fix PHP-FPM oob R/W in root process leading to priv escalation

CVE-2021-21703 use libicu version 69 use oracle client library version 21.3
author: Remi Collet <remi@remirepo.net> 2021-10-20 12:15:22 +0200
committer: Remi Collet <remi@php.net> 2021-10-20 12:15:22 +0200
commit: 1e0b327cdd97a276a06c81ba22d2308bb003807a (patch)
tree: 1ecc637e5c2a3e4a371b87bf5c5e53145e4aee9a
parent: d9d789e77a047aaa4806994269a847c74b5ecf29 (diff)
4 files changed, 428 insertions, 5 deletions
diff --git a/failed.txt b/failed.txt
index e58e9f9..bc545ee 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.2.34-6 (2021-06-28)
+===== 7.2.34-9 (2021-10-20)
 
 $ grep -r 'Tests failed' /var/lib/mock/{fc,el}*/build.log
 
diff --git a/php-7.1.33-intl.patch b/php-7.1.33-intl.patch
new file mode 100644
index 0000000..961fd89
--- /dev/null
+++ b/php-7.1.33-intl.patch
@@ -0,0 +1,13 @@
+diff -up ./ext/intl/collator/collator_sort.c.old ./ext/intl/collator/collator_sort.c
+diff -up ./ext/intl/config.m4.old ./ext/intl/config.m4
+--- ./ext/intl/config.m4.old	2021-09-07 07:38:38.698104692 +0200
++++ ./ext/intl/config.m4	2021-09-07 07:38:42.909098288 +0200
+@@ -9,7 +9,7 @@ if test "$PHP_INTL" != "no"; then
+   PHP_SETUP_ICU(INTL_SHARED_LIBADD)
+   PHP_SUBST(INTL_SHARED_LIBADD)
+   PHP_REQUIRE_CXX()
+-  INTL_COMMON_FLAGS="$ICU_INCS -Wno-write-strings -D__STDC_LIMIT_MACROS -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1"
++  INTL_COMMON_FLAGS="$ICU_INCS -Wno-write-strings -DU_DEFINE_FALSE_AND_TRUE=1 -D__STDC_LIMIT_MACROS -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1"
+   if test "$icu_version" -ge "4002"; then
+     icu_spoof_src=" spoofchecker/spoofchecker_class.c \
+     spoofchecker/spoofchecker.c\
diff --git a/php-bug81026.patch b/php-bug81026.patch
new file mode 100644
index 0000000..ed235a8
--- /dev/null
+++ b/php-bug81026.patch
@@ -0,0 +1,400 @@
+From 59246b568fb454eb7097d7d5329bcacf22c0882c Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sat, 2 Oct 2021 22:53:41 +0100
+Subject: [PATCH] Fix bug #81026 (PHP-FPM oob R/W in root process leading to
+ priv escalation)
+
+The main change is to store scoreboard procs directly to the variable sized
+array rather than indirectly through the pointer.
+
+Signed-off-by: Stanislav Malyshev <stas@php.net>
+(cherry picked from commit cb2021e5f69da5e2868130a05bb53db0f9f89e4b)
+---
+ sapi/fpm/fpm/fpm_children.c    |  14 ++---
+ sapi/fpm/fpm/fpm_request.c     |   4 +-
+ sapi/fpm/fpm/fpm_scoreboard.c  | 106 ++++++++++++++++++++-------------
+ sapi/fpm/fpm/fpm_scoreboard.h  |  11 ++--
+ sapi/fpm/fpm/fpm_status.c      |   4 +-
+ sapi/fpm/fpm/fpm_worker_pool.c |   2 +-
+ 6 files changed, 81 insertions(+), 60 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c
+index eed0c6757a..05513f0084 100644
+--- a/sapi/fpm/fpm/fpm_children.c
++++ b/sapi/fpm/fpm/fpm_children.c
+@@ -243,7 +243,7 @@ void fpm_children_bury() /* {{{ */
+ 
+ 			fpm_child_unlink(child);
+ 
+-			fpm_scoreboard_proc_free(wp->scoreboard, child->scoreboard_i);
++			fpm_scoreboard_proc_free(child);
+ 
+ 			fpm_clock_get(&tv1);
+ 
+@@ -253,9 +253,9 @@ void fpm_children_bury() /* {{{ */
+ 				if (!fpm_pctl_can_spawn_children()) {
+ 					severity = ZLOG_DEBUG;
+ 				}
+-				zlog(severity, "[pool %s] child %d exited %s after %ld.%06d seconds from start", child->wp->config->name, (int) pid, buf, tv2.tv_sec, (int) tv2.tv_usec);
