diff options
author | Remi Collet <remi@remirepo.net> | 2019-04-02 16:18:22 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-04-02 16:18:22 +0200 |
commit | 41459cd6c7eec2fbaafbc956d901342cfa1216fc (patch) | |
tree | 957df0ab79a32eb70c5eb5f8d6bd2656267ab72b | |
parent | 203a5d87754d5da4dc93cf165a422e4a7676d607 (diff) |
- exif:
Fix #77753 Heap-buffer-overflow in php_ifd_get32s
Fix #77831 Heap-buffer-overflow in exif_iif_add_value
- sqlite3:
Added sqlite3.defensive INI directive
-rw-r--r-- | failed.txt | 6 | ||||
-rw-r--r-- | php-bug77753.patch | 33 | ||||
-rw-r--r-- | php-bug77831.patch | 232 | ||||
-rw-r--r-- | php-news.patch | 96 | ||||
-rw-r--r-- | php-sqlite3-defensive.patch | 167 | ||||
-rw-r--r-- | php70.spec | 17 |
6 files changed, 546 insertions, 5 deletions
@@ -1,14 +1,12 @@ -===== 7.0.33-5 (2019-03-05) +===== 7.0.33-7 (2019-04-02) $ grep -r 'Tests failed' /var/lib/mock/*/build.log /var/lib/mock/el6i/build.log:Tests failed : 0 /var/lib/mock/el6x/build.log:Tests failed : 0 -/var/lib/mock/el7x/build.log:Tests failed : 1 +/var/lib/mock/el7x/build.log:Tests failed : 0 -el7x: - 1 Bug #68879: Match IP address fields in subjectAltName checks [ext/openssl/tests/bug68879.phpt] 1 proc_open give erratic test results :( diff --git a/php-bug77753.patch b/php-bug77753.patch new file mode 100644 index 0000000..59fc5f0 --- /dev/null +++ b/php-bug77753.patch @@ -0,0 +1,33 @@ +Without test as binary patch are not supported + + + +From 46bda08a639a77da855bcd306d0a0095af169b8e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 17 Mar 2019 22:54:46 -0700 +Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s + +(cherry picked from commit f3aefc6d071b807ddacae0a0bc49f09c38e18490) +--- + ext/exif/exif.c | 4 ++++ + ext/exif/tests/bug77753.phpt | 16 ++++++++++++++++ + ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes + 3 files changed, 20 insertions(+) + create mode 100644 ext/exif/tests/bug77753.phpt + create mode 100644 ext/exif/tests/bug77753.tiff + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 57567fb666..cd6b824d38 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2801,6 +2801,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len); + return FALSE; + } ++ if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) { ++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len); ++ return FALSE; ++ } + + for (de=0;de<NumDirEntries;de++) { + if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de, diff --git a/php-bug77831.patch b/php-bug77831.patch new file mode 100644 index 0000000..afef6df --- /dev/null +++ b/php-bug77831.patch @@ -0,0 +1,232 @@ +Without test as binary patch are not supported + + + +From b325c4632c6a2016109c9f53397ef4356bb47bcf Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 2 Apr 2019 00:12:26 -0700 +Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value + in EXIF + +(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4) +--- + NEWS | 4 ++++ + ext/exif/exif.c | 43 +++++++++++++++++++++++------------ + ext/exif/tests/bug77831.phpt | 13 +++++++++++ + ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes + 4 files changed, 45 insertions(+), 15 deletions(-) + create mode 100644 ext/exif/tests/bug77831.phpt + create mode 100644 ext/exif/tests/bug77831.tiff + +diff --git a/NEWS b/NEWS +index 4ab4ddb5cd..a49afe2411 100644 +--- a/NEWS ++++ b/NEWS +@@ -3,6 +3,10 @@ PHP NEWS + + Backported from 7.1.28 + ++- EXIF: ++ . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas) ++ . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas) ++ + - SQLite3: + . Added sqlite3.defensive INI directive. (BohwaZ) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index cd6b824d38..fc6ee852fa 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1654,10 +1654,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo) + /* {{{ exif_iif_add_value + Add a value to image_info + */ +-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel) ++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel) + { + size_t idex; +- void *vptr; ++ void *vptr, *vptr_end; + image_info_value *info_value; + image_info_data *info_data; + image_info_data *list; +@@ -1679,8 +1679,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + + switch (format) { + case TAG_FMT_STRING: ++ if (length > value_len) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); ++ value = NULL; ++ } + if (value) { +- length = php_strnlen(value, length); ++ length = (int)php_strnlen(value, length); + info_value->s = estrndup(value, length); + info_data->length = length; + } else { +@@ -1702,6 +1706,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + if (!length) + break; + case TAG_FMT_UNDEFINED: ++ if (length > value_len) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len); ++ value = NULL; ++ } + if (value) { + if (tag == TAG_MAKER_NOTE) { + length = (int) php_strnlen(value, length); +@@ -1732,7 +1740,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + } else { + info_value = &info_data->value; + } ++ vptr_end = value+value_len; + for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) { ++ if (vptr_end - vptr < php_tiff_bytes_per_format[format]) { ++ exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short"); ++ break; ++ } + if (length>1) { + info_value = &info_data->value.list[idex]; + } +@@ -1768,7 +1781,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + php_error_docref(NULL, E_WARNING, "Found value of type single"); + #endif + info_value->f = *(float *)value; +- ++ break; + case TAG_FMT_DOUBLE: + #ifdef EXIF_DEBUG + php_error_docref(NULL, E_WARNING, "Found value of type double"); +@@ -1786,9 +1799,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + /* {{{ exif_iif_add_tag + Add a tag from IFD to image_info + */ +-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value) ++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len) + { +- exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel); ++ exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel); + } + /* }}} */ + +@@ -2209,7 +2222,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im + */ + static void exif_process_COM (image_info_type *image_info, char *value, size_t length) + { +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2); + } + /* }}} */ + +@@ -2224,17 +2237,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l + if (length>3) { + switch(value[2]) { + case 0: +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length; + break; + case 1: +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length); + break; + default: + php_error_docref(NULL, E_NOTICE, "Undefined JPEG2000 comment encoding"); + break; + } + } else { +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL); ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0); + php_error_docref(NULL, E_NOTICE, "JPEG2000 comment section too small"); + } + } +@@ -2826,7 +2839,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table) + { + size_t length; +- int tag, format, components; ++ unsigned int tag, format, components; + char *value_ptr, tagname[64], cbuf[32], *outside=NULL; + size_t byte_count, offset_val, fpos, fgot; + int64_t byte_count_signed; +@@ -3137,7 +3150,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha + } + } + } +- exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr); ++ exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count); + EFREE_IF(outside); + return TRUE; + } +@@ -3295,10 +3308,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t + size_t l1, l2=0; + + if ((l1 = php_strnlen(buffer+2, length-2)) > 0) { +- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2); ++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1); + if (length > 2+l1+1) { + l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1); +- exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1); ++ exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2); + } + } + #ifdef EXIF_DEBUG +@@ -4099,7 +4112,7 @@ PHP_FUNCTION(exif_read_data) + if (ImageInfo.Thumbnail.size) { + if (read_thumbnail) { + /* not exif_iif_add_str : this is a buffer */ +- exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data); ++ exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); + } + if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { + /* try to evaluate if thumbnail data is present */ +From 1f9f1ad6e55d784fd0c6842c3925117247858b8e Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 2 Apr 2019 11:03:40 +0200 +Subject: [PATCH] fix paste issue + +--- + ext/exif/exif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index fc6ee852fa..a1c49e937d 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2237,7 +2237,7 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l + if (length>3) { + switch(value[2]) { + case 0: +- exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length; ++ exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length); + break; + case 1: + exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length); +From e96f513c13926f2e027949c343a93c534f155b6e Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 2 Apr 2019 10:37:40 +0200 +Subject: [PATCH] Pointer arithmetic on void pointers is illegal + +We quick-fix this by casting to char*; it might be more appropriate to +use char pointers in the first place. + +(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c) +--- + ext/exif/exif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index a1c49e937d..0e490abd1b 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -1740,9 +1740,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c + } else { + info_value = &info_data->value; + } +- vptr_end = value+value_len; ++ vptr_end = (char *) value + value_len; + for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) { +- if (vptr_end - vptr < php_tiff_bytes_per_format[format]) { ++ if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) { + exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short"); + break; + } diff --git a/php-news.patch b/php-news.patch new file mode 100644 index 0000000..eb02c6c --- /dev/null +++ b/php-news.patch @@ -0,0 +1,96 @@ +From 2701c18b3f5edcff2b08839c9e18b93b77ec7a81 Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Thu, 7 Mar 2019 16:30:16 +0100 +Subject: [PATCH] Update NEWS + +--- + NEWS | 46 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) + +diff --git a/NEWS b/NEWS +index 5b0aeb597b..bdefc0ede2 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,51 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ++ ++Backported from 7.2.27 ++ ++- Core: ++ . Fixed bug #77630 (rename() across the device may allow unwanted access during ++ processing). (Stas) ++ ++- EXIF: ++ . Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (Stas) ++ . Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas) ++ . Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas) ++ . Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas) ++ ++- PHAR: ++ . Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). ++ (bishop) ++ . Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). (bishop) ++ ++- SPL: ++ . Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb) ++ ++Backported from 7.2.26 ++ ++- GD: ++ . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to ++ use-after-free). (cmb) ++ . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb) ++ ++- Mbstring: ++ . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas) ++ . Fixed bug #77371 (heap buffer overflow in mb regex functions ++ - compile_string_node). (Stas) ++ . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas) ++ . Fixed bug #77382 (heap buffer overflow due to incorrect length in ++ expand_case_fold_string). (Stas) ++ . Fixed bug #77385 (buffer overflow in fetch_token). (Stas) ++ . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas) ++ . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas) ++ ++- Phar: ++ . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas) ++ ++- Xmlrpc: ++ . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb) ++ . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas) ++ + 06 Dec 2018 PHP 7.0.33 + + - Core: +From bffa56dcaafe01686d2b975f7a2e9f740d25e0bb Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Thu, 7 Mar 2019 16:31:43 +0100 +Subject: [PATCH] Fix version in NEWS + +--- + NEWS | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index bdefc0ede2..d21699c54b 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,7 +1,7 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + +-Backported from 7.2.27 ++Backported from 7.1.27 + + - Core: + . Fixed bug #77630 (rename() across the device may allow unwanted access during +@@ -21,7 +21,7 @@ Backported from 7.2.27 + - SPL: + . Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb) + +-Backported from 7.2.26 ++Backported from 7.1.26 + + - GD: + . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to diff --git a/php-sqlite3-defensive.patch b/php-sqlite3-defensive.patch new file mode 100644 index 0000000..5a14fcb --- /dev/null +++ b/php-sqlite3-defensive.patch @@ -0,0 +1,167 @@ +From afc129d7f5cd54edf8614c71318a9b3506d79848 Mon Sep 17 00:00:00 2001 +From: bohwaz <github.bohwaz@miam.kd2.org> +Date: Sun, 16 Dec 2018 22:52:37 +0100 +Subject: [PATCH] SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a + mitigation strategy against potential security flaws + +(cherry picked from commit 58c25bf679125a2da354db58ddc6b0cf6d10ee00) +--- + NEWS | 5 +++ + ext/sqlite3/php_sqlite3.h | 1 + + ext/sqlite3/sqlite3.c | 9 ++++++ + ext/sqlite3/tests/sqlite3_defensive.phpt | 40 ++++++++++++++++++++++++ + php.ini-development | 11 +++++++ + php.ini-production | 11 +++++++ + 6 files changed, 77 insertions(+) + create mode 100644 ext/sqlite3/tests/sqlite3_defensive.phpt + +diff --git a/NEWS b/NEWS +index d21699c54b..4ab4ddb5cd 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,11 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.1.28 ++ ++- SQLite3: ++ . Added sqlite3.defensive INI directive. (BohwaZ) ++ + Backported from 7.1.27 + + - Core: +diff --git a/ext/sqlite3/php_sqlite3.h b/ext/sqlite3/php_sqlite3.h +index c6bf4af07e..047b63d95f 100644 +--- a/ext/sqlite3/php_sqlite3.h ++++ b/ext/sqlite3/php_sqlite3.h +@@ -28,6 +28,7 @@ extern zend_module_entry sqlite3_module_entry; + + ZEND_BEGIN_MODULE_GLOBALS(sqlite3) + char *extension_dir; ++ int dbconfig_defensive; + ZEND_END_MODULE_GLOBALS(sqlite3) + + #ifdef ZTS +diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c +index a22f455331..5e6d9dd792 100644 +--- a/ext/sqlite3/sqlite3.c ++++ b/ext/sqlite3/sqlite3.c +@@ -81,6 +81,9 @@ static void php_sqlite3_error(php_sqlite3_db_object *db_obj, char *format, ...) + */ + PHP_INI_BEGIN() + STD_PHP_INI_ENTRY("sqlite3.extension_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, extension_dir, zend_sqlite3_globals, sqlite3_globals) ++#if