Fix Security issue with external entity loading in XML without enabling it

  GHSA-3qrf-m4j2-pcrr CVE-2023-3823
Fix Buffer mismanagement in phar_dir_read()
  GHSA-jqcx-ccgc-xwhv CVE-2023-3824
move httpd/nginx wants directive to config files in /etc

4 files changed, 751 insertions, 7 deletions

diff --git a/failed.txt b/failed.txt
index 6926f00..e8e18ca 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.4.33-7 (2023-06-06)
+===== 7.4.33-8 (2023-08-03)
 
 $ grep -ar 'Tests failed' /var/lib/mock/*/build.log
 
diff --git a/php-cve-2023-3823.patch b/php-cve-2023-3823.patch
new file mode 100644
index 0000000..a795564
--- /dev/null
+++ b/php-cve-2023-3823.patch
@@ -0,0 +1,89 @@
+From c398fe98c044c8e7c23135acdc38d4ef7bedc983 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Mon, 10 Jul 2023 13:25:34 +0200
+Subject: [PATCH 1/4] Fix buffer mismanagement in phar_dir_read()
+
+Fixes GHSA-jqcx-ccgc-xwhv.
+
+(cherry picked from commit 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef)
+---
+ ext/phar/dirstream.c                    | 15 ++++++++------
+ ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+ create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+
+diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
+index 4710703c70e..490b14528f1 100644
+--- a/ext/phar/dirstream.c
++++ b/ext/phar/dirstream.c
+@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend
+  */
+ static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */
+ {
+-	size_t to_read;
+ 	HashTable *data = (HashTable *)stream->abstract;
+ 	zend_string *str_key;
+ 	zend_ulong unused;
+ 
++	if (count != sizeof(php_stream_dirent)) {
++		return -1;
++	}
++
+ 	if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
+ 		return 0;
+ 	}
+ 
+ 	zend_hash_move_forward(data);
+-	to_read = MIN(ZSTR_LEN(str_key), count);
+ 
+-	if (to_read == 0 || count < ZSTR_LEN(str_key)) {
++	php_stream_dirent *dirent = (php_stream_dirent *) buf;
++
++	if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
+ 		return 0;
+ 	}
+ 
+-	memset(buf, 0, sizeof(php_stream_dirent));
+-	memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
+-	((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
++	memset(dirent, 0, sizeof(php_stream_dirent));
++	PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));
+ 
+ 	return sizeof(php_stream_dirent);
+ }
+diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+new file mode 100644
+index 00000000000..4e12f05fb62
+--- /dev/null
++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--INI--
++phar.readonly=0
++--FILE--
++<?php
++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++$phar->startBuffering();
++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
++$phar->stopBuffering();
++
++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
++var_dump(strlen(readdir($handle)));
++// Must not be a string of length PHP_MAXPATHLEN+1
++var_dump(readdir($handle));
++closedir($handle);
++?>
++--CLEAN--
++<?php
++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
++?>
++--EXPECTF--
++int(%d)
++bool(false)
+-- 
+2.41.0
+
diff --git a/php-cve-2023-3824.patch b/php-cve-2023-3824.patch
new file mode 100644
index 0000000..4a58ac4
--- /dev/null
+++ b/php-cve-2023-3824.patch
@@ -0,0 +1,644 @@
+From b3758bd21223b97c042cae7bd26a66cde081ea98 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 15 Jul 2023 17:33:52 +0200
+Subject: [PATCH 2/4] Sanitize libxml2 globals before parsing
+
+Fixes GHSA-3qrf-m4j2-pcrr.
+
+To parse a document with libxml2, you first need to create a parsing context.
+The parsing context contains parsing options (e.g. XML_NOENT to substitute
+entities) that the application (in this case PHP) can set.
+Unfortunately, libxml2 also supports providing default set options.
+For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
+option will be added to the parsing options every time you create a parsing
+context **even if the application never requested XML_NOENT**.
+
+Third party extensions can override these globals, in particular the
+substitute entity global. This causes entity substitution to be
+unexpectedly active.
+
+Fix it by setting the parsing options to a sane known value.
+For API calls that depend on global state we introduce
+PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
+For other APIs that work directly with a context we introduce
+php_libxml_sanitize_parse_ctxt_options().
