ext/xml/compat.c
+index a6d08ded5d..30181a109e 100644
+--- a/ext/xml/compat.c
++++ b/ext/xml/compat.c
+@@ -19,6 +19,7 @@
+ #include "php.h"
+ #if defined(HAVE_LIBXML) && (defined(HAVE_XML) || defined(HAVE_XMLRPC)) && !defined(HAVE_LIBEXPAT)
+ #include "expat_compat.h"
++#include "ext/libxml/php_libxml.h"
+
+ typedef struct _php_xml_ns {
+ xmlNsPtr nsptr;
+@@ -482,6 +483,7 @@ XML_ParserCreate_MM(const XML_Char *encoding, const XML_Memory_Handling_Suite *m
+ parser->parser->charset = XML_CHAR_ENCODING_NONE;
+ #endif
+
++ php_libxml_sanitize_parse_ctxt_options(parser->parser);
+ #if LIBXML_VERSION >= 20703
+ xmlCtxtUseOptions(parser->parser, XML_PARSE_OLDSAX);
+ #endif
+diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
+index 7948b4ca89..5570762353 100644
+--- a/ext/xmlreader/php_xmlreader.c
++++ b/ext/xmlreader/php_xmlreader.c
+@@ -305,6 +305,7 @@ static xmlRelaxNGPtr _xmlreader_get_relaxNG(char *source, int source_len, int ty
+ return NULL;
+ }
+
++ PHP_LIBXML_SANITIZE_GLOBALS(parse);
+ if (error_func || warn_func) {
+ xmlRelaxNGSetParserErrors(parser,
+ (xmlRelaxNGValidityErrorFunc) error_func,
+@@ -313,6 +314,7 @@ static xmlRelaxNGPtr _xmlreader_get_relaxNG(char *source, int source_len, int ty
+ }
+ sptr = xmlRelaxNGParse(parser);
+ xmlRelaxNGFreeParserCtxt(parser);
++ PHP_LIBXML_RESTORE_GLOBALS(parse);
+
+ return sptr;
+ }
+@@ -886,7 +888,9 @@ PHP_METHOD(xmlreader, open)
+ valid_file = _xmlreader_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
+
+ if (valid_file) {
++ PHP_LIBXML_SANITIZE_GLOBALS(reader_for_file);
+ reader = xmlReaderForFile(valid_file, encoding, options);
++ PHP_LIBXML_RESTORE_GLOBALS(reader_for_file);
+ }
+
+ if (reader == NULL) {
+@@ -963,7 +967,9 @@ PHP_METHOD(xmlreader, setSchema)
+
+ intern = (xmlreader_object *)zend_object_store_get_object(id TSRMLS_CC);
+ if (intern && intern->ptr) {
++ PHP_LIBXML_SANITIZE_GLOBALS(schema);
+ retval = xmlTextReaderSchemaValidate(intern->ptr, source);
++ PHP_LIBXML_RESTORE_GLOBALS(schema);
+
+ if (retval == 0) {
+ RETURN_TRUE;
+@@ -1083,6 +1089,7 @@ PHP_METHOD(xmlreader, XML)
+ }
+ uri = (char *) xmlCanonicPath((const xmlChar *) resolved_path);
+ }
++ PHP_LIBXML_SANITIZE_GLOBALS(text_reader);
+ reader = xmlNewTextReader(inputbfr, uri);
+
+ if (reader != NULL) {
+@@ -1103,9 +1110,11 @@ PHP_METHOD(xmlreader, XML)
+ xmlFree(uri);
+ }
+
++ PHP_LIBXML_RESTORE_GLOBALS(text_reader);
+ return;
+ }
+ }
++ PHP_LIBXML_RESTORE_GLOBALS(text_reader);
+ }
+
+ if (uri) {
+diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
+index 5d34651930..e7012ed2cc 100644
+--- a/ext/xsl/xsltprocessor.c
++++ b/ext/xsl/xsltprocessor.c
+@@ -408,7 +408,7 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
+ xmlDoc *doc = NULL, *newdoc = NULL;
+ xsltStylesheetPtr sheetp, oldsheetp;
+ xsl_object *intern;
+- int prevSubstValue, prevExtDtdValue, clone_docu = 0;
++ int clone_docu = 0;
+ xmlNode *nodep = NULL;
+ zend_object_handlers *std_hnd;
+ zval *cloneDocu, *member;
+@@ -431,13 +431,12 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
+ stylesheet document otherwise the node proxies will be a mess */
+ newdoc = xmlCopyDoc(doc, 1);
+ xmlNodeSetBase((xmlNodePtr) newdoc, (xmlChar *)doc->URL);
+- prevSubstValue = xmlSubstituteEntitiesDefault(1);
+- prevExtDtdValue = xmlLoadExtDtdDefaultValue;
++ PHP_LIBXML_SANITIZE_GLOBALS(parse);
++ xmlSubstituteEntitiesDefault(1);
+ xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
