diff options
| author | Remi Collet <remi@remirepo.net> | 2025-12-18 09:25:40 +0100 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2025-12-18 09:25:40 +0100 |
| commit | 2aeb356c75e3a25967de6a68c263bcf77185126d (patch) | |
| tree | 077b46bf467c88fa692ce5994408377530395dfe | |
| parent | 0a0d5b048d0376fbd73096b0c08426a6a52c9991 (diff) | |
GHSA-www2-q4fc-65wf
Fix Heap buffer overflow in array_merge()
CVE-2025-14178
Fix Information Leak of Memory in getimagesize
CVE-2025-14177
| -rw-r--r-- | failed.txt | 20 | ||||
| -rw-r--r-- | php-7.2.0-includedir.patch | 2 | ||||
| -rw-r--r-- | php-7.4.33-bash53.patch | 26 | ||||
| -rw-r--r-- | php-cve-2025-14177.patch | 107 | ||||
| -rw-r--r-- | php-cve-2025-14178.patch | 63 | ||||
| -rw-r--r-- | php-ghsa-www2-q4fc-65wf.patch | 256 | ||||
| -rw-r--r-- | php74.spec | 25 |
7 files changed, 489 insertions, 10 deletions
@@ -1,21 +1,27 @@ -===== 7.4.33-24 (2025-07-03) +===== 7.4.33-25 (2025-12-18) $ grep -ar 'Tests failed' /var/lib/mock/*/build.log /var/lib/mock/el8a74/build.log:Tests failed : 0 /var/lib/mock/el8x74/build.log:Tests failed : 0 -/var/lib/mock/el9a74/build.log:Tests failed : 0 -/var/lib/mock/el9x74/build.log:Tests failed : 0 -/var/lib/mock/el10a74/build.log:Tests failed : 0 -/var/lib/mock/el10x74/build.log:Tests failed : 0 -/var/lib/mock/fc40a74/build.log:Tests failed : 0 -/var/lib/mock/fc40x74/build.log:Tests failed : 0 +/var/lib/mock/el9a74/build.log:Tests failed : 1 +/var/lib/mock/el9x74/build.log:Tests failed : 1 +/var/lib/mock/el10a74/build.log:Tests failed : 1 +/var/lib/mock/el10x74/build.log:Tests failed : 1 /var/lib/mock/fc41a74/build.log:Tests failed : 0 /var/lib/mock/fc41x74/build.log:Tests failed : 0 /var/lib/mock/fc42a74/build.log:Tests failed : 0 /var/lib/mock/fc42x74/build.log:Tests failed : 0 +/var/lib/mock/fc43a74/build.log:Tests failed : 4 +/var/lib/mock/fc43x74/build.log:Tests failed : 4 +el9, el10, fc43: + 3 Bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds) [ext/openssl/tests/bug74341.phpt] +fc43: + 3 X (PCRE_EXTRA) modifier is ignored (no error, no change) [ext/pcre/tests/pcre_extra.phpt] + 3 preg_split() [ext/pcre/tests/split.phpt] + 3 preg_grep() 2nd test [ext/pcre/tests/grep2.phpt] 1 proc_open give erratic test results :( diff --git a/php-7.2.0-includedir.patch b/php-7.2.0-includedir.patch index 2202026..930adc0 100644 --- a/php-7.2.0-includedir.patch +++ b/php-7.2.0-includedir.patch @@ -5,7 +5,7 @@ EXPANDED_PHP_CONFIG_FILE_PATH=`eval echo "$PHP_CONFIG_FILE_PATH"` EXPANDED_PHP_CONFIG_FILE_SCAN_DIR=`eval echo "$PHP_CONFIG_FILE_SCAN_DIR"` -INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR -+INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR:${EXPANDED_DATADIR}/php:/usr/share/pear:/usr/share/php ++INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR:${EXPANDED_DATADIR}/php exec_prefix=$old_exec_prefix libdir=$old_libdir diff --git a/php-7.4.33-bash53.patch b/php-7.4.33-bash53.patch new file mode 100644 index 0000000..0b09e2a --- /dev/null +++ b/php-7.4.33-bash53.patch @@ -0,0 +1,26 @@ +From 98d2b923243d406b3d26f0770ac02f917729b948 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 4 Sep 2025 09:01:49 +0200 +Subject: [PATCH] Fix GH-19681 PHP_EXPAND_PATH broken with bash 5.3.0 + +--- + build/php.m4 | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/build/php.m4 b/build/php.m4 +index 142ddf08fd98b..e5ead0f4c44af 100644 +--- a/build/php.m4 ++++ b/build/php.m4 +@@ -64,7 +64,11 @@ AC_DEFUN([PHP_EXPAND_PATH],[ + changequote({,}) + ep_dir=`echo $1|$SED 's%/*[^/][^/]*/*$%%'` + changequote([,]) +- ep_realdir=`(cd "$ep_dir" && pwd)` ++ if test -z $ep_dir ; then ++ ep_realdir=`(pwd)` ++ else ++ ep_realdir=`(cd "$ep_dir" && pwd)` ++ fi + $2="$ep_realdir"/`basename "$1"` + fi + ]) diff --git a/php-cve-2025-14177.patch b/php-cve-2025-14177.patch new file mode 100644 index 0000000..036dcb0 --- /dev/null +++ b/php-cve-2025-14177.patch @@ -0,0 +1,107 @@ +From 6cf0fb3c48fda6a236359304e4db663ae77d858c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> +Date: Tue, 25 Nov 2025 23:11:38 +0100 +Subject: [PATCH 1/5] Fix GH-20584: Information Leak of Memory + +The string added had uninitialized memory due to +php_read_stream_all_chunks() not moving the buffer position, resulting +in the same data always being overwritten instead of new data being +added to the end of the buffer. + +This is backport as there is a security impact as described in +GHSA-3237-qqm7-mfv7 . + +(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc) +(cherry picked from commit ed665eb1903737d2b52b27368b155f6208604ed9) +--- + ext/standard/image.c | 20 +++++++++++--- + ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/image/gh20584.phpt + +diff --git a/ext/standard/image.c b/ext/standard/image.c +index 4f2c5a505b4..800c5de8da3 100644 +--- a/ext/standard/image.c ++++ b/ext/standard/image.c +@@ -434,8 +434,22 @@ static int php_skip_variable(php_stream * stream) + } + /* }}} */ + +-/* {{{ php_read_APP +- */ ++static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_t length) ++{ ++ size_t read_total = 0; ++ do { ++ ssize_t read_now = php_stream_read(stream, buffer, length - read_total); ++ read_total += read_now; ++ if (read_now < stream->chunk_size && read_total != length) { ++ return 0; ++ } ++ buffer += read_now; ++ } while (read_total < length); ++ ++ return read_total; ++} ++ ++/* {{{ php_read_APP */ + static int php_read_APP(php_stream * stream, unsigned int marker, zval *info) + { + unsigned short length; +@@ -451,7 +465,7 @@ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info) + + buffer = emalloc((size_t)length); + +- if (php_stream_read(stream, buffer, (size_t) length) != length) { ++ if (php_read_stream_all_chunks(stream, buffer, length) != length) { + efree(buffer); + return 0; + } +diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt +new file mode 100644 +index 00000000000..d117f218202 +--- /dev/null ++++ b/ext/standard/tests/image/gh20584.phpt +@@ -0,0 +1,39 @@ ++--TEST-- ++GH-20584 (Information Leak of Memory) ++--CREDITS-- ++Nikita Sveshnikov (Positive Technologies) ++--FILE-- ++<?php ++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter ++$file = __DIR__ . '/gh20584.jpg'; ++ ++// Make APP1 large enough so it is read in multiple chunks ++$chunk = 8192; ++$tail = 123; ++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z', ++$tail); ++$app1Len = 2 + strlen($payload); ++ ++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI ++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) . ++"\x01\x11\x00"; ++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof . ++"\xFF\xD9"; ++file_put_contents($file, $jpeg); ++ ++// Read through a filter to enforce multiple reads ++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file; ++$info = null; ++@getimagesize($src, $info); ++$exp = $payload; ++$ret = $info['APP1']; ++ ++var_dump($ret === $exp); ++ ++?> ++--CLEAN-- ++<?php ++@unlink(__DIR__ . '/gh20584.jpg'); ++?> ++--EXPECT-- ++bool(true) +-- +2.52.0 + diff --git a/php-cve-2025-14178.patch b/php-cve-2025-14178.patch new file mode 100644 index 0000000..572454b --- /dev/null +++ b/php-cve-2025-14178.patch @@ -0,0 +1,63 @@ +From 84b83e2979bad57618528d4e669636117022f37c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> +Date: Sun, 9 Nov 2025 13:23:11 +0100 +Subject: [PATCH 3/5] Fix GHSA-h96m-rvf9-jgm2 + +(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415) +(cherry picked from commit e4516e52979e8b67d9d35dfdbcc5dc7368263fa2) +--- + ext/standard/array.c | 7 ++++++- + .