+
+(cherry picked from commit c283c3ab0ba45d21b2b8745c1f9c7cbfe771c975)
+---
+ ext/dom/document.c                            | 15 ++++++++
+ ext/dom/documentfragment.c                    |  2 ++
+ ...xml_global_state_entity_loader_bypass.phpt | 36 +++++++++++++++++++
+ ext/libxml/php_libxml.h                       | 36 +++++++++++++++++++
+ ext/simplexml/simplexml.c                     |  6 ++++
+ ...xml_global_state_entity_loader_bypass.phpt | 36 +++++++++++++++++++
+ ext/soap/php_xml.c                            |  2 ++
+ ext/xml/compat.c                              |  2 ++
+ ext/xmlreader/php_xmlreader.c                 |  9 +++++
+ ...xml_global_state_entity_loader_bypass.phpt | 35 ++++++++++++++++++
+ ext/xsl/xsltprocessor.c                       |  9 +++--
+ 11 files changed, 183 insertions(+), 5 deletions(-)
+ create mode 100644 ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
+ create mode 100644 ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
+ create mode 100644 ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index e683eb8f701..989b5b3dd24 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1458,6 +1458,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so
+ 		options |= XML_PARSE_NOBLANKS;
+ 	}
+ 
++	php_libxml_sanitize_parse_ctxt_options(ctxt);
+ 	xmlCtxtUseOptions(ctxt, options);
+ 
+ 	ctxt->recovery = recover;
+@@ -1758,7 +1759,9 @@ PHP_FUNCTION(dom_document_xinclude)
+ 
+ 	DOM_GET_OBJ(docp, id, xmlDocPtr, intern);
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(xinclude);
+ 	err = xmlXIncludeProcessFlags(docp, (int)flags);
++	PHP_LIBXML_RESTORE_GLOBALS(xinclude);
+ 
+ 	/* XML_XINCLUDE_START and XML_XINCLUDE_END nodes need to be removed as these
+ 	are added via xmlXIncludeProcess to mark beginning and ending of xincluded document
+@@ -1798,6 +1801,7 @@ PHP_FUNCTION(dom_document_validate)
+ 
+ 	DOM_GET_OBJ(docp, id, xmlDocPtr, intern);
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(validate);
+ 	cvp = xmlNewValidCtxt();
+ 
+ 	cvp->userData = NULL;
+@@ -1809,6 +1813,7 @@ PHP_FUNCTION(dom_document_validate)
+ 	} else {
+ 		RETVAL_FALSE;
+ 	}
++	PHP_LIBXML_RESTORE_GLOBALS(validate);
+ 
+ 	xmlFreeValidCtxt(cvp);
+ 
+@@ -1843,14 +1848,18 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
+ 
+ 	DOM_GET_OBJ(docp, id, xmlDocPtr, intern);
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(new_parser_ctxt);
++
+ 	switch (type) {
+ 	case DOM_LOAD_FILE:
+ 		if (CHECK_NULL_PATH(source, source_len)) {
++			PHP_LIBXML_RESTORE_GLOBALS(new_parser_ctxt);
+ 			php_error_docref(NULL, E_WARNING, "Invalid Schema file source");
+ 			RETURN_FALSE;
+ 		}
+ 		valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN);
+ 		if (!valid_file) {
++			PHP_LIBXML_RESTORE_GLOBALS(new_parser_ctxt);
+ 			php_error_docref(NULL, E_WARNING, "Invalid Schema file source");
+ 			RETURN_FALSE;
+ 		}
+@@ -1871,6 +1880,7 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
+ 		parser);
+ 	sptr = xmlSchemaParse(parser);
+ 	xmlSchemaFreeParserCtxt(parser);
++	PHP_LIBXML_RESTORE_GLOBALS(new_parser_ctxt);
+ 	if (!sptr) {
+ 		php_error_docref(NULL, E_WARNING, "Invalid Schema");
+ 		RETURN_FALSE;
+@@ -1889,11 +1899,13 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
+ 		valid_opts |= XML_SCHEMA_VAL_VC_I_CREATE;
+ 	}
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(validate);
