From 794e4ce8b0c8c6592b935e82fd8d5a40cdbf35bd Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 14 Apr 2020 09:36:58 +0200 Subject: standard: Fix #79330 shell_exec silently truncates after a null byte Fix #79465 OOB Read in urldecode CVE-2020-7067 --- php-bug79330.patch | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug79465.patch | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ php56.spec | 12 ++++++++++- 3 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 php-bug79330.patch create mode 100644 php-bug79465.patch diff --git a/php-bug79330.patch b/php-bug79330.patch new file mode 100644 index 0000000..2c112ef --- /dev/null +++ b/php-bug79330.patch @@ -0,0 +1,58 @@ +From 258ad37fe3f91cf862c2870d18d53e5cdb3b3752 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 13 Apr 2020 21:00:44 -0700 +Subject: [PATCH] Fix bug #79330 - make all execution modes consistent in + rejecting \0 + +(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62) +--- + ext/standard/exec.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ext/standard/exec.c b/ext/standard/exec.c +index 88a6b4ab79..a586b786ee 100644 +--- a/ext/standard/exec.c ++++ b/ext/standard/exec.c +@@ -537,6 +537,15 @@ PHP_FUNCTION(shell_exec) + return; + } + ++ if (!command_len) { ++ php_error_docref(NULL, E_WARNING, "Cannot execute a blank command"); ++ RETURN_FALSE; ++ } ++ if (strlen(command) != command_len) { ++ php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack"); ++ RETURN_FALSE; ++ } ++ + #ifdef PHP_WIN32 + if ((in=VCWD_POPEN(command, "rt"))==NULL) { + #else +From 6117c162636bfd7e981f7531dc4d48e358e62be4 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 14 Apr 2020 08:15:07 +0200 +Subject: [PATCH] ZTS + +--- + ext/standard/exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/standard/exec.c b/ext/standard/exec.c +index a586b786ee..40eca2b2c6 100644 +--- a/ext/standard/exec.c ++++ b/ext/standard/exec.c +@@ -538,11 +538,11 @@ PHP_FUNCTION(shell_exec) + } + + if (!command_len) { +- php_error_docref(NULL, E_WARNING, "Cannot execute a blank command"); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command"); + RETURN_FALSE; + } + if (strlen(command) != command_len) { +- php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack"); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "NULL byte detected. Possible attack"); + RETURN_FALSE; + } + diff --git a/php-bug79465.patch b/php-bug79465.patch new file mode 100644 index 0000000..6bdf194 --- /dev/null +++ b/php-bug79465.patch @@ -0,0 +1,59 @@ +From 26770fed5530c46a68653e868be0a266c42c33e8 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 13 Apr 2020 21:07:04 -0700 +Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes. + +(cherry picked from commit 9d6bf8221b05f86ce5875832f0f646c4c1f218be) +--- + ext/standard/url.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index d6e71fa487..0278bd47e8 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -545,7 +545,7 @@ PHPAPI int php_url_decode(char *str, int len) + #ifndef CHARSET_EBCDIC + *dest = (char) php_htoi(data + 1); + #else +- *dest = os_toebcdic[(char) php_htoi(data + 1)]; ++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; + #endif + data += 2; + len -= 2; +@@ -647,7 +647,7 @@ PHPAPI int php_raw_url_decode(char *str, int len) + #ifndef CHARSET_EBCDIC + *dest = (char) php_htoi(data + 1); + #else +- *dest = os_toebcdic[(char) php_htoi(data + 1)]; ++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; + #endif + data += 2; + len -= 2; +From c1f77159cfd61479bc22cf41d7964673c31b222a Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 14 Apr 2020 08:02:28 +0200 +Subject: [PATCH] NEWS + +(cherry picked from commit bd4a5ebe653f36ea7705fbc95a6ec4842d7f86fc) +--- + NEWS | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/NEWS b/NEWS +index 5085d35e9a..281b52fe76 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.30 ++ ++- Standard: ++ . Fixed bug #79330 (shell_exec silently truncates after a null byte). (stas) ++ . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) (stas) ++ + Backported from 7.2.29 + + - Core: diff --git a/php56.spec b/php56.spec index 594e7b2..f04259c 100644 --- a/php56.spec +++ b/php56.spec @@ -152,7 +152,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.6.40 -Release: 19%{?dist} +Release: 20%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -246,6 +246,8 @@ Patch236: php-bug79221.patch Patch237: php-bug79082.patch Patch238: php-bug79282.patch Patch239: php-bug79329.patch +Patch240: php-bug79330.patch +Patch241: php-bug79465.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1045,6 +1047,8 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch237 -p1 -b .bug79082 %patch238 -p1 -b .bug79282 %patch239 -p1 -b .bug79329 +%patch240 -p1 -b .bug79330 +%patch241 -p1 -b .bug79465 # Fixes for tests %patch300 -p1 -b .datetests @@ -2101,6 +2105,12 @@ EOF %changelog +* Tue Apr 14 2020 Remi Collet - 5.6.40-20 +- standard: + Fix #79330 shell_exec silently truncates after a null byte + Fix #79465 OOB Read in urldecode + CVE-2020-7067 + * Tue Mar 17 2020 Remi Collet - 5.6.40-19 - standard: Fix #79329 get_headers() silently truncates after a null byte -- cgit