From 48da71cabffa853e95433f5a7127c2439eb65ea3 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 13 Nov 2024 08:22:44 +0100
Subject: rename patches

---
 php-bug81740.patch       |  84 ---------------------
 php-bug81744.patch       | 188 -----------------------------------------------
 php-bug81746.patch       |  98 ------------------------
 php-cve-2022-31631.patch |  84 +++++++++++++++++++++
 php-cve-2023-0567.patch  | 188 +++++++++++++++++++++++++++++++++++++++++++++++
 php-cve-2023-0568.patch  |  98 ++++++++++++++++++++++++
 php74.spec               |  14 ++--
 7 files changed, 377 insertions(+), 377 deletions(-)
 delete mode 100644 php-bug81740.patch
 delete mode 100644 php-bug81744.patch
 delete mode 100644 php-bug81746.patch
 create mode 100644 php-cve-2022-31631.patch
 create mode 100644 php-cve-2023-0567.patch
 create mode 100644 php-cve-2023-0568.patch

diff --git a/php-bug81740.patch b/php-bug81740.patch
deleted file mode 100644
index 4826efc..0000000
--- a/php-bug81740.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 7cb160efe19d3dfb8b92629805733ea186b55050 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Mon, 31 Oct 2022 17:20:23 +0100
-Subject: [PATCH 1/2] Fix #81740: PDO::quote() may return unquoted string
-
-`sqlite3_snprintf()` expects its first parameter to be `int`; we need
-to avoid overflow.
-
-(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba)
----
- ext/pdo_sqlite/sqlite_driver.c     |  3 +++
- ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++
- 2 files changed, 20 insertions(+)
- create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt
-
-diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c
-index 0595bd09feb..54f9d05e1e2 100644
---- a/ext/pdo_sqlite/sqlite_driver.c
-+++ b/ext/pdo_sqlite/sqlite_driver.c
-@@ -233,6 +233,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t
- /* NB: doesn't handle binary strings... use prepared stmts for that */
- static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype )
- {
-+	if (unquotedlen > (INT_MAX - 3) / 2) {
-+		return 0;
-+	}
- 	*quoted = safe_emalloc(2, unquotedlen, 3);
- 	sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted);
- 	*quotedlen = strlen(*quoted);
-diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
-new file mode 100644
-index 00000000000..99fb07c3048
---- /dev/null
-+++ b/ext/pdo_sqlite/tests/bug81740.phpt
-@@ -0,0 +1,17 @@
-+--TEST--
-+Bug #81740 (PDO::quote() may return unquoted string)
-+--SKIPIF--
-+<?php
-+if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
-+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
-+?>
-+--INI--
-+memory_limit=-1
-+--FILE--
-+<?php
-+$pdo = new PDO("sqlite::memory:");
-+$string = str_repeat("a", 0x80000000);
-+var_dump($pdo->quote($string));
-+?>
-+--EXPECT--
-+bool(false)
--- 
-2.38.1
-
-From 7328f3a0344806b846bd05657bdce96e47810bf0 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@remirepo.net>
-Date: Mon, 19 Dec 2022 09:24:02 +0100
-Subject: [PATCH 2/2] NEWS
-
----
- NEWS | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/NEWS b/NEWS
-index 8a8c0c9285d..03e8c839c77 100644
---- a/NEWS
-+++ b/NEWS
-@@ -1,5 +1,12 @@
- PHP                                                                        NEWS
- |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-+
-+Backported from 8.0.27
-+
-+- PDO/SQLite:
-+  . Fixed bug #81740 (PDO::quote() may return unquoted string).