+ 	xmlSchemaSetValidOptions(vptr, valid_opts);
+ 	xmlSchemaSetValidErrors(vptr, php_libxml_error_handler, php_libxml_error_handler, vptr);
+ 	is_valid = xmlSchemaValidateDoc(vptr, docp);
+ 	xmlSchemaFree(sptr);
+ 	xmlSchemaFreeValidCtxt(vptr);
++	PHP_LIBXML_RESTORE_GLOBALS(validate);
+ 
+ 	if (is_valid == 0) {
+ 		RETURN_TRUE;
+@@ -1964,12 +1976,14 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
+ 		return;
+ 	}
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(parse);
+ 	xmlRelaxNGSetParserErrors(parser,
+ 		(xmlRelaxNGValidityErrorFunc) php_libxml_error_handler,
+ 		(xmlRelaxNGValidityWarningFunc) php_libxml_error_handler,
+ 		parser);
+ 	sptr = xmlRelaxNGParse(parser);
+ 	xmlRelaxNGFreeParserCtxt(parser);
++	PHP_LIBXML_RESTORE_GLOBALS(parse);
+ 	if (!sptr) {
+ 		php_error_docref(NULL, E_WARNING, "Invalid RelaxNG");
+ 		RETURN_FALSE;
+@@ -2068,6 +2082,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
+ 		ctxt->sax->error = php_libxml_ctx_error;
+ 		ctxt->sax->warning = php_libxml_ctx_warning;
+ 	}
++	php_libxml_sanitize_parse_ctxt_options(ctxt);
+ 	if (options) {
+ 		htmlCtxtUseOptions(ctxt, (int)options);
+ 	}
+diff --git a/ext/dom/documentfragment.c b/ext/dom/documentfragment.c
+index 9b222586ac5..711c42f939d 100644
+--- a/ext/dom/documentfragment.c
++++ b/ext/dom/documentfragment.c
+@@ -131,7 +131,9 @@ PHP_METHOD(domdocumentfragment, appendXML) {
+ 	}
+ 
+ 	if (data) {
++		PHP_LIBXML_SANITIZE_GLOBALS(parse);
+ 		err = xmlParseBalancedChunkMemory(nodep->doc, NULL, NULL, 0, (xmlChar *) data, &lst);
++		PHP_LIBXML_RESTORE_GLOBALS(parse);
+ 		if (err != 0) {
+ 			RETURN_FALSE;
+ 		}
+diff --git a/ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt b/ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
+new file mode 100644
+index 00000000000..b28afd4694e
+--- /dev/null
++++ b/ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
+@@ -0,0 +1,36 @@
++--TEST--
++GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
++--SKIPIF--
++<?php
++if (!extension_loaded('libxml')) die('skip libxml extension not available');
++if (!extension_loaded('dom')) die('skip dom extension not available');
++if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
++?>
++--FILE--
++<?php
++
++$xml = "<?xml version='1.0'?><!DOCTYPE root [<!ENTITY % bork SYSTEM \"php://nope\"> %bork;]><nothing/>";
++
++libxml_use_internal_errors(true);
++
++function parseXML($xml) {
++  $doc = new DOMDocument();
++  @$doc->loadXML($xml);
++  $doc->createDocumentFragment()->appendXML("&bork;");
++  foreach (libxml_get_errors() as $error) {
++    var_dump(trim($error->message));
++  }
++}
++
++parseXML($xml);
++zend_test_override_libxml_global_state();
++parseXML($xml);
++
++echo "Done\n";
++
++?>
++--EXPECT--
++string(25) "Entity 'bork' not defined"
++string(25) "Entity 'bork' not defined"
++string(25) "Entity 'bork' not defined"
++Done
+diff --git a/ext/libxml/php_libxml.h b/ext/libxml/php_libxml.h
+index cf936e95de1..92028d5703e 100644
+--- a/ext/libxml/php_libxml.h
++++ b/ext/libxml/php_libxml.h
+@@ -120,6 +120,42 @@ PHP_LIBXML_API void php_libxml_shutdown(void);
+ ZEND_TSRMLS_CACHE_EXTERN()
+ #endif
+ 
++/* Other extension may override the global state options, these global options
++ * are copied initially to ctxt->options. Set the options to a known good value.
