From 5155e7af6ac73b0e341a5c42d1dcee4d2f13ee24 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 17 Dec 2019 17:00:58 +0100 Subject: - bcmath: Fix #78878 Buffer underflow in bc_shift_addsub CVE-2019-11046 - core: Fix #78862 link() silently truncates after a null byte on Windows CVE-2019-11044 Fix #78863 DirectoryIterator class silently truncates after a null byte CVE-2019-11045 - exif Fix #78793 Use-after-free in exif parsing under memory sanitizer CVE-2019-11050 Fix #78910 Heap-buffer-overflow READ in exif CVE-2019-11047 - use oracle client library version 19.5 (18.5 on EL-6) --- php-bug78862.patch | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 php-bug78862.patch (limited to 'php-bug78862.patch') diff --git a/php-bug78862.patch b/php-bug78862.patch new file mode 100644 index 0000000..1ecc1f5 --- /dev/null +++ b/php-bug78862.patch @@ -0,0 +1,68 @@ +From 76a8b07ed74add68c52ed1a5399416ff267cef88 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 17 Dec 2019 10:53:47 +0100 +Subject: [PATCH] Fix #78862: link() silently truncates after a null byte on + Windows + +Since link() is supposed to accepts paths (i.e. strings without NUL +bytes), we must not accept arbitrary strings. + +(cherry picked from commit 0e6c0654ed06751ced134515f7629c40bd979d7f) +--- + NEWS | 4 ++++ + ext/standard/link_win32.c | 2 +- + .../tests/file/windows_links/bug78862.phpt | 17 +++++++++++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/file/windows_links/bug78862.phpt + +diff --git a/NEWS b/NEWS +index 29fcce8947..02cd502c8c 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,10 @@ Backported from 7.2.26 + . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046). + (cmb) + ++- Core: ++ . Fixed bug #78862 (link() silently truncates after a null byte on Windows). ++ (CVE-2019-11044). (cmb) ++ + Backported from 7.1.33 + + - FPM: +diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c +index 0068a3edb1..c6133c7ef6 100644 +--- a/ext/standard/link_win32.c ++++ b/ext/standard/link_win32.c +@@ -208,7 +208,7 @@ PHP_FUNCTION(link) + + /*First argument to link function is the target and hence should go to frompath + Second argument to link function is the link itself and hence should go to topath */ +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { + return; + } + +diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt +new file mode 100644 +index 0000000000..33b4b49293 +--- /dev/null ++++ b/ext/standard/tests/file/windows_links/bug78862.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #78862 (link() silently truncates after a null byte on Windows) ++--FILE-- ++ ++--EXPECTF-- ++Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d ++NULL ++bool(false) ++--CLEAN-- ++ -- cgit