-+    (CVE-2022-31631) (cmb)
-+
- 03 Nov 2022, PHP 7.4.33
- 
- - GD:
--- 
-2.38.1
-
diff --git a/php-bug81744.patch b/php-bug81744.patch
deleted file mode 100644
index 62296ce..0000000
--- a/php-bug81744.patch
+++ /dev/null
@@ -1,188 +0,0 @@
-From 7437aaae38cf4b3357e7580f9e22fd4a403b6c23 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
-Date: Mon, 23 Jan 2023 21:15:24 +0100
-Subject: [PATCH 1/7] crypt: Fix validation of malformed BCrypt hashes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-PHP’s implementation of crypt_blowfish differs from the upstream Openwall
-version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
-by including a `$` character within the characters that represent the salt.
-
-Hashes that are affected by the “PHP Hack” may erroneously validate any
-password as valid when used with `password_verify` and when comparing the
-return value of `crypt()` against the input.
-
-The PHP Hack exists since the first version of PHP’s own crypt_blowfish
-implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.
-
-No clear reason is given for the PHP Hack’s existence. This commit removes it,
-because BCrypt hashes containing a `$` character in their salt are not valid
-BCrypt hashes.
-
-(cherry picked from commit c840f71524067aa474c00c3eacfb83bd860bfc8a)
----
- ext/standard/crypt_blowfish.c                 |  8 --
- .../tests/crypt/bcrypt_salt_dollar.phpt       | 82 +++++++++++++++++++
- 2 files changed, 82 insertions(+), 8 deletions(-)
- create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
-
-diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
-index c1f945f29ed..aa7e1bc2e68 100644
---- a/ext/standard/crypt_blowfish.c
-+++ b/ext/standard/crypt_blowfish.c
-@@ -376,7 +376,6 @@ static unsigned char BF_atoi64[0x60] = {
- #define BF_safe_atoi64(dst, src) \
- { \
- 	tmp = (unsigned char)(src); \
--	if (tmp == '$') break; /* PHP hack */ \
- 	if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
- 	tmp = BF_atoi64[tmp]; \
- 	if (tmp > 63) return -1; \
-@@ -404,13 +403,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
- 		*dptr++ = ((c3 & 0x03) << 6) | c4;
- 	} while (dptr < end);
- 
--	if (end - dptr == size) {
--		return -1;
--	}
--
--	while (dptr < end) /* PHP hack */
--		*dptr++ = 0;
--
- 	return 0;
- }
- 
-diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
-new file mode 100644
-index 00000000000..32e335f4b08
---- /dev/null
-+++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
-@@ -0,0 +1,82 @@
-+--TEST--
-+bcrypt correctly rejects salts containing $
-+--FILE--
-+<?php
-+for ($i = 0; $i < 23; $i++) {
-+	$salt = '$2y$04$' . str_repeat('0', $i) . '$';
-+	$result = crypt("foo", $salt);
-+	var_dump($salt);
-+	var_dump($result);
-+	var_dump($result === $salt);
-+}
-+?>
-+--EXPECT--
-+string(8) "$2y$04$$"
-+string(2) "*0"
-+bool(false)
-+string(9) "$2y$04$0$"
-+string(2) "*0"
-+bool(false)
-+string(10) "$2y$04$00$"
-+string(2) "*0"
-+bool(false)
-+string(11) "$2y$04$000$"
-+string(2) "*0"
-+bool(false)
-+string(12) "$2y$04$0000$"
-+string(2) "*0"
-+bool(false)
-+string(13) "$2y$04$00000$"
-+string(2) "*0"
-+bool(false)
-+string(14) "$2y$04$000000$"
-+string(2) "*0"
-+bool(false)
-+string(15) "$2y$04$0000000$"
-+string(2) "*0"
-+bool(false)
-+string(16) "$2y$04$00000000$"
-+string(2) "*0"
-+bool(false)
-+string(17) "$2y$04$000000000$"
-+string(2) "*0"
-+bool(false)
-+string(18) "$2y$04$0000000000$"
-+string(2) "*0"
-+bool(false)
-+string(19) "$2y$04$00000000000$"
-+string(2) "*0"
-+bool(false)
