From 6523f67414995383f44dceb192a2fef7bb0e5ba3 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 18 Feb 2020 07:33:09 +0100
Subject: dom:   Fix #77569 Write Access Violation in DomImplementation phar:  
 Fix #79082 Files added to tar with Phar::buildFromIterator have all-access
 permissions   CVE-2020-7063 session:   Fix #79221 Null Pointer Dereference in
 PHP Session Upload Progress   CVE-2020-7062

---
 failed.txt         |   2 +-
 php-bug77569.patch | 100 ++++++++++++++++++++++++++++++++++++
 php-bug79082.patch | 146 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 php-bug79221.patch |  83 ++++++++++++++++++++++++++++++
 php71.spec         |  18 ++++++-
 5 files changed, 347 insertions(+), 2 deletions(-)
 create mode 100644 php-bug77569.patch
 create mode 100644 php-bug79082.patch
 create mode 100644 php-bug79221.patch

diff --git a/failed.txt b/failed.txt
index 490e22b..4c04e99 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.1.33-3 (2020-01-21)
+===== 7.1.33-5 (2020-02-18)
 
 $ grep -r 'Tests failed' /var/lib/mock/*/build.log
 
diff --git a/php-bug77569.patch b/php-bug77569.patch
new file mode 100644
index 0000000..459372a
--- /dev/null
+++ b/php-bug77569.patch
@@ -0,0 +1,100 @@
+From 2ee92db814827e4484d997c91b75034995e6f99e Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 13 Feb 2020 15:13:26 +0100
+Subject: [PATCH] Fix #77569: Write Acess Violation in DomImplementation
+
+We must not assume that the zval IS_STRING.
+
+(cherry picked from commit cec8b24c848bab8562c82422f3692c193f0afcdb)
+---
+ NEWS                        |  6 ++++++
+ ext/dom/document.c          |  2 +-
+ ext/dom/tests/bug77569.phpt | 14 ++++++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/dom/tests/bug77569.phpt
+
+diff --git a/NEWS b/NEWS
+index e311fc78cc..0743c78268 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.2.28
++
++- DOM:
++  . Fixed bug #77569: (Write Acess Violation in DomImplementation). (Nikita,
++    cmb)
++
+ Backported from 7.2.27
+ 
+ - Mbstring:
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index c9e1802f78..11ef4aa818 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -341,7 +341,7 @@ int dom_document_encoding_write(dom_object *obj, zval *newval)
+ 
+ 	str = zval_get_string(newval);
+ 
+-	handler = xmlFindCharEncodingHandler(Z_STRVAL_P(newval));
++	handler = xmlFindCharEncodingHandler(ZSTR_VAL(str));
+ 
+     if (handler != NULL) {
+ 		xmlCharEncCloseFunc(handler);
+diff --git a/ext/dom/tests/bug77569.phpt b/ext/dom/tests/bug77569.phpt
+new file mode 100644
+index 0000000000..f0f3566708
+--- /dev/null
++++ b/ext/dom/tests/bug77569.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #77569 (Write Acess Violation in DomImplementation)
++--SKIPIF--
++<?php
++if (!extension_loaded('dom')) die('skip dom extension not available');
++?>
++--FILE--
++<?php
++$imp = new DOMImplementation;
++$dom = $imp->createDocument("", "");
++$dom->encoding = null;
++?>
++--EXPECTF--
++Warning: main(): Invalid Document Encoding in %s on line %d
+From 08374ddcc45940dc341afc68de505599f1839e64 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 14 Feb 2020 09:21:13 +0100
+Subject: [PATCH] Fix typo in recent bugfix
+
+(cherry picked from commit 8308196c97418ba4c8381bed0962ae160623027a)
+---
+ NEWS                        | 2 +-
+ ext/dom/tests/bug77569.phpt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 0743c78268..7e220aae24 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,7 +4,7 @@ PHP                                                                        NEWS
+ Backported from 7.2.28
+ 
+ - DOM:
+-  . Fixed bug #77569: (Write Acess Violation in DomImplementation). (Nikita,
++  . Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita,
+     cmb)
+ 
+ Backported from 7.2.27
+diff --git a/ext/dom/tests/bug77569.phpt b/ext/dom/tests/bug77569.phpt
+index f0f3566708..9eef2af65a 100644
+--- a/ext/dom/tests/bug77569.phpt
++++ b/ext/dom/tests/bug77569.phpt
+@@ -1,5 +1,5 @@
+ --TEST--
+-Bug #77569 (Write Acess Violation in DomImplementation)
++Bug #77569 (Write Access Violation in DomImplementation)
+ --SKIPIF--
+ <?php
+ if (!extension_loaded('dom')) die('skip dom extension not available');
diff --git a/php-bug79082.patch b/php-bug79082.patch
new file mode 100644
index 0000000..5ad894a
--- /dev/null
+++ b/php-bug79082.patch
@@ -0,0 +1,146 @@