+
+ sheetp = xsltParseStylesheetDoc(newdoc);
+- xmlSubstituteEntitiesDefault(prevSubstValue);
+- xmlLoadExtDtdDefaultValue = prevExtDtdValue;
++ PHP_LIBXML_RESTORE_GLOBALS(parse);
+
+ if (!sheetp) {
+ xmlFreeDoc(newdoc);
+--
+2.41.0
+
+From a911a06e92c99a3a2466ca4d9ba53fa2f395b89d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 2 Aug 2023 11:36:13 +0200
+Subject: [PATCH 4/4] fix backport
+
+---
+ ext/dom/document.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index d6d0d995d3..6f4ae268e7 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -2165,6 +2165,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
+ RETURN_FALSE;
+ }
+
++ php_libxml_sanitize_parse_ctxt_options(ctxt);
+ if (options) {
+ htmlCtxtUseOptions(ctxt, options);
+ }
+@@ -2175,10 +2176,6 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
+ ctxt->sax->error = php_libxml_ctx_error;
+ ctxt->sax->warning = php_libxml_ctx_warning;
+ }
+- php_libxml_sanitize_parse_ctxt_options(ctxt);
+- if (options) {
+- htmlCtxtUseOptions(ctxt, (int)options);
+- }
+ htmlParseDocument(ctxt);
+ newdoc = ctxt->myDoc;
+ htmlFreeParserCtxt(ctxt);
+--
+2.41.0
+
+From 8e8afb29f0f8a3872f4c0bf3b05ce6c5fd074610 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 1 Aug 2023 07:22:33 +0200
+Subject: [PATCH 3/4] NEWS
+
+(cherry picked from commit ef1d507acf7be23d7624dc3c891683b2218feb51)
+(cherry picked from commit 3cf7c2b10e577136b267f2d90bfdff6743271c5c)
+(cherry picked from commit 79c0bf87711036b83f8ee1723c034ccc839d847b)
+(cherry picked from commit 3ac0ce8a462cb31815330d1410e1a8a615c395eb)
+(cherry picked from commit 59ec21e12409bd87106f3437dbcc680608eb85a8)
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index a658151942..0e7d9abf11 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.0.30
++
++- Libxml:
++ . Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
++ in XML without enabling it). (CVE-2023-3823) (nielsdos, ilutov)
++
++- Phar:
++ . Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
++ (CVE-2023-3824) (nielsdos)
++
+ Backported from 8.0.29
+
+ - Soap:
+--
+2.41.0
+
diff --git a/php56.spec b/php56.spec
index 6bf3cd1..84d2a43 100644
--- a/php56.spec
+++ b/php56.spec
@@ -28,8 +28,15 @@
%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
-%global oraclever 21.7
+%ifarch aarch64
+%global oraclever 19.19
+%global oraclelib 19.1
+%global oracledir 19.19
+%else
+%global oraclever 21.11
%global oraclelib 21.1
+%global oracledir 21
+%endif
# Build for LiteSpeed Web Server (LSAPI)
%global with_lsws 1
@@ -143,7 +150,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.6.40
-Release: 34%{?dist}
+Release: 39%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -256,6 +263,13 @@ Patch255: php-bug81719.patch
Patch256: php-bug81720.patch
Patch257: php-bug81727.patch
Patch258: php-bug81726.patch
+Patch259: php-bug81740.patch
+Patch260: php-bug81744.patch
+Patch261: php-bug81746.patch
+Patch262: php-cve-2023-0662.patch
+Patch263: php-cve-2023-3247.patch
+Patch264: php-cve-2023-3823.patch
+Patch265: php-cve-2023-3824.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -712,15 +726,20 @@ Summary: A module for PHP applications that use OCI8 databases
Group: Development/Languages
# All files licensed under PHP version 3.01
License: PHP
+%ifarch aarch64
+BuildRequires: oracle-instantclient%{oraclever}-devel
+# Should requires libclntsh.so.19.1()(aarch-64), but it's not provided by Oracle RPM.
