summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2020-05-12 08:49:43 +0200
committerRemi Collet <remi@remirepo.net>2020-05-12 08:49:43 +0200
commit9eaf588d871806c7b15be482b5740bea85285b93 (patch)
treee51332ce1305a7af03382c7702e5009b3129ef18
parent37eeab3864b96768419ed0ee5492bca293ad003c (diff)
Core:
Fix #78875 Long filenames cause OOM and temp files are not cleaned CVE-2019-11048 Fix #78876 Long variables in multipart/form-data cause OOM and temp files are not cleaned
-rw-r--r--php-bug78875.patch38
-rw-r--r--php-bug78876.patch73
-rw-r--r--php71.spec13
3 files changed, 123 insertions, 1 deletions
diff --git a/php-bug78875.patch b/php-bug78875.patch
new file mode 100644
index 0000000..aa04cee
--- /dev/null
+++ b/php-bug78875.patch
@@ -0,0 +1,38 @@
+From d856f7b27eef0249abc6fd2f87cca379b48b815e Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 18 Mar 2020 10:26:53 +0100
+Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not
+ cleaned
+
+We must not cast `size_t` to `int` (unless the `size_t` value is
+guaranteed to be less than or equal to `INT_MAX`). In this case we can
+declare `array_len` as `size_t` in the first place.
+
+(cherry picked from commit 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)
+---
+ main/rfc1867.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index b930e07ad1..14ffbea9f4 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -692,7 +692,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ char *lbuf = NULL, *abuf = NULL;
+ zend_string *temp_filename = NULL;
+- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++ size_t array_len = 0;
+ int64_t total_bytes = 0, max_file_size = 0;
+ int skip_upload = 0, anonindex = 0, is_anonymous;
+ HashTable *uploaded_files = NULL;
+@@ -1126,7 +1127,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
+
+ if (is_arr_upload) {
+- array_len = (int)strlen(start_arr);
++ array_len = strlen(start_arr);
+ if (array_index) {
+ efree(array_index);
+ }
diff --git a/php-bug78876.patch b/php-bug78876.patch
new file mode 100644
index 0000000..0afab9c
--- /dev/null
+++ b/php-bug78876.patch
@@ -0,0 +1,73 @@
+From 29b3876a0aad27a65e853fd0be4bdc7647dee444 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 18 Mar 2020 10:57:42 +0100
+Subject: [PATCH] Fix #78876: Long variables cause OOM and temp files are not
+ cleaned
+
+We use the proper type for size calculations, which is `size_t`.
+
+(cherry picked from commit 3c8582ca4b8e84e5647220b647914876d2c3b124)
+---
+ main/rfc1867.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 14ffbea9f4..1742b9c0a9 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -616,7 +616,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
+ }
+
+ /* read until a boundary condition */
+-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
++static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
+ {
+ size_t len, max;
+ char *bound;
+@@ -655,7 +655,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ self->buf_begin += len;
+ }
+
+- return (int)len;
++ return len;
+ }
+
+ /*
+@@ -665,7 +665,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
+ {
+ char buf[FILLUNIT], *out=NULL;
+- int total_bytes=0, read_bytes=0;
++ size_t total_bytes=0, read_bytes=0;
+
+ while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
+ out = erealloc(out, total_bytes + read_bytes + 1);
+From f1a89efe27650b62d58fceb77252480b19da6555 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 11 May 2020 14:28:51 -0700
+Subject: [PATCH] Update NEWS
+
+(cherry picked from commit b4afd21428e09133228fd84bf048157526c2c705)
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index cc1e992229..19fbb3adf2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.31
++
++- Core:
++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
++ (CVE-2019-11048) (cmb)
++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
++ files are not cleaned). (CVE-2019-11048) (cmb)
++
+ Backported from 7.2.30
+
+ - Standard:
diff --git a/php71.spec b/php71.spec
index 2d27acd..063b31b 100644
--- a/php71.spec
+++ b/php71.spec
@@ -118,7 +118,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 7%{?dist}
+Release: 8%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -193,6 +193,8 @@ Patch212: php-bug79282.patch
Patch213: php-bug79329.patch
Patch214: php-bug79330.patch
Patch215: php-bug79465.patch
+Patch216: php-bug78875.patch
+Patch217: php-bug78876.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1064,6 +1066,8 @@ support for JavaScript Object Notation (JSON) to PHP.
%patch213 -p1 -b .bug79329
%patch214 -p1 -b .bug79330
%patch215 -p1 -b .bug79465
+%patch216 -p1 -b .bug78875
+%patch217 -p1 -b .bug78876
# Fixes for tests
%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -2138,6 +2142,13 @@ EOF
%changelog
+* Tue May 12 2020 Remi Collet <remi@remirepo.net> - 7.1.33-8
+- Core:
+ Fix #78875 Long filenames cause OOM and temp files are not cleaned
+ CVE-2019-11048
+ Fix #78876 Long variables in multipart/form-data cause OOM and temp
+ files are not cleaned
+
* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.1.33-7
- standard:
Fix #79330 shell_exec silently truncates after a null byte