+From d1b4f9477f43c55cfb631e7c60d5b3568bdc889c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 22:17:14 -0800
+Subject: [PATCH] Fix bug #79082 - Files added to tar with
+ Phar::buildFromIterator have all-access permissions
+
+(cherry picked from commit e5c95234d87fcb8f6b7569a96a89d1e1544749a6)
+---
+ ext/phar/phar_object.c                       | 11 +++++
+ ext/phar/tests/bug79082.phpt                 | 52 ++++++++++++++++++++
+ ext/phar/tests/test79082/test79082-testfile  |  1 +
+ ext/phar/tests/test79082/test79082-testfile2 |  1 +
+ 4 files changed, 65 insertions(+)
+ create mode 100644 ext/phar/tests/bug79082.phpt
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile
+ create mode 100644 ext/phar/tests/test79082/test79082-testfile2
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index c1ba97a195..b22a6acf90 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -1439,6 +1439,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
+ 	char *str_key;
+ 	zend_class_entry *ce = p_obj->c;
+ 	phar_archive_object *phar_obj = p_obj->p;
++	php_stream_statbuf ssb;
+ 
+ 	value = iter->funcs->get_current_data(iter);
+ 
+@@ -1718,6 +1719,16 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
+ 		php_stream_copy_to_stream_ex(fp, p_obj->fp, PHP_STREAM_COPY_ALL, &contents_len);
+ 		data->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =
+ 			php_stream_tell(p_obj->fp) - data->internal_file->offset;
++		if (php_stream_stat(fp, &ssb) != -1) {
++			data->internal_file->flags = ssb.sb.st_mode & PHAR_ENT_PERM_MASK ;
++		} else {
++#ifndef _WIN32
++			mode_t mask;
++			mask = umask(0);
++			umask(mask);
++			data->internal_file->flags &= ~mask;
++#endif
++		}
+ 	}
+ 
+ 	if (close_fp) {
+diff --git a/ext/phar/tests/bug79082.phpt b/ext/phar/tests/bug79082.phpt
+new file mode 100644
+index 0000000000..ca453d1b57
+--- /dev/null
++++ b/ext/phar/tests/bug79082.phpt
+@@ -0,0 +1,52 @@
++--TEST--
++Phar: Bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
++--SKIPIF--
++<?php 
++if (!extension_loaded("phar")) die("skip"); 
++if (defined("PHP_WINDOWS_VERSION_MAJOR")) die("skip not for Windows")
++?>
++--FILE--
++<?php
++umask(022);
++var_dump(decoct(umask()));
++chmod(__DIR__ . '/test79082/test79082-testfile', 0644);
++chmod(__DIR__ . '/test79082/test79082-testfile2', 0400);
++
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++	clearstatcache();
++	$phar = new PharData(__DIR__ . '/test79082.' . $ext, null, null, $mode);
++	$phar->buildFromIterator(new \RecursiveDirectoryIterator(__DIR__ . '/test79082', \FilesystemIterator::SKIP_DOTS), __DIR__ . '/test79082');
++	$phar->extractTo(__DIR__);
++	var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++	var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++	unlink(__DIR__ . '/test79082-testfile');
++	unlink(__DIR__ . '/test79082-testfile2');
++}
++foreach([Phar::TAR => 'tar', Phar::ZIP => 'zip'] as $mode => $ext) {
++	clearstatcache();
++	$phar = new PharData(__DIR__ . '/test79082-d.' . $ext, null, null, $mode);
++	$phar->buildFromDirectory(__DIR__ . '/test79082');
++	$phar->extractTo(__DIR__);
++	var_dump(decoct(stat(__DIR__ . '/test79082-testfile')['mode']));
++	var_dump(decoct(stat(__DIR__ . '/test79082-testfile2')['mode']));
++	unlink(__DIR__ . '/test79082-testfile');
++	unlink(__DIR__ . '/test79082-testfile2');
++}
++?>
++--CLEAN--
++<?
++unlink(__DIR__ . '/test79082.tar');
++unlink(__DIR__ . '/test79082.zip');
++unlink(__DIR__ . '/test79082-d.tar');
++unlink(__DIR__ . '/test79082-d.zip');
++?>
++--EXPECT--
++string(2) "22"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
++string(6) "100644"
++string(6) "100400"
+diff --git a/ext/phar/tests/test79082/test79082-testfile b/ext/phar/tests/test79082/test79082-testfile
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile
+@@ -0,0 +1 @@
++test
+diff --git a/ext/phar/tests/test79082/test79082-testfile2 b/ext/phar/tests/test79082/test79082-testfile2
+new file mode 100644
+index 0000000000..9daeafb986
+--- /dev/null
++++ b/ext/phar/tests/test79082/test79082-testfile2
+@@ -0,0 +1 @@
++test
+From f59b90d7c7d5b593fdde3fda1195490125d0f170 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 18 Feb 2020 06:34:16 +0100
+Subject: [PATCH] NEWS
+
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 7e220aae24..4233a530c1 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,14 @@ Backported from 7.2.28