++				zlog(severity, "[pool %s] child %d exited %s after %ld.%06d seconds from start", wp->config->name, (int) pid, buf, tv2.tv_sec, (int) tv2.tv_usec);
+ 			} else {
+-				zlog(ZLOG_DEBUG, "[pool %s] child %d has been killed by the process management after %ld.%06d seconds from start", child->wp->config->name, (int) pid, tv2.tv_sec, (int) tv2.tv_usec);
++				zlog(ZLOG_DEBUG, "[pool %s] child %d has been killed by the process management after %ld.%06d seconds from start", wp->config->name, (int) pid, tv2.tv_sec, (int) tv2.tv_usec);
+ 			}
+ 
+ 			fpm_child_close(child, 1 /* in event_loop */);
+@@ -321,7 +321,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) /
+ 		return 0;
+ 	}
+ 
+-	if (0 > fpm_scoreboard_proc_alloc(wp->scoreboard, &c->scoreboard_i)) {
++	if (0 > fpm_scoreboard_proc_alloc(c)) {
+ 		fpm_stdio_discard_pipes(c);
+ 		fpm_child_free(c);
+ 		return 0;
+@@ -333,7 +333,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) /
+ 
+ static void fpm_resources_discard(struct fpm_child_s *child) /* {{{ */
+ {
+-	fpm_scoreboard_proc_free(child->wp->scoreboard, child->scoreboard_i);
++	fpm_scoreboard_proc_free(child);
+ 	fpm_stdio_discard_pipes(child);
+ 	fpm_child_free(child);
+ }
+@@ -346,10 +346,10 @@ static void fpm_child_resources_use(struct fpm_child_s *child) /* {{{ */
+ 		if (wp == child->wp) {
+ 			continue;
+ 		}
+-		fpm_scoreboard_free(wp->scoreboard);
++		fpm_scoreboard_free(wp);
+ 	}
+ 
+-	fpm_scoreboard_child_use(child->wp->scoreboard, child->scoreboard_i, getpid());
++	fpm_scoreboard_child_use(child, getpid());
+ 	fpm_stdio_child_use_pipes(child);
+ 	fpm_child_free(child);
+ }
+diff --git a/sapi/fpm/fpm/fpm_request.c b/sapi/fpm/fpm/fpm_request.c
+index a4ace85310..deaccf432a 100644
+--- a/sapi/fpm/fpm/fpm_request.c
++++ b/sapi/fpm/fpm/fpm_request.c
+@@ -286,7 +286,7 @@ int fpm_request_is_idle(struct fpm_child_s *child) /* {{{ */
+ 	struct fpm_scoreboard_proc_s *proc;
+ 
+ 	/* no need in atomicity here */
+-	proc = fpm_scoreboard_proc_get(child->wp->scoreboard, child->scoreboard_i);
++	proc = fpm_scoreboard_proc_get_from_child(child);
+ 	if (!proc) {
+ 		return 0;
+ 	}
+@@ -301,7 +301,7 @@ int fpm_request_last_activity(struct fpm_child_s *child, struct timeval *tv) /*
+ 
+ 	if (!tv) return -1;
+ 
+-	proc = fpm_scoreboard_proc_get(child->wp->scoreboard, child->scoreboard_i);
++	proc = fpm_scoreboard_proc_get_from_child(child);
+ 	if (!proc) {
+ 		return -1;
+ 	}
+diff --git a/sapi/fpm/fpm/fpm_scoreboard.c b/sapi/fpm/fpm/fpm_scoreboard.c
+index 7a65fcbeb7..091efdc574 100644
+--- a/sapi/fpm/fpm/fpm_scoreboard.c
++++ b/sapi/fpm/fpm/fpm_scoreboard.c
+@@ -7,6 +7,7 @@
+ #include <time.h>
+ 
+ #include "fpm_config.h"
++#include "fpm_children.h"
+ #include "fpm_scoreboard.h"
+ #include "fpm_shm.h"
+ #include "fpm_sockets.h"
+@@ -24,7 +25,6 @@ static float fpm_scoreboard_tick;
+ int fpm_scoreboard_init_main() /* {{{ */
+ {
+ 	struct fpm_worker_pool_s *wp;
+-	unsigned int i;
+ 
+ #ifdef HAVE_TIMES
+ #if (defined(HAVE_SYSCONF) && defined(_SC_CLK_TCK))
+@@ -41,7 +41,7 @@ int fpm_scoreboard_init_main() /* {{{ */
+ 
+ 
+ 	for (wp = fpm_worker_all_pools; wp; wp = wp->next) {
+-		size_t scoreboard_size, scoreboard_nprocs_size;
++		size_t scoreboard_procs_size;
+ 		void *shm_mem;
+ 
+ 		if (wp->config->pm_max_children < 1) {
+@@ -54,22 +54,15 @@ int fpm_scoreboard_init_main() /* {{{ */
+ 			return -1;
+ 		}
+ 
