diff options
author | Remi Collet <remi@remirepo.net> | 2020-04-14 11:01:37 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2020-04-14 11:01:37 +0200 |
commit | 37eeab3864b96768419ed0ee5492bca293ad003c (patch) | |
tree | c68f5d91ccf631818ef020a8956739e591575a41 | |
parent | 9f6be3ba3d21582ce2bc0e2934e8bc3c71b18b38 (diff) |
standard:
Fix #79330 shell_exec silently truncates after a null byte
Fix #79465 OOB Read in urldecode
CVE-2020-7067
-rw-r--r-- | php-bug79330.patch | 31 | ||||
-rw-r--r-- | php-bug79465.patch | 58 | ||||
-rw-r--r-- | php71.spec | 12 |
3 files changed, 100 insertions, 1 deletions
diff --git a/php-bug79330.patch b/php-bug79330.patch new file mode 100644 index 0000000..4698880 --- /dev/null +++ b/php-bug79330.patch @@ -0,0 +1,31 @@ +From edd1ff390be461e9ae5c69237358beddee4655a4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 13 Apr 2020 21:00:44 -0700 +Subject: [PATCH] Fix bug #79330 - make all execution modes consistent in + rejecting \0 + +(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62) +--- + ext/standard/exec.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ext/standard/exec.c b/ext/standard/exec.c +index 8af11801ad..02d9539f73 100644 +--- a/ext/standard/exec.c ++++ b/ext/standard/exec.c +@@ -524,6 +524,15 @@ PHP_FUNCTION(shell_exec) + return; + } + ++ if (!command_len) { ++ php_error_docref(NULL, E_WARNING, "Cannot execute a blank command"); ++ RETURN_FALSE; ++ } ++ if (strlen(command) != command_len) { ++ php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack"); ++ RETURN_FALSE; ++ } ++ + #ifdef PHP_WIN32 + if ((in=VCWD_POPEN(command, "rt"))==NULL) { + #else diff --git a/php-bug79465.patch b/php-bug79465.patch new file mode 100644 index 0000000..9dd39ab --- /dev/null +++ b/php-bug79465.patch @@ -0,0 +1,58 @@ +From 3a81a8f4d47c1b628da3b3a2db433d8cc7146bba Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 13 Apr 2020 21:07:04 -0700 +Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes. + +(cherry picked from commit 9d6bf8221b05f86ce5875832f0f646c4c1f218be) +--- + ext/standard/url.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 39e5b1b2c2..4cc1f77aec 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -540,7 +540,7 @@ PHPAPI size_t php_url_decode(char *str, size_t len) + #ifndef CHARSET_EBCDIC + *dest = (char) php_htoi(data + 1); + #else +- *dest = os_toebcdic[(char) php_htoi(data + 1)]; ++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; + #endif + data += 2; + len -= 2; +@@ -632,7 +632,7 @@ PHPAPI size_t php_raw_url_decode(char *str, size_t len) + #ifndef CHARSET_EBCDIC + *dest = (char) php_htoi(data + 1); + #else +- *dest = os_toebcdic[(char) php_htoi(data + 1)]; ++ *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; + #endif + data += 2; + len -= 2; +From bd4a5ebe653f36ea7705fbc95a6ec4842d7f86fc Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 14 Apr 2020 08:02:28 +0200 +Subject: [PATCH] NEWS + +--- + NEWS | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/NEWS b/NEWS +index f0bec6aa69..cc1e992229 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.30 ++ ++- Standard: ++ . Fixed bug #79330 (shell_exec silently truncates after a null byte). (stas) ++ . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) (stas) ++ + Backported from 7.2.29 + + - Core: @@ -118,7 +118,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 6%{?dist} +Release: 7%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -191,6 +191,8 @@ Patch210: php-bug79221.patch Patch211: php-bug79082.patch Patch212: php-bug79282.patch Patch213: php-bug79329.patch +Patch214: php-bug79330.patch +Patch215: php-bug79465.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1060,6 +1062,8 @@ support for JavaScript Object Notation (JSON) to PHP. %patch211 -p1 -b .bug79082 %patch212 -p1 -b .bug79282 %patch213 -p1 -b .bug79329 +%patch214 -p1 -b .bug79330 +%patch215 -p1 -b .bug79465 # Fixes for tests %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 @@ -2134,6 +2138,12 @@ EOF %changelog +* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.1.33-7 +- standard: + Fix #79330 shell_exec silently truncates after a null byte + Fix #79465 OOB Read in urldecode + CVE-2020-7067 + * Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.1.33-6 - standard: Fix #79329 get_headers() silently truncates after a null byte |