++ * See libxml2 globals.c and parserInternals.c.
++ * The unique_name argument allows multiple sanitizes and restores within the
++ * same function, even nested is necessary. */
++#define PHP_LIBXML_SANITIZE_GLOBALS(unique_name) \
++	int xml_old_loadsubset_##unique_name = xmlLoadExtDtdDefaultValue; \
++	xmlLoadExtDtdDefaultValue = 0; \
++	int xml_old_validate_##unique_name = xmlDoValidityCheckingDefaultValue; \
++	xmlDoValidityCheckingDefaultValue = 0; \
++	int xml_old_pedantic_##unique_name = xmlPedanticParserDefault(0); \
++	int xml_old_substitute_##unique_name = xmlSubstituteEntitiesDefault(0); \
++	int xml_old_linenrs_##unique_name = xmlLineNumbersDefault(0); \
++	int xml_old_blanks_##unique_name = xmlKeepBlanksDefault(1);
++
++#define PHP_LIBXML_RESTORE_GLOBALS(unique_name) \
++	xmlLoadExtDtdDefaultValue = xml_old_loadsubset_##unique_name; \
++	xmlDoValidityCheckingDefaultValue = xml_old_validate_##unique_name; \
++	(void) xmlPedanticParserDefault(xml_old_pedantic_##unique_name); \
++	(void) xmlSubstituteEntitiesDefault(xml_old_substitute_##unique_name); \
++	(void) xmlLineNumbersDefault(xml_old_linenrs_##unique_name); \
++	(void) xmlKeepBlanksDefault(xml_old_blanks_##unique_name);
++
++/* Alternative for above, working directly on the context and not setting globals.
++ * Generally faster because no locking is involved, and this has the advantage that it sets the options to a known good value. */
++static zend_always_inline void php_libxml_sanitize_parse_ctxt_options(xmlParserCtxtPtr ctxt)
++{
++	ctxt->loadsubset = 0;
++	ctxt->validate = 0;
++	ctxt->pedantic = 0;
++	ctxt->replaceEntities = 0;
++	ctxt->linenumbers = 0;
++	ctxt->keepBlanks = 1;
++	ctxt->options = 0;
++}
++
+ #else /* HAVE_LIBXML */
+ #define libxml_module_ptr NULL
+ #endif
+diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
+index 2cdff0e648d..101a9d8fd8c 100644
+--- a/ext/simplexml/simplexml.c
++++ b/ext/simplexml/simplexml.c
+@@ -2194,7 +2194,9 @@ PHP_FUNCTION(simplexml_load_file)
+ 		RETURN_FALSE;
+ 	}
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(read_file);
+ 	docp = xmlReadFile(filename, NULL, (int)options);
++	PHP_LIBXML_RESTORE_GLOBALS(read_file);
+ 
+ 	if (!docp) {
+ 		RETURN_FALSE;
+@@ -2248,7 +2250,9 @@ PHP_FUNCTION(simplexml_load_string)
+ 		RETURN_FALSE;
+ 	}
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(read_memory);
+ 	docp = xmlReadMemory(data, (int)data_len, NULL, NULL, (int)options);
++	PHP_LIBXML_RESTORE_GLOBALS(read_memory);
+ 
+ 	if (!docp) {
+ 		RETURN_FALSE;
+@@ -2298,7 +2302,9 @@ SXE_METHOD(__construct)
+ 		return;
+ 	}
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(read_file_or_memory);
+ 	docp = is_url ? xmlReadFile(data, NULL, (int)options) : xmlReadMemory(data, (int)data_len, NULL, NULL, (int)options);
++	PHP_LIBXML_RESTORE_GLOBALS(read_file_or_memory);
+ 
+ 	if (!docp) {
+ 		((php_libxml_node_object *)sxe)->document = NULL;
+diff --git a/ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt b/ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
+new file mode 100644
+index 00000000000..2152e012328
+--- /dev/null
++++ b/ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
+@@ -0,0 +1,36 @@
++--TEST--
++GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
++--SKIPIF--
++<?php
++if (!extension_loaded('libxml')) die('skip libxml extension not available');
++if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
++if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
++?>
++--FILE--
++<?php
++
