From 671d9816d288c0bda30629fdaa1235c3baf5cc16 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 30 Jul 2019 11:12:58 +0200
Subject: - exif:   Fix #78256 heap-buffer-overflow on
 exif_process_user_comment   CVE-2019-11042   Fix #78222 heap-buffer-overflow
 on exif_scan_thumbnail   CVE-2019-11041 - phar:   Fix #77919 Potential UAF in
 Phar RSHUTDOWN

---
 failed.txt         |  6 +++--
 php-bug77919.patch | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php-bug78222.patch | 32 +++++++++++++++++++++++
 php-bug78256.patch | 47 ++++++++++++++++++++++++++++++++++
 php56.spec         | 17 ++++++++++++-
 5 files changed, 173 insertions(+), 3 deletions(-)
 create mode 100644 php-bug77919.patch
 create mode 100644 php-bug78222.patch
 create mode 100644 php-bug78256.patch

diff --git a/failed.txt b/failed.txt
index 023e9a8..70bd2b4 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,9 +1,9 @@
-===== 5.6.40-9 (2019-05-28)
+===== 5.6.40-12 (2019-07-30)
 
 $ grep -r 'Tests failed' /var/lib/mock/*/build.log
 
 /var/lib/mock/el6i/build.log:Tests failed    :     4
-/var/lib/mock/el6x/build.log:Tests failed    :     0
+/var/lib/mock/el6x/build.log:Tests failed    :     1
 /var/lib/mock/el7x/build.log:Tests failed    :     0
 
 
@@ -12,6 +12,8 @@ el6i:
 	4	Test getdate() function : usage variation - Passing high positive and negative float values to timestamp. [ext/date/tests/getdate_variation7.phpt]
 		Peer verification enabled for client streams [ext/openssl/tests/peer_verification.phpt]
 		Peer verification matches SAN names [ext/openssl/tests/san_peer_matching.phpt]
+el6x:
+		Test disk_free_space and its alias diskfreespace() functions : basic functionality [ext/standard/tests/file/disk_free_space_basic.phpt]
 
