diff options
| author | Remi Collet <remi@remirepo.net> | 2020-01-21 09:46:37 +0100 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2020-01-21 09:46:37 +0100 |
| commit | 9fd633180dddf5573aa49084454a9357b29b06bb (patch) | |
| tree | 7d9f1b6270c1e901a05c747d6e1825cec55ed9db | |
| parent | 0d443001c41652e457799d1134de2c2ab6420e08 (diff) | |
mbstring:
Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
CVE-2020-7060
session:
Fix #79091 heap use-after-free in session_create_id
standard:
Fix #79099 OOB read in php_strip_tags_ex
CVE-2020-7059
| -rw-r--r-- | failed.txt | 6 | ||||
| -rw-r--r-- | php-bug79037.patch | 96 | ||||
| -rw-r--r-- | php-bug79091.patch | 99 | ||||
| -rw-r--r-- | php-bug79099.patch | 81 | ||||
| -rw-r--r-- | php71.spec | 28 |
5 files changed, 307 insertions, 3 deletions
@@ -1,12 +1,14 @@ -===== 7.1.33 (2019-10-24) +===== 7.1.33-3 (2020-01-21) $ grep -r 'Tests failed' /var/lib/mock/*/build.log /var/lib/mock/el6i/build.log:Tests failed : 0 -/var/lib/mock/el6x/build.log:Tests failed : 0 +/var/lib/mock/el6x/build.log:Tests failed : 1 /var/lib/mock/el7x/build.log:Tests failed : 3 +el6x: + 1 Bug #69521 Segfault in gc_collect_cycles() [ext/standard/tests/streams/bug69521.phpt] el7x 4 Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt] 4 Bug #33415 [2] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-2.phpt] diff --git a/php-bug79037.patch b/php-bug79037.patch new file mode 100644 index 0000000..d488065 --- /dev/null +++ b/php-bug79037.patch @@ -0,0 +1,96 @@ +From 6639124e6e1fbfe81a6afe5ee9f0a1fee24d0856 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jan 2020 21:42:44 -0800 +Subject: [PATCH] Fix bug #79037 (global buffer-overflow in + `mbfl_filt_conv_big5_wchar`) + +(cherry picked from commit 2bcbc95f033c31b00595ed39f79c3a99b4ed0501) +--- + ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++----- + ext/mbstring/tests/bug79037.phpt | 10 ++++++++++ + 2 files changed, 22 insertions(+), 5 deletions(-) + create mode 100644 ext/mbstring/tests/bug79037.phpt + +diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +index f5ab8809ce..5e1ca815da 100644 +--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c ++++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = { + {0xf70f,0xf848,0xc740,0xc8fe}, + }; + ++static inline int is_in_cp950_pua(int c1, int c) { ++ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || ++ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) { ++ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe); ++ } ++ if (c1 == 0xc6) { ++ return c >= 0xa1 && c <= 0xfe; ++ } ++ return 0; ++} ++ + /* + * Big5 => wchar + */ +@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter) + + if (filter->from->no_encoding == mbfl_no_encoding_cp950) { + /* PUA for CP950 */ +- if (w <= 0 && +- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || +- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8)) +- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) || +- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) { ++ if (w <= 0 && is_in_cp950_pua(c1, c)) { + c2 = c1 << 8 | c; + for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) { + if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) { +diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt +new file mode 100644 +index 0000000000..94ff01a4a1 +--- /dev/null ++++ b/ext/mbstring/tests/bug79037.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` ++--FILE-- ++<?php ++ ++var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950")); ++ ++?> ++--EXPECT-- ++string(1) "?" +From 18d8f6f9033a35b33e4bbf8590cd6e653b45b6d7 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Tue, 21 Jan 2020 09:06:34 +0100 +Subject: [PATCH] update NEWS + +--- + NEWS | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/NEWS b/NEWS +index 25d352f784..e311fc78cc 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,18 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.27 ++ ++- Mbstring: ++ . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). ++ (CVE-2020-7060) (Nikita) ++ ++- Session: ++ . Fixed bug #79091 (heap use-after-free in session_create_id()). (cmb, Nikita) ++ ++- Standard: ++ . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb) ++ + Backported from 7.2.26 + + - Bcmath: diff --git a/php-bug79091.patch b/php-bug79091.patch new file mode 100644 index 0000000..ad3a5cc --- /dev/null +++ b/php-bug79091.patch @@ -0,0 +1,99 @@ +From 35c8a53c098cd828413a80ed7964146d50161c6c Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Mon, 20 Jan 2020 18:05:00 +0100 +Subject: [PATCH] Fix #79091: heap use-after-free in session_create_id() + +If the `new_id` is released, we must not use it again. + +(cherry picked from commit f79c7742746907d676989cb7f97fb4f7cd26789f) +--- + ext/session/session.c | 1 + + ext/session/tests/bug79091.phpt | 67 +++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+) + create mode 100644 ext/session/tests/bug79091.phpt + +diff --git a/ext/session/session.c b/ext/session/session.c +index 8d60ac249a..44ecb85f74 100644 +--- a/ext/session/session.c ++++ b/ext/session/session.c +@@ -2049,6 +2049,7 @@ static PHP_FUNCTION(session_create_id) + /* Detect collision and retry */ + if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) { + zend_string_release(new_id); ++ new_id = NULL; + continue; + } + break; +diff --git a/ext/session/tests/bug79091.phpt b/ext/session/tests/bug79091.phpt +new file mode 100644 +index 0000000000..1d14427159 +--- /dev/null ++++ b/ext/session/tests/bug79091.phpt +@@ -0,0 +1,67 @@ ++--TEST-- ++Bug #79091 (heap use-after-free in session_create_id()) ++--SKIPIF-- ++<?php ++if (!extension_loaded('session')) die('skip session extension not available'); ++?