++$xml = "<?xml version='1.0'?><!DOCTYPE root [<!ENTITY % bork SYSTEM \"php://nope\"> %bork;]><nothing/>";
++
++libxml_use_internal_errors(true);
++zend_test_override_libxml_global_state();
++
++echo "--- String test ---\n";
++simplexml_load_string($xml);
++echo "--- Constructor test ---\n";
++new SimpleXMLElement($xml);
++echo "--- File test ---\n";
++file_put_contents("libxml_global_state_entity_loader_bypass.tmp", $xml);
++simplexml_load_file("libxml_global_state_entity_loader_bypass.tmp");
++
++echo "Done\n";
++
++?>
++--CLEAN--
++<?php
++@unlink("libxml_global_state_entity_loader_bypass.tmp");
++?>
++--EXPECT--
++--- String test ---
++--- Constructor test ---
++--- File test ---
++Done
+diff --git a/ext/soap/php_xml.c b/ext/soap/php_xml.c
+index 18a266179b7..1bb7fa00a37 100644
+--- a/ext/soap/php_xml.c
++++ b/ext/soap/php_xml.c
+@@ -93,6 +93,7 @@ xmlDocPtr soap_xmlParseFile(const char *filename)
+ 	if (ctxt) {
+ 		zend_bool old;
+ 
++		php_libxml_sanitize_parse_ctxt_options(ctxt);
+ 		ctxt->keepBlanks = 0;
+ 		ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ 		ctxt->sax->comment = soap_Comment;
+@@ -141,6 +142,7 @@ xmlDocPtr soap_xmlParseMemory(const void *buf, size_t buf_size)
+ 	if (ctxt) {
+ 		zend_bool old;
+ 
++		php_libxml_sanitize_parse_ctxt_options(ctxt);
+ 		ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ 		ctxt->sax->comment = soap_Comment;
+ 		ctxt->sax->warning = NULL;
+diff --git a/ext/xml/compat.c b/ext/xml/compat.c
+index fc4525650fc..57eb00dd429 100644
+--- a/ext/xml/compat.c
++++ b/ext/xml/compat.c
+@@ -19,6 +19,7 @@
+ #include "php.h"
+ #if defined(HAVE_LIBXML) && (defined(HAVE_XML) || defined(HAVE_XMLRPC)) && !defined(HAVE_LIBEXPAT)
+ #include "expat_compat.h"
++#include "ext/libxml/php_libxml.h"
+ 
+ typedef struct _php_xml_ns {
+ 	xmlNsPtr nsptr;
+@@ -471,6 +472,7 @@ XML_ParserCreate_MM(const XML_Char *encoding, const XML_Memory_Handling_Suite *m
+ 		return NULL;
+ 	}
+ 
++	php_libxml_sanitize_parse_ctxt_options(parser->parser);
+ 	xmlCtxtUseOptions(parser->parser, XML_PARSE_OLDSAX);
+ 
+ 	parser->parser->replaceEntities = 1;
+diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
+index ecc81ad1470..51d6bb9c9f2 100644
+--- a/ext/xmlreader/php_xmlreader.c
++++ b/ext/xmlreader/php_xmlreader.c
+@@ -304,6 +304,7 @@ static xmlRelaxNGPtr _xmlreader_get_relaxNG(char *source, size_t source_len, siz
+ 		return NULL;
+ 	}
+ 
++	PHP_LIBXML_SANITIZE_GLOBALS(parse);
+ 	if (error_func || warn_func) {
+ 		xmlRelaxNGSetParserErrors(parser,
+ 			(xmlRelaxNGValidityErrorFunc) error_func,
+@@ -312,6 +313,7 @@ static xmlRelaxNGPtr _xmlreader_get_relaxNG(char *source, size_t source_len, siz
+ 	}
+ 	sptr = xmlRelaxNGParse(parser);
+ 	xmlRelaxNGFreeParserCtxt(parser);
++	PHP_LIBXML_RESTORE_GLOBALS(parse);
+ 
+ 	return sptr;
+ }
+@@ -881,7 +883,9 @@ PHP_METHOD(xmlreader, open)
+ 	valid_file = _xmlreader_get_valid_file_path(source, resolved_path, MAXPATHLEN );
+ 
+ 	if (valid_file) {
++		PHP_LIBXML_SANITIZE_GLOBALS(reader_for_file);
+ 		reader = xmlReaderForFile(valid_file, encoding, options);
++		PHP_LIBXML_RESTORE_GLOBALS(reader_for_file);
+ 	}
+ 
+ 	if (reader == NULL) {
+@@ -958,7 +962,9 @@ PHP_METHOD(xmlreader, setSchema)
+ 
+ 	intern = Z_XMLREADER_P(id);
+ 	if (intern && intern->ptr) {
++		PHP_LIBXML_SANITIZE_GLOBALS(schema);
+ 		retval = xmlTextReaderSchemaValidate(intern->ptr, source);
++		PHP_LIBXML_RESTORE_GLOBALS(schema);
+ 
+ 		if (retval == 0) {
+ 			RETURN_TRUE;
+@@ -1082,6 +1088,7 @@ PHP_METHOD(xmlreader, XML)