+Requires: libclntsh.so.%{oraclelib}
+AutoReq: 0
+%else
BuildRequires: oracle-instantclient-devel >= %{oraclever}
+%endif
Requires: php-pdo%{?_isa} = %{version}-%{release}
Provides: php_database
Provides: php-pdo_oci, php-pdo_oci%{?_isa}
Obsoletes: php-pecl-oci8 < %{oci8ver}
Conflicts: php-pecl-oci8 >= %{oci8ver}
Provides: php-pecl(oci8) = %{oci8ver}, php-pecl(oci8)%{?_isa} = %{oci8ver}
-# Should requires libclntsh.so.12.1, but it's not provided by Oracle RPM.
-AutoReq: 0
Obsoletes: php53-oci8, php53u-oci8, php54-oci8, php54w-oci8, php55u-oci8, php55w-oci8, php56u-oci8, php56w-oci8
%description oci8
@@ -731,13 +750,9 @@ The extension is linked with Oracle client libraries %{oraclever}
(Oracle Instant Client). For details, see Oracle's note
"Oracle Client / Server Interoperability Support" (ID 207303.1).
-You must install libclntsh.so.%{oraclelib} to use this package, provided
-in the database installation, or in the free Oracle Instant Client
-available from Oracle.
-
-Notice:
-- php-oci8 provides oci8 and pdo_oci extensions from php sources.
-- php-pecl-oci8 only provides oci8 extension.
+You must install libclntsh.so.%{oraclelib} to use this package,
+provided by Oracle Instant Client RPM available from Oracle on:
+https://www.oracle.com/database/technologies/instant-client/downloads.html
Documentation is at http://php.net/oci8 and http://php.net/pdo_oci
%endif
@@ -991,97 +1006,104 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
%setup -q -n php-%{version}%{?rcver}
-%patch1 -p1 -b .mpmcheck
-%patch5 -p1 -b .includedir
-%patch6 -p1 -b .embed
-%patch7 -p1 -b .recode
-%patch8 -p1 -b .libdb
+%patch -P1 -p1 -b .mpmcheck
+%patch -P5 -p1 -b .includedir
+%patch -P6 -p1 -b .embed
+%patch -P7 -p1 -b .recode
+%patch -P8 -p1 -b .libdb
%if 0%{?rhel}
-%patch9 -p1 -b .curltls
+%patch -P9 -p1 -b .curltls
%endif
%if 0%{?fedora} >= 29 || 0%{?rhel} >= 7
-%patch10 -p1 -b .icu62
+%patch -P10 -p1 -b .icu62
%endif
-%patch40 -p1 -b .dlopen
-%patch41 -p1 -b .dtrace
+%patch -P40 -p1 -b .dlopen
+%patch -P41 -p1 -b .dtrace
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 5
-%patch42 -p1 -b .systzdata
+%patch -P42 -p1 -b .systzdata
%endif
-%patch43 -p1 -b .headers
+%patch -P43 -p1 -b .headers
%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
-%patch45 -p1 -b .ldap_r
+%patch -P45 -p1 -b .ldap_r
%endif
-%patch46 -p1 -b .fixheader
-%patch47 -p1 -b .phpinfo
+%patch -P46 -p1 -b .fixheader
+%patch -P47 -p1 -b .phpinfo
-%patch91 -p1 -b .remi-oci8
+%patch -P91 -p1 -b .remi-oci8
# upstream patches
-%patch100 -p1 -b .pdo_oci
-%patch103 -p1 -b .bug76846
+%patch -P100 -p1 -b .pdo_oci
+%patch -P103 -p1 -b .bug76846
# security patches
-%patch208 -p1 -b .bug77396
-%patch209 -p1 -b .bug77431
-%patch210 -p1 -b .bug77540
-%patch211 -p1 -b .bug77563
-%patch212 -p1 -b .bug77586
-%patch213 -p1 -b .bug77630
-%patch214 -p1 -b .backport
-%patch215 -p1 -b .sqlite3.defensive
-%patch216 -p1 -b .bug77753
-%patch217 -p1 -b .bug77831
-%patch218 -p1 -b .bug77950
-%patch219 -p1 -b .bug78069
-%patch220 -p1 -b .bug77988
-%patch221 -p1 -b .bug77967
-%patch222 -p1 -b .bug78222
-%patch223 -p1 -b .bug78256
-%patch224 -p1 -b .bug77919