> ++--FILE-- ++<?php ++class MySessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface ++{ ++ public function close() ++ { ++ return true; ++ } ++ ++ public function destroy($session_id) ++ { ++ return true; ++ } ++ ++ public function gc($maxlifetime) ++ { ++ return true; ++ } ++ ++ public function open($save_path, $session_name) ++ { ++ return true; ++ } ++ ++ public function read($session_id) ++ { ++ return ''; ++ } ++ ++ public function write($session_id, $session_data) ++ { ++ return true; ++ } ++ ++ public function create_sid() ++ { ++ return uniqid(); ++ } ++ ++ public function updateTimestamp($key, $val) ++ { ++ return true; ++ } ++ ++ public function validateId($key) ++ { ++ return false; ++ } ++} ++ ++ob_start(); ++var_dump(session_set_save_handler(new MySessionHandler())); ++var_dump(session_start()); ++ob_flush(); ++session_create_id(); ++?> ++--EXPECTF-- ++bool(true) ++bool(true) ++ ++Warning: session_create_id(): Failed to create new ID in %s on line %d diff --git a/php-bug79099.patch b/php-bug79099.patch new file mode 100644 index 0000000..2e42a70 --- /dev/null +++ b/php-bug79099.patch @@ -0,0 +1,81 @@ +From f18f20c032482e34d5f94d747da16f8ae029a017 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jan 2020 21:33:17 -0800 +Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex + +(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09) +--- + ext/standard/string.c | 6 ++--- + ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/file/bug79099.phpt + +diff --git a/ext/standard/string.c b/ext/standard/string.c +index 922d4fceaf..c88135da6f 100644 +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -4781,7 +4781,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + if (state == 4) { + /* Inside <!-- comment --> */ + break; +- } else if (state == 2 && *(p-1) != '\\') { ++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { + if (lc == c) { + lc = '\0'; + } else if (lc != '\\') { +@@ -4808,7 +4808,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '!': + /* JavaScript & Other HTML scripting languages */ +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + state = 3; + lc = c; + } else { +@@ -4835,7 +4835,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '?': + +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + br=0; + state=2; + break; +diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt +new file mode 100644 +index 0000000000..7c842f4654 +--- /dev/null ++++ b/ext/standard/tests/file/bug79099.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #79099 (OOB read in php_strip_tags_ex) ++--FILE-- ++<?php ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<?\n\"\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++ ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<\0\n!\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++ ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<\0\n?\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++?> ++--EXPECT-- ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" @@ -118,7 +118,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -178,6 +178,14 @@ Patch91: php-5.6.3-oci8conf.patch # Upstream fixes (100+) # Security fixes (200+) +Patch201: php-bug78878.patch +Patch202: php-bug78862.patch +Patch203: php-bug78863.patch +Patch204: php-bug78793.patch +Patch205: php-bug78910.patch +Patch206: php-bug79091.patch +Patch207: php-bug79099.patch +Patch208: php-bug79037.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1032,6 +1040,14 @@ support for JavaScript Object Notation (JSON) to PHP. # upstream patches # security patches +%patch201 -p1 -b .bug78878 +%patch202 -p1 -b .bug78862 +%patch203 -p1 -b .bug78863 +%patch204 -p1 -b .bug78793 +%patch205 -p1 -b .bug78910 +%patch206 -p1 -b .bug79091 +%patch207 -p1 -b .bug79099 +%patch208 -p1 -b .bug79037 # Fixes for tests %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 @@ -2102,6 +2118,16 @@ EOF %changelog +* Tue Jan 21 2020 Remi Collet <remi@remirepo.net> - 7.1.33-3 +- mbstring: + Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar + CVE-2020-7060 +- session: + Fix #79091 heap use-after-free in session_create_id +- standard: + Fix #79099 OOB read in php_strip_tags_ex + CVE-2020-7059 + * Tue Dec 17 2019 Remi Collet <remi@remirepo.net> - 7.1.33-2 - bcmath: Fix #78878 Buffer underflow in bc_shift_addsub |