+   . Fixed bug #77569: (Write Access Violation in DomImplementation). (Nikita,
+     cmb)
+ 
++- Phar:
++  . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have
++    all-access permissions). (CVE-2020-7063) (stas)
++
++- Session:
++  . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress).
++    (CVE-2020-7062) (stas)
++
+ Backported from 7.2.27
+ 
+ - Mbstring:
diff --git a/php-bug79221.patch b/php-bug79221.patch
new file mode 100644
index 0000000..f687d40
--- /dev/null
+++ b/php-bug79221.patch
@@ -0,0 +1,83 @@
+From 4438b2844e80d9533587d558f4411f29d17de2c1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 15 Feb 2020 20:52:19 -0800
+Subject: [PATCH] Fix bug #79221 - Null Pointer Dereference in PHP Session
+ Upload Progress
+
+(cherry picked from commit d76f7c6c636b8240e06a1fa29eebb98ad005008a)
+---
+ ext/session/session.c           |  8 +++---
+ ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 3 deletions(-)
+ create mode 100644 ext/session/tests/bug79221.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index 44ecb85f74..ee52d24fcc 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -2999,9 +2999,11 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
+ 				if (PS(rfc1867_cleanup)) {
+ 					php_session_rfc1867_cleanup(progress);
+ 				} else {
+-					add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
+-					Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+-					php_session_rfc1867_update(progress, 1);
++					if (!Z_ISUNDEF(progress->data)) {
++						add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
++						Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
++						php_session_rfc1867_update(progress, 1);
++					}
+ 				}
+ 				php_rshutdown_session_globals();
+ 			}
+diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt
+new file mode 100644
+index 0000000000..b0972c4697
+--- /dev/null
++++ b/ext/session/tests/bug79221.phpt
+@@ -0,0 +1,45 @@
++--TEST--
++Null Pointer Dereference in PHP Session Upload Progress
++--INI--
++error_reporting=0
++file_uploads=1
++upload_max_filesize=1024
++session.save_path=
++session.name=PHPSESSID
++session.serialize_handler=php
++session.use_strict_mode=0
++session.use_cookies=1
++session.use_only_cookies=0
++session.upload_progress.enabled=1
++session.upload_progress.cleanup=0
++session.upload_progress.prefix=upload_progress_
++session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
++session.upload_progress.freq=1%
++session.upload_progress.min_freq=0.000000001
++--COOKIE--
++PHPSESSID=session-upload
++--POST_RAW--
++Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHPSESSID"
++
++session-upload
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
++
++ryat
++-----------------------------20896060251896012921717172737
++Content-Disposition: form-data; file="file"; ryat="filename"
++
++1
++-----------------------------20896060251896012921717172737--
++--FILE--
++<?php
++
++session_start();
++var_dump($_SESSION);
++session_destroy();
++
++--EXPECTF--
++array(0) {
++}
diff --git a/php71.spec b/php71.spec
index bf6cfee..7c0387b 100644
--- a/php71.spec
+++ b/php71.spec
@@ -118,7 +118,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 4%{?dist}
+Release: 5%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -186,6 +186,9 @@ Patch205: php-bug78910.patch
 Patch206: php-bug79091.patch
 Patch207: php-bug79099.patch
 Patch208: php-bug79037.patch
+Patch209: php-bug77569.patch
+Patch210: php-bug79221.patch
+Patch211: php-bug79082.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1048,6 +1051,9 @@ support for JavaScript Object Notation (JSON) to PHP.
 %patch206 -p1 -b .bug79091
 %patch207 -p1 -b .bug79099
 %patch208 -p1 -b .bug79037
+%patch209 -p1 -b .bug77569
+%patch210 -p1 -b .bug79221
+%patch211 -p1 -b .bug79082
 
 # Fixes for tests
 %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -2119,6 +2125,16 @@ EOF
 
 
 %changelog
+* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.1.33-5
+- dom:
+  Fix #77569 Write Access Violation in DomImplementation
+- phar:
+  Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
+  CVE-2020-7063
+- session:
+  Fix #79221 Null Pointer Dereference in PHP Session Upload Progress
+  CVE-2020-7062
+
 * Thu Jan 23 2020 Remi Collet <remi@remirepo.net> - 7.1.33-4
 - mbstring:
   Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
-- 
cgit