authorRemi Collet <remi@remirepo.net>2018-12-08 18:11:26 +0100
committerRemi Collet <remi@remirepo.net>2018-12-08 18:11:26 +0100
commit676f81f0817cfc41e3b6c3e9eb3e1759354a83ba (patch)
tree060d155c73f7aa18df065acd9ea46995806cd12e
parent8987f05387b96f657d4476a1d4a5dccf985c764f (diff)
Fix null pointer dereference in imap_mail CVE-2018-19935
-rw-r--r--php-imap.patch70
-rw-r--r--php71.spec7
2 files changed, 76 insertions, 1 deletions
diff --git a/php-imap.patch b/php-imap.patch
new file mode 100644
index 0000000..c726a3a
--- /dev/null
+++ b/php-imap.patch
@@ -0,0 +1,70 @@
+From d8765852e0400ee2ce8ae9e2177c42731d4539d8 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 28 Nov 2018 15:45:51 -0800
+Subject: [PATCH] Add DISPLAY_INI_ENTRIES for imap
+
+---
+ ext/imap/php_imap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index f6feebe9f769..a23e84c08521 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -1153,6 +1153,8 @@ PHP_MINFO_FUNCTION(imap)
+ php_info_print_table_row(2, "Kerberos Support", "enabled");
+ #endif
+ php_info_print_table_end();
++
++ DISPLAY_INI_ENTRIES();
+ }
+ /* }}} */
+
+From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Nov 2018 10:04:01 -0800
+Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail
+
+If an empty $message is passed to imap_mail(), we must not set message
+to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
+(opposed to pointers to NUL).
+---
+ NEWS | 1 +
+ ext/imap/php_imap.c | 1 -
+ ext/imap/tests/bug77020.phpt | 15 +++++++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/imap/tests/bug77020.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index a23e84c08521..b30440f000f3 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -4128,7 +4128,6 @@ PHP_FUNCTION(imap_mail)
+ if (!ZSTR_LEN(message)) {
+ /* this is not really an error, so it is allowed. */
+ php_error_docref(NULL, E_WARNING, "No message string in mail command");
+- message = NULL;
+ }
+
+ if (_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), headers?ZSTR_VAL(headers):NULL, cc?ZSTR_VAL(cc):NULL,
+diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
+new file mode 100644
+index 000000000000..8a65232eec6d
+--- /dev/null
++++ b/ext/imap/tests/bug77020.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #77020 (null pointer dereference in imap_mail)
++--SKIPIF--
++<?php
++if (!extension_loaded('imap')) die('skip imap extension not available');
++?>
++--FILE--
++<?php
++imap_mail('1', 1, NULL);
++?>
++===DONE===
++--EXPECTF--
++Warning: imap_mail(): No message string in mail command in %s on line %d
++%s
++===DONE===
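Review bot: The comment kept in the `!ZSTR_LEN(message)` branch of imap_mail() ("this is not really an error, so it is allowed.") does not record why `message` must remain a valid empty string, which is the reason `message = NULL;` is being removed. The call that follows passes `ZSTR_VAL(message)` unconditionally while `headers` and `cc` are guarded with `?:`, so the asymmetry is easy to undo by accident; I would extend the comment to something like `/* not an error, but keep message non-NULL: ZSTR_VAL(message) is evaluated below and _php_imap_mail() does not accept a NULL message */`. Separately, the trailing `%s` in the EXPECTF section of bug77020.phpt appears to require one more line of arbitrary output after the warning, so the test may depend on what the local mail transport prints; worth confirming it passes in the build root. The body of imap_mail() starts and ends outside the hunk.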
diff --git a/php71.spec b/php71.spec
index 39b6315..a5aa6e9 100644
--- a/php71.spec
+++ b/php71.spec
@@ -113,7 +113,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 1%{?dist}
+Release: 2%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -173,6 +173,7 @@ Patch91: php-5.6.3-oci8conf.patch
# Upstream fixes (100+)
# Security fixes (200+)
+Patch200: php-imap.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
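Review bot: `Patch200: php-imap.patch` has no comment tying it to the CVE, and the file name does not either, so someone auditing the spec cannot tell which fix it carries without opening the patch. The patch file bundles two upstream commits (d8765852e040 "Add DISPLAY_INI_ENTRIES for imap" and 7edc639b9ff1 "Fix #77020: null pointer dereference in imap_mail"), and only the second is described as the null pointer dereference fix. A line such as `# CVE-2018-19935 / upstream bug #77020 (also carries DISPLAY_INI_ENTRIES for imap)` above Patch200 would record that.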
@@ -1019,6 +1020,7 @@ support for JavaScript Object Notation (JSON) to PHP.
# upstream patches
# security patches
+%patch200 -p1 -b .imap
# Fixes for tests
%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -2061,6 +2063,9 @@ fi
%changelog
+* Sat Dec 8 2018 Remi Collet <remi@remirepo.net> - 7.1.25-2
+- Fix null pointer dereference in imap_mail CVE-2018-19935
+
* Wed Dec 5 2018 Remi Collet <remi@remirepo.net> - 7.1.25-1
- Update to 7.1.25 - http://www.php.net/releases/7_1_25.php