+-		scoreboard_size        = sizeof(struct fpm_scoreboard_s) + (wp->config->pm_max_children) * sizeof(struct fpm_scoreboard_proc_s *);
+-		scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children;
+-		shm_mem                = fpm_shm_alloc(scoreboard_size + scoreboard_nprocs_size);
++		scoreboard_procs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children;
++		shm_mem = fpm_shm_alloc(sizeof(struct fpm_scoreboard_s) + scoreboard_procs_size);
+ 
+ 		if (!shm_mem) {
+ 			return -1;
+ 		}
+-		wp->scoreboard         = shm_mem;
++		wp->scoreboard = shm_mem;
++		wp->scoreboard->pm = wp->config->pm;
+ 		wp->scoreboard->nprocs = wp->config->pm_max_children;
+-		shm_mem               += scoreboard_size;
+-
+-		for (i = 0; i < wp->scoreboard->nprocs; i++, shm_mem += sizeof(struct fpm_scoreboard_proc_s)) {
+-			wp->scoreboard->procs[i] = shm_mem;
+-		}
+-
+-		wp->scoreboard->pm          = wp->config->pm;
+ 		wp->scoreboard->start_epoch = time(NULL);
+ 		strlcpy(wp->scoreboard->pool, wp->config->name, sizeof(wp->scoreboard->pool));
+ 	}
+@@ -163,28 +156,48 @@ struct fpm_scoreboard_s *fpm_scoreboard_get() /* {{{*/
+ }
+ /* }}} */
+ 
+-struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{*/
++static inline struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_ex(
++		struct fpm_scoreboard_s *scoreboard, int child_index, unsigned int nprocs) /* {{{*/
+ {
+ 	if (!scoreboard) {
+-		scoreboard = fpm_scoreboard;
++		return NULL;
+ 	}
+ 
+-	if (!scoreboard) {
++	if (child_index < 0 || (unsigned int)child_index >= nprocs) {
+ 		return NULL;
+ 	}
+ 
++	return &scoreboard->procs[child_index];
++}
++/* }}} */
++
++struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(
++		struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{*/
++{
++	if (!scoreboard) {
++		scoreboard = fpm_scoreboard;
++	}
++
+ 	if (child_index < 0) {
+ 		child_index = fpm_scoreboard_i;
+ 	}
+ 
+-	if (child_index < 0 || (unsigned int)child_index >= scoreboard->nprocs) {
+-		return NULL;
+-	}
++	return fpm_scoreboard_proc_get_ex(scoreboard, child_index, scoreboard->nprocs);
++}
++/* }}} */
+ 
+-	return scoreboard->procs[child_index];
++struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_from_child(struct fpm_child_s *child) /* {{{*/
++{
++	struct fpm_worker_pool_s *wp = child->wp;
++	unsigned int nprocs = wp->config->pm_max_children;
++	struct fpm_scoreboard_s *scoreboard = wp->scoreboard;
++	int child_index = child->scoreboard_i;
++
++	return fpm_scoreboard_proc_get_ex(scoreboard, child_index, nprocs);
+ }
+ /* }}} */
+ 
++
+ struct fpm_scoreboard_s *fpm_scoreboard_acquire(struct fpm_scoreboard_s *scoreboard, int nohang) /* {{{ */
+ {
+ 	struct fpm_scoreboard_s *s;
+@@ -235,28 +248,28 @@ void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc) /* {{{ */
+ 	proc->lock = 0;
+ }
+ 
+-void fpm_scoreboard_free(struct fpm_scoreboard_s *scoreboard) /* {{{ */
++void fpm_scoreboard_free(struct fpm_worker_pool_s *wp) /* {{{ */
+ {
+-	size_t scoreboard_size, scoreboard_nprocs_size;
++	size_t scoreboard_procs_size;
++	struct fpm_scoreboard_s *scoreboard = wp->scoreboard;
+ 
+ 	if (!scoreboard) {
+ 		zlog(ZLOG_ERROR, "**scoreboard is NULL");
+ 		return;
+ 	}
+ 
+-	scoreboard_size        = sizeof(struct fpm_scoreboard_s) + (scoreboard->nprocs) * sizeof(struct fpm_scoreboard_proc_s *);
+-	scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * scoreboard->nprocs;
