From 794e4ce8b0c8c6592b935e82fd8d5a40cdbf35bd Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Apr 2020 09:36:58 +0200
Subject: standard:   Fix #79330 shell_exec silently truncates after a null
 byte   Fix #79465 OOB Read in urldecode   CVE-2020-7067

---
 php-bug79465.patch | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 php-bug79465.patch

(limited to 'php-bug79465.patch')

diff --git a/php-bug79465.patch b/php-bug79465.patch
new file mode 100644
index 0000000..6bdf194
--- /dev/null
+++ b/php-bug79465.patch
@@ -0,0 +1,59 @@
+From 26770fed5530c46a68653e868be0a266c42c33e8 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:07:04 -0700
+Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes.
+
+(cherry picked from commit 9d6bf8221b05f86ce5875832f0f646c4c1f218be)
+---
+ ext/standard/url.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index d6e71fa487..0278bd47e8 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -545,7 +545,7 @@ PHPAPI int php_url_decode(char *str, int len)
+ #ifndef CHARSET_EBCDIC
+ 			*dest = (char) php_htoi(data + 1);
+ #else
+-			*dest = os_toebcdic[(char) php_htoi(data + 1)];
++			*dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ 			data += 2;
+ 			len -= 2;
+@@ -647,7 +647,7 @@ PHPAPI int php_raw_url_decode(char *str, int len)
+ #ifndef CHARSET_EBCDIC
+ 			*dest = (char) php_htoi(data + 1);
+ #else
+-			*dest = os_toebcdic[(char) php_htoi(data + 1)];
++			*dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ 			data += 2;
+ 			len -= 2;
+From c1f77159cfd61479bc22cf41d7964673c31b222a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Apr 2020 08:02:28 +0200
+Subject: [PATCH] NEWS
+
+(cherry picked from commit bd4a5ebe653f36ea7705fbc95a6ec4842d7f86fc)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5085d35e9a..281b52fe76 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.2.30
++
++- Standard:
++  . Fixed bug #79330 (shell_exec silently truncates after a null byte). (stas)
++  . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) (stas)
++
+ Backported from 7.2.29
+ 
+ - Core: 
-- 
cgit