+ 			}
+ 			uri = (char *) xmlCanonicPath((const xmlChar *) resolved_path);
+ 		}
++		PHP_LIBXML_SANITIZE_GLOBALS(text_reader);
+ 		reader = xmlNewTextReader(inputbfr, uri);
+ 
+ 		if (reader != NULL) {
+@@ -1100,9 +1107,11 @@ PHP_METHOD(xmlreader, XML)
+ 					xmlFree(uri);
+ 				}
+ 
++				PHP_LIBXML_RESTORE_GLOBALS(text_reader);
+ 				return;
+ 			}
+ 		}
++		PHP_LIBXML_RESTORE_GLOBALS(text_reader);
+ 	}
+ 
+ 	if (uri) {
+diff --git a/ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt b/ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
+new file mode 100644
+index 00000000000..e9ffb04c2bb
+--- /dev/null
++++ b/ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
+@@ -0,0 +1,35 @@
++--TEST--
++GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
++--SKIPIF--
++<?php
++if (!extension_loaded('libxml')) die('skip libxml extension not available');
++if (!extension_loaded('xmlreader')) die('skip xmlreader extension not available');
++if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
++?>
++--FILE--
++<?php
++
++$xml = "<?xml version='1.0'?><!DOCTYPE root [<!ENTITY % bork SYSTEM \"php://nope\"> %bork;]><nothing/>";
++
++libxml_use_internal_errors(true);
++zend_test_override_libxml_global_state();
++
++echo "--- String test ---\n";
++$reader = XMLReader::xml($xml);
++$reader->read();
++echo "--- File test ---\n";
++file_put_contents("libxml_global_state_entity_loader_bypass.tmp", $xml);
++$reader = XMLReader::open("libxml_global_state_entity_loader_bypass.tmp");
++$reader->read();
++
++echo "Done\n";
++
++?>
++--CLEAN--
++<?php
++@unlink("libxml_global_state_entity_loader_bypass.tmp");
++?>
++--EXPECT--
++--- String test ---
++--- File test ---
++Done
+diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
+index 079920d0ffa..2d95b2ff4bb 100644
+--- a/ext/xsl/xsltprocessor.c
++++ b/ext/xsl/xsltprocessor.c
+@@ -398,7 +398,7 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
+ 	xmlDoc *doc = NULL, *newdoc = NULL;
+ 	xsltStylesheetPtr sheetp, oldsheetp;
+ 	xsl_object *intern;
+-	int prevSubstValue, prevExtDtdValue, clone_docu = 0;
++	int clone_docu = 0;
+ 	xmlNode *nodep = NULL;
+ 	zval *cloneDocu, member, rv;
+ 
+@@ -421,13 +421,12 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
+ 	stylesheet document otherwise the node proxies will be a mess */
+ 	newdoc = xmlCopyDoc(doc, 1);
+ 	xmlNodeSetBase((xmlNodePtr) newdoc, (xmlChar *)doc->URL);
+-	prevSubstValue = xmlSubstituteEntitiesDefault(1);
+-	prevExtDtdValue = xmlLoadExtDtdDefaultValue;
++	PHP_LIBXML_SANITIZE_GLOBALS(parse);
++	xmlSubstituteEntitiesDefault(1);
+ 	xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
+ 
+ 	sheetp = xsltParseStylesheetDoc(newdoc);
+-	xmlSubstituteEntitiesDefault(prevSubstValue);
+-	xmlLoadExtDtdDefaultValue = prevExtDtdValue;
++	PHP_LIBXML_RESTORE_GLOBALS(parse);
+ 
+ 	if (!sheetp) {
+ 		xmlFreeDoc(newdoc);
+-- 
+2.41.0
+
+From ef1d507acf7be23d7624dc3c891683b2218feb51 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 1 Aug 2023 07:22:33 +0200
+Subject: [PATCH 3/4] NEWS
+
+---
+ NEWS | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 899644b3d63..4f88029a7d6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.0.30
++
++- Libxml:
++  . Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
++    in XML without enabling it). (CVE-2023-3823) (nielsdos, ilutov)
++
++- Phar:
++  . Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
++    (CVE-2023-3824) (nielsdos)
++
+ Backported from 8.0.29
+ 
+ - Soap:
+-- 