-%patch225 -p1 -b .bug75457
-%patch226 -p1 -b .bug78380
-%patch227 -p1 -b .bug78599
-%patch228 -p1 -b .bug78878
-%patch229 -p1 -b .bug78862
-%patch230 -p1 -b .bug78863
-%patch231 -p1 -b .bug78793
-%patch232 -p1 -b .bug78910
-%patch233 -p1 -b .bug79099
-%patch234 -p1 -b .bug79037
-%patch236 -p1 -b .bug79221
-%patch237 -p1 -b .bug79082
-%patch238 -p1 -b .bug79282
-%patch239 -p1 -b .bug79329
-%patch240 -p1 -b .bug79330
-%patch241 -p1 -b .bug79465
-%patch242 -p1 -b .bug78875
-%patch243 -p1 -b .bug79797
-%patch244 -p1 -b .bug79877
-%patch246 -p1 -b .bug79699
-%patch247 -p1 -b .bug77423
-%patch248 -p1 -b .bug80672
-%patch249 -p1 -b .bug80710
-%patch250 -p1 -b .bug81122
-%patch251 -p1 -b .bug76450
-%patch252 -p1 -b .bug81211
-%patch253 -p1 -b .bug81026
-%patch254 -p1 -b .bug79971
-%patch255 -p1 -b .bug81719
-%patch256 -p1 -b .bug81720
-%patch257 -p1 -b .bug81727
-%patch258 -p1 -b .bug81726
+%patch -P208 -p1 -b .bug77396
+%patch -P209 -p1 -b .bug77431
+%patch -P210 -p1 -b .bug77540
+%patch -P211 -p1 -b .bug77563
+%patch -P212 -p1 -b .bug77586
+%patch -P213 -p1 -b .bug77630
+%patch -P214 -p1 -b .backport
+%patch -P215 -p1 -b .sqlite3.defensive
+%patch -P216 -p1 -b .bug77753
+%patch -P217 -p1 -b .bug77831
+%patch -P218 -p1 -b .bug77950
+%patch -P219 -p1 -b .bug78069
+%patch -P220 -p1 -b .bug77988
+%patch -P221 -p1 -b .bug77967
+%patch -P222 -p1 -b .bug78222
+%patch -P223 -p1 -b .bug78256
+%patch -P224 -p1 -b .bug77919
+%patch -P225 -p1 -b .bug75457
+%patch -P226 -p1 -b .bug78380
+%patch -P227 -p1 -b .bug78599
+%patch -P228 -p1 -b .bug78878
+%patch -P229 -p1 -b .bug78862
+%patch -P230 -p1 -b .bug78863
+%patch -P231 -p1 -b .bug78793
+%patch -P232 -p1 -b .bug78910
+%patch -P233 -p1 -b .bug79099
+%patch -P234 -p1 -b .bug79037
+%patch -P236 -p1 -b .bug79221
+%patch -P237 -p1 -b .bug79082
+%patch -P238 -p1 -b .bug79282
+%patch -P239 -p1 -b .bug79329
+%patch -P240 -p1 -b .bug79330
+%patch -P241 -p1 -b .bug79465
+%patch -P242 -p1 -b .bug78875
+%patch -P243 -p1 -b .bug79797
+%patch -P244 -p1 -b .bug79877
+%patch -P246 -p1 -b .bug79699
+%patch -P247 -p1 -b .bug77423
+%patch -P248 -p1 -b .bug80672
+%patch -P249 -p1 -b .bug80710
+%patch -P250 -p1 -b .bug81122
+%patch -P251 -p1 -b .bug76450
+%patch -P252 -p1 -b .bug81211
+%patch -P253 -p1 -b .bug81026
+%patch -P254 -p1 -b .bug79971
+%patch -P255 -p1 -b .bug81719
+%patch -P256 -p1 -b .bug81720
+%patch -P257 -p1 -b .bug81727
+%patch -P258 -p1 -b .bug81726
+%patch -P259 -p1 -b .bug81740
+%patch -P260 -p1 -b .bug81744
+%patch -P261 -p1 -b .bug81746
+%patch -P262 -p1 -b .cve0662
+%patch -P263 -p1 -b .cve3247
+%patch -P264 -p1 -b .cve3823
+%patch -P265 -p1 -b .cve3824
# Fixes for tests
-%patch300 -p1 -b .datetests
+%patch -P300 -p1 -b .datetests
%if %{with_libpcre}
%if 0%{?fedora} < 21
# Only apply when system libpcre < 8.34
-%patch301 -p1 -b .pcre834
+%patch -P301 -p1 -b .pcre834
%endif
%endif
# New openssl certs
-%patch302 -p1 -b .renewcert
+%patch -P302 -p1 -b .renewcert
rm ext/openssl/tests/bug65538_003.phpt
# WIP patch
@@ -1343,11 +1365,7 @@ build --libdir=%{_libdir}/php \
--with-mysqli=shared,mysqlnd \
--with-mysql-sock=%{mysql_sock} \
%if %{with_oci8}
