summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-07-30 12:13:26 +0200
committerRemi Collet <remi@remirepo.net>2019-07-30 12:13:26 +0200
commit05daae53dc5973acafcaf058685d3766c8505d63 (patch)
tree9977f212071d4fff92667e77b0cc9216c5d1fa58
parentc26b254de1a2c65b994cca66fb4ef9ee292b8db7 (diff)
- exif:
Fix #78256 heap-buffer-overflow on exif_process_user_comment CVE-2019-11042 Fix #78222 heap-buffer-overflow on exif_scan_thumbnail CVE-2019-11041 - phar: Fix #77919 Potential UAF in Phar RSHUTDOWN
-rw-r--r--failed.txt2
-rw-r--r--php-bug77919.patch61
-rw-r--r--php-bug78222.patch32
-rw-r--r--php-bug78256.patch47
-rw-r--r--php70.spec19
5 files changed, 158 insertions, 3 deletions
diff --git a/failed.txt b/failed.txt
index c0072c0..23bd611 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.0.33-9 (2019-05-28)
+===== 7.0.33-12 (2019-07-30)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
diff --git a/php-bug77919.patch b/php-bug77919.patch
new file mode 100644
index 0000000..c299960
--- /dev/null
+++ b/php-bug77919.patch
@@ -0,0 +1,61 @@
+From 8fb2917b3fa4f97ae290b109e91dab558552ad3c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 29 Jul 2019 16:08:03 +0200
+Subject: [PATCH] Fix #77919: Potential UAF in Phar RSHUTDOWN
+
+We have to properly clean up in case phar_flush() is failing.
+
+We also make the expectation of the respective test case less liberal
+to avoid missing such bugs in the future.
+
+(cherry picked from commit cd1101e8c87aa175c2d5e87ddec656e50ef4ab5d)
+---
+ NEWS | 9 +++++++++
+ ext/phar/phar_object.c | 4 +++-
+ ext/phar/tests/bug71488.phpt | 5 ++++-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 0a941ccd21..e27ac93e67 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,17 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++ Backported from 7.1.31
++
++- EXIF:
++ . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment).
++ (CVE-2019-11042) (Stas)
++ . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
++ (CVE-2019-11041) (Stas)
++
++- Phar:
++ . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)
++
+ Backported from 7.1.30
+
+ - EXIF:
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 539ef50f8f..d4ad4e0dcf 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -2064,7 +2064,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext, ze
+ char *newname = NULL, *newpath = NULL;
+ zval ret, arg1;
+ zend_class_entry *ce;
+- char *error;
++ char *error = NULL;
+ const char *pcr_error;
+ int ext_len = ext ? strlen(ext) : 0;
+ size_t new_len, oldname_len;
+@@ -2232,6 +2232,8 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext, ze
+ phar_flush(phar, 0, 0, 1, &error);
+
+ if (error) {
++ zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len);
++ *sphar = NULL;
+ zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error);
+ efree(error);
+ efree(oldpath);
diff --git a/php-bug78222.patch b/php-bug78222.patch
new file mode 100644
index 0000000..adbb0f1
--- /dev/null
+++ b/php-bug78222.patch
@@ -0,0 +1,32 @@
+Without test as binary patch not supported
+
+
+
+
+From 2a0f13b2321381cf8772ff6ac10bbb8d2820b8f9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:01:01 -0700
+Subject: [PATCH] Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+
+(cherry picked from commit dea2989ab8ba87a6180af497b2efaf0527e985c5)
+---
+ ext/exif/exif.c | 2 +-
+ ext/exif/tests/bug78222.jpg | Bin 0 -> 91 bytes
+ ext/exif/tests/bug78222.phpt | 11 +++++++++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78222.jpg
+ create mode 100644 ext/exif/tests/bug78222.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index dd7d268bbd..8b379bbb7f 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3497,7 +3497,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+ size_t length=2, pos=0;
+ jpeg_sof_info sof_info;
+
+- if (!data) {
++ if (!data || ImageInfo->Thumbnail.size < 4) {
+ return FALSE; /* nothing to do here */
+ }
+ if (memcmp(data, "\xFF\xD8\xFF", 3)) {
diff --git a/php-bug78256.patch b/php-bug78256.patch
new file mode 100644
index 0000000..f4e4232
--- /dev/null
+++ b/php-bug78256.patch
@@ -0,0 +1,47 @@
+Without test as binary patch not supported
+
+
+
+
+From 3174fd02078cd9cfd21dc1256adbb1cf8a6cb973 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:39:59 -0700
+Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on
+ exif_process_user_comment)
+
+(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)
+---
+ ext/exif/exif.c | 6 +++---
+ ext/exif/tests/bug78256.jpg | Bin 0 -> 69 bytes
+ ext/exif/tests/bug78256.phpt | 11 +++++++++++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+ create mode 100644 ext/exif/tests/bug78256.jpg
+ create mode 100644 ext/exif/tests/bug78256.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 8b379bbb7f..3f8dd907dc 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2619,7 +2619,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ {
+ int a;
+ char *decode;
+- size_t len;;
++ size_t len;
+
+ *pszEncoding = NULL;
+ /* Copy the comment */
+@@ -2632,11 +2632,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
+ * since we have no encoding support for the BOM yet we skip that.
+ */
+- if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
++ if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
+ decode = "UCS-2BE";
+ szValuePtr = szValuePtr+2;
+ ByteCount -= 2;
+- } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
++ } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
+ decode = "UCS-2LE";
+ szValuePtr = szValuePtr+2;
+ ByteCount -= 2;
diff --git a/php70.spec b/php70.spec
index deff63a..1b97cd0 100644
--- a/php70.spec
+++ b/php70.spec
@@ -114,7 +114,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 11%{?dist}
+Release: 12%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -195,6 +195,9 @@ Patch218: php-bug77950.patch
Patch219: php-bug78069.patch
Patch220: php-bug77988.patch
Patch221: php-bug77967.patch
+Patch222: php-bug78222.patch
+Patch223: php-bug78256.patch
+Patch224: php-bug77919.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1070,6 +1073,9 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
%patch219 -p1 -b .bug78069
%patch220 -p1 -b .bug77988
%patch221 -p1 -b .bug77967
+%patch222 -p1 -b .bug78222
+%patch223 -p1 -b .bug78256
+%patch224 -p1 -b .bug77919
# Fixes for tests
%if 0%{?fedora} >= 21 || 0%{?rhel} >= 5
@@ -2104,7 +2110,16 @@ fi
%changelog
-* Tue Jul 2 2019 Remi Collet <remi@remirepo.net> - 7.1.30-3
+* Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 7.0.33-12
+- exif:
+ Fix #78256 heap-buffer-overflow on exif_process_user_comment
+ CVE-2019-11042
+ Fix #78222 heap-buffer-overflow on exif_scan_thumbnail
+ CVE-2019-11041
+- phar:
+ Fix #77919 Potential UAF in Phar RSHUTDOWN
+
+* Tue Jul 2 2019 Remi Collet <remi@remirepo.net> - 7.0.33-11
- use oracle client library version 19.3
- disable opcache.huge_code_pages in default configuration