1 files changed, 180 insertions, 0 deletions

diff --git a/php-bug81726.patch b/php-bug81726.patch
new file mode 100644
index 0000000..847ebff
--- /dev/null
+++ b/php-bug81726.patch
@@ -0,0 +1,180 @@
+From 2bdc26af43cdd4376bf8e0fdf532bb12dd35d3dd Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 25 Jul 2022 15:58:59 +0200
+Subject: [PATCH 2/2] Fix #81726: phar wrapper: DOS when using quine gzip file
+
+The phar wrapper needs to uncompress the file; the uncompressed file
+might be compressed, so the wrapper implementation loops. This raises
+potential DOS issues regarding too deep or even infinite recursion (the
+latter are called compressed file quines[1]). We avoid that by
+introducing a recursion limit; we choose the somewhat arbitrary limit
+`3`.
+
+This issue has been reported by real_as3617 and gPayl0ad.
+
+[1] <https://honno.dev/gzip-quine/>
+
+(cherry picked from commit 404e8bdb68350931176a5bdc86fc417b34fb583d)
+(cherry picked from commit 96fda78bcddd1d793cf2d0ee463dbb49621b577f)
+---
+ NEWS                         |   2 ++
+ ext/phar/phar.c              |  16 +++++++++++-----
+ ext/phar/tests/bug81726.gz   | Bin 0 -> 204 bytes
+ ext/phar/tests/bug81726.phpt |  14 ++++++++++++++
+ 4 files changed, 27 insertions(+), 5 deletions(-)
+ create mode 100644 ext/phar/tests/bug81726.gz
+ create mode 100644 ext/phar/tests/bug81726.phpt
+
+diff --git a/NEWS b/NEWS
+index 90ac6b751b..be8bfd2f98 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,8 @@ PHP                                                                        NEWS
+ Backported from 7.4.31
+ 
+ - Core:
++  . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
++    (CVE-2022-31628). (cmb)
+   . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
+     that have a specific semantic meaning. (CVE-2022-31629). (Derick)
+ 
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index ba76a9b0e0..52c973d7c4 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1575,7 +1575,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 	const char zip_magic[] = "PK\x03\x04";
+ 	const char gz_magic[] = "\x1f\x8b\x08";
+ 	const char bz_magic[] = "BZh";
+-	char *pos, test = '\0';
++	char *pos;
++	int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
+ 	const int window_size = 1024;
+ 	char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
+ 	const zend_long readsize = sizeof(buffer) - sizeof(token);
+@@ -1603,8 +1604,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 			MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
+ 		}
+ 
+-		if (!test) {
+-			test = '\1';
++		if (recursion_count) {
+ 			pos = buffer+tokenlen;
+ 			if (!memcmp(pos, gz_magic, 3)) {
+ 				char err = 0;
+@@ -1664,7 +1664,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 				compression = PHAR_FILE_COMPRESSED_GZ;
+ 
+ 				/* now, start over */
+-				test = '\0';
++				if (!--recursion_count) {
++					MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
++					break;
++				}
+ 				continue;
+ 			} else if (!memcmp(pos, bz_magic, 3)) {
+ 				php_stream_filter *filter;
+@@ -1702,7 +1705,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 				compression = PHAR_FILE_COMPRESSED_BZ2;
+ 
+ 				/* now, start over */
+-				test = '\0';
++				if (!--recursion_count) {
++					MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
++					break;
++				}
+ 				continue;
+ 			}
+ 
+From 8fad7bf40e1b5bf74f308eb882b1d72987ef539c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 27 Sep 2022 17:43:40 +0200
+Subject: [PATCH] Fix regression introduced by fixing bug 81726
+
+When a tar phar is created, `phar_open_from_fp()` is also called, but
+since the file has just been created, none of the format checks can
+succeed, so we continue to loop, but must not check again for the
+format.  Therefore, we bring back the old `test` variable.
+
+Closes GH-9620.
+
+(cherry picked from commit 432bf196d59bcb661fcf9cb7029cea9b43f490af)
+---
+ ext/phar/phar.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 52c973d7c4..534af318f4 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1575,7 +1575,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 	const char zip_magic[] = "PK\x03\x04";
+ 	const char gz_magic[] = "\x1f\x8b\x08";
+ 	const char bz_magic[] = "BZh";
+-	char *pos;
++	char *pos, test = '\0';
+ 	int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
+ 	const int window_size = 1024;
+ 	char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
+@@ -1604,7 +1604,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 			MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
+ 		}
+ 
+-		if (recursion_count) {
++		if (!test && recursion_count) {
++			test = '\1';
+ 			pos = buffer+tokenlen;
+ 			if (!memcmp(pos, gz_magic, 3)) {
+ 				char err = 0;
+@@ -1664,6 +1665,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 				compression = PHAR_FILE_COMPRESSED_GZ;
+ 
+ 				/* now, start over */
++				test = '\0';
+ 				if (!--recursion_count) {
+ 					MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
+ 					break;
+@@ -1705,6 +1707,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
+ 				compression = PHAR_FILE_COMPRESSED_BZ2;
+ 
+ 				/* now, start over */
++				test = '\0';
+ 				if (!--recursion_count) {
+ 					MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
+ 					break;
+-- 
+2.37.3
+
+From 9d32d284b25f5df75780911a47b3c23cbaac1761 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 30 Sep 2022 09:22:14 +0200
+Subject: [PATCH] fix NEWS
+
+---
+ NEWS | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index fe4cb9c484..b7a19aea19 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,14 +1,16 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
+-Backported from 7.4.31
++Backported from 7.4.32
+ 
+ - Core:
+-  . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
+-    (CVE-2022-31628). (cmb)
+   . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
+     that have a specific semantic meaning. (CVE-2022-31629). (Derick)
+ 
++- Phar:
++  . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
++    (CVE-2022-31628). (cmb)
++
+ Backported from 7.4.30
+ 
+ - mysqlnd: