summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2020-03-17 09:34:59 +0100
committerRemi Collet <remi@remirepo.net>2020-03-17 09:34:59 +0100
commit9f6be3ba3d21582ce2bc0e2934e8bc3c71b18b38 (patch)
tree3cd80723c05a4bcbd9b31db616634e74a55ac960
parente45351ab26fc8ef71c133804d0999c0b64e0f1bb (diff)
standard:
Fix #79329 get_headers() silently truncates after a null byte CVE-2020-7066 exif: Fix #79282 Use-of-uninitialized-value in exif CVE-2020-7064 use oracle client library version 19.6 (18.5 on EL-6)
-rw-r--r--php-bug79282.patch107
-rw-r--r--php-bug79329.patch54
-rw-r--r--php71.spec17
3 files changed, 176 insertions, 2 deletions
diff --git a/php-bug79282.patch b/php-bug79282.patch
new file mode 100644
index 0000000..0ea2bae
--- /dev/null
+++ b/php-bug79282.patch
@@ -0,0 +1,107 @@
+From 8577fa5891220dac40d42b2f745fa159dcd871ad Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:26:00 -0700
+Subject: [PATCH] Fixed bug #79282
+
+(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216)
+---
+ ext/exif/exif.c | 7 ++++++-
+ ext/exif/tests/bug79282.phpt | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug79282.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 406fee4ff4..9130ceaf6d 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3243,6 +3243,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
+ {
+ unsigned exif_value_2a, offset_of_ifd;
+
++ if (length < 2) {
++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
++ return;
++ }
++
+ /* set the thumbnail stuff to nothing so we can test to see if they get set up */
+ if (memcmp(CharBuf, "II", 2) == 0) {
+ ImageInfo->motorola_intel = 0;
+@@ -3395,7 +3400,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo)
+ return FALSE;
+ }
+
+- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL);
++ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);
+ Data = ImageInfo->file.list[sn].data;
+
+ /* Store first two pre-read bytes. */
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+new file mode 100644
+index 0000000000..7b7e365657
+--- /dev/null
++++ b/ext/exif/tests/bug79282.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #79282: Use-of-uninitialized-value in exif
++--FILE--
++<?php
++
++var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
++
++?>
++--EXPECTF--
++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++
++Warning: exif_read_data(): File structure corrupted in %s on line %d
++
++Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++bool(false)
+From ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:55:28 -0700
+Subject: [PATCH] Fix test
+
+(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be)
+---
+ ext/exif/tests/bug79282.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index 7b7e365657..df91127c9c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
+
+ Warning: exif_read_data(): File structure corrupted in %s on line %d
+
+From b42b6d0ff774fdced1155cb0c721d91914d619f5 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:23:32 +0100
+Subject: [PATCH] fix test
+
+---
+ ext/exif/tests/bug79282.phpt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+index df91127c9c..142cf28a6c 100644
+--- a/ext/exif/tests/bug79282.phpt
++++ b/ext/exif/tests/bug79282.phpt
+@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
+
+ ?>
+ --EXPECTF--
+-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d
++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d
+
+-Warning: exif_read_data(): File structure corrupted in %s on line %d
++Warning: exif_read_data(%s): File structure corrupted in %s on line %d
+
+-Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d
+ bool(false)
diff --git a/php-bug79329.patch b/php-bug79329.patch
new file mode 100644
index 0000000..1dedb01
--- /dev/null
+++ b/php-bug79329.patch
@@ -0,0 +1,54 @@
+From b7b9302660a23a67285e204bc3d7fcf6ba7f6533 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Mar 2020 07:25:12 +0100
+Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0
+
+From 0d139c5b94a5f485a66901919e51faddb0371c43
+---
+ ext/standard/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 0eac03ee0a..39e5b1b2c2 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -660,7 +660,7 @@ PHP_FUNCTION(get_headers)
+ zval *zcontext = NULL;
+ php_stream_context *context;
+
+- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lr!", &url, &url_len, &format, &zcontext) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lr!", &url, &url_len, &format, &zcontext) == FAILURE) {
+ return;
+ }
+
+From 03471e31c9b467d1d8d944e44fa009ef247e81bd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 19:35:26 -0700
+Subject: [PATCH] [ci skip] Update NEWS
+
+(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5)
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 4233a530c1..f0bec6aa69 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.29
++
++- Core:
++ . Fixed bug #79329 (get_headers() silently truncates after a null byte)
++ (CVE-2020-7066) (cmb)
++
++- EXIF:
++ . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064)
++ (Nikita)
++
+ Backported from 7.2.28
+
+ - DOM:
diff --git a/php71.spec b/php71.spec
index 10b81db..07e33d0 100644
--- a/php71.spec
+++ b/php71.spec
@@ -34,7 +34,7 @@
%endif
%global oraclelib 18.1
%else
-%global oraclever 19.5
+%global oraclever 19.6
%global oraclelib 19.1
%endif
@@ -118,7 +118,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 5%{?dist}
+Release: 6%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -189,6 +189,8 @@ Patch208: php-bug79037.patch
Patch209: php-bug77569.patch
Patch210: php-bug79221.patch
Patch211: php-bug79082.patch
+Patch212: php-bug79282.patch
+Patch213: php-bug79329.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1056,6 +1058,8 @@ support for JavaScript Object Notation (JSON) to PHP.
%patch209 -p1 -b .bug77569
%patch210 -p1 -b .bug79221
%patch211 -p1 -b .bug79082
+%patch212 -p1 -b .bug79282
+%patch213 -p1 -b .bug79329
# Fixes for tests
%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -2130,6 +2134,15 @@ EOF
%changelog
+* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.1.33-6
+- standard:
+ Fix #79329 get_headers() silently truncates after a null byte
+ CVE-2020-7066
+- exif:
+ Fix #79282 Use-of-uninitialized-value in exif
+ CVE-2020-7064
+- use oracle client library version 19.6 (18.5 on EL-6)
+
* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.1.33-5
- dom:
Fix #77569 Write Access Violation in DomImplementation