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt + +diff --git a/ext/standard/array.c b/ext/standard/array.c +index cd2e5287daf..153a4d39d15 100644 +--- a/ext/standard/array.c ++++ b/ext/standard/array.c +@@ -3813,7 +3813,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET + int argc, i; + zval *src_entry; + HashTable *src, *dest; +- uint32_t count = 0; ++ uint64_t count = 0; + + ZEND_PARSE_PARAMETERS_START(0, -1) + Z_PARAM_VARIADIC('+', args, argc) +@@ -3833,6 +3833,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET + count += zend_hash_num_elements(Z_ARRVAL_P(arg)); + } + ++ if (UNEXPECTED(count >= HT_MAX_SIZE)) { ++ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE); ++ return; ++ } ++ + if (argc == 2) { + zval *ret = NULL; + +diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +new file mode 100644 +index 00000000000..2e3e85357e1 +--- /dev/null ++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++GHSA-h96m-rvf9-jgm2 ++--FILE-- ++<?php ++ ++$power = 20; // Chosen to be well within a memory_limit ++$arr = range(0, 2**$power); ++try { ++ array_merge(...array_fill(0, 2**(32-$power), $arr)); ++} catch (Error $e) { ++ echo $e->getMessage(), "\n"; ++} ++ ++?> ++--EXPECTF-- ++The total number of elements must be lower than %d +-- +2.52.0 + diff --git a/php-ghsa-www2-q4fc-65wf.patch b/php-ghsa-www2-q4fc-65wf.patch new file mode 100644 index 0000000..39b67f4 --- /dev/null +++ b/php-ghsa-www2-q4fc-65wf.patch @@ -0,0 +1,256 @@ +From 3e9d47f6cc04c9978bb384e2d487cf28d37889f0 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sat, 6 Sep 2025 21:55:13 +0200 +Subject: [PATCH 4/5] Fix GHSA-www2-q4fc-65wf + +(cherry picked from commit ed70b1ea43a9b7ffa2f53b3e5d6ba403f37ae81c) +(cherry picked from commit 52c5762a902e8731b7068ded027fbd780f5a1991) +--- + ext/standard/basic_functions.c | 12 ++-- + ext/standard/dns.c | 6 +- + ext/standard/dns_win32.c | 6 +- + .../tests/network/ghsa-www2-q4fc-65wf.phpt | 71 +++++++++++++++++++ + ext/standard/tests/network/ip_x86_64.phpt | 2 +- + 5 files changed, 84 insertions(+), 13 deletions(-) + create mode 100644 ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt + +diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c +index 64f27ef5af7..45746335689 100644 +--- a/ext/standard/basic_functions.c ++++ b/ext/standard/basic_functions.c +@@ -3960,7 +3960,7 @@ PHP_NAMED_FUNCTION(php_inet_pton) + char buffer[17]; + + ZEND_PARSE_PARAMETERS_START(1, 1) +- Z_PARAM_STRING(address, address_len) ++ Z_PARAM_PATH(address, address_len) + ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE); + + memset(buffer, 0, sizeof(buffer)); +@@ -3998,7 +3998,7 @@ PHP_FUNCTION(ip2long) + #endif + + ZEND_PARSE_PARAMETERS_START(1, 1) +- Z_PARAM_STRING(addr, addr_len) ++ Z_PARAM_PATH(addr, addr_len) + ZEND_PARSE_PARAMETERS_END(); + + #ifdef HAVE_INET_PTON +@@ -5714,8 +5714,8 @@ PHP_FUNCTION(getservbyname) + struct servent *serv; + + ZEND_PARSE_PARAMETERS_START(2, 2) +- Z_PARAM_STRING(name, name_len) +- Z_PARAM_STRING(proto, proto_len) ++ Z_PARAM_PATH(name, name_len) ++ Z_PARAM_PATH(proto, proto_len) + ZEND_PARSE_PARAMETERS_END(); + + +@@ -5759,7 +5759,7 @@ PHP_FUNCTION(getservbyport) + + ZEND_PARSE_PARAMETERS_START(2, 2) + Z_PARAM_LONG(port) +- Z_PARAM_STRING(proto, proto_len) ++ Z_PARAM_PATH(proto, proto_len) + ZEND_PARSE_PARAMETERS_END(); + + serv = getservbyport(htons((unsigned short) port), proto); +@@ -5783,7 +5783,7 @@ PHP_FUNCTION(getprotobyname) + struct protoent *ent; + + ZEND_PARSE_PARAMETERS_START(1, 1) +- Z_PARAM_STRING(name, name_len) ++ Z_PARAM_PATH(name, name_len) + ZEND_PARSE_PARAMETERS_END(); + + ent = getprotobyname(name); +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index dc85c45e1d7..698ad4f661d 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -377,7 +377,7 @@ PHP_FUNCTION(dns_check_record) + #endif + + ZEND_PARSE_PARAMETERS_START(1, 2) +- Z_PARAM_STRING(hostname, hostname_len) ++ Z_PARAM_PATH(hostname, hostname_len) + Z_PARAM_OPTIONAL + Z_PARAM_STRING(rectype, rectype_len) + ZEND_PARSE_PARAMETERS_END(); +@@ -825,7 +825,7 @@ PHP_FUNCTION(dns_get_record) + zend_bool raw = 0; + + ZEND_PARSE_PARAMETERS_START(1, 5) +- Z_PARAM_STRING(hostname, hostname_len) ++ Z_PARAM_PATH(hostname, hostname_len) + Z_PARAM_OPTIONAL + Z_PARAM_LONG(type_param) + Z_PARAM_ZVAL(authns) +@@ -1065,7 +1065,7 @@ PHP_FUNCTION(dns_get_mx) + #endif + + ZEND_PARSE_PARAMETERS_START(2, 3) +- Z_PARAM_STRING(hostname, hostname_len) ++ Z_PARAM_PATH(hostname, hostname_len) + Z_PARAM_ZVAL(mx_list) + Z_PARAM_OPTIONAL + Z_PARAM_ZVAL(weight_list) +diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c +index 466d927ea3e..f5b6e03a128 100644 +--- a/ext/standard/dns_win32.c ++++ b/ext/standard/dns_win32.c +@@ -50,7 +50,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */ + DNS_STATUS status; /* Return value of DnsQuery_A() function */ + PDNS_RECORD pResult, pRec; /* Pointer to DNS_RECORD structure */ + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) { + return; + } + +@@ -104,7 +104,7 @@ PHP_FUNCTION(dns_check_record) + DNS_STATUS status; /* Return value of DnsQuery_A() function */ + PDNS_RECORD pResult; /* Pointer to DNS_RECORD structure */ + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &hostname, &hostname_len, &rectype, &rectype_len) == FAILURE) { + return; + } + +@@ -357,7 +357,7 @@ PHP_FUNCTION(dns_get_record) + int type, type_to_fetch, first_query = 1, store_results = 1; + zend_bool raw = 0; + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b", ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b", + &hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) { + return; + } +diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt +new file mode 100644 +index 00000000000..b14c8ca719b +--- /dev/null ++++ b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt +@@ -0,0 +1,71 @@ ++--TEST-- ++GHSA-www2-q4fc-65wf ++--DESCRIPTION-- ++This is a ZPP test but *keep* this as it is security-sensitive! ++--FILE-- ++<?php ++try { ++ dns_check_record("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ dns_get_mx("\0", $out); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ dns_get_record("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getprotobyname("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getservbyname("\0", "tcp"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getservbyname("x", "tcp\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ getservbyport(0, "tcp\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ inet_pton("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++try { ++ ip2long("\0"); ++} catch (ValueError $e) { ++ echo $e->getMessage(), "\n"; ++} ++?> ++--EXPECTF-- ++Warning: dns_check_record() expects parameter 1 to be a valid path, string given in %s ++ ++Warning: dns_get_mx() expects parameter 1 to be a valid path, string given in %s ++ ++Warning: dns_get_record() expects parameter 1 to be a valid path, string given in %s ++ ++Warning: getprotobyname() expects parameter 1 to be a valid path, string given in %s ++ ++Warning: getservbyname() expects parameter 1 to be a valid path, string given in %s ++ ++Warning: getservbyname() expects parameter 2 to be a valid path, string given in %s ++ ++Warning: getservbyport() expects parameter 2 to be a valid path, string given in %s ++ ++Warning: inet_pton() expects parameter 1 to be a valid path, string given in %s ++ ++Warning: ip2long() expects parameter 1 to be a valid path, string given in %s ++ +diff --git a/ext/standard/tests/network/ip_x86_64.phpt b/ext/standard/tests/network/ip_x86_64.phpt +index 3c530b83713..2158e289bae 100644 +--- a/ext/standard/tests/network/ip_x86_64.phpt ++++ b/ext/standard/tests/network/ip_x86_64.phpt +@@ -54,7 +54,7 @@ bool(false) + bool(false) + int(1869573999) + +-Warning: ip2long() expects parameter 1 to be string, array given in %sip_x86_64.php on line %d ++Warning: ip2long() expects parameter 1 to be a valid path, array given in %sip_x86_64.php on line %d + NULL + + Warning: long2ip() expects exactly 1 parameter, 0 given in %sip_x86_64.php on line %d +-- +2.52.0 + +From f2cb8ad2342a7b58b8e467ed60233bb9be30f42e Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 18 Dec 2025 07:17:43 +0100 +Subject: [PATCH 5/5] NEWS from 8.1.34 + +(cherry picked from commit 52b3bdaa74078e4ea8abd9696cdbdc35a8091446) +--- + NEWS | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/NEWS b/NEWS +index a9dd716c003..f212d40b2e9 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.1.34 ++ ++- Standard: ++ . Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). ++ (ndossche) ++ . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). ++ (CVE-2025-14178) (ndossche) ++ . Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). ++ (CVE-2025-14177) (ndossche) ++ + Backported from 8.1.33 + + - PGSQL: +-- +2.52.0 + @@ -24,7 +24,7 @@ %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) -%global oraclever 23.8 +%global oraclever 23.9 %global oraclemax 24 %global oraclelib 23.1 %global oracledir 23 @@ -109,7 +109,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 24%{?dist} +Release: 25%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -154,6 +154,8 @@ Patch10: php-7.4.33-gcc14.patch Patch11: php-7.4.33-icu.patch # Fix strict prototypes from 8.1 Patch12: php-7.4.33-proto.patch +# Fix for bash 5.3 (Fedora 43) +Patch13: php-7.4.33-bash53.patch # Functional changes Patch42: php-7.3.3-systzdata-v19.patch @@ -205,6 +207,9 @@ Patch224: php-cve-2025-1219.patch Patch225: php-cve-2025-6491.patch Patch226: php-cve-2025-1220.patch Patch227: php-cve-2025-1735.patch +Patch228: php-cve-2025-14177.patch +Patch229: php-cve-2025-14178.patch +Patch230: php-ghsa-www2-q4fc-65wf.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -890,7 +895,11 @@ License: PHP and BSD %endif Requires: php-common%{?_isa} = %{version}-%{release} %if %{with_libgd} +%if 0%{?rhel} +BuildRequires: gd3php-devel >= 2.3.3 +%else BuildRequires: pkgconfig(gdlib) >= 2.3.3 +%endif %else # Required to build the bundled GD library BuildRequires: pkgconfig(zlib) @@ -1192,6 +1201,7 @@ in pure PHP. %patch -P10 -p1 -b .gcc14 %patch -P11 -p1 -b .icu74 %patch -P12 -p1 -b .proto +%patch -P13 -p1 -b .bash53 %patch -P42 -p1 -b .systzdata %patch -P43 -p1 -b .headers @@ -1237,6 +1247,9 @@ rm ext/openssl/tests/p12_with_extra_certs.p12 %patch -P225 -p1 -b .cve6491 %patch -P226 -p1 -b .cve1220 %patch -P227 -p1 -b .cve1735 +%patch -P228 -p1 -b .cve14177 +%patch -P229 -p1 -b .cve14178 +%patch -P230 -p1 -b .ghsawwww2 # Fixes for tests related to tzdata %patch -P300 -p1 -b .datetests @@ -2264,6 +2277,14 @@ EOF %changelog +* Thu Dec 18 2025 Remi Collet <remi@remirepo.net> - 7.4.33-25 +- Fix Null byte termination in dns_get_record() + GHSA-www2-q4fc-65wf +- Fix Heap buffer overflow in array_merge() + CVE-2025-14178 +- Fix Information Leak of Memory in getimagesize + CVE-2025-14177 + * Thu Jul 3 2025 Remi Collet <remi@remirepo.net> - 7.4.33-24 - Fix pgsql extension does not check for errors during escaping CVE-2025-1735 |