+2.41.0
+
+From 24e669e790e6aebd219c9a9fa19017455c8646b4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 1 Aug 2023 07:37:25 +0200
+Subject: [PATCH 4/4] backport zend_test changes
+ (zend_test_override_libxml_global_state)
+
+---
+ ...xml_global_state_entity_loader_bypass.phpt |  1 +
+ ...xml_global_state_entity_loader_bypass.phpt |  1 +
+ ...xml_global_state_entity_loader_bypass.phpt |  5 +++--
+ ext/zend_test/test.c                          | 22 +++++++++++++++++++
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt b/ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
+index b28afd4694e..7fc2a249ac7 100644
+--- a/ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
++++ b/ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
+@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
+ if (!extension_loaded('libxml')) die('skip libxml extension not available');
+ if (!extension_loaded('dom')) die('skip dom extension not available');
+ if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
++if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
+ ?>
+ --FILE--
+ <?php
+diff --git a/ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt b/ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
+index 2152e012328..54f9d4941eb 100644
+--- a/ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
++++ b/ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
+@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
+ if (!extension_loaded('libxml')) die('skip libxml extension not available');
+ if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+ if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
++if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
+ ?>
+ --FILE--
+ <?php
+diff --git a/ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt b/ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
+index e9ffb04c2bb..b0120b325ef 100644
+--- a/ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
++++ b/ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
+@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
+ if (!extension_loaded('libxml')) die('skip libxml extension not available');
+ if (!extension_loaded('xmlreader')) die('skip xmlreader extension not available');
+ if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
++if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
+ ?>
+ --FILE--
+ <?php
+@@ -15,11 +16,11 @@ libxml_use_internal_errors(true);
+ zend_test_override_libxml_global_state();
+ 
+ echo "--- String test ---\n";
+-$reader = XMLReader::xml($xml);
++$reader = @XMLReader::xml($xml);
+ $reader->read();
+ echo "--- File test ---\n";
+ file_put_contents("libxml_global_state_entity_loader_bypass.tmp", $xml);
+-$reader = XMLReader::open("libxml_global_state_entity_loader_bypass.tmp");
++$reader = @XMLReader::open("libxml_global_state_entity_loader_bypass.tmp");
+ $reader->read();
+ 
+ echo "Done\n";
+diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
+index 4f81adc6ac1..cdfc15571c0 100644
+--- a/ext/zend_test/test.c
++++ b/ext/zend_test/test.c
+@@ -25,6 +25,11 @@
+ #include "ext/standard/info.h"
+ #include "php_test.h"
+ 
++#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
++# include <libxml/globals.h>
++# include <libxml/parser.h>
++#endif
++
+ static zend_class_entry *zend_test_interface;
+ static zend_class_entry *zend_test_class;
+ static zend_class_entry *zend_test_child_class;
+@@ -48,6 +53,20 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_zend_leak_variable, 0, 0, 1)
