author | Remi Collet <remi@remirepo.net> | 2018-12-08 18:11:26 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2018-12-08 18:11:26 +0100 |
commit | 676f81f0817cfc41e3b6c3e9eb3e1759354a83ba (patch) | |
tree | 060d155c73f7aa18df065acd9ea46995806cd12e | |
parent | 8987f05387b96f657d4476a1d4a5dccf985c764f (diff) |
Fix null pointer dereference in imap_mail CVE-2018-19935
-rw-r--r-- | php-imap.patch | 70 | ||||
-rw-r--r-- | php71.spec | 7 |
2 files changed, 76 insertions, 1 deletions
diff --git a/php-imap.patch b/php-imap.patch
new file mode 100644
index 0000000..c726a3a
--- /dev/null
+++ b/php-imap.patch
@@ -0,0 +1,70 @@ +From d8765852e0400ee2ce8ae9e2177c42731d4539d8 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 28 Nov 2018 15:45:51 -0800 +Subject: [PATCH] Add DISPLAY_INI_ENTRIES for imap + +--- + ext/imap/php_imap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index f6feebe9f769..a23e84c08521 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -1153,6 +1153,8 @@ PHP_MINFO_FUNCTION(imap) + php_info_print_table_row(2, "Kerberos Support", "enabled"); + #endif + php_info_print_table_end(); ++ ++ DISPLAY_INI_ENTRIES(); + } + /* }}} */ + +From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 11 Nov 2018 10:04:01 -0800 +Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail + +If an empty $message is passed to imap_mail(), we must not set message +to NULL, since _php_imap_mail() is not supposed to handle NULL pointers +(opposed to pointers to NUL). +--- + NEWS | 1 + + ext/imap/php_imap.c | 1 - + ext/imap/tests/bug77020.phpt | 15 +++++++++++++++ + 3 files changed, 16 insertions(+), 1 deletion(-) + create mode 100644 ext/imap/tests/bug77020.phpt + +diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c +index a23e84c08521..b30440f000f3 100644 +--- a/ext/imap/php_imap.c ++++ b/ext/imap/php_imap.c +@@ -4128,7 +4128,6 @@ PHP_FUNCTION(imap_mail) + if (!ZSTR_LEN(message)) { + /* this is not really an error, so it is allowed. 
*/ + php_error_docref(NULL, E_WARNING, "No message string in mail command"); +- message = NULL; + } + + if (_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), headers?ZSTR_VAL(headers):NULL, cc?ZSTR_VAL(cc):NULL, +diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt +new file mode 100644 +index 000000000000..8a65232eec6d +--- /dev/null ++++ b/ext/imap/tests/bug77020.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #77020 (null pointer dereference in imap_mail) ++--SKIPIF-- ++<?php ++if (!extension_loaded('imap')) die('skip imap extension not available'); ++?> ++--FILE-- ++<?php ++imap_mail('1', 1, NULL); ++?> ++===DONE=== ++--EXPECTF-- ++Warning: imap_mail(): No message string in mail command in %s on line %d ++%s ++===DONE=== @@ -113,7 +113,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1%{?dist} +Release: 2%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -173,6 +173,7 @@ Patch91: php-5.6.3-oci8conf.patch # Upstream fixes (100+) # Security fixes (200+) +Patch200: php-imap.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1019,6 +1020,7 @@ support for JavaScript Object Notation (JSON) to PHP. # upstream patches # security patches +%patch200 -p1 -b .imap # Fixes for tests %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 @@ -2061,6 +2063,9 @@ fi %changelog +* Sat Dec 8 2018 Remi Collet <remi@remirepo.net> - 7.1.25-2 +- Fix null pointer dereference in imap_mail CVE-2018-19935 + * Wed Dec 5 2018 Remi Collet <remi@remirepo.net> - 7.1.25-1 - Update to 7.1.25 - http://www.php.net/releases/7_1_25.php |
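Review bot: The call `_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), ...)` in the second embedded commit has no comment recording the contract that the commit message spells out, so a later cleanup could reintroduce the `message = NULL` shortcut. A one-line comment above the call would pin it: `/* to, subject and message must be non-NULL here; an empty message is passed as "" */`. Inside the hunk only `message` is visibly non-NULL (it is dereferenced by `ZSTR_LEN(message)` just above); the checks for `to` and `subject` presumably sit earlier in imap_mail, which starts outside the hunk. The added bug77020.phpt closes its expectation with `%s`, which accepts any one line of output, so the test pins the warning and the absence of a crash rather than what imap_mail returns.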
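Review bot: Patch200 sits in the security-fix slot, but php-imap.patch bundles two upstream commits and only 7edc639b (bug #77020) is the CVE-2018-19935 fix; d8765852 (DISPLAY_INI_ENTRIES in PHP_MINFO_FUNCTION(imap)) is mentioned neither beside the Patch200 line nor in the changelog entry. A comment above the patch line would keep the security slot auditable, for example `# imap: upstream d8765852 (DISPLAY_INI_ENTRIES) + 7edc639b (bug #77020, CVE-2018-19935)`. The second commit's diffstat still lists NEWS and "3 files changed" although no NEWS hunk is present in the file, which is worth knowing when comparing the patch against upstream.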