diff options
author | Remi Collet <remi@remirepo.net> | 2020-05-12 08:49:43 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2020-05-12 08:49:43 +0200 |
commit | 9eaf588d871806c7b15be482b5740bea85285b93 (patch) | |
tree | e51332ce1305a7af03382c7702e5009b3129ef18 | |
parent | 37eeab3864b96768419ed0ee5492bca293ad003c (diff) |
Core:
Fix #78875 Long filenames cause OOM and temp files are not cleaned
CVE-2019-11048
Fix #78876 Long variables in multipart/form-data cause OOM and temp
files are not cleaned
-rw-r--r-- | php-bug78875.patch | 38 | ||||
-rw-r--r-- | php-bug78876.patch | 73 | ||||
-rw-r--r-- | php71.spec | 13 |
3 files changed, 123 insertions, 1 deletions
diff --git a/php-bug78875.patch b/php-bug78875.patch new file mode 100644 index 0000000..aa04cee --- /dev/null +++ b/php-bug78875.patch @@ -0,0 +1,38 @@ +From d856f7b27eef0249abc6fd2f87cca379b48b815e Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Wed, 18 Mar 2020 10:26:53 +0100 +Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not + cleaned + +We must not cast `size_t` to `int` (unless the `size_t` value is +guaranteed to be less than or equal to `INT_MAX`). In this case we can +declare `array_len` as `size_t` in the first place. + +(cherry picked from commit 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87) +--- + main/rfc1867.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/main/rfc1867.c b/main/rfc1867.c +index b930e07ad1..14ffbea9f4 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -692,7 +692,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; + char *lbuf = NULL, *abuf = NULL; + zend_string *temp_filename = NULL; +- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; ++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0; ++ size_t array_len = 0; + int64_t total_bytes = 0, max_file_size = 0; + int skip_upload = 0, anonindex = 0, is_anonymous; + HashTable *uploaded_files = NULL; +@@ -1126,7 +1127,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']'); + + if (is_arr_upload) { +- array_len = (int)strlen(start_arr); ++ array_len = strlen(start_arr); + if (array_index) { + efree(array_index); + } diff --git a/php-bug78876.patch b/php-bug78876.patch new file mode 100644 index 0000000..0afab9c --- /dev/null +++ b/php-bug78876.patch @@ -0,0 +1,73 @@ +From 29b3876a0aad27a65e853fd0be4bdc7647dee444 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Wed, 18 Mar 2020 10:57:42 +0100 +Subject: [PATCH] Fix #78876: Long variables cause OOM and temp files are not + cleaned + +We use the proper type for size calculations, which is `size_t`. + +(cherry picked from commit 3c8582ca4b8e84e5647220b647914876d2c3b124) +--- + main/rfc1867.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/main/rfc1867.c b/main/rfc1867.c +index 14ffbea9f4..1742b9c0a9 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -616,7 +616,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne + } + + /* read until a boundary condition */ +-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end) ++static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end) + { + size_t len, max; + char *bound; +@@ -655,7 +655,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes + self->buf_begin += len; + } + +- return (int)len; ++ return len; + } + + /* +@@ -665,7 +665,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes + static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len) + { + char buf[FILLUNIT], *out=NULL; +- int total_bytes=0, read_bytes=0; ++ size_t total_bytes=0, read_bytes=0; + + while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) { + out = erealloc(out, total_bytes + read_bytes + 1); +From f1a89efe27650b62d58fceb77252480b19da6555 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 11 May 2020 14:28:51 -0700 +Subject: [PATCH] Update NEWS + +(cherry picked from commit b4afd21428e09133228fd84bf048157526c2c705) +--- + NEWS | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/NEWS b/NEWS +index cc1e992229..19fbb3adf2 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,14 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.31 ++ ++- Core: ++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). ++ (CVE-2019-11048) (cmb) ++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp ++ files are not cleaned). (CVE-2019-11048) (cmb) ++ + Backported from 7.2.30 + + - Standard: @@ -118,7 +118,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 7%{?dist} +Release: 8%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -193,6 +193,8 @@ Patch212: php-bug79282.patch Patch213: php-bug79329.patch Patch214: php-bug79330.patch Patch215: php-bug79465.patch +Patch216: php-bug78875.patch +Patch217: php-bug78876.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1064,6 +1066,8 @@ support for JavaScript Object Notation (JSON) to PHP. %patch213 -p1 -b .bug79329 %patch214 -p1 -b .bug79330 %patch215 -p1 -b .bug79465 +%patch216 -p1 -b .bug78875 +%patch217 -p1 -b .bug78876 # Fixes for tests %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 @@ -2138,6 +2142,13 @@ EOF %changelog +* Tue May 12 2020 Remi Collet <remi@remirepo.net> - 7.1.33-8 +- Core: + Fix #78875 Long filenames cause OOM and temp files are not cleaned + CVE-2019-11048 + Fix #78876 Long variables in multipart/form-data cause OOM and temp + files are not cleaned + * Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.1.33-7 - standard: Fix #79330 shell_exec silently truncates after a null byte |