SQLITE_VERSION_NUMBER >= 3026000 ++ STD_PHP_INI_ENTRY("sqlite3.defensive", "1", PHP_INI_SYSTEM, OnUpdateBool, dbconfig_defensive, zend_sqlite3_globals, sqlite3_globals) ++#endif + PHP_INI_END() + /* }}} */ + +@@ -178,6 +181,12 @@ PHP_METHOD(sqlite3, open) + sqlite3_set_authorizer(db_obj->db, php_sqlite3_authorizer, NULL); + } + ++#if SQLITE_VERSION_NUMBER >= 3026000 ++ if (SQLITE3G(dbconfig_defensive)) { ++ sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL); ++ } ++#endif ++ + if (fullpath != filename) { + efree(fullpath); + } +diff --git a/ext/sqlite3/tests/sqlite3_defensive.phpt b/ext/sqlite3/tests/sqlite3_defensive.phpt +new file mode 100644 +index 0000000000..064d87b50a +--- /dev/null ++++ b/ext/sqlite3/tests/sqlite3_defensive.phpt +@@ -0,0 +1,40 @@ ++--TEST-- ++SQLite3 defensive mode ini setting ++--SKIPIF-- ++<?php require_once(__DIR__ . '/skipif.inc'); ++ ++if (SQLite3::version()['versionNumber'] < 3026000) { ++ die("skip: sqlite3 library version < 3.26: no support for defensive mode"); ++} ++ ++?> ++--INI-- ++sqlite3.defensive=On ++--FILE-- ++<?php ++ ++$db = new SQLite3(':memory:'); ++var_dump($db->exec('CREATE TABLE test (a, b);')); ++ ++// This does not generate an error! ++var_dump($db->exec('PRAGMA writable_schema = ON;')); ++var_dump($db->querySingle('PRAGMA writable_schema;')); ++ ++// Should be 1 ++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;')); ++ ++// Should generate an error! ++var_dump($db->querySingle('DELETE FROM sqlite_master;')); ++ ++// Should still be 1 ++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;')); ++?> ++--EXPECTF-- ++bool(true) ++bool(true) ++int(1) ++int(1) ++ ++Warning: SQLite3::querySingle(): Unable to prepare statement: 1, table sqlite_master may not be modified in %s on line %d ++bool(false) ++int(1) +\ No newline at end of file +diff --git a/php.ini-development b/php.ini-development +index 50b9dbc37e..0a5be60f6b 100644 +--- a/php.ini-development ++++ b/php.ini-development +@@ -969,8 +969,19 @@ cli_server.color = On + ;intl.use_exceptions = 0 + + [sqlite3] ++; Directory pointing to SQLite3 extensions ++; http://php.net/sqlite3.extension-dir + ;sqlite3.extension_dir = + ++; SQLite defensive mode flag (only available from SQLite 3.26+) ++; When the defensive flag is enabled, language features that allow ordinary ++; SQL to deliberately corrupt the database file are disabled. This forbids ++; writing directly to the schema, shadow tables (eg. FTS data tables), or ++; the sqlite_dbpage virtual table. ++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html ++; (for older SQLite versions, this flag has no use) ++sqlite3.defensive = 1 ++ + [Pcre] + ;PCRE library backtracking limit. + ; http://php.net/pcre.backtrack-limit +diff --git a/php.ini-production b/php.ini-production +index 52a11fce3f..c05428fdbc 100644 +--- a/php.ini-production ++++ b/php.ini-production +@@ -969,8 +969,19 @@ cli_server.color = On + ;intl.use_exceptions = 0 + + [sqlite3] ++; Directory pointing to SQLite3 extensions ++; http://php.net/sqlite3.extension-dir + ;sqlite3.extension_dir = + ++; SQLite defensive mode flag (only available from SQLite 3.26+) ++; When the defensive flag is enabled, language features that allow ordinary ++; SQL to deliberately corrupt the database file are disabled. This forbids ++; writing directly to the schema, shadow tables (eg. FTS data tables), or ++; the sqlite_dbpage virtual table. ++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html ++; (for older SQLite versions, this flag has no use) ++sqlite3.defensive = 1 ++ + [Pcre] + ;PCRE library backtracking limit. + ; http://php.net/pcre.backtrack-limit @@ -112,7 +112,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 6%{?dist} +Release: 7%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -185,6 +185,10 @@ Patch210: php-bug77540.patch Patch211: php-bug77563.patch Patch212: php-bug77586.patch Patch213: php-bug77630.patch +Patch214: php-news.patch +Patch215: php-sqlite3-defensive.patch +Patch216: php-bug77753.patch +Patch217: php-bug77831.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1052,6 +1056,10 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch211 -p1 -b .bug77563 %patch212 -p1 -b .bug77586 %patch213 -p1 -b .bug77630 +%patch214 -p1 -b .backport +%patch215 -p1 -b .sqlite3.defensive +%patch216 -p1 -b .bug77753 +%patch217 -p1 -b .bug77831 # Fixes for tests %if 0%{?fedora} >= 21 || 0%{?rhel} >= 5 @@ -2076,6 +2084,13 @@ fi %changelog +* Tue Apr 2 2019 Remi Collet <remi@remirepo.net> - 7.0.33-7 +- exif: + Fix #77753 Heap-buffer-overflow in php_ifd_get32s + Fix #77831 Heap-buffer-overflow in exif_iif_add_value +- sqlite3: + Added sqlite3.defensive INI directive + * Fri Mar 15 2019 Remi Collet <remi@remirepo.net> - 7.0.33-6 - Fix #76846 Segfault in shutdown function after memory limit error |