++	scoreboard_procs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children;
+ 
+-	fpm_shm_free(scoreboard, scoreboard_size + scoreboard_nprocs_size);
++	fpm_shm_free(scoreboard, sizeof(struct fpm_scoreboard_s) + scoreboard_procs_size);
+ }
+ /* }}} */
+ 
+-void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_index, pid_t pid) /* {{{ */
++void fpm_scoreboard_child_use(struct fpm_child_s *child, pid_t pid) /* {{{ */
+ {
+ 	struct fpm_scoreboard_proc_s *proc;
+-	fpm_scoreboard = scoreboard;
+-	fpm_scoreboard_i = child_index;
+-	proc = fpm_scoreboard_proc_get(scoreboard, child_index);
++	fpm_scoreboard = child->wp->scoreboard;
++	fpm_scoreboard_i = child->scoreboard_i;
++	proc = fpm_scoreboard_proc_get_from_child(child);
+ 	if (!proc) {
+ 		return;
+ 	}
+@@ -265,18 +278,22 @@ void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_ind
+ }
+ /* }}} */
+ 
+-void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{ */
++void fpm_scoreboard_proc_free(struct fpm_child_s *child) /* {{{ */
+ {
++	struct fpm_worker_pool_s *wp = child->wp;
++	struct fpm_scoreboard_s *scoreboard = wp->scoreboard;
++	int child_index = child->scoreboard_i;
++
+ 	if (!scoreboard) {
+ 		return;
+ 	}
+ 
+-	if (child_index < 0 || (unsigned int)child_index >= scoreboard->nprocs) {
++	if (child_index < 0 || child_index >= wp->config->pm_max_children) {
+ 		return;
+ 	}
+ 
+-	if (scoreboard->procs[child_index] && scoreboard->procs[child_index]->used > 0) {
+-		memset(scoreboard->procs[child_index], 0, sizeof(struct fpm_scoreboard_proc_s));
++	if (scoreboard->procs[child_index].used > 0) {
++		memset(&scoreboard->procs[child_index], 0, sizeof(struct fpm_scoreboard_proc_s));
+ 	}
+ 
+ 	/* set this slot as free to avoid search on next alloc */
+@@ -284,41 +301,44 @@ void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_ind
+ }
+ /* }}} */
+ 
+-int fpm_scoreboard_proc_alloc(struct fpm_scoreboard_s *scoreboard, int *child_index) /* {{{ */
++int fpm_scoreboard_proc_alloc(struct fpm_child_s *child) /* {{{ */
+ {
+ 	int i = -1;
++	struct fpm_worker_pool_s *wp = child->wp;
++	struct fpm_scoreboard_s *scoreboard = wp->scoreboard;
++	int nprocs = wp->config->pm_max_children;
+ 
+-	if (!scoreboard || !child_index) {
++	if (!scoreboard) {
+ 		return -1;
+ 	}
+ 
+ 	/* first try the slot which is supposed to be free */
+-	if (scoreboard->free_proc >= 0 && (unsigned int)scoreboard->free_proc < scoreboard->nprocs) {
+-		if (scoreboard->procs[scoreboard->free_proc] && !scoreboard->procs[scoreboard->free_proc]->used) {
++	if (scoreboard->free_proc >= 0 && scoreboard->free_proc < nprocs) {
++		if (!scoreboard->procs[scoreboard->free_proc].used) {
+ 			i = scoreboard->free_proc;
+ 		}
+ 	}
+ 
+ 	if (i < 0) { /* the supposed free slot is not, let's search for a free slot */
+ 		zlog(ZLOG_DEBUG, "[pool %s] the proc->free_slot was not free. Let's search", scoreboard->pool);
+-		for (i = 0; i < (int)scoreboard->nprocs; i++) {
+-			if (scoreboard->procs[i] && !scoreboard->procs[i]->used) { /* found */
++		for (i = 0; i < nprocs; i++) {
++			if (!scoreboard->procs[i].used) { /* found */
+ 				break;
+ 			}
+ 		}
+ 	}
+ 
+ 	/* no free slot */
+-	if (i < 0 || i >= (int)scoreboard->nprocs) {
++	if (i < 0 || i >= nprocs) {
+ 		zlog(ZLOG_ERROR, "[pool %s] no free scoreboard slot", scoreboard->pool);
+ 		return -1;
+ 	}
+ 
+-	scoreboard->procs[i]->used = 1;
+-	*child_index = i;
++	scoreboard->procs[i].used = 1;
++	child->scoreboard_i = i;
+ 
+ 	/* supposed next slot is free */
+-	if (i + 1 >= (int)scoreboard->nprocs) {
++	if (i + 1 >= nprocs) {
+ 		scoreboard->free_proc = 0;
+ 	} else {
+ 		scoreboard->free_proc = i + 1;
+diff --git a/sapi/fpm/fpm/fpm_scoreboard.h b/sapi/fpm/fpm/fpm_scoreboard.h
+index abce616d76..6405abb7cf 100644
+--- a/sapi/fpm/fpm/fpm_scoreboard.h
++++ b/sapi/fpm/fpm/fpm_scoreboard.h
+@@ -64,7 +64,7 @@ struct fpm_scoreboard_s {
+ 	unsigned int nprocs;
+ 	int free_proc;
+ 	unsigned long int slow_rq;
+-	struct fpm_scoreboard_proc_s *procs[];
++	struct fpm_scoreboard_proc_s procs[];
+ };
+ 
+ int fpm_scoreboard_init_main();
+@@ -73,18 +73,19 @@ int fpm_scoreboard_init_child(struct fpm_worker_pool_s *wp);
+ void fpm_scoreboard_update(int idle, int active, int lq, int lq_len, int requests, int max_children_reached, int slow_rq, int action, struct fpm_scoreboard_s *scoreboard);
+ struct fpm_scoreboard_s *fpm_scoreboard_get();
+ struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s *scoreboard, int child_index);
++struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_from_child(struct fpm_child_s *child);
+ 
+ struct fpm_scoreboard_s *fpm_scoreboard_acquire(struct fpm_scoreboard_s *scoreboard, int nohang);
+ void fpm_scoreboard_release(struct fpm_scoreboard_s *scoreboard);
+ struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_acquire(struct fpm_scoreboard_s *scoreboard, int child_index, int nohang);
+ void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc);
+ 
+-void fpm_scoreboard_free(struct fpm_scoreboard_s *scoreboard);
++void fpm_scoreboard_free(struct fpm_worker_pool_s *wp);
+ 
+-void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_index, pid_t pid);
++void fpm_scoreboard_child_use(struct fpm_child_s *child, pid_t pid);
+ 
+-void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_index);
+-int fpm_scoreboard_proc_alloc(struct fpm_scoreboard_s *scoreboard, int *child_index);
++void fpm_scoreboard_proc_free(struct fpm_child_s *child);
++int fpm_scoreboard_proc_alloc(struct fpm_child_s *child);
+ 
+ #ifdef HAVE_TIMES
+ float fpm_scoreboard_get_tick();
+diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c
+index 1d78ebf849..45852a5b39 100644
+--- a/sapi/fpm/fpm/fpm_status.c
++++ b/sapi/fpm/fpm/fpm_status.c
+@@ -402,10 +402,10 @@ int fpm_status_handle_request(void) /* {{{ */
+ 
+ 			first = 1;
+ 			for (i=0; i<scoreboard_p->nprocs; i++) {
+-				if (!scoreboard_p->procs[i] || !scoreboard_p->procs[i]->used) {
++				if (!scoreboard_p->procs[i].used) {
+ 					continue;
+ 				}
+-				proc = *scoreboard_p->procs[i];
++				proc = scoreboard_p->procs[i];
+ 
+ 				if (first) {
+ 					first = 0;
+diff --git a/sapi/fpm/fpm/fpm_worker_pool.c b/sapi/fpm/fpm/fpm_worker_pool.c
+index 90e155975e..96b7ca50fc 100644
+--- a/sapi/fpm/fpm/fpm_worker_pool.c
++++ b/sapi/fpm/fpm/fpm_worker_pool.c
+@@ -43,7 +43,7 @@ static void fpm_worker_pool_cleanup(int which, void *arg) /* {{{ */
+ 		fpm_worker_pool_config_free(wp->config);
+ 		fpm_children_free(wp->children);
+ 		if ((which & FPM_CLEANUP_CHILD) == 0 && fpm_globals.parent_pid == getpid()) {
+-			fpm_scoreboard_free(wp->scoreboard);
++			fpm_scoreboard_free(wp);
+ 		}
+ 		fpm_worker_pool_free(wp);
+ 	}
+-- 
+2.31.1
+
diff --git a/php72.spec b/php72.spec
index 25b0a8f..492122c 100644
--- a/php72.spec
+++ b/php72.spec
@@ -25,7 +25,7 @@
 
 %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
 
-%global oraclever 21.1
+%global oraclever 21.3
 %global oraclelib 21.1
 
 # Build for LiteSpeed Web Server (LSAPI)
@@ -110,7 +110,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 7%{?dist}
+Release: 9%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -147,6 +147,7 @@ Source99: php-fpm.init
 
 # Build fixes
 Patch1: php-7.1.7-httpd.patch
+Patch2: php-7.1.33-intl.patch
 Patch5: php-7.2.0-includedir.patch
 Patch6: php-5.6.3-embed.patch
 Patch7: php-5.3.0-recode.patch
@@ -182,6 +183,7 @@ Patch202: php-bug80710.patch
 Patch203: php-bug81122.patch
 Patch204: php-bug76450.patch
 Patch205: php-bug81211.patch
+Patch206: php-bug81026.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -987,7 +989,7 @@ Group: System Environment/Libraries
 License: PHP
 Requires: php-common%{?_isa} = %{version}-%{release}
 # Upstream requires 4.0, we require 50 to ensure use of libicu-last / libicu62
-BuildRequires: libicu-devel >= 50
+BuildRequires: libicu-devel >= 69
 %if 0%{?rhel}
 Obsoletes: php53-intl, php53u-intl, php54-intl, php54w-intl, php55u-intl, php55w-intl, php56u-intl, php56w-intl
 Obsoletes: php70u-intl, php70w-intl, php71u-intl, php71w-intl, php72u-intl, php72w-intl
@@ -1091,6 +1093,7 @@ low-level PHP extension for the libsodium cryptographic library.
 %setup -q -n php-%{upver}%{?rcver}
 
 %patch1 -p1 -b .mpmcheck
+%patch2 -p1 -b .true
 %patch5 -p1 -b .includedir
 %patch6 -p1 -b .embed
 %patch7 -p1 -b .recode
@@ -1123,6 +1126,7 @@ low-level PHP extension for the libsodium cryptographic library.
 %patch203 -p1 -b .bug81122
 %patch204 -p1 -b .bug76450
 %patch205 -p1 -b .bug81211
+%patch206 -p1 -b .bug81026
 
 # Fixes for tests
 %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -1656,7 +1660,7 @@ popd
 
 %check
 %if %runselftest
-cd build-apache
+cd build-fpm
 
 # Run tests, using the CLI SAPI
 export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 MALLOC_CHECK_=2
@@ -2236,6 +2240,12 @@ EOF
 
 
 %changelog
+* Wed Oct 20 2021 Remi Collet <remi@remirepo.net> - 7.2.34-9
+- fix PHP-FPM oob R/W in root process leading to priv escalation
+  CVE-2021-21703
+- use libicu version 69
+- use oracle client library version 21.3
+
 * Wed Aug 25 2021 Remi Collet <remi@remirepo.net> - 7.2.34-7
 - Fix #81211 Symlinks are followed when creating PHAR archive
author	Remi Collet <remi@remirepo.net>	2021-10-20 12:15:22 +0200
committer	Remi Collet <remi@php.net>	2021-10-20 12:15:22 +0200
commit	1e0b327cdd97a276a06c81ba22d2308bb003807a (patch)
tree	1ecc637e5c2a3e4a371b87bf5c5e53145e4aee9a
parent	d9d789e77a047aaa4806994269a847c74b5ecf29 (diff)