-%ifarch x86_64
- --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client64/lib,%{oraclever} \
-%else
- --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client/lib,%{oraclever} \
-%endif
+ --with-oci8=shared,instantclient,%{_prefix}/lib/oracle/%{oracledir}/client64/lib,%{oraclever} \
--with-pdo-oci=shared,instantclient,/usr,%{oraclever} \
%endif
--with-interbase=shared,%{_libdir}/firebird \
@@ -1489,11 +1507,7 @@ build --includedir=%{_includedir}/php-zts \
--with-mysql-sock=%{mysql_sock} \
--enable-mysqlnd-threading \
%if %{with_oci8}
-%ifarch x86_64
- --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client64/lib,%{oraclever} \
-%else
- --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client/lib,%{oraclever} \
-%endif
+ --with-oci8=shared,instantclient,%{_prefix}/lib/oracle/%{oracledir}/client64/lib,%{oraclever} \
--with-pdo-oci=shared,instantclient,/usr,%{oraclever} \
%endif
--with-interbase=shared,%{_libdir}/firebird \
@@ -1847,7 +1861,7 @@ sed -e "s/@PHP_APIVER@/%{apiver}%{isasuffix}/" \
%endif
< %{SOURCE3} > macros.php
%if 0%{?fedora} >= 24
-echo '%%pecl_xmldir %{_localstatedir}/lib/php/peclxml' >>macros.php
+echo '%%pecl_xmldir %%{_localstatedir}/lib/php/peclxml' >>macros.php
%endif
install -m 644 -D macros.php \
$RPM_BUILD_ROOT%{macrosdir}/macros.php
@@ -1948,7 +1962,7 @@ cat << EOF
WARNING : PHP 5.6 have reached its "End of Life" in
January 2019. Even, if this package includes some of
- the important security fix, backported from 7.4, the
+ the important security fixes, backported from 8.0, the
UPGRADE to a maintained version is very strongly RECOMMENDED.
=====================================================================
@@ -2127,7 +2141,35 @@ EOF
%changelog
-* Tue Sep 27 2022 Remi Collet <remi@remirepo.net> - 7.0.33-35
+* Wed Aug 2 2023 Remi Collet <remi@remirepo.net> - 5.6.40-39
+- Fix Security issue with external entity loading in XML without enabling it
+ GHSA-3qrf-m4j2-pcrr CVE-2023-3823
+- Fix Buffer mismanagement in phar_dir_read()
+ GHSA-jqcx-ccgc-xwhv CVE-2023-3824
+
+* Wed Jun 21 2023 Remi Collet <remi@remirepo.net> - 5.6.40-38
+- fix possible buffer overflow in date
+
+* Wed Jun 7 2023 Remi Collet <remi@remirepo.net> - 5.6.40-37
+- Fix insufficient random bytes in HTTP Digest authentication for SOAP
+ GHSA-76gg-c692-v2mw CVE-2023-3247
+- use oracle client library version 21.10
+- define __phpize and __phpconfig
+
+* Tue Feb 14 2023 Remi Collet <remi@remirepo.net> - 5.6.40-36
+- fix #81744: Password_verify() always return true with some hash
+ CVE-2023-0567
+- fix #81746: 1-byte array overrun in common path resolve code
+ CVE-2023-0568
+- fix DOS vulnerability when parsing multipart request body
+ CVE-2023-0662
+
+* Tue Dec 20 2022 Remi Collet <remi@remirepo.net> - 5.6.40-35
+- pdo: fix #81740: PDO::quote() may return unquoted string
+ CVE-2022-31631
+- use oracle client library version 21.8
+
+* Tue Sep 27 2022 Remi Collet <remi@remirepo.net> - 5.6.40-34
- phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628
- core: fix #81727 Don't mangle HTTP variable names that clash with ones
that have a specific semantic meaning. CVE-2022-31629