-+string(20) "$2y$04$000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(21) "$2y$04$0000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(22) "$2y$04$00000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(23) "$2y$04$000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(24) "$2y$04$0000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(25) "$2y$04$00000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(26) "$2y$04$000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(27) "$2y$04$0000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(28) "$2y$04$00000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(29) "$2y$04$000000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(30) "$2y$04$0000000000000000000000$"
-+string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
-+bool(false)
--- 
-2.39.1
-
-From ed0281b588a6840cb95f3134a4e68847a3be5bb7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
-Date: Mon, 23 Jan 2023 22:13:57 +0100
-Subject: [PATCH 2/7] crypt: Fix possible buffer overread in php_crypt()
-
-(cherry picked from commit a92acbad873a05470af1a47cb785a18eadd827b5)
----
- ext/standard/crypt.c                                   | 1 +
- ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++
- 2 files changed, 9 insertions(+)
- create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt
-
-diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
-index 92430b69f77..04487f3fe5a 100644
---- a/ext/standard/crypt.c
-+++ b/ext/standard/crypt.c
-@@ -151,6 +151,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
- 		} else if (
- 				salt[0] == '$' &&
- 				salt[1] == '2' &&
-+				salt[2] != 0 &&
- 				salt[3] == '$') {
- 			char output[PHP_MAX_SALT_LEN + 1];
- 
-diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt b/ext/standard/tests/password/password_bcrypt_short.phpt
-new file mode 100644
-index 00000000000..085bc8a2390
---- /dev/null
-+++ b/ext/standard/tests/password/password_bcrypt_short.phpt
-@@ -0,0 +1,8 @@
-+--TEST--
-+Test that password_hash() does not overread buffers when a short hash is passed
-+--FILE--
-+<?php
-+var_dump(password_verify("foo", '$2'));
-+?>
-+--EXPECT--
-+bool(false)
--- 
-2.39.1
-
diff --git a/php-bug81746.patch b/php-bug81746.patch
deleted file mode 100644
index 6e2ba19..0000000
--- a/php-bug81746.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 887cd0710ad856a0d22c329b6ea6c71ebd8621ae Mon Sep 17 00:00:00 2001
-From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
-Date: Fri, 27 Jan 2023 19:28:27 +0100
-Subject: [PATCH 3/7] Fix array overrun when appending slash to paths
-
-Fix it by extending the array sizes by one character. As the input is
-limited to the maximum path length, there will always be place to append
-the slash. As the php_check_specific_open_basedir() simply uses the
-strings to compare against each other, no new failures related to too
-long paths are introduced.
-We'll let the DOM and XML case handle a potentially too long path in the
-library code.
-
-(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953)
----
- ext/dom/document.c            | 2 +-
- ext/xmlreader/php_xmlreader.c | 2 +-
- main/fopen_wrappers.c         | 6 +++---
- 3 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/ext/dom/document.c b/ext/dom/document.c
-index b478e1a1aab..e683eb8f701 100644
---- a/ext/dom/document.c
-+++ b/ext/dom/document.c
-@@ -1380,7 +1380,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so
- 	int validate, recover, resolve_externals, keep_blanks, substitute_ent;
- 	int resolved_path_len;
- 	int old_error_reporting = 0;
--	char *directory=NULL, resolved_path[MAXPATHLEN];
-+	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
- 
- 	if (id != NULL) {
- 		intern = Z_DOMOBJ_P(id);
-diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
-index 06f569949ce..ecc81ad1470 100644
---- a/ext/xmlreader/php_xmlreader.c
-+++ b/ext/xmlreader/php_xmlreader.c
-@@ -1038,7 +1038,7 @@ PHP_METHOD(xmlreader, XML)
- 	xmlreader_object *intern = NULL;
- 	char *source, *uri = NULL, *encoding = NULL;
- 	int resolved_path_len, ret = 0;
--	char *directory=NULL, resolved_path[MAXPATHLEN];
-+	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
