1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
From a4173e5e7a7f0f927c7bd8fcaffbc0d2caa914d9 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 15 Feb 2020 22:17:14 -0800
Subject: [PATCH 4/5] Fix bug #79082 - Files added to tar with
Phar::buildFromIterator have all-access permissions
(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6)
---
ext/phar/phar_object.c | 11 +++++
ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++
ext/phar/tests/test79082/test79082-testfile | 1 +
ext/phar/tests/test79082/test79082-testfile2 | 1 +
4 files changed, 65 insertions(+)
create mode 100644 ext/phar/tests/bug79082.phpt
create mode 100644 ext/phar/tests/test79082/test79082-testfile
create mode 100644 ext/phar/tests/test79082/test79082-testfile2
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index d4ad4e0dcf..8a0d369287 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -1451,6 +1451,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
char *str_key;
zend_class_entry *ce = p_obj->c;
phar_archive_object *phar_obj = p_obj->p;
+ php_stream_statbuf ssb;
value = iter->funcs->get_current_data(iter);
@@ -1745,6 +1746,16 @@ after_open_fp:
php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len);
data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =
php_stream_tell(p_obj->fp) - data->internal_file->offset;
+ if (php_stream_stat(fp, &ssb) != -1) {
+ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ;
+ } else {
+#ifndef _WIN32
+ mode_t mask;
+ mask = umask(0);
+ umask(mask);
+ data->internal_file->flags &= ~mask;
+#endif
+ }
}
if (close_fp) {
diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt
new file mode 100644
index 0000000000..ca453d1b57
--- /dev/null
+++ b/ext/phar/tests/bug79082.phpt
@@ -0,0 +1,52 @@
+--TEST--
+Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
+--SKIPIF--
+<?php
+if (!extension_loaded("phar")) die("skip");
+if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows")
+?>
+--FILE--
+<?php
+umask(022);
+var_dump(decoct(umask()));
+chmod(__DIR__ . '/test79082/test79082-testfile', 0644);
+chmod(__DIR__ . '/test79082/test79082-testfile2', 0400);
+
+foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
+ clearstatcache();
+ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode);
+ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082');
+ $phar->extractTo(__DIR__);
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
+ unlink(__DIR__ . '/test79082-testfile');
+ unlink(__DIR__ . '/test79082-testfile2');
+}
+foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
+ clearstatcache();
+ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode);
+ $phar->buildFromDirectory(__DIR__ . '/test79082');
+ $phar->extractTo(__DIR__);
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
+ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
+ unlink(__DIR__ . '/test79082-testfile');
+ unlink(__DIR__ . '/test79082-testfile2');
+}
+?>
+--CLEAN--
+<?
+unlink(__DIR__ . '/test79082.tar');
+unlink(__DIR__ . '/test79082.zip');
+unlink(__DIR__ . '/test79082-d.tar');
+unlink(__DIR__ . '/test79082-d.zip');
+?>
+--EXPECT--
+string(2) "22"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
+string(6) "100644"
+string(6) "100400"
diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile
new file mode 100644
index 0000000000..9daeafb986
--- /dev/null
+++ b/ext/phar/tests/test79082/test79082-testfile
@@ -0,0 +1 @@
+test
diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2
new file mode 100644
index 0000000000..9daeafb986
--- /dev/null
+++ b/ext/phar/tests/test79082/test79082-testfile2
@@ -0,0 +1 @@
+test
--
2.24.1
From 9e5dbc9e3c6d970868d112175a286ceddc648aff Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 18 Feb 2020 06:35:00 +0100
Subject: [PATCH 5/5] NEWS
---
NEWS | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/NEWS b/NEWS
index 9467c98e33..853e9b5341 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,14 @@ Backported from 7.2.28
. Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita,
cmb)
+- Phar:
+ . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have
+ all-access permissions). (CVE-2020-7063) (stas)
+
+- Session:
+ . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress).
+ (CVE-2020-7062) (stas)
+
Backported from 7.2.27
- Mbstring:
--
2.24.1
|