From 31f64936b375a050907bb77bf2fb33ea3f6ebfe8 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 21 Jun 2023 10:52:29 +0200 Subject: fix possible buffer overflow in date --- php-7.0.0-systzdata-v14.patch | 2 +- php-cve-2023-3247.patch | 151 ++++++++++++++++++++++++++++++++++++ php-ghsa-76gg-c692-v2mw.patch | 124 ------------------------------ php70.spec | 173 +++++++++++++++++++++--------------------- 4 files changed, 240 insertions(+), 210 deletions(-) create mode 100644 php-cve-2023-3247.patch delete mode 100644 php-ghsa-76gg-c692-v2mw.patch diff --git a/php-7.0.0-systzdata-v14.patch b/php-7.0.0-systzdata-v14.patch index dd6b784..bbf65ed 100644 --- a/php-7.0.0-systzdata-v14.patch +++ b/php-7.0.0-systzdata-v14.patch @@ -392,7 +392,7 @@ diff -up php-7.0.12RC1/ext/date/lib/parse_tz.c.systzdata php-7.0.12RC1/ext/date/ + size_t n; + char *data, *p; + -+ data = malloc(3 * sysdb->index_size + 7); ++ data = malloc(3 * sysdb->index_size + sizeof(FAKE_HEADER) - 1); + + p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); + diff --git a/php-cve-2023-3247.patch b/php-cve-2023-3247.patch new file mode 100644 index 0000000..d16530a --- /dev/null +++ b/php-cve-2023-3247.patch @@ -0,0 +1,151 @@ +From b9e09489f8160eb5e38a11e84ef6c8b74c2ec828 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sun, 16 Apr 2023 15:05:03 +0200 +Subject: [PATCH] Fix missing randomness check and insufficient random bytes + for SOAP HTTP Digest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If php_random_bytes_throw fails, the nonce will be uninitialized, but +still sent to the server. The client nonce is intended to protect +against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], +and bullet point 2 below. + +Tim pointed out that even though it's the MD5 of the nonce that gets sent, +enumerating 31 bits is trivial. So we have still a stack information leak +of 31 bits. + +Furthermore, Tim found the following issues: +* The small size of cnonce might cause the server to erroneously reject + a request due to a repeated (cnonce, nc) pair. As per the birthday + problem 31 bits of randomness will return a duplication with 50% + chance after less than 55000 requests and nc always starts counting at 1. +* The cnonce is intended to protect the client and password against a + malicious server that returns a constant server nonce where the server + precomputed a rainbow table between passwords and correct client response. + As storage is fairly cheap, a server could precompute the client responses + for (a subset of) client nonces and still have a chance of reversing the + client response with the same probability as the cnonce duplication. + + Precomputing the rainbow table for all 2^31 cnonces increases the rainbow + table size by factor 2 billion, which is infeasible. But precomputing it + for 2^14 cnonces only increases the table size by factor 16k and the server + would still have a 10% chance of successfully reversing a password with a + single client request. + +This patch fixes the issues by increasing the nonce size, and checking +the return value of php_random_bytes_throw(). In the process we also get +rid of the MD5 hashing of the nonce. + +[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 + +Co-authored-by: Tim Düsterhus +(cherry picked from commit 126d517ce240e9f638d9a5eaa509eaca49ef562a) +(cherry picked from commit 0cfca9aa1395271833848daec0bace51d965531d) +--- + NEWS | 6 ++++++ + ext/soap/php_http.c | 19 ++++++++++++++----- + 2 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/NEWS b/NEWS +index 11f6e7ad5a8..0770d913467 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.0.29 ++ ++- Soap: ++ . Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random ++ bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla) ++ + Backported from 8.0.28 + + - Core: +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 3a890d7c36f..3bfa4f6f54c 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -646,14 +646,23 @@ int make_http_soap_request(zval *this_ptr, + if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { + if (Z_TYPE_P(digest) == IS_ARRAY) { + char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; ++ unsigned char nonce[16]; + PHP_MD5_CTX md5ctx; + unsigned char hash[16]; + +- PHP_MD5Init(&md5ctx); +- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, php_rand()); +- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); +- PHP_MD5Final(hash, &md5ctx); +- make_digest(cnonce, hash); ++ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { ++ ZEND_ASSERT(EG(exception)); ++ php_stream_close(stream); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1); ++ smart_str_free(&soap_headers_z); ++ smart_str_free(&soap_headers); ++ return FALSE; ++ } ++ ++ php_hash_bin2hex(cnonce, nonce, sizeof(nonce)); ++ cnonce[32] = 0; + + if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL && + Z_TYPE_P(tmp) == IS_LONG) { +From e4dd20803ac5579deec54dc6b699d359890f96f0 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 6 Jun 2023 18:05:22 +0200 +Subject: [PATCH] Fix GH-11382 add missing hash header for bin2hex + +(cherry picked from commit 40439039c224bb8cdebd1b7b3d03b8cc11e7cce7) +--- + ext/soap/php_http.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 3bfa4f6f54..72b5bdec2b 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -22,7 +22,8 @@ + #include "php_soap.h" + #include "ext/standard/base64.h" + #include "ext/standard/md5.h" +-#include "ext/standard/php_rand.h" ++#include "ext/standard/php_random.h" ++#include "ext/hash/php_hash.h" + + static char *get_http_header_value(char *headers, char *type); + static zend_string *get_http_body(php_stream *socketd, int close, char *headers); +From 4e2dda0221e03b9b9dfc767b26dae656bc7a2407 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 15 Jun 2023 08:47:55 +0200 +Subject: [PATCH] add cve + +(cherry picked from commit f3021d66d7bb42d2578530cc94f9bde47e58eb10) +--- + NEWS | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index 0770d91346..835c538663 100644 +--- a/NEWS ++++ b/NEWS +@@ -5,7 +5,8 @@ Backported from 8.0.29 + + - Soap: + . Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random +- bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla) ++ bytes in HTTP Digest authentication for SOAP). ++ (CVE-2023-3247) (nielsdos, timwolla) + + Backported from 8.0.28 + +-- +2.40.1 + diff --git a/php-ghsa-76gg-c692-v2mw.patch b/php-ghsa-76gg-c692-v2mw.patch deleted file mode 100644 index fdf9fce..0000000 --- a/php-ghsa-76gg-c692-v2mw.patch +++ /dev/null @@ -1,124 +0,0 @@ -From b9e09489f8160eb5e38a11e84ef6c8b74c2ec828 Mon Sep 17 00:00:00 2001 -From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> -Date: Sun, 16 Apr 2023 15:05:03 +0200 -Subject: [PATCH] Fix missing randomness check and insufficient random bytes - for SOAP HTTP Digest -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If php_random_bytes_throw fails, the nonce will be uninitialized, but -still sent to the server. The client nonce is intended to protect -against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], -and