 
 1	proc_open have erratic results... :(
diff --git a/php-bug77919.patch b/php-bug77919.patch
new file mode 100644
index 0000000..4245a5d
--- /dev/null
+++ b/php-bug77919.patch
@@ -0,0 +1,74 @@
+From 245e5011da14098b8158cf5c5400483399729298 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 29 Jul 2019 16:08:03 +0200
+Subject: [PATCH] Fix #77919: Potential UAF in Phar RSHUTDOWN
+
+We have to properly clean up in case phar_flush() is failing.
+
+We also make the expectation of the respective test case less liberal
+to avoid missing such bugs in the future.
+
+(cherry picked from commit cd1101e8c87aa175c2d5e87ddec656e50ef4ab5d)
+---
+ NEWS                         | 10 ++++++++++
+ ext/phar/phar_object.c       |  4 +++-
+ ext/phar/tests/bug71488.phpt |  5 ++++-
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 3f49461732..5039cdf59d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,17 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.1.31
++
++- EXIF:
++  . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment).
++    (CVE-2019-11042) (Stas)
++  . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
++    (CVE-2019-11041) (Stas)
++  
++- Phar:
++  . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)
++
+ Backported from 7.1.30
+ 
+ - EXIF:
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 77e08c52a5..d69837218f 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -2026,7 +2026,7 @@ static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool
+ 	char *newname = NULL, *newpath = NULL;
+ 	zval *ret, arg1;
+ 	zend_class_entry *ce;
+-	char *error;
++	char *error = NULL;
+ 	const char *pcr_error;
+ 	int ext_len = ext ? strlen(ext) : 0;
+ 	int oldname_len;
+@@ -2186,6 +2186,8 @@ static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool
+ 	phar_flush(phar, 0, 0, 1, &error TSRMLS_CC);
+ 
+ 	if (error) {
++		zend_hash_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len);
++		*sphar = NULL;
+ 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "%s", error);
+ 		efree(error);
+ 		efree(oldpath);
+diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
+index 8468ce212a..b8c0f33250 100644
+--- a/ext/phar/tests/bug71488.phpt
++++ b/ext/phar/tests/bug71488.phpt
+@@ -15,4 +15,7 @@ DONE
+ ?>
+ --EXPECTF--
+ Fatal error: Uncaught exception 'BadMethodCallException' with message 'tar-based phar "%sbug71488.test" cannot be created, link "%s" is too long for format' in %sbug71488.php:%d
+-Stack trace:%A
++Stack trace:
++#0 %s(%d): PharData->decompress('test')
++#1 {main}
++  thrown in %s on line %d
diff --git a/php-bug78222.patch b/php-bug78222.patch
new file mode 100644
index 0000000..13ea1d5
--- /dev/null
+++ b/php-bug78222.patch
@@ -0,0 +1,32 @@
+Without test as binary patch not supported
+
+
+
+
+From 13cbda640120afdaf68f44bb482723d451bc86ec Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:01:01 -0700
+Subject: [PATCH] Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+
+(cherry picked from commit dea2989ab8ba87a6180af497b2efaf0527e985c5)
+---
+ ext/exif/exif.c              |   2 +-
+ ext/exif/tests/bug78222.jpg  | Bin 0 -> 91 bytes
+ ext/exif/tests/bug78222.phpt |  11 +++++++++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78222.jpg
+ create mode 100644 ext/exif/tests/bug78222.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index b6c31773ab..a5fa0b8fb0 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3508,7 +3508,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC)
+ 	size_t          length=2, pos=0;
+ 	jpeg_sof_info   sof_info;
+ 
+-	if (!data) {
++	if (!data || ImageInfo->Thumbnail.size < 4) {
+ 		return FALSE; /* nothing to do here */
+ 	}
+ 	if (memcmp(data, "\xFF\xD8\xFF", 3)) {
diff --git a/php-bug78256.patch b/php-bug78256.patch
new file mode 100644
index 0000000..553bcac
--- /dev/null
+++ b/php-bug78256.patch
@@ -0,0 +1,47 @@
+Without test as binary patch not supported
+
+
+
+
+From 63c0ed60c2b5580b1542690d52d4a26401342563 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:39:59 -0700
+Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on
+ exif_process_user_comment)
+
+(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)
+---
+ ext/exif/exif.c              |   6 +++---
+ ext/exif/tests/bug78256.jpg  | Bin 0 -> 69 bytes
+ ext/exif/tests/bug78256.phpt |  11 +++++++++++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+ create mode 100644 ext/exif/tests/bug78256.jpg
+ create mode 100644 ext/exif/tests/bug78256.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a5fa0b8fb0..ec362f7e6d 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2628,7 +2628,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ {
+ 	int   a;
+ 	char  *decode;
+-	size_t len;;
++	size_t len;
+ 
+ 	*pszEncoding = NULL;
+ 	/* Copy the comment */
+@@ -2641,11 +2641,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ 			/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
+ 			 * since we have no encoding support for the BOM yet we skip that.
+ 			 */
+-			if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
++			if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
+ 				decode = "UCS-2BE";
+ 				szValuePtr = szValuePtr+2;
+ 				ByteCount -= 2;
+-			} else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
++			} else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
+ 				decode = "UCS-2LE";
+ 				szValuePtr = szValuePtr+2;
+ 				ByteCount -= 2;
diff --git a/php56.spec b/php56.spec
index 903a907..e582328 100644
--- a/php56.spec
+++ b/php56.spec
@@ -148,7 +148,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.6.40
-Release: 11%{?dist}
+Release: 12%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -225,6 +225,9 @@ Patch218: php-bug77950.patch
 Patch219: php-bug78069.patch
 Patch220: php-bug77988.patch
 Patch221: php-bug77967.patch
+Patch222: php-bug78222.patch
+Patch223: php-bug78256.patch
+Patch224: php-bug77919.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1005,6 +1008,9 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
 %patch219 -p1 -b .bug78069
 %patch220 -p1 -b .bug77988
 %patch221 -p1 -b .bug77967
+%patch222 -p1 -b .bug78222
+%patch223 -p1 -b .bug78256
+%patch224 -p1 -b .bug77919
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -2057,6 +2063,15 @@ EOF
 
 
 %changelog
+* Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-12
+- exif:
+  Fix #78256 heap-buffer-overflow on exif_process_user_comment
+  CVE-2019-11042
+  Fix #78222 heap-buffer-overflow on exif_scan_thumbnail
+  CVE-2019-11041
+- phar:
+  Fix #77919 Potential UAF in Phar RSHUTDOWN
+
 * Tue Jul  2 2019 Remi Collet <remi@remirepo.net> - 5.6.40-11
 - use oracle client library version 19.3
 
-- 
cgit