diff options
author | Remi Collet <remi@remirepo.net> | 2019-03-05 08:05:32 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-03-05 08:05:32 +0100 |
commit | 8c026d6051827ff72723439bda7650ab3f2d4322 (patch) | |
tree | 16c6f1ff2297c42862cd075a287106e782ba8f4a | |
parent | 9263effd14b58fdcb883b9388511ed58e28e07d0 (diff) |
Fix #77630 rename() across the device may allow unwanted access during processing
-rw-r--r-- | php-bug77630.patch | 86 | ||||
-rw-r--r-- | php70.spec | 24 |
2 files changed, 105 insertions, 5 deletions
diff --git a/php-bug77630.patch b/php-bug77630.patch new file mode 100644 index 0000000..208bbb6 --- /dev/null +++ b/php-bug77630.patch @@ -0,0 +1,86 @@ +From e3133e4db70476fb7adfdedb738483e2255ce0e1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 2 Mar 2019 23:42:53 -0800 +Subject: [PATCH] Fix bug #77630 - safer rename() procedure + +In order to rename safer, we do the following: +- set umask to 077 (unfortunately, not TS, so excluding ZTS) +- chown() first, to set proper group before allowing group access +- chmod() after, even if chown() fails +--- + main/streams/plain_wrapper.c | 51 ++++++++++++++++++++++++------------ + 1 file changed, 34 insertions(+), 17 deletions(-) + +diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c +index af890a9aa3bb..7fdf906e6fad 100644 +--- a/main/streams/plain_wrapper.c ++++ b/main/streams/plain_wrapper.c +@@ -1160,34 +1160,51 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, const char *url_f + # ifdef EXDEV + if (errno == EXDEV) { + zend_stat_t sb; ++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE) ++ /* not sure what to do in ZTS case, umask is not thread-safe */ ++ int oldmask = umask(077); ++# endif ++ int success = 0; + if (php_copy_file(url_from, url_to) == SUCCESS) { + if (VCWD_STAT(url_from, &sb) == 0) { ++ success = 1; + # if !defined(TSRM_WIN32) && !defined(NETWARE) +- if (VCWD_CHMOD(url_to, sb.st_mode)) { +- if (errno == EPERM) { +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- VCWD_UNLINK(url_from); +- return 1; +- } ++ /* ++ * Try to set user and permission info on the target. ++ * If we're not root, then some of these may fail. ++ * We try chown first, to set proper group info, relying ++ * on the system environment to have proper umask to not allow ++ * access to the file in the meantime. ++ */ ++ if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { + php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; ++ if (errno != EPERM) { ++ success = 0; ++ } + } +- if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) { +- if (errno == EPERM) { ++ ++ if (success) { ++ if (VCWD_CHMOD(url_to, sb.st_mode)) { + php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- VCWD_UNLINK(url_from); +- return 1; ++ if (errno != EPERM) { ++ success = 0; ++ } + } +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; + } + # endif +- VCWD_UNLINK(url_from); +- return 1; ++ if (success) { ++ VCWD_UNLINK(url_from); ++ } ++ } else { ++ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); + } ++ } else { ++ php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); + } +- php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno)); +- return 0; ++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE) ++ umask(oldmask); ++# endif ++ return success; + } + # endif + #endif @@ -112,7 +112,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 4%{?dist} +Release: 5%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -183,6 +183,7 @@ Patch209: php-bug77431.patch Patch210: php-bug77540.patch Patch211: php-bug77563.patch Patch212: php-bug77586.patch +Patch213: php-bug77630.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1042,6 +1043,7 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch210 -p1 -b .bug77540 %patch211 -p1 -b .bug77563 %patch212 -p1 -b .bug77586 +%patch213 -p1 -b .bug77630 # Fixes for tests %if 0%{?fedora} >= 21 || 0%{?rhel} >= 5 @@ -1818,10 +1820,18 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/php/modules/*.a \ rm -f README.{Zeus,QNX,CVS-RULES} -%pre common -%if %{?fedora}%{!?fedora:99} < 25 -echo -e "WARNING : Fedora %{fedora} is now EOL :" -echo -e "You should consider upgrading to a supported release.\n" +posttrans +%if %{?fedora}%{!?fedora:99} < 28 +cat << EOF +===================================================================== + + WARNING : PHP 7.0 have reached its "End of Life" in December 2018. + Even, if this package includes some of the important security fix, + backported from 7.1, + The UPGRADE to a maintained version is very strongly RECOMMENDED. + +===================================================================== +EOF %endif @@ -2055,6 +2065,10 @@ fi %changelog +* Tue Mar 5 2019 Remi Collet <remi@remirepo.net> - 7.0.33-5 +- Fix #77630 rename() across the device may allow unwanted access + during processing + * Mon Mar 4 2019 Remi Collet <remi@remirepo.net> - 7.0.33-4 - exif: Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF |