summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--failed.txt2
-rw-r--r--php-cve-2025-14178.patch94
-rw-r--r--php-fpm.service2
-rw-r--r--php72.spec25
4 files changed, 105 insertions, 18 deletions
diff --git a/failed.txt b/failed.txt
index e36292e..8ea6d77 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.2.34-25 (2024-11-26)
+===== 7.2.34-26 (2026-02-18)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
diff --git a/php-cve-2025-14178.patch b/php-cve-2025-14178.patch
new file mode 100644
index 0000000..5ce90c2
--- /dev/null
+++ b/php-cve-2025-14178.patch
@@ -0,0 +1,94 @@
+From 190eefda704550c49db7b9ec2b60369f1a4db1a8 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Sun, 9 Nov 2025 13:23:11 +0100
+Subject: [PATCH 1/2] Fix GHSA-h96m-rvf9-jgm2
+
+(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415)
+(cherry picked from commit e4516e52979e8b67d9d35dfdbcc5dc7368263fa2)
+(cherry picked from commit 84b83e2979bad57618528d4e669636117022f37c)
+(cherry picked from commit d8f3aac707341374fa8bffc90b76c0c8b0f6d1b0)
+---
+ ext/standard/array.c | 7 ++++++-
+ .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+
+diff --git a/ext/standard/array.c b/ext/standard/array.c
+index 46e8340906..8da33a9d14 100644
+--- a/ext/standard/array.c
++++ b/ext/standard/array.c
+@@ -3836,7 +3836,7 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE
+ } else {
+ zval *src_entry;
+ HashTable *src, *dest;
+- uint32_t count = 0;
++ uint64_t count = 0;
+
+ for (i = 0; i < argc; i++) {
+ zval *arg = args + i;
+@@ -3848,6 +3848,11 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE
+ count += zend_hash_num_elements(Z_ARRVAL_P(arg));
+ }
+
++ if (UNEXPECTED(count >= HT_MAX_SIZE)) {
++ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
++ return;
++ }
++
+ arg = args;
+ src = Z_ARRVAL_P(arg);
+ /* copy first array */
+diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+new file mode 100644
+index 0000000000..2e3e85357e
+--- /dev/null
++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++GHSA-h96m-rvf9-jgm2
++--FILE--
++<?php
++
++$power = 20; // Chosen to be well within a memory_limit
++$arr = range(0, 2**$power);
++try {
++ array_merge(...array_fill(0, 2**(32-$power), $arr));
++} catch (Error $e) {
++ echo $e->getMessage(), "\n";
++}
++
++?>
++--EXPECTF--
++The total number of elements must be lower than %d
+--
+2.53.0
+
+From 77eb44b9f1c24c44f3bc8c9b4e04200db935f91d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 17 Feb 2026 15:48:22 +0100
+Subject: [PATCH 2/2] NEWS
+
+(cherry picked from commit 143f4339e80c13ffa1b11aae7f629807c9442edc)
+---
+ NEWS | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index cc2d877d94..18217680a1 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,11 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.1.34
++
++ . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()).
++ (CVE-2025-14178) (ndossche)
++
+ Backported from 8.1.31
+
+ - CLI:
+--
+2.53.0
+
diff --git a/php-fpm.service b/php-fpm.service
index b68765f..9323cbe 100644
--- a/php-fpm.service
+++ b/php-fpm.service
@@ -4,7 +4,7 @@
[Unit]
Description=The PHP FastCGI Process Manager
-After=syslog.target network.target
+After=network.target
[Service]
Type=notify
diff --git a/php72.spec b/php72.spec
index 7822248..c3663a1 100644
--- a/php72.spec
+++ b/php72.spec
@@ -25,17 +25,10 @@
%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
-%ifarch aarch64
-%global oraclever 19.24
-%global oraclemax 20
-%global oraclelib 19.1
-%global oracledir 19.24
-%else
-%global oraclever 23.6
+%global oraclever 23.26.1
%global oraclemax 24
%global oraclelib 23.1
%global oracledir 23
-%endif
# Build for LiteSpeed Web Server (LSAPI)
%global with_lsws 1
@@ -123,7 +116,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 25%{?dist}
+Release: 26%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -221,6 +214,7 @@ Patch227: php-cve-2024-11234.patch
Patch228: php-cve-2024-8932.patch
Patch229: php-cve-2024-11233.patch
Patch230: php-ghsa-4w77-75f9-2c8w.patch
+Patch231: php-cve-2025-14178.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -731,14 +725,7 @@ Summary: A module for PHP applications that use OCI8 databases
Group: Development/Languages
# All files licensed under PHP version 3.01
License: PHP
-%ifarch aarch64
-BuildRequires: oracle-instantclient%{oraclever}-devel
-# Should requires libclntsh.so.19.1()(aarch-64), but it's not provided by Oracle RPM.
-Requires: libclntsh.so.%{oraclelib}
-AutoReq: 0
-%else
BuildRequires: (oracle-instantclient-devel >= %{oraclever} with oracle-instantclient-devel < %{oraclemax})
-%endif
Requires: php-pdo%{?_isa} = %{version}-%{release}
Provides: php_database
Provides: php-pdo_oci, php-pdo_oci%{?_isa}
@@ -1187,6 +1174,7 @@ low-level PHP extension for the libsodium cryptographic library.
%patch -P228 -p1 -b .cve8932
%patch -P229 -p1 -b .cve11233
%patch -P230 -p1 -b .ghsa4w77
+%patch -P231 -p1 -b .cve14178
# Fixes for tests
%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -2294,6 +2282,11 @@ EOF
%changelog
+* Tue Feb 17 2026 Remi Collet <remi@remirepo.net> - 7.2.34-26
+- Fix Heap buffer overflow in array_merge()
+ CVE-2025-14178
+- use oracle client library version 23.26 on x86_64 and aarch64
+
* Tue Nov 26 2024 Remi Collet <remi@remirepo.net> - 7.2.34-25
- Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface
GHSA-4w77-75f9-2c8w
generated by cgit (git 2.34.1) at 2026-02-19 10:58:05 +0000