- 	xmlParserInputBufferPtr inputbfr;
- 	xmlTextReaderPtr reader;
- 
-diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
-index 27135020fa3..90de040a218 100644
---- a/main/fopen_wrappers.c
-+++ b/main/fopen_wrappers.c
-@@ -138,10 +138,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
- */
- PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path)
- {
--	char resolved_name[MAXPATHLEN];
--	char resolved_basedir[MAXPATHLEN];
-+	char resolved_name[MAXPATHLEN + 1];
-+	char resolved_basedir[MAXPATHLEN + 1];
- 	char local_open_basedir[MAXPATHLEN];
--	char path_tmp[MAXPATHLEN];
-+	char path_tmp[MAXPATHLEN + 1];
- 	char *path_file;
- 	size_t resolved_basedir_len;
- 	size_t resolved_name_len;
--- 
-2.39.1
-
-From 614468ce4056c0ef93aae09532dcffdf65b594b5 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@remirepo.net>
-Date: Mon, 13 Feb 2023 11:46:47 +0100
-Subject: [PATCH 4/7] NEWS
-
----
- NEWS | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/NEWS b/NEWS
-index 03e8c839c77..8157a20d4b3 100644
---- a/NEWS
-+++ b/NEWS
-@@ -1,6 +1,14 @@
- PHP                                                                        NEWS
- |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
- 
-+Backported from 8.0.28
-+
-+- Core:
-+  . Fixed bug #81744 (Password_verify() always return true with some hash).
-+    (CVE-2023-0567). (Tim Düsterhus)
-+  . Fixed bug #81746 (1-byte array overrun in common path resolve code).
-+    (CVE-2023-0568). (Niels Dossche)
-+
- Backported from 8.0.27
- 
- - PDO/SQLite:
--- 
-2.39.1
-
diff --git a/php-cve-2022-31631.patch b/php-cve-2022-31631.patch
new file mode 100644
index 0000000..4826efc
--- /dev/null
+++ b/php-cve-2022-31631.patch
@@ -0,0 +1,84 @@
+From 7cb160efe19d3dfb8b92629805733ea186b55050 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 31 Oct 2022 17:20:23 +0100
+Subject: [PATCH 1/2] Fix #81740: PDO::quote() may return unquoted string
+
+`sqlite3_snprintf()` expects its first parameter to be `int`; we need
+to avoid overflow.
+
+(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba)
+---
+ ext/pdo_sqlite/sqlite_driver.c     |  3 +++
+ ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++
+ 2 files changed, 20 insertions(+)
+ create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt
+
+diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c
+index 0595bd09feb..54f9d05e1e2 100644
+--- a/ext/pdo_sqlite/sqlite_driver.c
++++ b/ext/pdo_sqlite/sqlite_driver.c
+@@ -233,6 +233,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t
+ /* NB: doesn't handle binary strings... use prepared stmts for that */
+ static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype )
+ {
++	if (unquotedlen > (INT_MAX - 3) / 2) {
++		return 0;
++	}
+ 	*quoted = safe_emalloc(2, unquotedlen, 3);
+ 	sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted);
+ 	*quotedlen = strlen(*quoted);
+diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
+new file mode 100644
+index 00000000000..99fb07c3048
+--- /dev/null
++++ b/ext/pdo_sqlite/tests/bug81740.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #81740 (PDO::quote() may return unquoted string)
++--SKIPIF--
++<?php
++if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--INI--
++memory_limit=-1
++--FILE--
++<?php
++$pdo = new PDO("sqlite::memory:");
++$string = str_repeat("a", 0x80000000);
++var_dump($pdo->quote($string));
++?>
++--EXPECT--
++bool(false)
+-- 
+2.38.1
+
+From 7328f3a0344806b846bd05657bdce96e47810bf0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Mon, 19 Dec 2022 09:24:02 +0100
+Subject: [PATCH 2/2] NEWS
+
+---
+ NEWS | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 8a8c0c9285d..03e8c839c77 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
++
++Backported from 8.0.27
++
++- PDO/SQLite:
++  . Fixed bug #81740 (PDO::quote() may return unquoted string).
++    (CVE-2022-31631) (cmb)
++
+ 03 Nov 2022, PHP 7.4.33
+ 
+ - GD:
+-- 
+2.38.1
+
diff --git a/php-cve-2023-0567.patch b/php-cve-2023-0567.patch
new file mode 100644
index 0000000..62296ce
--- /dev/null
+++ b/php-cve-2023-0567.patch
@@ -0,0 +1,188 @@
+From 7437aaae38cf4b3357e7580f9e22fd4a403b6c23 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
+Date: Mon, 23 Jan 2023 21:15:24 +0100
+Subject: [PATCH 1/7] crypt: Fix validation of malformed BCrypt hashes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PHP’s implementation of crypt_blowfish differs from the upstream Openwall
+version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
+by including a `$` character within the characters that represent the salt.
+
+Hashes that are affected by the “PHP Hack” may erroneously validate any
+password as valid when used with `password_verify` and when comparing the
+return value of `crypt()` against the input.
+
+The PHP Hack exists since the first version of PHP’s own crypt_blowfish
+implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.
+
+No clear reason is given for the PHP Hack’s existence. This commit removes it,
+because BCrypt hashes containing a `$` character in their salt are not valid
+BCrypt hashes.
+
+(cherry picked from commit c840f71524067aa474c00c3eacfb83bd860bfc8a)
+---
+ ext/standard/crypt_blowfish.c                 |  8 --
+ .../tests/crypt/bcrypt_salt_dollar.phpt       | 82 +++++++++++++++++++
+ 2 files changed, 82 insertions(+), 8 deletions(-)
+ create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+
+diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
+index c1f945f29ed..aa7e1bc2e68 100644
+--- a/ext/standard/crypt_blowfish.c
++++ b/ext/standard/crypt_blowfish.c
+@@ -376,7 +376,6 @@ static unsigned char BF_atoi64[0x60] = {
+ #define BF_safe_atoi64(dst, src) \
+ { \
+ 	tmp = (unsigned char)(src); \
+-	if (tmp == '$') break; /* PHP hack */ \
+ 	if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
+ 	tmp = BF_atoi64[tmp]; \
+ 	if (tmp > 63) return -1; \
+@@ -404,13 +403,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
+ 		*dptr++ = ((c3 & 0x03) << 6) | c4;
+ 	} while (dptr < end);
+ 
+-	if (end - dptr == size) {
+-		return -1;
+-	}
+-
+-	while (dptr < end) /* PHP hack */
+-		*dptr++ = 0;
+-
+ 	return 0;
+ }
+ 
+diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+new file mode 100644
+index 00000000000..32e335f4b08
+--- /dev/null
++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+@@ -0,0 +1,82 @@
++--TEST--
++bcrypt correctly rejects salts containing $
++--FILE--
++<?php
++for ($i = 0; $i < 23; $i++) {
++	$salt = '$2y$04$' . str_repeat('0', $i) . '$';
++	$result = crypt("foo", $salt);
++	var_dump($salt);
++	var_dump($result);
++	var_dump($result === $salt);
++}
++?>
++--EXPECT--
++string(8) "$2y$04$$"
++string(2) "*0"
++bool(false)
++string(9) "$2y$04$0$"
++string(2) "*0"
++bool(false)
++string(10) "$2y$04$00$"
++string(2) "*0"
++bool(false)
++string(11) "$2y$04$000$"
++string(2) "*0"
++bool(false)
++string(12) "$2y$04$0000$"
++string(2) "*0"
++bool(false)
++string(13) "$2y$04$00000$"
++string(2) "*0"
++bool(false)
++string(14) "$2y$04$000000$"
++string(2) "*0"
++bool(false)
++string(15) "$2y$04$0000000$"