+ 	ZEND_ARG_INFO(0, variable)
+ ZEND_END_ARG_INFO()
+ 
++#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
++static ZEND_FUNCTION(zend_test_override_libxml_global_state)
++{
++	ZEND_PARSE_PARAMETERS_NONE();
++
++	xmlLoadExtDtdDefaultValue = 1;
++	xmlDoValidityCheckingDefaultValue = 1;
++	(void) xmlPedanticParserDefault(1);
++	(void) xmlSubstituteEntitiesDefault(1);
++	(void) xmlLineNumbersDefault(1);
++	(void) xmlKeepBlanksDefault(0);
++}
++#endif
++
+ ZEND_FUNCTION(zend_test_func)
+ {
+ 	/* dummy */
+@@ -297,6 +316,9 @@ static const zend_function_entry zend_test_functions[] = {
+ 	ZEND_FE(zend_terminate_string, arginfo_zend_terminate_string)
+ 	ZEND_FE(zend_leak_bytes, NULL)
+ 	ZEND_FE(zend_leak_variable, arginfo_zend_leak_variable)
++#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
++	ZEND_FE(zend_test_override_libxml_global_state, NULL)
++#endif
+ 	ZEND_FE_END
+ };
+ 
+-- 
+2.41.0
+
diff --git a/php74.spec b/php74.spec
index c609963..5b5da77 100644
--- a/php74.spec
+++ b/php74.spec
@@ -98,7 +98,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 7%{?dist}
+Release: 8%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -167,6 +167,8 @@ Patch201: php-bug81744.patch
 Patch202: php-bug81746.patch
 Patch203: php-cve-2023-0662.patch
 Patch204: php-cve-2023-3247.patch
+Patch205: php-cve-2023-3823.patch
+Patch206: php-cve-2023-3824.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1172,6 +1174,8 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
 %patch -P202 -p1 -b .bug81746
 %patch -P203 -p1 -b .cve0662
 %patch -P204 -p1 -b .cve3247
+%patch -P205 -p1 -b .cve3823
+%patch -P206 -p1 -b .cve3824
 
 # Fixes for tests related to tzdata
 %patch -P300 -p1 -b .datetests
@@ -1780,8 +1784,8 @@ install -m 755 -d $RPM_BUILD_ROOT/run/php-fpm
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/php-fpm.service.d
 install -Dm 644 %{SOURCE6}  $RPM_BUILD_ROOT%{_unitdir}/php-fpm.service
 %if 0%{?fedora} >= 27 || 0%{?rhel} >= 8
-install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/httpd.service.d/php-fpm.conf
-install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/nginx.service.d/php-fpm.conf
+install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/httpd.service.d/php-fpm.conf
+install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/nginx.service.d/php-fpm.conf
 %endif
 
 %if 0%{?fedora} >= 26 || 0%{?rhel} >= 8
@@ -2117,8 +2121,8 @@ EOF
 %endif
 %{_unitdir}/php-fpm.service
 %if 0%{?fedora} >= 27 || 0%{?rhel} >= 8
-%{_unitdir}/httpd.service.d/php-fpm.conf
-%{_unitdir}/nginx.service.d/php-fpm.conf
+%config(noreplace) %{_sysconfdir}/systemd/system/httpd.service.d/php-fpm.conf
+%config(noreplace) %{_sysconfdir}/systemd/system/nginx.service.d/php-fpm.conf
 %endif
 %dir %{_sysconfdir}/systemd/system/php-fpm.service.d
 %dir %ghost /run/php-fpm
@@ -2199,10 +2203,17 @@ EOF
 
 
 %changelog
+* Tue Aug  1 2023 Remi Collet <remi@remirepo.net> - 7.4.33-8
+- Fix Security issue with external entity loading in XML without enabling it
+  GHSA-3qrf-m4j2-pcrr CVE-2023-3823
+- Fix Buffer mismanagement in phar_dir_read()
+  GHSA-jqcx-ccgc-xwhv CVE-2023-3824
+- move httpd/nginx wants directive to config files in /etc
+
 * Tue Jun  6 2023 Remi Collet <remi@remirepo.net> - 7.4.33-7
 - Fix Missing error check and insufficient random bytes in HTTP Digest
   authentication for SOAP
-  GHSA-76gg-c692-v2mw  CVE-2023-3247
+  GHSA-76gg-c692-v2mw CVE-2023-3247
 
 * Fri Apr 14 2023 Remi Collet <remi@remirepo.net> - 7.4.33-6
 - use ICU 72.1