bullet point 2 below. - -Tim pointed out that even though it's the MD5 of the nonce that gets sent, -enumerating 31 bits is trivial. So we have still a stack information leak -of 31 bits. - -Furthermore, Tim found the following issues: -* The small size of cnonce might cause the server to erroneously reject - a request due to a repeated (cnonce, nc) pair. As per the birthday - problem 31 bits of randomness will return a duplication with 50% - chance after less than 55000 requests and nc always starts counting at 1. -* The cnonce is intended to protect the client and password against a - malicious server that returns a constant server nonce where the server - precomputed a rainbow table between passwords and correct client response. - As storage is fairly cheap, a server could precompute the client responses - for (a subset of) client nonces and still have a chance of reversing the - client response with the same probability as the cnonce duplication. - - Precomputing the rainbow table for all 2^31 cnonces increases the rainbow - table size by factor 2 billion, which is infeasible. But precomputing it - for 2^14 cnonces only increases the table size by factor 16k and the server - would still have a 10% chance of successfully reversing a password with a - single client request. - -This patch fixes the issues by increasing the nonce size, and checking -the return value of php_random_bytes_throw(). In the process we also get -rid of the MD5 hashing of the nonce. - -[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 - -Co-authored-by: Tim Düsterhus -(cherry picked from commit 126d517ce240e9f638d9a5eaa509eaca49ef562a) -(cherry picked from commit 0cfca9aa1395271833848daec0bace51d965531d) ---- - NEWS | 6 ++++++ - ext/soap/php_http.c | 19 ++++++++++++++----- - 2 files changed, 20 insertions(+), 5 deletions(-) - -diff --git a/NEWS b/NEWS -index 11f6e7ad5a8..0770d913467 100644 ---- a/NEWS -+++ b/NEWS -@@ -1,6 +1,12 @@ - PHP NEWS - ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| - -+Backported from 8.0.29 -+ -+- Soap: -+ . Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random -+ bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla) -+ - Backported from 8.0.28 - - - Core: -diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c -index 3a890d7c36f..3bfa4f6f54c 100644 ---- a/ext/soap/php_http.c -+++ b/ext/soap/php_http.c -@@ -646,14 +646,23 @@ int make_http_soap_request(zval *this_ptr, - if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { - if (Z_TYPE_P(digest) == IS_ARRAY) { - char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; -+ unsigned char nonce[16]; - PHP_MD5_CTX md5ctx; - unsigned char hash[16]; - -- PHP_MD5Init(&md5ctx); -- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, php_rand()); -- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); -- PHP_MD5Final(hash, &md5ctx); -- make_digest(cnonce, hash); -+ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { -+ ZEND_ASSERT(EG(exception)); -+ php_stream_close(stream); -+ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1); -+ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1); -+ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1); -+ smart_str_free(&soap_headers_z); -+ smart_str_free(&soap_headers); -+ return FALSE; -+ } -+ -+ php_hash_bin2hex(cnonce, nonce, sizeof(nonce)); -+ cnonce[32] = 0; - - if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL && - Z_TYPE_P(tmp) == IS_LONG) { -From e4dd20803ac5579deec54dc6b699d359890f96f0 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Tue, 6 Jun 2023 18:05:22 +0200 -Subject: [PATCH] Fix GH-11382 add missing hash header for bin2hex - -(cherry picked from commit 40439039c224bb8cdebd1b7b3d03b8cc11e7cce7) ---- - ext/soap/php_http.