++string(2) "*0"
++bool(false)
++string(16) "$2y$04$00000000$"
++string(2) "*0"
++bool(false)
++string(17) "$2y$04$000000000$"
++string(2) "*0"
++bool(false)
++string(18) "$2y$04$0000000000$"
++string(2) "*0"
++bool(false)
++string(19) "$2y$04$00000000000$"
++string(2) "*0"
++bool(false)
++string(20) "$2y$04$000000000000$"
++string(2) "*0"
++bool(false)
++string(21) "$2y$04$0000000000000$"
++string(2) "*0"
++bool(false)
++string(22) "$2y$04$00000000000000$"
++string(2) "*0"
++bool(false)
++string(23) "$2y$04$000000000000000$"
++string(2) "*0"
++bool(false)
++string(24) "$2y$04$0000000000000000$"
++string(2) "*0"
++bool(false)
++string(25) "$2y$04$00000000000000000$"
++string(2) "*0"
++bool(false)
++string(26) "$2y$04$000000000000000000$"
++string(2) "*0"
++bool(false)
++string(27) "$2y$04$0000000000000000000$"
++string(2) "*0"
++bool(false)
++string(28) "$2y$04$00000000000000000000$"
++string(2) "*0"
++bool(false)
++string(29) "$2y$04$000000000000000000000$"
++string(2) "*0"
++bool(false)
++string(30) "$2y$04$0000000000000000000000$"
++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
++bool(false)
+-- 
+2.39.1
+
+From ed0281b588a6840cb95f3134a4e68847a3be5bb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
+Date: Mon, 23 Jan 2023 22:13:57 +0100
+Subject: [PATCH 2/7] crypt: Fix possible buffer overread in php_crypt()
+
+(cherry picked from commit a92acbad873a05470af1a47cb785a18eadd827b5)
+---
+ ext/standard/crypt.c                                   | 1 +
+ ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+ create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt
+
+diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
+index 92430b69f77..04487f3fe5a 100644
+--- a/ext/standard/crypt.c
++++ b/ext/standard/crypt.c
+@@ -151,6 +151,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
+ 		} else if (
+ 				salt[0] == '$' &&
+ 				salt[1] == '2' &&
++				salt[2] != 0 &&
+ 				salt[3] == '$') {
+ 			char output[PHP_MAX_SALT_LEN + 1];
+ 
+diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt b/ext/standard/tests/password/password_bcrypt_short.phpt
+new file mode 100644
+index 00000000000..085bc8a2390
+--- /dev/null
++++ b/ext/standard/tests/password/password_bcrypt_short.phpt
+@@ -0,0 +1,8 @@
++--TEST--
++Test that password_hash() does not overread buffers when a short hash is passed
++--FILE--
++<?php
++var_dump(password_verify("foo", '$2'));
++?>
++--EXPECT--
++bool(false)
+-- 
+2.39.1
+
diff --git a/php-cve-2023-0568.patch b/php-cve-2023-0568.patch
new file mode 100644
index 0000000..6e2ba19
--- /dev/null
+++ b/php-cve-2023-0568.patch
@@ -0,0 +1,98 @@
+From 887cd0710ad856a0d22c329b6ea6c71ebd8621ae Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Fri, 27 Jan 2023 19:28:27 +0100
+Subject: [PATCH 3/7] Fix array overrun when appending slash to paths
+
+Fix it by extending the array sizes by one character. As the input is
+limited to the maximum path length, there will always be place to append
+the slash. As the php_check_specific_open_basedir() simply uses the
+strings to compare against each other, no new failures related to too
+long paths are introduced.
+We'll let the DOM and XML case handle a potentially too long path in the
+library code.
