summaryrefslogtreecommitdiffstats
path: root/php-bug78862.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-12-17 17:57:09 +0100
committerRemi Collet <remi@remirepo.net>2019-12-17 17:57:09 +0100
commit0d443001c41652e457799d1134de2c2ab6420e08 (patch)
tree82649e9f534e050ea3ab512bcfac91ecaa30524a /php-bug78862.patch
parentd6128b53b1aa6b71cd4cae6113c821fddab7c464 (diff)
- bcmath:
Fix #78878 Buffer underflow in bc_shift_addsub CVE-2019-11046 - core: Fix #78862 link() silently truncates after a null byte on Windows CVE-2019-11044 Fix #78863 DirectoryIterator class silently truncates after a null byte CVE-2019-11045 - exif Fix #78793 Use-after-free in exif parsing under memory sanitizer CVE-2019-11050 Fix #78910 Heap-buffer-overflow READ in exif CVE-2019-11047 - use oracle client library version 19.5 (18.5 on EL-6)
Diffstat (limited to 'php-bug78862.patch')
-rw-r--r--php-bug78862.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/php-bug78862.patch b/php-bug78862.patch
new file mode 100644
index 0000000..cf9a338
--- /dev/null
+++ b/php-bug78862.patch
@@ -0,0 +1,68 @@
+From 4a9f72a29b086f40ff6529bbd28b843b5e902ebd Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 10:57:12 +0100
+Subject: [PATCH] Fix #78862: link() silently truncates after a null byte on
+ Windows
+
+Since link() is supposed to accepts paths (i.e. strings without NUL
+bytes), we must not accept arbitrary strings.
+
+(cherry picked from commit 0e6c0654ed06751ced134515f7629c40bd979d7f)
+---
+ NEWS | 4 ++++
+ ext/standard/link_win32.c | 2 +-
+ .../tests/file/windows_links/bug78862.phpt | 17 +++++++++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/file/windows_links/bug78862.phpt
+
+diff --git a/NEWS b/NEWS
+index ec0247e1f1..93f18b9c8e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ Backported from 7.2.26
+ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
+ (cmb)
+
++- Core:
++ . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
++ (CVE-2019-11044). (cmb)
++
+ 24 Oct 2019, PHP 7.1.33
+
+ - FPM:
+diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c
+index b46dee6a26..0197ec02af 100644
+--- a/ext/standard/link_win32.c
++++ b/ext/standard/link_win32.c
+@@ -211,7 +211,7 @@ PHP_FUNCTION(link)
+
+ /*First argument to link function is the target and hence should go to frompath
+ Second argument to link function is the link itself and hence should go to topath */
+- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
+ return;
+ }
+
+diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt
+new file mode 100644
+index 0000000000..33b4b49293
+--- /dev/null
++++ b/ext/standard/tests/file/windows_links/bug78862.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78862 (link() silently truncates after a null byte on Windows)
++--FILE--
++<?php
++file_put_contents(__DIR__ . '/bug78862.target', 'foo');
++var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more"));
++var_dump(file_exists(__DIR__ . '/bug78862.link'));
++?>
++--EXPECTF--
++Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d
++NULL
++bool(false)
++--CLEAN--
++<?php
++unlink(__DIR__ . '/bug78862.target');
++unlink(__DIR__ . '/bug78862.link');
++?>