From 37eeab3864b96768419ed0ee5492bca293ad003c Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Apr 2020 11:01:37 +0200
Subject: standard:   Fix #79330 shell_exec silently truncates after a null
 byte   Fix #79465 OOB Read in urldecode   CVE-2020-7067

---
 php-bug79330.patch | 31 +++++++++++++++++++++++++++++
 php-bug79465.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php71.spec         | 12 ++++++++++-
 3 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 php-bug79330.patch
 create mode 100644 php-bug79465.patch

diff --git a/php-bug79330.patch b/php-bug79330.patch
new file mode 100644
index 0000000..4698880
--- /dev/null
+++ b/php-bug79330.patch
@@ -0,0 +1,31 @@
+From edd1ff390be461e9ae5c69237358beddee4655a4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:00:44 -0700
+Subject: [PATCH] Fix bug #79330 - make all execution modes consistent in
+ rejecting \0
+
+(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62)
+---
+ ext/standard/exec.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ext/standard/exec.c b/ext/standard/exec.c
+index 8af11801ad..02d9539f73 100644
+--- a/ext/standard/exec.c
++++ b/ext/standard/exec.c
+@@ -524,6 +524,15 @@ PHP_FUNCTION(shell_exec)
+ 		return;
+ 	}
+ 
++	if (!command_len) {
++		php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
++		RETURN_FALSE;
++	}
++	if (strlen(command) != command_len) {
++		php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
++		RETURN_FALSE;
++	}
++
+ #ifdef PHP_WIN32
+ 	if ((in=VCWD_POPEN(command, "rt"))==NULL) {
+ #else
diff --git a/php-bug79465.patch b/php-bug79465.patch
new file mode 100644
index 0000000..9dd39ab
--- /dev/null
+++ b/php-bug79465.patch
@@ -0,0 +1,58 @@
+From 3a81a8f4d47c1b628da3b3a2db433d8cc7146bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 13 Apr 2020 21:07:04 -0700
+Subject: [PATCH] Fix bug #79465 - use unsigneds as indexes.
+
+(cherry picked from commit 9d6bf8221b05f86ce5875832f0f646c4c1f218be)
+---
+ ext/standard/url.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 39e5b1b2c2..4cc1f77aec 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -540,7 +540,7 @@ PHPAPI size_t php_url_decode(char *str, size_t len)
+ #ifndef CHARSET_EBCDIC
+ 			*dest = (char) php_htoi(data + 1);
+ #else
+-			*dest = os_toebcdic[(char) php_htoi(data + 1)];
++			*dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ 			data += 2;
+ 			len -= 2;
+@@ -632,7 +632,7 @@ PHPAPI size_t php_raw_url_decode(char *str, size_t len)
+ #ifndef CHARSET_EBCDIC
+ 			*dest = (char) php_htoi(data + 1);
+ #else
+-			*dest = os_toebcdic[(char) php_htoi(data + 1)];
++			*dest = os_toebcdic[(unsigned char) php_htoi(data + 1)];
+ #endif
+ 			data += 2;
+ 			len -= 2;
+From bd4a5ebe653f36ea7705fbc95a6ec4842d7f86fc Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 14 Apr 2020 08:02:28 +0200
+Subject: [PATCH] NEWS
+
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index f0bec6aa69..cc1e992229 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.2.30
++
++- Standard:
++  . Fixed bug #79330 (shell_exec silently truncates after a null byte). (stas)
++  . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) (stas)
++
+ Backported from 7.2.29
+ 
+ - Core: 
diff --git a/php71.spec b/php71.spec
index 07e33d0..2d27acd 100644
--- a/php71.spec
+++ b/php71.spec
@@ -118,7 +118,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 6%{?dist}
+Release: 7%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -191,6 +191,8 @@ Patch210: php-bug79221.patch
 Patch211: php-bug79082.patch
 Patch212: php-bug79282.patch
 Patch213: php-bug79329.patch
+Patch214: php-bug79330.patch
+Patch215: php-bug79465.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1060,6 +1062,8 @@ support for JavaScript Object Notation (JSON) to PHP.
 %patch211 -p1 -b .bug79082
 %patch212 -p1 -b .bug79282
 %patch213 -p1 -b .bug79329
+%patch214 -p1 -b .bug79330
+%patch215 -p1 -b .bug79465
 
 # Fixes for tests
 %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -2134,6 +2138,12 @@ EOF
 
 
 %changelog
+* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.1.33-7
+- standard:
+  Fix #79330 shell_exec silently truncates after a null byte
+  Fix #79465 OOB Read in urldecode
+  CVE-2020-7067
+
 * Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.1.33-6
 - standard:
   Fix #79329 get_headers() silently truncates after a null byte
-- 
cgit