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c -index 3bfa4f6f54..72b5bdec2b 100644 ---- a/ext/soap/php_http.c -+++ b/ext/soap/php_http.c -@@ -22,7 +22,8 @@ - #include "php_soap.h" - #include "ext/standard/base64.h" - #include "ext/standard/md5.h" --#include "ext/standard/php_rand.h" -+#include "ext/standard/php_random.h" -+#include "ext/hash/php_hash.h" - - static char *get_http_header_value(char *headers, char *type); - static zend_string *get_http_body(php_stream *socketd, int close, char *headers); diff --git a/php70.spec b/php70.spec index bf19bf3..7434f50 100644 --- a/php70.spec +++ b/php70.spec @@ -109,7 +109,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 38%{?dist} +Release: 39%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -231,7 +231,7 @@ Patch259: php-bug81740.patch Patch260: php-bug81744.patch Patch261: php-bug81746.patch Patch262: php-cve-2023-0662.patch -Patch263: php-ghsa-76gg-c692-v2mw.patch +Patch263: php-cve-2023-3247.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1057,111 +1057,111 @@ support for JavaScript Object Notation (JSON) to PHP. echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzip} %setup -q -n php-%{upver}%{?rcver} -%patch1 -p1 -b .mpmcheck -%patch5 -p1 -b .includedir -%patch6 -p1 -b .embed -%patch7 -p1 -b .recode -%patch8 -p1 -b .libdb +%patch -P1 -p1 -b .mpmcheck +%patch -P5 -p1 -b .includedir +%patch -P6 -p1 -b .embed +%patch -P7 -p1 -b .recode +%patch -P8 -p1 -b .libdb %if 0%{?rhel} -%patch9 -p1 -b .curltls +%patch -P9 -p1 -b .curltls %endif %if 0%{?fedora} >= 29 || 0%{?rhel} >= 7 -%patch10 -p1 -b .icu62 +%patch -P10 -p1 -b .icu62 %endif -%patch40 -p1 -b .dlopen +%patch -P40 -p1 -b .dlopen %if 0%{?fedora} >= 28 || 0%{?rhel} >= 6 -%patch42 -p1 -b .systzdata +%patch -P42 -p1 -b .systzdata %endif -%patch43 -p1 -b .headers +%patch -P43 -p1 -b .headers %if 0%{?fedora} >= 18 || 0%{?rhel} >= 7 -%patch45 -p1 -b .ldap_r +%patch -P45 -p1 -b .ldap_r %endif -%patch46 -p1 -b .fixheader -%patch47 -p1 -b .phpinfo +%patch -P46 -p1 -b .fixheader +%patch -P47 -p1 -b .phpinfo -%patch91 -p1 -b .remi-oci8 +%patch -P91 -p1 -b .remi-oci8 # upstream patches -%patch103 -p1 -b .bug76846 +%patch -P103 -p1 -b .bug76846 # security patches -%patch200 -p1 -b .bug77242 -%patch201 -p1 -b .bug77247 -%patch202 -p1 -b .bug77370 -%patch203 -p1 -b .bug77371 -%patch204 -p1 -b .bug77380 -%patch205 -p1 -b .bug77381 -%patch206 -p1 -b .bug77369 -%patch207 -p1 -b .bug77418 -%patch208 -p1 -b .bug77396 -%patch209 -p1 -b .bug77431 -%patch210 -p1 -b .bug77540 -%patch211 -p1 -b .bug77563 -%patch212 -p1 -b .bug77586 -%patch213 -p1 -b .bug77630 -%patch214 -p1 -b .backport -%patch215 -p1 -b .sqlite3.defensive -%patch216 -p1 -b .bug77753 -%patch217 -p1 -b .bug77831 -%patch218 -p1 -b .bug77950 -%patch219 -p1 -b .bug78069 -%patch220 -p1 -b .bug77988 -%patch221 -p1 -b .bug77967 -%patch222 -p1 -b .bug78222 -%patch223 -p1 -b .bug78256 -%patch224 -p1 -b .bug77919 -%patch225 -p1 -b .bug75457 -%patch226 -p1 -b .bug78380 -%patch227 -p1 -b .bug78599 -%patch228 -p1 -b .bug78878 -%patch229 -p1 -b .bug78862 -%patch230 -p1 -b .bug78863 -%patch231 -p1 -b .bug78793 -%patch232 -p1 -b .bug78910 -%patch233 -p1 -b .bug79099 -%patch234 -p1 -b .bug79037 -%patch235 -p1 -b .bug77569 -%patch236 -p1 -b .bug79221 -%patch237 -p1 -b .bug79082 -%patch238 -p1 -b .bug79282 -%patch239 -p1 -b .bug79329 -%patch240 -p1 -b .bug79330 -%patch241 -p1 -b .bug79465 -%patch242 -p1 -b .bug78875 -%patch243 -p1 -b .bug78876 -%patch244 -p1 -b .bug79797 -%patch245 -p1 -b .bug79877 -%patch246 -p1 -b .bug79699 -%patch247 -p1 -b .bug77423 -%patch248 -p1 -b .bug80672 -%patch249 -p1 -b .bug80710 -%patch250 -p1 -b .bug81122 -%patch251 -p1 -b .bug76450 -%patch252 -p1 -b .bug81211 -%patch253 -p1 -b .bug81026 -%patch254 -p1 -b .bug79971 -%patch255 -p1 -b .bug81719 -%patch256 -p1 -b .bug81720 -%patch257 -p1 -b .bug81727 -%patch258 -p1 -b .bug81726 -%patch259 -p1 -b .bug81740 -%patch260 -p1 -b .bug81744 -%patch261 -p1 -b .bug81746 -%patch262 -p1 -b .cve0662 -%patch263 -p1 -b .ghsa-76gg-c692-v2mw +%patch -P200 -p1 -b .bug77242 +%patch -P201 -p1 -b .bug77247 +%patch -P202 -p1 -b .bug77370 +%patch -P203 -p1 -b .bug77371 +%patch -P204 -p1 -b .bug77380 +%patch -P205 -p1 -b .bug77381 +%patch -P206 -p1 -b .bug77369 +%patch -P207 -p1 -b .bug77418 +%patch -P208 -p1 -b .bug77396 +%patch -P209 -p1 -b .bug77431 +%patch -P210 -p1 -b .bug77540 +%patch -P211 -p1 -b .bug77563 +%patch -P212 -p1 -b .bug77586 +%patch -P213 -p1 -b .bug77630 +%patch -P214 -p1 -b .backport +%patch -P215 -p1 -b .sqlite3.defensive +%patch -P216 -p1 -b .bug77753 +%patch -P217 -p1 -b .bug77831 +%patch -P218 -p1 -b .bug77950 +%patch -P219 -p1 -b .bug78069 +%patch -P220 -p1 -b .bug77988 +%patch -P221 -p1 -b .bug77967 +%patch -P222 -p1 -b .bug78222 +%patch -P223 -p1 -b .bug78256 +%patch -P224 -p1 -b .bug77919 +%patch -P225 -p1 -b .bug75457 +%patch -P226 -p1 -b .bug78380 +%patch -P227 -p1 -b .bug78599 +%patch -P228 -p1 -b .bug78878 +%patch -P229 -p1 -b .bug78862 +%patch -P230 -p1 -b .bug78863 +%patch -P231 -p1 -b .bug78793 +%patch -P232 -p1 -b .bug78910 +%patch -P233 -p1 -b .bug79099 +%patch -P234 -p1 -b .bug79037 +%patch -P235 -p1 -b .bug77569 +%patch -P236 -p1 -b .bug79221 +%patch -P237 -p1 -b .bug79082 +%patch -P238 -p1 -b .bug79282 +%patch -P239 -p1 -b .bug79329 +%patch -P240 -p1 -b .bug79330 +%patch -P241 -p1 -b .bug79465 +%patch -P242 -p1 -b .bug78875 +%patch -P243 -p1 -b .bug78876 +%patch -P244 -p1 -b .bug79797 +%patch -P245 -p1 -b .bug79877 +%patch -P246 -p1 -b .bug79699 +%patch -P247 -p1 -b .bug77423 +%patch -P248 -p1 -b .bug80672 +%patch -P249 -p1 -b .bug80710 +%patch -P250 -p1 -b .bug81122 +%patch -P251 -p1 -b .bug76450 +%patch -P252 -p1 -b .bug81211 +%patch -P253 -p1 -b .bug81026 +%patch -P254 -p1 -b .bug79971 +%patch -P255 -p1 -b .bug81719 +%patch -P256 -p1 -b .bug81720 +%patch -P257 -p1 -b .bug81727 +%patch -P258 -p1 -b .bug81726 +%patch -P259 -p1 -b .bug81740 +%patch -P260 -p1 -b .bug81744 +%patch -P261 -p1 -b .bug81746 +%patch -P262 -p1 -b .cve0662 +%patch -P263 -p1 -b .cve3247 # Fixes for tests %if 0%{?fedora} >= 21 || 0%{?rhel} >= 5 -%patch300 -p1 -b .datetests +%patch -P300 -p1 -b .datetests %endif %if %{with_libpcre} if ! pkg-config libpcre --atleast-version 8.34 ; then # Only apply when system libpcre < 8.34 -%patch301 -p1 -b .pcre834 +%patch -P301 -p1 -b .pcre834 fi %endif -%patch302 -p1 -b .renewcert +%patch -P302 -p1 -b .renewcert rm ext/openssl/tests/bug65538_003.phpt # WIP patch @@ -2187,10 +2187,13 @@ fi %changelog +* Wed Jun 21 2023 Remi Collet - 7.0.33-39 +- fix possible buffer overflow in date + * Wed Jun 7 2023 Remi Collet - 7.0.33-38 - Fix Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP - GHSA-76gg-c692-v2mw + GHSA-76gg-c692-v2mw CVE-2023-3247 - use oracle client library version 21.10 - define __phpize and __phpconfig -- cgit