+
+(cherry picked from commit ec10b28d64decbc54aa1e585dce580f0bd7a5953)
+---
+ ext/dom/document.c            | 2 +-
+ ext/xmlreader/php_xmlreader.c | 2 +-
+ main/fopen_wrappers.c         | 6 +++---
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index b478e1a1aab..e683eb8f701 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1380,7 +1380,7 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so
+ 	int validate, recover, resolve_externals, keep_blanks, substitute_ent;
+ 	int resolved_path_len;
+ 	int old_error_reporting = 0;
+-	char *directory=NULL, resolved_path[MAXPATHLEN];
++	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+ 
+ 	if (id != NULL) {
+ 		intern = Z_DOMOBJ_P(id);
+diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
+index 06f569949ce..ecc81ad1470 100644
+--- a/ext/xmlreader/php_xmlreader.c
++++ b/ext/xmlreader/php_xmlreader.c
+@@ -1038,7 +1038,7 @@ PHP_METHOD(xmlreader, XML)
+ 	xmlreader_object *intern = NULL;
+ 	char *source, *uri = NULL, *encoding = NULL;
+ 	int resolved_path_len, ret = 0;
+-	char *directory=NULL, resolved_path[MAXPATHLEN];
++	char *directory=NULL, resolved_path[MAXPATHLEN + 1];
+ 	xmlParserInputBufferPtr inputbfr;
+ 	xmlTextReaderPtr reader;
+ 
+diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
+index 27135020fa3..90de040a218 100644
+--- a/main/fopen_wrappers.c
++++ b/main/fopen_wrappers.c
+@@ -138,10 +138,10 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
+ */
+ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path)
+ {
+-	char resolved_name[MAXPATHLEN];
+-	char resolved_basedir[MAXPATHLEN];
++	char resolved_name[MAXPATHLEN + 1];
++	char resolved_basedir[MAXPATHLEN + 1];
+ 	char local_open_basedir[MAXPATHLEN];
+-	char path_tmp[MAXPATHLEN];
++	char path_tmp[MAXPATHLEN + 1];
+ 	char *path_file;
+ 	size_t resolved_basedir_len;
+ 	size_t resolved_name_len;
+-- 
+2.39.1
+
+From 614468ce4056c0ef93aae09532dcffdf65b594b5 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Mon, 13 Feb 2023 11:46:47 +0100
+Subject: [PATCH 4/7] NEWS
+
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 03e8c839c77..8157a20d4b3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.0.28
++
++- Core:
++  . Fixed bug #81744 (Password_verify() always return true with some hash).
++    (CVE-2023-0567). (Tim Düsterhus)
++  . Fixed bug #81746 (1-byte array overrun in common path resolve code).
++    (CVE-2023-0568). (Niels Dossche)
++
+ Backported from 8.0.27
+ 
+ - PDO/SQLite:
+-- 
+2.39.1
+
diff --git a/php74.spec b/php74.spec
index da5d2f6..58dbc96 100644
--- a/php74.spec
+++ b/php74.spec
@@ -30,7 +30,7 @@
 %global oraclelib 19.1
 %global oracledir 19.24
 %else
-%global oraclever 23.5
+%global oraclever 23.6
 %global oraclemax 24
 %global oraclelib 23.1
 %global oracledir 23
@@ -178,9 +178,9 @@ Patch91: php-7.2.0-oci8conf.patch
 # Upstream fixes (100+)
 
 # Security fixes (200+)
-Patch200: php-bug81740.patch
-Patch201: php-bug81744.patch
-Patch202: php-bug81746.patch
+Patch200: php-cve-2022-31631.patch
+Patch201: php-cve-2023-0567.patch
+Patch202: php-cve-2023-0568.patch
 Patch203: php-cve-2023-0662.patch
 Patch204: php-cve-2023-3247.patch
 Patch205: php-cve-2023-3823.patch
@@ -1203,9 +1203,9 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
 # upstream patches
 
 # security patches
-%patch -P200 -p1 -b .bug81740
-%patch -P201 -p1 -b .bug81744
-%patch -P202 -p1 -b .bug81746
+%patch -P200 -p1 -b .cve31631
+%patch -P201 -p1 -b .cve0567
+%patch -P202 -p1 -b .cve0568
 %patch -P203 -p1 -b .cve0662
 %patch -P204 -p1 -b .cve3247
 %patch -P205 -p1 -b .cve3823
-- 
cgit