From b7581d7d6e424b72f8653e9852e882436fffb6c5 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 17 Mar 2020 08:17:06 +0100
Subject: standard:   Fix #79329 get_headers() silently truncates after a null
 byte   CVE-2020-7066 exif:   Fix #79282 Use-of-uninitialized-value in exif  
 CVE-2020-7064 use oracle client library version 19.6 (18.5 on EL-6)

---
 php-bug79282.patch | 113 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 php-bug79329.patch |  59 ++++++++++++++++++++++++++++
 php56.spec         |  17 +++++++-
 3 files changed, 187 insertions(+), 2 deletions(-)
 create mode 100644 php-bug79282.patch
 create mode 100644 php-bug79329.patch

diff --git a/php-bug79282.patch b/php-bug79282.patch
new file mode 100644
index 0000000..9441159
--- /dev/null
+++ b/php-bug79282.patch
@@ -0,0 +1,113 @@
+From 5ac3ebcd4f9509d1a7e54f30117227822fbc0648 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:26:00 -0700
+Subject: [PATCH] Fixed bug #79282
+
+(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216)
+(cherry picked from commit 8577fa5891220dac40d42b2f745fa159dcd871ad)
+(cherry picked from commit 59119490c9e2359ea720928b2e71b68e5c20f195)
+---
+ ext/exif/exif.c              |  7 ++++++-
+ ext/exif/tests/bug79282.phpt | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug79282.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f64a14ed9c..bf2fd61cd1 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3253,6 +3253,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
+ {
+ 	unsigned exif_value_2a, offset_of_ifd;
+ 
++	if (length < 2) {
++		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
++		return;
++	}
++
+ 	/* set the thumbnail stuff to nothing so we can test to see if they get set up */
+ 	if (memcmp(CharBuf, "II", 2) == 0) {
+ 		ImageInfo->motorola_intel = 0;
+@@ -3405,7 +3410,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC)
+ 			return FALSE;
+ 		}
+ 
+-		sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL);
++		sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);
+ 		Data = ImageInfo->file.list[sn].data;
+ 
+ 		/* Store first two pre-read bytes. */
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+new file mode 100644
+index 0000000000..7b7e365657
+--- /dev/null
++++ b/ext/exif/tests/bug79282.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #79282: Use-of-uninitialized-value in exif
++--FILE--
++<?php
++
++var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
++
++?>
++--EXPECTF--
++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++
++Warning: exif_read_data(): File structure corrupted in %s on line %d
++
++Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++bool(false)
+From 90ca028814e7ba32e58b55f0b4db306f1809af3d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:55:28 -0700
+Subject: [PATCH] Fix test
+
+(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be)
+(cherry picked from commit ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c)
+(cherry picked from commit c1d08859cdac23aeff99953797231f6824d045c5)
+---
+ ext/exif/tests/bug79282.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index 7b7e365657..df91127c9c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+ 
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
+ 
+ Warning: exif_read_data(): File structure corrupted in %s on line %d
+ 
+From 4a281e20969e209bfdd2c88560ce5f57806d0b31 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:23:32 +0100
+Subject: [PATCH] fix test
+
+(cherry picked from commit b42b6d0ff774fdced1155cb0c721d91914d619f5)
+(cherry picked from commit 51cc7a6225bbf1f7dfe0ffeb318fb0ff098780f9)
+---
+ ext/exif/tests/bug79282.phpt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index df91127c9c..142cf28a6c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+ 
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d
+ 
+-Warning: exif_read_data(): File structure corrupted in %s on line %d
++Warning: exif_read_data(%s): File structure corrupted in %s on line %d
+ 
+-Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d
+ bool(false)
diff --git a/php-bug79329.patch b/php-bug79329.patch
new file mode 100644
index 0000000..a8bf790
--- /dev/null
+++ b/php-bug79329.patch
@@ -0,0 +1,59 @@
+From c3582855b88cfde8e69734da738803b54c2c2e26 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:25:12 +0100
+Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0
+
+From 0d139c5b94a5f485a66901919e51faddb0371c43
+
+(cherry picked from commit b7b9302660a23a67285e204bc3d7fcf6ba7f6533)
+(cherry picked from commit b9a1e6bfd762d2bf7fa3c5bbcfbb6dcdfdfa982c)
+---
+ ext/standard/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 6ecace53e5..d6e71fa487 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -675,7 +675,7 @@ PHP_FUNCTION(get_headers)
+ 	HashTable *hashT;
+ 	long format = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &url, &url_len, &format) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &url, &url_len, &format) == FAILURE) {
+ 		return;
+ 	}
+ 	context = FG(default_context) ? FG(default_context) : (FG(default_context) = php_stream_context_alloc(TSRMLS_C));
+From f94716859dfa52416754faa226d1bd642373f117 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 19:35:26 -0700
+Subject: [PATCH] [ci skip] Update NEWS
+
+(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5)
+(cherry picked from commit 03471e31c9b467d1d8d944e44fa009ef247e81bd)
+(cherry picked from commit 4844343ac37e8e3ca4d995b1d91fc0f9daf03d5f)
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 22e714e837..5085d35e9a 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.2.29
++
++- Core: 
++  . Fixed bug #79329 (get_headers() silently truncates after a null byte) 
++    (CVE-2020-7066) (cmb)
++
++- EXIF:
++  . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) 
++    (Nikita)
++
+ Backported from 7.2.28
+ 
+ - Phar:
diff --git a/php56.spec b/php56.spec
index 21e19c3..594e7b2 100644
--- a/php56.spec
+++ b/php56.spec
@@ -36,7 +36,7 @@
 %endif
 %global oraclelib 18.1
 %else
-%global oraclever 19.5
+%global oraclever 19.6
 %global oraclelib 19.1
 %endif
 
@@ -152,7 +152,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.6.40
-Release: 18%{?dist}
+Release: 19%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -244,6 +244,8 @@ Patch233: php-bug79099.patch
 Patch234: php-bug79037.patch
 Patch236: php-bug79221.patch
 Patch237: php-bug79082.patch
+Patch238: php-bug79282.patch
+Patch239: php-bug79329.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1041,6 +1043,8 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
 %patch234 -p1 -b .bug79037
 %patch236 -p1 -b .bug79221
 %patch237 -p1 -b .bug79082
+%patch238 -p1 -b .bug79282
+%patch239 -p1 -b .bug79329
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -2097,6 +2101,15 @@ EOF
 
 
 %changelog
+* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 5.6.40-19
+- standard:
+  Fix #79329 get_headers() silently truncates after a null byte
+  CVE-2020-7066
+- exif:
+  Fix #79282 Use-of-uninitialized-value in exif
+  CVE-2020-7064
+- use oracle client library version 19.6 (18.5 on EL-6)
+
 * Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 5.6.40-18
 - phar:
   Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
-- 
cgit