From 6523f67414995383f44dceb192a2fef7bb0e5ba3 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 18 Feb 2020 07:33:09 +0100 Subject: dom: Fix #77569 Write Access Violation in DomImplementation phar: Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions CVE-2020-7063 session: Fix #79221 Null Pointer Dereference in PHP Session Upload Progress CVE-2020-7062 --- failed.txt | 2 +- php-bug77569.patch | 100 ++++++++++++++++++++++++++++++++++++ php-bug79082.patch | 146 +++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug79221.patch | 83 ++++++++++++++++++++++++++++++ php71.spec | 18 ++++++- 5 files changed, 347 insertions(+), 2 deletions(-) create mode 100644 php-bug77569.patch create mode 100644 php-bug79082.patch create mode 100644 php-bug79221.patch diff --git a/failed.txt b/failed.txt index 490e22b..4c04e99 100644 --- a/failed.txt +++ b/failed.txt @@ -1,4 +1,4 @@ -===== 7.1.33-3 (2020-01-21) +===== 7.1.33-5 (2020-02-18) $ grep -r 'Tests failed' /var/lib/mock/*/build.log diff --git a/php-bug77569.patch b/php-bug77569.patch new file mode 100644 index 0000000..459372a --- /dev/null +++ b/php-bug77569.patch @@ -0,0 +1,100 @@ +From 2ee92db814827e4484d997c91b75034995e6f99e Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Thu, 13 Feb 2020 15:13:26 +0100 +Subject: [PATCH] Fix #77569: Write Acess Violation in DomImplementation + +We must not assume that the zval IS_STRING. + +(cherry picked from commit cec8b24c848bab8562c82422f3692c193f0afcdb) +--- + NEWS | 6 ++++++ + ext/dom/document.c | 2 +- + ext/dom/tests/bug77569.phpt | 14 ++++++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/dom/tests/bug77569.phpt + +diff --git a/NEWS b/NEWS +index e311fc78cc..0743c78268 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.28 ++ ++- DOM: ++ . Fixed bug #77569: (Write Acess Violation in DomImplementation). (Nikita, ++ cmb) ++ + Backported from 7.2.27 + + - Mbstring: +diff --git a/ext/dom/document.c b/ext/dom/document.c +index c9e1802f78..11ef4aa818 100644 +--- a/ext/dom/document.c ++++ b/ext/dom/document.c +@@ -341,7 +341,7 @@ int dom_document_encoding_write(dom_object *obj, zval *newval) + + str = zval_get_string(newval); + +- handler = xmlFindCharEncodingHandler(Z_STRVAL_P(newval)); ++ handler = xmlFindCharEncodingHandler(ZSTR_VAL(str)); + + if (handler != NULL) { + xmlCharEncCloseFunc(handler); +diff --git a/ext/dom/tests/bug77569.phpt b/ext/dom/tests/bug77569.phpt +new file mode 100644 +index 0000000000..f0f3566708 +--- /dev/null ++++ b/ext/dom/tests/bug77569.phpt +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #77569 (Write Acess Violation in DomImplementation) ++--SKIPIF-- ++ ++--FILE-- ++createDocument("", ""); ++$dom->encoding = null; ++?> ++--EXPECTF-- ++Warning: main(): Invalid Document Encoding in %s on line %d +From 08374ddcc45940dc341afc68de505599f1839e64 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Fri, 14 Feb 2020 09:21:13 +0100 +Subject: [PATCH] Fix typo in recent bugfix + +(cherry picked from commit 8308196c97418ba4c8381bed0962ae160623027a) +--- + NEWS | 2 +- + ext/dom/tests/bug77569.phpt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index 0743c78268..7e220aae24 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,7 +4,7 @@ PHP NEWS + Backported from 7.2.28 + + - DOM: +- . Fixed bug #77569: (Write Acess Violation in DomImplementation). (Nikita, ++ . Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita, + cmb) + + Backported from 7.2.27 +diff --git a/ext/dom/tests/bug77569.phpt b/ext/dom/tests/bug77569.phpt +index f0f3566708..9eef2af65a 100644 +--- a/ext/dom/tests/bug77569.phpt ++++ b/ext/dom/tests/bug77569.phpt +@@ -1,5 +1,5 @@ + --TEST-- +-Bug #77569 (Write Acess Violation in DomImplementation) ++Bug #77569 (Write Access Violation in DomImplementation) + --SKIPIF-- + +Date: Sat, 15 Feb 2020 22:17:14 -0800 +Subject: [PATCH] Fix bug #79082 - Files added to tar with + Phar::buildFromIterator have all-access permissions + +(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6) +--- + ext/phar/phar_object.c | 11 +++++ + ext/phar/tests/bug79082.phpt | 52 ++++++++++++++++++++ + ext/phar/tests/test79082/test79082-testfile | 1 + + ext/phar/tests/test79082/test79082-testfile2 | 1 + + 4 files changed, 65 insertions(+) + create mode 100644 ext/phar/tests/bug79082.phpt + create mode 100644 ext/phar/tests/test79082/test79082-testfile + create mode 100644 ext/phar/tests/test79082/test79082-testfile2 + +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index c1ba97a195..b22a6acf90 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -1439,6 +1439,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */ + char *str_key; + zend_class_entry *ce = p_obj->c; + phar_archive_object *phar_obj = p_obj->p; ++ php_stream_statbuf ssb; + + value = iter->funcs->get_current_data(iter); + +@@ -1718,6 +1719,16 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */ + php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len); + data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize = + php_stream_tell(p_obj->fp) - data->internal_file->offset; ++ if (php_stream_stat(fp, &ssb) != -1) { ++ data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ; ++ } else { ++#ifndef _WIN32 ++ mode_t mask; ++ mask = umask(0); ++ umask(mask); ++ data->internal_file->flags &= ~mask; ++#endif ++ } + } + + if (close_fp) { +diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt +new file mode 100644 +index 0000000000..ca453d1b57 +--- /dev/null ++++ b/ext/phar/tests/bug79082.phpt +@@ -0,0 +1,52 @@ ++--TEST-- ++Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions ++--SKIPIF-- ++ ++--FILE-- ++ 'tar', Phar::ZIP => 'zip'] as $mode => $ext) { ++ clearstatcache(); ++ $phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode); ++ $phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082'); ++ $phar->extractTo(__DIR__); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode'])); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode'])); ++ unlink(__DIR__ . '/test79082-testfile'); ++ unlink(__DIR__ . '/test79082-testfile2'); ++} ++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) { ++ clearstatcache(); ++ $phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode); ++ $phar->buildFromDirectory(__DIR__ . '/test79082'); ++ $phar->extractTo(__DIR__); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode'])); ++ var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode'])); ++ unlink(__DIR__ . '/test79082-testfile'); ++ unlink(__DIR__ . '/test79082-testfile2'); ++} ++?> ++--CLEAN-- ++ ++--EXPECT-- ++string(2) "22" ++string(6) "100644" ++string(6) "100400" ++string(6) "100644" ++string(6) "100400" ++string(6) "100644" ++string(6) "100400" ++string(6) "100644" ++string(6) "100400" +diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile +new file mode 100644 +index 0000000000..9daeafb986 +--- /dev/null ++++ b/ext/phar/tests/test79082/test79082-testfile +@@ -0,0 +1 @@ ++test +diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2 +new file mode 100644 +index 0000000000..9daeafb986 +--- /dev/null ++++ b/ext/phar/tests/test79082/test79082-testfile2 +@@ -0,0 +1 @@ ++test +From f59b90d7c7d5b593fdde3fda1195490125d0f170 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 18 Feb 2020 06:34:16 +0100 +Subject: [PATCH] NEWS + +--- + NEWS | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/NEWS b/NEWS +index 7e220aae24..4233a530c1 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,14 @@ Backported from 7.2.28 + . Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita, + cmb) + ++- Phar: ++ . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have ++ all-access permissions). (CVE-2020-7063) (stas) ++ ++- Session: ++ . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). ++ (CVE-2020-7062) (stas) ++ + Backported from 7.2.27 + + - Mbstring: diff --git a/php-bug79221.patch b/php-bug79221.patch new file mode 100644 index 0000000..f687d40 --- /dev/null +++ b/php-bug79221.patch @@ -0,0 +1,83 @@ +From 4438b2844e80d9533587d558f4411f29d17de2c1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 15 Feb 2020 20:52:19 -0800 +Subject: [PATCH] Fix bug #79221 - Null Pointer Dereference in PHP Session + Upload Progress + +(cherry picked from commit d76f7c6c636b8240e06a1fa29eebb98ad005008a) +--- + ext/session/session.c | 8 +++--- + ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+), 3 deletions(-) + create mode 100644 ext/session/tests/bug79221.phpt + +diff --git a/ext/session/session.c b/ext/session/session.c +index 44ecb85f74..ee52d24fcc 100644 +--- a/ext/session/session.c ++++ b/ext/session/session.c +@@ -2999,9 +2999,11 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo + if (PS(rfc1867_cleanup)) { + php_session_rfc1867_cleanup(progress); + } else { +- add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1); +- Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; +- php_session_rfc1867_update(progress, 1); ++ if (!Z_ISUNDEF(progress->data)) { ++ add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1); ++ Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; ++ php_session_rfc1867_update(progress, 1); ++ } + } + php_rshutdown_session_globals(); + } +diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt +new file mode 100644 +index 0000000000..b0972c4697 +--- /dev/null ++++ b/ext/session/tests/bug79221.phpt +@@ -0,0 +1,45 @@ ++--TEST-- ++Null Pointer Dereference in PHP Session Upload Progress ++--INI-- ++error_reporting=0 ++file_uploads=1 ++upload_max_filesize=1024 ++session.save_path= ++session.name=PHPSESSID ++session.serialize_handler=php ++session.use_strict_mode=0 ++session.use_cookies=1 ++session.use_only_cookies=0 ++session.upload_progress.enabled=1 ++session.upload_progress.cleanup=0 ++session.upload_progress.prefix=upload_progress_ ++session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS ++session.upload_progress.freq=1% ++session.upload_progress.min_freq=0.000000001 ++--COOKIE-- ++PHPSESSID=session-upload ++--POST_RAW-- ++Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 ++-----------------------------20896060251896012921717172737 ++Content-Disposition: form-data; name="PHPSESSID" ++ ++session-upload ++-----------------------------20896060251896012921717172737 ++Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS" ++ ++ryat ++-----------------------------20896060251896012921717172737 ++Content-Disposition: form-data; file="file"; ryat="filename" ++ ++1 ++-----------------------------20896060251896012921717172737-- ++--FILE-- ++= 25 || 0%{?rhel} >= 6 @@ -2119,6 +2125,16 @@ EOF %changelog +* Tue Feb 18 2020 Remi Collet - 7.1.33-5 +- dom: + Fix #77569 Write Access Violation in DomImplementation +- phar: + Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions + CVE-2020-7063 +- session: + Fix #79221 Null Pointer Dereference in PHP Session Upload Progress + CVE-2020-7062 + * Thu Jan 23 2020 Remi Collet - 7.1.33-4 - mbstring: Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar -- cgit